The TokenValidator interface
SecurityTokens are validated in the STS using the TokenValidator interface. It is very similar to the TokenProvider interface. It has three methods:
- boolean canHandleToken(ReceivedToken validateTarget) - Whether this TokenValidator implementation can validate the given token
- boolean canHandleToken(ReceivedToken validateTarget, String realm) - Whether this TokenValidator implementation can validate the given token in the given realm
- TokenValidatorResponse validateToken(TokenValidatorParameters tvp) - Validate a token using the given parameters.
A client can validate a security token using the STS by invoking the validate operation. Assuming that the client request is authenticated and well-formed, the STS iterates through its configured list of TokenValidator implementations to see if one can "handle" the received token. If one can, that implementation is used to validate the received security token, and the validation result is returned to the client. Because the list is checked in order, the order in which validators are configured matters when more than one could claim the same token. When the STS is configured with realms, the second canHandleToken method is used instead, so that an implementation can accept a token only in the realm it is meant for.
To support the validation of a particular token type in an STS deployment, it is necessary to specify a TokenValidator implementation that can handle that token. The STS currently ships with four TokenValidator implementations, to validate SecurityContextTokens, SAML Assertions, UsernameTokens, and BinarySecurityTokens. Before looking at these implementations, let's take a look at the validateToken operation in more detail. This method takes a TokenValidatorParameters instance.
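The following is an added example of a custom TokenValidator, written for this page rather than taken from the CXF code base, to show how the three methods fit together. It handles a hypothetical XML token element ApiToken in the namespace urn:example:sts:token; the element name, the namespace, the realm names and the table of known subjects are all assumptions made up for the example (a real validator would check a signature or MAC over the token rather than a lookup table). The CXF class and method names used (TokenValidator, TokenValidatorParameters, TokenValidatorResponse, ReceivedToken and its STATE enum, SimplePrincipal) are those of the org.apache.cxf.sts and org.apache.cxf.common.security packages; check them against the CXF version you deploy. The security-relevant point it demonstrates is fail-closed validation: the response is marked INVALID before any check runs, and is only switched to VALID once every check has passed.

```java
package com.example.sts; // hypothetical package, not part of CXF

import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.ReceivedToken.STATE;
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
import org.w3c.dom.Element;

/**
 * Validates a hypothetical token of the form
 *   <ex:ApiToken xmlns:ex="urn:example:sts:token">alice</ex:ApiToken>
 * The token element, namespace and realms below are assumptions for this example.
 */
public class ExampleApiTokenValidator implements TokenValidator {

    private static final Logger LOG = Logger.getLogger(ExampleApiTokenValidator.class.getName());
    private static final String TOKEN_NS = "urn:example:sts:token";   // assumed
    private static final String TOKEN_NAME = "ApiToken";              // assumed

    // Constructed sample data: subject name -> realm the subject belongs to.
    private final Map<String, String> knownSubjects = new HashMap<>();

    public ExampleApiTokenValidator() {
        knownSubjects.put("alice", "realmA");
        knownSubjects.put("bob", "realmB");
    }

    // Claim only DOM-element tokens with exactly our element name and namespace.
    @Override
    public boolean canHandleToken(ReceivedToken validateTarget) {
        if (validateTarget == null || !validateTarget.isDOMElement()) {
            return false;
        }
        Element el = (Element) validateTarget.getToken();
        return TOKEN_NS.equals(el.getNamespaceURI()) && TOKEN_NAME.equals(el.getLocalName());
    }

    // Realm-aware variant: same element check, plus only realms this validator serves.
    @Override
    public boolean canHandleToken(ReceivedToken validateTarget, String realm) {
        return canHandleToken(validateTarget) && (realm == null || knownSubjects.containsValue(realm));
    }

    @Override
    public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
        TokenValidatorResponse response = new TokenValidatorResponse();
        ReceivedToken validateTarget = tokenParameters.getToken();

        // Fail closed: the token is INVALID until every check below has passed.
        validateTarget.setState(STATE.INVALID);
        response.setToken(validateTarget);

        // Re-check the token shape; never trust that canHandleToken was consulted first.
        if (!canHandleToken(validateTarget)) {
            LOG.fine("Token is not an ApiToken element");
            return response;
        }

        Element el = (Element) validateTarget.getToken();
        String subject = el.getTextContent() == null ? "" : el.getTextContent().trim();
        String subjectRealm = knownSubjects.get(subject);
        if (subjectRealm == null) {
            LOG.fine("Unknown subject in ApiToken");
            return response;
        }

        // If the STS is realm-aware, the token must belong to the realm of this request.
        String requestRealm = tokenParameters.getRealm();
        if (requestRealm != null && !requestRealm.equals(subjectRealm)) {
            LOG.fine("ApiToken realm does not match request realm");
            return response;
        }

        // All checks passed: mark the token VALID and report who it identifies.
        validateTarget.setState(STATE.VALID);
        response.setPrincipal(new SimplePrincipal(subject));
        response.setRealm(subjectRealm);
        return response;
    }
}
```

To put the validator into service it is added to the list of TokenValidator beans on the STS's validate operation, alongside the shipped validators. Note that the example never throws on a bad token; it reports an INVALID state, which is how the STS communicates a failed validation back to the client, while an exception would be appropriate only for a malformed request.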