Posted to commits@cxf.apache.org by co...@apache.org on 2017/01/25 15:32:22 UTC
[1/2] cxf-fediz git commit: Adding initial test for passing custom RST parameter between the IdP + STS
Repository: cxf-fediz
Updated Branches:
refs/heads/master 0bca89ba3 -> c38f6b781
Adding initial test for passing custom RST parameter between the IdP + STS
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/16f24957
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/16f24957
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/16f24957
Branch: refs/heads/master
Commit: 16f249576922a617c2d88cca7d53a7496eed3935
Parents: 0bca89b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Jan 25 15:12:58 2017 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Jan 25 15:12:58 2017 +0000
----------------------------------------------------------------------
.../service/idp/STSAuthenticationProvider.java | 10 ++
.../idp/STSUPAuthenticationProvider.java | 13 +++
systests/idp/pom.xml | 19 ++++
.../apache/cxf/fediz/systests/idp/IdpTest.java | 64 +++++++++++++
.../resources/realma/security-up-config.xml | 98 ++++++++++++++++++++
5 files changed, 204 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
index 9938b7d..4e8ed11 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
@@ -83,6 +83,8 @@ public abstract class STSAuthenticationProvider implements AuthenticationProvide
protected Map<String, Object> properties = new HashMap<>();
+ private String customSTSParameter;
+
protected List<GrantedAuthority> createAuthorities(SecurityToken token) throws WSSecurityException {
List<GrantedAuthority> authorities = new ArrayList<>();
//authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));
@@ -285,6 +287,14 @@ public abstract class STSAuthenticationProvider implements AuthenticationProvide
this.use200502Namespace = use200502Namespace;
}
+ public String getCustomSTSParameter() {
+ return customSTSParameter;
+ }
+
+ public void setCustomSTSParameter(String customSTSParameter) {
+ this.customSTSParameter = customSTSParameter;
+ }
+
//May be uncommented for debugging
// private void setTimeout(Client client, Long timeout) {
// HTTPConduit conduit = (HTTPConduit) client.getConduit();
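Review bot: The new `getCustomSTSParameter`/`setCustomSTSParameter` accessors (and the `customSTSParameter` field added in the previous hunk) carry no Javadoc, so a deployer who sets the `customSTSParameter` property in Spring config has nothing in the code saying what the value means. From the subclass change in this commit, the value is the name of an HTTP request parameter whose content is forwarded to the STS via `setCustomContent`, so I would put above the setter something like `/** Name of an HTTP request parameter whose value, when present on the login request, is forwarded verbatim to the STS as custom RST content. Null (the default) disables this. */`. Because that content is client-supplied, the comment should also state that validating it is the STS's responsibility, which the systest's expectation of a 401 for an unknown realm presumably relies on. The commented-out `setTimeout` helper below continues outside the hunk.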
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
index d9be1b4..6e9130c 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
@@ -20,6 +20,7 @@ package org.apache.cxf.fediz.service.idp;
import java.util.List;
+import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import org.apache.cxf.Bus;
@@ -32,6 +33,8 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
/**
* An authentication provider to authenticate a Username/Password to the STS
@@ -81,6 +84,16 @@ public class STSUPAuthenticationProvider extends STSAuthenticationProvider {
sts.getProperties().put(SecurityConstants.PASSWORD, (String)usernamePasswordToken.getCredentials());
try {
+
+ if (getCustomSTSParameter() != null) {
+ HttpServletRequest request =
+ ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
+ String authRealmParameter = request.getParameter(getCustomSTSParameter());
+ LOG.debug("Found {} custom STS parameter {}", getCustomSTSParameter(), authRealmParameter);
+ if (authRealmParameter != null) {
+ sts.setCustomContent(authRealmParameter);
+ }
+ }
// Line below may be uncommented for debugging
// setTimeout(sts.getClient(), 3600000L);
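Review bot: The value read on the `request.getParameter(getCustomSTSParameter())` line is client-controlled and is passed to `sts.setCustomContent(authRealmParameter)` with nothing more than a null check, so an empty string, an oversized value or arbitrary characters all reach the STS request unchanged. Whether that is acceptable depends on how `setCustomContent` embeds the string in the RST, which is outside this hunk; if it is parsed as XML (the systest sends a `<realm>` element), the parser configuration used there is what keeps external entities and entity expansion out, and that is worth confirming. At minimum I would treat blank values as absent, `if (authRealmParameter != null && !authRealmParameter.trim().isEmpty()) {`, and keep the debug log to the parameter name rather than the full client-supplied value. `RequestContextHolder.currentRequestAttributes()` throws `IllegalStateException` when no request is bound to the thread, and the `ServletRequestAttributes` cast can fail outside a servlet context, both of which would surface as an unexplained server error rather than an authentication failure, so checking `RequestContextHolder.getRequestAttributes()` for null first would be clearer. The enclosing method starts and ends outside the hunk.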
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/systests/idp/pom.xml
----------------------------------------------------------------------
diff --git a/systests/idp/pom.xml b/systests/idp/pom.xml
index f9319cc..66eddcb 100644
--- a/systests/idp/pom.xml
+++ b/systests/idp/pom.xml
@@ -188,6 +188,25 @@
</resources>
</configuration>
</execution>
+ <execution>
+ <id>copy-customised-spring-sec-to-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF/config</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realma</directory>
+ <includes>
+ <include>security-up-config.xml</include>
+ </includes>
+ <filtering>false</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
</executions>
</plugin>
<plugin>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index b8c0e50..1e58d82 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -914,4 +914,68 @@ public class IdpTest {
webClient.close();
}
+
+ // Test a custom parameter that gets passed through to the STS
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testCustomParameter() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
+ String user = "alice";
+ String password = "ecila";
+
+ // Successful test
+ WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+
+ String authUrl = url + "&auth_realm="
+ + URLEncoder.encode("<realm xmlns=\"http://cxf.apache.org/custom\">custom-realm</realm>", "UTF-8");
+ HtmlPage idpPage = webClient.getPage(authUrl);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Parse the form to get the token (wresult)
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ String wresult = null;
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ wresult = result.getAttributeNS(null, "value");
+ break;
+ }
+ }
+
+ Assert.assertNotNull(wresult);
+
+ webClient.close();
+
+ // Unsuccessful test
+ webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ authUrl = url + "&auth_realm="
+ + URLEncoder.encode("<realm xmlns=\"http://cxf.apache.org/custom\">unknown-realm</realm>", "UTF-8");
+ try {
+ webClient.getPage(authUrl);
+ Assert.fail("Failure expected on a bad auth_realm value");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 401);
+ }
+
+ webClient.close();
+ }
}
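Review bot: `Assert.assertEquals(ex.getStatusCode(), 401)` in the unsuccessful half has its arguments reversed, since JUnit takes the expected value first, so a failure would report expected and actual swapped; it should read `Assert.assertEquals(401, ex.getStatusCode());`. `@org.junit.Ignore` gives no reason, leaving the next reader to guess whether the test is broken or waiting on the `security-up-config.xml` override to be wired up, so `@org.junit.Ignore("<reason>")` would record that. Each `WebClient` is only closed on the success path, so any assertion failure in between leaks it; if the HtmlUnit version in use makes `WebClient` `AutoCloseable`, `try (WebClient webClient = new WebClient()) { ... }` around each half is tidier, otherwise a `try`/`finally`.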
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16f24957/systests/idp/src/test/resources/realma/security-up-config.xml
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/resources/realma/security-up-config.xml b/systests/idp/src/test/resources/realma/security-up-config.xml
new file mode 100644
index 0000000..5227fd2
--- /dev/null
+++ b/systests/idp/src/test/resources/realma/security-up-config.xml
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-4.3.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-4.3.xsd
+ ">
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>
+
+ <!-- HTTP/BA entry point for WS-Federation -->
+ <security:http pattern="/federation/up/**" use-expressions="true">
+ <security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous() or isAuthenticated()" />
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:custom-filter before="BASIC_AUTH_FILTER" ref="requestContextFilter"/>
+
+ <security:http-basic />
+ <!--security:form-login login-page='/federation/up/login'
+ login-processing-url="/federation/up/login.do"
+ authentication-failure-url="/federation/up/login?error"
+ default-target-url="/"
+ username-parameter="username"
+ password-parameter="password"
+ /-->
+ <security:logout logout-url="/federation/up/logout"
+ logout-success-url="/federation/up/login?out"
+ delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
+ invalidate-session="true"
+ />
+ </security:http>
+
+ <!-- HTTP/BA entry point for SAML SSO -->
+ <security:http pattern="/saml/up/**" use-expressions="true">
+ <security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous() or isAuthenticated()" />
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:http-basic />
+ <!--security:form-login login-page='/federation/up/login'
+ login-processing-url="/federation/up/login.do"
+ authentication-failure-url="/federation/up/login?error"
+ default-target-url="/"
+ username-parameter="username"
+ password-parameter="password"
+ /-->
+ <security:logout logout-url="/saml/up/logout"
+ logout-success-url="/saml/up/login?out"
+ delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
+ invalidate-session="true"
+ />
+ </security:http>
+
+ <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsUPAuthProvider" />
+ </bean>
+
+ <!-- U/P Authentication Provider -->
+ <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl" />
+ <property name="wsdlEndpoint" value="TransportUT_Port" />
+ <property name="wsdlService" value="SecurityTokenService" />
+ <property name="appliesTo" value="urn:fediz:idp" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="customSTSParameter" value="auth_realm" />
+ </bean>
+
+</beans>
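Review bot: The `/saml/up/**` chain (the second `security:http` element) does not register `requestContextFilter`, while the `/federation/up/**` chain does via `<security:custom-filter before="BASIC_AUTH_FILTER" ref="requestContextFilter"/>`; with `customSTSParameter` set on `stsUPAuthProvider`, the provider now calls `RequestContextHolder.currentRequestAttributes()`, which needs a request bound to the thread, so SAML SSO basic-auth logins through this config would presumably fail with an `IllegalStateException` unless something else binds it. Adding the same custom-filter line to the SAML chain, or a comment explaining why it is intentionally left out, would keep the two chains consistent. Since the pom change copies this file over the IdP's stock `WEB-INF/config/security-up-config.xml` during the systest build, a one-line comment at the top saying it is a test-only override that enables `customSTSParameter` would help whoever finds it in the deployed webapp.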
[2/2] cxf-fediz git commit: Updating Tomcat
Posted by co...@apache.org.
Updating Tomcat
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/c38f6b78
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/c38f6b78
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/c38f6b78
Branch: refs/heads/master
Commit: c38f6b7811e8bdd0b07f8651bd41e25e921bbafc
Parents: 16f2495
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Jan 25 15:13:20 2017 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Jan 25 15:13:20 2017 +0000
----------------------------------------------------------------------
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c38f6b78/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index c95c555..6e359a2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -67,8 +67,8 @@
<slf4j.version>1.7.22</slf4j.version>
<spring.version>4.3.5.RELEASE</spring.version>
<spring.security.version>3.2.10.RELEASE</spring.security.version>
- <tomcat7.version>7.0.73</tomcat7.version>
- <tomcat8.version>8.0.39</tomcat8.version>
+ <tomcat7.version>7.0.75</tomcat7.version>
+ <tomcat8.version>8.0.41</tomcat8.version>
<wss4j.version>2.1.8</wss4j.version>
<tomcat.url>http://localhost:8080/manager/text</tomcat.url>