Posted to commits@cxf.apache.org by co...@apache.org on 2016/11/07 13:01:01 UTC
[3/3] cxf-fediz git commit: Added partially working SAML SSO
federation test
Added partially working SAML SSO federation test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/722b70f0
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/722b70f0
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/722b70f0
Branch: refs/heads/master
Commit: 722b70f02c08f75063d8b77ea0cd2159f88798ca
Parents: 9912e61
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Nov 7 12:10:51 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Nov 7 12:10:51 2016 +0000
----------------------------------------------------------------------
.../idp/beans/SigninParametersCacheAction.java | 13 +-
.../flows/federation-signin-response.xml | 1 +
.../WEB-INF/flows/saml-validate-request.xml | 2 +
systests/federation/pom.xml | 2 +
systests/federation/samlWebapp/pom.xml | 73 +++
.../fediz/samlsso/service/DoubleItService.java | 53 ++
.../service/KeystorePasswordCallback.java | 66 +++
.../cxf/fediz/samlsso/service/Number.java | 48 ++
.../src/main/resources/stsKeystoreA.properties | 6 +
.../src/main/resources/stsrealm_a.jks | Bin 0 -> 2061 bytes
.../samlWebapp/src/main/resources/ststrust.jks | Bin 0 -> 3908 bytes
.../src/main/webapp/WEB-INF/cxf-service.xml | 104 ++++
.../samlWebapp/src/main/webapp/WEB-INF/web.xml | 29 +
systests/federation/samlsso/pom.xml | 369 +++++++++++++
.../cxf/fediz/integrationtests/SAMLSSOTest.java | 304 +++++++++++
.../samlsso/src/test/resources/cxf-service.xml | 130 +++++
.../src/test/resources/fediz_config_wsfed.xml | 176 ++++++
.../test/resources/realma/entities-realma.xml | 529 +++++++++++++++++++
.../test/resources/realmb/entities-realmb.xml | 422 +++++++++++++++
.../src/test/resources/realmb/idp-servlet.xml | 40 ++
.../resources/realmb/persistence.properties | 15 +
.../src/test/resources/realmb/realm.properties | 6 +
.../test/resources/realmb/security-config.xml | 134 +++++
.../src/test/resources/rp/cxf-service.xml | 104 ++++
systests/federation/temp/pom.xml | 312 -----------
.../apache/cxf/fediz/systests/idp/IdpTest.java | 459 ----------------
.../temp/src/test/resources/logging.properties | 54 --
.../temp/src/test/resources/realma.cert | 15 -
.../test/resources/realma/entities-realma.xml | 525 ------------------
.../src/test/resources/realma/realm.properties | 5 -
.../test/resources/realmb/entities-realmb.xml | 422 ---------------
.../src/test/resources/realmb/idp-servlet.xml | 116 ----
.../resources/realmb/persistence.properties | 15 -
.../src/test/resources/realmb/realm.properties | 6 -
.../test/resources/realmb/security-config.xml | 108 ----
.../src/test/resources/stsKeystoreA.properties | 6 -
.../temp/src/test/resources/stsrealm_a.jks | Bin 2061 -> 0 bytes
.../test/resources/realma/entities-realma.xml | 4 +-
38 files changed, 2627 insertions(+), 2046 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 4b2b308..2ecb08e 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -70,6 +70,11 @@ public class SigninParametersCacheAction {
if (value != null) {
signinParams.put(FederationConstants.PARAM_CONTEXT, value);
}
+ // TODO
+ value = WebUtils.getAttributeFromFlowScope(context, "RelayState");
+ if (value != null) {
+ signinParams.put("RelayState", value);
+ }
value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
if (value != null) {
signinParams.put(IdpConstants.SAML_AUTHN_REQUEST, value);
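Review bot: The parameter name `"RelayState"` is a bare string literal here and again three times in the second hunk of this file, each marked only with `// TODO`, while the neighbouring keys go through `FederationConstants` and `IdpConstants`. Define it once, e.g. `private static final String RELAY_STATE = "RelayState";` on this class or a sibling of `IdpConstants.SAML_AUTHN_REQUEST`, and use it in all four places so the cache and restore sides cannot drift apart. The `// TODO` lines should say what is still to be done or be replaced by a comment such as `// RelayState is an opaque value supplied by the SP and is only echoed back; cache it with the request`. The enclosing methods start and end outside these hunks.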
@@ -121,7 +126,13 @@ public class SigninParametersCacheAction {
(SAMLAuthnRequest)signinParams.get(IdpConstants.SAML_AUTHN_REQUEST);
if (authnRequest != null) {
WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, authnRequest);
- }
+ }
+
+ // TODO
+ value = (String)signinParams.get("RelayState");
+ if (value != null) {
+ WebUtils.putAttributeInFlowScope(context, "RelayState", value);
+ }
LOG.debug("SignIn parameters restored: {}", signinParams.toString());
WebUtils.removeAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
index a71e6cd..d6e761d 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
@@ -65,6 +65,7 @@
<output name="wtrealm" value="flowScope.wtrealm" />
<output name="idpToken" value="flowScope.idpToken" />
<output name="saml_authn_request" value="flowScope.saml_authn_request" />
+ <output name="RelayState" value="flowScope.RelayState" />
</end-state>
<!-- abnormal exit point : Http 400 Bad Request -->
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index f03c985..b52d122 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -88,11 +88,13 @@
<output name="whr" />
<output name="idpToken" />
<output name="saml_authn_request" />
+ <output name="RelayState" />
<transition on="requestRpToken" to="requestRpToken">
<set name="flowScope.home_realm" value="currentEvent.attributes.whr" />
<set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
<set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
+ <set name="flowScope.RelayState" value="currentEvent.attributes.RelayState" />
</transition>
<transition on="viewBadRequest" to="viewBadRequest" />
<transition on="scInternalServerError" to="scInternalServerError" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/pom.xml b/systests/federation/pom.xml
index ca73553..aa32503 100644
--- a/systests/federation/pom.xml
+++ b/systests/federation/pom.xml
@@ -31,9 +31,11 @@
<packaging>pom</packaging>
<modules>
+ <module>samlWebapp</module>
<module>samlIdpWebapp</module>
<module>oidcIdpWebapp</module>
<module>wsfed</module>
+ <!--<module>samlsso</module>-->
</modules>
</project>
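Review bot: The commented-out `<!--<module>samlsso</module>-->` gives no reason for being disabled, so the next reader cannot tell whether it is broken, slow or merely unfinished. The commit message says the test is partially working; carry that into the file, e.g. `<!-- samlsso is disabled until the SAML SSO federation test passes reliably -->`, so the module is not silently forgotten.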
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlWebapp/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlWebapp/pom.xml b/systests/federation/samlWebapp/pom.xml
new file mode 100644
index 0000000..f25b29c
--- /dev/null
+++ b/systests/federation/samlWebapp/pom.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-federation</artifactId>
+ <version>1.3.2-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+ <groupId>org.apache.cxf.fediz.systests.federation</groupId>
+ <artifactId>fediz-systests-federation-samlWebapp</artifactId>
+ <name>Apache Fediz Federation Systests SAML SSO Mock Webapp</name>
+ <packaging>war</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ <version>${servlet.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-lang3</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-frontend-jaxrs</artifactId>
+ <version>${cxf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-rs-security-sso-saml</artifactId>
+ <version>${cxf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-web</artifactId>
+ <version>${spring.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>${slf4j.version}</version>
+ </dependency>
+
+ </dependencies>
+ <build>
+ <!-- Name of the generated WAR file -->
+ <finalName>samlssowebapp</finalName>
+ </build>
+</project>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/DoubleItService.java
----------------------------------------------------------------------
diff --git a/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/DoubleItService.java b/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/DoubleItService.java
new file mode 100644
index 0000000..ece78ce
--- /dev/null
+++ b/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/DoubleItService.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.samlsso.service;
+
+import javax.annotation.security.RolesAllowed;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+
+@Path("/services")
+public class DoubleItService {
+
+ @GET
+ @Produces("application/xml")
+ @Path("/{numberToDouble}/")
+ @RolesAllowed({ "User", "Admin", "Manager" })
+ public Number doubleIt(@PathParam("numberToDouble") int numberToDouble) {
+ Number newNumber = new Number();
+ newNumber.setDescription("This is the double number response");
+ newNumber.setNumber(numberToDouble * 2);
+ return newNumber;
+ }
+
+ @POST
+ @Produces("application/xml")
+ @Consumes("application/x-www-form-urlencoded")
+ @Path("/{numberToDouble}/")
+ @RolesAllowed({ "User", "Admin", "Manager" })
+ public Number doubleItPost(@PathParam("numberToDouble") int numberToDouble) {
+ return doubleIt(numberToDouble);
+ }
+
+}
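Review bot: `numberToDouble * 2` in `doubleIt` silently wraps for inputs above `Integer.MAX_VALUE / 2`, and since the value comes straight from the request path the service will return a negative "double" without any error. For a mock service this is tolerable, but `Math.multiplyExact(numberToDouble, 2)` makes the failure explicit instead of producing a wrong answer. The class also has no Javadoc; a one-line summary such as `/** JAX-RS mock service protected by the SAML SSO filter; doubles the path parameter for users in the User, Admin or Manager role. */` would tell a reader why `@RolesAllowed` is there.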
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/KeystorePasswordCallback.java
----------------------------------------------------------------------
diff --git a/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/KeystorePasswordCallback.java b/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/KeystorePasswordCallback.java
new file mode 100644
index 0000000..ef42da5
--- /dev/null
+++ b/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/KeystorePasswordCallback.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.samlsso.service;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+
+/**
+ * A CallbackHandler implementation for keystores.
+ */
+public class KeystorePasswordCallback implements CallbackHandler {
+
+ private Map<String, String> passwords =
+ new HashMap<String, String>();
+
+ public KeystorePasswordCallback() {
+ passwords.put("realma", "realma");
+ }
+
+ /**
+ * It attempts to get the password from the private
+ * alias/passwords map.
+ */
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
+ if (pc.getUsage() == WSPasswordCallback.PASSWORD_ENCRYPTOR_PASSWORD) {
+ pc.setPassword("this-is-a-secret");
+ } else {
+ String pass = passwords.get(pc.getIdentifier());
+ if (pass != null) {
+ pc.setPassword(pass);
+ return;
+ } else {
+ pc.setPassword("password");
+ }
+ }
+ }
+ }
+
+
+}
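Review bot: `handle` casts every entry of `callbacks` to `WSPasswordCallback` without checking, so any other callback type produces a `ClassCastException` instead of the `UnsupportedCallbackException` the method already declares for exactly that case. The `return` inside the `pass != null` branch also stops the loop after the first matched alias, so later callbacks in the same array are left without a password, while the other two branches keep going; unless that early exit is intentional, all entries should be handled uniformly. The hard-coded `"this-is-a-secret"` and `"password"` fallbacks are fine for a test fixture but deserve a comment saying so.
```java
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (Callback callback : callbacks) {
        if (!(callback instanceof WSPasswordCallback)) {
            throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
        }
        WSPasswordCallback pc = (WSPasswordCallback)callback;
        if (pc.getUsage() == WSPasswordCallback.PASSWORD_ENCRYPTOR_PASSWORD) {
            pc.setPassword("this-is-a-secret");
        } else {
            // Test fixture: fall back to a fixed password for unknown aliases
            String pass = passwords.get(pc.getIdentifier());
            pc.setPassword(pass != null ? pass : "password");
        }
    }
}
```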
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/Number.java
----------------------------------------------------------------------
diff --git a/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/Number.java b/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/Number.java
new file mode 100644
index 0000000..bccb647
--- /dev/null
+++ b/systests/federation/samlWebapp/src/main/java/org/apache/cxf/fediz/samlsso/service/Number.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.samlsso.service;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "Number")
+public class Number {
+ private int number;
+ private String description;
+
+ public Number() {
+
+ }
+
+ public int getNumber() {
+ return number;
+ }
+
+ public void setNumber(int number) {
+ this.number = number;
+ }
+
+ public String getDescription() {
+ return description;
+ }
+
+ public void setDescription(String description) {
+ this.description = description;
+ }
+
+}
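Review bot: Naming this JAXB bean `Number` shadows `java.lang.Number` inside the `org.apache.cxf.fediz.samlsso.service` package, so `DoubleItService.doubleIt` returning `Number` reads as if it returned the JDK type, and any future use of `java.lang.Number` in this package will need a fully qualified name. A more specific name such as `DoubleItResponse` (keeping `@XmlRootElement(name = "Number")` so the wire format is unchanged) avoids the ambiguity. The class also lacks a Javadoc summary, e.g. `/** JAXB payload returned by DoubleItService: the doubled value and a description. */`.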
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlWebapp/src/main/resources/stsKeystoreA.properties
----------------------------------------------------------------------
diff --git a/systests/federation/samlWebapp/src/main/resources/stsKeystoreA.properties b/systests/federation/samlWebapp/src/main/resources/stsKeystoreA.properties
new file mode 100644
index 0000000..bd9fb1b
--- /dev/null
+++ b/systests/federation/samlWebapp/src/main/resources/stsKeystoreA.properties
@@ -0,0 +1,6 @@
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=storepass
+org.apache.ws.security.crypto.merlin.keystore.alias=realma
+org.apache.ws.security.crypto.merlin.keystore.file=stsrealm_a.jks
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlWebapp/src/main/resources/stsrealm_a.jks
----------------------------------------------------------------------
diff --git a/systests/federation/samlWebapp/src/main/resources/stsrealm_a.jks b/systests/federation/samlWebapp/src/main/resources/stsrealm_a.jks
new file mode 100644
index 0000000..fde2928
Binary files /dev/null and b/systests/federation/samlWebapp/src/main/resources/stsrealm_a.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlWebapp/src/main/resources/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/federation/samlWebapp/src/main/resources/ststrust.jks b/systests/federation/samlWebapp/src/main/resources/ststrust.jks
new file mode 100644
index 0000000..ef5a844
Binary files /dev/null and b/systests/federation/samlWebapp/src/main/resources/ststrust.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlWebapp/src/main/webapp/WEB-INF/cxf-service.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlWebapp/src/main/webapp/WEB-INF/cxf-service.xml b/systests/federation/samlWebapp/src/main/webapp/WEB-INF/cxf-service.xml
new file mode 100644
index 0000000..9227893
--- /dev/null
+++ b/systests/federation/samlWebapp/src/main/webapp/WEB-INF/cxf-service.xml
@@ -0,0 +1,104 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+ xsi:schemaLocation="
+ http://cxf.apache.org/core
+ http://cxf.apache.org/schemas/core.xsd
+ http://cxf.apache.org/configuration/security
+ http://cxf.apache.org/schemas/configuration/security.xsd
+ http://cxf.apache.org/jaxws
+ http://cxf.apache.org/schemas/jaxws.xsd
+ http://cxf.apache.org/jaxrs
+ http://cxf.apache.org/schemas/jaxrs.xsd
+ http://cxf.apache.org/transports/http/configuration
+ http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://cxf.apache.org/transports/http-jetty/configuration
+ http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+
+ <import resource="classpath:META-INF/cxf/cxf.xml" />
+
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <bean id="serviceBean" class="org.apache.cxf.fediz.samlsso.service.DoubleItService"/>
+
+ <bean id="callbackHandler" class="org.apache.cxf.fediz.samlsso.service.KeystorePasswordCallback"/>
+
+ <bean id="stateManager" class="org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager">
+ <constructor-arg ref="cxf"/>
+ </bean>
+
+ <bean id="ssoFilter" class="org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter">
+ <property name="idpServiceAddress" value="https://localhost:${idp.https.port}/fediz-idp/saml/up"/>
+ <property name="assertionConsumerServiceAddress"
+ value="/racs/sso"/>
+ <property name="stateProvider" ref="stateManager"/>
+ <property name="addEndpointAddressToContext" value="true"/>
+ <property name="signRequest" value="true"/>
+ <property name="signaturePropertiesFile" value="stsKeystoreA.properties"/>
+ <property name="callbackHandler" ref="callbackHandler"/>
+ <property name="signatureUsername" value="realma" />
+ <property name="issuerId" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
+ </bean>
+
+ <bean id="authorizationInterceptor"
+ class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
+ <property name="securedObject" ref="serviceBean" />
+ </bean>
+
+ <jaxrs:server address="/app1">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="ssoFilter"/>
+ </jaxrs:providers>
+ <jaxrs:inInterceptors>
+ <ref bean="authorizationInterceptor"/>
+ </jaxrs:inInterceptors>
+ </jaxrs:server>
+
+ <bean id="consumerService" class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
+ <property name="stateProvider" ref="stateManager"/>
+ <property name="signaturePropertiesFile" value="stsKeystoreA.properties"/>
+ <property name="enforceKnownIssuer" value="false"/>
+ <property name="callbackHandlerClass" value="org.apache.cxf.fediz.samlsso.service.KeystorePasswordCallback" />
+ </bean>
+
+ <jaxrs:server address="/racs">
+ <jaxrs:serviceBeans>
+ <ref bean="consumerService"/>
+ </jaxrs:serviceBeans>
+ </jaxrs:server>
+
+</beans>
+
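Review bot: `<property name="enforceKnownIssuer" value="false"/>` on `consumerService` turns off the check that the SAML Response's issuer matches the IdP the request was sent to, which is the kind of relaxation that tends to be copied from a systest into a real deployment. If it is needed here because the IdP's issuer value does not yet match the test setup, say so in place, e.g. `<!-- enforceKnownIssuer is disabled only for this systest; production configurations must leave it at the default -->`, and ideally re-enable it once the IdP side is fixed. The `<cxf:logging/>` feature on the bus will also log full SAML responses and assertions, which is fine for a test webapp but worth a similar comment.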
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlWebapp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlWebapp/src/main/webapp/WEB-INF/web.xml b/systests/federation/samlWebapp/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 0000000..b0b8ab5
--- /dev/null
+++ b/systests/federation/samlWebapp/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,29 @@
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+ http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0" metadata-complete="true">
+
+ <description>Apache CXF Fediz double it service</description>
+ <display-name>Apache CXF Fediz double it service</display-name>
+
+ <context-param>
+ <param-name>contextConfigLocation</param-name>
+ <param-value>WEB-INF/cxf-service.xml</param-value>
+ </context-param>
+
+ <listener>
+ <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+ </listener>
+
+ <servlet>
+ <servlet-name>FederationServlet</servlet-name>
+ <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name>FederationServlet</servlet-name>
+ <url-pattern>/*</url-pattern>
+ </servlet-mapping>
+
+</web-app>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlsso/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/pom.xml b/systests/federation/samlsso/pom.xml
new file mode 100644
index 0000000..2d1c1fc
--- /dev/null
+++ b/systests/federation/samlsso/pom.xml
@@ -0,0 +1,369 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-federation</artifactId>
+ <version>1.3.2-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+ <groupId>org.apache.cxf.fediz.systests.federation</groupId>
+ <artifactId>fediz-systests-federation-samlsso</artifactId>
+ <name>Apache Fediz Federation Systests Tomcat 7 SAML SSO</name>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-logging-juli</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jdt.core.compiler</groupId>
+ <artifactId>ecj</artifactId>
+ <version>${ecj.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-jasper</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-tomcat7</artifactId>
+ <version>${project.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-tests</artifactId>
+ <version>${project.version}</version>
+ <type>test-jar</type>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.hsqldb</groupId>
+ <artifactId>hsqldb</artifactId>
+ <version>${hsqldb.version}</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+ <build>
+ <testResources>
+ <testResource>
+ <directory>src/test/resources</directory>
+ <filtering>true</filtering>
+ <includes>
+ <include>**/fediz_config*.xml</include>
+ </includes>
+ </testResource>
+ <testResource>
+ <directory>src/test/resources</directory>
+ <filtering>false</filtering>
+ <excludes>
+ <exclude>**/fediz_config*.xml</exclude>
+ </excludes>
+ </testResource>
+ </testResources>
+ <plugins>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>build-helper-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>reserve-network-port</id>
+ <goals>
+ <goal>reserve-network-port</goal>
+ </goals>
+ <phase>initialize</phase>
+ <configuration>
+ <portNames>
+ <portName>idp.https.port</portName>
+ <portName>idp.realmb.https.port</portName>
+ <portName>idp.oidc.https.port</portName>
+ <portName>rp.https.port</portName>
+ </portNames>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-dependency-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>copy-idp-sts</id>
+ <phase>generate-resources</phase>
+ <goals>
+ <goal>unpack</goal>
+ </goals>
+ <configuration>
+ <artifactItems>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp-sts</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp-sts</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz.systests.federation</groupId>
+ <artifactId>fediz-systests-federation-samlWebapp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/rp/webapps/samlssoWebapp</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idprealmb/webapps/fediz-idp-realmb</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp-sts</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idprealmb/webapps/fediz-idp-sts-realmb</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz.systests.federation</groupId>
+ <artifactId>fediz-systests-federation-oidcIdpWebapp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idpoidc/webapps/idpoidc</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-tests</artifactId>
+ <version>${project.version}</version>
+ <classifier>tests</classifier>
+ <type>jar</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/test-classes</outputDirectory>
+ <includes>**/*.jks</includes>
+ </artifactItem>
+ </artifactItems>
+ <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
+ <overWriteSnapshots>true</overWriteSnapshots>
+ <overWriteIfNewer>true</overWriteIfNewer>
+ <stripVersion>true</stripVersion>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <version>2.7</version>
+ <executions>
+ <execution>
+ <id>copy-entities-to-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF/classes</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realma</directory>
+ <includes>
+ <include>entities-realma.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-entities-to-remote-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idprealmb/webapps/fediz-idp-realmb/WEB-INF/classes</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realmb</directory>
+ <includes>
+ <include>entities-realmb.xml</include>
+ <include>realm.properties</include>
+ <include>persistence.properties</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-entities-to-remote-idp2</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idprealmb/webapps/fediz-idp-realmb/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realmb</directory>
+ <includes>
+ <include>idp-servlet.xml</include>
+ <include>security-config.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-entities-to-oidc-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idpoidc/webapps/idpoidc/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources</directory>
+ <includes>
+ <include>cxf-service.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-entities-to-samlsso-webapp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/rp/webapps/samlssoWebapp/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/rp</directory>
+ <includes>
+ <include>cxf-service.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-failsafe-plugin</artifactId>
+ <inherited>true</inherited>
+ <executions>
+ <execution>
+ <id>integration-test</id>
+ <phase>integration-test</phase>
+ <goals>
+ <goal>integration-test</goal>
+ </goals>
+ <configuration>
+ <skip>${skipTests}</skip>
+ <systemPropertyVariables>
+ <wt.headless>true</wt.headless>
+ <idp.https.port>${idp.https.port}</idp.https.port>
+ <idp.realmb.https.port>${idp.realmb.https.port}</idp.realmb.https.port>
+ <idp.samlsso.https.port>${idp.samlsso.https.port}</idp.samlsso.https.port>
+ <idp.oidc.https.port>${idp.oidc.https.port}</idp.oidc.https.port>
+ <rp.https.port>${rp.https.port}</rp.https.port>
+ </systemPropertyVariables>
+ <includes>
+ <include>**/integrationtests/**</include>
+ </includes>
+ <argLine>-Xms512m -Xmx1024m
+ -XX:MaxPermSize=256m</argLine>
+ </configuration>
+ </execution>
+ <execution>
+ <id>verify</id>
+ <phase>verify</phase>
+ <goals>
+ <goal>verify</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <inherited>true</inherited>
+ <configuration>
+ <excludes>
+ <exclude>**/integrationtests/**</exclude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOTest.java
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOTest.java b/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOTest.java
new file mode 100644
index 0000000..b42a28c
--- /dev/null
+++ b/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOTest.java
@@ -0,0 +1,304 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+
+import java.io.File;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.LifecycleState;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * This is a test for federation using a SAML SSO enabled web application (using CXF interceptors). The web
+ * application is configured to use a different realm to that of the IdP. The IdP then redirects to a third party
+ * IdP for authentication. The third party IdPs that are tested are as follows:
+ * - WS-Federation (Fediz)
+ * - SAML SSO (Fediz)
+ * - OIDC (custom webapp)
+ */
+public class SAMLSSOTest {
+
+ private enum ServerType {
+ IDP, REALMB, OIDC, RP
+ }
+
+ static String idpHttpsPort;
+ static String idpRealmbHttpsPort;
+ static String idpSamlSSOHttpsPort;
+ static String idpOIDCHttpsPort;
+ static String rpHttpsPort;
+
+ private static Tomcat idpServer;
+ private static Tomcat idpRealmbServer;
+ private static Tomcat idpOIDCServer;
+ private static Tomcat rpServer;
+
+ @BeforeClass
+ public static void init() throws Exception {
+ System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
+ System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
+ System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
+
+ idpHttpsPort = System.getProperty("idp.https.port");
+ Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+ idpRealmbHttpsPort = System.getProperty("idp.realmb.https.port");
+ Assert.assertNotNull("Property 'idp.realmb.https.port' null", idpRealmbHttpsPort);
+ idpSamlSSOHttpsPort = System.getProperty("idp.samlsso.https.port");
+ Assert.assertNotNull("Property 'idp.samlsso.https.port' null", idpSamlSSOHttpsPort);
+ idpOIDCHttpsPort = System.getProperty("idp.oidc.https.port");
+ Assert.assertNotNull("Property 'idp.oidc.https.port' null", idpOIDCHttpsPort);
+ rpHttpsPort = System.getProperty("rp.https.port");
+ Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+ idpServer = startServer(ServerType.IDP, idpHttpsPort);
+ idpRealmbServer = startServer(ServerType.REALMB, idpRealmbHttpsPort);
+ idpOIDCServer = startServer(ServerType.OIDC, idpOIDCHttpsPort);
+ rpServer = startServer(ServerType.RP, rpHttpsPort);
+ }
+
+ private static Tomcat startServer(ServerType serverType, String port)
+ throws ServletException, LifecycleException, IOException {
+ Tomcat server = new Tomcat();
+ server.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ String baseDir = currentDir + File.separator + "target";
+ server.setBaseDir(baseDir);
+
+ if (serverType == ServerType.IDP) {
+ server.getHost().setAppBase("tomcat/idp/webapps");
+ } else if (serverType == ServerType.REALMB) {
+ server.getHost().setAppBase("tomcat/idprealmb/webapps");
+ } else if (serverType == ServerType.OIDC) {
+ server.getHost().setAppBase("tomcat/idpoidc/webapps");
+ } else {
+ server.getHost().setAppBase("tomcat/rp/webapps");
+ }
+ server.getHost().setAutoDeploy(true);
+ server.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(port));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ //httpsConnector.setAttribute("keyAlias", keyAlias);
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "want");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ server.getService().addConnector(httpsConnector);
+
+ if (serverType == ServerType.IDP) {
+ File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts");
+ server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath());
+
+ File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp");
+ server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath());
+ } else if (serverType == ServerType.REALMB) {
+ File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts-realmb");
+ server.addWebapp("/fediz-idp-sts-realmb", stsWebapp.getAbsolutePath());
+
+ File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-realmb");
+ server.addWebapp("/fediz-idp-realmb", idpWebapp.getAbsolutePath());
+ } else if (serverType == ServerType.OIDC) {
+ File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "idpoidc");
+ server.addWebapp("/idpoidc", idpWebapp.getAbsolutePath());
+ } else {
+ File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "samlssoWebapp");
+ server.addWebapp("/wsfed", rpWebapp.getAbsolutePath());
+
+ /*
+ rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "simpleWebapp");
+ cxt = server.addWebapp("/samlssocustom", rpWebapp.getAbsolutePath());
+ cxt.getPipeline().addValve(fa);
+
+ rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "simpleWebapp");
+ cxt = server.addWebapp("/samlssocustompost", rpWebapp.getAbsolutePath());
+ cxt.getPipeline().addValve(fa);
+
+ rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "simpleWebapp");
+ cxt = server.addWebapp("/oidc", rpWebapp.getAbsolutePath());
+ cxt.getPipeline().addValve(fa);
+ */
+ }
+
+ server.start();
+
+ return server;
+ }
+
+ @AfterClass
+ public static void cleanup() {
+ shutdownServer(idpServer);
+ shutdownServer(idpRealmbServer);
+ shutdownServer(idpOIDCServer);
+ shutdownServer(rpServer);
+ }
+
+ private static void shutdownServer(Tomcat server) {
+ try {
+ if (server != null && server.getServer() != null
+ && server.getServer().getState() != LifecycleState.DESTROYED) {
+ if (server.getServer().getState() != LifecycleState.STOPPED) {
+ server.stop();
+ }
+ server.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public String getIdpHttpsPort() {
+ return idpHttpsPort;
+ }
+
+ public String getIdpRealmbHttpsPort() {
+ return idpRealmbHttpsPort;
+ }
+
+ public String getRpHttpsPort() {
+ return rpHttpsPort;
+ }
+
+ public String getServletContextName() {
+ return "fedizhelloworld";
+ }
+
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testWSFederation() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/wsfed/app1/services/25";
+ System.out.println(url);
+ Thread.sleep(60 * 2 * 1000);
+
+ /*
+ String user = "ALICE"; // realm b credentials
+ String password = "ECILA";
+
+ final String bodyTextContent =
+ login(url, user, password, getIdpRealmbHttpsPort(), idpHttpsPort);
+
+ Assert.assertTrue("Principal not alice",
+ bodyTextContent.contains("userPrincipal=alice"));
+ Assert.assertTrue("User " + user + " does not have role Admin",
+ bodyTextContent.contains("role:Admin=false"));
+ Assert.assertTrue("User " + user + " does not have role Manager",
+ bodyTextContent.contains("role:Manager=false"));
+ Assert.assertTrue("User " + user + " must have role User",
+ bodyTextContent.contains("role:User=true"));
+
+ String claim = ClaimTypes.FIRSTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
+ bodyTextContent.contains(claim + "=Alice"));
+ claim = ClaimTypes.LASTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
+ bodyTextContent.contains(claim + "=Smith"));
+ claim = ClaimTypes.EMAILADDRESS.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
+ bodyTextContent.contains(claim + "=alice@realma.org"));
+ */
+ }
+ /*
+ private static String login(String url, String user, String password,
+ String idpPort, String rpIdpPort) throws IOException {
+ //
+ // Access the RP + get redirected to the IdP for "realm a". Then get redirected to the IdP for
+ // "realm b".
+ //
+ final WebClient webClient = new WebClient();
+ CookieManager cookieManager = new CookieManager();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(idpPort)),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // For some reason, redirecting back to the IdP for "realm a" is not working with htmlunit. So extract
+ // the parameters manually from the form, and access the IdP for "realm a" with them
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ String wresult = null;
+ String wa = "wsignin1.0";
+ String wctx = null;
+ String wtrealm = null;
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ wresult = result.getAttributeNS(null, "value");
+ } else if ("wctx".equals(result.getAttributeNS(null, "name"))) {
+ wctx = result.getAttributeNS(null, "value");
+ } else if ("wtrealm".equals(result.getAttributeNS(null, "name"))) {
+ wtrealm = result.getAttributeNS(null, "value");
+ }
+ }
+ Assert.assertTrue(wctx != null && wresult != null && wtrealm != null);
+ webClient.close();
+
+ // Invoke on the IdP for "realm a"
+ final WebClient webClient2 = new WebClient();
+ webClient2.setCookieManager(cookieManager);
+ webClient2.getOptions().setUseInsecureSSL(true);
+
+ String url2 = "https://localhost:" + rpIdpPort + "/fediz-idp/federation?";
+ url2 += "wctx=" + wctx + "&";
+ url2 += "wa=" + wa + "&";
+ url2 += "wtrealm=" + URLEncoder.encode(wtrealm, "UTF8") + "&";
+ url2 += "wresult=" + URLEncoder.encode(wresult, "UTF8") + "&";
+
+ webClient2.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage2 = webClient2.getPage(url2);
+ webClient2.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());
+
+ // Now redirect back to the RP
+ final HtmlForm form2 = idpPage2.getFormByName("signinresponseform");
+
+ final HtmlSubmitInput button2 = form2.getInputByName("_eventId_submit");
+
+ final HtmlPage rpPage = button2.click();
+ Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
+
+ webClient2.close();
+ return rpPage.getBody().getTextContent();
+ }
+ */
+}
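Review bot: `init()` reads and asserts `idp.samlsso.https.port` (the two lines after `idpRealmbHttpsPort` is checked), but no server is started with it in the four `startServer` calls that follow, and the pom's `reserve-network-port` execution above lists only `idp.https.port`, `idp.realmb.https.port`, `idp.oidc.https.port` and `rp.https.port`, while the failsafe `systemPropertyVariables` still forwards `${idp.samlsso.https.port}`. Unless that property is defined elsewhere in the pom, the assertion either fails or passes on an unexpanded placeholder string, so the check gives no real signal; either drop the field and its assertion, or add `<portName>idp.samlsso.https.port</portName>` to the `portNames` list and start the corresponding server. Separately, the `@Ignore`d `testWSFederation` keeps a `System.out.println(url)` and a `Thread.sleep(60 * 2 * 1000)` (two minutes) that look like interactive-debugging leftovers; if the intent is to leave a manual entry point, a comment such as `// Manual debugging aid: keeps the servers up for 2 minutes so the flow can be driven from a browser` would make that explicit, otherwise they should go before the test is un-ignored. `shutdownServer` also swallows `Exception` with `e.printStackTrace()`; in test teardown that is tolerable, but a comment stating that failures here are deliberately non-fatal would help the next reader.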
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlsso/src/test/resources/cxf-service.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/cxf-service.xml b/systests/federation/samlsso/src/test/resources/cxf-service.xml
new file mode 100644
index 0000000..7b09656
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/cxf-service.xml
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://cxf.apache.org/core
+ http://cxf.apache.org/schemas/core.xsd
+ http://cxf.apache.org/configuration/security
+ http://cxf.apache.org/schemas/configuration/security.xsd
+ http://cxf.apache.org/jaxws
+ http://cxf.apache.org/schemas/jaxws.xsd
+ http://cxf.apache.org/jaxrs
+ http://cxf.apache.org/schemas/jaxrs.xsd
+ http://cxf.apache.org/transports/http/configuration
+ http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <import resource="classpath:META-INF/cxf/cxf.xml" />
+
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+ <!--cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus-->
+
+ <bean id="callbackHandler" class="org.apache.cxf.fediz.oidc.idp.example.CommonCallbackHandler"/>
+ <bean id="basicAuthFilter" class="org.apache.cxf.fediz.oidc.idp.example.BasicAuthFilter">
+ <property name="callbackHandler" ref="callbackHandler"/>
+ </bean>
+
+ <bean id="client" class="org.apache.cxf.rs.security.oauth2.common.Client">
+ <constructor-arg><value>consumer-id</value></constructor-arg>
+ <constructor-arg><value>this-is-a-secret</value></constructor-arg>
+ <constructor-arg><value>true</value></constructor-arg>
+ <constructor-arg><value>Fediz IdP</value></constructor-arg>
+ <property name="redirectUris">
+ <util:list value-type="java.lang.String">
+ <value>https://localhost:${idp.https.port}/fediz-idp/federation</value>
+ </util:list>
+ </property>
+ <property name="allowedGrantTypes">
+ <util:list value-type="java.lang.String">
+ <value>authorization_code</value>
+ </util:list>
+ </property>
+ <property name="registeredScopes">
+ <util:list value-type="java.lang.String">
+ <value>openid</value>
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheOIDCTokenProvider">
+ <property name="client" ref="client"/>
+ </bean>
+
+ <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <bean id="idTokenProviderImpl" class="org.apache.cxf.fediz.oidc.idp.example.IdTokenProviderImpl"/>
+
+ <bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter">
+ <property name="idTokenProvider" ref="idTokenProviderImpl"/>
+ </bean>
+
+ <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="responseFilter" ref="idTokenFilter"/>
+ </bean>
+
+ <bean id="oauthJSONProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
+
+ <bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
+ <property name="useClassNames" value="true"/>
+ <property name="locationPrefix" value="/WEB-INF/views/"/>
+ <property name="beanName" value="data"/>
+ <property name="dispatcherName" value="jsp"/>
+ </bean>
+
+ <jaxrs:server address="/services">
+ <jaxrs:serviceBeans>
+ <ref bean="authorizationService"/>
+ <ref bean="tokenService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="oauthJSONProvider"/>
+ <ref bean="basicAuthFilter"/>
+ <ref bean="viewProvider"/>
+ </jaxrs:providers>
+ <jaxrs:properties>
+ <entry key="rs.security.keystore.type" value="jks" />
+ <entry key="rs.security.keystore.alias" value="realmb"/>
+ <entry key="rs.security.key.password" value="realmb"/>
+ <entry key="rs.security.keystore.password" value="storepass"/>
+ <entry key="rs.security.keystore.file" value="stsrealm_b.jks" />
+ <entry key="rs.security.signature.algorithm" value="RS256" />
+ </jaxrs:properties>
+ </jaxrs:server>
+
+</beans>
+
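Review bot: The file has no comment saying what it is for, and from the pom above it is copied into `target/tomcat/idpoidc/webapps/idpoidc/WEB-INF` with filtering enabled, replacing the OIDC IdP webapp's own `cxf-service.xml`; a reader opening it under `samlsso/src/test/resources` cannot tell that from the content. A header comment after the license along the lines of `<!-- Overrides the oidcIdpWebapp's cxf-service.xml for this systest; copied into idpoidc/WEB-INF by the copy-entities-to-oidc-idp execution, with ${idp.https.port} filled in by Maven resource filtering -->` would make that explicit. It would also be worth stating in that comment that the `client` bean's secret (`this-is-a-secret`) and the `rs.security.key.password` / `rs.security.keystore.password` values are fixed test fixtures, so nobody later mistakes the file for a deployable template.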
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/722b70f0/systests/federation/samlsso/src/test/resources/fediz_config_wsfed.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/fediz_config_wsfed.xml b/systests/federation/samlsso/src/test/resources/fediz_config_wsfed.xml
new file mode 100644
index 0000000..c63530b
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/fediz_config_wsfed.xml
@@ -0,0 +1,176 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file.
+ Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL
+ keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead.
+-->
+<FedizConfig>
+ <contextConfig name="/wsfed">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-B</homeRealm>
+ <claimTypesRequested>
+ <claimType type="a particular claim type"
+ optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+ <contextConfig name="/samlsso">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-C</homeRealm>
+ <claimTypesRequested>
+ <claimType type="a particular claim type"
+ optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+ <contextConfig name="/samlssocustom">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-D</homeRealm>
+ <claimTypesRequested>
+ <claimType type="a particular claim type"
+ optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+ <contextConfig name="/samlssocustompost">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-E</homeRealm>
+ <claimTypesRequested>
+ <claimType type="a particular claim type"
+ optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+ <contextConfig name="/oidc">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-F</homeRealm>
+ <claimTypesRequested>
+ <claimType type="a particular claim type"
+ optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+</FedizConfig>
+
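Review bot: The introductory comment says the example re-uses the Tomcat SSL keystore `tomcat-rp.jks`, but every `trustManager` below points at `test-classes/clienttrust.jks`, so the comment is out of date for this copy; either reword it (`... re-uses the clienttrust.jks test truststore for this task ...`) or drop the sentence. Every one of the five `contextConfig` blocks also carries the template placeholder `<claimType type="a particular claim type" optional="true" />`, which is not a real claim URI; if no claims are meant to be requested the `claimTypesRequested` element should be emptied or removed rather than left with sample text. Finally, none of the `copy-resources` executions visible in the pom above reference this file, and the test only deploys the `samlssoWebapp` at `/wsfed`, so it is unclear which webapp, if any, loads this config; a one-line comment at the top naming the consumer (or a TODO if it is not yet wired up, as the "partially working" commit message suggests) would prevent it from becoming dead configuration.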