CASA/CASA-auth-token/server/AuthTokenValidate
Juan Carlos Luciani f90f3d91bf Reverted the forked process model changes after finding out that
they needed to be more involved (Each child process needed to
initialize the JVM) and because it introduced a whole set of
new problems that were not acceptible. Instead, now we will support
an optional single-threaded process model that can be invoked to
deal with JVMs that have trouble executing when invoked from a
thread.
2006-11-15 05:06:54 +00:00
..
idenTokenProviders Finished changes to make the server project operational. 2006-11-13 05:51:53 +00:00
linux Finished changes to make the server project operational. 2006-11-13 05:51:53 +00:00
Svc Reverted the forked process model changes after finding out that 2006-11-15 05:06:54 +00:00
config_if.h The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
config.c The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
iden_token_provider_if.h The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
identoken.c The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
internal.h The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
Makefile.am The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
principal.c The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
README The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
TODO The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
util.c The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00
validate.c The non-java project is being replaced by a client and a server project 2006-11-13 04:05:01 +00:00

/***********************************************************************
 * 
 *  Copyright (C) 2006 Novell, Inc. All Rights Reserved.
 *
 *  This library is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU Lesser General Public
 *  License as published by the Free Software Foundation; version 2.1
 *  of the License.
 *
 *  This library is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 *  Library Lesser General Public License for more details.
 *
 *  You should have received a copy of the GNU Lesser General Public
 *  License along with this library; if not, Novell, Inc.
 * 
 *  To contact Novell about this file by physical or electronic mail, 
 *  you may find current contact information at www.novell.com.
 * 
 *  Author: Juan Carlos Luciani <jluciani@novell.com>
 *
 ***********************************************************************/
/***********************************************************************
 *
 *  README for libcasa_s_authtoken
 *
 ***********************************************************************/

INTRODUCTION

libcasa_s_authtoken provides an API for the validation of CASA Authentication Tokens.
The API provides a means for obtaining identity information about authenticated
entities.

Applications should avoid calling directly into this library's APIs. Instead, applications
should code to the PAM API to validate authentication credentials or allow an external
module to perform the credential validation. To facilitate this, CASA Authentication
provides PAM, Apache, and JAAS modules that can be used to validate credentials containing
CASA Authentication tokens,

libcasa_s_authtoken relies on the CasaAuthtokenValidateD service in order to perform its
functions. To learn more about CasaAuthtokenValidateD see the Svc folder.

CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDER MODULES

CASA Authentication Tokens contain Identity Tokens. The Identity Tokens contain the identity
information about the entity being authenticated. Identity Tokens can be of different types,
the type utilized for use with a particular service is configured at the time that the service
is configured for CASA Authentication. The default identity token type is CasaIdentityToken.

libcasa_s_authtoken supports different identity token types through an API that allows for the
configuration of different Identity Token Provider plug-ins. An Identity Token Provider plug-in
is configured by placing a configuration file for the plug-ins in the
/etc/CASA/authtoken/modules folder. The name of the plug-in configuration file is related
to the identity token type in the following manner: IdentityTokenTypeName.conf.

Identity Token Provider plug-in configuration files must must contain a directive indicating the
path to the library implementing the Identity Token Provider plug-in (See the configuration file
for the CasaIdentityToken plug-in for an example).

SERVER APPLICATION PROGRAMMING NOTES

The Validate CASA Authentication Token API is defined in casa_s_authtoken.h.

The API consists of a call to validate authentication tokens. The caller must supply a service
name which must match the service name provided by the client when requesting the authentication
token. Successful calls to the validate authentication token API will return a handle to a principal
interface object. The principal interface object handle can be used to obtain identity information
about the authenticated entity as well as information about the authentication realm. The principal
interface object must be released after it is no longer needed. The amount and type of identity
information associated with the principal interface is dependent on what is configured at the
time that the service is enabled for CASA Authentication.

For examples of code which uses the Validate CASA Authentication Token API look at the implementations
of the CASA Authentication PAM module and the CASA Authentication Provider Apache module. 

IDENTITY TOKEN PROVIDER PROGRAMMING NOTES

The Identity Token Provider API is defined in iden_token_provider.h.

For an example see the implementation of the CASA Identity Token Provider.

SECURITY CONSIDERATIONS

CASA Authentication Tokens when compromised can be used to either impersonate
a user or to obtain identity information about the user. Because of this it is
important that the tokens be secured by applications making use of them. It is
recommended that the tokens be transmitted using SSL.