You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2015/03/09 16:06:15 UTC
[2/2] cxf-fediz git commit: Adding a new systests module for kerberos
testing using an Apache DS KDC
Adding a new systests module for kerberos testing using an Apache DS KDC
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/e3931b19
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/e3931b19
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/e3931b19
Branch: refs/heads/master
Commit: e3931b19e4b40832455d64406adf1bbad1ab0b65
Parents: 3110146
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Mar 9 15:05:52 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Mar 9 15:05:52 2015 +0000
----------------------------------------------------------------------
pom.xml | 1 +
.../idp/src/main/webapp/WEB-INF/kerberos.jaas | 8 -
.../webapp/WEB-INF/security-config-kerberos.xml | 119 ------
systests/kerberos/pom.xml | 338 +++++++++++++++
.../KerberosClientPasswordCallback.java | 48 +++
.../KerberosServicePasswordCallback.java | 58 +++
.../fediz/integrationtests/KerberosTest.java | 420 +++++++++++++++++++
.../src/test/resources/fediz_config.xml | 43 ++
.../src/test/resources/idp/security-config.xml | 116 +++++
.../kerberos/src/test/resources/kerberos.jaas | 8 +
.../kerberos/src/test/resources/kerberos.ldif | 51 +++
systests/kerberos/src/test/resources/krb5.conf | 7 +
systests/kerberos/src/test/resources/server.jks | Bin 0 -> 1863 bytes
.../src/test/resources/sts/cxf-transport.xml | 229 ++++++++++
.../src/test/resources/sts/kerberos.xml | 83 ++++
.../test/resources/sts/userClaimsKerberos.xml | 138 ++++++
.../kerberos/src/test/resources/ststrust.jks | Bin 0 -> 2561 bytes
systests/pom.xml | 1 +
.../fediz/integrationtests/KerberosTest.java | 344 ---------------
.../tomcat7/src/test/resources/kerberos.jaas | 8 -
20 files changed, 1541 insertions(+), 479 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 8b03090..79a2b06 100644
--- a/pom.xml
+++ b/pom.xml
@@ -36,6 +36,7 @@
</prerequisites>
<properties>
+ <apacheds.version>2.0.0-M19</apacheds.version>
<commons.lang.version>3.3.2</commons.lang.version>
<commons.logging.version>1.1.3</commons.logging.version>
<cxf.version>3.0.5-SNAPSHOT</cxf.version>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/services/idp/src/main/webapp/WEB-INF/kerberos.jaas
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/kerberos.jaas b/services/idp/src/main/webapp/WEB-INF/kerberos.jaas
deleted file mode 100644
index b773cf6..0000000
--- a/services/idp/src/main/webapp/WEB-INF/kerberos.jaas
+++ /dev/null
@@ -1,8 +0,0 @@
-
-alice {
- com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true keyTab="/etc/alice.keytab" principal="alice";
-};
-
-bob {
- com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true storeKey=true keyTab="/etc/bob.keytab" principal="bob/service.ws.apache.org";
-};
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml b/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
deleted file mode 100644
index 49049ab..0000000
--- a/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
+++ /dev/null
@@ -1,119 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:security="http://www.springframework.org/schema/security"
- xmlns:context="http://www.springframework.org/schema/context"
- xsi:schemaLocation="
- http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context-3.1.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-
- <context:property-placeholder location="classpath:realm.properties"/>
-
- <!-- DISABLE in production as it might log confidential information about the user -->
- <!-- <security:debug /> -->
-
- <!-- Configure Spring Security -->
- <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
- <!-- The user has no role during the login phase of WS-Federation -->
- <security:global-method-security pre-post-annotations="enabled"/>
-
- <security:http pattern="/services/rs/**" auto-config="false" use-expressions="true" entry-point-ref="kerberosEntryPoint">
- <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
- <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
- <security:intercept-url pattern="/**" access="isAuthenticated()"/>
- <!--<security:http-basic />-->
- <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
- </security:http>
-
- <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
-
- <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
-
- <bean id="kerberosEntryPoint"
- class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
-
- <bean id="spnegoAuthenticationProcessingFilter"
- class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
- <property name="authenticationManager" ref="restAuthenticationManager" />
- </bean>
-
- <security:authentication-manager id="restAuthenticationManager">
- <security:authentication-provider>
- <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
- <!-- <security:password-encoder hash="sha-256" base64="true" />-->
- <!--
- <security:password-encoder hash="sha-256" base64="true">
- <security:salt-source user-property="username"/>
- </security:password-encoder>
- -->
- <security:user-service properties="classpath:/users.properties" />
- </security:authentication-provider>
- <security:authentication-provider ref="stsAuthProvider" />
- </security:authentication-manager>
-
- <security:http use-expressions="true" entry-point-ref="kerberosEntryPoint">
- <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
- <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
- <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
-
- <security:form-login login-page="/federation/login"/>
- <security:http-basic />
- <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
- </security:http>
-
- <bean id="kerberosEntryPoint"
- class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
-
- <bean id="kerberosAuthenticationProcessingFilter"
- class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
- <property name="authenticationManager" ref="authenticationManager" />
- </bean>
-
- <security:authentication-manager alias="authenticationManager">
- <security:authentication-provider ref="stsAuthProvider" />
- </security:authentication-manager>
-
- <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
-
- <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
-
- <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
- <property name="contextName" value="bob"/>
- <property name="serviceName" value="bob@service.ws.apache.org"/>
- </bean>-->
-
- <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
- <!--<property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
- <property name="wsdlEndpoint" value="TransportUT_Port"/> -->
- <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
- <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
- <property name="wsdlService" value="SecurityTokenService"/>
- <property name="appliesTo" value="urn:fediz:idp"/>
- <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
- <!--<property name="kerberosTokenValidator" ref="kerberosTokenValidator"/>
- <property name="requireDelegation" value="true"/>-->
- </bean>
-
-</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/pom.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/pom.xml b/systests/kerberos/pom.xml
new file mode 100644
index 0000000..8187c59
--- /dev/null
+++ b/systests/kerberos/pom.xml
@@ -0,0 +1,338 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-systests</artifactId>
+ <version>1.2.0-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-kerberos</artifactId>
+ <name>Apache Fediz Kerberos Systests</name>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>${tomcat.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-logging-juli</artifactId>
+ <version>${tomcat.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jdt.core.compiler</groupId>
+ <artifactId>ecj</artifactId>
+ <version>3.7.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-jasper</artifactId>
+ <version>${tomcat.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-tomcat</artifactId>
+ <version>${project.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-tests</artifactId>
+ <version>${project.version}</version>
+ <type>test-jar</type>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>hsqldb</groupId>
+ <artifactId>hsqldb</artifactId>
+ <version>${hsqldb.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-core-annotations</artifactId>
+ <version>${apacheds.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-core-integ</artifactId>
+ <version>${apacheds.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-shared</artifactId>
+ <version>${apacheds.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-protocol-kerberos</artifactId>
+ <version>${apacheds.version}</version>
+ <scope>test</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>net.sf.ehcache</groupId>
+ <artifactId>ehcache-core</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-interceptor-kerberos</artifactId>
+ <version>${apacheds.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.directory.server</groupId>
+ <artifactId>apacheds-kerberos-codec</artifactId>
+ <version>${apacheds.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ <version>2.4</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+ <build>
+ <testResources>
+ <testResource>
+ <directory>src/test/resources</directory>
+ <filtering>true</filtering>
+ <includes>
+ <include>**/fediz_config*.xml</include>
+ </includes>
+ </testResource>
+ <testResource>
+ <directory>src/test/resources</directory>
+ <filtering>false</filtering>
+ <excludes>
+ <exclude>**/fediz_config*.xml</exclude>
+ </excludes>
+ </testResource>
+ </testResources>
+ <plugins>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>build-helper-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>reserve-network-port</id>
+ <goals>
+ <goal>reserve-network-port</goal>
+ </goals>
+ <phase>initialize</phase>
+ <configuration>
+ <portNames>
+ <portName>idp.https.port</portName>
+ <portName>rp.https.port</portName>
+ </portNames>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-dependency-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>copy-idp-sts</id>
+ <phase>generate-resources</phase>
+ <goals>
+ <goal>unpack</goal>
+ </goals>
+ <configuration>
+ <artifactItems>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp-sts</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp-sts</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz.systests.webapps</groupId>
+ <artifactId>fediz-systests-webapps-simple</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/rp/webapps/simpleWebapp</outputDirectory>
+ </artifactItem>
+ </artifactItems>
+ <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
+ <overWriteSnapshots>true</overWriteSnapshots>
+ <overWriteIfNewer>true</overWriteIfNewer>
+ <stripVersion>true</stripVersion>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-xalan-to-idp</id>
+ <phase>generate-resources</phase>
+ <goals>
+ <goal>copy</goal>
+ </goals>
+ <configuration>
+ <artifactItems>
+ <artifactItem>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
+ <version>${xalan.version}</version>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp/WEB-INF/lib</outputDirectory>
+ </artifactItem>
+ </artifactItems>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <version>2.7</version>
+ <executions>
+ <execution>
+ <id>copy-entities-to-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/idp</directory>
+ <includes>
+ <include>security-config.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-entities-to-sts</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/sts</directory>
+ <includes>
+ <include>cxf-transport.xml</include>
+ <include>kerberos.xml</include>
+ <include>userClaimsKerberos.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-failsafe-plugin</artifactId>
+ <inherited>true</inherited>
+ <executions>
+ <execution>
+ <id>integration-test</id>
+ <phase>integration-test</phase>
+ <goals>
+ <goal>integration-test</goal>
+ </goals>
+ <configuration>
+ <skip>false</skip>
+ <systemPropertyVariables>
+ <wt.headless>true</wt.headless>
+ <idp.https.port>${idp.https.port}</idp.https.port>
+ <rp.https.port>${rp.https.port}</rp.https.port>
+ <java.security.krb5.conf>src/test/resources/krb5.conf</java.security.krb5.conf>
+ </systemPropertyVariables>
+ <includes>
+ <include>**/integrationtests/**</include>
+ </includes>
+ <argLine>-Xms512m -Xmx1024m
+ -XX:MaxPermSize=256m</argLine>
+ </configuration>
+ </execution>
+ <execution>
+ <id>verify</id>
+ <phase>verify</phase>
+ <goals>
+ <goal>verify</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <inherited>true</inherited>
+ <configuration>
+ <excludes>
+ <exclude>**/integrationtests/**</exclude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosClientPasswordCallback.java
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosClientPasswordCallback.java b/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosClientPasswordCallback.java
new file mode 100644
index 0000000..798e681
--- /dev/null
+++ b/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosClientPasswordCallback.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+/**
+ * A CallbackHandler implementation for the kerberos client.
+ */
+public class KerberosClientPasswordCallback implements CallbackHandler {
+
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof NameCallback) {
+ NameCallback nameCallback = (NameCallback)callbacks[i];
+ nameCallback.setName("alice");
+ } else if (callbacks[i] instanceof PasswordCallback) {
+ PasswordCallback passwordCallback = (PasswordCallback)callbacks[i];
+ passwordCallback.setPassword("alice".toCharArray());
+ }
+ }
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosServicePasswordCallback.java
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosServicePasswordCallback.java b/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosServicePasswordCallback.java
new file mode 100644
index 0000000..ea74a8c
--- /dev/null
+++ b/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosServicePasswordCallback.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.wss4j.common.kerberos.KerberosContextAndServiceNameCallback;
+
+/**
+ * A CallbackHandler implementation for the kerberos service.
+ */
+public class KerberosServicePasswordCallback implements CallbackHandler {
+
+ public KerberosServicePasswordCallback() {
+ }
+
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof KerberosContextAndServiceNameCallback) {
+ KerberosContextAndServiceNameCallback pc =
+ (KerberosContextAndServiceNameCallback)callbacks[i];
+ pc.setContextName("bob");
+ pc.setServiceName("bob@service.ws.apache.org");
+ } else if (callbacks[i] instanceof NameCallback) {
+ NameCallback nameCallback = (NameCallback)callbacks[i];
+ nameCallback.setName("bob");
+ } else if (callbacks[i] instanceof PasswordCallback) {
+ PasswordCallback passwordCallback = (PasswordCallback)callbacks[i];
+ passwordCallback.setPassword("bob".toCharArray());
+ }
+ }
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosTest.java
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosTest.java b/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosTest.java
new file mode 100644
index 0000000..8379b3e
--- /dev/null
+++ b/systests/kerberos/src/test/java/org/apache/cxf/fediz/integrationtests/KerberosTest.java
@@ -0,0 +1,420 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.security.PrivilegedExceptionAction;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
+
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.LifecycleState;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.commons.io.IOUtils;
+import org.apache.cxf.fediz.core.ClaimTypes;
+import org.apache.cxf.fediz.tomcat.FederationAuthenticator;
+import org.apache.directory.server.annotations.CreateKdcServer;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifFiles;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreateIndex;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.xml.security.utils.Base64;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.runner.RunWith;
+
+/**
+ * A test that sends a Kerberos ticket to the IdP for authentication. The IdP must be configured
+ * to validate the Kerberos ticket, and in turn get a delegation token to authenticate to the
+ * STS + retrieve claims etc.
+ *
+ * This test uses an Apache DS instance as the KDC
+ */
+
+@RunWith(FrameworkRunner.class)
+
+//Define the DirectoryService
+@CreateDS(name = "KerberosTest-class",
+ enableAccessControl = false,
+ allowAnonAccess = false,
+ enableChangeLog = true,
+ partitions = {
+ @CreatePartition(
+ name = "example",
+ suffix = "dc=example,dc=com",
+ indexes = {
+ @CreateIndex(attribute = "objectClass"),
+ @CreateIndex(attribute = "dc"),
+ @CreateIndex(attribute = "ou")
+ }
+ ) },
+ additionalInterceptors = {
+ KeyDerivationInterceptor.class
+ }
+)
+
+@CreateLdapServer(
+ transports = {
+ @CreateTransport(protocol = "LDAP")
+ }
+)
+
+@CreateKdcServer(
+ transports = {
+ // @CreateTransport(protocol = "TCP", address = "127.0.0.1", port=1024)
+ @CreateTransport(protocol = "UDP", address = "127.0.0.1")
+ },
+ primaryRealm = "service.ws.apache.org",
+ kdcPrincipal = "krbtgt/service.ws.apache.org@service.ws.apache.org"
+)
+
+//Inject an file containing entries
+@ApplyLdifFiles("kerberos.ldif")
+
+public class KerberosTest extends AbstractLdapTestUnit {
+
+ static String idpHttpsPort;
+ static String rpHttpsPort;
+
+ private static Tomcat idpServer;
+ private static Tomcat rpServer;
+ private static boolean portUpdated;
+
+ @BeforeClass
+ public static void init() {
+ System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
+ System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
+ System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
+
+ idpHttpsPort = System.getProperty("idp.https.port");
+ Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+ rpHttpsPort = System.getProperty("rp.https.port");
+ Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+ WSSConfig.init();
+
+ initIdp();
+ initRp();
+ }
+
+ @Before
+ public void updatePort() throws Exception {
+ if (!portUpdated) {
+ String basedir = System.getProperty("basedir");
+ if (basedir == null) {
+ basedir = new File(".").getCanonicalPath();
+ }
+
+ // Read in krb5.conf and substitute in the correct port
+ File f = new File(basedir + "/src/test/resources/krb5.conf");
+
+ FileInputStream inputStream = new FileInputStream(f);
+ String content = IOUtils.toString(inputStream, "UTF-8");
+ inputStream.close();
+ content = content.replaceAll("port", "" + super.getKdcServer().getTransports()[0].getPort());
+
+ File f2 = new File(basedir + "/target/test-classes/fediz.kerberos.krb5.conf");
+ FileOutputStream outputStream = new FileOutputStream(f2);
+ IOUtils.write(content, outputStream, "UTF-8");
+ outputStream.close();
+
+ System.setProperty("java.security.krb5.conf", f2.getPath());
+ portUpdated = true;
+ }
+
+ System.setProperty("java.security.auth.login.config", "src/test/resources/kerberos.jaas");
+ }
+
+ private static void initIdp() {
+ try {
+ idpServer = new Tomcat();
+ idpServer.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ idpServer.setBaseDir(currentDir + File.separator + "target");
+
+ idpServer.getHost().setAppBase("tomcat/idp/webapps");
+ idpServer.getHost().setAutoDeploy(true);
+ idpServer.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ //httpsConnector.setAttribute("keyAlias", keyAlias);
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "want");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ idpServer.getService().addConnector(httpsConnector);
+
+ idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
+ idpServer.addWebapp("/fediz-idp", "fediz-idp");
+
+ idpServer.start();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ private static void initRp() {
+ try {
+ rpServer = new Tomcat();
+ rpServer.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ rpServer.setBaseDir(currentDir + File.separator + "target");
+
+ rpServer.getHost().setAppBase("tomcat/rp/webapps");
+ rpServer.getHost().setAutoDeploy(true);
+ rpServer.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ //httpsConnector.setAttribute("keyAlias", keyAlias);
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("clientAuth", "want");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ rpServer.getService().addConnector(httpsConnector);
+
+ //Context ctx =
+ Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
+ FederationAuthenticator fa = new FederationAuthenticator();
+ fa.setConfigFile(currentDir + File.separator + "target" + File.separator
+ + "test-classes" + File.separator + "fediz_config.xml");
+ cxt.getPipeline().addValve(fa);
+
+
+ rpServer.start();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ @AfterClass
+ public static void cleanup() {
+ try {
+ if (idpServer.getServer() != null
+ && idpServer.getServer().getState() != LifecycleState.DESTROYED) {
+ if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
+ idpServer.stop();
+ }
+ idpServer.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ try {
+ if (rpServer.getServer() != null
+ && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
+ if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
+ rpServer.stop();
+ }
+ rpServer.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public String getIdpHttpsPort() {
+ return idpHttpsPort;
+ }
+
+ public String getRpHttpsPort() {
+ return rpHttpsPort;
+ }
+
+ public String getServletContextName() {
+ return "fedizhelloworld";
+ }
+
+ @org.junit.Test
+ public void testKerberos() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+ // Get a Kerberos Ticket + Base64 encode it
+ String ticket = getEncodedKerberosTicket(false);
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ webClient.addRequestHeader("Authorization", "Negotiate " + ticket);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+ final HtmlPage rpPage = button.click();
+ Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
+
+ final String bodyTextContent = rpPage.getBody().getTextContent();
+ String user = "alice";
+ Assert.assertTrue("Principal not " + user,
+ bodyTextContent.contains("userPrincipal=" + user));
+ Assert.assertTrue("User " + user + " does not have role Admin",
+ bodyTextContent.contains("role:Admin=false"));
+ Assert.assertTrue("User " + user + " does not have role Manager",
+ bodyTextContent.contains("role:Manager=false"));
+ Assert.assertTrue("User " + user + " must have role User",
+ bodyTextContent.contains("role:User=true"));
+
+ String claim = ClaimTypes.FIRSTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
+ bodyTextContent.contains(claim + "=Alice"));
+ claim = ClaimTypes.LASTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
+ bodyTextContent.contains(claim + "=Smith"));
+ claim = ClaimTypes.EMAILADDRESS.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
+ bodyTextContent.contains(claim + "=alice@realma.org"));
+ }
+
+ // To get this test to work, uncomment the "spnego" configuration in the STS's kerberos.xml
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testSpnego() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+ // Get a Kerberos Ticket + Base64 encode it
+ String ticket = getEncodedKerberosTicket(true);
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ webClient.addRequestHeader("Authorization", "Negotiate " + ticket);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+ final HtmlPage rpPage = button.click();
+ Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
+
+ final String bodyTextContent = rpPage.getBody().getTextContent();
+ String user = "alice";
+ Assert.assertTrue("Principal not " + user,
+ bodyTextContent.contains("userPrincipal=" + user));
+ Assert.assertTrue("User " + user + " does not have role Admin",
+ bodyTextContent.contains("role:Admin=false"));
+ Assert.assertTrue("User " + user + " does not have role Manager",
+ bodyTextContent.contains("role:Manager=false"));
+ Assert.assertTrue("User " + user + " must have role User",
+ bodyTextContent.contains("role:User=true"));
+
+ String claim = ClaimTypes.FIRSTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
+ bodyTextContent.contains(claim + "=Alice"));
+ claim = ClaimTypes.LASTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
+ bodyTextContent.contains(claim + "=Smith"));
+ claim = ClaimTypes.EMAILADDRESS.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
+ bodyTextContent.contains(claim + "=alice@realma.org"));
+ }
+
+ private String getEncodedKerberosTicket(boolean spnego) throws Exception {
+
+ Oid kerberos5Oid = null;
+ if (spnego) {
+ kerberos5Oid = new Oid("1.3.6.1.5.5.2");
+ } else {
+ kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
+ }
+
+ GSSManager manager = GSSManager.getInstance();
+ GSSName serverName = manager.createName("bob@service.ws.apache.org",
+ GSSName.NT_HOSTBASED_SERVICE);
+
+ GSSContext context = manager
+ .createContext(serverName.canonicalize(kerberos5Oid), kerberos5Oid,
+ null, GSSContext.DEFAULT_LIFETIME);
+
+ context.requestCredDeleg(true);
+
+ final byte[] token = new byte[0];
+
+ String contextName = "alice";
+ LoginContext lc = new LoginContext(contextName, new KerberosClientPasswordCallback());
+ lc.login();
+
+ byte[] ticket = (byte[])Subject.doAs(lc.getSubject(), new CreateServiceTicketAction(context, token));
+ return Base64.encode(ticket);
+ }
+
+ private final class CreateServiceTicketAction implements PrivilegedExceptionAction<byte[]> {
+ private final GSSContext context;
+ private final byte[] token;
+
+ private CreateServiceTicketAction(GSSContext context, byte[] token) {
+ this.context = context;
+ this.token = token;
+ }
+
+ public byte[] run() throws GSSException {
+ return context.initSecContext(token, 0, token.length);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/fediz_config.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/fediz_config.xml b/systests/kerberos/src/test/resources/fediz_config.xml
new file mode 100644
index 0000000..1f20ab6
--- /dev/null
+++ b/systests/kerberos/src/test/resources/fediz_config.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file.
+ Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL
+ keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead.
+-->
+<FedizConfig>
+ <contextConfig name="/fedizhelloworld">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/ststrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
+ <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
+ </signingKey>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+ <claimTypesRequested>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+</FedizConfig>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/idp/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/idp/security-config.xml b/systests/kerberos/src/test/resources/idp/security-config.xml
new file mode 100644
index 0000000..7b1b22a
--- /dev/null
+++ b/systests/kerberos/src/test/resources/idp/security-config.xml
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-3.1.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+ <context:property-placeholder location="classpath:realm.properties"/>
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <!-- Configure Spring Security -->
+ <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
+ <!-- The user has no role during the login phase of WS-Federation -->
+ <security:global-method-security pre-post-annotations="enabled"/>
+
+ <security:http pattern="/services/rs/**" auto-config="false" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/**" access="isAuthenticated()"/>
+ <!--<security:http-basic />-->
+ <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+ </security:http>
+
+ <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+
+ <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
+
+ <bean id="spnegoAuthenticationProcessingFilter"
+ class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+ <property name="authenticationManager" ref="restAuthenticationManager" />
+ </bean>
+
+ <security:authentication-manager id="restAuthenticationManager">
+ <security:authentication-provider>
+ <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
+ <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+ <!--
+ <security:password-encoder hash="sha-256" base64="true">
+ <security:salt-source user-property="username"/>
+ </security:password-encoder>
+ -->
+ <security:user-service properties="classpath:/users.properties" />
+ </security:authentication-provider>
+ <security:authentication-provider ref="stsAuthProvider" />
+ </security:authentication-manager>
+
+ <security:http use-expressions="true" entry-point-ref="kerberosEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+
+ <!-- <security:form-login login-page="/federation/login"/>
+ <security:http-basic />-->
+ <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+ </security:http>
+
+ <bean id="kerberosEntryPoint"
+ class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
+
+ <bean id="kerberosAuthenticationProcessingFilter"
+ class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+ <property name="authenticationManager" ref="authenticationManager" />
+ </bean>
+
+ <security:authentication-manager alias="authenticationManager">
+ <security:authentication-provider ref="stsAuthProvider" />
+ </security:authentication-manager>
+
+ <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+
+ <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
+
+ <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
+ <property name="contextName" value="bob"/>
+ <property name="serviceName" value="bob@service.ws.apache.org"/>
+ </bean>-->
+
+ <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
+ <!--<property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
+ <property name="wsdlEndpoint" value="TransportUT_Port"/> -->
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
+ <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
+ <property name="wsdlService" value="SecurityTokenService"/>
+ <property name="appliesTo" value="urn:fediz:idp"/>
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+ <!--<property name="kerberosTokenValidator" ref="kerberosTokenValidator"/>
+ <property name="requireDelegation" value="true"/>-->
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/kerberos.jaas
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/kerberos.jaas b/systests/kerberos/src/test/resources/kerberos.jaas
new file mode 100644
index 0000000..cd5b316
--- /dev/null
+++ b/systests/kerberos/src/test/resources/kerberos.jaas
@@ -0,0 +1,8 @@
+
+alice {
+ com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=false principal="alice";
+};
+
+bob {
+ com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=false storeKey=true principal="bob/service.ws.apache.org";
+};
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/kerberos.ldif
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/kerberos.ldif b/systests/kerberos/src/test/resources/kerberos.ldif
new file mode 100644
index 0000000..40f07fd
--- /dev/null
+++ b/systests/kerberos/src/test/resources/kerberos.ldif
@@ -0,0 +1,51 @@
+dn: dc=example,dc=com
+dc: example
+objectClass: top
+objectClass: domain
+
+dn: ou=users,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: top
+ou: users
+
+# Web server identity/service principal.
+dn: uid=bob,ou=users,dc=example,dc=com
+objectclass: top
+objectclass: person
+objectclass: inetOrgPerson
+objectclass: krb5Principal
+objectclass: krb5KDCEntry
+cn: bob
+sn: bob
+uid: bob
+userpassword: bob
+krb5PrincipalName: bob/service.ws.apache.org@service.ws.apache.org
+krb5KeyVersionNumber: 0
+
+# User / client principal.
+dn: uid=alice,ou=users,dc=example,dc=com
+objectclass: top
+objectclass: person
+objectclass: inetOrgPerson
+objectclass: krb5Principal
+objectclass: krb5KDCEntry
+cn: alice
+sn: alice
+uid: alice
+userpassword: alice
+krb5PrincipalName: alice@service.ws.apache.org
+krb5KeyVersionNumber: 0
+
+# Ticket Granting Service.
+dn: uid=krbtgt,ou=users,dc=example,dc=com
+objectclass: top
+objectclass: person
+objectclass: inetOrgPerson
+objectclass: krb5Principal
+objectclass: krb5KDCEntry
+cn: KDC Service
+sn: KDC Service
+uid: krbtgt
+userpassword: randomKey
+krb5PrincipalName: krbtgt/service.ws.apache.org@service.ws.apache.org
+krb5KeyVersionNumber: 0
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/krb5.conf
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/krb5.conf b/systests/kerberos/src/test/resources/krb5.conf
new file mode 100644
index 0000000..a1a6dc9
--- /dev/null
+++ b/systests/kerberos/src/test/resources/krb5.conf
@@ -0,0 +1,7 @@
+[libdefaults]
+ default_realm = service.ws.apache.org
+
+[realms]
+ service.ws.apache.org = {
+ kdc = localhost:port
+ }
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/server.jks b/systests/kerberos/src/test/resources/server.jks
new file mode 100644
index 0000000..2f0fdf3
Binary files /dev/null and b/systests/kerberos/src/test/resources/server.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/sts/cxf-transport.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/sts/cxf-transport.xml b/systests/kerberos/src/test/resources/sts/cxf-transport.xml
new file mode 100644
index 0000000..5ed843b
--- /dev/null
+++ b/systests/kerberos/src/test/resources/sts/cxf-transport.xml
@@ -0,0 +1,229 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:test="http://apache.org/hello_world_soap_http"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xsi:schemaLocation="
+ http://cxf.apache.org/core
+ http://cxf.apache.org/schemas/core.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+ http://cxf.apache.org/jaxws
+ http://cxf.apache.org/schemas/jaxws.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd
+ http://cxf.apache.org/transports/http/configuration
+ http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://cxf.apache.org/configuration/security
+ http://cxf.apache.org/schemas/configuration/security.xsd">
+
+ <import resource="classpath:META-INF/cxf/cxf.xml" />
+
+ <bean id="loggerListener" class="org.apache.cxf.sts.event.map.EventMapper">
+ <constructor-arg>
+ <bean class="org.apache.cxf.sts.event.map.MapEventLogger" />
+ </constructor-arg>
+ </bean>
+
+ <!-- Per default the resource <file.xml> is imported.
+ If built with Maven Profile 'ldap', the resource <ldap.xml> is imported -->
+ <import resource="kerberos.xml" />
+
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging />
+ </cxf:features>
+ </cxf:bus>
+
+ <util:list id="delegationHandlers">
+ <bean id="samlDelegationHandler"
+ class="org.apache.cxf.fediz.service.sts.FedizSAMLDelegationHandler" />
+ <bean id="x509DelegationHandler"
+ class="org.apache.cxf.fediz.service.sts.FedizX509DelegationHandler" />
+ </util:list>
+
+ <bean id="transportSTSProviderBean"
+ class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
+ <property name="issueOperation" ref="transportIssueDelegate" />
+ <property name="validateOperation" ref="transportValidateDelegate" />
+ </bean>
+
+ <bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
+ <property name="tokenProviders" ref="transportTokenProviders" />
+ <property name="services" ref="transportServices" />
+ <property name="stsProperties" ref="transportSTSProperties" />
+ <property name="claimsManager" ref="claimsManager" />
+ <property name="tokenValidators" ref="transportTokenValidators" />
+ <property name="eventListener" ref="loggerListener" />
+ <property name="delegationHandlers" ref="delegationHandlers" />
+ <property name="encryptIssuedToken" value="true"/>
+ </bean>
+
+ <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation">
+ <property name="tokenValidators" ref="transportTokenValidators" />
+ <property name="stsProperties" ref="transportSTSProperties" />
+ <property name="eventListener" ref="loggerListener" />
+ </bean>
+
+ <util:list id="relationships">
+ <bean class="org.apache.cxf.sts.token.realm.Relationship">
+ <property name="sourceRealm" value="REALMA" />
+ <property name="targetRealm" value="REALMB" />
+ <property name="identityMapper" ref="identityMapper" />
+ <property name="type" value="FederatedIdentity" />
+ </bean>
+ <bean class="org.apache.cxf.sts.token.realm.Relationship">
+ <property name="sourceRealm" value="REALMB" />
+ <property name="targetRealm" value="REALMA" />
+ <property name="identityMapper" ref="identityMapper" />
+ <property name="type" value="FederatedIdentity" />
+ </bean>
+ </util:list>
+
+ <util:list id="transportTokenProviders">
+ <ref bean="transportSamlTokenProvider" />
+ </util:list>
+
+ <util:list id="transportTokenValidators">
+ <ref bean="transportSamlTokenValidator" />
+ <bean class="org.apache.cxf.sts.token.validator.X509TokenValidator" />
+ </util:list>
+
+ <bean id="realmA" class="org.apache.cxf.sts.token.realm.SAMLRealm">
+ <property name="issuer" value="STS Realm A" />
+ <property name="signaturePropertiesFile" value="stsKeystoreA.properties" />
+ <property name="callbackHandlerClass"
+ value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
+ </bean>
+
+ <bean id="realmB" class="org.apache.cxf.sts.token.realm.SAMLRealm">
+ <property name="issuer" value="STS Realm B" />
+ <property name="signaturePropertiesFile" value="stsKeystoreB.properties" />
+ <property name="callbackHandlerClass"
+ value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
+ </bean>
+
+ <util:map id="realms">
+ <entry key="REALMA" value-ref="realmA" />
+ <entry key="REALMB" value-ref="realmB" />
+ </util:map>
+
+ <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
+ <property name="attributeStatementProviders" ref="attributeStatementProvidersList" />
+ <property name="realmMap" ref="realms" />
+ <property name="conditionsProvider" ref="conditionsProvider" />
+ </bean>
+
+ <bean id="conditionsProvider"
+ class="org.apache.cxf.sts.token.provider.DefaultConditionsProvider">
+ <property name="lifetime" value="1200" />
+ <property name="acceptClientLifetime" value="true" />
+ </bean>
+
+ <util:list id="attributeStatementProvidersList">
+ <ref bean="claimAttributeProvider" />
+ </util:list>
+
+ <bean id="claimAttributeProvider"
+ class="org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider">
+ </bean>
+
+ <bean id="claimsManager" class="org.apache.cxf.sts.claims.ClaimsManager">
+ <property name="claimHandlers" ref="claimHandlerList" />
+ </bean>
+
+ <bean id="identityMapper"
+ class="org.apache.cxf.fediz.service.sts.realms.IdentityMapperImpl" />
+
+ <bean id="samlRealmCodec"
+ class="org.apache.cxf.fediz.service.sts.realms.SamlRealmCodec" />
+
+ <bean id="customRealmParser"
+ class="org.apache.cxf.fediz.service.sts.realms.UriRealmParser" />
+
+ <bean id="transportSamlTokenValidator"
+ class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
+ <property name="samlRealmCodec" ref="samlRealmCodec" />
+ </bean>
+
+ <bean id="transportUsernameTokenValidator"
+ class="org.apache.cxf.sts.token.validator.UsernameTokenValidator">
+ </bean>
+
+ <util:list id="transportServices">
+ <ref bean="myEncryptionService" />
+ <ref bean="transportService" />
+ </util:list>
+
+ <bean id="transportService" class="org.apache.cxf.sts.service.StaticService">
+ <property name="endpoints">
+ <util:list>
+ <value>.*</value>
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="myEncryptionService" class="org.apache.cxf.sts.service.StaticService">
+ <property name="endpoints">
+ <util:list>
+ <value>myServiceB.*</value>
+ </util:list>
+ </property>
+ <property name="encryptionProperties">
+ <bean class="org.apache.cxf.sts.service.EncryptionProperties">
+ <property name="encryptionName" value="serviceB"/>
+ <property name="encryptionAlgorithm" value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+ </bean>
+ </property>
+ </bean>
+
+ <bean id="transportSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties">
+ <property name="callbackHandlerClass"
+ value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
+ <property name="issuer" value="Fediz STS" />
+ <property name="realmParser" ref="customRealmParser" />
+ <property name="signatureCryptoProperties" value="stsTruststore.properties" />
+ <property name="encryptionCryptoProperties" value="stsEncryption.properties"/>
+ <property name="relationships" ref="relationships" />
+ </bean>
+
+ <jaxws:endpoint id="transportSTSRealmA" implementor="#transportSTSProviderBean"
+ address="/REALMA/STSServiceTransport" wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
+ xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+ serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port">
+ <jaxws:properties>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint id="transportSTSRealmB" implementor="#transportSTSProviderBean"
+ address="/REALMB/STSServiceTransport" wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
+ xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+ serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port">
+ <jaxws:properties>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+</beans>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/sts/kerberos.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/sts/kerberos.xml b/systests/kerberos/src/test/resources/sts/kerberos.xml
new file mode 100644
index 0000000..0fc304f
--- /dev/null
+++ b/systests/kerberos/src/test/resources/sts/kerberos.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd
+ http://cxf.apache.org/jaxws
+ http://cxf.apache.org/schemas/jaxws.xsd">
+
+ <import resource="userClaimsKerberos.xml" />
+
+ <util:list id="claimHandlerList">
+ <ref bean="claimsHandlerA" />
+ <ref bean="claimsHandlerB" />
+ </util:list>
+
+ <bean id="claimsHandlerA"
+ class="org.apache.cxf.fediz.service.sts.realms.RealmFileClaimsHandler">
+ <property name="userClaims" ref="userClaimsREALMA" />
+ <property name="supportedClaims" ref="supportedClaims" />
+ <property name="realm" value="REALMA" />
+ </bean>
+
+ <bean id="claimsHandlerB"
+ class="org.apache.cxf.fediz.service.sts.realms.RealmFileClaimsHandler">
+ <property name="userClaims" ref="userClaimsREALMB" />
+ <property name="supportedClaims" ref="supportedClaims" />
+ <property name="realm" value="REALMB" />
+ </bean>
+
+ <bean id="kerberosCallbackHandler"
+ class="org.apache.cxf.fediz.integrationtests.KerberosServicePasswordCallback" />
+
+ <bean id="kerberosValidator" class="org.apache.wss4j.dom.validate.KerberosTokenValidator">
+ <property name="contextName" value="bob"/>
+ <property name="serviceName" value="bob@service.ws.apache.org"/>
+ <property name="callbackHandler" ref="kerberosCallbackHandler"/>
+ <!-- <property name="spnego" value="true"/> -->
+ </bean>
+
+ <jaxws:endpoint id="transportSTSRealmAKerberos"
+ implementor="#transportSTSProviderBean" address="/REALMA/STSServiceTransportKerberos"
+ wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
+ xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+ serviceName="ns1:SecurityTokenService" endpointName="ns1:TransportKerberos_Port">
+ <jaxws:properties>
+ <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint id="transportSTSRealmBKerberos"
+ implementor="#transportSTSProviderBean" address="/REALMB/STSServiceTransportKerberos"
+ wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
+ xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+ serviceName="ns1:SecurityTokenService" endpointName="ns1:TransportKerberos_Port">
+ <jaxws:properties>
+ <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/sts/userClaimsKerberos.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/sts/userClaimsKerberos.xml b/systests/kerberos/src/test/resources/sts/userClaimsKerberos.xml
new file mode 100644
index 0000000..47297df
--- /dev/null
+++ b/systests/kerberos/src/test/resources/sts/userClaimsKerberos.xml
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <util:map id="userClaimsREALMA">
+ <entry key="alice@service.ws.apache.org" value-ref="REALMA_aliceClaims" />
+ <entry key="bob/service.ws.apache.org@WS.APACHE.ORG" value-ref="REALMA_bobClaims" />
+ <entry key="ted@service.ws.apache.org" value-ref="REALMA_tedClaims" />
+ </util:map>
+
+ <util:map id="REALMA_aliceClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Alice" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Smith" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="alice@realma.org" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="User" />
+ </util:map>
+
+ <util:map id="REALMA_bobClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Bob" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Windsor" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="bobwindsor@realma.org" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="User,Manager,Admin" />
+ </util:map>
+
+ <util:map id="REALMA_tedClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Ted" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Cooper" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="tcooper@realma.org" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="" />
+ </util:map>
+
+ <util:map id="userClaimsREALMB">
+ <entry key="ALICE" value-ref="REALMB_aliceClaims" />
+ <entry key="BOB" value-ref="REALMB_bobClaims" />
+ <entry key="TED" value-ref="REALMB_tedClaims" />
+ </util:map>
+
+ <util:map id="REALMB_aliceClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Alice" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Smith" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="alice@realmb.org" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="USER" />
+ </util:map>
+
+ <util:map id="REALMB_bobClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Bob" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Windsor" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="bobwindsor@realmb.org" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="USER,MANAGER,ADMIN" />
+ </util:map>
+
+ <util:map id="REALMB_tedClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Ted" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Cooper" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="tcooper@realmb.org" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="" />
+ </util:map>
+
+ <util:list id="supportedClaims">
+ <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</value>
+ <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</value>
+ <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</value>
+ <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value>
+ </util:list>
+
+</beans>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/kerberos/src/test/resources/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/ststrust.jks b/systests/kerberos/src/test/resources/ststrust.jks
new file mode 100644
index 0000000..911945c
Binary files /dev/null and b/systests/kerberos/src/test/resources/ststrust.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e3931b19/systests/pom.xml
----------------------------------------------------------------------
diff --git a/systests/pom.xml b/systests/pom.xml
index 199db76..3e8e823 100644
--- a/systests/pom.xml
+++ b/systests/pom.xml
@@ -37,6 +37,7 @@
<module>spring</module>
<module>cxf</module>
<module>federation</module>
+ <module>kerberos</module>
</modules>
</project>