You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2017/01/27 11:22:54 UTC
[11/19] cxf-fediz git commit: FEDIZ-155 - Move .java components out
of idp webapp and into a separate JAR
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/service/security/GrantedAuthorityEntitlements.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/service/security/GrantedAuthorityEntitlements.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/service/security/GrantedAuthorityEntitlements.java
new file mode 100644
index 0000000..475ccd7
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/service/security/GrantedAuthorityEntitlements.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.service.security;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.apache.cxf.fediz.service.idp.domain.Entitlement;
+import org.apache.cxf.fediz.service.idp.domain.Role;
+import org.apache.cxf.fediz.service.idp.service.RoleDAO;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class GrantedAuthorityEntitlements extends GenericFilterBean {
+
+ private static final Logger LOG = LoggerFactory.getLogger(GrantedAuthorityEntitlements.class);
+
+ @Autowired
+ private RoleDAO roleDAO;
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+
+ try {
+ Authentication currentAuth = SecurityContextHolder.getContext().getAuthentication();
+ if (currentAuth == null) {
+ chain.doFilter(request, response);
+ return;
+ }
+
+ final Set<GrantedAuthority> authorities = new HashSet<>();
+ if (currentAuth.getAuthorities() != null) {
+ authorities.addAll(currentAuth.getAuthorities());
+ }
+
+ Iterator<? extends GrantedAuthority> authIt = currentAuth.getAuthorities().iterator();
+ while (authIt.hasNext()) {
+ GrantedAuthority ga = authIt.next();
+ String roleName = ga.getAuthority();
+
+ try {
+ Role role = roleDAO.getRole(roleName.substring(5), Arrays.asList("all"));
+ for (Entitlement e : role.getEntitlements()) {
+ authorities.add(new SimpleGrantedAuthority(e.getName()));
+ }
+ } catch (Exception ex) {
+ LOG.error("Role '{}' not found", roleName);
+ }
+ }
+ LOG.debug("Granted Authorities: {}", authorities);
+
+ UsernamePasswordAuthenticationToken enrichedAuthentication = new UsernamePasswordAuthenticationToken(
+ currentAuth.getName(), currentAuth.getCredentials(), authorities);
+ enrichedAuthentication.setDetails(currentAuth.getDetails());
+
+ SecurityContextHolder.getContext().setAuthentication(enrichedAuthentication);
+ LOG.info("Enriched AuthenticationToken added");
+
+ } catch (Exception ex) {
+ LOG.error("Failed to enrich security context with entitlements", ex);
+ }
+
+ chain.doFilter(request, response);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ApplicationProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ApplicationProtocolHandler.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ApplicationProtocolHandler.java
new file mode 100644
index 0000000..1cd9dc1
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ApplicationProtocolHandler.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.spi;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.webflow.execution.RequestContext;
+
+public interface ApplicationProtocolHandler extends ProtocolHandler {
+
+ boolean canHandleRequest(HttpServletRequest request);
+
+ void mapSignInRequest(RequestContext context);
+
+ void mapSignInResponse(RequestContext context);
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ProtocolHandler.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ProtocolHandler.java
new file mode 100644
index 0000000..2c1c8c9
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ProtocolHandler.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.spi;
+
+public interface ProtocolHandler {
+
+ String getProtocol();
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
new file mode 100644
index 0000000..a33591b
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.spi;
+
+import java.net.URL;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.cxf.fediz.service.idp.domain.Idp;
+import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.springframework.webflow.execution.RequestContext;
+
+public interface TrustedIdpProtocolHandler extends ProtocolHandler {
+
+ boolean canHandleRequest(HttpServletRequest request);
+
+ // Only supports HTTP GET SignIn Requests
+ URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp);
+
+ //Hook in <action-state id="validateToken"> of federation-signin-response.xml
+ SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp);
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
new file mode 100644
index 0000000..4484312
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
@@ -0,0 +1,209 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.util;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.springframework.util.Assert;
+import org.springframework.webflow.context.servlet.ServletExternalContext;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * Utility class to bind with webflow artifacts
+ */
+public final class WebUtils {
+
+ private WebUtils() {
+ super();
+ }
+
+ public static HttpServletRequest getHttpServletRequest(
+ final RequestContext context) {
+ Assert.isInstanceOf(ServletExternalContext.class,
+ context.getExternalContext(),
+ "Cannot obtain HttpServletRequest from event of type: "
+ + context.getExternalContext().getClass().getName());
+ return (HttpServletRequest) context.getExternalContext()
+ .getNativeRequest();
+ }
+
+ public static HttpSession getHttpSession(final RequestContext context) {
+ HttpServletRequest httpServletRequest = getHttpServletRequest(context);
+ return httpServletRequest.getSession();
+ }
+
+ public static HttpServletResponse getHttpServletResponse(
+ final RequestContext context) {
+ Assert.isInstanceOf(ServletExternalContext.class,
+ context.getExternalContext(),
+ "Cannot obtain HttpServletResponse from event of type: "
+ + context.getExternalContext().getClass().getName());
+ return (HttpServletResponse) context.getExternalContext()
+ .getNativeResponse();
+ }
+
+ public static String getHttpHeader(RequestContext requestContext, String headerName) {
+ return getHttpServletRequest(requestContext).getHeader(headerName);
+ }
+
+ public static void putAttributeInRequestScope(final RequestContext context,
+ final String attributeKey, final Object attributeValue) {
+ context.getRequestScope().put(attributeKey, attributeValue);
+ }
+
+ public static void putAttributeInExternalContext(
+ final RequestContext context, final String attributeKey,
+ final Object attributeValue) {
+ context.getExternalContext().getSessionMap()
+ .put(attributeKey, attributeValue);
+ }
+
+ /**
+ * put attribute in request or in session depending on storeInSession.
+ *
+ * @param context
+ * @param attributeKey
+ */
+ public static void putAttribute(final RequestContext context,
+ final String attributeKey, final Object attributeValue,
+ boolean storeInSession) {
+ if (storeInSession) {
+ putAttributeInExternalContext(context, attributeKey, attributeValue);
+ } else {
+ putAttributeInRequestScope(context, attributeKey, attributeValue);
+ }
+ }
+
+ public static Object getAttributeFromRequestScope(
+ final RequestContext context, final String attributeKey) {
+ return context.getRequestScope().get(attributeKey);
+ }
+
+ public static Object getAttributeFromExternalContext(
+ final RequestContext context, final String attributeKey) {
+ return context.getExternalContext().getSessionMap()
+ .get(attributeKey);
+ }
+
+ /**
+ * get attribute from request; if not found get it from session.
+ *
+ * @param context
+ * @param attributeKey
+ * @return the attribute from the request or session
+ */
+ public static Object getAttribute(final RequestContext context,
+ final String attributeKey) {
+ Object value = getAttributeFromRequestScope(context, attributeKey);
+ if (value != null) {
+ return value;
+ }
+ return getAttributeFromExternalContext(context, attributeKey);
+ }
+
+ public static Object removeAttributeFromRequestScope(
+ final RequestContext context, final String attributeKey) {
+ return context.getRequestScope().remove(attributeKey);
+ }
+
+ public static Object removeAttributeFromExternalContext(
+ final RequestContext context, final String attributeKey) {
+ return context.getExternalContext().getSessionMap()
+ .remove(attributeKey);
+ }
+
+ /**
+ * remove attribute from request and session.
+ *
+ * @param context
+ * @param attributeKey
+ * @return the removed attribute
+ */
+ public static Object removeAttribute(final RequestContext context,
+ final String attributeKey) {
+ Object valueReq = removeAttributeFromRequestScope(context, attributeKey);
+ Object valueSes = removeAttributeFromExternalContext(context,
+ attributeKey);
+ if (valueSes != null) {
+ return valueSes; // not clean if request has different value !
+ }
+ if (valueReq != null) {
+ return valueReq;
+ }
+ return null;
+ }
+
+ public static void putAttributeInFlowScope(final RequestContext context,
+ final String attributeKey, final Object attributeValue) {
+ context.getFlowScope().put(attributeKey, attributeValue);
+ }
+
+ public static Object getAttributeFromFlowScope(
+ final RequestContext context, final String attributeKey) {
+ return context.getFlowScope().get(attributeKey);
+ }
+
+ public static Object removeAttributeFromFlowScope(
+ final RequestContext context, final String attributeKey) {
+ return context.getFlowScope().remove(attributeKey);
+ }
+
+ public static String getParamFromRequestParameters(
+ final RequestContext context, final String attributeKey) {
+ return context.getRequestParameters().get(attributeKey);
+ }
+
+ public static Cookie readCookie(
+ final RequestContext context, final String cookieName) {
+ HttpServletRequest httpServletRequest = getHttpServletRequest(context);
+ Cookie[] cookies = httpServletRequest.getCookies();
+ if (cookies != null) {
+ for (int i = 0; i < cookies.length; i++) {
+ if (cookies[i].getName().equals(cookieName)) {
+ return cookies[i];
+ }
+ }
+ }
+ return null;
+ }
+
+ public static void addCookie(
+ final RequestContext context, final String cookieName, final String cookieValue) {
+ HttpServletResponse httpServletResponse = getHttpServletResponse(context);
+ Cookie cookie = new Cookie(cookieName, cookieValue);
+ cookie.setSecure(true);
+ cookie.setMaxAge(-1);
+ httpServletResponse.addCookie(cookie);
+ }
+
+ public static void removeCookie(
+ final RequestContext context, final String cookieName) {
+ HttpServletResponse httpServletResponse = getHttpServletResponse(context);
+ Cookie cookie = readCookie(context, cookieName);
+ if (cookie != null) {
+ cookie.setMaxAge(0);
+ cookie.setValue("");
+ httpServletResponse.addCookie(cookie);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/resources/META-INF/orm.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/resources/META-INF/orm.xml b/services/idp-core/src/main/resources/META-INF/orm.xml
new file mode 100644
index 0000000..e9c2bd6
--- /dev/null
+++ b/services/idp-core/src/main/resources/META-INF/orm.xml
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<entity-mappings xmlns="http://java.sun.com/xml/ns/persistence/orm"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/persistence/orm http://java.sun.com/xml/ns/persistence/orm_2_0.xsd"
+ version="2.0">
+
+ <entity class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <table>
+ <unique-constraint>
+ <column-name>claimtype</column-name>
+ </unique-constraint>
+ </table>
+ <attributes>
+ <id name="id">
+ <generated-value generator="SEQ_Claim"
+ strategy="TABLE" />
+ <table-generator name="SEQ_Claim"
+ pk-column-value="SEQ_Claim" initial-value="100" />
+ </id>
+ </attributes>
+ </entity>
+
+ <entity class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+ <table>
+ <unique-constraint>
+ <column-name>realm</column-name>
+ </unique-constraint>
+ </table>
+ <attributes>
+ <id name="id">
+ <generated-value generator="SEQ_IDP"
+ strategy="TABLE" />
+ <table-generator name="SEQ_IDP"
+ pk-column-value="SEQ_IDP" initial-value="100" />
+ </id>
+ <many-to-many name="claimTypesOffered">
+ <join-table name="idp_claims">
+ <join-column name="idp_id" />
+ <inverse-join-column name="claim_id" />
+ <unique-constraint>
+ <column-name>idp_id</column-name>
+ <column-name>claim_id</column-name>
+ </unique-constraint>
+ </join-table>
+ </many-to-many>
+ <many-to-many name="trustedIdps">
+ <join-table name="idp_trustedidps">
+ <join-column name="idp_id" />
+ <inverse-join-column name="trustedidp_id" />
+ <unique-constraint>
+ <column-name>idp_id</column-name>
+ <column-name>trustedidp_id</column-name>
+ </unique-constraint>
+ </join-table>
+ </many-to-many>
+ <many-to-many name="applications">
+ <join-table name="idp_applications">
+ <join-column name="idp_id" />
+ <inverse-join-column name="application_id" />
+ <unique-constraint>
+ <column-name>idp_id</column-name>
+ <column-name>application_id</column-name>
+ </unique-constraint>
+ </join-table>
+ </many-to-many>
+
+ </attributes>
+ </entity>
+
+ <entity
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <table>
+ <unique-constraint>
+ <column-name>realm</column-name>
+ </unique-constraint>
+ </table>
+ <attributes>
+ <id name="id">
+ <generated-value generator="SEQ_Application"
+ strategy="TABLE" />
+ <table-generator name="SEQ_Application"
+ pk-column-value="SEQ_Application" initial-value="100" />
+ </id>
+ </attributes>
+ </entity>
+
+ <entity
+ class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+ <table>
+ <unique-constraint>
+ <column-name>realm</column-name>
+ </unique-constraint>
+ </table>
+ <attributes>
+ <id name="id">
+ <generated-value generator="SEQ_TrustedIDP"
+ strategy="TABLE" />
+ <table-generator name="SEQ_TrustedIDP"
+ pk-column-value="SEQ_TrustedIDP" initial-value="100" />
+ </id>
+ </attributes>
+ </entity>
+
+ <entity
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <table>
+ <unique-constraint>
+ <column-name>claimid</column-name>
+ <column-name>applicationid</column-name>
+ </unique-constraint>
+ </table>
+ <attributes>
+ <id name="id">
+ <generated-value generator="SEQ_ApplicationClaim"
+ strategy="TABLE" />
+ <table-generator name="SEQ_ApplicationClaim"
+ pk-column-value="SEQ_ApplicationClaim"
+ initial-value="100" />
+ </id>
+ </attributes>
+ </entity>
+
+ <entity class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <table>
+ <unique-constraint>
+ <column-name>name</column-name>
+ </unique-constraint>
+ </table>
+ <attributes>
+ <id name="id">
+ <generated-value generator="SEQ_Entitlement"
+ strategy="TABLE" />
+ <table-generator name="SEQ_Entitlement"
+ pk-column-value="SEQ_Entitlement" initial-value="100" />
+ </id>
+ </attributes>
+ </entity>
+
+ <entity class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <table>
+ <unique-constraint>
+ <column-name>name</column-name>
+ </unique-constraint>
+ </table>
+ <attributes>
+ <id name="id">
+ <generated-value generator="SEQ_ROLE"
+ strategy="TABLE" />
+ <table-generator name="SEQ_ROLE"
+ pk-column-value="SEQ_ROLE" initial-value="100" />
+ </id>
+ <many-to-many name="entitlements">
+ <join-table name="role_entitlements">
+ <join-column name="role_id" />
+ <inverse-join-column name="entitlement_id" />
+ <unique-constraint>
+ <column-name>role_id</column-name>
+ <column-name>entitlement_id</column-name>
+ </unique-constraint>
+ </join-table>
+ </many-to-many>
+ </attributes>
+ </entity>
+
+</entity-mappings>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/resources/META-INF/spring-persistence.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/resources/META-INF/spring-persistence.xml b/services/idp-core/src/main/resources/META-INF/spring-persistence.xml
new file mode 100644
index 0000000..bf34a76
--- /dev/null
+++ b/services/idp-core/src/main/resources/META-INF/spring-persistence.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<persistence
+ xmlns="http://java.sun.com/xml/ns/persistence"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_2_0.xsd"
+ version="2.0">
+
+ <persistence-unit name="fedizPersistenceUnit">
+ <mapping-file>META-INF/orm.xml</mapping-file>
+ <validation-mode>AUTO</validation-mode>
+ </persistence-unit>
+</persistence>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/applicationContext.xml b/services/idp-core/src/main/webapp/WEB-INF/applicationContext.xml
new file mode 100644
index 0000000..68bcb0b
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/applicationContext.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xsi:schemaLocation="http://cxf.apache.org/core
+ http://cxf.apache.org/schemas/core.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+
+ <context:component-scan base-package="org.apache.cxf.fediz.service.idp.protocols" />
+
+
+ <!-- Use http://www.baeldung.com/2012/02/06/properties-with-spring/ instead -->
+ <bean
+ class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+ <property name="locations">
+ <list>
+ <value>classpath:persistence.properties</value>
+ </list>
+ </property>
+ <property name="ignoreResourceNotFound" value="true" />
+ <property name="ignoreUnresolvablePlaceholders" value="true" />
+ </bean>
+
+ <import resource="classpath:META-INF/cxf/cxf.xml" />
+
+ <import resource="security-config.xml" />
+ <import resource="${idp-config}" />
+ <import resource="classpath:cxf-tls.xml" />
+ <import resource="classpath:persistenceContext.xml" />
+ <import resource="classpath:restContext.xml" />
+
+ <!--cxf:bus>
+ <cxf:features>
+ <cxf:logging />
+ </cxf:features>
+ </cxf:bus-->
+
+</beans>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/idp-core-servlet.xml b/services/idp-core/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
new file mode 100644
index 0000000..3d62ad9
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:webflow="http://www.springframework.org/schema/webflow-config"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:mvc="http://www.springframework.org/schema/mvc"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-4.3.xsd
+ http://www.springframework.org/schema/mvc
+ http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
+ http://www.springframework.org/schema/webflow-config
+ http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
+
+ <context:component-scan base-package="org.apache.cxf.fediz.service.idp.beans" />
+
+ <mvc:resources mapping="/images/**" location="/resources/images/" />
+
+ <mvc:resources mapping="/swagger/**" location="/resources/swagger/" />
+
+ <mvc:view-controller path="/" view-name="index" />
+ <mvc:view-controller path="/federation/up/login" view-name="signinform" />
+
+ <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
+ <property name="prefix" value="/WEB-INF/views/" />
+ <property name="suffix" value=".jsp" />
+ </bean>
+
+ <bean id="viewFactoryCreator" class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
+ <property name="viewResolvers">
+ <list>
+ <ref bean="viewResolver" />
+ </list>
+ </property>
+ </bean>
+
+ <webflow:flow-builder-services id="builder" view-factory-creator="viewFactoryCreator" />
+
+ <webflow:flow-registry id="flowRegistry" flow-builder-services="builder">
+ <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation" />
+ <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/up" />
+ <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/krb" />
+ <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/clientcert" />
+
+ <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml" />
+ <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/up" />
+ <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/krb" />
+ <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/clientcert" />
+
+ <webflow:flow-location path="/WEB-INF/flows/signin-request.xml" id="signinRequest" />
+ <webflow:flow-location path="/WEB-INF/flows/signin-response.xml" id="signinResponse" />
+ </webflow:flow-registry>
+
+ <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" p:flowRegistry-ref="flowRegistry"
+ p:order="2">
+ </bean>
+
+ <webflow:flow-executor id="flowExecutor" flow-registry="flowRegistry">
+ <webflow:flow-execution-attributes>
+ <webflow:always-redirect-on-pause value="false" />
+ </webflow:flow-execution-attributes>
+
+ <webflow:flow-execution-listeners>
+ <webflow:listener ref="securityFlowExecutionListener" />
+ </webflow:flow-execution-listeners>
+ </webflow:flow-executor>
+
+ <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter" p:flowExecutor-ref="flowExecutor" />
+
+ <bean id="securityFlowExecutionListener" class="org.springframework.webflow.security.SecurityFlowExecutionListener">
+ <property name="accessDecisionManager" ref="accessDecisionManager" />
+ </bean>
+
+ <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
+ <property name="decisionVoters">
+ <list>
+ <bean class="org.springframework.security.access.vote.RoleVoter">
+ <property name="rolePrefix" value="ROLE_" />
+ </bean>
+ <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
+ </list>
+ </property>
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/security-clientcert-config.xml b/services/idp-core/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
new file mode 100644
index 0000000..d40d0c9
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-4.3.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-4.3.xsd
+ ">
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <!-- SSL Client Cert entry point for WS-Federation -->
+ <security:http pattern="/federation/clientcert" use-expressions="true">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:x509 />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <!-- SSL Client Cert entry point for SAML SSO -->
+ <security:http pattern="/saml/clientcert" use-expressions="true">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:x509 />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsClientCertAuthProvider" />
+ </bean>
+
+ <util:map id="securityProperties">
+ <entry key="ws-security.username" value="idp-user" />
+ <entry key="ws-security.password" value="idp-pass" />
+ </util:map>
+
+ <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl" />
+ <property name="wsdlEndpoint" value="TransportUT_Port" />
+ <property name="wsdlService" value="SecurityTokenService" />
+ <property name="appliesTo" value="urn:fediz:idp" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="properties" ref="securityProperties" />
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/security-krb-config.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/security-krb-config.xml b/services/idp-core/src/main/webapp/WEB-INF/config/security-krb-config.xml
new file mode 100644
index 0000000..b66044b
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/security-krb-config.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-4.3.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-4.3.xsd
+ ">
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <!-- Kerberos entry point -->
+ <bean id="kerberosEntryPoint"
+ class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
+
+ <bean id="kerberosAuthenticationProcessingFilter"
+ class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+ <property name="authenticationManager" ref="authenticationManagers" />
+ </bean>
+
+ <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <security:http pattern="/saml/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsKrbAuthProvider" />
+ </bean>
+
+ <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
+ <property name="contextName" value="bob" />
+ <property name="serviceName" value="bob@service.ws.apache.org" />
+ </bean>-->
+
+ <!-- Kerberos authentication provider -->
+ <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl" />
+ <property name="wsdlEndpoint" value="TransportKerberos_Port" />
+ <property name="wsdlService" value="SecurityTokenService" />
+ <property name="appliesTo" value="urn:fediz:idp" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator" />
+ <property name="requireDelegation" value="true" />-->
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/security-rs-config.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/security-rs-config.xml b/services/idp-core/src/main/webapp/WEB-INF/config/security-rs-config.xml
new file mode 100644
index 0000000..aa859b5
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/security-rs-config.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-4.3.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-4.3.xsd
+ ">
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()" />
+ <security:http-basic />
+ </security:http>
+
+ <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+
+ <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
+
+ <security:authentication-manager id="restAuthenticationManager">
+ <security:authentication-provider>
+ <!-- <security:password-encoder ref="defaultPasswordEncoder" />-->
+ <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+ <!--
+ <security:password-encoder hash="sha-256" base64="true">
+ <security:salt-source user-property="username" />
+ </security:password-encoder>
+ -->
+ <security:user-service properties="classpath:/users.properties" />
+ </security:authentication-provider>
+ <security:authentication-provider ref="stsUPAuthProvider" />
+ </security:authentication-manager>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/security-up-config.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/security-up-config.xml b/services/idp-core/src/main/webapp/WEB-INF/config/security-up-config.xml
new file mode 100644
index 0000000..2ba5f86
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/security-up-config.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-4.3.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-4.3.xsd
+ ">
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <!-- HTTP/BA entry point for WS-Federation -->
+ <security:http pattern="/federation/up/**" use-expressions="true">
+ <security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous() or isAuthenticated()" />
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:http-basic />
+ <!--security:form-login login-page='/federation/up/login'
+ login-processing-url="/federation/up/login.do"
+ authentication-failure-url="/federation/up/login?error"
+ default-target-url="/"
+ username-parameter="username"
+ password-parameter="password"
+ /-->
+ <security:logout logout-url="/federation/up/logout"
+ logout-success-url="/federation/up/login?out"
+ delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
+ invalidate-session="true"
+ />
+ </security:http>
+
+ <!-- HTTP/BA entry point for SAML SSO -->
+ <security:http pattern="/saml/up/**" use-expressions="true">
+ <security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous() or isAuthenticated()" />
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:http-basic />
+ <!--security:form-login login-page='/federation/up/login'
+ login-processing-url="/federation/up/login.do"
+ authentication-failure-url="/federation/up/login?error"
+ default-target-url="/"
+ username-parameter="username"
+ password-parameter="password"
+ /-->
+ <security:logout logout-url="/saml/up/logout"
+ logout-success-url="/saml/up/login?out"
+ delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
+ invalidate-session="true"
+ />
+ </security:http>
+
+ <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsUPAuthProvider" />
+ </bean>
+
+ <!-- U/P Authentication Provider -->
+ <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl" />
+ <property name="wsdlEndpoint" value="TransportUT_Port" />
+ <property name="wsdlService" value="SecurityTokenService" />
+ <property name="appliesTo" value="urn:fediz:idp" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp-core/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
new file mode 100644
index 0000000..ea9ce68
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow
+ http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+ <decision-state id="evaluateProtocol">
+ <on-entry>
+ <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
+ </on-entry>
+ <if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" />
+ <if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
+ then="selectWsFedProcess" />
+ <if test="requestParameters.SAMLResponse != null" then="selectSAMLProcess"
+ else="selectOIDCAuthorizationCodeFlowProcess"
+ />
+ </decision-state>
+
+ <decision-state id="selectWsFedProcess">
+ <on-entry>
+ <set name="flowScope.wtrealm" value="requestParameters.wtrealm" />
+ <set name="flowScope.wreply" value="requestParameters.wreply" />
+ <set name="flowScope.wctx" value="requestParameters.wctx" />
+ <set name="flowScope.request_context" value="requestParameters.wctx" />
+ <set name="flowScope.wfresh" value="requestParameters.wfresh" />
+ <set name="flowScope.whr" value="requestParameters.whr" />
+ <set name="flowScope.wresult" value="requestParameters.wresult" />
+ <set name="flowScope.wreq" value="requestParameters.wreq" />
+ <evaluate expression="requestScope.getString('wauth','default')"
+ result="flowScope.wauth" />
+ </on-entry>
+ <if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
+ then="validateWReplyForSignout" />
+ <if test="requestParameters.wresult != null and !requestParameters.wresult.isEmpty()"
+ then="signinResponse" />
+ <if test="requestParameters.wtrealm != null and !requestParameters.wtrealm.isEmpty()"
+ then="signinRequest" else="viewBadRequest" />
+ </decision-state>
+
+ <decision-state id="selectSAMLProcess">
+ <on-entry>
+ <set name="flowScope.RelayState" value="requestParameters.RelayState" />
+ <set name="flowScope.request_context" value="requestParameters.RelayState" />
+ <set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
+ </on-entry>
+ <if test="requestParameters.RelayState == null or requestParameters.RelayState.isEmpty()"
+ then="viewBadRequest" />
+ <if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.isEmpty()"
+ then="viewBadRequest" else="signinResponse" />
+ </decision-state>
+
+ <decision-state id="selectOIDCAuthorizationCodeFlowProcess">
+ <on-entry>
+ <set name="flowScope.state" value="requestParameters.state" />
+ <set name="flowScope.request_context" value="requestParameters.state" />
+ <set name="flowScope.code" value="requestParameters.code" />
+ </on-entry>
+ <if test="requestParameters.code == null or requestParameters.code.isEmpty()"
+ then="viewBadRequest" />
+ <if test="requestParameters.state == null or requestParameters.state.isEmpty()"
+ then="viewBadRequest" else="signinResponse" />
+ </decision-state>
+
+ <action-state id="validateWReplyForSignout">
+ <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)"/>
+ <transition on="yes" to="selectSignOutProcess" />
+ <transition on="no" to="viewBadRequestAndLogout" />
+ </action-state>
+
+ <decision-state id="selectSignOutProcess">
+ <if test="requestParameters.wa == 'wsignout1.0' and flowScope.idpConfig.rpSingleSignOutConfirmation == true
+ or requestParameters.wa == 'wsignoutcleanup1.0' and flowScope.idpConfig.rpSingleSignOutCleanupConfirmation == true"
+ then="viewSignoutConfirmation" else="invalidateSessionAction" />
+ </decision-state>
+
+ <subflow-state id="signinRequest" subflow="signinRequest">
+ <input name="idpConfig" value="flowScope.idpConfig" />
+ <input name="realm" value="flowScope.wtrealm" />
+ <input name="wctx" value="flowScope.wctx" />
+ <input name="wfresh" value="flowScope.wfresh" />
+ <input name="wauth" value="flowScope.wauth" />
+ <input name="home_realm" value="flowScope.whr" />
+ <input name="protocol" value="'wsfed'" />
+ <input name="return_address" value="flowScope.wreply" />
+ <input name="request_context" value="flowScope.request_context" />
+
+ <output name="home_realm" />
+ <output name="idpToken" />
+ <output name="trusted_idp_context" />
+
+ <transition on="requestRpToken" to="requestRpToken">
+ <set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
+ <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+ </transition>
+ <transition on="viewBadRequest" to="viewBadRequest" />
+ <transition on="scInternalServerError" to="scInternalServerError" />
+ <transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
+ <set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
+ <set name="flowScope.trusted_idp_context" value="currentEvent.attributes.trusted_idp_context"/>
+ </transition>
+ <transition on="redirectToLocalIDP" to="redirectToLocalIDP">
+ <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+ </transition>
+ </subflow-state>
+
+ <subflow-state id="signinResponse" subflow="signinResponse">
+ <input name="idpConfig" value="flowScope.idpConfig" />
+ <input name="wfresh" value="flowScope.wfresh" />
+ <input name="request_context" value="flowScope.request_context" />
+ <input name="wresult" value="flowScope.wresult" />
+ <input name="RelayState" value="flowScope.RelayState" />
+ <input name="SAMLResponse" value="flowScope.SAMLResponse" />
+ <input name="state" value="flowScope.state" />
+ <input name="code" value="flowScope.code" />
+ <input name="home_realm" value="flowScope.whr" />
+ <input name="protocol" value="'wsfed'" />
+
+ <output name="realm" />
+ <output name="return_address" />
+ <output name="request_context" />
+ <output name="home_realm" />
+ <output name="idpToken" />
+
+ <transition on="requestRpToken" to="requestRpToken">
+ <set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
+ <set name="flowScope.wctx" value="currentEvent.attributes.request_context" />
+ <set name="flowScope.wtrealm" value="currentEvent.attributes.realm" />
+ <set name="flowScope.wreply" value="currentEvent.attributes.return_address" />
+ <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+ </transition>
+ <transition on="viewBadRequest" to="viewBadRequest" />
+ <transition on="scInternalServerError" to="scInternalServerError" />
+ </subflow-state>
+
+ <!-- produce RP security token (as String type) -->
+ <action-state id="requestRpToken">
+ <on-entry>
+ <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.wtrealm, flowScope.whr)"
+ result="flowScope.rpTokenElement"/>
+ <evaluate expression="tokenSerializer.serialize(flowRequestContext, flowScope.rpTokenElement)"
+ result="flowScope.rpToken"/>
+ </on-entry>
+ <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)" />
+ <transition to="isWReplyProvided" />
+ <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+ <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+ </action-state>
+
+ <action-state id="processTrustedIdpProtocol">
+ <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext, flowScope.whr)"
+ result="flowScope.remoteIdpUrl"/>
+ <transition to="redirectToTrustedIDP" />
+ <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+ </action-state>
+
+ <action-state id="isWReplyProvided">
+ <evaluate expression="flowScope.wreply != null" />
+ <transition on="yes" to="formResponseView" >
+ <set name="flowScope.signinResponseUrl" value="flowScope.wreply" />
+ </transition>
+ <transition on="no" to="formResponseView" >
+ <set name="flowScope.signinResponseUrl" value="flowScope.wtrealm" />
+ </transition>
+ </action-state>
+
+ <!-- normal exit point for login -->
+ <!-- browser redirection (self-submitted form 'signinresponseform.jsp') -->
+ <end-state id="formResponseView" view="signinresponseform">
+ <on-entry>
+ <evaluate expression="flowScope.signinResponseUrl" result="requestScope.fedAction" />
+ <evaluate expression="flowScope.wtrealm" result="requestScope.fedWTrealm" />
+ <evaluate expression="flowScope.wctx" result="requestScope.fedWCtx" />
+ <evaluate expression="flowScope.rpToken" result="requestScope.fedWResult" />
+ </on-entry>
+ </end-state>
+
+ <!-- abnormal exit point : Http 400 Bad Request -->
+ <end-state id="viewBadRequest" view="genericerror">
+ <on-entry>
+ <evaluate
+ expression="externalContext.nativeResponse.setStatus(400,flowRequestContext.currentTransition.toString())" />
+ <!--<set name="requestScope.reason" value="flowRequestContext.currentTransition" />-->
+ </on-entry>
+ </end-state>
+
+ <end-state id="viewBadRequestAndLogout" view="genericerror">
+ <on-entry>
+ <evaluate expression="homeRealmReminder.removeCookie(flowRequestContext)" />
+ <evaluate expression="logoutAction.submit(flowRequestContext)" />
+ <evaluate
+ expression="externalContext.nativeResponse.setStatus(400,flowRequestContext.currentTransition.toString())" />
+ <!--<set name="requestScope.reason" value="flowRequestContext.currentTransition" />-->
+ </on-entry>
+ </end-state>
+
+ <!-- abnormal exit point : Http 500 Internal Server Error -->
+ <end-state id="scInternalServerError" view="genericerror">
+ <on-entry>
+ <evaluate
+ expression="externalContext.nativeResponse.setStatus(500,'IDP is unavailable, please contact the administrator')" />
+ <set name="requestScope.reason"
+ value="'IDP is unavailable, please contact the administrator'" />
+ <set name="requestScope.stateException"
+ value="flowScope.stateException" />
+ <set name="requestScope.rootCauseException"
+ value="flowScope.rootCauseException" />
+ </on-entry>
+ </end-state>
+
+ <!-- normal exit point for logout -->
+ <view-state id="viewSignoutConfirmation" view="signoutconfirmationresponse">
+ <transition on="submit" to="invalidateSessionAction"/>
+ <transition on="cancel" to="redirect" />
+ </view-state>
+
+ <view-state id="redirect" view="externalRedirect:#{flowScope.wreply}" />
+
+ <!-- normal exit point for logout -->
+ <end-state id="invalidateSessionAction" view="signoutresponse">
+ <on-entry>
+ <!-- store the realmConfigMap in the request map before we invalidate the session below.
+ Its needed in the signoutresponse.jsp page -->
+ <set name="externalContext.requestMap.realmConfigMap"
+ value="externalContext.sessionMap.realmConfigMap"/>
+ <set name="externalContext.requestMap.wreply" value="flowScope.wreply"/>
+ <!-- there is no Saml token canceller in cxf STS...
+ <evaluate expression="stsClientForRpAction.cancelTokens(flowRequestContext)" />
+ -->
+ <evaluate expression="homeRealmReminder.removeCookie(flowRequestContext)" />
+ <evaluate expression="logoutAction.submit(flowRequestContext)" />
+ </on-entry>
+ </end-state>
+
+ <!-- redirect to remote idp -->
+ <end-state id="redirectToTrustedIDP" view="externalRedirect:#{flowScope.remoteIdpUrl}">
+ <!--
+ <on-entry>
+ <set name="flowScope.remoteIdpUrl"
+ value="flowScope.idpConfig.findTrustedIdp(flowScope.whr).url
+ +'?wa=wsignin1.0'
+ +'&wtrealm='+flowScope.idpConfig.realm
+ +'&wreply='+flowScope.idpConfig.idpUrl
+ +(flowScope.wfresh != null ? '&wfresh='+flowScope.wfresh : '')
+ +(flowScope.wctx != null ? '&wctx='+flowScope.wctx : '')">
+ </set>
+ </on-entry>
+ -->
+ </end-state>
+
+ <end-state id="redirectToLocalIDP" view="externalRedirect:#{flowScope.localIdpUrl}">
+ <on-entry>
+ <set name="flowScope.localIdpUrl"
+ value="flowScope.idpConfig.idpUrl
+ +'?wa=wsignin1.0'
+ +'&wreply='+flowScope.wreply
+ +'&wtrealm='+flowScope.wtrealm
+ +(flowScope.wctx != null ? '&wctx='+flowScope.wctx : '')
+ +(flowScope.wfresh != null ? '&wfresh='+flowScope.wfresh : '')
+ +(flowScope.whr != null ? '&whr='+flowScope.whr : '')
+ +(flowScope.wreq != null ? '&wreq='+flowScope.wreq : '')">
+ </set>
+ </on-entry>
+ </end-state>
+
+</flow>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp-core/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
new file mode 100644
index 0000000..1f12890
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -0,0 +1,259 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow
+ http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+ <decision-state id="evaluateProtocol">
+ <on-entry>
+ <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
+ </on-entry>
+ <if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" />
+ <if test="requestParameters.SAMLRequest != null or requestParameters.SAMLResponse != null"
+ then="selectSAMLProcess" else="selectOIDCAuthorizationCodeFlowProcess"
+ />
+ </decision-state>
+
+ <decision-state id="selectWsFedProcess">
+ <on-entry>
+ <set name="flowScope.wresult" value="requestParameters.wresult" />
+ <set name="flowScope.wctx" value="requestParameters.wctx" />
+ <set name="flowScope.request_context" value="requestParameters.wctx" />
+ </on-entry>
+ <if test="requestParameters.wctx == null or requestParameters.wctx.isEmpty()"
+ then="viewBadRequest" />
+ <if test="requestParameters.wresult == null or requestParameters.wresult.isEmpty()"
+ then="viewBadRequest" />
+ <if test="requestParameters.wtrealm != null and !requestParameters.wtrealm.isEmpty()"
+ then="signinResponse" else="viewBadRequest" />
+ </decision-state>
+
+ <decision-state id="selectSAMLProcess">
+ <on-entry>
+ <set name="flowScope.RelayState" value="requestParameters.RelayState" />
+ <set name="flowScope.request_context" value="requestParameters.RelayState" />
+ <set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
+ <set name="flowScope.SAMLRequest" value="requestParameters.SAMLRequest" />
+ <set name="flowScope.Signature" value="requestParameters.Signature" />
+ </on-entry>
+ <if test="requestParameters.RelayState == null or requestParameters.RelayState.isEmpty()"
+ then="viewBadRequest" />
+ <if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
+ then="parseSAMLAuthnRequest" />
+ <if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.isEmpty()"
+ then="viewBadRequest" else="signinResponse" />
+ </decision-state>
+
+ <decision-state id="selectOIDCAuthorizationCodeFlowProcess">
+ <on-entry>
+ <set name="flowScope.state" value="requestParameters.state" />
+ <set name="flowScope.request_context" value="requestParameters.state" />
+ <set name="flowScope.code" value="requestParameters.code" />
+ </on-entry>
+ <if test="requestParameters.code == null or requestParameters.code.isEmpty()"
+ then="viewBadRequest" />
+ <if test="requestParameters.state == null or requestParameters.state.isEmpty()"
+ then="viewBadRequest" else="signinResponse" />
+ </decision-state>
+
+ <action-state id="parseSAMLAuthnRequest">
+ <evaluate expression="authnRequestParser.parseSAMLRequest(flowRequestContext, flowScope.idpConfig,
+ flowScope.SAMLRequest, flowScope.Signature,
+ flowScope.RelayState)" />
+ <transition to="retrieveConsumerURL"/>
+ <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+ </action-state>
+
+ <action-state id="retrieveConsumerURL">
+ <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
+ result="flowScope.consumerURL"/>
+ <transition to="retrieveRealm"/>
+ <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+ </action-state>
+
+ <action-state id="retrieveRealm">
+ <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)"
+ result="flowScope.realm"/>
+ <transition to="signinRequest"/>
+ <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+ </action-state>
+
+ <subflow-state id="signinRequest" subflow="signinRequest">
+ <input name="idpConfig" value="flowScope.idpConfig" />
+ <input name="SAMLRequest" value="flowScope.SAMLRequest" />
+ <input name="RelayState" value="flowScope.RelayState" />
+ <input name="Signature" value="flowScope.Signature" />
+ <input name="protocol" value="'samlsso'" />
+ <input name="saml_authn_request" value="flowScope.saml_authn_request" />
+ <input name="realm" value="flowScope.realm" />
+ <input name="home_realm" value="null" />
+ <input name="wfresh" value="null" />
+ <input name="return_address" value="flowScope.consumerURL" />
+ <input name="request_context" value="flowScope.request_context" />
+
+ <output name="home_realm" />
+ <output name="idpToken" />
+ <output name="trusted_idp_context" />
+
+ <transition on="requestRpToken" to="requestRpToken">
+ <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
+ <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+ </transition>
+ <transition on="viewBadRequest" to="viewBadRequest" />
+ <transition on="scInternalServerError" to="scInternalServerError" />
+ <transition on="redirectToLocalIDP" to="redirectToLocalIDP" />
+ <transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
+ <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
+ <set name="flowScope.trusted_idp_context" value="currentEvent.attributes.trusted_idp_context"/>
+ </transition>
+ </subflow-state>
+
+ <subflow-state id="signinResponse" subflow="signinResponse">
+ <input name="idpConfig" value="flowScope.idpConfig" />
+ <input name="wfresh" value="flowScope.wfresh" />
+ <input name="request_context" value="flowScope.request_context" />
+ <input name="wresult" value="flowScope.wresult" />
+ <input name="RelayState" value="flowScope.RelayState" />
+ <input name="SAMLResponse" value="flowScope.SAMLResponse" />
+ <input name="state" value="flowScope.state" />
+ <input name="code" value="flowScope.code" />
+ <input name="home_realm" value="flowScope.whr" />
+ <input name="protocol" value="'samlsso'" />
+
+ <output name="home_realm" />
+ <output name="idpToken" />
+ <output name="saml_authn_request" />
+ <output name="request_context" />
+
+ <transition on="requestRpToken" to="requestRpToken">
+ <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
+ <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+ <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
+ <set name="flowScope.RelayState" value="currentEvent.attributes.request_context" />
+ </transition>
+ <transition on="viewBadRequest" to="viewBadRequest" />
+ <transition on="scInternalServerError" to="scInternalServerError" />
+ </subflow-state>
+
+ <!-- produce RP security token (as String type) -->
+ <action-state id="requestRpToken">
+ <on-entry>
+ <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)"
+ result="flowScope.realm"/>
+ <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.realm, flowScope.home_realm)"
+ result="flowScope.rpTokenElement"/>
+ </on-entry>
+ <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"/>
+ <transition to="produceSAMLResponse" />
+ <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+ <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+ </action-state>
+
+ <action-state id="produceSAMLResponse">
+ <on-entry>
+ <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
+ result="flowScope.consumerURL"/>
+ <evaluate expression="authnRequestParser.retrieveRequestId(flowRequestContext)"
+ result="flowScope.requestId"/>
+ <evaluate expression="authnRequestParser.retrieveRequestIssuer(flowRequestContext)"
+ result="flowScope.requestIssuer"/>
+ </on-entry>
+ <evaluate expression="samlResponseCreator.createSAMLResponse(flowRequestContext, flowScope.idpConfig, flowScope.rpTokenElement,
+ flowScope.consumerURL, flowScope.requestId, flowScope.requestIssuer)"
+ result="flowScope.rpResponse"/>
+ <transition to="formResponseView" />
+ </action-state>
+
+ <!-- normal exit point for login -->
+ <!-- browser redirection (self-submitted form 'samlsigninresponseform.jsp') -->
+ <end-state id="formResponseView" view="samlsigninresponseform">
+ <on-entry>
+ <evaluate expression="flowScope.consumerURL" result="requestScope.samlAction" />
+ <evaluate expression="flowScope.RelayState" result="requestScope.relayState" />
+ <evaluate expression="flowScope.rpResponse" result="requestScope.samlResponse" />
+ </on-entry>
+ </end-state>
+
+ <action-state id="processTrustedIdpProtocol">
+ <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext, flowScope.home_realm)"
+ result="flowScope.remoteIdpUrl"/>
+ <transition to="redirectToTrustedIDP" />
+ <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+ </action-state>
+
+ <!-- abnormal exit point -->
+ <decision-state id="viewBadRequest">
+ <on-entry>
+ <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
+ result="requestScope.samlAction"/>
+ </on-entry>
+ <!-- See if we managed to at least parse the request to get the response URL -->
+ <if test="requestScope.samlAction == null or requestScope.samlAction.isEmpty()"
+ then="viewBadRequestParsingError" else="viewBadRequestResponse"/>
+ </decision-state>
+
+ <end-state id="viewBadRequestResponse" view="samlsigninresponseform">
+ <on-entry>
+ <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
+ result="requestScope.samlAction"/>
+ <evaluate expression="authnRequestParser.retrieveRequestId(flowRequestContext)"
+ result="flowScope.requestId"/>
+ <evaluate expression="flowScope.RelayState" result="requestScope.relayState" />
+ <evaluate expression="samlResponseErrorCreator.createSAMLResponse(flowRequestContext, true, flowScope.idpConfig,
+ flowScope.requestId)"
+ result="requestScope.samlResponse"/>
+ </on-entry>
+ </end-state>
+
+ <!-- abnormal exit point : Http 400 Bad Request -->
+ <end-state id="viewBadRequestParsingError" view="genericerror">
+ <on-entry>
+ <evaluate
+ expression="externalContext.nativeResponse.setStatus(400,'Error parsing SAML Request')" />
+ <set name="requestScope.reason" value="'Error parsing SAML Request'" />
+ </on-entry>
+ </end-state>
+
+ <!-- abnormal exit point : Http 500 Internal Server Error -->
+ <end-state id="scInternalServerError" view="genericerror">
+ <on-entry>
+ <evaluate
+ expression="externalContext.nativeResponse.setStatus(500,'IDP is unavailable, please contact the administrator')" />
+ <set name="requestScope.reason"
+ value="'IDP is unavailable, please contact the administrator'" />
+ <set name="requestScope.stateException"
+ value="flowScope.stateException" />
+ <set name="requestScope.rootCauseException"
+ value="flowScope.rootCauseException" />
+ </on-entry>
+ </end-state>
+
+ <end-state id="redirectToLocalIDP" view="externalRedirect:#{flowScope.localIdpUrl}">
+ <on-entry>
+ <evaluate expression="localRedirectCreator.createRedirectURL(flowRequestContext, flowScope.idpConfig)"
+ result="flowScope.localIdpUrl"/>
+ </on-entry>
+ </end-state>
+
+ <!-- redirect to remote idp -->
+ <end-state id="redirectToTrustedIDP" view="externalRedirect:#{flowScope.remoteIdpUrl}" />
+
+</flow>