You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2017/10/05 15:40:56 UTC
[cxf-fediz] branch 1.3.x-fixes updated: FEDIZ-211 - Local IdP
redirection (after token expiry) is not working
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/1.3.x-fixes by this push:
new c5d3cae FEDIZ-211 - Local IdP redirection (after token expiry) is not working
c5d3cae is described below
commit c5d3cae7b669f5adb1153ac9a1126cfa5cd63723
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Oct 5 15:23:14 2017 +0100
FEDIZ-211 - Local IdP redirection (after token expiry) is not working
---
systests/spring/pom.xml | 24 +
.../fediz/integrationtests/TokenExpiryTest.java | 162 +++++++
.../spring/src/test/resources/fediz_config.xml | 39 +-
.../src/test/resources/realma/entities-realma.xml | 506 +++++++++++++++++++++
systests/tomcat8/pom.xml | 24 +
.../fediz/integrationtests/TokenExpiryTest.java | 186 ++++++++
.../tomcat8/src/test/resources/fediz_config.xml | 35 ++
.../src/test/resources/realma/entities-realma.xml | 506 +++++++++++++++++++++
8 files changed, 1480 insertions(+), 2 deletions(-)
diff --git a/systests/spring/pom.xml b/systests/spring/pom.xml
index 8d3b713..b553a6c 100644
--- a/systests/spring/pom.xml
+++ b/systests/spring/pom.xml
@@ -175,6 +175,30 @@
</executions>
</plugin>
<plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>copy-entities-to-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF/classes</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realma</directory>
+ <includes>
+ <include>entities-realma.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
<artifactId>maven-failsafe-plugin</artifactId>
<inherited>true</inherited>
<executions>
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java
new file mode 100644
index 0000000..6ef0586
--- /dev/null
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java
@@ -0,0 +1,162 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+
+import java.io.File;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.WebClient;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.LifecycleState;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * Test what happens when the IdP token expires. This is "mocked" by setting wfresh to "0" in the plugin configuration.
+ */
+public class TokenExpiryTest {
+
+ static String idpHttpsPort;
+ static String rpHttpsPort;
+
+ private static Tomcat idpServer;
+ private static Tomcat rpServer;
+
+ @BeforeClass
+ public static void init() throws Exception {
+ idpHttpsPort = System.getProperty("idp.https.port");
+ Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+ rpHttpsPort = System.getProperty("rp.https.port");
+ Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+ idpServer = startServer(true, idpHttpsPort);
+ rpServer = startServer(false, rpHttpsPort);
+ }
+
+ private static Tomcat startServer(boolean idp, String port)
+ throws ServletException, LifecycleException, IOException {
+ Tomcat server = new Tomcat();
+ server.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ String baseDir = currentDir + File.separator + "target";
+ server.setBaseDir(baseDir);
+
+ if (idp) {
+ server.getHost().setAppBase("tomcat/idp/webapps");
+ } else {
+ server.getHost().setAppBase("tomcat/rp/webapps");
+ }
+ server.getHost().setAutoDeploy(true);
+ server.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(port));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ httpsConnector.setAttribute("keyAlias", "mytomidpkey");
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "want");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ server.getService().addConnector(httpsConnector);
+
+ if (idp) {
+ File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts");
+ server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath());
+
+ File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp");
+ server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath());
+ } else {
+ File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(),
+ "fediz-systests-webapps-spring");
+ server.addWebapp("/fedizhelloworld_wfresh", rpWebapp.getAbsolutePath());
+ }
+
+ server.start();
+
+ return server;
+ }
+
+ @AfterClass
+ public static void cleanup() {
+ shutdownServer(idpServer);
+ shutdownServer(rpServer);
+ }
+
+ private static void shutdownServer(Tomcat server) {
+ try {
+ if (server != null && server.getServer() != null
+ && server.getServer().getState() != LifecycleState.DESTROYED) {
+ if (server.getServer().getState() != LifecycleState.STOPPED) {
+ server.stop();
+ }
+ server.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public String getIdpHttpsPort() {
+ return idpHttpsPort;
+ }
+
+ public String getRpHttpsPort() {
+ return rpHttpsPort;
+ }
+
+
+ @org.junit.Test
+ public void testTokenExpiry() throws Exception {
+ // 1. Login
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld_wfresh"
+ + "/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ CookieManager cookieManager = new CookieManager();
+
+ // 1. Login
+ HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+
+ // 2. Sign out of the service (but not the Idp)
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getPage(url + "?wa=wsignoutcleanup1.0");
+ webClient.close();
+
+ // 3. Sign back in to the service provider. This time it will get a new IdP token due to wfresh=0.
+ HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+ }
+}
diff --git a/systests/spring/src/test/resources/fediz_config.xml b/systests/spring/src/test/resources/fediz_config.xml
index 6cce85e..fb0c3c3 100644
--- a/systests/spring/src/test/resources/fediz_config.xml
+++ b/systests/spring/src/test/resources/fediz_config.xml
@@ -44,7 +44,7 @@
<issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
<roleDelimiter>,</roleDelimiter>
<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
- <reply>/j_spring_fediz_security_check</reply>
+ <reply>/j_spring_fediz_security_check</reply>
<!--<authenticationType type="String">some auth type</authenticationType>-->
<!--<homeRealm type="Class">org.apache.fediz.realm.MyHomeRealm</homeRealm>-->
<!--<freshness>0</freshness>-->
@@ -99,6 +99,41 @@
</protocol>
<logoutURL>/secure/logout</logoutURL>
<logoutRedirectTo>/index.html</logoutRedirectTo>
- </contextConfig>
+ </contextConfig>
+ <contextConfig name="/fedizhelloworld_wfresh">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="clienttrust.jks" password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
+ <keyStore file="server.jks" password="tompass" type="JKS" />
+ </signingKey>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <reply>/j_spring_fediz_security_check</reply>
+ <freshness>0</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+ <claimTypesRequested>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
</FedizConfig>
diff --git a/systests/spring/src/test/resources/realma/entities-realma.xml b/systests/spring/src/test/resources/realma/entities-realma.xml
new file mode 100644
index 0000000..bc02e1b
--- /dev/null
+++ b/systests/spring/src/test/resources/realma/entities-realma.xml
@@ -0,0 +1,506 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-4.3.xsd">
+
+ <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+ <property name="uri" value="realma" />
+ <property name="provideIdpList" value="true" />
+ <property name="useCurrentIdp" value="true" />
+ <property name="certificate" value="stsKeystoreA.properties" />
+ <property name="certificatePassword" value="realma" />
+ <property name="stsUrl" value="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA" />
+ <property name="idpUrl" value="https://localhost:${idp.https.port}/fediz-idp/federation" />
+ <property name="rpSingleSignOutConfirmation" value="true"/>
+ <property name="supportedProtocols">
+ <util:list>
+ <value>http://docs.oasis-open.org/wsfed/federation/200706</value>
+ <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512</value>
+ </util:list>
+ </property>
+ <property name="tokenTypesOffered">
+ <util:list>
+ <value>urn:oasis:names:tc:SAML:1.0:assertion</value>
+ <value>urn:oasis:names:tc:SAML:2.0:assertion</value>
+ </util:list>
+ </property>
+ <property name="authenticationURIs">
+ <util:map>
+ <entry key="default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"
+ value="federation/krb" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+ value="federation/clientcert" />
+ </util:map>
+ </property>
+ <property name="serviceDisplayName" value="REALM A" />
+ <property name="serviceDescription" value="IDP of Realm A" />
+ <property name="applications">
+ <util:list>
+ <ref bean="srv-fedizhelloworld" />
+ <ref bean="srv-oidc" />
+ </util:list>
+ </property>
+ <property name="trustedIdps">
+ <util:list>
+ <ref bean="trusted-idp-realmB" />
+ </util:list>
+ </property>
+ <property name="claimTypesOffered">
+ <util:list>
+ <ref bean="claim_role" />
+ <ref bean="claim_surname" />
+ <ref bean="claim_givenname" />
+ <ref bean="claim_email" />
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="trusted-idp-realmB"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+ <property name="cacheTokens" value="true" />
+ <property name="url" value="https://localhost:12443/fediz-idp-remote/federation" />
+ <property name="certificate" value="realmb.cert" />
+ <property name="trustType" value="PEER_TRUST" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="federationType" value="FEDERATE_IDENTITY" />
+ <property name="name" value="Realm B" />
+ <property name="description" value="Realm B description" />
+ </bean>
+
+ <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Fedizhelloworld" />
+ <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
+ <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
+ </bean>
+
+ <bean id="srv-oidc" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:oidc" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="OIDC Provider" />
+ <property name="serviceDescription" value="OpenID Connect Provider" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/fediz-oidc/.*" />
+ <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
+ </bean>
+
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_role" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_givenname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_surname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_email" />
+ <property name="optional" value="false" />
+ </bean>
+
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-oidc" />
+ <property name="claim" ref="claim_role" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-oidc" />
+ <property name="claim" ref="claim_givenname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-oidc" />
+ <property name="claim" ref="claim_surname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-oidc" />
+ <property name="claim" ref="claim_email" />
+ <property name="optional" value="false" />
+ </bean>
+
+ <bean id="claim_role"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+ <property name="displayName"
+ value="role" />
+ <property name="description"
+ value="Description for role" />
+ </bean>
+ <bean id="claim_givenname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+ <property name="displayName"
+ value="firstname" />
+ <property name="description"
+ value="Description for firstname" />
+ </bean>
+ <bean id="claim_surname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+ <property name="displayName"
+ value="lastname" />
+ <property name="description"
+ value="Description for lastname" />
+ </bean>
+ <bean id="claim_email"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+ <property name="displayName"
+ value="email" />
+ <property name="description"
+ value="Description for email" />
+ </bean>
+
+
+ <bean id="entitlement_claim_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_LIST" />
+ <property name="description"
+ value="Description for CLAIM_LIST" />
+ </bean>
+ <bean id="entitlement_claim_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_CREATE" />
+ <property name="description"
+ value="Description for CLAIM_CREATE" />
+ </bean>
+ <bean id="entitlement_claim_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_READ" />
+ <property name="description"
+ value="Description for CLAIM_READ" />
+ </bean>
+ <bean id="entitlement_claim_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_UPDATE" />
+ <property name="description"
+ value="Description for CLAIM_UPDATE" />
+ </bean>
+ <bean id="entitlement_claim_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_DELETE" />
+ <property name="description"
+ value="Description for CLAIM_DELETE" />
+ </bean>
+
+ <bean id="entitlement_application_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_LIST" />
+ <property name="description"
+ value="Description for APPLICATION_LIST" />
+ </bean>
+ <bean id="entitlement_application_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_CREATE" />
+ <property name="description"
+ value="Description for APPLICATION_CREATE" />
+ </bean>
+ <bean id="entitlement_application_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_READ" />
+ <property name="description"
+ value="Description for APPLICATION_READ" />
+ </bean>
+ <bean id="entitlement_application_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_UPDATE" />
+ <property name="description"
+ value="Description for APPLICATION_UPDATE" />
+ </bean>
+ <bean id="entitlement_application_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_DELETE" />
+ <property name="description"
+ value="Description for APPLICATION_DELETE" />
+ </bean>
+
+ <bean id="entitlement_trustedidp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_LIST" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_LIST" />
+ </bean>
+ <bean id="entitlement_trustedidp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_CREATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_CREATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_READ" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_READ" />
+ </bean>
+ <bean id="entitlement_trustedidp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_UPDATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_DELETE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_idp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_LIST" />
+ <property name="description"
+ value="Description for IDP_LIST" />
+ </bean>
+ <bean id="entitlement_idp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_CREATE" />
+ <property name="description"
+ value="Description for IDP_CREATE" />
+ </bean>
+ <bean id="entitlement_idp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_READ" />
+ <property name="description"
+ value="Description for IDP_READ" />
+ </bean>
+ <bean id="entitlement_idp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_UPDATE" />
+ <property name="description"
+ value="Description for IDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_idp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_DELETE" />
+ <property name="description"
+ value="Description for IDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_role_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_LIST" />
+ <property name="description"
+ value="Description for ROLE_LIST" />
+ </bean>
+ <bean id="entitlement_role_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_CREATE" />
+ <property name="description"
+ value="Description for ROLE_CREATE" />
+ </bean>
+ <bean id="entitlement_role_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_READ" />
+ <property name="description"
+ value="Description for ROLE_READ" />
+ </bean>
+ <bean id="entitlement_role_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_UPDATE" />
+ <property name="description"
+ value="Description for ROLE_UPDATE" />
+ </bean>
+ <bean id="entitlement_role_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_DELETE" />
+ <property name="description"
+ value="Description for ROLE_DELETE" />
+ </bean>
+
+ <bean id="entitlement_entitlement_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_LIST" />
+ <property name="description"
+ value="Description for ENTITLEMENT_LIST" />
+ </bean>
+ <bean id="entitlement_entitlement_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_CREATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_CREATE" />
+ </bean>
+ <bean id="entitlement_entitlement_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_READ" />
+ <property name="description"
+ value="Description for ENTITLEMENT_READ" />
+ </bean>
+ <bean id="entitlement_entitlement_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_UPDATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_UPDATE" />
+ </bean>
+ <bean id="entitlement_entitlement_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_DELETE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_DELETE" />
+ </bean>
+
+ <bean id="role_admin"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="ADMIN" />
+ <property name="description"
+ value="This is the administrator role with full access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_create" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_claim_update" />
+ <ref bean="entitlement_claim_delete" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_create" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_idp_update" />
+ <ref bean="entitlement_idp_delete" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_create" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_trustedidp_update" />
+ <ref bean="entitlement_trustedidp_delete" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_create" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_application_update" />
+ <ref bean="entitlement_application_delete" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_create" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_role_update" />
+ <ref bean="entitlement_role_delete" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_create" />
+ <ref bean="entitlement_entitlement_read" />
+ <ref bean="entitlement_entitlement_update" />
+ <ref bean="entitlement_entitlement_delete" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_user"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="USER" />
+ <property name="description"
+ value="This is the user role with read access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_read" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_idp_login"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="IDP_LOGIN" />
+ <property name="description"
+ value="This is the IDP login role which is applied to Users during the IDP SSO" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ </util:list>
+ </property>
+ </bean>
+
+
+
+</beans>
+
diff --git a/systests/tomcat8/pom.xml b/systests/tomcat8/pom.xml
index 94de030..fda4dd8 100644
--- a/systests/tomcat8/pom.xml
+++ b/systests/tomcat8/pom.xml
@@ -174,6 +174,30 @@
</executions>
</plugin>
<plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>copy-entities-to-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF/classes</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realma</directory>
+ <includes>
+ <include>entities-realma.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
<artifactId>maven-failsafe-plugin</artifactId>
<inherited>true</inherited>
<executions>
diff --git a/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java b/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java
new file mode 100644
index 0000000..6fbcb0f
--- /dev/null
+++ b/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/TokenExpiryTest.java
@@ -0,0 +1,186 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.WebClient;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.LifecycleState;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.commons.io.IOUtils;
+import org.apache.cxf.fediz.tomcat8.FederationAuthenticator;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * Test what happens when the IdP token expires. This is "mocked" by setting wfresh to "0" in the plugin configuration.
+ */
+public class TokenExpiryTest {
+
+ static String idpHttpsPort;
+ static String rpHttpsPort;
+
+ private static Tomcat idpServer;
+ private static Tomcat rpServer;
+
+ @BeforeClass
+ public static void init() throws Exception {
+ idpHttpsPort = System.getProperty("idp.https.port");
+ Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+ rpHttpsPort = System.getProperty("rp.https.port");
+ Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+ idpServer = startServer(true, idpHttpsPort);
+ rpServer = startServer(false, rpHttpsPort);
+ }
+
+ private static Tomcat startServer(boolean idp, String port)
+ throws ServletException, LifecycleException, IOException {
+ Tomcat server = new Tomcat();
+ server.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ String baseDir = currentDir + File.separator + "target";
+ server.setBaseDir(baseDir);
+
+ if (idp) {
+ server.getHost().setAppBase("tomcat/idp/webapps");
+ } else {
+ server.getHost().setAppBase("tomcat/rp/webapps");
+ }
+ server.getHost().setAutoDeploy(true);
+ server.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(port));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ httpsConnector.setAttribute("keyAlias", "mytomidpkey");
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "want");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ server.getService().addConnector(httpsConnector);
+
+ if (idp) {
+ File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts");
+ server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath());
+
+ File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp");
+ server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath());
+ } else {
+ File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "simpleWebapp");
+ Context cxt = server.addWebapp("/fedizhelloworld_wfresh", rpWebapp.getAbsolutePath());
+
+ // Substitute the IDP port. Necessary if running the test in eclipse where port filtering doesn't seem
+ // to work
+ File f = new File(currentDir + "/src/test/resources/fediz_config.xml");
+ FileInputStream inputStream = new FileInputStream(f);
+ String content = IOUtils.toString(inputStream, "UTF-8");
+ inputStream.close();
+ if (content.contains("idp.https.port")) {
+ content = content.replaceAll("\\$\\{idp.https.port\\}", "" + idpHttpsPort);
+
+ File f2 = new File(baseDir + "/test-classes/fediz_config_exp.xml");
+ try (FileOutputStream outputStream = new FileOutputStream(f2)) {
+ IOUtils.write(content, outputStream, "UTF-8");
+ }
+ }
+
+ FederationAuthenticator fa = new FederationAuthenticator();
+ fa.setConfigFile(currentDir + File.separator + "target" + File.separator
+ + "test-classes" + File.separator + "fediz_config_exp.xml");
+ cxt.getPipeline().addValve(fa);
+ }
+
+ server.start();
+
+ return server;
+ }
+
+ @AfterClass
+ public static void cleanup() {
+ shutdownServer(idpServer);
+ shutdownServer(rpServer);
+ }
+
+ private static void shutdownServer(Tomcat server) {
+ try {
+ if (server != null && server.getServer() != null
+ && server.getServer().getState() != LifecycleState.DESTROYED) {
+ if (server.getServer().getState() != LifecycleState.STOPPED) {
+ server.stop();
+ }
+ server.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public String getIdpHttpsPort() {
+ return idpHttpsPort;
+ }
+
+ public String getRpHttpsPort() {
+ return rpHttpsPort;
+ }
+
+
+ @org.junit.Test
+ public void testTokenExpiry() throws Exception {
+ // 1. Login
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld_wfresh"
+ + "/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ CookieManager cookieManager = new CookieManager();
+
+ // 1. Login
+ HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+
+ // 2. Sign out of the service (but not the Idp)
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getPage(url + "?wa=wsignoutcleanup1.0");
+ webClient.close();
+
+ // 3. Sign back in to the service provider. This time it will get a new IdP token due to wfresh=0.
+ HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+ }
+}
diff --git a/systests/tomcat8/src/test/resources/fediz_config.xml b/systests/tomcat8/src/test/resources/fediz_config.xml
index dc30ea6..2699fd2 100644
--- a/systests/tomcat8/src/test/resources/fediz_config.xml
+++ b/systests/tomcat8/src/test/resources/fediz_config.xml
@@ -57,5 +57,40 @@
<logoutURL>/secure/logout</logoutURL>
<logoutRedirectTo>/index.html</logoutRedirectTo>
</contextConfig>
+ <contextConfig name="/fedizhelloworld_wfresh">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
+ <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
+ </signingKey>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>0</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+ <claimTypesRequested>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
</FedizConfig>
diff --git a/systests/tomcat8/src/test/resources/realma/entities-realma.xml b/systests/tomcat8/src/test/resources/realma/entities-realma.xml
new file mode 100644
index 0000000..bc02e1b
--- /dev/null
+++ b/systests/tomcat8/src/test/resources/realma/entities-realma.xml
@@ -0,0 +1,506 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-4.3.xsd">
+
+ <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+ <property name="uri" value="realma" />
+ <property name="provideIdpList" value="true" />
+ <property name="useCurrentIdp" value="true" />
+ <property name="certificate" value="stsKeystoreA.properties" />
+ <property name="certificatePassword" value="realma" />
+ <property name="stsUrl" value="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA" />
+ <property name="idpUrl" value="https://localhost:${idp.https.port}/fediz-idp/federation" />
+ <property name="rpSingleSignOutConfirmation" value="true"/>
+ <property name="supportedProtocols">
+ <util:list>
+ <value>http://docs.oasis-open.org/wsfed/federation/200706</value>
+ <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512</value>
+ </util:list>
+ </property>
+ <property name="tokenTypesOffered">
+ <util:list>
+ <value>urn:oasis:names:tc:SAML:1.0:assertion</value>
+ <value>urn:oasis:names:tc:SAML:2.0:assertion</value>
+ </util:list>
+ </property>
+ <property name="authenticationURIs">
+ <util:map>
+ <entry key="default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"
+ value="federation/krb" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+ value="federation/clientcert" />
+ </util:map>
+ </property>
+ <property name="serviceDisplayName" value="REALM A" />
+ <property name="serviceDescription" value="IDP of Realm A" />
+ <property name="applications">
+ <util:list>
+ <ref bean="srv-fedizhelloworld" />
+ <ref bean="srv-oidc" />
+ </util:list>
+ </property>
+ <property name="trustedIdps">
+ <util:list>
+ <ref bean="trusted-idp-realmB" />
+ </util:list>
+ </property>
+ <property name="claimTypesOffered">
+ <util:list>
+ <ref bean="claim_role" />
+ <ref bean="claim_surname" />
+ <ref bean="claim_givenname" />
+ <ref bean="claim_email" />
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="trusted-idp-realmB"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+ <property name="cacheTokens" value="true" />
+ <property name="url" value="https://localhost:12443/fediz-idp-remote/federation" />
+ <property name="certificate" value="realmb.cert" />
+ <property name="trustType" value="PEER_TRUST" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="federationType" value="FEDERATE_IDENTITY" />
+ <property name="name" value="Realm B" />
+ <property name="description" value="Realm B description" />
+ </bean>
+
+ <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Fedizhelloworld" />
+ <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
+ <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
+ </bean>
+
+ <bean id="srv-oidc" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:oidc" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="OIDC Provider" />
+ <property name="serviceDescription" value="OpenID Connect Provider" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/fediz-oidc/.*" />
+ <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
+ </bean>
+
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_role" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_givenname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_surname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_email" />
+ <property name="optional" value="false" />
+ </bean>
+
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-oidc" />
+ <property name="claim" ref="claim_role" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-oidc" />
+ <property name="claim" ref="claim_givenname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-oidc" />
+ <property name="claim" ref="claim_surname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-oidc" />
+ <property name="claim" ref="claim_email" />
+ <property name="optional" value="false" />
+ </bean>
+
+ <bean id="claim_role"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+ <property name="displayName"
+ value="role" />
+ <property name="description"
+ value="Description for role" />
+ </bean>
+ <bean id="claim_givenname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+ <property name="displayName"
+ value="firstname" />
+ <property name="description"
+ value="Description for firstname" />
+ </bean>
+ <bean id="claim_surname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+ <property name="displayName"
+ value="lastname" />
+ <property name="description"
+ value="Description for lastname" />
+ </bean>
+ <bean id="claim_email"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+ <property name="displayName"
+ value="email" />
+ <property name="description"
+ value="Description for email" />
+ </bean>
+
+
+ <bean id="entitlement_claim_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_LIST" />
+ <property name="description"
+ value="Description for CLAIM_LIST" />
+ </bean>
+ <bean id="entitlement_claim_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_CREATE" />
+ <property name="description"
+ value="Description for CLAIM_CREATE" />
+ </bean>
+ <bean id="entitlement_claim_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_READ" />
+ <property name="description"
+ value="Description for CLAIM_READ" />
+ </bean>
+ <bean id="entitlement_claim_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_UPDATE" />
+ <property name="description"
+ value="Description for CLAIM_UPDATE" />
+ </bean>
+ <bean id="entitlement_claim_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_DELETE" />
+ <property name="description"
+ value="Description for CLAIM_DELETE" />
+ </bean>
+
+ <bean id="entitlement_application_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_LIST" />
+ <property name="description"
+ value="Description for APPLICATION_LIST" />
+ </bean>
+ <bean id="entitlement_application_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_CREATE" />
+ <property name="description"
+ value="Description for APPLICATION_CREATE" />
+ </bean>
+ <bean id="entitlement_application_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_READ" />
+ <property name="description"
+ value="Description for APPLICATION_READ" />
+ </bean>
+ <bean id="entitlement_application_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_UPDATE" />
+ <property name="description"
+ value="Description for APPLICATION_UPDATE" />
+ </bean>
+ <bean id="entitlement_application_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_DELETE" />
+ <property name="description"
+ value="Description for APPLICATION_DELETE" />
+ </bean>
+
+ <bean id="entitlement_trustedidp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_LIST" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_LIST" />
+ </bean>
+ <bean id="entitlement_trustedidp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_CREATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_CREATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_READ" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_READ" />
+ </bean>
+ <bean id="entitlement_trustedidp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_UPDATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_DELETE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_idp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_LIST" />
+ <property name="description"
+ value="Description for IDP_LIST" />
+ </bean>
+ <bean id="entitlement_idp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_CREATE" />
+ <property name="description"
+ value="Description for IDP_CREATE" />
+ </bean>
+ <bean id="entitlement_idp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_READ" />
+ <property name="description"
+ value="Description for IDP_READ" />
+ </bean>
+ <bean id="entitlement_idp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_UPDATE" />
+ <property name="description"
+ value="Description for IDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_idp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_DELETE" />
+ <property name="description"
+ value="Description for IDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_role_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_LIST" />
+ <property name="description"
+ value="Description for ROLE_LIST" />
+ </bean>
+ <bean id="entitlement_role_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_CREATE" />
+ <property name="description"
+ value="Description for ROLE_CREATE" />
+ </bean>
+ <bean id="entitlement_role_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_READ" />
+ <property name="description"
+ value="Description for ROLE_READ" />
+ </bean>
+ <bean id="entitlement_role_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_UPDATE" />
+ <property name="description"
+ value="Description for ROLE_UPDATE" />
+ </bean>
+ <bean id="entitlement_role_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_DELETE" />
+ <property name="description"
+ value="Description for ROLE_DELETE" />
+ </bean>
+
+ <bean id="entitlement_entitlement_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_LIST" />
+ <property name="description"
+ value="Description for ENTITLEMENT_LIST" />
+ </bean>
+ <bean id="entitlement_entitlement_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_CREATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_CREATE" />
+ </bean>
+ <bean id="entitlement_entitlement_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_READ" />
+ <property name="description"
+ value="Description for ENTITLEMENT_READ" />
+ </bean>
+ <bean id="entitlement_entitlement_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_UPDATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_UPDATE" />
+ </bean>
+ <bean id="entitlement_entitlement_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_DELETE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_DELETE" />
+ </bean>
+
+ <bean id="role_admin"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="ADMIN" />
+ <property name="description"
+ value="This is the administrator role with full access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_create" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_claim_update" />
+ <ref bean="entitlement_claim_delete" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_create" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_idp_update" />
+ <ref bean="entitlement_idp_delete" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_create" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_trustedidp_update" />
+ <ref bean="entitlement_trustedidp_delete" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_create" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_application_update" />
+ <ref bean="entitlement_application_delete" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_create" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_role_update" />
+ <ref bean="entitlement_role_delete" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_create" />
+ <ref bean="entitlement_entitlement_read" />
+ <ref bean="entitlement_entitlement_update" />
+ <ref bean="entitlement_entitlement_delete" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_user"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="USER" />
+ <property name="description"
+ value="This is the user role with read access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_read" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_idp_login"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="IDP_LOGIN" />
+ <property name="description"
+ value="This is the IDP login role which is applied to Users during the IDP SSO" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ </util:list>
+ </property>
+ </bean>
+
+
+
+</beans>
+
--
To stop receiving notification emails like this one, please contact
['"commits@cxf.apache.org" <co...@cxf.apache.org>'].