package org.picketlink.identity.federation.bindings.jboss.auth.mapping;

import java.util.List;
import java.util.Map;
import java.util.Set;

// The remaining imports are not shown on the page and were reconstructed from the types the
// code uses; package names follow PicketLink 2.5.x and the JBoss Security SPI and should be
// checked against the version in use.
import org.jboss.security.SecurityConstants;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRole;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.mapping.MappingProvider;
import org.jboss.security.mapping.MappingResult;
import org.picketlink.common.PicketLinkLogger;
import org.picketlink.common.PicketLinkLoggerFactory;
import org.picketlink.identity.federation.core.wstrust.auth.AbstractSTSLoginModule;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenRoleAttributeProvider;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.picketlink.identity.federation.saml.v2.assertion.ASTChoiceType;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
import org.w3c.dom.Element;

/**
 * This mapping provider looks at the role attributes in the Assertion and returns the
 * corresponding JBoss RoleGroup objects for insertion into the Subject.
 *
 * <pre>{@code
 * <application-policy name="saml-issue-token">
 *   <authentication>
 *     <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
 *       <module-option name="configFile">/</module-option>
 *       <module-option name="password-stacking">useFirstPass</module-option>
 *     </login-module>
 *   </authentication>
 *   <mapping>
 *     <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider" type="principal"/>
 *     <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider" type="role">
 *       <module-option name="token-role-attribute-name">role</module-option>
 *     </mapping-module>
 *   </mapping>
 * </application-policy>
 * }</pre>
 *
 * As demonstrated above, this mapping provider is typically configured for an STS Login Module
 * to extract the user's roles from the STS token and supply them for insertion into the JAAS
 * Subject. It looks for a multi-valued Attribute in the Assertion, where each value is one user
 * role. The name of this attribute defaults to
 * SAML20TokenRoleAttributeProvider.DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME but may be set to any value
 * through the "token-role-attribute-name" module option.
 *
 * @author Babak Mozaffari
 */
public class STSGroupMappingProvider implements MappingProvider<RoleGroup> {

    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();

    private MappingResult<RoleGroup> result;

    private String tokenRoleAttributeName;

    public void init(Map<String, Object> contextMap) {
        Object tokenRoleAttributeObject = contextMap.get("token-role-attribute-name");
        if (tokenRoleAttributeObject != null) {
            tokenRoleAttributeName = (String) tokenRoleAttributeObject;
        } else {
            // No option configured: fall back to the PicketLink default attribute name.
            tokenRoleAttributeName = SAML20TokenRoleAttributeProvider.DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME;
        }
        // No further initialization needed
        logger.trace("Initialized with " + contextMap);
    }

    public void performMapping(Map<String, Object> contextMap, RoleGroup Group) {
        logger.debug("performMapping with map as " + contextMap);
        if (contextMap == null) {
            // The page does not show the original statement here; reject the null map.
            throw new IllegalArgumentException("contextMap");
        }

        // Key under which the STS login modules share the issued token with the mapping
        // providers (the page does not show the constant used; AbstractSTSLoginModule.SHARED_TOKEN
        // is the key the PicketLink login modules publish it under).
        Object tokenObject = contextMap.get(AbstractSTSLoginModule.SHARED_TOKEN);
        if (!(tokenObject instanceof Element)) {
            // With Tomcat SSO Valves, mapping providers DO get called automatically, so there may be no tokens and errors
            // should be expected and handled
            logger.debug("Did not find a token " + Element.class.getName() + " under "
                    + AbstractSTSLoginModule.SHARED_TOKEN + " in the map");
            // Nothing to map (statement not shown on the page; returning matches the comment above).
            return;
        }

        try {
            Element tokenElement = (Element) tokenObject;
            AssertionType assertion = SAMLUtil.fromElement(tokenElement);

            // check the assertion statements and look for role attributes.
            AttributeStatementType attributeStatement = this.getAttributeStatement(assertion);
            if (attributeStatement != null) {
                RoleGroup rolesGroup = new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
                List<ASTChoiceType> attributeList = attributeStatement.getAttributes();
                for (ASTChoiceType obj : attributeList) {
                    AttributeType attribute = obj.getAttribute();
                    if (attribute != null) {
                        // if this is a role attribute, get its values and add them to the role set.
                        if (tokenRoleAttributeName.equals(attribute.getName())) {
                            for (Object value : attribute.getAttributeValue()) {
                                rolesGroup.addRole(new SimpleRole((String) value));
                            }
                        }
                    }
                }
                // Hand the roles back to JBoss Security; without this the Subject receives no roles.
                result.setMappedObject(rolesGroup);
                logger.trace("Mapped roles to " + rolesGroup);
            }
        } catch (Exception e) {
            // The handler body is not shown on the page; rethrow so a parse failure is not silently swallowed.
            throw new RuntimeException(e);
        }
    }

    public void setMappingResult(MappingResult<RoleGroup> mappingResult) {
        this.result = mappingResult;
    }

    public boolean supports(Class<?> p) {
        if (RoleGroup.class.isAssignableFrom(p))
            return true;
        return false;
    }

    /**
     * Checks if the specified SAML assertion contains an AttributeStatementType and returns it when available.
     *
     * @param assertion a reference to the AssertionType that may contain an AttributeStatementType.
     * @return the assertion's AttributeStatementType, or null if no such type can be found in the SAML assertion.
     */
    private AttributeStatementType getAttributeStatement(AssertionType assertion) {
        Set<StatementAbstractType> statementList = assertion.getStatements();
        if (statementList.size() != 0) {
            for (StatementAbstractType statement : statementList) {
                if (statement instanceof AttributeStatementType)
                    return (AttributeStatementType) statement;
            }
        }
        return null;
    }
}
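The role-extraction rules described in the class comment, as an added Python example that is not part of PicketLink: it applies the same logic (configurable attribute name with a default, first AttributeStatement only, every value of the matching Attribute becomes a role) to a SAML 2.0 assertion using only the standard library, so it runs without the PicketLink and JBoss jars. The default name "role" and the sample token are assumptions.

```python
# Added example (not PicketLink code): mirrors STSGroupMappingProvider's role
# extraction on a SAML 2.0 assertion using only the Python standard library.
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: SAML20TokenRoleAttributeProvider.DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME is "role".
DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME = "role"


def map_roles(assertion_xml: str,
              token_role_attribute_name: str = DEFAULT_TOKEN_ROLE_ATTRIBUTE_NAME) -> Optional[list]:
    """Values of the configured role attribute, as the provider would add them to the RoleGroup.
    None -> no AttributeStatement in the assertion: the provider maps nothing.
    []   -> an AttributeStatement exists but no Attribute carries the configured
            Name: the provider still maps an empty RoleGroup and raises no error.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("expected a saml:Assertion element, got " + root.tag)
    # getAttributeStatement(): the first AttributeStatement, or null if there is none.
    statement = root.find("saml:AttributeStatement", SAML_NS)
    if statement is None:
        return None
    roles = []
    for attribute in statement.findall("saml:Attribute", SAML_NS):
        if attribute.get("Name") != token_role_attribute_name:
            continue  # not the role attribute (token-role-attribute-name)
        for value in attribute.findall("saml:AttributeValue", SAML_NS):
            roles.append((value.text or "").strip())
    return roles


# Constructed sample token (unsigned, no Conditions): by the time a mapping
# provider runs, the STS login module has already validated the token.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>example-sts</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>manager</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same token with its AttributeStatement removed.
NO_STATEMENT_ASSERTION = SAMPLE_ASSERTION.split("  <saml:AttributeStatement>")[0] + "</saml:Assertion>"
```

The name-mismatch case is the first thing to check when a Subject unexpectedly ends up with no roles: a "token-role-attribute-name" that does not match what the STS emits yields an empty RoleGroup and only a trace-level log line, not an error.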