Posted to commits@cxf.apache.org by co...@apache.org on 2017/08/09 14:27:30 UTC
[1/5] cxf-fediz git commit: Return the IdP metadata if no realm is
specified.
Repository: cxf-fediz
Updated Branches:
refs/heads/master 947f73d11 -> 2db18ceff
Return the IdP metadata if no realm is specified.
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/cb4a0995
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/cb4a0995
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/cb4a0995
Branch: refs/heads/master
Commit: cb4a0995995126397c66a832eda972bb728b6592
Parents: 947f73d
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Aug 9 10:26:38 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Aug 9 10:26:38 2017 +0100
----------------------------------------------------------------------
.../cxf/fediz/service/idp/MetadataServlet.java | 20 +++++++++---
.../apache/cxf/fediz/systests/idp/IdpTest.java | 33 ++++++++++++++++++++
2 files changed, 48 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cb4a0995/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
index dca1b46..1077f8b 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
@@ -63,15 +63,25 @@ public class MetadataServlet extends HttpServlet {
Idp idpConfig = cs.getIDP(realm);
try {
if (request.getServletPath() != null && request.getServletPath().startsWith("/metadata")) {
- String serviceRealm =
+ String parsedRealm =
request.getRequestURI().substring(request.getRequestURI().indexOf("/metadata")
+ "/metadata".length());
- if (serviceRealm != null && serviceRealm.charAt(0) == '/') {
- serviceRealm = serviceRealm.substring(1);
+ if (parsedRealm != null && !parsedRealm.isEmpty() && parsedRealm.charAt(0) == '/') {
+ parsedRealm = parsedRealm.substring(1);
}
- TrustedIdp trustedIdp = idpConfig.findTrustedIdp(serviceRealm);
+
+ // Default to writing out the metadata for the IdP
+ if (idpConfig.getRealm().equals(parsedRealm) || parsedRealm == null || parsedRealm.isEmpty()) {
+ IdpMetadataWriter mw = new IdpMetadataWriter();
+ Document metadata = mw.getMetaData(idpConfig);
+ out.write(DOM2Writer.nodeToString(metadata));
+ return;
+ }
+
+ // Otherwise try to find the metadata for the trusted third party IdP
+ TrustedIdp trustedIdp = idpConfig.findTrustedIdp(parsedRealm);
if (trustedIdp == null) {
- LOG.error("No TrustedIdp found for desired realm: " + serviceRealm);
+ LOG.error("No TrustedIdp found for desired realm: " + parsedRealm);
response.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
}
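Review bot: The new default-branch condition calls `idpConfig.getRealm().equals(parsedRealm)` before the `parsedRealm == null || parsedRealm.isEmpty()` checks that follow it, so an IdP entry whose realm is unset throws a NullPointerException into the surrounding catch instead of serving its own metadata; evaluate the cheap checks first and keep the dereference on the safe side: `if (parsedRealm == null || parsedRealm.isEmpty() || parsedRealm.equals(idpConfig.getRealm())) {`. The realm is also cut out of `request.getRequestURI()`, which the Servlet API returns undecoded, so a percent-encoded realm will not match the configured one and falls through to the TrustedIdp lookup and a 400; a one-line comment such as `// realm is compared against the raw (undecoded) request path` would save the next reader a debugging session. The enclosing doGet starts before this hunk.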
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cb4a0995/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index d01ea3f..70db9ee 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -290,6 +290,39 @@ public class IdpTest {
}
@Test
+ public void testIdPMetadataDefault() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort()
+ + "/fediz-idp/metadata";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getOptions().setSSLClientCertificate(
+ this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
+
+ final XmlPage rpPage = webClient.getPage(url);
+ final String xmlContent = rpPage.asXml();
+ Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
+
+ // Now validate the Signature
+ Document doc = rpPage.getXmlDocument();
+
+ doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
+
+ Node signatureNode =
+ DOMUtils.getChild(doc.getDocumentElement(), "Signature");
+ Assert.assertNotNull(signatureNode);
+
+ XMLSignature signature = new XMLSignature((Element)signatureNode, "");
+ KeyInfo ki = signature.getKeyInfo();
+ Assert.assertNotNull(ki);
+ Assert.assertNotNull(ki.getX509Certificate());
+
+ Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
+
+ webClient.close();
+ }
+
+ @Test
public void testIdPServiceMetadata() throws Exception {
String url = "https://localhost:" + getIdpHttpsPort()
+ "/fediz-idp/metadata/urn:org:apache:cxf:fediz:idp:realm-B";
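Review bot: `signature.checkSignatureValue(ki.getX509Certificate())` verifies the signature with the certificate carried inside the metadata's own KeyInfo, so any self-consistently signed document passes; the test should pin the expected signer, e.g. load the IdP certificate from the test keystore and assert `Assert.assertEquals(expectedIdpCert, ki.getX509Certificate());` before the signature-value check. `webClient.close()` is also only reached when every assertion passes, so a failing run leaks the client; a try/finally around the body (WebClient exposes `close()`) fixes that. The test method is complete within the hunk.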
[3/5] cxf-fediz git commit: Fixing tests
Posted by co...@apache.org.
Fixing tests
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/110cac03
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/110cac03
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/110cac03
Branch: refs/heads/master
Commit: 110cac03b7b57e6a1c6d2d50cacafe5e3470a5eb
Parents: cd97dae
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Aug 9 12:39:19 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Aug 9 12:39:19 2017 +0100
----------------------------------------------------------------------
.../idp/beans/samlsso/SamlResponseCreator.java | 15 +++++++++++++--
.../src/test/resources/realmb/idp-servlet.xml | 4 ++++
.../wsfed/src/test/resources/realmb/idp-servlet.xml | 4 ++++
3 files changed, 21 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/110cac03/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
index d5a13a2..6824202 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
@@ -66,6 +66,7 @@ public class SamlResponseCreator {
private static final Logger LOG = LoggerFactory.getLogger(SamlResponseCreator.class);
private boolean supportDeflateEncoding;
+ private boolean useRealmForIssuer;
public String createSAMLResponse(RequestContext context, Idp idp, Element rpToken,
String consumerURL, String requestId, String requestIssuer)
@@ -100,7 +101,8 @@ public class SamlResponseCreator {
String remoteAddr, String racs) throws Exception {
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
- callbackHandler.setIssuer(idp.getIdpUrl().toString());
+ String issuer = useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString();
+ callbackHandler.setIssuer(issuer);
callbackHandler.setSubject(receivedToken.getSaml2().getSubject());
// Test Subject against received Subject (if applicable)
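Review bot: With `useRealmForIssuer` set the assertion `Issuer` becomes `idp.getRealm()`, whereas the SAML metadata written later in this series sets `entityID` to `config.getIdpUrl().toString()`; relying parties that compare the Issuer against the metadata entityID will then reject the response, so the flag needs a comment here or in its Javadoc stating that it is only for RPs that were configured with the realm as the IdP identifier. The same ternary appears again in the next hunk when the Response Issuer is built; a private helper, `private String issuer(Idp idp) { return useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString(); }`, keeps assertion and response Issuer from drifting apart. The enclosing method starts before this hunk.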
@@ -153,8 +155,9 @@ public class SamlResponseCreator {
SAML2PResponseComponentBuilder.createStatus(
"urn:oasis:names:tc:SAML:2.0:status:Success", null
);
+ String issuer = useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString();
Response response =
- SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getIdpUrl().toString(), status);
+ SAML2PResponseComponentBuilder.createSAMLResponse(requestID, issuer, status);
response.getAssertions().add(assertion);
@@ -185,4 +188,12 @@ public class SamlResponseCreator {
public void setSupportDeflateEncoding(boolean supportDeflateEncoding) {
this.supportDeflateEncoding = supportDeflateEncoding;
}
+
+ public boolean isUseRealmForIssuer() {
+ return useRealmForIssuer;
+ }
+
+ public void setUseRealmForIssuer(boolean useRealmForIssuer) {
+ this.useRealmForIssuer = useRealmForIssuer;
+ }
}
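Review bot: The new `useRealmForIssuer` property is a public configuration switch with no documentation, and its default of `false` changes the Issuer that existing deployments emit compared with the previous release. Add Javadoc to the setter, e.g. `/** If true, the SAML Response and Assertion Issuer is the IdP realm; by default it is the IdP URL, which matches the entityID published in the IdP metadata. */`.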
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/110cac03/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
index c556808..479c493 100644
--- a/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
+++ b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
@@ -36,5 +36,9 @@
<property name="wsdlEndpoint" value="Transport_Port" />
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
</bean>
+
+ <bean id="samlResponseCreator" class="org.apache.cxf.fediz.service.idp.beans.samlsso.SamlResponseCreator">
+ <property name="useRealmForIssuer" value="true"/>
+ </bean>
</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/110cac03/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml b/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
index c556808..8c44885 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
@@ -37,4 +37,8 @@
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
</bean>
+ <bean id="samlResponseCreator" class="org.apache.cxf.fediz.service.idp.beans.samlsso.SamlResponseCreator">
+ <property name="useRealmForIssuer" value="true"/>
+ </bean>
+
</beans>
[4/5] cxf-fediz git commit: FEDIZ-205 - Support creating IdP Metadata
for SAML SSO
Posted by co...@apache.org.
FEDIZ-205 - Support creating IdP Metadata for SAML SSO
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4808a7b4
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4808a7b4
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4808a7b4
Branch: refs/heads/master
Commit: 4808a7b49a7948e459c57d7ba1d228ea873cdcd7
Parents: 110cac0
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Aug 9 12:41:34 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Aug 9 12:41:34 2017 +0100
----------------------------------------------------------------------
.../cxf/fediz/service/idp/MetadataServlet.java | 9 +-
.../service/idp/metadata/IdpMetadataWriter.java | 89 +++++++++++++++++---
.../cxf/fediz/systests/samlsso/IdpTest.java | 38 +++++++++
3 files changed, 121 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4808a7b4/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
index 1077f8b..f09bd08 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
@@ -52,7 +52,6 @@ public class MetadataServlet extends HttpServlet {
private ApplicationContext applicationContext;
private String realm;
-
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException,
IOException {
@@ -62,6 +61,8 @@ public class MetadataServlet extends HttpServlet {
ConfigService cs = (ConfigService)getApplicationContext().getBean("config");
Idp idpConfig = cs.getIDP(realm);
try {
+ boolean isSamlRequest = request.getQueryString() != null
+ && request.getQueryString().contains("protocol=saml");
if (request.getServletPath() != null && request.getServletPath().startsWith("/metadata")) {
String parsedRealm =
request.getRequestURI().substring(request.getRequestURI().indexOf("/metadata")
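Review bot: `request.getQueryString().contains("protocol=saml")` is a substring match on the raw query string, so `?xprotocol=saml2` or `?protocol=samlx` select the SAML metadata while a URL-encoded value does not; use the parsed parameter instead: `boolean isSamlRequest = "saml".equals(request.getParameter("protocol"));`. The two branches that consume the flag are in the following hunks; doGet starts before this one.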
@@ -73,7 +74,7 @@ public class MetadataServlet extends HttpServlet {
// Default to writing out the metadata for the IdP
if (idpConfig.getRealm().equals(parsedRealm) || parsedRealm == null || parsedRealm.isEmpty()) {
IdpMetadataWriter mw = new IdpMetadataWriter();
- Document metadata = mw.getMetaData(idpConfig);
+ Document metadata = mw.getMetaData(idpConfig, isSamlRequest);
out.write(DOM2Writer.nodeToString(metadata));
return;
}
@@ -92,7 +93,7 @@ public class MetadataServlet extends HttpServlet {
// Otherwise return the Metadata for the Idp
LOG.debug(idpConfig.toString());
IdpMetadataWriter mw = new IdpMetadataWriter();
- Document metadata = mw.getMetaData(idpConfig);
+ Document metadata = mw.getMetaData(idpConfig, isSamlRequest);
out.write(DOM2Writer.nodeToString(metadata));
}
} catch (Exception ex) {
@@ -118,4 +119,6 @@ public class MetadataServlet extends HttpServlet {
return applicationContext;
}
+
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4808a7b4/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
index 97bcfcb..44eb6cb 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
@@ -46,8 +46,11 @@ public class IdpMetadataWriter {
private static final Logger LOG = LoggerFactory.getLogger(IdpMetadataWriter.class);
- //CHECKSTYLE:OFF
- public Document getMetaData(Idp config) throws RuntimeException {
+ public Document getMetaData(Idp config) {
+ return getMetaData(config, false);
+ }
+
+ public Document getMetaData(Idp config, boolean saml) {
try {
//Return as text/xml
Crypto crypto = CertsUtils.getCryptoFromFile(config.getCertificate());
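Review bot: The two-argument `getMetaData(Idp config, boolean saml)` is the new public entry point and has no Javadoc; the flag decides which role descriptor the EntityDescriptor carries, which callers cannot tell from the name. Suggested: `/** Builds and signs the IdP EntityDescriptor; with saml=true it contains an IDPSSODescriptor for SAML SSO, otherwise the WS-Federation RoleDescriptor. */`. The `//CHECKSTYLE:OFF` marker was removed here; if a matching `//CHECKSTYLE:ON` still sits further down the file (outside this hunk) it should go too, or checkstyle will report an unmatched directive.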
@@ -63,12 +66,13 @@ public class IdpMetadataWriter {
writer.writeAttribute("entityID", config.getIdpUrl().toString());
writer.writeNamespace("md", SAML2_METADATA_NS);
- writer.writeNamespace("fed", WS_FEDERATION_NS);
- writer.writeNamespace("wsa", WS_ADDRESSING_NS);
- writer.writeNamespace("auth", WS_FEDERATION_NS);
writer.writeNamespace("xsi", SCHEMA_INSTANCE_NS);
- writeFederationMetadata(writer, config, crypto);
+ if (saml) {
+ writeSAMLSSOMetadata(writer, config, crypto);
+ } else {
+ writeFederationMetadata(writer, config, crypto);
+ }
writer.writeEndElement(); // EntityDescriptor
@@ -101,13 +105,17 @@ public class IdpMetadataWriter {
XMLStreamWriter writer, Idp config, Crypto crypto
) throws XMLStreamException {
+ writer.writeNamespace("fed", WS_FEDERATION_NS);
+ writer.writeNamespace("wsa", WS_ADDRESSING_NS);
+ writer.writeNamespace("auth", WS_FEDERATION_NS);
+
writer.writeStartElement("md", "RoleDescriptor", WS_FEDERATION_NS);
writer.writeAttribute(SCHEMA_INSTANCE_NS, "type", "fed:SecurityTokenServiceType");
writer.writeAttribute("protocolSupportEnumeration", WS_FEDERATION_NS);
- if (config.getServiceDescription() != null && config.getServiceDescription().length() > 0 ) {
+ if (config.getServiceDescription() != null && config.getServiceDescription().length() > 0) {
writer.writeAttribute("ServiceDescription", config.getServiceDescription());
}
- if (config.getServiceDisplayName() != null && config.getServiceDisplayName().length() > 0 ) {
+ if (config.getServiceDisplayName() != null && config.getServiceDisplayName().length() > 0) {
writer.writeAttribute("ServiceDisplayName", config.getServiceDisplayName());
}
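Review bot: The moved declaration `writer.writeNamespace("auth", WS_FEDERATION_NS)` binds the `auth` prefix to the same URI as `fed`; if `auth` is intended for the WS-Federation authorization namespace (`http://docs.oasis-open.org/wsfed/authorization/200706`) the constant is wrong, and if no element in writeFederationMetadata uses the prefix the line can simply be dropped. This is pre-existing code, but now that it is emitted only on the federation path this hunk is the natural place to sort it out; writeFederationMetadata continues past the hunk.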
@@ -115,11 +123,12 @@ public class IdpMetadataWriter {
//missing organization, contactperson
//KeyDescriptor
- writer.writeStartElement("", "KeyDescriptor", SAML2_METADATA_NS);
+ writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
writer.writeAttribute("use", "signing");
- writer.writeStartElement("", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
- writer.writeStartElement("", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
- writer.writeStartElement("", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
+ writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
+ writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+ writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
+ writer.writeStartElement("ds", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
try {
String keyAlias = crypto.getDefaultX509Identifier();
@@ -176,5 +185,61 @@ public class IdpMetadataWriter {
writer.writeEndElement(); // RoleDescriptor
}
+ private void writeSAMLSSOMetadata(
+ XMLStreamWriter writer, Idp config, Crypto crypto
+ ) throws XMLStreamException {
+
+ writer.writeStartElement("md", "IDPSSODescriptor", SAML2_METADATA_NS);
+ writer.writeAttribute("WantAuthnRequestsSigned", "true");
+ writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");
+
+ //KeyDescriptor
+ writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
+ writer.writeAttribute("use", "signing");
+ writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
+ writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+ writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
+ writer.writeStartElement("ds", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
+
+ try {
+ String keyAlias = crypto.getDefaultX509Identifier();
+ X509Certificate cert = CertsUtils.getX509CertificateFromCrypto(crypto, keyAlias);
+ writer.writeCharacters(Base64.encode(cert.getEncoded()));
+ } catch (Exception ex) {
+ LOG.error("Failed to add certificate information to metadata. Metadata incomplete", ex);
+ }
+
+ writer.writeEndElement(); // X509Certificate
+ writer.writeEndElement(); // X509Data
+ writer.writeEndElement(); // KeyInfo
+ writer.writeEndElement(); // KeyDescriptor
+
+
+ writer.writeStartElement("md", "NameIDFormat", SAML2_METADATA_NS);
+ writer.writeCharacters("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
+ writer.writeEndElement(); // NameIDFormat
+
+ writer.writeStartElement("md", "NameIDFormat", SAML2_METADATA_NS);
+ writer.writeCharacters("urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");
+ writer.writeEndElement(); // NameIDFormat
+
+ writer.writeStartElement("md", "NameIDFormat", SAML2_METADATA_NS);
+ writer.writeCharacters("urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress");
+ writer.writeEndElement(); // NameIDFormat
+
+ // SingleSignOnService
+ writer.writeStartElement("md", "SingleSignOnService", SAML2_METADATA_NS);
+ writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
+ writer.writeAttribute("Location", config.getIdpUrl().toString());
+ writer.writeEndElement(); // SingleSignOnService
+
+ // SingleSignOnService
+ writer.writeStartElement("md", "SingleSignOnService", SAML2_METADATA_NS);
+ writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+ writer.writeAttribute("Location", config.getIdpUrl().toString());
+ writer.writeEndElement(); // SingleSignOnService
+
+ writer.writeEndElement(); // IDPSSODescriptor
+ }
}
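Review bot: When the certificate lookup fails, writeSAMLSSOMetadata logs and keeps going, so the IdP serves a signed EntityDescriptor whose `<ds:X509Certificate>` is empty; a relying party that imports it gets an IDPSSODescriptor with no signing key, which is much harder to diagnose than a failed request. Rethrow from the catch instead: `throw new XMLStreamException("Failed to add certificate information to metadata", ex);` (the method already declares XMLStreamException and getMetaData wraps its body in a try). `WantAuthnRequestsSigned="true"` is also hard-coded; if this IdP does not actually reject unsigned AuthnRequests the metadata overstates the contract, so either derive it from the Idp configuration or add a comment stating that signed requests are enforced.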
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4808a7b4/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java
index 6542eed..d0fa7b9 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java
@@ -37,6 +37,7 @@ import javax.servlet.ServletException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import com.gargoylesoftware.htmlunit.CookieManager;
import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
@@ -47,6 +48,7 @@ import com.gargoylesoftware.htmlunit.html.DomElement;
import com.gargoylesoftware.htmlunit.html.DomNodeList;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.util.NameValuePair;
+import com.gargoylesoftware.htmlunit.xml.XmlPage;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleState;
@@ -68,10 +70,12 @@ import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Base64;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
+import org.junit.Test;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.SignableSAMLObject;
@@ -216,6 +220,40 @@ public class IdpTest {
}
*/
+
+ @Test
+ public void testIdPMetadata() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort()
+ + "/fediz-idp/metadata?protocol=saml";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getOptions().setSSLClientCertificate(
+ this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
+
+ final XmlPage rpPage = webClient.getPage(url);
+ final String xmlContent = rpPage.asXml();
+ Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
+
+ // Now validate the Signature
+ Document doc = rpPage.getXmlDocument();
+
+ doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
+
+ Node signatureNode =
+ DOMUtils.getChild(doc.getDocumentElement(), "Signature");
+ Assert.assertNotNull(signatureNode);
+
+ XMLSignature signature = new XMLSignature((Element)signatureNode, "");
+ org.apache.xml.security.keys.KeyInfo ki = signature.getKeyInfo();
+ Assert.assertNotNull(ki);
+ Assert.assertNotNull(ki.getX509Certificate());
+
+ Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
+
+ webClient.close();
+ }
+
@org.junit.Test
public void testSuccessfulInvokeOnIdP() throws Exception {
OpenSAMLUtil.initSamlEngine();
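Review bot: testIdPMetadata only asserts that the root is `md:EntityDescriptor` and that the signature verifies, both of which the WS-Federation metadata also satisfies, so it does not show that the `protocol=saml` branch was taken; add `Assert.assertNotNull(DOMUtils.getChild(doc.getDocumentElement(), "IDPSSODescriptor"));` after the signature check. As in the sibling test, the signature is checked against the certificate embedded in the document rather than a pinned IdP certificate, and `webClient.close()` is skipped when an assertion fails; a try/finally around the body fixes the latter.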
[5/5] cxf-fediz git commit: Fix to default to taking the RACS URL
from the application configuration.
Posted by co...@apache.org.
Fix to default to taking the RACS URL from the application configuration.
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/2db18cef
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/2db18cef
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/2db18cef
Branch: refs/heads/master
Commit: 2db18ceffdd1c6547e6a589d7ce3bd798eda5ed5
Parents: 4808a7b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Aug 9 15:25:45 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Aug 9 15:25:45 2017 +0100
----------------------------------------------------------------------
.../fediz/service/idp/beans/EndpointAddressValidator.java | 4 ++--
.../service/idp/beans/samlsso/AuthnRequestParser.java | 10 ++++++++++
2 files changed, 12 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2db18cef/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
index de193b8..6a19554 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
@@ -46,7 +46,7 @@ public class EndpointAddressValidator {
Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
Application serviceConfig = idpConfig.findApplication(realm);
if (serviceConfig == null) {
- LOG.warn("No service config found for " + realm);
+ LOG.warn("No service config found for {}", realm);
return false;
}
@@ -66,7 +66,7 @@ public class EndpointAddressValidator {
Application serviceConfig = idpConfig.findApplication(realm);
if (serviceConfig == null) {
- LOG.warn("No service config found for " + realm);
+ LOG.warn("No service config found for {}", realm);
return false;
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2db18cef/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
index 3110eb1..92d0d7a 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
@@ -131,6 +131,16 @@ public class AuthnRequestParser {
}
LOG.debug("No AuthnRequest available to be parsed");
+
+ Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
+ String realm = retrieveRealm(context);
+ Application serviceConfig = idpConfig.findApplication(realm);
+ if (serviceConfig != null) {
+ String racs = serviceConfig.getPassiveRequestorEndpoint();
+ LOG.debug("Attempting to use the configured passive requestor endpoint instead: {}", racs);
+ return racs;
+ }
+
return null;
}
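Review bot: The new fallback changes where the RACS comes from when no AuthnRequest is present, from a value parsed out of the request to the endpoint statically configured for the application, and that is the property a security reviewer wants stated; add a comment before the lookup, e.g. `// No AuthnRequest to parse (e.g. IdP-initiated SSO): use the endpoint configured for this application rather than anything request-supplied.` `retrieveRealm(context)` may return null here, in which case `findApplication(null)` decides the outcome; if a null realm is possible on this path, guard it before the lookup. The enclosing method starts before this hunk.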
[2/5] cxf-fediz git commit: Switch the SAML issuer to be the IDP URL
as opposed to the realm
Posted by co...@apache.org.
Switch the SAML issuer to be the IDP URL as opposed to the realm
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/cd97daed
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/cd97daed
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/cd97daed
Branch: refs/heads/master
Commit: cd97daed2705105fb960bfbe8adccab3d5870be4
Parents: cb4a099
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Aug 9 11:45:37 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Aug 9 12:39:14 2017 +0100
----------------------------------------------------------------------
.../cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cd97daed/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
index dd0d65e..d5a13a2 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
@@ -100,7 +100,7 @@ public class SamlResponseCreator {
String remoteAddr, String racs) throws Exception {
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
- callbackHandler.setIssuer(idp.getRealm());
+ callbackHandler.setIssuer(idp.getIdpUrl().toString());
callbackHandler.setSubject(receivedToken.getSaml2().getSubject());
// Test Subject against received Subject (if applicable)
@@ -154,7 +154,7 @@ public class SamlResponseCreator {
"urn:oasis:names:tc:SAML:2.0:status:Success", null
);
Response response =
- SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getRealm(), status);
+ SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getIdpUrl().toString(), status);
response.getAssertions().add(assertion);