Configuring Logging for Custom Plug-ins

3-34 Developers Guide for Oracle Access Manager and Oracle Security Token Service

9. Add a custom Oracle Access Manager-specific logger and log handler to specify a log file path and required attributes, as follows:

   a. Add the oam logger, as follows:

      wls:/base_domain/serverConfig> domainRuntime()
      wls:/base_domain/domainRuntime> setLogLevel(logger="oracle.oam", level="WARNING", persist="0", target="oam_server1")

   b. Add a custom log handler and associate it with the oam logger, as shown here:

      wls:/base_domain/domainRuntime> configureLogHandler(name="oam-log-handler", target="oam_server1", rotationFrequency="daily", retentionPeriod="week", path="${domain.home}/oamlogs", maxFileSize=10485760, maxLogSize=104857600, addHandler="true", handlerType="oracle.core.ojdl.logging.ODLHandlerFactory", addToLogger="oracle.oam")
      wls:/base_domain/domainRuntime> configureLogHandler(name="oam-log-handler", addProperty="true", propertyName="supplementalAttributes", propertyValue="OAM.USER, OAM.COMPONENT", target="oam_server1")

   c. Verify that all the OAM logs appear in the DOMAIN_HOME/oamlogs folder.

10. Verify the generated log file to confirm that the controller is logged at the TRACE:32 level:

      DOMAIN_HOME/server/SERVER_INSTANCE_NAME/logs

4 Writing Oracle Security Token Service Module Classes

This chapter discusses Oracle Access Manager 11g and Oracle Security Token Service custom token options. It includes the following sections:

■ Section 4.1, Introduction to Oracle Security Token Service Custom Token Module Classes
■ Section 4.2, Writing a TokenValidatorModule Class
■ Section 4.3, Writing a TokenIssuanceModule Class
■ Section 4.4, Making Custom Classes Available
■ Section 4.5, Managing a Custom Oracle Security Token Service Configuration
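Step 10 of the logging procedure above asks you to confirm that the controller is logged at TRACE:32. As an added example (not code from this guide or from the product), the following Python script parses a log file in the ODL text format written by the handler configured in step 9 and reports which oracle.oam modules logged at that level. The lines in SAMPLE_LOG are constructed for the example and the tid and ecid values are placeholders; the script assumes the ODL layout [timestamp] [component] [type:level] [message-id] [module] [attribute: value]... message.

```python
import re
from collections import Counter

# Constructed sample lines in the ODL text layout; tid/ecid values are placeholders,
# not output captured from a real server.
SAMPLE_LOG = """\
[2013-03-04T10:34:58.001-08:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000Example000,0] [APP: oam_server] Authentication engine initialized
[2013-03-04T10:35:02.114-08:00] [oam_server1] [TRACE:32] [] [oracle.oam.plugin] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000Example000,1] [APP: oam_server] Controller: entering custom plug-in
[2013-03-04T10:35:02.120-08:00] [oam_server1] [TRACE:16] [] [oracle.oam.plugin] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000Example000,1] [APP: oam_server] Reading plug-in parameters
[2013-03-04T10:35:02.131-08:00] [oam_server1] [TRACE:32] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000Example000,1] [APP: oam_server] Controller: dispatching to authentication module
[2013-03-04T10:35:03.000-08:00] [oam_server1] [WARNING] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000Example000,2] [APP: oam_server] Example warning text
"""

# The five fixed leading fields of an ODL text record.
HEADER_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] '
    r'\[(?P<component>[^\]]+)\] '
    r'\[(?P<msg_type>[A-Z_]+)(?::(?P<level>\d+))?\] '
    r'\[(?P<msg_id>[^\]]*)\] '
    r'\[(?P<module>[^\]]+)\] ?'
)
# Optional "[key: value]" attributes (tid, ecid, APP, ...); the value may contain
# one level of nested brackets, as in "[tid: [ACTIVE].ExecuteThread: ...]".
ATTR_RE = re.compile(r'\[(?P<key>[A-Za-z.]+): (?P<value>(?:[^\[\]]|\[[^\]]*\])*)\] ?')


def parse_odl_line(line):
    """Return a dict for one ODL record, or None if the line is not an ODL header line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"]) if rec["level"] else None
    pos = m.end()
    attrs = {}
    while True:
        a = ATTR_RE.match(line, pos)
        if not a:
            break
        attrs[a.group("key")] = a.group("value")
        pos = a.end()
    rec["attributes"] = attrs
    rec["message"] = line[pos:].strip()
    return rec


def parse_odl(text):
    """Parse every line of a log file; continuation lines without a header are skipped."""
    return [r for r in (parse_odl_line(l) for l in text.splitlines()) if r]


def entries_at_level(records, msg_type="TRACE", level=32, module_prefix="oracle.oam"):
    """Records of the given type and level whose logger module sits under module_prefix."""
    return [r for r in records
            if r["msg_type"] == msg_type and r["level"] == level
            and r["module"].startswith(module_prefix)]


def level_summary(records):
    """Count records per (type, level); handy for confirming the logger levels set in step 9."""
    return Counter((r["msg_type"], r["level"]) for r in records)


def controller_traced(records):
    """The step-10 check: at least one oracle.oam record was written at TRACE:32."""
    return len(entries_at_level(records, "TRACE", 32, "oracle.oam")) > 0


if __name__ == "__main__":
    recs = parse_odl(SAMPLE_LOG)
    for (kind, lvl), n in sorted(level_summary(recs).items(), key=str):
        print("%-12s %-4s %d" % (kind, lvl if lvl is not None else "-", n))
    for r in entries_at_level(recs):
        print("TRACE:32 from %s: %s" % (r["module"], r["message"]))
    print("controller traced at TRACE:32:", controller_traced(recs))
```

To run it against a real file, replace SAMPLE_LOG with the contents of the log under DOMAIN_HOME/server/SERVER_INSTANCE_NAME/logs; a result of False from controller_traced means the level set in step 9 did not take effect for the target server.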

4.1 Introduction to Oracle Security Token Service Custom Token Module Classes

When Oracle Security Token Service does not support the token that you want to validate or issue out-of-the-box, you can write your own validation and issuance module classes. One of the two classes, validation or issuance, is required for custom tokens:

■ Oracle Security Token Service uses the custom validation class to validate a custom token.
■ Oracle Security Token Service uses the custom issuance class to issue a custom token.

The following overview outlines the tasks you must perform.

Task overview: Deploying custom token module classes

1. Writing a TokenValidatorModule Class to validate a custom token with Oracle Security Token Service, if needed.
2. Writing a TokenIssuanceModule Class to issue a custom token with Oracle Security Token Service, if needed.

   Note: One of the two classes, validation or issuance, is required for custom tokens.

3. Making Custom Classes Available to create a Custom Token module that allows the user to create Validation Templates and Issuance Templates for their custom token.
4. Managing a Custom Oracle Security Token Service Configuration to create Validation and Issuance Templates for the custom token, and to use the custom templates in Endpoints and Partner Profiles as you would use the templates of standard tokens.

4.2 Writing a TokenValidatorModule Class

This section provides the following topics:

■ About Writing a TokenValidatorModule Class
■ Writing a TokenValidatorModule Class

4.2.1 About Writing a TokenValidatorModule Class

The Oracle Security Token Service validation module class implements the oracle.security.fed.sts.token.tpe.TokenValidatorModule interface. The following properties can be fetched from the TokenContext during the validation process:

■ XML_TOKEN: The bytes of the XML message that contains the token that must be validated.
■ BST_VALUE_TYPE: If the custom token is sent as a Binary Security Token, this contains the Binary Security Token value type.
■ BST_ENCODING: If the token is sent as a Binary Security Token, this contains the encoding.
■ BST_CONTENT: If the token is sent as a Binary Security Token, this contains the Binary Security Token content.
■ TOKEN_ELEMENT: If the token is not a Binary Security Token and does not have a JAXB representation in the Oracle Security Token Service internal classes, this contains the XML element or custom JAXB class representing the token.
■ XML_DOM: The DOM representation of the incoming message. This is present only if a DOM object was created as part of Oracle Security Token Service processing thus far.

The token should be validated using the information in the properties in the TokenContext, and a TokenResult should be returned. The following properties can be set on a TokenResult object to return information to Oracle Security Token Service:

■ TPE_RESULT_FAILURE_CODE: The failure code, if there was a failure.
■ TPE_RESULT_FAILURE_STRING: A string describing the failure.
■ Any other properties that are set in the result are available in the context to be used for token mapping. Usually, validators set the STS_SUBJECT_ID property to the name ID and use this to map to a user record.
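The flow just described (read the token from the TokenContext properties, validate it, return a TokenResult that either names the subject or reports a failure) is shown below as an added example in Python. It is not the guide's EmailTokenValidatorModuleImplforBinary.java and does not use the Java interface; it models the TokenContext and TokenResult as dicts keyed by the property names from the page. The value type urn:example:tokens:EmailToken, the element name EmailToken in namespace urn:example:tokens, and the failure code strings are assumptions made for the example; the Base64Binary EncodingType URI is the standard WS-Security one.

```python
import base64
import re
import xml.etree.ElementTree as ET

# TokenContext input properties and TokenResult output properties named on the page
XML_TOKEN = "XML_TOKEN"
BST_VALUE_TYPE = "BST_VALUE_TYPE"
BST_ENCODING = "BST_ENCODING"
BST_CONTENT = "BST_CONTENT"
TOKEN_ELEMENT = "TOKEN_ELEMENT"
TPE_RESULT_FAILURE_CODE = "TPE_RESULT_FAILURE_CODE"
TPE_RESULT_FAILURE_STRING = "TPE_RESULT_FAILURE_STRING"
STS_SUBJECT_ID = "STS_SUBJECT_ID"

# Hypothetical identifiers for the custom email token (assumed for this example)
EMAIL_VALUE_TYPE = "urn:example:tokens:EmailToken"
EMAIL_ELEMENT_TAG = "{urn:example:tokens}EmailToken"
# Standard WS-Security EncodingType URI for base64-encoded Binary Security Tokens
BASE64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-soap-message-security-1.0#Base64Binary")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _failure(code, text):
    """Build a TokenResult-like dict carrying the two failure properties from the page."""
    return {TPE_RESULT_FAILURE_CODE: code, TPE_RESULT_FAILURE_STRING: text}


def validate_email_token(context):
    """Validate an email token taken from a TokenContext-like dict.

    On success the result carries STS_SUBJECT_ID (the name ID used for user mapping);
    on failure it carries TPE_RESULT_FAILURE_CODE and TPE_RESULT_FAILURE_STRING.
    The failure code strings are example values, not codes defined by the product.
    """
    if BST_CONTENT in context:
        # Binary Security Token path: check ValueType and EncodingType before decoding
        if context.get(BST_VALUE_TYPE) != EMAIL_VALUE_TYPE:
            return _failure("unsupported_value_type",
                            "BST ValueType %r is not the email token" % context.get(BST_VALUE_TYPE))
        if context.get(BST_ENCODING) != BASE64_ENCODING:
            return _failure("unsupported_encoding",
                            "BST EncodingType %r is not Base64Binary" % context.get(BST_ENCODING))
        try:
            email = base64.b64decode(context[BST_CONTENT], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            return _failure("malformed_token", "BST content is not valid base64-encoded UTF-8")
    elif TOKEN_ELEMENT in context:
        # Non-binary path: the token arrives as an XML element
        element = context[TOKEN_ELEMENT]
        if element.tag != EMAIL_ELEMENT_TAG:
            return _failure("unsupported_element", "unexpected token element %s" % element.tag)
        email = (element.text or "").strip()
    else:
        return _failure("missing_token", "context carries neither BST_CONTENT nor TOKEN_ELEMENT")

    if not EMAIL_RE.match(email):
        return _failure("invalid_subject", "token value is not an e-mail address")
    return {STS_SUBJECT_ID: email}


def make_bst_context(email, value_type=EMAIL_VALUE_TYPE, encoding=BASE64_ENCODING):
    """Constructed TokenContext for a token sent as a Binary Security Token."""
    content = base64.b64encode(email.encode("utf-8")).decode("ascii")
    return {XML_TOKEN: b"<wsse:BinarySecurityToken/>",   # placeholder for the raw message bytes
            BST_VALUE_TYPE: value_type, BST_ENCODING: encoding, BST_CONTENT: content}


def make_element_context(xml_text):
    """Constructed TokenContext for a token that arrives as an XML element."""
    return {XML_TOKEN: xml_text.encode("utf-8"), TOKEN_ELEMENT: ET.fromstring(xml_text)}


if __name__ == "__main__":
    print(validate_email_token(make_bst_context("jdoe@example.com")))
    print(validate_email_token(make_element_context(
        '<t:EmailToken xmlns:t="urn:example:tokens">jdoe@example.com</t:EmailToken>')))
    print(validate_email_token(make_bst_context("jdoe@example.com", encoding="hex")))
```

The checks run in the order a validator should apply them: reject a token whose ValueType or EncodingType is not the one the module was written for before decoding anything, treat decoding failures as a validation failure rather than an exception, and only then inspect the subject value that will become STS_SUBJECT_ID.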
The following figures contain examples of the full implementation of EmailTokenValidatorModuleImplforBinary.java:

■ Figure 4–1, Part 1: EmailTokenValidatorModuleImplforBinary.java
■ Figure 4–2, Part 2: EmailTokenValidatorModuleImplforBinary.java

Figure 4–1 Part 1: EmailTokenValidatorModuleImplforBinary.java