You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2016/02/25 18:40:23 UTC
[1/3] cxf-fediz git commit: Adding initial OIDC test web app
Repository: cxf-fediz
Updated Branches:
refs/heads/master 6a91675ef -> 785104b79
Adding initial OIDC test web app
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/423f68fb
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/423f68fb
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/423f68fb
Branch: refs/heads/master
Commit: 423f68fbc6ce6e777202f276e8bebc86bb4cbc8c
Parents: 6a91675
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Feb 25 16:12:14 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Feb 25 16:12:14 2016 +0000
----------------------------------------------------------------------
systests/federation/oidc/pom.xml | 28 ++++-
.../cxf/fediz/integrationtests/OIDCTest.java | 35 +++---
.../oidc/src/test/resources/cxf-service.xml | 120 ++++++++++++++++++
.../oidc/src/test/resources/entities-realma.xml | 13 +-
.../src/test/resources/fediz_config_oidc.xml | 2 +-
.../oidc/src/test/resources/realmb.cert | 3 -
systests/federation/oidcIdpWebapp/pom.xml | 83 +++++++++++++
.../fediz/oidc/idp/example/BasicAuthFilter.java | 122 +++++++++++++++++++
.../oidc/idp/example/CommonCallbackHandler.java | 50 ++++++++
.../example/EHCacheRefreshTokenProvider.java | 53 ++++++++
.../oidc/idp/example/IdTokenProviderImpl.java | 50 ++++++++
.../src/main/resources/clienttrust.jks | Bin 0 -> 1512 bytes
.../src/main/resources/log4j.properties | 17 +++
.../src/main/resources/logging.properties | 52 ++++++++
.../src/main/resources/stsKeystoreB.properties | 6 +
.../src/main/resources/stsrealm_b.jks | Bin 0 -> 2062 bytes
.../main/webapp/WEB-INF/applicationContext.xml | 47 +++++++
.../src/main/webapp/WEB-INF/cxf-service.xml | 120 ++++++++++++++++++
.../src/main/webapp/WEB-INF/web.xml | 48 ++++++++
.../oidcIdpWebapp/src/main/webapp/index.html | 25 ++++
.../src/main/webapp/secure/test.html | 25 ++++
21 files changed, 864 insertions(+), 35 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidc/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/pom.xml b/systests/federation/oidc/pom.xml
index 7d11584..7ff6bd8 100644
--- a/systests/federation/oidc/pom.xml
+++ b/systests/federation/oidc/pom.xml
@@ -127,7 +127,7 @@
<configuration>
<portNames>
<portName>idp.https.port</portName>
- <portName>idp.samlsso.https.port</portName>
+ <portName>idp.oidc.https.port</portName>
<portName>rp.https.port</portName>
</portNames>
</configuration>
@@ -164,11 +164,11 @@
</artifactItem>
<artifactItem>
<groupId>org.apache.cxf.fediz.systests.federation</groupId>
- <artifactId>fediz-systests-federation-samlIdpWebapp</artifactId>
+ <artifactId>fediz-systests-federation-oidcIdpWebapp</artifactId>
<version>${project.version}</version>
<type>war</type>
<overWrite>true</overWrite>
- <outputDirectory>target/tomcat/idpsamlsso/webapps/idpsaml</outputDirectory>
+ <outputDirectory>target/tomcat/idpoidc/webapps/idpoidc</outputDirectory>
</artifactItem>
<artifactItem>
<groupId>org.apache.cxf.fediz.systests.webapps</groupId>
@@ -229,7 +229,25 @@
<directory>${basedir}/src/test/resources</directory>
<includes>
<include>entities-realma.xml</include>
- <include>realmb.cert</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-entities-to-oidc-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idpoidc/webapps/idpoidc/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources</directory>
+ <includes>
+ <include>cxf-service.xml</include>
</includes>
<filtering>true</filtering>
</resource>
@@ -253,7 +271,7 @@
<systemPropertyVariables>
<wt.headless>true</wt.headless>
<idp.https.port>${idp.https.port}</idp.https.port>
- <idp.samlsso.https.port>${idp.samlsso.https.port}</idp.samlsso.https.port>
+ <idp.oidc.https.port>${idp.oidc.https.port}</idp.oidc.https.port>
<rp.https.port>${rp.https.port}</rp.https.port>
</systemPropertyVariables>
<includes>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidc/src/test/java/org/apache/cxf/fediz/integrationtests/OIDCTest.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/java/org/apache/cxf/fediz/integrationtests/OIDCTest.java b/systests/federation/oidc/src/test/java/org/apache/cxf/fediz/integrationtests/OIDCTest.java
index b0f370b..6053355 100644
--- a/systests/federation/oidc/src/test/java/org/apache/cxf/fediz/integrationtests/OIDCTest.java
+++ b/systests/federation/oidc/src/test/java/org/apache/cxf/fediz/integrationtests/OIDCTest.java
@@ -60,11 +60,11 @@ import org.junit.Test;
public class OIDCTest {
static String idpHttpsPort;
- static String idpSamlSSOHttpsPort;
+ static String idpOIDCHttpsPort;
static String rpHttpsPort;
private static Tomcat idpServer;
- private static Tomcat idpSamlSSOServer;
+ private static Tomcat idpOIDCServer;
private static Tomcat rpServer;
@BeforeClass
@@ -79,15 +79,14 @@ public class OIDCTest {
System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
idpHttpsPort = System.getProperty("idp.https.port");
- idpHttpsPort = "12111";
Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
- idpSamlSSOHttpsPort = System.getProperty("idp.samlsso.https.port");
- Assert.assertNotNull("Property 'idp.samlsso.https.port' null", idpSamlSSOHttpsPort);
+ idpOIDCHttpsPort = System.getProperty("idp.oidc.https.port");
+ Assert.assertNotNull("Property 'idp.oidc.https.port' null", idpOIDCHttpsPort);
rpHttpsPort = System.getProperty("rp.https.port");
Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
initIdp();
- initSamlSSOIdp();
+ initOIDCIdp();
initRp();
}
@@ -127,19 +126,19 @@ public class OIDCTest {
}
}
- private static void initSamlSSOIdp() {
+ private static void initOIDCIdp() {
try {
- idpSamlSSOServer = new Tomcat();
- idpSamlSSOServer.setPort(0);
+ idpOIDCServer = new Tomcat();
+ idpOIDCServer.setPort(0);
String currentDir = new File(".").getCanonicalPath();
- idpSamlSSOServer.setBaseDir(currentDir + File.separator + "target");
+ idpOIDCServer.setBaseDir(currentDir + File.separator + "target");
- idpSamlSSOServer.getHost().setAppBase("tomcat/idpsamlsso/webapps");
- idpSamlSSOServer.getHost().setAutoDeploy(true);
- idpSamlSSOServer.getHost().setDeployOnStartup(true);
+ idpOIDCServer.getHost().setAppBase("tomcat/idpoidc/webapps");
+ idpOIDCServer.getHost().setAutoDeploy(true);
+ idpOIDCServer.getHost().setDeployOnStartup(true);
Connector httpsConnector = new Connector();
- httpsConnector.setPort(Integer.parseInt(idpSamlSSOHttpsPort));
+ httpsConnector.setPort(Integer.parseInt(idpOIDCHttpsPort));
httpsConnector.setSecure(true);
httpsConnector.setScheme("https");
//httpsConnector.setAttribute("keyAlias", keyAlias);
@@ -152,11 +151,11 @@ public class OIDCTest {
httpsConnector.setAttribute("sslProtocol", "TLS");
httpsConnector.setAttribute("SSLEnabled", true);
- idpSamlSSOServer.getService().addConnector(httpsConnector);
+ idpOIDCServer.getService().addConnector(httpsConnector);
- idpSamlSSOServer.addWebapp("/idp", "idpsaml");
+ idpOIDCServer.addWebapp("/idp", "idpoidc");
- idpSamlSSOServer.start();
+ idpOIDCServer.start();
} catch (Exception e) {
e.printStackTrace();
}
@@ -258,7 +257,7 @@ public class OIDCTest {
String password = "ECILA";
final String bodyTextContent =
- login(url, user, password, idpSamlSSOHttpsPort, idpHttpsPort, false);
+ login(url, user, password, idpOIDCHttpsPort, idpHttpsPort, false);
Assert.assertTrue("Principal not alice",
bodyTextContent.contains("userPrincipal=alice"));
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidc/src/test/resources/cxf-service.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/cxf-service.xml b/systests/federation/oidc/src/test/resources/cxf-service.xml
new file mode 100644
index 0000000..4201a96
--- /dev/null
+++ b/systests/federation/oidc/src/test/resources/cxf-service.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://cxf.apache.org/core
+ http://cxf.apache.org/schemas/core.xsd
+ http://cxf.apache.org/configuration/security
+ http://cxf.apache.org/schemas/configuration/security.xsd
+ http://cxf.apache.org/jaxws
+ http://cxf.apache.org/schemas/jaxws.xsd
+ http://cxf.apache.org/jaxrs
+ http://cxf.apache.org/schemas/jaxrs.xsd
+ http://cxf.apache.org/transports/http/configuration
+ http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <import resource="classpath:META-INF/cxf/cxf.xml" />
+
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+ <!--cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus-->
+
+ <bean id="callbackHandler" class="org.apache.cxf.fediz.oidc.idp.example.CommonCallbackHandler"/>
+ <bean id="basicAuthFilter" class="org.apache.cxf.fediz.oidc.idp.example.BasicAuthFilter">
+ <property name="callbackHandler" ref="callbackHandler"/>
+ </bean>
+
+ <bean id="client" class="org.apache.cxf.rs.security.oauth2.common.Client">
+ <constructor-arg><value>consumer-id</value></constructor-arg>
+ <constructor-arg><value>this-is-a-secret</value></constructor-arg>
+ <constructor-arg><value>true</value></constructor-arg>
+ <property name="redirectUris">
+ <util:list value-type="java.lang.String">
+ <value>https://localhost:${idp.https.port}/fediz-idp/federation</value>
+ </util:list>
+ </property>
+ <property name="allowedGrantTypes">
+ <util:list value-type="java.lang.String">
+ <value>authorization_code</value>
+ </util:list>
+ </property>
+ <property name="registeredScopes">
+ <util:list value-type="java.lang.String">
+ <value>openid</value>
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheRefreshTokenProvider">
+ <property name="client" ref="client"/>
+ </bean>
+
+ <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <bean id="idTokenProviderImpl" class="org.apache.cxf.fediz.oidc.idp.example.IdTokenProviderImpl"/>
+
+ <bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter">
+ <property name="idTokenProvider" ref="idTokenProviderImpl"/>
+ </bean>
+
+ <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="responseFilter" ref="idTokenFilter"/>
+ </bean>
+
+ <bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>
+
+ <jaxrs:server address="/services">
+ <jaxrs:serviceBeans>
+ <ref bean="authorizationService"/>
+ <ref bean="tokenService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="jackson"/>
+ <ref bean="basicAuthFilter"/>
+ </jaxrs:providers>
+ <jaxrs:properties>
+ <entry key="rs.security.keystore.type" value="jks" />
+ <entry key="rs.security.keystore.alias" value="realmb"/>
+ <entry key="rs.security.key.password" value="realmb"/>
+ <entry key="rs.security.keystore.file" value="stsKeystoreB.properties" />
+ <entry key="rs.security.signature.algorithm" value="RS256" />
+ </jaxrs:properties>
+ </jaxrs:server>
+
+</beans>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidc/src/test/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/entities-realma.xml b/systests/federation/oidc/src/test/resources/entities-realma.xml
index 43c36ef..851ef50 100644
--- a/systests/federation/oidc/src/test/resources/entities-realma.xml
+++ b/systests/federation/oidc/src/test/resources/entities-realma.xml
@@ -33,10 +33,8 @@
<property name="useCurrentIdp" value="true" />
<property name="certificate" value="stsKeystoreA.properties" />
<property name="certificatePassword" value="realma" />
- <!-- <property name="stsUrl" value="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA" />
- <property name="idpUrl" value="https://localhost:${idp.https.port}/fediz-idp/federation" />-->
- <property name="stsUrl" value="https://localhost:12111/fediz-idp-sts/REALMA" />
- <property name="idpUrl" value="https://localhost:12111/fediz-idp/federation" />
+ <property name="stsUrl" value="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA" />
+ <property name="idpUrl" value="https://localhost:${idp.https.port}/fediz-idp/federation" />
<property name="rpSingleSignOutConfirmation" value="true"/>
<property name="supportedProtocols">
<util:list>
@@ -89,8 +87,7 @@
class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
<property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
<property name="cacheTokens" value="true" />
- <!-- <property name="url" value="https://localhost:${idp.samlsso.https.port}/idp/samlsso?binding=REDIRECT" />-->
- <property name="url" value="http://localhost:8080/auth/realms/realmb/protocol/openid-connect/auth" />
+ <property name="url" value="https://localhost:${idp.oidc.https.port}/idp/services/authorize" />
<property name="certificate" value="realmb.cert" />
<property name="trustType" value="PEER_TRUST" />
<property name="protocol" value="openid-connect-1.0" />
@@ -100,8 +97,8 @@
<property name="parameters">
<util:map>
<entry key="client.id" value="consumer-id"/>
- <entry key="client.secret" value="90d5da25-e900-443f-a5d5-feb3bb060800"/>
- <entry key="token.endpoint" value="http://localhost:8080/auth/realms/realmb/protocol/openid-connect/token"/>
+ <entry key="client.secret" value="this-is-a-secret"/>
+ <entry key="token.endpoint" value="https://localhost:${idp.oidc.https.port}/idp/services/token"/>
</util:map>
</property>
</bean>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidc/src/test/resources/fediz_config_oidc.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/fediz_config_oidc.xml b/systests/federation/oidc/src/test/resources/fediz_config_oidc.xml
index fecec20..7bd3cb7 100644
--- a/systests/federation/oidc/src/test/resources/fediz_config_oidc.xml
+++ b/systests/federation/oidc/src/test/resources/fediz_config_oidc.xml
@@ -39,7 +39,7 @@
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="federationProtocolType" version="1.0.0">
<realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
- <issuer>https://localhost:12111/fediz-idp/federation</issuer>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
<roleDelimiter>,</roleDelimiter>
<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
<freshness>10</freshness>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidc/src/test/resources/realmb.cert
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/realmb.cert b/systests/federation/oidc/src/test/resources/realmb.cert
deleted file mode 100644
index 9bba7ad..0000000
--- a/systests/federation/oidc/src/test/resources/realmb.cert
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICmzCCAYMCBgFSnXNZEjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZyZWFsbWIwHhcNMTYwMjAxMTUyNzA4WhcNMjYwMjAxMTUyODQ4WjARMQ8wDQYDVQQDDAZyZWFsbWIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9pVG5cEMbRwtl/JqY4pTSgGmYSlltpbDSbFrUHBG4z5KUGxBD1qnHYAOqY2IMUzGnqbRQhQSjU7Zd/Ko//p41PVsZQnHWQLHgJerzBFyWAmgBZthX0lMYtdBLylj9Wl2mgHK8Cgy/AWO0zq+RG7qTeB7UKBLthRXX07ERnEJEcSRPCnc7Rzf2hopKa9oZPFlwDlS7nYDwkpFLua78XeF6vlrhQB9EymM1v6moB8rWGwf+aED+QLUSSAvbBZqsXD1vxFngmpYG3ABEWsUepgsKOlVmnyZtSV85V9AeSWYwzMLEd/huvoTMYNZHY1HykigWJAhJJ6dNzsm+dUdg1KsTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHW3Dufv7r+hMKjy3qf0x24OEtfqmcNiRqR+2t1I22PbclSxTsdWue17E9cxXPi6gLV/eiZ+Wl7fnnB+yJBeQv/HZYVeQKHL/aYZKVJZi+vprExn1n3clHqZqgrxfYJBNW24KEHw6Ag2v3/81PzHQV0VGclcngUc3s8BvJ2x+tUMUVmyKXmW++CZBZePuN+ozk0xfzTnyW85P6qkrOooSKL/JrSrHi8/VM+hYvHS4RQioIzur0UhGs+9mPVRdMmQ66BOT3FCw7WsoynI+/U/Q9bJyP7puZLD/ftpbM+SUKhAZnBYNvKo8rui8TkU9VA/RCpkHGWnA9utjRa60MH20us=
------END CERTIFICATE-----
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/pom.xml b/systests/federation/oidcIdpWebapp/pom.xml
new file mode 100644
index 0000000..989391c
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/pom.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-federation</artifactId>
+ <version>1.3.0-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+ <groupId>org.apache.cxf.fediz.systests.federation</groupId>
+ <artifactId>fediz-systests-federation-oidcIdpWebapp</artifactId>
+ <name>Apache Fediz Federation Systests OpenId Connect Mock Idp Webapp</name>
+ <packaging>war</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ <version>${servlet.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-lang3</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-frontend-jaxrs</artifactId>
+ <version>${cxf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-rs-security-sso-oidc</artifactId>
+ <version>${cxf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-web</artifactId>
+ <version>${spring.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>${slf4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.fasterxml.jackson.jaxrs</groupId>
+ <artifactId>jackson-jaxrs-json-provider</artifactId>
+ <version>2.6.5</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-ws-security</artifactId>
+ <version>${cxf.version}</version>
+ </dependency>
+
+ </dependencies>
+ <build>
+ <!-- Name of the generated WAR file -->
+ <finalName>oidcidp</finalName>
+ </build>
+</project>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
new file mode 100644
index 0000000..6c64fbe
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
@@ -0,0 +1,122 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.oidc.idp.example;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.core.Response;
+
+import org.w3c.dom.Document;
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.UsernameTokenValidator;
+
+/**
+ * A simple filter to validate a Basic Auth username/password via a CallbackHandler
+ */
+public class BasicAuthFilter implements ContainerRequestFilter {
+
+ static {
+ WSSConfig.init();
+ }
+
+ private CallbackHandler callbackHandler;
+
+ public void filter(ContainerRequestContext requestContext) throws IOException {
+ Message message = JAXRSUtils.getCurrentMessage();
+ AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
+
+ if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
+ requestContext.abortWith(
+ Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
+ return;
+ }
+
+ try {
+ UsernameToken token = convertPolicyToToken(policy);
+ Credential credential = new Credential();
+ credential.setUsernametoken(token);
+
+ RequestData data = new RequestData();
+ data.setMsgContext(message);
+ data.setCallbackHandler(callbackHandler);
+ UsernameTokenValidator validator = new UsernameTokenValidator();
+ credential = validator.validate(credential, data);
+
+ // Create a Principal/SecurityContext
+ Principal p = null;
+ if (credential != null && credential.getPrincipal() != null) {
+ p = credential.getPrincipal();
+ } else {
+ p = new WSUsernameTokenPrincipalImpl(policy.getUserName(), false);
+ ((WSUsernameTokenPrincipalImpl)p).setPassword(policy.getPassword());
+ }
+ message.put(SecurityContext.class, createSecurityContext(p));
+ } catch (Exception ex) {
+ requestContext.abortWith(
+ Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
+ }
+ }
+
+ protected UsernameToken convertPolicyToToken(AuthorizationPolicy policy)
+ throws Exception {
+
+ Document doc = DOMUtils.createDocument();
+ UsernameToken token = new UsernameToken(false, doc,
+ WSConstants.PASSWORD_TEXT);
+ token.setName(policy.getUserName());
+ token.setPassword(policy.getPassword());
+ return token;
+ }
+
+ protected SecurityContext createSecurityContext(final Principal p) {
+ return new SecurityContext() {
+
+ public Principal getUserPrincipal() {
+ return p;
+ }
+
+ public boolean isUserInRole(String arg0) {
+ return false;
+ }
+ };
+ }
+
+ public CallbackHandler getCallbackHandler() {
+ return callbackHandler;
+ }
+
+ public void setCallbackHandler(CallbackHandler callbackHandler) {
+ this.callbackHandler = callbackHandler;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/CommonCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/CommonCallbackHandler.java b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/CommonCallbackHandler.java
new file mode 100644
index 0000000..b1d9527
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/CommonCallbackHandler.java
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.oidc.idp.example;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+
+public class CommonCallbackHandler implements CallbackHandler {
+
+ public void handle(Callback[] callbacks) throws IOException,
+ UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof WSPasswordCallback) { // CXF
+ WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
+ if ("ALICE".equals(pc.getIdentifier())) {
+ pc.setPassword("ECILA");
+ break;
+ } else if ("realmb".equals(pc.getIdentifier())) {
+ pc.setPassword("realmb");
+ break;
+ } else if (pc.getIdentifier() != null
+ && pc.getIdentifier().startsWith("consumer-id")) {
+ pc.setPassword("this-is-a-secret");
+ break;
+ }
+ }
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
new file mode 100644
index 0000000..43c72d6
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.oidc.idp.example;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+
+/**
+ * Extend the DefaultEHCacheCodeDataProvider to allow OpenId
+ */
+public class EHCacheRefreshTokenProvider extends DefaultEHCacheCodeDataProvider {
+
+ @Override
+ public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScopes) {
+ if (requestedScopes.isEmpty()) {
+ return Collections.emptyList();
+ }
+
+ List<OAuthPermission> permissions = new ArrayList<>();
+ for (String requestedScope : requestedScopes) {
+ if ("openid".equals(requestedScope)) {
+ OAuthPermission permission = new OAuthPermission("openid", "Authenticate user");
+ permissions.add(permission);
+ } else {
+ throw new OAuthServiceException("invalid_scope");
+ }
+ }
+
+ return permissions;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
new file mode 100644
index 0000000..52f8fa8
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.oidc.idp.example;
+
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
+import org.apache.cxf.rs.security.oidc.idp.IdTokenProvider;
+
+public class IdTokenProviderImpl implements IdTokenProvider {
+
+ public IdTokenProviderImpl() {
+
+ }
+
+ @Override
+ public IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<String> scopes) {
+ IdToken token = new IdToken();
+
+ Calendar cal = Calendar.getInstance();
+ cal.add(Calendar.SECOND, 60);
+ token.setExpiryTime(cal.getTimeInMillis() / 1000L);
+ token.setIssuedAt(new Date().getTime() / 1000L);
+ token.setAudience(clientId);
+ token.setSubject(authenticatedUser.getLogin());
+ token.setIssuer("OIDC IdP");
+
+ return token;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks b/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks
new file mode 100644
index 0000000..c3ad459
Binary files /dev/null and b/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/resources/log4j.properties b/systests/federation/oidcIdpWebapp/src/main/resources/log4j.properties
new file mode 100644
index 0000000..5fc56e3
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/resources/log4j.properties
@@ -0,0 +1,17 @@
+# Set root category priority to INFO and its only appender to CONSOLE.
+log4j.rootCategory=FATAL, CONSOLE
+#log4j.rootCategory=DEBUG, CONSOLE
+
+# CONSOLE is set to be a ConsoleAppender using a PatternLayout.
+log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
+log4j.appender.CONSOLE.Threshold=DEBUG
+log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
+log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n
+
+# LOGFILE is set to be a File appender using a PatternLayout.
+log4j.appender.LOGFILE=org.apache.log4j.FileAppender
+log4j.appender.LOGFILE.File=target/wss4j.log
+log4j.appender.LOGFILE.Append=false
+log4j.appender.LOGFILE.Threshold=DEBUG
+log4j.appender.LOGFILE.layout=org.apache.log4j.PatternLayout
+log4j.appender.LOGFILE.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/resources/logging.properties
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/resources/logging.properties b/systests/federation/oidcIdpWebapp/src/main/resources/logging.properties
new file mode 100644
index 0000000..20617fe
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/resources/logging.properties
@@ -0,0 +1,52 @@
+############################################################
+# Default Logging Configuration File
+#
+# You can use a different file by specifying a filename
+# with the java.util.logging.config.file system property.
+# For example java -Djava.util.logging.config.file=myfile
+############################################################
+
+############################################################
+# Global properties
+############################################################
+
+# "handlers" specifies a comma separated list of log Handler
+# classes. These handlers will be installed during VM startup.
+# Note that these classes must be on the system classpath.
+# By default we only configure a ConsoleHandler, which will only
+# show messages at the WARNING and above levels.
+handlers= java.util.logging.ConsoleHandler
+#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler
+
+# Default global logging level.
+# This specifies which kinds of events are logged across
+# all loggers. For any given facility this global level
+# can be overridden by a facility specific level
+# Note that the ConsoleHandler also has a separate level
+# setting to limit messages printed to the console.
+.level= INFO
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+# default file output is in user's home directory.
+java.util.logging.FileHandler.pattern = %h/java%u.log
+java.util.logging.FileHandler.limit = 50000
+java.util.logging.FileHandler.count = 1
+java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
+
+# Limit the message that are printed on the console to WARNING and above.
+java.util.logging.ConsoleHandler.level = WARNING
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#com.xyz.foo.level = SEVERE
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties b/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
new file mode 100644
index 0000000..16f4a3c
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
@@ -0,0 +1,6 @@
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=storepass
+org.apache.ws.security.crypto.merlin.keystore.alias=realmb
+org.apache.ws.security.crypto.merlin.keystore.file=stsrealm_b.jks
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/resources/stsrealm_b.jks
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/resources/stsrealm_b.jks b/systests/federation/oidcIdpWebapp/src/main/resources/stsrealm_b.jks
new file mode 100644
index 0000000..83fd045
Binary files /dev/null and b/systests/federation/oidcIdpWebapp/src/main/resources/stsrealm_b.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/applicationContext.xml b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/applicationContext.xml
new file mode 100644
index 0000000..7d277ae
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/applicationContext.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans
+ xmlns="http://www.springframework.org/schema/beans"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:test="http://apache.org/hello_world_soap_http"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://cxf.apache.org/core
+ http://cxf.apache.org/schemas/core.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+ http://cxf.apache.org/jaxws
+ http://cxf.apache.org/schemas/jaxws.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <import resource="classpath:META-INF/cxf/cxf.xml"/>
+ <import resource="cxf-service.xml"/>
+
+ <!--cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus-->
+
+</beans>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
new file mode 100644
index 0000000..4201a96
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://cxf.apache.org/core
+ http://cxf.apache.org/schemas/core.xsd
+ http://cxf.apache.org/configuration/security
+ http://cxf.apache.org/schemas/configuration/security.xsd
+ http://cxf.apache.org/jaxws
+ http://cxf.apache.org/schemas/jaxws.xsd
+ http://cxf.apache.org/jaxrs
+ http://cxf.apache.org/schemas/jaxrs.xsd
+ http://cxf.apache.org/transports/http/configuration
+ http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <import resource="classpath:META-INF/cxf/cxf.xml" />
+
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+ <!--cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus-->
+
+ <bean id="callbackHandler" class="org.apache.cxf.fediz.oidc.idp.example.CommonCallbackHandler"/>
+ <bean id="basicAuthFilter" class="org.apache.cxf.fediz.oidc.idp.example.BasicAuthFilter">
+ <property name="callbackHandler" ref="callbackHandler"/>
+ </bean>
+
+ <bean id="client" class="org.apache.cxf.rs.security.oauth2.common.Client">
+ <constructor-arg><value>consumer-id</value></constructor-arg>
+ <constructor-arg><value>this-is-a-secret</value></constructor-arg>
+ <constructor-arg><value>true</value></constructor-arg>
+ <property name="redirectUris">
+ <util:list value-type="java.lang.String">
+ <value>https://localhost:${idp.https.port}/fediz-idp/federation</value>
+ </util:list>
+ </property>
+ <property name="allowedGrantTypes">
+ <util:list value-type="java.lang.String">
+ <value>authorization_code</value>
+ </util:list>
+ </property>
+ <property name="registeredScopes">
+ <util:list value-type="java.lang.String">
+ <value>openid</value>
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheRefreshTokenProvider">
+ <property name="client" ref="client"/>
+ </bean>
+
+ <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <bean id="idTokenProviderImpl" class="org.apache.cxf.fediz.oidc.idp.example.IdTokenProviderImpl"/>
+
+ <bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter">
+ <property name="idTokenProvider" ref="idTokenProviderImpl"/>
+ </bean>
+
+ <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="responseFilter" ref="idTokenFilter"/>
+ </bean>
+
+ <bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>
+
+ <jaxrs:server address="/services">
+ <jaxrs:serviceBeans>
+ <ref bean="authorizationService"/>
+ <ref bean="tokenService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="jackson"/>
+ <ref bean="basicAuthFilter"/>
+ </jaxrs:providers>
+ <jaxrs:properties>
+ <entry key="rs.security.keystore.type" value="jks" />
+ <entry key="rs.security.keystore.alias" value="realmb"/>
+ <entry key="rs.security.key.password" value="realmb"/>
+ <entry key="rs.security.keystore.file" value="stsKeystoreB.properties" />
+ <entry key="rs.security.signature.algorithm" value="RS256" />
+ </jaxrs:properties>
+ </jaxrs:server>
+
+</beans>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/web.xml b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 0000000..b024222
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+ http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0" metadata-complete="true">
+
+ <description>OpenId Connect Mock IdP</description>
+ <display-name>OpenId Connect Mock IdP</display-name>
+
+ <context-param>
+ <param-name>contextConfigLocation</param-name>
+ <param-value>WEB-INF/applicationContext.xml</param-value>
+ </context-param>
+
+ <listener>
+ <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+ </listener>
+
+ <servlet>
+ <servlet-name>OIDCIdpServlet</servlet-name>
+ <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name>OIDCIdpServlet</servlet-name>
+ <url-pattern>/*</url-pattern>
+ </servlet-mapping>
+
+</web-app>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/webapp/index.html
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/index.html b/systests/federation/oidcIdpWebapp/src/main/webapp/index.html
new file mode 100644
index 0000000..a9dbdaa
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/webapp/index.html
@@ -0,0 +1,25 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML><HEAD><TITLE>WS Federation Tomcat Examples</TITLE>
+<META http-equiv=Content-Type content="text/html">
+</HEAD>
+<BODY>
+<P>
+<H3>Hello World</H3>
+<P></P>
+</BODY></HTML>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/423f68fb/systests/federation/oidcIdpWebapp/src/main/webapp/secure/test.html
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/secure/test.html b/systests/federation/oidcIdpWebapp/src/main/webapp/secure/test.html
new file mode 100644
index 0000000..9cf7366
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/webapp/secure/test.html
@@ -0,0 +1,25 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML><HEAD><TITLE>WS Federation Tomcat Examples</TITLE>
+<META http-equiv=Content-Type content="text/html">
+</HEAD>
+<BODY>
+<P>
+<H3>Secure Test</H3>
+<P></P>
+</BODY></HTML>
[3/3] cxf-fediz git commit: Got OIDC system test working using a
browser
Posted by co...@apache.org.
Got OIDC system test working using a browser
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/785104b7
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/785104b7
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/785104b7
Branch: refs/heads/master
Commit: 785104b796e706851a80c51d1999fcbc291b2e99
Parents: ed9727c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Feb 25 17:39:59 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Feb 25 17:39:59 2016 +0000
----------------------------------------------------------------------
.../oidc/src/test/resources/cxf-service.xml | 17 ++-
.../fediz/oidc/idp/example/BasicAuthFilter.java | 1 +
.../idp/example/EHCacheOIDCTokenProvider.java | 53 ++++++++
.../example/EHCacheRefreshTokenProvider.java | 53 --------
.../oidc/idp/example/IdTokenProviderImpl.java | 5 +-
.../src/main/resources/clienttrust.jks | Bin 1512 -> 0 bytes
.../src/main/resources/stsKeystoreB.properties | 6 -
.../src/main/webapp/WEB-INF/cxf-service.xml | 17 ++-
.../WEB-INF/views/oAuthAuthorizationData.jsp | 133 +++++++++++++++++++
systests/federation/pom.xml | 1 +
10 files changed, 218 insertions(+), 68 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidc/src/test/resources/cxf-service.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/cxf-service.xml b/systests/federation/oidc/src/test/resources/cxf-service.xml
index 4201a96..acc0a9a 100644
--- a/systests/federation/oidc/src/test/resources/cxf-service.xml
+++ b/systests/federation/oidc/src/test/resources/cxf-service.xml
@@ -77,7 +77,7 @@
</property>
</bean>
- <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheRefreshTokenProvider">
+ <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheOIDCTokenProvider">
<property name="client" ref="client"/>
</bean>
@@ -96,22 +96,31 @@
<property name="responseFilter" ref="idTokenFilter"/>
</bean>
- <bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>
+ <bean id="oauthJSONProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
+ <bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
+ <property name="useClassNames" value="true"/>
+ <property name="locationPrefix" value="/WEB-INF/views/"/>
+ <property name="beanName" value="data"/>
+ <property name="dispatcherName" value="jsp"/>
+ </bean>
+
<jaxrs:server address="/services">
<jaxrs:serviceBeans>
<ref bean="authorizationService"/>
<ref bean="tokenService"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
- <ref bean="jackson"/>
+ <ref bean="oauthJSONProvider"/>
<ref bean="basicAuthFilter"/>
+ <ref bean="viewProvider"/>
</jaxrs:providers>
<jaxrs:properties>
<entry key="rs.security.keystore.type" value="jks" />
<entry key="rs.security.keystore.alias" value="realmb"/>
<entry key="rs.security.key.password" value="realmb"/>
- <entry key="rs.security.keystore.file" value="stsKeystoreB.properties" />
+ <entry key="rs.security.keystore.password" value="storepass"/>
+ <entry key="rs.security.keystore.file" value="stsrealm_b.jks" />
<entry key="rs.security.signature.algorithm" value="RS256" />
</jaxrs:properties>
</jaxrs:server>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
index a85c8c9..7a4e48e 100644
--- a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
@@ -42,6 +42,7 @@ public class BasicAuthFilter extends WSS4JBasicAuthValidator implements Containe
if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
requestContext.abortWith(
Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
+ return;
}
try {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheOIDCTokenProvider.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheOIDCTokenProvider.java b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheOIDCTokenProvider.java
new file mode 100644
index 0000000..2dfb7de
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheOIDCTokenProvider.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.oidc.idp.example;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+
+/**
+ * Extend the DefaultEHCacheCodeDataProvider to allow OpenId
+ */
+public class EHCacheOIDCTokenProvider extends DefaultEHCacheCodeDataProvider {
+
+ @Override
+ public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScopes) {
+ if (requestedScopes.isEmpty()) {
+ return Collections.emptyList();
+ }
+
+ List<OAuthPermission> permissions = new ArrayList<>();
+ for (String requestedScope : requestedScopes) {
+ if ("openid".equals(requestedScope)) {
+ OAuthPermission permission = new OAuthPermission("openid", "Authenticate user");
+ permissions.add(permission);
+ } else {
+ throw new OAuthServiceException("invalid_scope");
+ }
+ }
+
+ return permissions;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
deleted file mode 100644
index 43c72d6..0000000
--- a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.oidc.idp.example;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
-import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-
-/**
- * Extend the DefaultEHCacheCodeDataProvider to allow OpenId
- */
-public class EHCacheRefreshTokenProvider extends DefaultEHCacheCodeDataProvider {
-
- @Override
- public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScopes) {
- if (requestedScopes.isEmpty()) {
- return Collections.emptyList();
- }
-
- List<OAuthPermission> permissions = new ArrayList<>();
- for (String requestedScope : requestedScopes) {
- if ("openid".equals(requestedScope)) {
- OAuthPermission permission = new OAuthPermission("openid", "Authenticate user");
- permissions.add(permission);
- } else {
- throw new OAuthServiceException("invalid_scope");
- }
- }
-
- return permissions;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
index 52f8fa8..a6d1684 100644
--- a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
@@ -21,6 +21,7 @@ package org.apache.cxf.fediz.oidc.idp.example;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
+import java.util.UUID;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oidc.common.IdToken;
@@ -41,7 +42,9 @@ public class IdTokenProviderImpl implements IdTokenProvider {
token.setExpiryTime(cal.getTimeInMillis() / 1000L);
token.setIssuedAt(new Date().getTime() / 1000L);
token.setAudience(clientId);
- token.setSubject(authenticatedUser.getLogin());
+ token.setTokenId(UUID.randomUUID().toString());
+ token.setSubject(authenticatedUser.getLogin().toLowerCase());
+ token.setClaim("preferred_username", authenticatedUser.getLogin().toLowerCase());
token.setIssuer("OIDC IdP");
return token;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks b/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks
deleted file mode 100644
index c3ad459..0000000
Binary files a/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties b/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
deleted file mode 100644
index 16f4a3c..0000000
--- a/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
+++ /dev/null
@@ -1,6 +0,0 @@
-org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
-org.apache.ws.security.crypto.merlin.keystore.type=jks
-org.apache.ws.security.crypto.merlin.keystore.password=storepass
-org.apache.ws.security.crypto.merlin.keystore.alias=realmb
-org.apache.ws.security.crypto.merlin.keystore.file=stsrealm_b.jks
-
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
index 4201a96..acc0a9a 100644
--- a/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
+++ b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
@@ -77,7 +77,7 @@
</property>
</bean>
- <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheRefreshTokenProvider">
+ <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheOIDCTokenProvider">
<property name="client" ref="client"/>
</bean>
@@ -96,22 +96,31 @@
<property name="responseFilter" ref="idTokenFilter"/>
</bean>
- <bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>
+ <bean id="oauthJSONProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
+ <bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
+ <property name="useClassNames" value="true"/>
+ <property name="locationPrefix" value="/WEB-INF/views/"/>
+ <property name="beanName" value="data"/>
+ <property name="dispatcherName" value="jsp"/>
+ </bean>
+
<jaxrs:server address="/services">
<jaxrs:serviceBeans>
<ref bean="authorizationService"/>
<ref bean="tokenService"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
- <ref bean="jackson"/>
+ <ref bean="oauthJSONProvider"/>
<ref bean="basicAuthFilter"/>
+ <ref bean="viewProvider"/>
</jaxrs:providers>
<jaxrs:properties>
<entry key="rs.security.keystore.type" value="jks" />
<entry key="rs.security.keystore.alias" value="realmb"/>
<entry key="rs.security.key.password" value="realmb"/>
- <entry key="rs.security.keystore.file" value="stsKeystoreB.properties" />
+ <entry key="rs.security.keystore.password" value="storepass"/>
+ <entry key="rs.security.keystore.file" value="stsrealm_b.jks" />
<entry key="rs.security.signature.algorithm" value="RS256" />
</jaxrs:properties>
</jaxrs:server>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
new file mode 100644
index 0000000..1a71624
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
@@ -0,0 +1,133 @@
+<%@ page import="javax.servlet.http.HttpServletRequest" %>
+<%@ page import="java.util.List" %>
+<%@ page import="org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData" %>
+<%@ page import="org.apache.cxf.rs.security.oauth2.common.OAuthPermission" %>
+
+
+<%
+ OAuthAuthorizationData data = (OAuthAuthorizationData)request.getAttribute("data");
+ List<String> authorizedScopes = data.getAlreadyAuthorizedPermissionsAsStrings();
+%>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+ <title>Third Party Authorization Form</title>
+ <STYLE TYPE="text/css">
+ <!--
+ input,button {font-family:verdana, arial, helvetica, sans-serif;font-size:20px;line-height:40px;}
+ -->
+</STYLE>
+</head>
+<body>
+<h1 align="center">Third Party Authorization Form</h1>
+<table align="center">
+ <tr align="center">
+ <td>
+
+ <form action="<%= data.getReplyTo() %>" method="POST">
+
+ <input type="hidden" name="client_id"
+ value="<%= data.getClientId() %>"/>
+ <%
+ if (data.getState() != null) {
+ %>
+ <input type="hidden" name="state"
+ value="<%= data.getState() %>"/>
+ <%
+ }
+ %>
+ <%
+ if (data.getClientCodeChallenge() != null) {
+ %>
+ <input type="hidden" name="code_challenge"
+ value="<%= data.getClientCodeChallenge() %>"/>
+ <%
+ }
+ %>
+ <%
+ if (data.getNonce() != null) {
+ %>
+ <input type="hidden" name="nonce"
+ value="<%= data.getNonce() %>"/>
+ <%
+ }
+ %>
+ <input type="hidden" name="scope"
+ value="<%= data.getProposedScope() %>"/>
+ <input type="hidden" name="response_type"
+ value="<%= data.getResponseType() %>"/>
+
+ <%
+ if (data.getRedirectUri() != null) {
+ %>
+ <input type="hidden" name="redirect_uri"
+ value="<%= data.getRedirectUri() %>"/>
+ <%
+ }
+ %>
+ <input type="hidden"
+ name="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+ .SESSION_AUTHENTICITY_TOKEN %>"
+ value="<%= data.getAuthenticityToken() %>"/>
+ <%
+ if (data.getApplicationLogoUri() != null) {
+ %>
+ <img src="<%= data.getApplicationLogoUri() %>" alt="Application Logo" width="100" height="100">
+ <%
+ }
+ %>
+
+ <h2>Would you like to grant <%= data.getApplicationName() %><br />the following permissions:</h2>
+
+ <table>
+ <%
+ for (OAuthPermission perm : data.getAllPermissions()) {
+ %>
+ <tr>
+ <td>
+ <input type="checkbox"
+ <%
+ if (perm.isDefault() || authorizedScopes.contains(perm.getPermission())) {
+ %>
+ disabled="disabled"
+ <%
+ }
+ %>
+ checked="checked"
+ name="<%= perm.getPermission()%>_status"
+ value="allow"
+ ><big><big><%= perm.getDescription() %></big></big></input>
+ <%
+ if (perm.isDefault()) {
+ %>
+ <input type="hidden" name="<%= perm.getPermission()%>_status" value="allow" />
+ <%
+ }
+ %>
+ </td>
+ </tr>
+ <%
+ }
+ %>
+ </table>
+ <br/></p>
+ <button name="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+ .AUTHORIZATION_DECISION_KEY %>"
+ type="submit"
+ value="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+ .AUTHORIZATION_DECISION_ALLOW %>">
+ OK
+ </button>
+ <button name="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+ .AUTHORIZATION_DECISION_KEY %>"
+ type="submit"
+ value="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+ .AUTHORIZATION_DECISION_DENY %>">
+ No,thanks
+ </button>
+ </form>
+ </td>
+ </tr>
+ </table>
+
+</body>
+</html>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/pom.xml b/systests/federation/pom.xml
index 28e830b..7190b07 100644
--- a/systests/federation/pom.xml
+++ b/systests/federation/pom.xml
@@ -32,6 +32,7 @@
<modules>
<module>samlIdpWebapp</module>
+ <module>oidcIdpWebapp</module>
<module>samlsso</module>
<module>wsfed</module>
</modules>
[2/3] cxf-fediz git commit: Minor changes
Posted by co...@apache.org.
Minor changes
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ed9727cc
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ed9727cc
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ed9727cc
Branch: refs/heads/master
Commit: ed9727cc34a57974a9ef3f5533c1e076d150b7d2
Parents: 423f68f
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Feb 25 16:32:33 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Feb 25 16:32:33 2016 +0000
----------------------------------------------------------------------
systests/federation/oidc/pom.xml | 8 --
.../fediz/oidc/idp/example/BasicAuthFilter.java | 82 ++------------------
.../src/main/webapp/secure/test.html | 25 ------
.../src/main/webapp/secure/test.html | 25 ------
4 files changed, 7 insertions(+), 133 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ed9727cc/systests/federation/oidc/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/pom.xml b/systests/federation/oidc/pom.xml
index 7ff6bd8..aadb529 100644
--- a/systests/federation/oidc/pom.xml
+++ b/systests/federation/oidc/pom.xml
@@ -178,14 +178,6 @@
<overWrite>true</overWrite>
<outputDirectory>target/tomcat/rp/webapps/simpleWebapp</outputDirectory>
</artifactItem>
- <artifactItem>
- <groupId>org.apache.cxf.fediz.systests.webapps</groupId>
- <artifactId>fediz-systests-webapps-simple</artifactId>
- <version>${project.version}</version>
- <type>war</type>
- <overWrite>true</overWrite>
- <outputDirectory>target/tomcat/rp/webapps/simpleWebapp2</outputDirectory>
- </artifactItem>
</artifactItems>
<outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
<overWriteSnapshots>true</overWriteSnapshots>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ed9727cc/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
index 6c64fbe..a85c8c9 100644
--- a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
@@ -19,38 +19,22 @@
package org.apache.cxf.fediz.oidc.idp.example;
import java.io.IOException;
-import java.security.Principal;
-import javax.security.auth.callback.CallbackHandler;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
-import org.w3c.dom.Document;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
-import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
-import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.dom.engine.WSSConfig;
-import org.apache.wss4j.dom.handler.RequestData;
-import org.apache.wss4j.dom.message.token.UsernameToken;
-import org.apache.wss4j.dom.validate.Credential;
-import org.apache.wss4j.dom.validate.UsernameTokenValidator;
+import org.apache.cxf.rt.security.saml.interceptor.WSS4JBasicAuthValidator;
/**
- * A simple filter to validate a Basic Auth username/password via a CallbackHandler
+ * Extends the WSS4J validator as a JAX-RS request filter
*/
-public class BasicAuthFilter implements ContainerRequestFilter {
-
- static {
- WSSConfig.init();
- }
+public class BasicAuthFilter extends WSS4JBasicAuthValidator implements ContainerRequestFilter {
- private CallbackHandler callbackHandler;
-
public void filter(ContainerRequestContext requestContext) throws IOException {
Message message = JAXRSUtils.getCurrentMessage();
AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
@@ -58,65 +42,13 @@ public class BasicAuthFilter implements ContainerRequestFilter {
if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
requestContext.abortWith(
Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
- return;
}
try {
- UsernameToken token = convertPolicyToToken(policy);
- Credential credential = new Credential();
- credential.setUsernametoken(token);
-
- RequestData data = new RequestData();
- data.setMsgContext(message);
- data.setCallbackHandler(callbackHandler);
- UsernameTokenValidator validator = new UsernameTokenValidator();
- credential = validator.validate(credential, data);
-
- // Create a Principal/SecurityContext
- Principal p = null;
- if (credential != null && credential.getPrincipal() != null) {
- p = credential.getPrincipal();
- } else {
- p = new WSUsernameTokenPrincipalImpl(policy.getUserName(), false);
- ((WSUsernameTokenPrincipalImpl)p).setPassword(policy.getPassword());
- }
- message.put(SecurityContext.class, createSecurityContext(p));
+ super.validate(message);
} catch (Exception ex) {
- requestContext.abortWith(
- Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
+ throw ExceptionUtils.toInternalServerErrorException(ex, null);
}
}
- protected UsernameToken convertPolicyToToken(AuthorizationPolicy policy)
- throws Exception {
-
- Document doc = DOMUtils.createDocument();
- UsernameToken token = new UsernameToken(false, doc,
- WSConstants.PASSWORD_TEXT);
- token.setName(policy.getUserName());
- token.setPassword(policy.getPassword());
- return token;
- }
-
- protected SecurityContext createSecurityContext(final Principal p) {
- return new SecurityContext() {
-
- public Principal getUserPrincipal() {
- return p;
- }
-
- public boolean isUserInRole(String arg0) {
- return false;
- }
- };
- }
-
- public CallbackHandler getCallbackHandler() {
- return callbackHandler;
- }
-
- public void setCallbackHandler(CallbackHandler callbackHandler) {
- this.callbackHandler = callbackHandler;
- }
-
-}
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ed9727cc/systests/federation/oidcIdpWebapp/src/main/webapp/secure/test.html
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/secure/test.html b/systests/federation/oidcIdpWebapp/src/main/webapp/secure/test.html
deleted file mode 100644
index 9cf7366..0000000
--- a/systests/federation/oidcIdpWebapp/src/main/webapp/secure/test.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
-<HTML><HEAD><TITLE>WS Federation Tomcat Examples</TITLE>
-<META http-equiv=Content-Type content="text/html">
-</HEAD>
-<BODY>
-<P>
-<H3>Secure Test</H3>
-<P></P>
-</BODY></HTML>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ed9727cc/systests/federation/samlIdpWebapp/src/main/webapp/secure/test.html
----------------------------------------------------------------------
diff --git a/systests/federation/samlIdpWebapp/src/main/webapp/secure/test.html b/systests/federation/samlIdpWebapp/src/main/webapp/secure/test.html
deleted file mode 100644
index 9cf7366..0000000
--- a/systests/federation/samlIdpWebapp/src/main/webapp/secure/test.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
-<HTML><HEAD><TITLE>WS Federation Tomcat Examples</TITLE>
-<META http-equiv=Content-Type content="text/html">
-</HEAD>
-<BODY>
-<P>
-<H3>Secure Test</H3>
-<P></P>
-</BODY></HTML>