Posted to commits@cxf.apache.org by ow...@apache.org on 2011/12/21 22:54:04 UTC
svn commit: r1221896 [1/4] - in /cxf/sandbox/fediz: ./ fediz-core/
fediz-core/.settings/ fediz-core/src/ fediz-core/src/main/
fediz-core/src/main/java/ fediz-core/src/main/java/org/
fediz-core/src/main/java/org/apache/ fediz-core/src/main/java/org/apac...
Author: owulff
Date: Wed Dec 21 21:53:59 2011
New Revision: 1221896
URL: http://svn.apache.org/viewvc?rev=1221896&view=rev
Log:
Initial commit of ws-federation
Added:
cxf/sandbox/fediz/
cxf/sandbox/fediz/fediz-core/
cxf/sandbox/fediz/fediz-core/.settings/
cxf/sandbox/fediz/fediz-core/pom.xml
cxf/sandbox/fediz/fediz-core/src/
cxf/sandbox/fediz/fediz-core/src/main/
cxf/sandbox/fediz/fediz-core/src/main/java/
cxf/sandbox/fediz/fediz-core/src/main/java/org/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/util/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/util/StringUtils.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/util/XMLUtils.java
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/fediz/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/fediz/core/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/fediz/core/saml/
cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/fediz/core/util/
cxf/sandbox/fediz/fediz-core/src/test/
cxf/sandbox/fediz/fediz-core/src/test/java/
cxf/sandbox/fediz/fediz-core/src/test/java/org/
cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/
cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/cxf/
cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/cxf/fediz/
cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/cxf/fediz/core/
cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
cxf/sandbox/fediz/fediz-core/src/test/resources/
cxf/sandbox/fediz/fediz-core/src/test/resources/RSTR.formatted.xml
cxf/sandbox/fediz/fediz-core/src/test/resources/RSTR.xml
cxf/sandbox/fediz/fediz-core/src/test/resources/RSTR_old.xml
cxf/sandbox/fediz/fediz-core/src/test/resources/logging.properties
cxf/sandbox/fediz/fediz-core/src/test/resources/signature.properties
cxf/sandbox/fediz/fediz-core/src/test/resources/stsstore.jks (with props)
cxf/sandbox/fediz/fediz-idp/
cxf/sandbox/fediz/fediz-idp-sts/
cxf/sandbox/fediz/fediz-idp-sts/.settings/
cxf/sandbox/fediz/fediz-idp-sts/pom.xml
cxf/sandbox/fediz/fediz-idp-sts/src/
cxf/sandbox/fediz/fediz-idp-sts/src/main/
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/sts/
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/sts/FileClaimsHandler.java
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/sts/PasswordCallbackHandler.java
cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/sts/UsernamePasswordCallbackHandler.java
cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/
cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/log4j.properties
cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/logging.properties
cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/stsKeystore.properties
cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/stsstore.jks (with props)
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-encrypted-ut.xml
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-servlet.xml
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-transport.xml
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-ut.xml
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-x509.xml
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/passwords.xml
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/userClaims.xml
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/web.xml
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/wsdl/
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/wsdl/ws-trust-1.4-service.wsdl
cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/wsdl/ws-trust-1.4.wsdl
cxf/sandbox/fediz/fediz-idp/pom.xml
cxf/sandbox/fediz/fediz-idp/src/
cxf/sandbox/fediz/fediz-idp/src/main/
cxf/sandbox/fediz/fediz-idp/src/main/java/
cxf/sandbox/fediz/fediz-idp/src/main/java/org/
cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/
cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/
cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/
cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/service/
cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/service/idp/
cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpSTSClient.java
cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpServlet.java
cxf/sandbox/fediz/fediz-idp/src/main/resources/
cxf/sandbox/fediz/fediz-idp/src/main/resources/clientstore.jks (with props)
cxf/sandbox/fediz/fediz-idp/src/main/resources/log4j.properties
cxf/sandbox/fediz/fediz-idp/src/main/resources/logging.properties
cxf/sandbox/fediz/fediz-idp/src/main/webapp/
cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/
cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/RPClaims.xml
cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/beans.xml
cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/signinresponse.jsp
cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/web.xml
cxf/sandbox/fediz/fediz-idp/src/main/webapp/index.html
cxf/sandbox/fediz/fediz-tomcat/
cxf/sandbox/fediz/fediz-tomcat-example/
cxf/sandbox/fediz/fediz-tomcat-example/.settings/
cxf/sandbox/fediz/fediz-tomcat-example/.settings/.jsdtscope
cxf/sandbox/fediz/fediz-tomcat-example/WebContent/
cxf/sandbox/fediz/fediz-tomcat-example/WebContent/META-INF/
cxf/sandbox/fediz/fediz-tomcat-example/WebContent/META-INF/MANIFEST.MF
cxf/sandbox/fediz/fediz-tomcat-example/WebContent/WEB-INF/
cxf/sandbox/fediz/fediz-tomcat-example/WebContent/WEB-INF/lib/
cxf/sandbox/fediz/fediz-tomcat-example/pom.xml
cxf/sandbox/fediz/fediz-tomcat-example/src/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/example/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/example/FederationFilter.java
cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/example/FederationServlet.java
cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/example/SecurityTokenThreadLocal.java
cxf/sandbox/fediz/fediz-tomcat-example/src/main/resources/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/resources/log4j.properties
cxf/sandbox/fediz/fediz-tomcat-example/src/main/resources/logging.properties
cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/META-INF/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/META-INF/context.xml
cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/WEB-INF/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/WEB-INF/web.xml
cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/index.html
cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/secure/
cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/secure/test.html
cxf/sandbox/fediz/fediz-tomcat/.settings/
cxf/sandbox/fediz/fediz-tomcat/docs/
cxf/sandbox/fediz/fediz-tomcat/docs/readme.txt
cxf/sandbox/fediz/fediz-tomcat/pom.xml
cxf/sandbox/fediz/fediz-tomcat/src/
cxf/sandbox/fediz/fediz-tomcat/src/main/
cxf/sandbox/fediz/fediz-tomcat/src/main/assembly/
cxf/sandbox/fediz/fediz-tomcat/src/main/assembly/assembly.xml
cxf/sandbox/fediz/fediz-tomcat/src/main/java/
cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/
cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/
cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/
cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/fediz/
cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/fediz/tomcat/
cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationPrincipal.java
cxf/sandbox/fediz/fediz-tomcat/src/test/
cxf/sandbox/fediz/fediz-tomcat/src/test/resources/
cxf/sandbox/fediz/fediz-tomcat/src/test/resources/logging.properties
cxf/sandbox/fediz/pom.xml
Added: cxf/sandbox/fediz/fediz-core/pom.xml
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/pom.xml?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/pom.xml (added)
+++ cxf/sandbox/fediz/fediz-core/pom.xml Wed Dec 21 21:53:59 2011
@@ -0,0 +1,118 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz</artifactId>
+ <version>0.6-SNAPSHOT</version>
+ </parent>
+ <artifactId>fediz-core</artifactId>
+ <name>WS Federation Core</name>
+ <packaging>jar</packaging>
+
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <dependencies>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.8.2</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ws.security</groupId>
+ <artifactId>wss4j</artifactId>
+ <version>1.6.2</version>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>1.6.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>1.6.1</version>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <testSourceDirectory>${basedir}/src/test/java</testSourceDirectory>
+ <testResources>
+ <testResource>
+ <directory>src/test/java</directory>
+ <excludes>
+ <exclude>**/*.java</exclude>
+ </excludes>
+ </testResource>
+ <testResource>
+ <directory>src/test/resources</directory>
+ <filtering>false</filtering>
+ <includes>
+ <include>**/*</include>
+ </includes>
+ </testResource>
+ </testResources>
+
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <version>2.6</version>
+ <configuration>
+ <reportFormat>brief</reportFormat>
+ <useFile>false</useFile>
+ <forkMode>always</forkMode>
+ <childDelegation>false</childDelegation>
+ <includes>
+ <include>**/*Test.java</include>
+ </includes>
+ <systemPropertyVariables>
+ <java.util.logging.config.file>${basedir}/src/test/resources/logging.properties</java.util.logging.config.file>
+ </systemPropertyVariables>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-pmd-plugin</artifactId>
+ <version>2.5</version>
+ <configuration>
+ <linkXRef>false</linkXRef>
+ <failOnViolation>true</failOnViolation>
+ <verbose>true</verbose>
+ <targetJdk>1.6</targetJdk>
+ </configuration>
+ <executions>
+ <execution>
+ <id>validate</id>
+ <phase>validate</phase>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-source-plugin</artifactId>
+ <version>2.1.2</version>
+ <executions>
+ <execution>
+ <id>attach-sources</id>
+ <phase>verify</phase>
+ <goals>
+ <goal>jar-no-fork</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
+
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.io.Serializable;
+import java.net.URI;
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import java.security.Principal;
+
+/**
+ *
+ * @author Oliver Wulff
+ */
+public class Claim implements Serializable {
+
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1L;
+
+ private URI claimType;
+ private String issuer;
+ private String originalIssuer;
+ private Principal principal;
+ private String value;
+ private URI namespace = ClaimTypes.URI_BASE;
+
+ public URI getNamespace() {
+ return namespace;
+ }
+
+ public void setNamespace(URI namespace) {
+ this.namespace = namespace;
+ }
+
+ public String getIssuer() {
+ return issuer;
+ }
+
+ public void setIssuer(String issuer) {
+ this.issuer = issuer;
+ }
+
+ public String getOriginalIssuer() {
+ return originalIssuer;
+ }
+
+ public void setOriginalIssuer(String originalIssuer) {
+ this.originalIssuer = originalIssuer;
+ }
+
+ public URI getClaimType() {
+ return claimType;
+ }
+
+ public void setClaimType(URI claimType) {
+ this.claimType = claimType;
+ }
+
+ public Principal getPrincipal() {
+ return principal;
+ }
+
+ public void setPrincipal(Principal principal) {
+ this.principal = principal;
+ }
+
+ public void setValue(String value) {
+ this.value = value;
+ }
+
+ public String getValue() {
+ return value;
+ }
+
+}
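Review bot: The `private Principal principal;` field lives in a class declared `Serializable`, but `java.security.Principal` does not itself extend `Serializable`, so serializing a `Claim` whose principal implementation is not serializable fails at runtime with `NotSerializableException`; either declare it `private transient Principal principal;` and document that the principal is not carried across serialization, or constrain the accepted type. The Apache license header appears a second time between `import java.net.URI;` and `import java.security.Principal;` and should be removed. The class Javadoc consists only of an `@author` tag and the `serialVersionUID` Javadoc is empty; a one-line summary such as `A single claim asserted about a subject: a claim type URI, its value, and the issuing party.` would orient readers, and the blank Javadoc on the constant should be dropped. Because the class is a plain mutable bean with no `equals`/`hashCode`, two claims with identical type and value are not equal, which is worth stating in the Javadoc if intentional.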
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+
+
+/**
+ * This class holds a immutable collection of Claims.
+ *
+ * @author Oliver Wulff
+ * @author Juerg Portmann
+ */
+public class ClaimCollection extends ArrayList<Claim> {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1L;
+
+ public ClaimCollection() {
+ super();
+ }
+
+ public ClaimCollection(Collection<? extends Claim> c) {
+ super(c);
+ }
+
+ public ClaimCollection(int initialCapacity) {
+ super(initialCapacity);
+ }
+
+ @Override
+ public Claim set(int index, Claim element) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public boolean add(Claim e) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public void add(int index, Claim element) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public Claim remove(int index) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public boolean remove(Object o) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public void clear() {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public boolean addAll(Collection<? extends Claim> c) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public boolean addAll(int index, Collection<? extends Claim> c) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ protected void removeRange(int fromIndex, int toIndex) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public boolean removeAll(Collection<?> c) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public List<Claim> subList(int fromIndex, int toIndex) {
+ return Collections.unmodifiableList(super.subList(fromIndex, toIndex));
+ }
+
+}
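Review bot: `retainAll(Collection<?>)` is not overridden, so `claims.retainAll(...)` still mutates what the class Javadoc calls an immutable collection — `ArrayList.retainAll` works through its private `batchRemove` and never reaches the overridden `remove` methods; add `@Override public boolean retainAll(Collection<?> c) { throw new UnsupportedOperationException(); }`. On JDK 8 and later, `ArrayList.removeIf`, `replaceAll` and `sort` also appear to operate directly on the backing array and would bypass these overrides, so they will need the same treatment once the project moves past the 1.6 target set in the pom. Wrapping the list with `Collections.unmodifiableList` instead of subclassing `ArrayList` would close all of these holes at once; as a minor point, the Javadoc should read "an immutable collection".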
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,141 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.net.URI;
+
+/**
+ * This holds a collection of Claims.
+ *
+ * @author Oliver Wulff
+ */
+public interface ClaimTypes {
+ /**
+ * The base XML namespace URI that is used by the claim types
+ * http://docs.oasis-open.org/imi/identity/v1.0/os/identity-1.0-spec-os.pdf
+ */
+ public static final URI URI_BASE =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims");
+
+ /**
+ * (givenName in [RFC 2256]) Preferred name or first name of a Subject.
+ * According to RFC 2256: This attribute is used to hold the part of a person's name
+ * which is not their surname nor middle name.
+ */
+ public static final URI FIRSTNAME =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
+
+ /**
+ * (sn in [RFC 2256]) Surname or family name of a Subject.
+ * According to RFC 2256: This is the X.500 surname attribute which contains the family name of a person.
+ */
+ public static final URI LASTNAME =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname");
+
+ /**
+ * (mail in inetOrgPerson) Preferred address for the "To:" field of email
+ * to be sent to the Subject, usually of the form <user>@<domain>.
+ * According to inetOrgPerson using [RFC 1274]: This attribute type specifies
+ * an electronic mailbox attribute following the syntax specified in RFC 822.
+ */
+ public static final URI EMAILADDRESS =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
+
+ /**
+ * (street in [RFC 2256]) Street address component of a Subjectâs address information.
+ * According to RFC 2256: This attribute contains the physical address of the object
+ * to which the entry corresponds, such as an address for package delivery.
+ */
+ public static final URI STREETADDRESS =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress");
+
+ /**
+ * (/ in [RFC 2256]) Locality component of a Subject's address information.
+ * According to RFC 2256: This attribute contains the name of a locality, such as a city, county or other geographic region.
+ */
+ public static final URI LOCALITY =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality");
+
+ /**
+ * (st in [RFC 2256]) Abbreviation for state or province name of a Subject's address information.
+ * According to RFC 2256: âThis attribute contains the full name of a state or province.
+ * The values SHOULD be coordinated on a national level and if well-known shortcuts exist.
+ */
+ public static final URI STATE_PROVINCE =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince");
+
+ /**
+ * (postalCode in X.500) Postal code or zip code component of a Subject's address information.
+ * According to X.500(2001): The postal code attribute type specifies the postal code of the named object.
+ */
+ public static final URI POSTALCODE =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode");
+
+ /**
+ * (c in [RFC 2256]) Country of a Subject.
+ * According to RFC 2256: This attribute contains a two-letter ISO 3166 country code.
+ */
+ public static final URI COUNTRY =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country");
+
+ /**
+ * (homePhone in inetOrgPerson) Primary or home telephone number of a Subject.
+ * According to inetOrgPerson using [RFC 1274]: This attribute type specifies a home telephone number associated with a person.
+ */
+ public static final URI HOMEPHONE =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone");
+
+ /**
+ * (telephoneNumber in X.500 Person) Secondary or work telephone number of a Subject.
+ * According to X.500(2001): This attribute type specifies an office/campus telephone number associated with a person.
+ */
+ public static final URI OTHERPHONE =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone");
+
+ /**
+ * (mobile in inetOrgPerson) Mobile telephone number of a Subject.
+ * According to inetOrgPerson using [RFC 1274]: This attribute type specifies a mobile telephone number associated with a person.
+ */
+ public static final URI MOBILEPHONE =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone");
+
+ /**
+ * The date of birth of a Subject in a form allowed by the xs:date data type.
+ */
+ public static final URI DATEOFBIRTH =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth");
+
+ /**
+ * Gender of a Subject that can have any of these exact URI values
+ * '0' (meaning unspecified), '1' (meaning Male) or '2' (meaning Female)
+ */
+ public static final URI GENDER =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender");
+
+ /**
+ * A private personal identifier (PPID) that identifies the Subject to a Relying Party.
+ */
+ public static final URI PRIVATE_PERSONAL_IDENTIFIER =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier");
+
+ /**
+ * The Web page of a Subject expressed as a URL.
+ */
+ public static final URI WEB_PAGE =
+ URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage");
+}
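Review bot: The class Javadoc `This holds a collection of Claims.` describes `ClaimCollection`, not this type, which defines well-known claim type URIs; suggest `Well-known claim type URIs from the WS-Identity claims namespace (http://schemas.xmlsoap.org/ws/2005/05/identity/claims).` Holding constants in an interface is the constant-interface anti-pattern; if nothing implements it, a `public final class ClaimTypes` with a private constructor keeps every `ClaimTypes.FIRSTNAME` call site unchanged, and the `public static final` modifiers are redundant on interface fields either way. Two Javadoc comments carry mis-encoded characters (`Subjectâs` in the STREETADDRESS comment, `âThis` in the STATE_PROVINCE comment) that should be a plain apostrophe and quote, and `<user>@<domain>` in the EMAILADDRESS Javadoc will be parsed as HTML by the Javadoc tool — write it as `{@code <user>@<domain>}`.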
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,123 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.net.URI;
+import java.util.List;
+//[TODO]check if we can cache / clone the config
+public class FederationConfiguration {
+
+ private String freshness;
+ private String trustedIssuer;
+ private String realm;
+ private String authenticationType;
+ private URI roleURI;
+ private String roleDelimiter;
+ private String trustStoreFile;
+ private String trustStorePassword;
+ private List<Class<TokenValidator>> tokenValidators;
+ private int maxClockSkew = 0;
+ private boolean detectReplayedTokens = true;
+ private long tokenReplayCacheExpirationTime = 0;
+ private boolean detectExpiredTokens = true;
+
+ //[TODO] TokenReplayCacheExpirationPeriod
+ //[TODO] DetectReplayedTokens
+
+
+ public String getFreshness() {
+ return freshness;
+ }
+ public void setFreshness(String freshness) {
+ this.freshness = freshness;
+ }
+ public String getTrustedIssuer() {
+ return trustedIssuer;
+ }
+ public void setTrustedIssuer(String trustedIssuer) {
+ this.trustedIssuer = trustedIssuer;
+ }
+ public String getRealm() {
+ return realm;
+ }
+ public void setRealm(String realm) {
+ this.realm = realm;
+ }
+ public String getAuthenticationType() {
+ return authenticationType;
+ }
+ public void setAuthenticationType(String authenticationType) {
+ this.authenticationType = authenticationType;
+ }
+ public URI getRoleURI() {
+ return roleURI;
+ }
+ public void setRoleURI(URI roleURI) {
+ this.roleURI = roleURI;
+ }
+ public String getRoleDelimiter() {
+ return roleDelimiter;
+ }
+ public void setRoleDelimiter(String roleDelimiter) {
+ this.roleDelimiter = roleDelimiter;
+ }
+ public List<Class<TokenValidator>> getTokenValidators() {
+ return tokenValidators;
+ }
+ public void setTokenValidators(List<Class<TokenValidator>> tokenValidators) {
+ this.tokenValidators = tokenValidators;
+ }
+ public int getMaxClockSkew() {
+ return maxClockSkew;
+ }
+ public void setMaxClockSkew(int maxClockSkew) {
+ this.maxClockSkew = maxClockSkew;
+ }
+ public boolean isDetectReplayedTokens() {
+ return detectReplayedTokens;
+ }
+ public void setDetectReplayedTokens(boolean detectReplayedTokens) {
+ this.detectReplayedTokens = detectReplayedTokens;
+ }
+ public long getTokenReplayCacheExpirationTime() {
+ return tokenReplayCacheExpirationTime;
+ }
+ public void setTokenReplayCacheExpirationTime(
+ long tokenReplayCacheExpirationTime) {
+ this.tokenReplayCacheExpirationTime = tokenReplayCacheExpirationTime;
+ }
+ public boolean isDetectExpiredTokens() {
+ return detectExpiredTokens;
+ }
+ public void setDetectExpiredTokens(boolean detectExpiredTokens) {
+ this.detectExpiredTokens = detectExpiredTokens;
+ }
+ public void setTrustStoreFile(String trustStoreFile) {
+ this.trustStoreFile = trustStoreFile;
+ }
+ public String getTrustStoreFile() {
+ return trustStoreFile;
+ }
+ public void setTrustStorePassword(String trustStorePassword) {
+ this.trustStorePassword = trustStorePassword;
+ }
+ public String getTrustStorePassword() {
+ return trustStorePassword;
+ }
+
+}
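Review bot: `List<Class<TokenValidator>> tokenValidators` can only hold `TokenValidator.class` itself — a `Class<SAMLTokenValidator>` is not assignable to `Class<TokenValidator>` — so concrete validator classes cannot be registered without unchecked casts; the field, `getTokenValidators()` and `setTokenValidators(...)` should use `List<Class<? extends TokenValidator>>`. The time-valued settings carry no units: `maxClockSkew` and `tokenReplayCacheExpirationTime` should say whether they are seconds or milliseconds, e.g. `/** Maximum accepted clock skew between IdP and RP, in seconds. */` — I cannot tell the unit from this hunk, so confirm against `FederationProcessorImpl`. `trustStorePassword` is a credential; a comment such as `// credential: keep out of toString()/logging` on the field records that a later `toString()` must exclude it. `getTokenValidators()` also hands out the internal list, so callers can mutate the configuration behind its back; returning `Collections.unmodifiableList(tokenValidators)` (null-guarded) would preserve the getter contract while preventing that.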
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,214 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.net.URI;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+public class FederationConstants {
+
+ public static final String WSFED_METHOD = "WSFED";
+
+ public static final URI DEFAULT_ROLE_URI = URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
+
+ /**
+ * Constants defined in following spec:
+ * http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html
+ */
+
+ /**
+ * This REQUIRED parameter specifies the action to be performed.
+ * Note that this serves roughly the same purpose as the WS-Addressing Action header for the WS-Trust SOAP RST messages.
+ */
+ public static final String PARAM_ACTION = "wa";
+
+ public static final String ACTION_SIGNIN = "wsignin1.0";
+ public static final String ACTION_SIGNOUT = "wsignout1.0";
+ public static final String ACTION_SIGNOUT_CLEANUP = "wsignoutcleanup1.0";
+
+
+ /**
+ * This OPTIONAL parameter is the URL to which responses are directed.
+ * Note that this serves roughly the same purpose as the WS-Addressing <wsa:ReplyTo> header for the WS-Trust SOAP RST messages.
+ */
+ public static final String PARAM_REPLY = "wreply";
+
+
+ /**
+ * This REQUIRED parameter is the URI of the requesting realm.
+ * Note that this serves roughly the same purpose as the AppliesTo element in the WS-Trust SOAP RST messages.
+ */
+ public static final String PARAM_TREALM = "wtrealm";
+
+
+ /**
+ * This OPTIONAL parameter indicates the freshness requirements.
+ * If specified, this indicates the desired maximum age of authentication specified in minutes.
+ * An IP/STS SHOULD NOT issue a token with a longer lifetime.
+ * If specified as â0â it indicates a request for the IP/STS to re-prompt the user for authentication before issuing the token.
+ * Note that this serves roughly the same purpose as the Freshness element in the WS-Trust SOAP RST messages.
+ */
+ public static final String PARAM_FRESHNESS = "wfresh";
+
+
+ /**
+ * This OPTIONAL parameter indicates the REQUIRED authentication level.
+ * Note that this parameter uses the same URIs and is equivalent to the wst:AuthenticationType element in the WS-Trust SOAP RST messages.
+ */
+ public static final String PARAM_AUTH_TYPE = "wauth";
+
+
+ /**
+ * This OPTIONAL parameter specifies a token request using either a <wst:RequestSecurityToken> element or a full request message as described in WS-Trust.
+ * If this parameter is not specified, it is assumed that the responding service knows the correct type of token to return.
+ * Note that this can contain the same RST payload as used in WS-Trust RST messages.
+ */
+ public static final String PARAM_REQUEST = "wreq";
+
+
+ /**
+ * This OPTIONAL parameter indicates the current time at the sender for ensuring freshness. This parameter is the string encoding of time using the XML Schema datetime time using UTC notation.
+ * Note that this serves roughly the same purpose as the WS-Security Timestamp elements in the Security headers of the SOAP RST messages.
+ */
+ public static final String PARAM_CURRENT_TIME = "wct";
+
+
+ /**
+ * This OPTIONAL parameter is an opaque context value that MUST be returned with the issued token if it is passed in the request.
+ * Note that this serves roughly the same purpose as the WS-Trust SOAP RST @Context attribute.
+ */
+ public static final String PARAM_CONTEXT = "wctx";
+
+
+ /**
+ * This OPTIONAL parameter is the URL for the policy which can be obtained using an HTTP GET
+ * and identifies the policy to be used related to the action specified in "wa", but MAY have a broader scope than just the "wa".
+ * Note that this serves roughly the same purpose as the Policy element in the WS-Trust SOAP RST messages.
+ */
+ public static final String PARAM_POLICY = "wp";
+
+
+ /**
+ * This OPTIONAL parameter indicates the federation context in which the request is made.
+ * This is equivalent to the FederationId parameter in the RST message.
+ */
+ public static final String PARAM_FED_CONTEXT = "wfed";
+
+
+ /**
+ * This OPTIONAL parameter indicates the encoding style to be used for XML parameter content.
+ * If not specified the default behavior is to use standard URL encoding rules
+ */
+ public static final String PARAM_ENCODING = "wencoding";
+
+
+ /**
+ * This REQUIRED parameter specifies the result of the token issuance.
+ * This can take the form of the <wst:RequestSecurityTokenResponse> element or <wst:RequestSecurityTokenResponseCollection> element, a SOAP security token request response (that is, a <S:Envelope>) as detailed in WS-Trust, or a SOAP <S:Fault> element.
+ */
+ public static final String PARAM_RESULT = "wresult";
+
+
+ /**
+ * This OPTIONAL parameter indicates the account partner realm of the client. This parameter is used to indicate the IP/STS address for the requestor.
+ * This may be specified directly as a URL or indirectly as an identifier (e.g. urn: or uuid:).
+ * In the case of an identifier the recipient is expected to know how to translate this (or get it translated) to a URL.
+ * When the whr parameter is used, the resource, or its local IP/STS, typically removes the parameter and writes a cookie to the client browser to remember this setting for future requests.
+ * Then, the request proceeds in the same way as if it had not been provided.
+ * Note that this serves roughly the same purpose as federation metadata for discovering IP/STS locations previously discussed.
+ */
+ public static final String PARAM_HOME_REALM = "whr";
+
+
+ /**
+ * This OPTIONAL parameter specifies a URL for where to find the request expressed as a <wst:RequestSecurityToken> element.
+ * Note that this does not have a WS-Trust parallel.
+ * The wreqptr parameter MUST NOT be included in a token request if wreq is present.
+ */
+ public static final String PARAM_REQUEST_PTR = "wreqptr";
+
+
+ /**
+ * This parameter specifies a URL to which an HTTP GET can be issued.
+ * The result is a document of type text/xml that contains the issuance result.
+ * This can either be the <wst:RequestSecurityTokenResponse> element, the <wst:RequestSecurityTokenResponseCollection> element, a SOAP response, or a SOAP <S:Fault> element.
+ */
+ public static final String PARAM_RESULT_PTR = "wresultptr";
+
+
+
+ public static final Map<String, URI> AUTH_TYPE_MAP;
+ static {
+ Map<String, URI> aMap = new HashMap<String, URI>();
+ aMap.put("UNKNOWN", FederationConstants.AUTH_TYPE_UNKNOWN);
+ aMap.put("DEFAULT", FederationConstants.AUTH_TYPE_DEFAULT);
+ aMap.put("SSL", FederationConstants.AUTH_TYPE_SSL);
+ aMap.put("SSL_AND_KEY", FederationConstants.AUTH_TYPE_SSL_AND_KEY);
+ aMap.put("SSL_STRONG_PASSWORD", FederationConstants.AUTH_TYPE_SSL_STRONG_PASSWORD);
+ aMap.put("SSL_STRONG_PASSWORD_EXPIRATION", FederationConstants.AUTH_TYPE_SSL_STRONG_PASSWORD_EXPIRATION);
+ aMap.put("SMARTCARD", FederationConstants.AUTH_TYPE_SMARTCARD);
+ AUTH_TYPE_MAP = Collections.unmodifiableMap(aMap);
+ }
+
+
+
+ /**
+ * Unknown level of authentication
+ */
+ public static final URI AUTH_TYPE_UNKNOWN = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/unknown");
+
+ /**
+ * Default sign-in mechanisms
+ */
+ public static final URI AUTH_TYPE_DEFAULT = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default");
+
+ /**
+ * Sign-in using SSL
+ */
+ public static final URI AUTH_TYPE_SSL = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl");
+
+ /**
+ * Sign-in using SSL and a security key
+ */
+ public static final URI AUTH_TYPE_SSL_AND_KEY = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey");
+
+ /**
+ * Sign-in using SSL and a âstrongâ password
+ */
+ public static final URI AUTH_TYPE_SSL_STRONG_PASSWORD = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndStrongPasssword");
+
+ /**
+ * Sign-in using SSL and a âstrongâ password with expiration
+ */
+ public static final URI AUTH_TYPE_SSL_STRONG_PASSWORD_EXPIRATION = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndStrongPasswordWithExpiration");
+
+ /**
+ * Sign-in using Smart Card
+ */
+ public static final URI AUTH_TYPE_SMARTCARD = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard");
+
+
+
+
+
+
+
+
+}
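Review bot: The static block at L965–L975 runs before the `AUTH_TYPE_*` fields at L982–L1012 are assigned, because static initialisers execute in textual order and `URI.create(...)` is not a compile-time constant; writing them as the qualified `FederationConstants.AUTH_TYPE_UNKNOWN` sidesteps javac's illegal-forward-reference check, so the class compiles but every value in `AUTH_TYPE_MAP` is null. Moving the `AUTH_TYPE_MAP` declaration and its static block below the last `AUTH_TYPE_*` declaration fixes this with no other change. Separately, `SslAndStrongPasssword` at L1002 has three s's, which looks like a typo next to `SslAndStrongPasswordWithExpiration` at L1007 and is worth checking against the spec, since a wrong URI would silently fail to match the `wauth` value a peer sends. The Javadoc at L872, L1000 and L1005 also contains mis-encoded quote characters (`â`), presumably smart quotes saved in a non-UTF-8 encoding.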
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+public interface FederationProcessor {
+
+ public FederationResponse processRequest(FederationRequest request, FederationConfiguration config);
+
+}
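Review bot: The single method of this interface has no Javadoc, so the contract for actions other than sign-in and for a failed request is undefined for implementors and callers; a short comment would fix that, e.g. `/** Processes a WS-Federation request; the action is taken from {@code request.getWa()}. Implementations must document what is returned for unsupported actions and how a rejected token is reported. */`. The `public` modifier on the interface method is redundant and can be dropped.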
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,235 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.text.DateFormat;
+import java.text.ParseException;
+import java.util.Calendar;
+import java.util.Date;
+
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
+import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+public class FederationProcessorImpl implements FederationProcessor {
+
+ private static final Logger LOG = LoggerFactory.getLogger(FederationProcessorImpl.class);
+
+
+ private String namespace = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
+
+ private TokenReplayCache<String> replayCache = null;
+
+ /**
+ * Default constructor
+ */
+
+ public FederationProcessorImpl() {
+ super();
+ replayCache = TokenReplayCacheInMemory.getInstance();
+ }
+
+
+ /**
+ *
+ * @param replayCache plugable token cache allowing to provide a replicated cache to be used in clustered scenarios
+ */
+
+ public FederationProcessorImpl(TokenReplayCache<String> replayCache) {
+ super();
+ this.replayCache = replayCache;
+ }
+
+
+
+ @Override
+ public FederationResponse processRequest(FederationRequest request, FederationConfiguration config) {
+ FederationResponse response = null;
+
+ if (request.getWa().equals(FederationConstants.ACTION_SIGNIN)) {
+ response = this.processSignInRequest(request, config);
+ }
+
+ return response;
+ }
+
+ protected FederationResponse processSignInRequest(FederationRequest request, FederationConfiguration config) {
+
+ byte[] wresult = request.getWresult().getBytes();
+
+ Document doc = null;
+ Element el = null;
+ try {
+ doc = DOMUtils.readXml(new ByteArrayInputStream(wresult));
+ el = doc.getDocumentElement();
+
+ } catch (SAXException e) {
+ e.printStackTrace();
+ return null;
+ } catch (IOException e) {
+ e.printStackTrace();
+ return null;
+ } catch (ParserConfigurationException e) {
+ e.printStackTrace();
+ return null;
+ }
+
+
+
+ if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
+ el = DOMUtils.getFirstElement(el);
+ }
+ if (!"RequestSecurityTokenResponse".equals(el.getLocalName())) {
+ throw new RuntimeException("Unexpected element " + el.getLocalName());
+ }
+ el = DOMUtils.getFirstElement(el);
+ Element rst = null;
+ Element lifetimeElem = null;
+ String tt = null;
+
+ while (el != null) {
+ String ln = el.getLocalName();
+ if (namespace.equals(el.getNamespaceURI())) {
+ if ("Lifetime".equals(ln)) {
+ lifetimeElem = el;
+ } else if ("RequestedSecurityToken".equals(ln)) {
+ rst = DOMUtils.getFirstElement(el);
+ } else if ("TokenType".equals(ln)) {
+ tt = DOMUtils.getContent(el);
+ }
+ }
+ el = DOMUtils.getNextElement(el);
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RST: " + rst.toString());
+ LOG.debug("Lifetime: " + ((lifetimeElem != null) ? lifetimeElem.toString() : "null"));
+ LOG.debug("Tokentype: " + ((tt != null) ? tt.toString() : "null"));
+ }
+
+ LifeTime lifeTime = null;
+ if (lifetimeElem != null) {
+ lifeTime = processLifeTime(lifetimeElem);
+ }
+
+ if (config.isDetectExpiredTokens() && lifeTime != null) {
+ Calendar cal = Calendar.getInstance();
+ if ( cal.getTime().after(lifeTime.getExpires()) ) {
+ LOG.warn("Token already expired");
+ }
+
+ if ( cal.getTime().before(lifeTime.getCreated())) {
+ LOG.warn("Token not yet valid");
+ //[TODO] Add Check clocksqew
+ }
+ }
+
+ //[TODO] Exception: TokenExpiredException, TokenInvalidException, TokenCachedException
+
+ //[TODO] Flexible tokenvalidator selection, based on class list
+ SAMLTokenValidator validator = new SAMLTokenValidator();
+ TokenValidatorResponse response = validator.validateAndProcessToken(rst, config);
+
+
+ //Check whether token already used for signin
+ if (response.getUniqueTokenId() != null && config.isDetectReplayedTokens()) {
+ // Check whether token has already been processed once, prevent replay attack
+
+ if (replayCache.getId(response.getUniqueTokenId()) == null) {
+ // not cached
+ replayCache.putId(response.getUniqueTokenId());
+ }
+ else {
+ LOG.error("Replay attack with token id: " +response.getUniqueTokenId());
+ throw new RuntimeException("Replay attack with token id: " +response.getUniqueTokenId());
+ }
+ }
+
+ // [TODO] Token, WeakReference, SoftReference???
+ FederationResponse fedResponse = new FederationResponse(response.getUsername(),
+ response.getIssuer(),
+ response.getRoles(),
+ response.getClaims(),
+ response.getAudience(),
+ (lifeTime != null) ? lifeTime.getCreated() : null,
+ (lifeTime != null) ? lifeTime.getExpires() : null,
+ rst,
+ response.getUniqueTokenId());
+
+ return fedResponse;
+ }
+
+
+
+
+ private LifeTime processLifeTime(Element lifetimeElem) {
+ //[TODO] Get rid of WSS4J dependency
+ try {
+ Element createdElem =
+ DOMUtils.getFirstChildWithName(lifetimeElem,
+ WSConstants.WSU_NS,
+ WSConstants.CREATED_LN);
+ DateFormat zulu = new XmlSchemaDateFormat();
+
+ Date created = zulu.parse(DOMUtils.getContent(createdElem));
+
+ Element expiresElem =
+ DOMUtils.getFirstChildWithName(lifetimeElem,
+ WSConstants.WSU_NS,
+ WSConstants.EXPIRES_LN);
+ Date expires = zulu.parse(DOMUtils.getContent(expiresElem));
+
+ return new LifeTime(created, expires);
+
+ } catch (ParseException e) {
+ e.printStackTrace();
+ }
+ return null;
+ }
+
+ public class LifeTime {
+
+ private Date created;
+ private Date expires;
+
+
+ public LifeTime(Date created, Date expires) {
+ this.created = created;
+ this.expires = expires;
+ }
+
+ public Date getCreated() {
+ return created;
+ }
+
+ public Date getExpires() {
+ return expires;
+ }
+
+ }
+
+}
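Review bot: At L1198–L1203 an expired or not-yet-valid token only produces a `LOG.warn` and processing continues to build and return a `FederationResponse`, so `detectExpiredTokens` never actually rejects anything; both branches should throw (the author's own TODO at L1208 already names a TokenExpiredException), and the `maxClockSkew` setting on `FederationConfiguration` in this commit is the natural tolerance to apply there. The same detect-but-accept shape appears in `processLifeTime`: a `ParseException` at L1265 is printed and `null` is returned, which makes the `lifeTime != null` guard at L1196 skip the lifetime check entirely for a token whose Lifetime element is malformed, so that path should fail rather than return null. Smaller points: `request.getWa().equals(...)` at L1131 throws NPE when `wa` is absent (`FederationConstants.ACTION_SIGNIN.equals(request.getWa())` is the null-safe form), `getBytes()` at L1140 uses the platform charset, and `rst.toString()` at L1186 throws NPE when no RequestedSecurityToken was found, before the validator is handed a null token. Whether `DOMUtils.readXml` at L1145 disables DTDs and external entities is not visible here; since `wresult` is request-supplied XML that should be confirmed.
```java
        if (config.isDetectExpiredTokens() && lifeTime != null) {
            Date now = new Date();
            // [TODO] apply config.getMaxClockSkew() as tolerance on both bounds
            if (now.after(lifeTime.getExpires())) {
                LOG.warn("Token already expired");
                throw new RuntimeException("Token already expired");
            }
            if (now.before(lifeTime.getCreated())) {
                LOG.warn("Token not yet valid");
                throw new RuntimeException("Token not yet valid");
            }
        }
        // … unchanged: validator call, replay check, FederationResponse construction …
```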
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+public class FederationRequest {
+
+ private String wa = null;
+ private String wresult = null;
+ private String wct = null;
+
+
+ public String getWct() {
+ return wct;
+ }
+ public void setWct(String wct) {
+ this.wct = wct;
+ }
+
+ public String getWa() {
+ return wa;
+ }
+ public void setWa(String wa) {
+ this.wa = wa;
+ }
+ public String getWresult() {
+ return wresult;
+ }
+ public void setWresult(String wresult) {
+ this.wresult = wresult;
+ }
+
+
+}
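Review bot: The class and its fields carry no Javadoc, although `wa`, `wresult` and `wct` are the WS-Federation request parameters that `FederationConstants` in this commit defines as `PARAM_ACTION`, `PARAM_RESULT` and `PARAM_CURRENT_TIME`; a reader cannot tell that from the field names alone. Suggest a field comment per parameter, e.g. `/** Value of the {@code wa} parameter ({@link FederationConstants#PARAM_ACTION}), as received from the client. */`, and a class comment noting that every value is taken from an inbound request and is unvalidated at this point, since `FederationProcessorImpl` parses `wresult` as XML directly.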
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.util.Collections;
+import java.util.Date;
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+public class FederationResponse {
+
+ private String audience = null;
+ private String username = null;
+ private List<String> roles = null;
+ private String issuer = null;
+ private List<Claim> claims = null;
+ private Element token = null;
+ private String uniqueTokenId = null;
+
+ /**
+ * Created time
+ */
+ private Date tokenCreated = null;
+
+ /** * Expiration time
+ */
+ private Date tokenExpires = null;
+
+
+
+ private FederationResponse() {}
+
+ public FederationResponse(String username, String issuer, List<String> roles, List<Claim> claims, String audience, Date created, Date expires, Element token, String uniqueTokenId) {
+ this.username = username;
+ this.issuer = issuer;
+ this.roles = roles;
+ this.claims = claims;
+ this.audience = audience;
+ this.tokenCreated = created;
+ this.tokenExpires = expires;
+ this.token = token;
+ this.uniqueTokenId = uniqueTokenId;
+ }
+
+
+
+ public String getUniqueTokenId() {
+ return uniqueTokenId;
+ }
+
+ public String getAudience() {
+ return audience;
+ }
+
+
+
+ public String getUsername() {
+ return username;
+ }
+
+
+
+ public List<String> getRoles() {
+ if (roles == null) return null;
+ else return Collections.unmodifiableList(roles);
+ }
+
+
+
+ public String getIssuer() {
+ return issuer;
+ }
+
+
+
+ public List<Claim> getClaims() {
+ if (claims == null) return null;
+ else return Collections.unmodifiableList(claims);
+ }
+
+
+
+ public Date getTokenCreated() {
+ return tokenCreated;
+ }
+
+
+
+ public Date getTokenExpires() {
+ return tokenExpires;
+ }
+
+ public Element getToken() {
+ return token;
+ }
+
+
+
+}
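Review bot: The constructor at L1401–L1411 stores `roles` and `claims` by reference, so the `Collections.unmodifiableList` returned by `getRoles()` and `getClaims()` at L1431–L1447 is only a view over a list the caller of the constructor can still mutate; copying in the constructor (`this.roles = roles == null ? null : new ArrayList<String>(roles);`, with a `java.util.ArrayList` import) makes the response genuinely immutable, which matters for a value that downstream code will use for authorisation. `getToken()` at L1461 likewise hands out the live DOM `Element`. The Javadoc at L1393 is malformed (`/** * Expiration time`) and the private no-arg constructor at L1399 is unused.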
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,9 @@
+package org.apache.cxf.fediz.core;
+
+public interface TokenReplayCache<T> {
+
+ public abstract T getId(String id);
+
+ public abstract void putId(T id);
+
+}
\ No newline at end of file
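Review bot: The interface gives no contract for `getId`/`putId` at L1478–L1480 — in particular whether `getId` returning `null` is the only "not seen" signal and whether `putId` of an already-present id is a no-op — and `FederationProcessorImpl` in this commit relies on exactly that check-then-act pair for replay detection, which cannot be made atomic through this interface. A Javadoc line such as `/** Returns the stored id equal to {@code id}, or {@code null} if it has not been seen. */` would pin the first point. `public abstract` on interface methods is redundant, and this file is the only one in the commit without the ASF license header and a trailing newline.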
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+//TokenReplayCacheInMemory
+//[TODO] add properties TokenReplayCacheExpirationPeriod
+public final class TokenReplayCacheInMemory<T> implements TokenReplayCache<T>{
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 7269477566842444549L;
+
+ private List<T> cache = null;
+ private static TokenReplayCache<String> instance = null;
+
+ private TokenReplayCacheInMemory() {
+ cache = Collections.synchronizedList(new ArrayList<T>());
+ }
+
+ synchronized public static TokenReplayCache<String> getInstance() {
+ if (instance != null) {
+ return instance;
+ }
+ instance = new TokenReplayCacheInMemory<String>();
+ return instance;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.fediz.core.TokenReplayCache#getId(java.lang.String)
+ */
+ @Override
+ public T getId(String id) {
+ int index = cache.indexOf(id);
+ if (index == -1) {
+ return null;
+ } else {
+ return cache.get(index);
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.fediz.core.TokenReplayCache#putId(T)
+ */
+ @Override
+ public void putId(T id) {
+ cache.add(id);
+ }
+
+
+}
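Review bot: The cache at L1522 is a synchronized `List`, so `getId` at L1542 is an O(n) `indexOf` over an entry set that only ever grows — nothing here or in the caller removes ids, and the `tokenReplayCacheExpirationTime` setting added to `FederationConfiguration` in the same commit is not consulted — which makes replay detection both slower and more memory-hungry with every sign-in. A `ConcurrentHashMap` keyed by the id gives O(1) lookup and a place to hang an insertion timestamp for the expiry the TODO at L1514 mentions; the sketch below (needs `java.util.concurrent.ConcurrentHashMap`/`ConcurrentMap` imports) keeps the interface unchanged. `serialVersionUID` at L1520 is meaningless on a class that is not `Serializable`, and `indexOf(id)` with a `String` against `List<T>` only works because the singleton at L1529 fixes `T` to `String`.
```java
    private final ConcurrentMap<String, T> cache = new ConcurrentHashMap<String, T>();
    // … unchanged: singleton getInstance() …

    @Override
    public T getId(String id) {
        return cache.get(id); // O(1) instead of List.indexOf
    }

    @Override
    public void putId(T id) {
        cache.put(id.toString(), id);
    }
```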
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import org.w3c.dom.Element;
+
+public interface TokenValidator {
+
+ /**
+ * Return true if this TokenValidator implementation is capable of validating the
+ * TokenType argument.
+ */
+ public boolean canHandleTokenType(String tokenType);
+
+
+ /**
+ * Return true if this TokenValidator implementation is capable of validating the
+ * Token argument.
+ */
+ public boolean canHandleToken(Element token);
+
+
+ /**
+ * Validate a Token using the given Element and Configuration.
+ */
+ TokenValidatorResponse validateAndProcessToken(Element token, FederationConfiguration config);
+}
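Review bot: The Javadoc for `validateAndProcessToken` at L1603–L1605 does not say how a failed validation is reported — a `null` return or an exception — and that is the one fact every caller must know; `FederationProcessorImpl` in this commit dereferences the result without a null check, so the contract should be stated explicitly, e.g. `@return the validated token's identity data, never {@code null}` plus a `@throws` clause naming the exception used for an invalid token, whichever the implementation actually does. The two `canHandle*` methods would also benefit from saying whether they may be called with a `null` argument. The mixed `public boolean ...` and bare `TokenValidatorResponse ...` declarations are inconsistent; the `public` is redundant in an interface.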
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.util.List;
+
+public class TokenValidatorResponse {
+
+ private String username = null;
+ private String uniqueTokenId = null;
+ private List<String> roles = null;
+ private String issuer = null;
+ private String audience = null;
+ private List<Claim> claims = null;
+
+
+
+ public TokenValidatorResponse(String uniqueTokenId, String username, String issuer, List<String> roles, List<Claim> claims, String audience) {
+ this.username = username;
+ this.issuer = issuer;
+ this.roles = roles;
+ this.claims = claims;
+ this.audience = audience;
+ this.uniqueTokenId = uniqueTokenId;
+ }
+
+
+ public String getUsername() {
+ return username;
+ }
+ public String getUniqueTokenId() {
+ return uniqueTokenId;
+ }
+ public List<String> getRoles() {
+ return roles;
+ }
+ public String getIssuer() {
+ return issuer;
+ }
+ public String getAudience() {
+ return audience;
+ }
+ public List<Claim> getClaims() {
+ return claims;
+ }
+
+
+
+}
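Review bot: The fields at L1637–L1642 are assigned only in the constructor yet are not `final`, and `getRoles()`/`getClaims()` at L1662–L1673 return the underlying lists directly, unlike `FederationResponse` in the same commit which wraps them in `Collections.unmodifiableList`; since the roles list ends up driving authorisation, making the fields `final` and wrapping the two list getters (`return roles == null ? null : Collections.unmodifiableList(roles);`, with a `java.util.Collections` import) keeps the two response types consistent. A class comment stating that this is the validator's verdict handed back to `FederationProcessorImpl` would help as well.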
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//[TODO] Should it be a Subject instead of Principal (tomcat uses a prinicpal in GenericPrinicpial)
+
+package org.apache.cxf.fediz.core;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
+
+@Deprecated
+public class WsFedPrincipal implements Principal {
+
+ protected String username = null;
+ protected List<String> roles = null;
+ protected ClaimCollection claims = null;
+
+
+ public WsFedPrincipal(String username) {
+ this(username, null, null);
+ }
+
+ public WsFedPrincipal(String username, List<String> roles) {
+ this(username, roles, null);
+ }
+
+ public WsFedPrincipal(String username, List<String> roles, ClaimCollection claims) {
+ this.username = username;
+ this.roles = roles;
+ this.claims = claims;
+ }
+
+
+ @Override
+ public String getName() {
+ return this.username;
+ }
+
+
+ public List<String> getRoles() {
+ return Collections.unmodifiableList(this.roles);
+ }
+
+
+ public ClaimCollection getClaims() {
+ return this.claims;
+ }
+
+}
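Review bot: `getRoles()` throws a NullPointerException whenever the principal was built through the one- or two-argument constructors, because they pass `null` for `roles` and `Collections.unmodifiableList(null)` rejects it. Returning an empty list keeps the accessor safe for every constructor path: `return this.roles == null ? Collections.<String>emptyList() : Collections.unmodifiableList(this.roles);`. The same null can come in through the three-argument constructor, so the guard belongs in the getter rather than in one constructor. The `[TODO]` comment above the package line also misspells "principal"/"GenericPrincipal", which makes it hard to grep for later.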
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core.saml;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
+
+
+/**
+ * This class provides the functionality to match a given X509Certificate against a list of
+ * regular expressions.
+ */
+public class CertConstraintsParser {
+
+ /**
+ * a collection of compiled regular expression patterns for the subject DN
+ */
+ private Collection<Pattern> subjectDNPatterns = new ArrayList<Pattern>();
+
+ /**
+ * Set a list of Strings corresponding to regular expression constraints on the subject DN
+ * of a certificate
+ */
+ public void setSubjectConstraints(List<String> constraints) {
+ if (constraints != null) {
+ subjectDNPatterns = new ArrayList<Pattern>();
+ for (String constraint : constraints) {
+ try {
+ subjectDNPatterns.add(Pattern.compile(constraint.trim()));
+ } catch (PatternSyntaxException ex) {
+ //LOG.severe(ex.getMessage());
+ throw ex;
+ }
+ }
+ }
+ }
+
+ /**
+ * @return true if the certificate's SubjectDN matches the constraints defined in the
+ * subject DNConstraints; false, otherwise. The certificate subject DN only
+ * has to match ONE of the subject cert constraints (not all).
+ */
+ public boolean
+ matches(
+ final java.security.cert.X509Certificate cert
+ ) {
+ if (!subjectDNPatterns.isEmpty()) {
+ if (cert == null) {
+ //LOG.fine("The certificate is null so no constraints matching was possible");
+ return false;
+ }
+ String subjectName = cert.getSubjectX500Principal().getName();
+ boolean subjectMatch = false;
+ for (Pattern subjectDNPattern : subjectDNPatterns) {
+ final Matcher matcher = subjectDNPattern.matcher(subjectName);
+ if (matcher.matches()) {
+ //LOG.fine("Subject DN " + subjectName + " matches with pattern " + subjectDNPattern);
+ subjectMatch = true;
+ break;
+ }
+ }
+ if (!subjectMatch) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+}
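Review bot: `matches()` returns `true` for any certificate, including `null`, when no subject constraints have been configured, so a caller that forgets or fails to call `setSubjectConstraints` with a non-empty list gets a trust decision that passes everything. The Javadoc on `matches` should state this fail-open behaviour explicitly, e.g. `* Returns true without inspecting the certificate when no subject constraints are configured; callers that require a DN match must supply at least one constraint.`, and callers like SAMLTokenValidator should treat an empty constraint list as a configuration error. The constraints are matched with `Matcher.matches()` against `getSubjectX500Principal().getName()`, i.e. a full match of the RFC 2253 form, which is also worth a sentence in the `setSubjectConstraints` Javadoc so that configured patterns are written in that format. The `catch (PatternSyntaxException ex) { throw ex; }` block is a no-op rethrow and can be dropped once the commented-out logging is either restored or removed.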
Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,322 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core.saml;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Properties;
+import java.util.StringTokenizer;
+
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.cxf.fediz.core.Claim;
+import org.apache.cxf.fediz.core.ClaimCollection;
+import org.apache.cxf.fediz.core.FederationConfiguration;
+import org.apache.cxf.fediz.core.TokenValidator;
+import org.apache.cxf.fediz.core.TokenValidatorResponse;
+import org.apache.ws.security.SAMLTokenPrincipal;
+import org.apache.ws.security.WSDocInfo;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.validate.Credential;
+import org.apache.ws.security.validate.SignatureTrustValidator;
+import org.opensaml.common.SAMLVersion;
+import org.opensaml.xml.XMLObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Element;
+
+public class SAMLTokenValidator implements TokenValidator {
+
+ private static final Logger LOG = LoggerFactory.getLogger(SAMLTokenValidator.class);
+
+
+ //[TODO] make sure we answer true only for cases we actually can handle
+ @Override
+ public boolean canHandleTokenType(String tokenType) {
+ return true;
+ }
+
+ @Override
+ public boolean canHandleToken(Element token) {
+ return true;
+ }
+
+ @Override
+ public TokenValidatorResponse validateAndProcessToken(Element token, FederationConfiguration config) {
+
+ try {
+
+ Properties sigProperties = createCryptoProviderProperties(config.getTrustStoreFile(), config.getTrustStorePassword());
+
+ Crypto sigCrypto = CryptoFactory.getInstance(sigProperties);
+ RequestData requestData = new RequestData();
+ requestData.setSigCrypto(sigCrypto);
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ requestData.setWssConfig(wssConfig);
+ //not needed as no private key must be read
+ //requestData.setCallbackHandler(new PasswordCallbackHandler(password));
+
+ AssertionWrapper assertion = new AssertionWrapper(token);
+ if (!assertion.isSigned()) {
+ throw new RuntimeException("The received assertion is not signed, and therefore not trusted");
+ }
+ // Verify the signature
+ assertion.verifySignature(
+ requestData, new WSDocInfo(token.getOwnerDocument())
+ );
+
+ // Now verify trust on the signature
+ Credential trustCredential = new Credential();
+ SAMLKeyInfo samlKeyInfo = assertion.getSignatureKeyInfo();
+ trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
+ trustCredential.setCertificates(samlKeyInfo.getCerts());
+
+ SignatureTrustValidator trustValidator = new SignatureTrustValidator();
+ trustValidator.validate(trustCredential, requestData);
+
+ String assertionIssuer = assertion.getIssuerString();
+
+ // Finally check that subject DN of the signing certificate matches a known constraint
+ X509Certificate cert = null;
+ if (trustCredential.getCertificates() != null) {
+ cert = trustCredential.getCertificates()[0];
+ }
+
+ List<String> subjectConstraints = Arrays.asList(config.getTrustedIssuer());
+
+ CertConstraintsParser certConstraints = new CertConstraintsParser();
+ certConstraints.setSubjectConstraints(subjectConstraints);
+
+ if (!certConstraints.matches(cert)) {
+ throw new RuntimeException("Issuer '" + assertionIssuer + "' not trusted");
+ }
+
+
+ String audience = null;
+ List<Claim> claims = null;
+ if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+ claims = parseClaimsInAssertion(assertion.getSaml2());
+ audience = getAudienceRestriction(assertion.getSaml2());
+ } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)) {
+ claims = parseClaimsInAssertion(assertion.getSaml1());
+ audience = getAudienceRestriction(assertion.getSaml1());
+ }
+
+ List<String> roles = null;
+ URI roleURI = config.getRoleURI();
+ String delim = config.getRoleDelimiter();
+ if (roleURI != null) {
+ for (Claim c: claims) {
+ URI claimURI = URI.create(c.getNamespace() + "/" + c.getClaimType());
+ if (roleURI.equals(claimURI)) {
+ if (delim == null) { delim = ","; }
+ roles = parseRoles(c.getValue(), delim);
+ claims.remove(c);
+ break;
+ }
+ }
+ }
+
+ SAMLTokenPrincipal p = new SAMLTokenPrincipal(assertion);
+
+ TokenValidatorResponse response = new TokenValidatorResponse(
+ assertion.getId(),
+ p.getName(),
+ assertionIssuer,
+ roles,
+ claims,
+ audience);
+
+ return response;
+
+ } catch (WSSecurityException ex) {
+ //[TODO] proper exception handling
+ throw new RuntimeException(ex);
+ }
+ }
+
+
+ protected List<Claim> parseClaimsInAssertion(org.opensaml.saml1.core.Assertion assertion) {
+ List<org.opensaml.saml1.core.AttributeStatement> attributeStatements =
+ assertion.getAttributeStatements();
+ if (attributeStatements == null || attributeStatements.isEmpty()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No attribute statements found");
+ }
+ return Collections.emptyList();
+ }
+ ClaimCollection collection = new ClaimCollection();
+
+ for (org.opensaml.saml1.core.AttributeStatement statement : attributeStatements) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("parsing statement: " + statement.getElementQName());
+ }
+
+ List<org.opensaml.saml1.core.Attribute> attributes = statement.getAttributes();
+ for (org.opensaml.saml1.core.Attribute attribute : attributes) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("parsing attribute: " + attribute.getAttributeName());
+ }
+ Claim c = new Claim();
+ c.setIssuer(assertion.getIssuer());
+ c.setClaimType(URI.create(attribute.getAttributeName()));
+ try {
+ c.setClaimType(new URI(attribute.getAttributeName()));
+ } catch (URISyntaxException e) {
+ LOG.warn("Invalid attribute name in attributestatement: " + e.getMessage());
+ continue;
+ }
+ for (XMLObject attributeValue : attribute.getAttributeValues()) {
+ Element attributeValueElement = attributeValue.getDOM();
+ String value = attributeValueElement.getTextContent();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(" [" + value + "]");
+ }
+ c.setValue(value);
+ collection.add(c);
+ break;
+ }
+ }
+ }
+ return collection;
+ }
+
+ protected List<Claim> parseClaimsInAssertion(org.opensaml.saml2.core.Assertion assertion) {
+ List<org.opensaml.saml2.core.AttributeStatement> attributeStatements =
+ assertion.getAttributeStatements();
+ if (attributeStatements == null || attributeStatements.isEmpty()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No attribute statements found");
+ }
+ return Collections.emptyList();
+ }
+
+ List<Claim> collection = new ArrayList<Claim>();
+
+ for (org.opensaml.saml2.core.AttributeStatement statement : attributeStatements) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("parsing statement: " + statement.getElementQName());
+ }
+ List<org.opensaml.saml2.core.Attribute> attributes = statement.getAttributes();
+ for (org.opensaml.saml2.core.Attribute attribute : attributes) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("parsing attribute: " + attribute.getName());
+ }
+ Claim c = new Claim();
+ c.setClaimType(URI.create(attribute.getName()));
+ c.setIssuer(assertion.getIssuer().getNameQualifier());
+ for (XMLObject attributeValue : attribute.getAttributeValues()) {
+ Element attributeValueElement = attributeValue.getDOM();
+ String value = attributeValueElement.getTextContent();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(" [" + value + "]");
+ }
+ c.setValue(value);
+ collection.add(c);
+ break;
+ }
+ }
+ }
+ return collection;
+
+ }
+
+ protected List<String> parseRoles(String value, String delim) {
+ List<String> roles = new ArrayList<String>();
+ StringTokenizer st = new StringTokenizer(value, delim);
+ while (st.hasMoreTokens()) {
+ String role = st.nextToken();
+ roles.add(role);
+ }
+ return roles;
+ }
+
+ protected String getAudienceRestriction(org.opensaml.saml1.core.Assertion assertion) {
+ String audience = null;
+ try {
+ audience = assertion.getConditions().getAudienceRestrictionConditions().get(0).getAudiences().get(0).getUri();
+ } catch (Exception ex) {
+ LOG.warn("Failed to read audience" + ex.getMessage());
+ }
+ return audience;
+ }
+
+ protected String getAudienceRestriction(org.opensaml.saml2.core.Assertion assertion) {
+ String audience = null;
+ try {
+ audience = assertion.getConditions().getAudienceRestrictions().get(0).getAudiences().get(0).getAudienceURI();
+ } catch (Exception ex) {
+ LOG.warn("Failed to read audience" + ex.getMessage());
+ }
+ return audience;
+
+ }
+
+ protected Properties createCryptoProviderProperties(String truststoreFile, String truststorePassword) {
+ Properties p = new Properties();
+ p.put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
+ p.put("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
+ p.put("org.apache.ws.security.crypto.merlin.keystore.password", truststorePassword);
+ p.put("org.apache.ws.security.crypto.merlin.keystore.file", truststoreFile);
+ return p;
+ }
+
+
+ // A sample MyHandler class
+ class PasswordCallbackHandler
+ implements CallbackHandler
+ {
+ private String password;
+
+ private PasswordCallbackHandler() {}
+
+ public PasswordCallbackHandler(String password) {
+ this.password = password;
+ }
+
+ public void handle(Callback[] callbacks) throws
+ IOException, UnsupportedCallbackException
+ {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof WSPasswordCallback) {
+ WSPasswordCallback nc = (WSPasswordCallback)callbacks[i];
+ nc.setPassword(this.password);
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i],
+ "Unrecognized Callback");
+ }
+ }
+ }
+ }
+}
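Review bot: `validateAndProcessToken` verifies the signature and the signer's trust, but nothing in this hunk checks the assertion's Conditions (NotBefore/NotOnOrAfter) or compares the extracted `audience` with the relying party, so an expired assertion or one issued for a different audience is returned as valid unless the caller enforces both; if the WSS4J version in use provides `AssertionWrapper.checkConditions(int)`, the natural place to call it is directly after `trustValidator.validate(trustCredential, requestData);`, and the audience comparison belongs there too. In the SAML 1.1 `parseClaimsInAssertion`, the line `c.setClaimType(URI.create(attribute.getAttributeName()));` before the `try` throws `IllegalArgumentException` for a malformed name, so the `URISyntaxException` handler that is meant to skip such attributes is unreachable; remove that line and keep only the `new URI(...)` inside the `try`. `claims` is left `null` when the assertion version is neither 2.0 nor 1.1, and the `for (Claim c: claims)` loop then throws a NullPointerException; initialising it to `Collections.<Claim>emptyList()` or rejecting unsupported versions up front avoids that. `PasswordCallbackHandler` is an unused non-static inner class holding a password in a `String`, and the `canHandleTokenType`/`canHandleToken` overrides return `true` unconditionally as the `[TODO]` already notes, so this validator will be selected for token types it cannot parse.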