Posted to commits@cxf.apache.org by co...@apache.org on 2017/01/27 11:22:49 UTC
[06/19] cxf-fediz git commit: FEDIZ-155 - Move .java components out
of idp webapp and into a separate JAR
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java
deleted file mode 100644
index 814e342..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java
+++ /dev/null
@@ -1,242 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.domain;
-
-import java.io.Serializable;
-import java.net.URI;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.regex.Pattern;
-
-import javax.xml.bind.annotation.XmlAttribute;
-import javax.xml.bind.annotation.XmlElementRef;
-import javax.xml.bind.annotation.XmlElementWrapper;
-import javax.xml.bind.annotation.XmlRootElement;
-import javax.xml.bind.annotation.XmlType;
-
-@XmlRootElement(name = "application", namespace = "http://org.apache.cxf.fediz/")
-@XmlType(propOrder = {"realm", "role", "serviceDisplayName", "serviceDescription", "protocol",
- "tokenType", "lifeTime", "encryptionCertificate", "requestedClaims",
- "policyNamespace", "passiveRequestorEndpoint", "passiveRequestorEndpointConstraint", "id",
- "validatingCertificate", "enableAppliesTo"})
-public class Application implements Serializable {
-
- private static final long serialVersionUID = 5644327504861846964L;
-
-
-
- protected int id;
-
-
- //Could be imported from Metadata document or manually filled
-
- //@Column(name = "REALM", nullable = true, length = FIELD_LENGTH)
- protected String realm; //wtrealm, whr
-
- //Could be read from Metadata, RoleDescriptor protocolSupportEnumeration=
- // "http://docs.oasis-open.org/wsfed/federation/200706"
- // Metadata could provide more than one but one must be chosen
- protected String protocol;
-
- // Public key only
- // Could be read from Metadata, md:KeyDescriptor, use="encryption"
- protected String encryptionCertificate;
-
- // Certificate for Signature verification
- protected String validatingCertificate;
-
- // Could be read from Metadata, fed:ClaimTypesRequested
- protected List<RequestClaim> requestedClaims = new ArrayList<>();
-
- //Could be read from Metadata, ServiceDisplayName
- //usage for list of application where user is logged in
- protected String serviceDisplayName;
-
- //Could be read from Metadata, ServiceDescription
- //usage for list of application where user is logged in
- protected String serviceDescription;
-
- //Could be read from Metadata, RoleDescriptor
- //fed:ApplicationServiceType, fed:SecurityTokenServiceType
- protected String role;
-
- // Not in Metadata, configured in IDP or passed in wreq parameter
- protected String tokenType;
-
- // Not in Metadata, configured in IDP or passed in wreq parameter
- protected int lifeTime;
-
- // WS-Policy Namespace for AppliesTo element
- protected String policyNamespace;
-
- // Request audience restriction in token for this application (default is true)
- private boolean enableAppliesTo = true;
-
- private URI href;
-
- //Could be read from Metadata, PassiveRequestorEndpoint
- //fed:ApplicationServiceType, fed:SecurityTokenServiceType
- private String passiveRequestorEndpoint;
-
- // A regular expression constraint on the passiveRequestorEndpoint
- private String passiveRequestorEndpointConstraint;
- private Pattern compiledPassiveRequestorEndpointConstraint;
-
-
- @XmlAttribute
- public int getId() {
- return id;
- }
-
- public void setId(int id) {
- this.id = id;
- }
-
- @XmlAttribute
- public URI getHref() {
- return href;
- }
-
- public void setHref(URI href) {
- this.href = href;
- }
-
- public String getRealm() {
- return realm;
- }
-
- public void setRealm(String realm) {
- this.realm = realm;
- }
-
- public String getProtocol() {
- return protocol;
- }
-
- public void setProtocol(String protocol) {
- this.protocol = protocol;
- }
-
- public String getEncryptionCertificate() {
- return encryptionCertificate;
- }
-
- public void setEncryptionCertificate(String encryptionCertificate) {
- this.encryptionCertificate = encryptionCertificate;
- }
-
- @XmlElementWrapper(name = "claims")
- @XmlElementRef(name = "requestedClaims")
- public List<RequestClaim> getRequestedClaims() {
- return requestedClaims;
- }
-
- public void setRequestedClaims(List<RequestClaim> requestedClaims) {
- this.requestedClaims = requestedClaims;
- }
-
- public String getServiceDisplayName() {
- return serviceDisplayName;
- }
-
- public void setServiceDisplayName(String serviceDisplayName) {
- this.serviceDisplayName = serviceDisplayName;
- }
-
- public String getServiceDescription() {
- return serviceDescription;
- }
-
- public void setServiceDescription(String serviceDescription) {
- this.serviceDescription = serviceDescription;
- }
-
- public String getRole() {
- return role;
- }
-
- public void setRole(String role) {
- this.role = role;
- }
-
- public String getTokenType() {
- return tokenType;
- }
-
- public void setTokenType(String tokenType) {
- this.tokenType = tokenType;
- }
-
- public int getLifeTime() {
- return lifeTime;
- }
-
- public void setLifeTime(int lifeTime) {
- this.lifeTime = lifeTime;
- }
-
- public String getPolicyNamespace() {
- return policyNamespace;
- }
-
- public void setPolicyNamespace(String policyNamespace) {
- this.policyNamespace = policyNamespace;
- }
-
- public String getPassiveRequestorEndpoint() {
- return passiveRequestorEndpoint;
- }
-
- public void setPassiveRequestorEndpoint(String passiveRequestorEndpoint) {
- this.passiveRequestorEndpoint = passiveRequestorEndpoint;
- }
-
- public String getPassiveRequestorEndpointConstraint() {
- return passiveRequestorEndpointConstraint;
- }
-
- public void setPassiveRequestorEndpointConstraint(String passiveRequestorEndpointConstraint) {
- this.passiveRequestorEndpointConstraint = passiveRequestorEndpointConstraint;
- if (passiveRequestorEndpointConstraint != null) {
- compiledPassiveRequestorEndpointConstraint = Pattern.compile(passiveRequestorEndpointConstraint);
- } else {
- compiledPassiveRequestorEndpointConstraint = null;
- }
- }
-
- public Pattern getCompiledPassiveRequestorEndpointConstraint() {
- return compiledPassiveRequestorEndpointConstraint;
- }
-
- public String getValidatingCertificate() {
- return validatingCertificate;
- }
-
- public void setValidatingCertificate(String validatingCertificate) {
- this.validatingCertificate = validatingCertificate;
- }
-
- public boolean isEnableAppliesTo() {
- return enableAppliesTo;
- }
-
- public void setEnableAppliesTo(boolean useAudienceRestriction) {
- this.enableAppliesTo = useAudienceRestriction;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Claim.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Claim.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Claim.java
deleted file mode 100644
index 96afed9..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Claim.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.domain;
-
-import java.io.Serializable;
-import java.net.URI;
-
-import javax.xml.bind.annotation.XmlAttribute;
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "claim", namespace = "http://org.apache.cxf.fediz/")
-public class Claim implements Serializable {
-
- private static final long serialVersionUID = 2635896159019665467L;
-
- protected URI claimType;
- protected String displayName;
- protected String description;
- protected int id;
- private URI href;
-
- @XmlAttribute
- public URI getHref() {
- return href;
- }
-
- public void setHref(URI href) {
- this.href = href;
- }
-
- @XmlAttribute
- public int getId() {
- return id;
- }
-
- public void setId(int id) {
- this.id = id;
- }
-
- public void setClaimType(URI claimType) {
- this.claimType = claimType;
- }
-
- public URI getClaimType() {
- return claimType;
- }
-
- public String getDisplayName() {
- return displayName;
- }
-
- public void setDisplayName(String displayName) {
- this.displayName = displayName;
- }
-
- public String getDescription() {
- return description;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Entitlement.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Entitlement.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Entitlement.java
deleted file mode 100644
index c926386..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Entitlement.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.domain;
-
-import java.io.Serializable;
-
-import javax.xml.bind.annotation.XmlAttribute;
-import javax.xml.bind.annotation.XmlRootElement;
-import javax.xml.bind.annotation.XmlType;
-
-@XmlRootElement(name = "entitlement", namespace = "http://org.apache.cxf.fediz/")
-@XmlType(propOrder = {"name", "description", "internal", "id" })
-public class Entitlement implements Serializable {
-
- private static final long serialVersionUID = 2635896159019665467L;
-
- protected String name;
- protected String description;
- protected int id;
- protected boolean internal;
-
- @XmlAttribute
- public int getId() {
- return id;
- }
-
- public void setId(int id) {
- this.id = id;
- }
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- public boolean isInternal() {
- return internal;
- }
-
- public void setInternal(boolean internal) {
- this.internal = internal;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/FederationType.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/FederationType.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/FederationType.java
deleted file mode 100644
index 2dcc296..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/FederationType.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.domain;
-
-import javax.xml.bind.annotation.XmlEnum;
-
-@XmlEnum
-public enum FederationType {
-
- FEDERATE_IDENTITY("FederateIdentity"),
- FEDERATE_CLAIMS("FederateClaims");
-
- private String name;
-
- FederationType(final String name) {
- this.name = name;
- }
-
- @Override
- public String toString() {
- return name;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java
deleted file mode 100644
index d382184..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java
+++ /dev/null
@@ -1,304 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.domain;
-
-import java.io.Serializable;
-import java.net.URL;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.xml.bind.annotation.XmlAttribute;
-import javax.xml.bind.annotation.XmlElementRef;
-import javax.xml.bind.annotation.XmlElementWrapper;
-import javax.xml.bind.annotation.XmlRootElement;
-import javax.xml.bind.annotation.XmlType;
-
-@XmlRootElement(name = "idp", namespace = "http://org.apache.cxf.fediz/")
-@XmlType(propOrder = {"realm", "uri", "serviceDisplayName", "serviceDescription", "idpUrl", "stsUrl",
- "certificate", "certificatePassword", "provideIdpList", "useCurrentIdp", "hrds",
- "rpSingleSignOutConfirmation", "supportedProtocols", "tokenTypesOffered", "claimTypesOffered",
- "authenticationURIs", "applications", "trustedIdps", "id", "rpSingleSignOutCleanupConfirmation" })
-public class Idp implements Serializable {
-
- private static final long serialVersionUID = -5570301342547139039L;
-
-
- protected int id;
-
- // Unique
- // fed:TargetScope
- protected String realm; // wtrealm, whr
-
- // Unique
- // https://<host>:<port>/fediz-idp/<IDP uri>/
- protected String uri;
-
- // Home Realm Discovery Service
- // Spring EL
- protected String hrds;
-
- // @Column(name = "INACTIVE", nullable = true, length = FIELD_LENGTH)
- // if HRDS can't determine the home realm, should
- // the list of trusted IDPs be shown to make a choice
- protected boolean provideIdpList;
-
- // If HRDS can't discover a home realm and displaying IDP list is not
- // enabled
- // it falls back to current IDP if an authentication domain is configured
- protected boolean useCurrentIdp;
-
- // Store certificate in DB or filesystem, provide options?
- // md:KeyDescriptor, use="signing"
- protected String certificate;
-
- // Password to read the private key to sign metadata document
- protected String certificatePassword;
-
- // fed:SecurityTokenSerivceEndpoint
- protected URL stsUrl;
-
- // fed:PassiveRequestorEndpoint
- // published hostname, port must be configured
- protected URL idpUrl;
-
- // RoleDescriptor protocolSupportEnumeration=
- // "http://docs.oasis-open.org/wsfed/federation/200706"
- // "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
- // Could be more in the future
- protected List<String> supportedProtocols = new ArrayList<>();
-
- // list of RPs and RP-IDPs from whom we accept SignInResponse
- // which includes RP IDPs
- // key: wtrealm
- protected List<Application> applications = new ArrayList<>();
-
- // list of trusted IDP from whom we accept SignInResponse
- // key: whr
- protected List<TrustedIdp> trustedIdpList = new ArrayList<>();
-
- // which URI to redirect for authentication
- // fediz-idp/<IDP uri>/login/auth/<auth URI>
- // wauth to auth URI mapping
- protected Map<String, String> authenticationURIs = new HashMap<>();
-
- // required to create Federation Metadata document
- // fed:TokenTypesOffered
- protected List<String> tokenTypesOffered = new ArrayList<>();
-
- // fed:ClaimTypesOffered
- protected List<Claim> claimTypesOffered = new ArrayList<>();
-
- // ServiceDisplayName
- protected String serviceDisplayName;
-
- // ServiceDescription
- protected String serviceDescription;
-
- // The user/browser must explicitly confirm to logout from all applications
- private boolean rpSingleSignOutConfirmation;
-
- // Is explicit confirmation required when the "cleanup" URL is called
- private boolean rpSingleSignOutCleanupConfirmation;
-
- @XmlAttribute
- public int getId() {
- return id;
- }
-
- public void setId(int id) {
- this.id = id;
- }
-
- public String getRealm() {
- return realm;
- }
-
- public void setRealm(String realm) {
- this.realm = realm;
- }
-
- public String getUri() {
- return uri;
- }
-
- public void setUri(String uri) {
- this.uri = uri;
- }
-
- public String getHrds() {
- return hrds;
- }
-
- public void setHrds(String hrds) {
- this.hrds = hrds;
- }
-
- public boolean isProvideIdpList() {
- return provideIdpList;
- }
-
- public void setProvideIdpList(boolean provideIdpList) {
- this.provideIdpList = provideIdpList;
- }
-
- public boolean isUseCurrentIdp() {
- return useCurrentIdp;
- }
-
- public void setUseCurrentIdp(boolean useCurrentIdp) {
- this.useCurrentIdp = useCurrentIdp;
- }
-
- public String getCertificate() {
- return certificate;
- }
-
- public void setCertificate(String certificate) {
- this.certificate = certificate;
- }
-
- public String getCertificatePassword() {
- return certificatePassword;
- }
-
- public void setCertificatePassword(String password) {
- this.certificatePassword = password;
- }
-
- public URL getStsUrl() {
- return stsUrl;
- }
-
- public void setStsUrl(URL stsUrl) {
- this.stsUrl = stsUrl;
- }
-
- public URL getIdpUrl() {
- return idpUrl;
- }
-
- public void setIdpUrl(URL idpUrl) {
- this.idpUrl = idpUrl;
- }
-
- @XmlElementWrapper(name = "supportedProtocols")
- public List<String> getSupportedProtocols() {
- return supportedProtocols;
- }
-
- public void setSupportedProtocols(List<String> supportedProtocols) {
- this.supportedProtocols = supportedProtocols;
- }
-
- public Application findApplication(String realmApplication) {
- for (Application item : applications) {
- if (item.getRealm().equals(realmApplication)) {
- return item;
- }
- }
- return null;
- }
-
- @XmlElementWrapper(name = "applications")
- @XmlElementRef(name = "application")
- public List<Application> getApplications() {
- return applications;
- }
-
- public void setApplications(List<Application> applications) {
- this.applications = applications;
- }
-
- public TrustedIdp findTrustedIdp(String realmTrustedIdp) {
- for (TrustedIdp item : trustedIdpList) {
- if (item.getRealm().equals(realmTrustedIdp)) {
- return item;
- }
- }
- return null;
- }
-
- @XmlElementWrapper(name = "trustedIdps")
- @XmlElementRef(name = "trustedIdp")
- public List<TrustedIdp> getTrustedIdps() {
- return trustedIdpList;
- }
-
- public Map<String, String> getAuthenticationURIs() {
- return authenticationURIs;
- }
-
- public void setAuthenticationURIs(Map<String, String> authenticationURIs) {
- this.authenticationURIs = authenticationURIs;
- }
-
- @XmlElementWrapper(name = "tokenTypesOffered")
- public List<String> getTokenTypesOffered() {
- return tokenTypesOffered;
- }
-
- public void setTokenTypesOffered(List<String> tokenTypesOffered) {
- this.tokenTypesOffered = tokenTypesOffered;
- }
-
- @XmlElementWrapper(name = "claimTypesOffered")
- @XmlElementRef(name = "claimType")
- public List<Claim> getClaimTypesOffered() {
- return claimTypesOffered;
- }
-
- public void setClaimTypesOffered(List<Claim> claimTypesOffered) {
- this.claimTypesOffered = claimTypesOffered;
- }
-
- public String getServiceDisplayName() {
- return serviceDisplayName;
- }
-
- public void setServiceDisplayName(String serviceDisplayName) {
- this.serviceDisplayName = serviceDisplayName;
- }
-
- public String getServiceDescription() {
- return serviceDescription;
- }
-
- public void setServiceDescription(String serviceDescription) {
- this.serviceDescription = serviceDescription;
- }
-
- public boolean isRpSingleSignOutConfirmation() {
- return rpSingleSignOutConfirmation;
- }
-
- public void setRpSingleSignOutConfirmation(boolean rpSingleSignOutConfirmation) {
- this.rpSingleSignOutConfirmation = rpSingleSignOutConfirmation;
- }
-
- public boolean isRpSingleSignOutCleanupConfirmation() {
- return rpSingleSignOutCleanupConfirmation;
- }
-
- public void setRpSingleSignOutCleanupConfirmation(boolean rpSingleSignOutCleanupConfirmation) {
- this.rpSingleSignOutCleanupConfirmation = rpSingleSignOutCleanupConfirmation;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/RequestClaim.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/RequestClaim.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/RequestClaim.java
deleted file mode 100644
index 008e75a..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/RequestClaim.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.domain;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement(name = "requestClaim", namespace = "http://org.apache.cxf.fediz/")
-public class RequestClaim extends Claim {
-
- private static final long serialVersionUID = 8097560995225077866L;
-
- protected boolean optional;
-
- public RequestClaim() {
- super();
- }
-
- public RequestClaim(Claim c) {
- super();
- this.setClaimType(c.getClaimType());
- this.setDescription(c.getDescription());
- this.setDisplayName(c.getDisplayName());
- this.setId(c.getId());
- }
-
- public void setOptional(boolean optional) {
- this.optional = optional;
- }
-
- public boolean isOptional() {
- return optional;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Role.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Role.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Role.java
deleted file mode 100644
index f403546..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Role.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.domain;
-
-import java.io.Serializable;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.bind.annotation.XmlAttribute;
-import javax.xml.bind.annotation.XmlRootElement;
-import javax.xml.bind.annotation.XmlType;
-
-@XmlRootElement(name = "role", namespace = "http://org.apache.cxf.fediz/")
-@XmlType(propOrder = {"name", "description", "entitlements", "id" })
-public class Role implements Serializable {
-
- private static final long serialVersionUID = 2635896159019665467L;
-
- protected String name;
- protected String description;
- protected int id;
-
- protected List<Entitlement> entitlements = new ArrayList<>();
-
- @XmlAttribute
- public int getId() {
- return id;
- }
-
- public void setId(int id) {
- this.id = id;
- }
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- public List<Entitlement> getEntitlements() {
- return entitlements;
- }
-
- public void setEntitlements(List<Entitlement> entitlements) {
- this.entitlements = entitlements;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/TrustType.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/TrustType.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/TrustType.java
deleted file mode 100644
index 50efb25..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/TrustType.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.domain;
-
-import javax.xml.bind.annotation.XmlEnum;
-
-@XmlEnum
-public enum TrustType {
-
- PEER_TRUST("PeerTrust"),
- INDIRECT_TRUST("IndirectTrust");
-
- private String name;
-
- TrustType(final String name) {
- this.name = name;
- }
-
- @Override
- public String toString() {
- return name;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/TrustedIdp.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/TrustedIdp.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/TrustedIdp.java
deleted file mode 100644
index b3262b5..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/TrustedIdp.java
+++ /dev/null
@@ -1,187 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.domain;
-
-import java.io.Serializable;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.xml.bind.annotation.XmlAttribute;
-import javax.xml.bind.annotation.XmlRootElement;
-import javax.xml.bind.annotation.XmlType;
-
-@XmlRootElement(name = "trustedIdp", namespace = "http://org.apache.cxf.fediz/")
-@XmlType(propOrder = {"realm", "issuer", "url", "name", "description", "protocol", "trustType",
- "certificate", "federationType", "cacheTokens", "logo", "id", "parameters" })
-//@XmlAttribute on Id must be set on getter, not on attribute, otherwise error
-public class TrustedIdp implements Serializable {
-
- private static final long serialVersionUID = -6520081722646469178L;
-
-
- protected int id;
-
- //@Column(name = "REALM", nullable = true, length = FIELD_LENGTH)
- protected String realm; //wtrealm, whr
-
- //@Column(name = "Issuer", nullable = true, length = FIELD_LENGTH)
- protected String issuer; //SAMLResponse issuer name
-
- // Should tokens be cached from trusted IDPs
- // to avoid redirection to the trusted IDP again for next SignIn request
- protected boolean cacheTokens;
-
- //Could be read from Metadata, PassiveRequestorEndpoint
- protected String url;
-
- //Could be read from Metadata, md:KeyDescriptor, use="signing"
- //Store certificate in DB or filesystem, provide options?
- protected String certificate;
-
- //Direct trust (signing cert imported), Indirect trust (CA certs imported, subject configured)
- protected TrustType trustType;
-
- //Could be read from Metadata, RoleDescriptor protocolSupportEnumeration=
- // "http://docs.oasis-open.org/wsfed/federation/200706"
- // Metadata could provide more than one but one must be chosen
- protected String protocol;
-
- //FederateIdentity, FederateClaims
- protected FederationType federationType;
-
- //optional (to provide a list of IDPs)
- protected String name;
-
- //optional (to provide a list of IDPs)
- protected String description;
-
- //optional (to provide a list of IDPs)
- protected String logo;
-
- // Additional (possibly protocol specific parameters)
- protected Map<String, String> parameters = new HashMap<>();
-
-
- @XmlAttribute
- public int getId() {
- return id;
- }
-
- public void setId(int id) {
- this.id = id;
- }
-
- public String getIssuer() {
- return issuer;
- }
-
- public void setIssuer(String issuer) {
- this.issuer = issuer;
- }
-
- public String getRealm() {
- return realm;
- }
-
- public void setRealm(String realm) {
- this.realm = realm;
- }
-
- public boolean isCacheTokens() {
- return cacheTokens;
- }
-
- public void setCacheTokens(boolean cacheTokens) {
- this.cacheTokens = cacheTokens;
- }
-
- public String getUrl() {
- return url;
- }
-
- public void setUrl(String url) {
- this.url = url;
- }
-
- public String getCertificate() {
- return certificate;
- }
-
- public void setCertificate(String certificate) {
- this.certificate = certificate;
- }
-
- public String getProtocol() {
- return protocol;
- }
-
- public void setProtocol(String protocol) {
- this.protocol = protocol;
- }
-
- public FederationType getFederationType() {
- return federationType;
- }
-
- public void setFederationType(FederationType federationType) {
- this.federationType = federationType;
- }
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
-
- public String getDescription() {
- return description;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- public String getLogo() {
- return logo;
- }
-
- public void setLogo(String logo) {
- this.logo = logo;
- }
-
- public TrustType getTrustType() {
- return trustType;
- }
-
- public void setTrustType(TrustType trustType) {
- this.trustType = trustType;
- }
-
- public Map<String, String> getParameters() {
- return parameters;
- }
-
- public void setParameters(Map<String, String> parameters) {
- this.parameters = parameters;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosAuthenticationProcessingFilter.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosAuthenticationProcessingFilter.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosAuthenticationProcessingFilter.java
deleted file mode 100644
index 8e39e85..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosAuthenticationProcessingFilter.java
+++ /dev/null
@@ -1,199 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-/*
- * Copyright 2002-2008 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.cxf.fediz.service.idp.kerberos;
-
-import java.io.IOException;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.springframework.security.authentication.AnonymousAuthenticationToken;
-import org.springframework.security.authentication.AuthenticationDetailsSource;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.crypto.codec.Base64;
-import org.springframework.security.web.authentication.AuthenticationFailureHandler;
-import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
-import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
-import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
-import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
-import org.springframework.util.Assert;
-import org.springframework.web.filter.GenericFilterBean;
-/**
- * Parses the SPNEGO authentication Header, which was generated by the browser
- * and creates a {@link KerberosServiceRequestToken} out if it. It will then
- * call the {@link AuthenticationManager}.
- *
- * @author Mike Wiesner
- * @since 1.0
- * @version $Id$
- * @see KerberosServiceAuthenticationProvider
- * @see KerberosEntryPoint
- */
-public class KerberosAuthenticationProcessingFilter extends GenericFilterBean {
- private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource =
- new WebAuthenticationDetailsSource();
- private AuthenticationManager authenticationManager;
- private AuthenticationSuccessHandler successHandler;
- private AuthenticationFailureHandler failureHandler;
- private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();
- private boolean skipIfAlreadyAuthenticated = true;
- /*
- * (non-Javadoc)
- *
- * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
- * javax.servlet.ServletResponse, javax.servlet.FilterChain)
- */
- public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
- throws IOException, ServletException {
- HttpServletRequest request = (HttpServletRequest) req;
- HttpServletResponse response = (HttpServletResponse) res;
- if (skipIfAlreadyAuthenticated) {
- Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
- if (existingAuth != null && existingAuth.isAuthenticated()
- && !(existingAuth instanceof AnonymousAuthenticationToken)) {
- chain.doFilter(request, response);
- return;
- }
- }
- String header = request.getHeader("Authorization");
- if ((header != null) && header.startsWith("Negotiate ")) {
- if (logger.isDebugEnabled()) {
- logger.debug("Received Negotiate Header for request " + request.getRequestURL() + ": " + header);
- }
- byte[] base64Token = header.substring(10).getBytes("UTF-8");
- byte[] kerberosTicket = Base64.decode(base64Token);
- KerberosServiceRequestToken authenticationRequest = new KerberosServiceRequestToken(kerberosTicket);
- authenticationRequest.setDetails(authenticationDetailsSource.buildDetails(request));
- Authentication authentication;
- try {
- authentication = authenticationManager.authenticate(authenticationRequest);
- } catch (AuthenticationException e) {
- //That shouldn't happen, as it is most likely a wrong
- //configuration on the server side
- logger.warn("Negotiate Header was invalid: " + header, e);
- SecurityContextHolder.clearContext();
- if (failureHandler != null) {
- failureHandler.onAuthenticationFailure(request, response, e);
- } else {
- response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
- response.flushBuffer();
- }
- return;
- }
- sessionStrategy.onAuthentication(authentication, request, response);
- SecurityContextHolder.getContext().setAuthentication(authentication);
- if (successHandler != null) {
- successHandler.onAuthenticationSuccess(request, response, authentication);
- }
- }
- chain.doFilter(request, response);
- }
- /**
- * The authentication manager for validating the ticket.
- *
- * @param authenticationManager
- */
- public void setAuthenticationManager(AuthenticationManager authenticationManager) {
- this.authenticationManager = authenticationManager;
- }
- /**
- * This handler is called after a successful authentication. One can add
- * additional authentication behavior by setting this.<br />
- * Default is null, which means nothing additional happens
- *
- * @param successHandler
- */
- public void setSuccessHandler(AuthenticationSuccessHandler successHandler) {
- this.successHandler = successHandler;
- }
- /**
- * This handler is called after a failure authentication. In most cases you
- * only get Kerberos/SPNEGO failures with a wrong server or network
- * configurations and not during runtime. If the client encounters an error,
- * he will just stop the communication with server and therefore this
- * handler will not be called in this case.<br />
- * Default is null, which means that the Filter returns the HTTP 500 code
- *
- * @param failureHandler
- */
- public void setFailureHandler(AuthenticationFailureHandler failureHandler) {
- this.failureHandler = failureHandler;
- }
- /**
- * Should Kerberos authentication be skipped if a user is already authenticated
- * for this request (e.g. in the HTTP session).
- *
- * @param skipIfAlreadyAuthenticated default is true
- */
- public void setSkipIfAlreadyAuthenticated(boolean skipIfAlreadyAuthenticated) {
- this.skipIfAlreadyAuthenticated = skipIfAlreadyAuthenticated;
- }
- /**
- * The session handling strategy which will be invoked immediately after an authentication request is
- * successfully processed by the <tt>AuthenticationManager</tt>. Used, for example, to handle changing of the
- * session identifier to prevent session fixation attacks.
- *
- * @param sessionAuthStrategy the implementation to use. If not set a null implementation is
- * used.
- */
- public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthStrategy) {
- this.sessionStrategy = sessionAuthStrategy;
- }
- public void setAuthenticationDetailsSource(
- AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
- Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
- this.authenticationDetailsSource = authenticationDetailsSource;
- }
- /*
- * (non-Javadoc)
- *
- * @see
- * org.springframework.web.filter.GenericFilterBean#afterPropertiesSet()
- */
- @Override
- public void afterPropertiesSet() throws ServletException {
- super.afterPropertiesSet();
- Assert.notNull(this.authenticationManager, "authenticationManager must be specified");
- }
-}
-
-
-
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosEntryPoint.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosEntryPoint.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosEntryPoint.java
deleted file mode 100644
index 457a60e..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosEntryPoint.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-/*
- * Copyright 2009 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.cxf.fediz.service.idp.kerberos;
-
-import java.io.IOException;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.web.AuthenticationEntryPoint;
-
-/**
-* Sends back a request for a Negotiate Authentication to the browser.
-*
-* @author Mike Wiesner
-* @since 1.0
-* @version $Id$
-* @see KerberosAuthenticationProcessingFilter
-*/
-public class KerberosEntryPoint implements AuthenticationEntryPoint {
-
- private static final Log LOG = LogFactory.getLog(KerberosEntryPoint.class);
-
- public void commence(HttpServletRequest request, HttpServletResponse response,
- AuthenticationException ex) throws IOException, ServletException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Sending back Negotiate Header for request: " + request.getRequestURL());
- }
- response.addHeader("WWW-Authenticate", "Negotiate");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- response.flushBuffer();
- }
-
-}
-
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosServiceRequestToken.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosServiceRequestToken.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosServiceRequestToken.java
deleted file mode 100644
index 2aba9cf..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosServiceRequestToken.java
+++ /dev/null
@@ -1,150 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-/*
- * Copyright 2009 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.cxf.fediz.service.idp.kerberos;
-
-import java.util.Arrays;
-import java.util.Collection;
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.core.GrantedAuthority;
-
-/**
- * Holds the Kerberos/SPNEGO token for requesting a kerberized service
- * and is also the output of <code>KerberosServiceAuthenticationProvider</code>.<br>
- * Will mostly be created in <code>SpnegoAuthenticationProcessingFilter</code>
- * and authenticated in <code>KerberosServiceAuthenticationProvider</code>.
- *
- * This token cannot be re-authenticated, as you will get a Kerberos Reply error.
- *
- * @author Mike Wiesner
- * @since 1.0
- * @version $Id$
- * @see KerberosServiceAuthenticationProvider
- * @see KerberosAuthenticationProcessingFilter
- */
-public class KerberosServiceRequestToken extends AbstractAuthenticationToken {
- private static final long serialVersionUID = 395488921064775014L;
- private final byte[] token;
- private final Object principal;
-
- /** Creates an authenticated token, normally used as an output of an authentication provider.
- * @param principal the user principal (mostly of instance <code>UserDetails</code>
- * @param authorities the authorities which are granted to the user
- * @param token the Kerberos/SPNEGO token
- * @see UserDetails
- */
- public KerberosServiceRequestToken(Object principal,
- Collection<? extends GrantedAuthority> authorities,
- byte[] token) {
- super(authorities);
- if (token != null) {
- this.token = Arrays.copyOf(token, token.length);
- } else {
- this.token = null;
- }
- this.principal = principal;
- super.setAuthenticated(true);
- }
-
- /**
- * Creates an unauthenticated instance which should then be authenticated by
- * <code>KerberosServiceAuthenticationProvider/code>
- *
- * @param token Kerberos/SPNEGO token
- * @see KerberosServiceAuthenticationProvider
- */
- public KerberosServiceRequestToken(byte[] token) {
- super(null);
- if (token != null) {
- this.token = Arrays.copyOf(token, token.length);
- } else {
- this.token = null;
- }
- this.principal = null;
- }
-
- /**
- * Calculates hashcode based on the Kerberos token
- */
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = super.hashCode();
- result = prime * result + Arrays.hashCode(token);
- return result;
- }
-
- /**
- * equals() is based only on the Kerberos token
- */
- @Override
- public boolean equals(Object obj) {
- if (this == obj) {
- return true;
- }
- if (!super.equals(obj)) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
- KerberosServiceRequestToken other = (KerberosServiceRequestToken) obj;
- if (!Arrays.equals(token, other.token)) { //NOPMD
- return false;
- }
- return true;
- }
-
- /* (non-Javadoc)
- * @see org.springframework.security.core.Authentication#getCredentials()
- */
- public Object getCredentials() {
- return null;
- }
-
- /* (non-Javadoc)
- * @see org.springframework.security.core.Authentication#getPrincipal()
- */
- public Object getPrincipal() {
- return this.principal;
- }
-
- /** Returns the Kerberos token
- */
- public byte[] getToken() {
- if (token != null) {
- return Arrays.copyOf(token, token.length);
- }
- return null;
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosTokenValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosTokenValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosTokenValidator.java
deleted file mode 100644
index c9b0cd7..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/KerberosTokenValidator.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.kerberos;
-
-import java.security.Principal;
-import java.security.PrivilegedActionException;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
-
-import org.apache.wss4j.common.kerberos.KerberosServiceContext;
-import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
-
-/**
- * Validate a Kerberos Token
- */
-public class KerberosTokenValidator {
-
- private static final org.slf4j.Logger LOG =
- org.slf4j.LoggerFactory.getLogger(KerberosTokenValidator.class);
-
- private String serviceName;
- private CallbackHandler callbackHandler;
- private String contextName;
- private boolean usernameServiceNameForm;
- private boolean spnego;
-
- /**
- * Get the JAAS Login context name to use.
- * @return the JAAS Login context name to use
- */
- public String getContextName() {
- return contextName;
- }
-
- /**
- * Set the JAAS Login context name to use.
- * @param contextName the JAAS Login context name to use
- */
- public void setContextName(String contextName) {
- this.contextName = contextName;
- }
-
- /**
- * Get the CallbackHandler to use with the LoginContext
- * @return the CallbackHandler to use with the LoginContext
- */
- public CallbackHandler getCallbackHandler() {
- return callbackHandler;
- }
-
- /**
- * Set the CallbackHandler to use with the LoginContext. It can be null.
- * @param callbackHandler the CallbackHandler to use with the LoginContext
- */
- public void setCallbackHandler(CallbackHandler callbackHandler) {
- this.callbackHandler = callbackHandler;
- }
-
- /**
- * The name of the service to use when contacting the KDC. This value can be null, in which
- * case it defaults to the current principal name.
- * @param serviceName the name of the service to use when contacting the KDC
- */
- public void setServiceName(String serviceName) {
- this.serviceName = serviceName;
- }
-
- /**
- * Get the name of the service to use when contacting the KDC. This value can be null, in which
- * case it defaults to the current principal name.
- * @return the name of the service to use when contacting the KDC
- */
- public String getServiceName() {
- return serviceName;
- }
-
- public KerberosServiceContext validate(KerberosServiceRequestToken token)
- throws LoginException, PrivilegedActionException {
- if (LOG.isDebugEnabled()) {
- try {
- String jaasAuth = System.getProperty("java.security.auth.login.config");
- String krbConf = System.getProperty("java.security.krb5.conf");
- LOG.debug("KerberosTokenValidator - Using JAAS auth login file: " + jaasAuth);
- LOG.debug("KerberosTokenValidator - Using KRB conf file: " + krbConf);
- } catch (SecurityException ex) {
- LOG.debug(ex.getMessage(), ex);
- }
- }
-
- // Get a TGT from the KDC using JAAS
- LoginContext loginContext = null;
- if (callbackHandler != null) {
- loginContext = new LoginContext(getContextName(), callbackHandler);
- } else {
- loginContext = new LoginContext(getContextName());
- }
- loginContext.login();
- if (LOG.isDebugEnabled()) {
- LOG.debug("Successfully authenticated to the TGT");
- }
-
- // Get the service name to use - fall back on the principal
- Subject subject = loginContext.getSubject();
- String service = serviceName;
- if (service == null) {
- Set<Principal> principals = subject.getPrincipals();
- if (principals.isEmpty()) {
- LOG.debug("No Client principals found after login");
- return null;
- }
- service = principals.iterator().next().getName();
- }
-
- // Validate the ticket
- KerberosServiceExceptionAction action =
- new KerberosServiceExceptionAction(token.getToken(), service,
- isUsernameServiceNameForm(), spnego);
- KerberosServiceContext krbServiceCtx = Subject.doAs(subject, action);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Successfully validated a ticket");
- }
-
- return krbServiceCtx;
- }
-
- /**
- * SPN can be configured to be in either <b>"hostbased"</b> or <b>"username"</b> form.<br/>
- * - <b>"hostbased"</b> - specifies that the service principal name should be interpreted
- * as a "host-based" name as specified in GSS API Rfc, section "4.1: Host-Based Service
- * Name Form" - The service name, as it is specified in LDAP/AD, as it is listed in the
- * KDC.<br/>
- * - <b>"username"</b> - specifies that the service principal name should be interpreted
- * as a "username" name as specified in GSS API Rfc, section "4.2: User Name Form"
- * This is usually the client username in LDAP/AD used for authentication to the KDC.
- *
- * <br/><br/>Default is <b>"hostbased"</b>.
- *
- * @return the isUsernameServiceNameForm
- */
- public boolean isUsernameServiceNameForm() {
- return usernameServiceNameForm;
- }
-
- /**
- * If true - sets the SPN form to "username"
- * <br/>If false<b>(default)</b> - the SPN form is "hostbased"
- *
- * @see KerberosSecurity#retrieveServiceTicket(String, CallbackHandler, String, boolean)
- *
- * @param isUsernameServiceNameForm the isUsernameServiceNameForm to set
- */
- public void setUsernameServiceNameForm(boolean isUsernameServiceNameForm) {
- this.usernameServiceNameForm = isUsernameServiceNameForm;
- }
-
- public boolean isSpnego() {
- return spnego;
- }
-
- public void setSpnego(boolean spnego) {
- this.spnego = spnego;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java
deleted file mode 100644
index d75b812..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/kerberos/PassThroughKerberosClient.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.kerberos;
-
-import java.util.Arrays;
-
-import org.apache.cxf.fediz.core.util.DOMUtils;
-import org.apache.cxf.ws.security.kerberos.KerberosClient;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.wss4j.common.util.KeyUtils;
-import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.dom.engine.WSSConfig;
-import org.apache.wss4j.dom.message.token.KerberosSecurity;
-import org.apache.xml.security.utils.Base64;
-
-/**
- * Override the default CXF KerberosClient just to create a BinarySecurityToken from a
- * give Kerberos token. This is used to pass a received Kerberos token through to the
- * STS, without retrieving a new token.
- */
-public class PassThroughKerberosClient extends KerberosClient {
-
- private byte[] token;
-
- public PassThroughKerberosClient() {
- super();
- }
-
- @Override
- public SecurityToken requestSecurityToken() throws Exception {
- KerberosSecurity bst = new KerberosSecurity(DOMUtils.createDocument());
- bst.setValueType(WSConstants.WSS_GSS_KRB_V5_AP_REQ);
- bst.setToken(token);
- bst.addWSUNamespace();
- bst.setID(WSSConfig.getNewInstance().getIdAllocator().createSecureId("BST-", bst));
-
- SecurityToken securityToken = new SecurityToken(bst.getID());
- securityToken.setToken(bst.getElement());
- securityToken.setWsuId(bst.getID());
- securityToken.setData(bst.getToken());
- String sha1 = Base64.encode(KeyUtils.generateDigest(bst.getToken()));
- securityToken.setSHA1(sha1);
- securityToken.setTokenType(bst.getValueType());
-
- return securityToken;
- }
-
- public byte[] getToken() {
- if (token != null) {
- return Arrays.copyOf(token, token.length);
- }
- return null;
- }
-
- public void setToken(byte[] token) {
- if (token != null) {
- this.token = Arrays.copyOf(token, token.length);
- } else {
- this.token = null;
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
deleted file mode 100644
index 7c5baec..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
+++ /dev/null
@@ -1,180 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.metadata;
-
-import java.security.cert.X509Certificate;
-
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.XMLStreamWriter;
-
-import org.w3c.dom.Document;
-import org.apache.cxf.fediz.core.util.CertsUtils;
-import org.apache.cxf.fediz.core.util.SignatureUtils;
-import org.apache.cxf.fediz.service.idp.domain.Claim;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.staxutils.W3CDOMStreamWriter;
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.apache.xml.security.utils.Base64;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import static org.apache.cxf.fediz.core.FedizConstants.SAML2_METADATA_NS;
-import static org.apache.cxf.fediz.core.FedizConstants.SCHEMA_INSTANCE_NS;
-import static org.apache.cxf.fediz.core.FedizConstants.WS_ADDRESSING_NS;
-import static org.apache.cxf.fediz.core.FedizConstants.WS_FEDERATION_NS;
-
-public class IdpMetadataWriter {
-
- private static final Logger LOG = LoggerFactory.getLogger(IdpMetadataWriter.class);
-
- //CHECKSTYLE:OFF
- public Document getMetaData(Idp config) throws RuntimeException {
- try {
- //Return as text/xml
- Crypto crypto = CertsUtils.getCryptoFromFile(config.getCertificate());
-
- W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
-
- writer.writeStartDocument("UTF-8", "1.0");
-
- String referenceID = IDGenerator.generateID("_");
- writer.writeStartElement("md", "EntityDescriptor", SAML2_METADATA_NS);
- writer.writeAttribute("ID", referenceID);
-
- writer.writeAttribute("entityID", config.getIdpUrl().toString());
-
- writer.writeNamespace("md", SAML2_METADATA_NS);
- writer.writeNamespace("fed", WS_FEDERATION_NS);
- writer.writeNamespace("wsa", WS_ADDRESSING_NS);
- writer.writeNamespace("auth", WS_FEDERATION_NS);
- writer.writeNamespace("xsi", SCHEMA_INSTANCE_NS);
-
- writeFederationMetadata(writer, config, crypto);
-
- writer.writeEndElement(); // EntityDescriptor
-
- writer.writeEndDocument();
-
- writer.close();
-
- if (LOG.isDebugEnabled()) {
- String out = DOM2Writer.nodeToString(writer.getDocument());
- LOG.debug("***************** unsigned ****************");
- LOG.debug(out);
- LOG.debug("***************** unsigned ****************");
- }
-
- Document result = SignatureUtils.signMetaInfo(crypto, null, config.getCertificatePassword(),
- writer.getDocument(), referenceID);
- if (result != null) {
- return result;
- } else {
- throw new RuntimeException("Failed to sign the metadata document: result=null");
- }
- } catch (Exception e) {
- LOG.error("Error creating service metadata information ", e);
- throw new RuntimeException("Error creating service metadata information: " + e.getMessage());
- }
-
- }
-
- private void writeFederationMetadata(
- XMLStreamWriter writer, Idp config, Crypto crypto
- ) throws XMLStreamException {
-
- writer.writeStartElement("md", "RoleDescriptor", WS_FEDERATION_NS);
- writer.writeAttribute(SCHEMA_INSTANCE_NS, "type", "fed:SecurityTokenServiceType");
- writer.writeAttribute("protocolSupportEnumeration", WS_FEDERATION_NS);
- if (config.getServiceDescription() != null && config.getServiceDescription().length() > 0 ) {
- writer.writeAttribute("ServiceDescription", config.getServiceDescription());
- }
- if (config.getServiceDisplayName() != null && config.getServiceDisplayName().length() > 0 ) {
- writer.writeAttribute("ServiceDisplayName", config.getServiceDisplayName());
- }
-
- //http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
- //missing organization, contactperson
-
- //KeyDescriptor
- writer.writeStartElement("", "KeyDescriptor", SAML2_METADATA_NS);
- writer.writeAttribute("use", "signing");
- writer.writeStartElement("", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
- writer.writeStartElement("", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
- writer.writeStartElement("", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
-
- try {
- String keyAlias = crypto.getDefaultX509Identifier();
- X509Certificate cert = CertsUtils.getX509CertificateFromCrypto(crypto, keyAlias);
- writer.writeCharacters(Base64.encode(cert.getEncoded()));
- } catch (Exception ex) {
- LOG.error("Failed to add certificate information to metadata. Metadata incomplete", ex);
- }
-
- writer.writeEndElement(); // X509Certificate
- writer.writeEndElement(); // X509Data
- writer.writeEndElement(); // KeyInfo
- writer.writeEndElement(); // KeyDescriptor
-
-
- // SecurityTokenServiceEndpoint
- writer.writeStartElement("fed", "SecurityTokenServiceEndpoint", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
-
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
- writer.writeCharacters(config.getStsUrl().toString());
-
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
- writer.writeEndElement(); // SecurityTokenServiceEndpoint
-
-
- // PassiveRequestorEndpoint
- writer.writeStartElement("fed", "PassiveRequestorEndpoint", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
-
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
- writer.writeCharacters(config.getIdpUrl().toString());
-
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
- writer.writeEndElement(); // PassiveRequestorEndpoint
-
-
- // create ClaimsType section
- if (config.getClaimTypesOffered() != null && config.getClaimTypesOffered().size() > 0) {
- writer.writeStartElement("fed", "ClaimTypesOffered", WS_FEDERATION_NS);
- for (Claim claim : config.getClaimTypesOffered()) {
-
- writer.writeStartElement("auth", "ClaimType", WS_FEDERATION_NS);
- writer.writeAttribute("Uri", claim.getClaimType().toString());
- writer.writeAttribute("Optional", "true");
- writer.writeEndElement(); // ClaimType
-
- }
- writer.writeEndElement(); // ClaimTypesOffered
- }
-
- writer.writeEndElement(); // RoleDescriptor
- }
-
-
-}
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/metadata/ServiceMetadataWriter.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/metadata/ServiceMetadataWriter.java
deleted file mode 100644
index 3118d8f..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/metadata/ServiceMetadataWriter.java
+++ /dev/null
@@ -1,214 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.metadata;
-
-import java.security.cert.X509Certificate;
-import java.util.Map;
-
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.XMLStreamWriter;
-
-import org.w3c.dom.Document;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.util.CertsUtils;
-import org.apache.cxf.fediz.core.util.SignatureUtils;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-import org.apache.cxf.fediz.service.idp.protocols.TrustedIdpSAMLProtocolHandler;
-import org.apache.cxf.staxutils.W3CDOMStreamWriter;
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.apache.xml.security.utils.Base64;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import static org.apache.cxf.fediz.core.FedizConstants.SAML2_METADATA_NS;
-import static org.apache.cxf.fediz.core.FedizConstants.SCHEMA_INSTANCE_NS;
-import static org.apache.cxf.fediz.core.FedizConstants.WS_ADDRESSING_NS;
-import static org.apache.cxf.fediz.core.FedizConstants.WS_FEDERATION_NS;
-
-public class ServiceMetadataWriter {
-
- private static final Logger LOG = LoggerFactory.getLogger(ServiceMetadataWriter.class);
-
- //CHECKSTYLE:OFF
- public Document getMetaData(Idp config, TrustedIdp serviceConfig) throws ProcessingException {
-
- try {
- Crypto crypto = CertsUtils.getCryptoFromFile(config.getCertificate());
-
- W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
-
- writer.writeStartDocument("UTF-8", "1.0");
-
- String referenceID = IDGenerator.generateID("_");
- writer.writeStartElement("md", "EntityDescriptor", SAML2_METADATA_NS);
- writer.writeAttribute("ID", referenceID);
-
- String serviceURL = config.getIdpUrl().toString();
- writer.writeAttribute("entityID", config.getRealm());
-
- writer.writeNamespace("md", SAML2_METADATA_NS);
- writer.writeNamespace("fed", WS_FEDERATION_NS);
- writer.writeNamespace("wsa", WS_ADDRESSING_NS);
- writer.writeNamespace("auth", WS_FEDERATION_NS);
- writer.writeNamespace("xsi", SCHEMA_INSTANCE_NS);
-
- if ("http://docs.oasis-open.org/wsfed/federation/200706".equals(serviceConfig.getProtocol())) {
- writeFederationMetadata(writer, serviceConfig, serviceURL);
- } else if ("urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser".equals(serviceConfig.getProtocol())) {
- writeSAMLMetadata(writer, serviceConfig, serviceURL, crypto);
- }
-
- writer.writeEndElement(); // EntityDescriptor
-
- writer.writeEndDocument();
-
- writer.close();
-
- if (LOG.isDebugEnabled()) {
- String out = DOM2Writer.nodeToString(writer.getDocument());
- LOG.debug("***************** unsigned ****************");
- LOG.debug(out);
- LOG.debug("***************** unsigned ****************");
- }
-
- Document result = SignatureUtils.signMetaInfo(crypto, null, config.getCertificatePassword(),
- writer.getDocument(), referenceID);
- if (result != null) {
- return result;
- } else {
- throw new RuntimeException("Failed to sign the metadata document: result=null");
- }
- } catch (ProcessingException e) {
- throw e;
- } catch (Exception e) {
- LOG.error("Error creating service metadata information ", e);
- throw new ProcessingException("Error creating service metadata information: " + e.getMessage());
- }
-
- }
-
- private void writeFederationMetadata(
- XMLStreamWriter writer,
- TrustedIdp config,
- String serviceURL
- ) throws XMLStreamException {
-
- writer.writeStartElement("md", "RoleDescriptor", WS_FEDERATION_NS);
- writer.writeAttribute(SCHEMA_INSTANCE_NS, "type", "fed:ApplicationServiceType");
- writer.writeAttribute("protocolSupportEnumeration", WS_FEDERATION_NS);
-
- writer.writeStartElement("fed", "ApplicationServiceEndpoint", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
-
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
- writer.writeCharacters(serviceURL);
-
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
- writer.writeEndElement(); // ApplicationServiceEndpoint
-
- // create target scope element
- writer.writeStartElement("fed", "TargetScope", WS_FEDERATION_NS);
- writer.writeEndElement(); // TargetScope
-
- // create sign in endpoint section
-
- writer.writeStartElement("fed", "PassiveRequestorEndpoint", WS_FEDERATION_NS);
- writer.writeStartElement("wsa", "EndpointReference", WS_ADDRESSING_NS);
- writer.writeStartElement("wsa", "Address", WS_ADDRESSING_NS);
-
- writer.writeCharacters(serviceURL);
-
- // writer.writeCharacters("http://host:port/url Issuer from config");
- writer.writeEndElement(); // Address
- writer.writeEndElement(); // EndpointReference
-
- writer.writeEndElement(); // PassiveRequestorEndpoint
- writer.writeEndElement(); // RoleDescriptor
- }
-
- private void writeSAMLMetadata(
- XMLStreamWriter writer,
- TrustedIdp config,
- String serviceURL,
- Crypto crypto
- ) throws Exception {
-
- writer.writeStartElement("md", "SPSSODescriptor", SAML2_METADATA_NS);
- boolean signRequest =
- isPropertyConfigured(config, TrustedIdpSAMLProtocolHandler.SIGN_REQUEST, true);
- writer.writeAttribute("AuthnRequestsSigned", Boolean.toString(signRequest));
- writer.writeAttribute("WantAssertionsSigned", "true");
- writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");
-
- writer.writeStartElement("md", "AssertionConsumerService", SAML2_METADATA_NS);
- writer.writeAttribute("Location", serviceURL);
- writer.writeAttribute("index", "0");
- writer.writeAttribute("isDefault", "true");
- writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
- writer.writeEndElement(); // AssertionConsumerService
-
- if (signRequest) {
- writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
- writer.writeAttribute("use", "signing");
-
- writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
- writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
- writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
- writer.writeStartElement("ds", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
-
- // Write the Base-64 encoded certificate
-
- String keyAlias = crypto.getDefaultX509Identifier();
- X509Certificate cert = CertsUtils.getX509CertificateFromCrypto(crypto, keyAlias);
-
- if (cert == null) {
- throw new ProcessingException(
- "No signing certs were found to insert into the metadata using name: "
- + keyAlias);
- }
- byte data[] = cert.getEncoded();
- String encodedCertificate = Base64.encode(data);
- writer.writeCharacters(encodedCertificate);
-
- writer.writeEndElement(); // X509Certificate
- writer.writeEndElement(); // X509Data
- writer.writeEndElement(); // KeyInfo
- writer.writeEndElement(); // KeyDescriptor
- }
-
- writer.writeEndElement(); // SPSSODescriptor
- }
-
- // Is a property configured. Defaults to "true" if not
- private boolean isPropertyConfigured(TrustedIdp trustedIdp, String property, boolean defaultValue) {
- Map<String, String> parameters = trustedIdp.getParameters();
-
- if (parameters != null && parameters.containsKey(property)) {
- return Boolean.parseBoolean(parameters.get(property));
- }
-
- return defaultValue;
- }
-
-}
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/IDPConfig.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/IDPConfig.java
deleted file mode 100644
index 9b9c5cd..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/IDPConfig.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.model;
-
-import java.util.ArrayList;
-import java.util.Map;
-
-import org.apache.cxf.fediz.service.idp.domain.Application;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-
-public class IDPConfig extends Idp {
-
- private static final long serialVersionUID = -5570301342547139039L;
-
- public void setServices(Map<String, Application> applications) {
- this.applications = new ArrayList<>(applications.values());
- }
-
- public void setTrustedIdps(Map<String, TrustedIDPConfig> trustedIdps) {
- this.trustedIdpList = new ArrayList<TrustedIdp>(trustedIdps.values());
- }
-
- @Deprecated
- public void setTrustedIDPs(Map<String, TrustedIDPConfig> trustedIdps) {
- setTrustedIdps(trustedIdps);
- }
-}