Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/09 16:11:27 UTC
cxf-fediz git commit: [FEDIZ-23] - Added in client cert to the
security-config.xml
Repository: cxf-fediz
Updated Branches:
refs/heads/master 8fc324cb9 -> 9d7cdcde3
[FEDIZ-23] - Added in client cert to the security-config.xml
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9d7cdcde
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9d7cdcde
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9d7cdcde
Branch: refs/heads/master
Commit: 9d7cdcde31ebde94be0f5fd2bbd848a63231e1e5
Parents: 8fc324c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Apr 9 15:11:07 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Apr 9 15:11:07 2015 +0100
----------------------------------------------------------------------
.../idp/src/main/resources/entities-realma.xml | 6 +
.../idp/src/main/resources/entities-realmb.xml | 6 +
.../main/webapp/WEB-INF/idp-config-realma.xml | 6 +
.../main/webapp/WEB-INF/idp-config-realmb.xml | 6 +
.../idp/src/main/webapp/WEB-INF/idp-servlet.xml | 2 +
.../src/main/webapp/WEB-INF/security-config.xml | 32 +++++
services/idp/src/main/webapp/WEB-INF/web.xml | 5 +
.../idp/integrationtests/RestITTest.java | 2 +-
.../service/idp/service/jpa/IdpDAOJPATest.java | 2 +-
systests/clientcert/pom.xml | 20 ---
.../integrationtests/HOKCallbackHandler.java | 48 +++++++
.../src/test/resources/fediz_config.xml | 2 +
.../src/test/resources/idp/idp-servlet.xml | 137 -------------------
.../src/test/resources/idp/security-config.xml | 103 --------------
systests/kerberos/pom.xml | 19 ---
.../src/test/resources/fediz_config.xml | 1 +
.../src/test/resources/idp/security-config.xml | 116 ----------------
17 files changed, 116 insertions(+), 397 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realma.xml b/services/idp/src/main/resources/entities-realma.xml
index f8e1f5b..e28aa52 100644
--- a/services/idp/src/main/resources/entities-realma.xml
+++ b/services/idp/src/main/resources/entities-realma.xml
@@ -53,6 +53,12 @@
<property name="authenticationURIs">
<util:map>
<entry key="default" value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"
+ value="federation/krb" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+ value="federation/clientcert" />
</util:map>
</property>
<property name="serviceDisplayName" value="REALM A" />
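Review bot: The three `authntypes` entries added to this map carry no comment, so nothing tells a maintainer that the same block is repeated verbatim in entities-realmb.xml, idp-config-realma.xml and idp-config-realmb.xml, nor that the values (`federation/krb`, `federation/clientcert`, `federation/up`) appear to need a matching `webflow:flow-location` id in idp-servlet.xml and a matching `security:http` pattern in security-config.xml. A one-line comment above the map would capture that, e.g. `<!-- wauth URI -> IdP login flow id; keep in sync with idp-servlet.xml, security-config.xml and the other realm configs -->`. It is also worth stating in that comment that both the bare `default` key and the `.../authntypes/default` URI intentionally resolve to `federation/up`, since the duplication otherwise reads like an oversight.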
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/resources/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml
index 3f17472..152ff52 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -52,6 +52,12 @@
<property name="authenticationURIs">
<util:map>
<entry key="default" value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"
+ value="federation/krb" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+ value="federation/clientcert" />
</util:map>
</property>
<property name="serviceDisplayName" value="REALM B" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
index 9d61326..0faf1fe 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
@@ -75,6 +75,12 @@
<property name="authenticationURIs">
<util:map>
<entry key="default" value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"
+ value="federation/krb" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+ value="federation/clientcert" />
</util:map>
</property>
<property name="trustedIDPs">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
index 830dc78..00faa08 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
@@ -74,6 +74,12 @@
<property name="authenticationURIs">
<util:map>
<entry key="default" value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"
+ value="federation/krb" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+ value="federation/clientcert" />
</util:map>
</property>
<property name="serviceDisplayName" value="REALM B" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
index 691f7bb..a7bc370 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
@@ -79,6 +79,8 @@
path="/WEB-INF/federation-validate-request.xml" id="federation/up" />
<webflow:flow-location
path="/WEB-INF/federation-validate-request.xml" id="federation/krb" />
+ <webflow:flow-location
+ path="/WEB-INF/federation-validate-request.xml" id="federation/clientcert" />
<webflow:flow-location path="/WEB-INF/federation-signin-request.xml"
id="signinRequest" />
<webflow:flow-location path="/WEB-INF/federation-signin-response.xml"
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index c70ccfb..a3413bb 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -21,6 +21,7 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
@@ -28,6 +29,8 @@
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd
">
<context:property-placeholder location="classpath:realm.properties"/>
@@ -106,10 +109,21 @@
<security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
<security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
</security:http>
+
+ <!-- SSL Client Cert entry point -->
+ <security:http pattern="/federation/clientcert" use-expressions="true">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+
+ <security:x509 />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
<security:authentication-manager alias="authenticationManagers">
<security:authentication-provider ref="stsUPAuthProvider" />
<security:authentication-provider ref="stsKrbAuthProvider" />
+ <security:authentication-provider ref="stsClientCertAuthProvider" />
</security:authentication-manager>
<bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
@@ -147,4 +161,22 @@
<property name="requireDelegation" value="true"/>-->
</bean>
+ <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsClientCertAuthProvider" />
+ </bean>
+
+ <util:map id="securityProperties">
+ <entry key="ws-security.username" value="idp-user" />
+ <entry key="ws-security.password" value="idp-pass" />
+ </util:map>
+
+ <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
+ <property name="wsdlEndpoint" value="TransportUT_Port"/>
+ <property name="wsdlService" value="SecurityTokenService"/>
+ <property name="appliesTo" value="urn:fediz:idp"/>
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+ <property name="properties" ref="securityProperties"/>
+ </bean>
+
</beans>
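Review bot: The new `securityProperties` map hard-codes the STS credentials `idp-user`/`idp-pass` into the IdP webapp's own security-config.xml, even though this file already resolves `${realm.STS_URI}` through the `classpath:realm.properties` placeholder declared near the top of the file; the two entries should be externalised the same way, e.g. `<entry key="ws-security.password" value="${realm.STS_PASSWORD}" />` (property name constructed). Before this commit that map existed only in the systest copies of security-config.xml being deleted, so this is the first time the credentials ship inside WEB-INF. Separately, the `/federation/clientcert` `security:http` block only declares an `intercept-url` for the FederationMetadata document; if the `/federation/up` and `/federation/krb` blocks above (largely outside the hunk) protect their own path with `isAuthenticated()`, the new block should mirror that so `<security:x509 />` is actually enforced for the flow endpoint.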
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/web.xml b/services/idp/src/main/webapp/WEB-INF/web.xml
index 21ea9ab..b22a0db 100644
--- a/services/idp/src/main/webapp/WEB-INF/web.xml
+++ b/services/idp/src/main/webapp/WEB-INF/web.xml
@@ -91,6 +91,11 @@ under the License.
</servlet-mapping>
<servlet-mapping>
+ <servlet-name>idp</servlet-name>
+ <url-pattern>/federation/clientcert</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
<servlet-name>metadata</servlet-name>
<url-pattern>/FederationMetadata/2007-06/FederationMetadata.xml</url-pattern>
</servlet-mapping>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java
----------------------------------------------------------------------
diff --git a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java
index 51c3118..6931633 100644
--- a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java
+++ b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java
@@ -108,7 +108,7 @@ public class RestITTest {
Assert.assertTrue("ProvideIDPList doesn't match", idp.isProvideIdpList());
Assert.assertTrue("UseCurrentIDP doesn't match", idp.isUseCurrentIdp());
Assert.assertEquals("Number of AuthenticationURIs doesn't match",
- 1, idp.getAuthenticationURIs().size());
+ 4, idp.getAuthenticationURIs().size());
Assert.assertEquals("Number of SupportedProtocols doesn't match",
2, idp.getSupportedProtocols().size());
Assert.assertEquals("Number of TokenTypesOffered doesn't match",
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java
----------------------------------------------------------------------
diff --git a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java
index 1b2d775..a624725 100644
--- a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java
+++ b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java
@@ -92,7 +92,7 @@ public class IdpDAOJPATest {
"ProvideIDPList doesn't match");
Assert.isTrue(idp.isUseCurrentIdp(),
"UseCurrentIDP doesn't match");
- Assert.isTrue(1 == idp.getAuthenticationURIs().size(),
+ Assert.isTrue(4 == idp.getAuthenticationURIs().size(),
"Number of AuthenticationURIs doesn't match");
Assert.isTrue(2 == idp.getSupportedProtocols().size(),
"Number of SupportedProtocols doesn't match");
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/pom.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/pom.xml b/systests/clientcert/pom.xml
index b526d9f..48d691d 100644
--- a/systests/clientcert/pom.xml
+++ b/systests/clientcert/pom.xml
@@ -200,26 +200,6 @@
<version>2.7</version>
<executions>
<execution>
- <id>copy-entities-to-idp</id>
- <phase>generate-test-sources</phase>
- <goals>
- <goal>copy-resources</goal>
- </goals>
- <configuration>
- <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF</outputDirectory>
- <resources>
- <resource>
- <directory>${basedir}/src/test/resources/idp</directory>
- <includes>
- <include>security-config.xml</include>
- <include>idp-servlet.xml</include>
- </includes>
- <filtering>true</filtering>
- </resource>
- </resources>
- </configuration>
- </execution>
- <execution>
<id>copy-entities-to-sts</id>
<phase>generate-test-sources</phase>
<goals>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
new file mode 100644
index 0000000..e2f402c
--- /dev/null
+++ b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.cxf.fediz.core.spi.WReqCallback;
+
+public class HOKCallbackHandler implements CallbackHandler {
+
+ static final String HOK_WREQ =
+ "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+ + "<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</KeyType>"
+ + "</RequestSecurityToken>";
+
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof WReqCallback) {
+ WReqCallback callback = (WReqCallback) callbacks[i];
+ callback.setWreq(HOK_WREQ);
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+ }
+ }
+ }
+
+}
\ No newline at end of file
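Review bot: `HOKCallbackHandler` has no class Javadoc, so a reader of the systest must infer from `HOK_WREQ` that it asks the IdP for a holder-of-key token by supplying a `RequestSecurityToken` with the ws-trust `PublicKey` `KeyType` through `WReqCallback`; a short Javadoc stating that, and that any other callback type is rejected with `UnsupportedCallbackException`, would make the test's intent explicit. The index loop in `handle` would read more simply as an enhanced-for: `for (Callback cb : callbacks) {`. The file is also missing its trailing newline.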
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/resources/fediz_config.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/fediz_config.xml b/systests/clientcert/src/test/resources/fediz_config.xml
index 1f20ab6..5add553 100644
--- a/systests/clientcert/src/test/resources/fediz_config.xml
+++ b/systests/clientcert/src/test/resources/fediz_config.xml
@@ -35,6 +35,8 @@
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
</claimTypesRequested>
+ <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType>
+ <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request>
</protocol>
<logoutURL>/secure/logout</logoutURL>
<logoutRedirectTo>/index.html</logoutRedirectTo>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/resources/idp/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/idp/idp-servlet.xml b/systests/clientcert/src/test/resources/idp/idp-servlet.xml
deleted file mode 100644
index c09f3e3..0000000
--- a/systests/clientcert/src/test/resources/idp/idp-servlet.xml
+++ /dev/null
@@ -1,137 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:webflow="http://www.springframework.org/schema/webflow-config"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:context="http://www.springframework.org/schema/context"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context-3.1.xsd
- http://www.springframework.org/schema/webflow-config
- http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
-
- <context:property-placeholder location="classpath:realm.properties" />
-
- <context:component-scan base-package="org.apache.cxf.fediz.service.idp.beans" />
-
- <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
- p:flowRegistry-ref="flowRegistry" p:order="2">
- </bean>
-
- <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter"
- p:flowExecutor-ref="flowExecutor" />
-
- <webflow:flow-executor id="flowExecutor"
- flow-registry="flowRegistry">
- <webflow:flow-execution-attributes>
- <webflow:always-redirect-on-pause
- value="false" />
- </webflow:flow-execution-attributes>
-
- <webflow:flow-execution-listeners>
- <webflow:listener ref="securityFlowExecutionListener" />
- </webflow:flow-execution-listeners>
- </webflow:flow-executor>
-
- <bean id="securityFlowExecutionListener"
- class="org.springframework.webflow.security.SecurityFlowExecutionListener">
- <property name="accessDecisionManager" ref="accessDecisionManager" />
- </bean>
-
- <bean id="accessDecisionManager"
- class="org.springframework.security.access.vote.AffirmativeBased">
- <property name="decisionVoters">
- <list>
- <bean
- class="org.springframework.security.access.vote.RoleVoter">
- <property name="rolePrefix" value="ROLE_" />
- </bean>
- <bean
- class="org.springframework.security.access.vote.AuthenticatedVoter" />
- </list>
- </property>
- </bean>
-
- <webflow:flow-registry id="flowRegistry"
- flow-builder-services="builder">
- <webflow:flow-location
- path="/WEB-INF/federation-validate-request.xml" id="federation" />
- <webflow:flow-location
- path="/WEB-INF/federation-validate-request.xml" id="federation/up" />
- <webflow:flow-location path="/WEB-INF/federation-signin-request.xml"
- id="signinRequest" />
- <webflow:flow-location path="/WEB-INF/federation-signin-response.xml"
- id="signinResponse" />
- </webflow:flow-registry>
-
- <webflow:flow-builder-services id="builder"
- view-factory-creator="viewFactoryCreator" expression-parser="expressionParser" />
-
- <bean id="expressionParser"
- class="org.springframework.webflow.expression.WebFlowOgnlExpressionParser" />
-
- <bean id="viewFactoryCreator"
- class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
- <property name="viewResolvers">
- <list>
- <ref local="viewResolver" />
- </list>
- </property>
- </bean>
-
- <bean id="viewResolver"
- class="org.springframework.web.servlet.view.InternalResourceViewResolver">
- <property name="prefix" value="/WEB-INF/" />
- <property name="suffix" value=".jsp" />
- </bean>
-
- <bean id="stsClientForRpAction"
- class="org.apache.cxf.fediz.service.idp.beans.STSClientAction">
- <property name="wsdlLocation"
- value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransport?wsdl" />
- <property name="wsdlEndpoint" value="Transport_Port" />
- <property name="tokenType"
- value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
- <property name="keyType"
- value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey" />
- </bean>
-
- <bean id="signInParamCacheAction"
- class="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" />
-
- <bean id="logoutAction" class="org.apache.cxf.fediz.service.idp.beans.LogoutAction" />
-
- <bean id="wfreshParser" class="org.apache.cxf.fediz.service.idp.beans.WfreshParser" />
-
- <bean id="cacheTokenForWauthAction"
- class="org.apache.cxf.fediz.service.idp.beans.CacheTokenForWauthAction" />
-
- <bean id="processHRDSExpressionAction"
- class="org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction" />
-
- <bean id="homeRealmReminder"
- class="org.apache.cxf.fediz.service.idp.beans.HomeRealmReminder" />
-
- <bean id="trustedIdpProtocolAction"
- class="org.apache.cxf.fediz.service.idp.beans.TrustedIdpProtocolAction" />
-
-</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/resources/idp/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/idp/security-config.xml b/systests/clientcert/src/test/resources/idp/security-config.xml
deleted file mode 100644
index 15767c8..0000000
--- a/systests/clientcert/src/test/resources/idp/security-config.xml
+++ /dev/null
@@ -1,103 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:security="http://www.springframework.org/schema/security"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xsi:schemaLocation="
- http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context-3.1.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.1.xsd
- http://www.springframework.org/schema/util
- http://www.springframework.org/schema/util/spring-util-2.0.xsd
- ">
-
- <context:property-placeholder location="classpath:realm.properties"/>
-
- <!-- DISABLE in production as it might log confidential information about the user -->
- <!-- <security:debug /> -->
-
- <!-- Configure Spring Security -->
-
- <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
- <!-- The user has no role during the login phase of WS-Federation -->
- <security:global-method-security pre-post-annotations="enabled"/>
-
- <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
- <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
- <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
- <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
- <security:http-basic />
- </security:http>
-
- <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
-
- <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
-
- <security:authentication-manager id="restAuthenticationManager">
- <security:authentication-provider>
- <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
- <!-- <security:password-encoder hash="sha-256" base64="true" />-->
- <!--
- <security:password-encoder hash="sha-256" base64="true">
- <security:salt-source user-property="username"/>
- </security:password-encoder>
- -->
- <security:user-service properties="classpath:/users.properties" />
- </security:authentication-provider>
- <security:authentication-provider ref="stsAuthProvider" />
- </security:authentication-manager>
-
- <security:http use-expressions="true">
- <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
- <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
- <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
-
- <security:x509 />
- <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
- </security:http>
-
- <security:authentication-manager>
- <security:authentication-provider ref="stsAuthProvider" />
- </security:authentication-manager>
-
- <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
-
- <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
-
- <util:map id="securityProperties">
- <entry key="ws-security.username" value="idp-user" />
- <entry key="ws-security.password" value="idp-pass" />
- </util:map>
-
- <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
- <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
- <property name="wsdlEndpoint" value="TransportUT_Port"/>
- <property name="wsdlService" value="SecurityTokenService"/>
- <property name="appliesTo" value="urn:fediz:idp"/>
- <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
- <property name="properties" ref="securityProperties"/>
- </bean>
-
-</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/kerberos/pom.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/pom.xml b/systests/kerberos/pom.xml
index 606a2dc..d7c8ce7 100644
--- a/systests/kerberos/pom.xml
+++ b/systests/kerberos/pom.xml
@@ -289,25 +289,6 @@
<version>2.7</version>
<executions>
<execution>
- <id>copy-entities-to-idp</id>
- <phase>generate-test-sources</phase>
- <goals>
- <goal>copy-resources</goal>
- </goals>
- <configuration>
- <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF</outputDirectory>
- <resources>
- <resource>
- <directory>${basedir}/src/test/resources/idp</directory>
- <includes>
- <include>security-config.xml</include>
- </includes>
- <filtering>true</filtering>
- </resource>
- </resources>
- </configuration>
- </execution>
- <execution>
<id>copy-entities-to-sts</id>
<phase>generate-test-sources</phase>
<goals>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/kerberos/src/test/resources/fediz_config.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/fediz_config.xml b/systests/kerberos/src/test/resources/fediz_config.xml
index 1f20ab6..244b5b7 100644
--- a/systests/kerberos/src/test/resources/fediz_config.xml
+++ b/systests/kerberos/src/test/resources/fediz_config.xml
@@ -35,6 +35,7 @@
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
</claimTypesRequested>
+ <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey</authenticationType>
</protocol>
<logoutURL>/secure/logout</logoutURL>
<logoutRedirectTo>/index.html</logoutRedirectTo>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/kerberos/src/test/resources/idp/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/idp/security-config.xml b/systests/kerberos/src/test/resources/idp/security-config.xml
deleted file mode 100644
index 4fe3da2..0000000
--- a/systests/kerberos/src/test/resources/idp/security-config.xml
+++ /dev/null
@@ -1,116 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:security="http://www.springframework.org/schema/security"
- xmlns:context="http://www.springframework.org/schema/context"
- xsi:schemaLocation="
- http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context-3.1.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-
- <context:property-placeholder location="classpath:realm.properties"/>
-
- <!-- DISABLE in production as it might log confidential information about the user -->
- <!-- <security:debug /> -->
-
- <!-- Configure Spring Security -->
- <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
- <!-- The user has no role during the login phase of WS-Federation -->
- <security:global-method-security pre-post-annotations="enabled"/>
-
- <security:http pattern="/services/rs/**" auto-config="false" use-expressions="true" entry-point-ref="kerberosEntryPoint">
- <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
- <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
- <security:intercept-url pattern="/**" access="isAuthenticated()"/>
- <!--<security:http-basic />-->
- <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
- </security:http>
-
- <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
-
- <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
-
- <bean id="spnegoAuthenticationProcessingFilter"
- class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
- <property name="authenticationManager" ref="restAuthenticationManager" />
- </bean>
-
- <security:authentication-manager id="restAuthenticationManager">
- <security:authentication-provider>
- <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
- <!-- <security:password-encoder hash="sha-256" base64="true" />-->
- <!--
- <security:password-encoder hash="sha-256" base64="true">
- <security:salt-source user-property="username"/>
- </security:password-encoder>
- -->
- <security:user-service properties="classpath:/users.properties" />
- </security:authentication-provider>
- <security:authentication-provider ref="stsAuthProvider" />
- </security:authentication-manager>
-
- <security:http use-expressions="true" entry-point-ref="kerberosEntryPoint">
- <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
- <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
- <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
-
- <!-- <security:form-login login-page="/federation/login"/>
- <security:http-basic />-->
- <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
- </security:http>
-
- <bean id="kerberosEntryPoint"
- class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
-
- <bean id="kerberosAuthenticationProcessingFilter"
- class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
- <property name="authenticationManager" ref="authenticationManager" />
- </bean>
-
- <security:authentication-manager alias="authenticationManager">
- <security:authentication-provider ref="stsAuthProvider" />
- </security:authentication-manager>
-
- <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
-
- <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
-
- <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
- <property name="contextName" value="bob"/>
- <property name="serviceName" value="bob@service.ws.apache.org"/>
- </bean>-->
-
- <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
- <!--<property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
- <property name="wsdlEndpoint" value="TransportUT_Port"/> -->
- <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
- <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
- <property name="wsdlService" value="SecurityTokenService"/>
- <property name="appliesTo" value="urn:fediz:idp"/>
- <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
- <!--<property name="kerberosTokenValidator" ref="kerberosTokenValidator"/>
- <property name="requireDelegation" value="true"/>-->
- </bean>
-
-</beans>