Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/09 12:42:30 UTC
cxf-fediz git commit: [FEDIZ-23] - Add redirection to UP + Kerberos.
Refactored the STSAuthenticationProvider
Repository: cxf-fediz
Updated Branches:
refs/heads/master c1bbb7cd6 -> 230bce9af
[FEDIZ-23] - Add redirection to UP + Kerberos. Refactored the STSAuthenticationProvider
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/230bce9a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/230bce9a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/230bce9a
Branch: refs/heads/master
Commit: 230bce9af3df47a23b5b1946adb8aa6ac4c58ed1
Parents: c1bbb7c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Apr 9 11:42:04 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Apr 9 11:42:04 2015 +0100
----------------------------------------------------------------------
.../fediz/service/idp/FederationEntryPoint.java | 13 +-
.../service/idp/STSAuthenticationProvider.java | 334 +------------------
.../idp/STSKrbAuthenticationProvider.java | 254 ++++++++++++++
.../cxf/fediz/service/idp/STSPortFilter.java | 14 +-
.../idp/STSPreAuthAuthenticationProvider.java | 131 ++++++++
.../idp/STSUPAuthenticationProvider.java | 118 +++++++
.../idp/src/main/resources/entities-realma.xml | 2 +-
.../main/webapp/WEB-INF/idp-config-realma.xml | 2 +-
.../idp/src/main/webapp/WEB-INF/idp-servlet.xml | 4 +
.../src/main/webapp/WEB-INF/security-config.xml | 76 ++++-
services/idp/src/main/webapp/WEB-INF/web.xml | 12 +-
11 files changed, 618 insertions(+), 342 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
index c7265a1..1a39ef2 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
@@ -79,13 +79,14 @@ public class FederationEntryPoint implements AuthenticationEntryPoint,
Assert.notNull(this.appContext, "ApplicationContext cannot be null.");
Assert.notNull(this.configService, "ConfigService cannot be null.");
Assert.notNull(this.realm, "realm cannot be null.");
- idpConfig = configService.getIDP(realm);
- Assert.notNull(this.idpConfig, "idpConfig cannot be null. Check realm and config service implementation");
}
public final void commence(final HttpServletRequest servletRequest, final HttpServletResponse response,
final AuthenticationException authenticationException) throws IOException, ServletException {
+ idpConfig = configService.getIDP(realm);
+ Assert.notNull(this.idpConfig, "idpConfig cannot be null. Check realm and config service implementation");
+
String redirectUrl = null;
String wauth = servletRequest.getParameter(FederationConstants.PARAM_AUTH_TYPE);
if (wauth == null) {
@@ -98,7 +99,7 @@ public class FederationEntryPoint implements AuthenticationEntryPoint,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "wauth value '" + wauth + "' not supported");
}
redirectUrl = new StringBuilder(extractFullContextPath(servletRequest))
- .append(realm).append(loginUri).toString();
+ .append(loginUri).append("?").append(servletRequest.getQueryString()).toString();
preCommence(servletRequest, response);
if (LOG.isInfoEnabled()) {
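Review bot: `servletRequest.getQueryString()` returns null when the request carries no query string, so the new `.append(loginUri).append("?").append(servletRequest.getQueryString())` produces a redirect ending in `?null`; guard it, e.g. `String qs = servletRequest.getQueryString();` and `.append(qs == null ? "" : "?" + qs)`. The whole client query string is now echoed into a Location header; it arrives already URL-encoded so this is not an injection on its own, but every parameter the client sent is forwarded whether or not the login step needs it, so consider copying only the WS-Federation parameters the login page consumes. The old URL was prefixed with `realm` and the new one is not, which the commit message does not mention; worth confirming that is intended. commence() continues outside the hunk.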
@@ -127,6 +128,7 @@ public class FederationEntryPoint implements AuthenticationEntryPoint,
String result = null;
String contextPath = request.getContextPath();
String requestUrl = request.getRequestURL().toString();
+
String requestPath = new URL(requestUrl).getPath();
// Cut request path of request url and add context path if not ROOT
if (requestPath != null && requestPath.length() > 0) {
@@ -137,8 +139,9 @@ public class FederationEntryPoint implements AuthenticationEntryPoint,
}
if (contextPath != null && contextPath.length() > 0) {
// contextPath contains starting slash
- result = result + contextPath + "/";
- } else {
+ result = result + contextPath;
+ }
+ if (result.charAt(result.length() - 1) != '/') {
result = result + "/";
}
return result;
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
index 0a75b63..ab84b11 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
@@ -19,71 +19,46 @@
package org.apache.cxf.fediz.service.idp;
import java.net.URI;
-import java.security.Principal;
-import java.security.PrivilegedActionException;
-import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.LoginException;
-import javax.xml.namespace.QName;
-
-import org.w3c.dom.Document;
import org.w3c.dom.Element;
+
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
//import org.apache.cxf.endpoint.Client;
import org.apache.cxf.fediz.core.Claim;
import org.apache.cxf.fediz.core.ClaimTypes;
-import org.apache.cxf.fediz.service.idp.kerberos.KerberosServiceRequestToken;
-import org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator;
-import org.apache.cxf.fediz.service.idp.kerberos.PassThroughKerberosClient;
-import org.apache.cxf.helpers.DOMUtils;
-//import org.apache.cxf.transport.http.HTTPConduit;
-//import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
-import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.kerberos.KerberosServiceContext;
-import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.dom.WSConstants;
-import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.keys.content.X509Data;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSCredential;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSManager;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
import org.opensaml.xml.XMLObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+//import org.apache.cxf.transport.http.HTTPConduit;
+//import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
-public class STSAuthenticationProvider implements AuthenticationProvider {
+/**
+ * A base class for authenticating credentials to the STS
+ */
+public abstract class STSAuthenticationProvider implements AuthenticationProvider {
- private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER =
+ public static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER =
"http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
- private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 =
+ public static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 =
"http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
- private static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST =
+ public static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST =
"http://schemas.xmlsoap.org/ws/2005/02/trust";
- private static final Logger LOG = LoggerFactory
- .getLogger(STSAuthenticationProvider.class);
+ private static final Logger LOG = LoggerFactory.getLogger(STSAuthenticationProvider.class);
protected String wsdlLocation;
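Review bot: The commented-out `HTTPConduit`/`HTTPClientPolicy` imports are relocated to the end of the import list instead of being removed, and `//import org.apache.cxf.endpoint.Client;` survives next to them; now that this is a documented abstract base, delete the dead imports and the "may be uncommented for debugging" `setTimeout` stub they exist for, or turn it into a real configurable client timeout. The three WS-Trust namespace constants are widened from `private` to `public` although `protected` would already reach the subclasses, which live in the same package; prefer the narrower scope. The new class Javadoc could state the subclass contract as well, e.g. `Subclasses implement authenticate()/supports() for a single token type and call createAuthorities() to derive GrantedAuthority entries from the SecurityToken returned by the STS.`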
@@ -108,190 +83,7 @@ public class STSAuthenticationProvider implements AuthenticationProvider {
protected Map<String, Object> properties = new HashMap<String, Object>();
- private KerberosTokenValidator kerberosTokenValidator;
-
- private CallbackHandler kerberosCallbackHandler;
-
- private boolean kerberosUsernameServiceNameForm;
-
- private boolean requireDelegation;
-
-
- @Override
- public Authentication authenticate(Authentication authentication) throws AuthenticationException {
-
- Bus cxfBus = getBus();
- IdpSTSClient sts = new IdpSTSClient(cxfBus);
- sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
- if (tokenType != null && tokenType.length() > 0) {
- sts.setTokenType(tokenType);
- } else {
- sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
- }
- sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
- sts.setWsdlLocation(wsdlLocation);
- sts.setServiceQName(new QName(namespace, wsdlService));
- sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
-
- sts.getProperties().putAll(properties);
- if (use200502Namespace) {
- sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
- }
-
- if (lifetime != null) {
- sts.setEnableLifetime(true);
- sts.setTtl(lifetime.intValue());
- }
-
- if (authentication instanceof KerberosServiceRequestToken) {
- return handleKerberos((KerberosServiceRequestToken)authentication, sts);
- } else if (authentication instanceof PreAuthenticatedAuthenticationToken) {
- return handlePreAuthenticated((PreAuthenticatedAuthenticationToken)authentication, sts);
- } else if (authentication instanceof UsernamePasswordAuthenticationToken) {
- return handleUsernamePassword((UsernamePasswordAuthenticationToken)authentication, sts);
- } else {
- LOG.debug("An unknown authentication token was supplied");
- return null;
- }
-
- }
-
- private Authentication handleKerberos(
- KerberosServiceRequestToken kerberosRequestToken,
- IdpSTSClient sts
- ) {
- Principal kerberosPrincipal = null;
- //
- // If delegation is required then validate the received token + store the
- // Delegated Credential so that we can retrieve a new kerberos token for the
- // STS with it. If delegation is not required, then we just get the received
- // token + pass it to the STS
- //
- if (requireDelegation) {
- kerberosPrincipal = validateKerberosToken(kerberosRequestToken, sts);
- if (kerberosPrincipal == null) {
- return null;
- }
- } else {
- PassThroughKerberosClient kerberosClient = new PassThroughKerberosClient();
- kerberosClient.setToken(kerberosRequestToken.getToken());
- sts.getProperties().put(SecurityConstants.KERBEROS_CLIENT, kerberosClient);
- }
-
- try {
- // Line below may be uncommented for debugging
- // setTimeout(sts.getClient(), 3600000L);
-
- SecurityToken token = sts.requestSecurityToken(this.appliesTo);
-
- if (kerberosPrincipal == null && token.getToken() != null
- && "Assertion".equals(token.getToken().getLocalName())) {
- // For the pass-through Kerberos case, we don't know the Principal name...
- kerberosPrincipal =
- new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken()));
- }
-
- List<GrantedAuthority> authorities = createAuthorities(token);
-
- KerberosServiceRequestToken ksrt =
- new KerberosServiceRequestToken(kerberosPrincipal, authorities, kerberosRequestToken.getToken());
-
- STSUserDetails details = new STSUserDetails(kerberosPrincipal.getName(),
- "",
- authorities,
- token);
- ksrt.setDetails(details);
-
- LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), kerberosPrincipal.getName());
- return ksrt;
- } catch (Exception ex) {
- LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName() + "'", ex);
- return null;
- }
- }
-
- private Authentication handlePreAuthenticated(
- PreAuthenticatedAuthenticationToken preauthenticatedToken,
- IdpSTSClient sts
- ) {
- X509Certificate cert = (X509Certificate)preauthenticatedToken.getCredentials();
- if (cert == null) {
- return null;
- }
-
- // Convert the received certificate to a DOM Element to write it out "OnBehalfOf"
- Document doc = DOMUtils.newDocument();
- X509Data certElem = new X509Data(doc);
- try {
- certElem.addCertificate(cert);
- sts.setOnBehalfOf(certElem.getElement());
- } catch (XMLSecurityException e) {
- LOG.debug("Error parsing a client certificate", e);
- return null;
- }
-
- try {
- // Line below may be uncommented for debugging
- // setTimeout(sts.getClient(), 3600000L);
-
- SecurityToken token = sts.requestSecurityToken(this.appliesTo);
-
- List<GrantedAuthority> authorities = createAuthorities(token);
-
- STSUserDetails details = new STSUserDetails(preauthenticatedToken.getName(),
- "",
- authorities,
- token);
-
- preauthenticatedToken.setDetails(details);
-
- LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), preauthenticatedToken.getName());
- return preauthenticatedToken;
-
- } catch (Exception ex) {
- LOG.info("Failed to authenticate user '" + preauthenticatedToken.getName() + "'", ex);
- return null;
- }
- }
-
- private Authentication handleUsernamePassword(
- UsernamePasswordAuthenticationToken usernamePasswordToken,
- IdpSTSClient sts
- ) {
- sts.getProperties().put(SecurityConstants.USERNAME, usernamePasswordToken.getName());
- sts.getProperties().put(SecurityConstants.PASSWORD, (String)usernamePasswordToken.getCredentials());
-
- try {
-
- // Line below may be uncommented for debugging
- // setTimeout(sts.getClient(), 3600000L);
-
- SecurityToken token = sts.requestSecurityToken(this.appliesTo);
-
- List<GrantedAuthority> authorities = createAuthorities(token);
-
- UsernamePasswordAuthenticationToken upat =
- new UsernamePasswordAuthenticationToken(usernamePasswordToken.getName(),
- usernamePasswordToken.getCredentials(),
- authorities);
-
- STSUserDetails details = new STSUserDetails(usernamePasswordToken.getName(),
- (String)usernamePasswordToken.getCredentials(),
- authorities,
- token);
- upat.setDetails(details);
-
- LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), usernamePasswordToken.getName());
- return upat;
-
- } catch (Exception ex) {
- LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex);
- return null;
- }
-
- }
-
- private List<GrantedAuthority> createAuthorities(SecurityToken token) throws WSSecurityException {
+ protected List<GrantedAuthority> createAuthorities(SecurityToken token) throws WSSecurityException {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
//authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));
//Not needed because AuthenticatedVoter has been added for SecurityFlowExecutionListener
@@ -325,76 +117,6 @@ public class STSAuthenticationProvider implements AuthenticationProvider {
return authorities;
}
- private Principal validateKerberosToken(
- KerberosServiceRequestToken token,
- IdpSTSClient sts
- ) {
- if (kerberosTokenValidator == null) {
- LOG.error("KerberosTokenValidator must be configured to support kerberos "
- + "credential delegation");
- return null;
- }
- KerberosServiceContext kerberosContext;
- Principal kerberosPrincipal = null;
- try {
- kerberosContext = kerberosTokenValidator.validate(token);
- if (kerberosContext == null || kerberosContext.getDelegationCredential() == null) {
- LOG.info("Kerberos Validation failure");
- return null;
- }
- GSSCredential delegatedCredential = kerberosContext.getDelegationCredential();
- sts.getProperties().put(SecurityConstants.DELEGATED_CREDENTIAL,
- delegatedCredential);
- sts.getProperties().put(SecurityConstants.KERBEROS_USE_CREDENTIAL_DELEGATION, "true");
- kerberosPrincipal = kerberosContext.getPrincipal();
- } catch (LoginException ex) {
- LOG.info("Failed to authenticate user", ex);
- return null;
- } catch (PrivilegedActionException ex) {
- LOG.info("Failed to authenticate user", ex);
- return null;
- }
-
- if (kerberosTokenValidator.getContextName() != null) {
- sts.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME,
- kerberosTokenValidator.getContextName());
- }
- if (kerberosTokenValidator.getServiceName() != null) {
- sts.getProperties().put(SecurityConstants.KERBEROS_SPN,
- kerberosTokenValidator.getServiceName());
- }
- if (kerberosCallbackHandler != null) {
- sts.getProperties().put(SecurityConstants.CALLBACK_HANDLER,
- kerberosCallbackHandler);
- }
- if (kerberosUsernameServiceNameForm) {
- sts.getProperties().put(SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM,
- "true");
- }
-
- return kerberosPrincipal;
- }
-
- protected GSSContext createGSSContext() throws GSSException {
- Oid oid = new Oid("1.2.840.113554.1.2.2");
-
- GSSManager gssManager = GSSManager.getInstance();
-
- String spn = "bob@service.ws.apache.org";
- GSSName gssService = gssManager.createName(spn, null);
-
- return gssManager.createContext(gssService.canonicalize(oid),
- oid, null, GSSContext.DEFAULT_LIFETIME);
-
- }
-
- @Override
- public boolean supports(Class<?> authentication) {
- return authentication.equals(PreAuthenticatedAuthenticationToken.class)
- || authentication.equals(UsernamePasswordAuthenticationToken.class)
- || authentication.equals(KerberosServiceRequestToken.class);
- }
-
public String getWsdlLocation() {
return wsdlLocation;
}
@@ -563,38 +285,6 @@ public class STSAuthenticationProvider implements AuthenticationProvider {
this.use200502Namespace = use200502Namespace;
}
- public KerberosTokenValidator getKerberosTokenValidator() {
- return kerberosTokenValidator;
- }
-
- public void setKerberosTokenValidator(KerberosTokenValidator kerberosTokenValidator) {
- this.kerberosTokenValidator = kerberosTokenValidator;
- }
-
- public CallbackHandler getKerberosCallbackHandler() {
- return kerberosCallbackHandler;
- }
-
- public void setKerberosCallbackHandler(CallbackHandler kerberosCallbackHandler) {
- this.kerberosCallbackHandler = kerberosCallbackHandler;
- }
-
- public boolean isKerberosUsernameServiceNameForm() {
- return kerberosUsernameServiceNameForm;
- }
-
- public void setKerberosUsernameServiceNameForm(boolean kerberosUsernameServiceNameForm) {
- this.kerberosUsernameServiceNameForm = kerberosUsernameServiceNameForm;
- }
-
- public boolean isRequireDelegation() {
- return requireDelegation;
- }
-
- public void setRequireDelegation(boolean requireDelegation) {
- this.requireDelegation = requireDelegation;
- }
-
//May be uncommented for debugging
// private void setTimeout(Client client, Long timeout) {
// HTTPConduit conduit = (HTTPConduit) client.getConduit();
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
new file mode 100644
index 0000000..9a5dae8
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
@@ -0,0 +1,254 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.util.List;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginException;
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.fediz.service.idp.kerberos.KerberosServiceRequestToken;
+import org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator;
+import org.apache.cxf.fediz.service.idp.kerberos.PassThroughKerberosClient;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.common.kerberos.KerberosServiceContext;
+import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * An authentication provider to authenticate a Kerberos token to the STS
+ */
+public class STSKrbAuthenticationProvider extends STSAuthenticationProvider {
+
+ private static final Logger LOG = LoggerFactory.getLogger(STSKrbAuthenticationProvider.class);
+
+ private KerberosTokenValidator kerberosTokenValidator;
+
+ private CallbackHandler kerberosCallbackHandler;
+
+ private boolean kerberosUsernameServiceNameForm;
+
+ private boolean requireDelegation;
+
+
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ // We only handle KerberosServiceRequestTokens
+ if (!(authentication instanceof KerberosServiceRequestToken)) {
+ return null;
+ }
+
+ Bus cxfBus = getBus();
+ IdpSTSClient sts = new IdpSTSClient(cxfBus);
+ sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+ if (tokenType != null && tokenType.length() > 0) {
+ sts.setTokenType(tokenType);
+ } else {
+ sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ }
+ sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+ sts.setWsdlLocation(wsdlLocation);
+ sts.setServiceQName(new QName(namespace, wsdlService));
+ sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+
+ sts.getProperties().putAll(properties);
+ if (use200502Namespace) {
+ sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+ }
+
+ if (lifetime != null) {
+ sts.setEnableLifetime(true);
+ sts.setTtl(lifetime.intValue());
+ }
+
+ return handleKerberos((KerberosServiceRequestToken)authentication, sts);
+ }
+
+ private Authentication handleKerberos(
+ KerberosServiceRequestToken kerberosRequestToken,
+ IdpSTSClient sts
+ ) {
+ Principal kerberosPrincipal = null;
+ //
+ // If delegation is required then validate the received token + store the
+ // Delegated Credential so that we can retrieve a new kerberos token for the
+ // STS with it. If delegation is not required, then we just get the received
+ // token + pass it to the STS
+ //
+ if (requireDelegation) {
+ kerberosPrincipal = validateKerberosToken(kerberosRequestToken, sts);
+ if (kerberosPrincipal == null) {
+ return null;
+ }
+ } else {
+ PassThroughKerberosClient kerberosClient = new PassThroughKerberosClient();
+ kerberosClient.setToken(kerberosRequestToken.getToken());
+ sts.getProperties().put(SecurityConstants.KERBEROS_CLIENT, kerberosClient);
+ }
+
+ try {
+ // Line below may be uncommented for debugging
+ // setTimeout(sts.getClient(), 3600000L);
+
+ SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+
+ if (kerberosPrincipal == null && token.getToken() != null
+ && "Assertion".equals(token.getToken().getLocalName())) {
+ // For the pass-through Kerberos case, we don't know the Principal name...
+ kerberosPrincipal =
+ new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken()));
+ }
+
+ List<GrantedAuthority> authorities = createAuthorities(token);
+
+ KerberosServiceRequestToken ksrt =
+ new KerberosServiceRequestToken(kerberosPrincipal, authorities, kerberosRequestToken.getToken());
+
+ STSUserDetails details = new STSUserDetails(kerberosPrincipal.getName(),
+ "",
+ authorities,
+ token);
+ ksrt.setDetails(details);
+
+ LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), kerberosPrincipal.getName());
+ return ksrt;
+ } catch (Exception ex) {
+ LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName() + "'", ex);
+ return null;
+ }
+ }
+
+ private Principal validateKerberosToken(
+ KerberosServiceRequestToken token,
+ IdpSTSClient sts
+ ) {
+ if (kerberosTokenValidator == null) {
+ LOG.error("KerberosTokenValidator must be configured to support kerberos "
+ + "credential delegation");
+ return null;
+ }
+ KerberosServiceContext kerberosContext;
+ Principal kerberosPrincipal = null;
+ try {
+ kerberosContext = kerberosTokenValidator.validate(token);
+ if (kerberosContext == null || kerberosContext.getDelegationCredential() == null) {
+ LOG.info("Kerberos Validation failure");
+ return null;
+ }
+ GSSCredential delegatedCredential = kerberosContext.getDelegationCredential();
+ sts.getProperties().put(SecurityConstants.DELEGATED_CREDENTIAL,
+ delegatedCredential);
+ sts.getProperties().put(SecurityConstants.KERBEROS_USE_CREDENTIAL_DELEGATION, "true");
+ kerberosPrincipal = kerberosContext.getPrincipal();
+ } catch (LoginException ex) {
+ LOG.info("Failed to authenticate user", ex);
+ return null;
+ } catch (PrivilegedActionException ex) {
+ LOG.info("Failed to authenticate user", ex);
+ return null;
+ }
+
+ if (kerberosTokenValidator.getContextName() != null) {
+ sts.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME,
+ kerberosTokenValidator.getContextName());
+ }
+ if (kerberosTokenValidator.getServiceName() != null) {
+ sts.getProperties().put(SecurityConstants.KERBEROS_SPN,
+ kerberosTokenValidator.getServiceName());
+ }
+ if (kerberosCallbackHandler != null) {
+ sts.getProperties().put(SecurityConstants.CALLBACK_HANDLER,
+ kerberosCallbackHandler);
+ }
+ if (kerberosUsernameServiceNameForm) {
+ sts.getProperties().put(SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM,
+ "true");
+ }
+
+ return kerberosPrincipal;
+ }
+
+ protected GSSContext createGSSContext() throws GSSException {
+ Oid oid = new Oid("1.2.840.113554.1.2.2");
+
+ GSSManager gssManager = GSSManager.getInstance();
+
+ String spn = "bob@service.ws.apache.org";
+ GSSName gssService = gssManager.createName(spn, null);
+
+ return gssManager.createContext(gssService.canonicalize(oid),
+ oid, null, GSSContext.DEFAULT_LIFETIME);
+
+ }
+
+ @Override
+ public boolean supports(Class<?> authentication) {
+ return authentication.equals(KerberosServiceRequestToken.class);
+ }
+
+ public KerberosTokenValidator getKerberosTokenValidator() {
+ return kerberosTokenValidator;
+ }
+
+ public void setKerberosTokenValidator(KerberosTokenValidator kerberosTokenValidator) {
+ this.kerberosTokenValidator = kerberosTokenValidator;
+ }
+
+ public CallbackHandler getKerberosCallbackHandler() {
+ return kerberosCallbackHandler;
+ }
+
+ public void setKerberosCallbackHandler(CallbackHandler kerberosCallbackHandler) {
+ this.kerberosCallbackHandler = kerberosCallbackHandler;
+ }
+
+ public boolean isKerberosUsernameServiceNameForm() {
+ return kerberosUsernameServiceNameForm;
+ }
+
+ public void setKerberosUsernameServiceNameForm(boolean kerberosUsernameServiceNameForm) {
+ this.kerberosUsernameServiceNameForm = kerberosUsernameServiceNameForm;
+ }
+
+ public boolean isRequireDelegation() {
+ return requireDelegation;
+ }
+
+ public void setRequireDelegation(boolean requireDelegation) {
+ this.requireDelegation = requireDelegation;
+ }
+
+}
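Review bot: In the pass-through branch (`requireDelegation` false) `kerberosPrincipal` remains null unless the STS returns an element whose local name is `Assertion`, so for any other token type `kerberosPrincipal.getName()` in the STSUserDetails constructor throws an NPE that the blanket `catch (Exception ex)` reports only as "Failed to authenticate user"; add an explicit check before building the result, `if (kerberosPrincipal == null) { LOG.info("No principal could be derived from the STS response"); return null; }`. `createGSSContext()` has no caller in this file and hard-codes the SPN `bob@service.ws.apache.org`; a fixed principal name inside an IdP looks like a test artefact and should be removed, or at least take the SPN from `kerberosTokenValidator.getServiceName()`. The STS client set-up in `authenticate` (token type, key type, WSDL/service/endpoint names, namespace, lifetime) is presumably repeated in the UP and PreAuth providers added by this commit; hoisting it into a `protected IdpSTSClient createSTSClient()` on the abstract base would keep the three in step. Note too that in pass-through mode the IdP never validates the ticket itself and relies entirely on the STS to reject a bad one, which deserves a sentence in the class Javadoc.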
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
index 83ea83d..889dadd 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
@@ -40,6 +40,7 @@ public class STSPortFilter extends GenericFilterBean implements ApplicationConte
private static final Logger LOG = LoggerFactory.getLogger(STSPortFilter.class);
private ApplicationContext applicationContext;
+ private STSAuthenticationProvider authenticationProvider;
private boolean isPortSet;
@@ -48,7 +49,10 @@ public class STSPortFilter extends GenericFilterBean implements ApplicationConte
throws IOException, ServletException {
Assert.isTrue(applicationContext != null, "Application context must not be null");
- STSAuthenticationProvider authProvider = applicationContext.getBean(STSAuthenticationProvider.class);
+ STSAuthenticationProvider authProvider = authenticationProvider;
+ if (authProvider == null) {
+ authProvider = applicationContext.getBean(STSAuthenticationProvider.class);
+ }
Assert.isTrue(authProvider != null, "STSAuthenticationProvider must be configured");
//Only update the port if HTTPS is used, otherwise ignored (like retrieving the WADL over HTTP)
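Review bot: The fallback `applicationContext.getBean(STSAuthenticationProvider.class)` now resolves an abstract type that this commit gives three concrete implementations (Krb, PreAuth, UP), so as soon as more than one is registered Spring throws NoUniqueBeanDefinitionException before the `Assert.isTrue` is reached; the fallback only works in a single-provider deployment. Either make `authenticationProvider` a required property (assert on it and drop the lookup) or iterate `applicationContext.getBeansOfType(STSAuthenticationProvider.class).values()` and apply the port update to each, since presumably every provider needs the corrected STS port and not just the one that was injected. The security-config.xml change in this commit is not shown here, so it may already wire the property explicitly. doFilter's body continues outside the hunk.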
@@ -80,4 +84,12 @@ public class STSPortFilter extends GenericFilterBean implements ApplicationConte
this.applicationContext = applicationContext;
}
+ public STSAuthenticationProvider getAuthenticationProvider() {
+ return authenticationProvider;
+ }
+
+ public void setAuthenticationProvider(STSAuthenticationProvider authenticationProvider) {
+ this.authenticationProvider = authenticationProvider;
+ }
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java
new file mode 100644
index 0000000..13c277b
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java
@@ -0,0 +1,131 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Document;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.keys.content.X509Data;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+
+/**
+ * An authentication provider to authenticate a preauthenticated token to the STS
+ */
+public class STSPreAuthAuthenticationProvider extends STSAuthenticationProvider {
+
+ private static final Logger LOG = LoggerFactory
+ .getLogger(STSPreAuthAuthenticationProvider.class);
+
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ // We only handle PreAuthenticatedAuthenticationTokens
+ if (!(authentication instanceof PreAuthenticatedAuthenticationToken)) {
+ return null;
+ }
+
+ Bus cxfBus = getBus();
+ IdpSTSClient sts = new IdpSTSClient(cxfBus);
+ sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+ if (tokenType != null && tokenType.length() > 0) {
+ sts.setTokenType(tokenType);
+ } else {
+ sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ }
+ sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+ sts.setWsdlLocation(wsdlLocation);
+ sts.setServiceQName(new QName(namespace, wsdlService));
+ sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+
+ sts.getProperties().putAll(properties);
+ if (use200502Namespace) {
+ sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+ }
+
+ if (lifetime != null) {
+ sts.setEnableLifetime(true);
+ sts.setTtl(lifetime.intValue());
+ }
+
+ return handlePreAuthenticated((PreAuthenticatedAuthenticationToken)authentication, sts);
+ }
+
+ private Authentication handlePreAuthenticated(
+ PreAuthenticatedAuthenticationToken preauthenticatedToken,
+ IdpSTSClient sts
+ ) {
+ X509Certificate cert = (X509Certificate)preauthenticatedToken.getCredentials();
+ if (cert == null) {
+ return null;
+ }
+
+ // Convert the received certificate to a DOM Element to write it out "OnBehalfOf"
+ Document doc = DOMUtils.newDocument();
+ X509Data certElem = new X509Data(doc);
+ try {
+ certElem.addCertificate(cert);
+ sts.setOnBehalfOf(certElem.getElement());
+ } catch (XMLSecurityException e) {
+ LOG.debug("Error parsing a client certificate", e);
+ return null;
+ }
+
+ try {
+ // Line below may be uncommented for debugging
+ // setTimeout(sts.getClient(), 3600000L);
+
+ SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+
+ List<GrantedAuthority> authorities = createAuthorities(token);
+
+ STSUserDetails details = new STSUserDetails(preauthenticatedToken.getName(),
+ "",
+ authorities,
+ token);
+
+ preauthenticatedToken.setDetails(details);
+
+ LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), preauthenticatedToken.getName());
+ return preauthenticatedToken;
+
+ } catch (Exception ex) {
+ LOG.info("Failed to authenticate user '" + preauthenticatedToken.getName() + "'", ex);
+ return null;
+ }
+ }
+
+ @Override
+ public boolean supports(Class<?> authentication) {
+ return authentication.equals(PreAuthenticatedAuthenticationToken.class);
+ }
+
+}
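Review bot: `handlePreAuthenticated` casts `preauthenticatedToken.getCredentials()` straight to `X509Certificate`, but `supports()` accepts every `PreAuthenticatedAuthenticationToken`, and that class types its credentials as `Object`; a pre-authenticated token carrying non-certificate credentials therefore fails with a ClassCastException out of `authenticate()` instead of the `null` ("not handled") result the surrounding code otherwise returns. Replacing the null check with `if (!(preauthenticatedToken.getCredentials() instanceof X509Certificate)) { return null; }` covers both the null and the wrong-type case, after which the cast is safe. The `catch (Exception ex)` at the end turns every STS failure, including transport errors, into `null`, which the provider contract reads as "cannot decide" rather than "authentication failed"; a short comment stating that this is intended so that other providers may still be consulted would help the next reader. The STS client setup in `authenticate` is identical to the one in STSUPAuthenticationProvider and looks like a candidate for a protected helper on STSAuthenticationProvider.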
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
new file mode 100644
index 0000000..d9be1b4
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
@@ -0,0 +1,118 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.dom.WSConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * An authentication provider to authenticate a Username/Password to the STS
+ */
+public class STSUPAuthenticationProvider extends STSAuthenticationProvider {
+
+ private static final Logger LOG = LoggerFactory.getLogger(STSUPAuthenticationProvider.class);
+
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ // We only handle UsernamePasswordAuthenticationTokens
+ if (!(authentication instanceof UsernamePasswordAuthenticationToken)) {
+ return null;
+ }
+
+ Bus cxfBus = getBus();
+ IdpSTSClient sts = new IdpSTSClient(cxfBus);
+ sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+ if (tokenType != null && tokenType.length() > 0) {
+ sts.setTokenType(tokenType);
+ } else {
+ sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ }
+ sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+ sts.setWsdlLocation(wsdlLocation);
+ sts.setServiceQName(new QName(namespace, wsdlService));
+ sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+
+ sts.getProperties().putAll(properties);
+ if (use200502Namespace) {
+ sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+ }
+
+ if (lifetime != null) {
+ sts.setEnableLifetime(true);
+ sts.setTtl(lifetime.intValue());
+ }
+
+ return handleUsernamePassword((UsernamePasswordAuthenticationToken)authentication, sts);
+ }
+
+ private Authentication handleUsernamePassword(
+ UsernamePasswordAuthenticationToken usernamePasswordToken,
+ IdpSTSClient sts
+ ) {
+ sts.getProperties().put(SecurityConstants.USERNAME, usernamePasswordToken.getName());
+ sts.getProperties().put(SecurityConstants.PASSWORD, (String)usernamePasswordToken.getCredentials());
+
+ try {
+
+ // Line below may be uncommented for debugging
+ // setTimeout(sts.getClient(), 3600000L);
+
+ SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+
+ List<GrantedAuthority> authorities = createAuthorities(token);
+
+ UsernamePasswordAuthenticationToken upat =
+ new UsernamePasswordAuthenticationToken(usernamePasswordToken.getName(),
+ usernamePasswordToken.getCredentials(),
+ authorities);
+
+ STSUserDetails details = new STSUserDetails(usernamePasswordToken.getName(),
+ (String)usernamePasswordToken.getCredentials(),
+ authorities,
+ token);
+ upat.setDetails(details);
+
+ LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), usernamePasswordToken.getName());
+ return upat;
+
+ } catch (Exception ex) {
+ LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex);
+ return null;
+ }
+
+ }
+
+ @Override
+ public boolean supports(Class<?> authentication) {
+ return authentication.equals(UsernamePasswordAuthenticationToken.class);
+ }
+
+}
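Review bot: `handleUsernamePassword` casts `usernamePasswordToken.getCredentials()` to `String` twice (when filling the STS properties and when building `STSUserDetails`), but `UsernamePasswordAuthenticationToken` exposes credentials as `Object`, so a token built with a `char[]` or other credential type throws a ClassCastException rather than returning `null` like the other rejection paths in this class. A guard at the top of the method, `if (!(usernamePasswordToken.getCredentials() instanceof String)) { return null; }`, keeps the behaviour consistent. The plaintext password is also passed into `STSUserDetails`, which is then attached as details to the returned token; if `STSUserDetails` retains it, the password outlives the authentication step inside the SecurityContext (and any session it is stored in), which is worth confirming against that class since ProviderManager's credential erasure only covers the token's own credentials field. The log call `LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex)` could use the parameterised form already used two lines above for consistency.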
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realma.xml b/services/idp/src/main/resources/entities-realma.xml
index 87dc70a..f8e1f5b 100644
--- a/services/idp/src/main/resources/entities-realma.xml
+++ b/services/idp/src/main/resources/entities-realma.xml
@@ -52,7 +52,7 @@
</property>
<property name="authenticationURIs">
<util:map>
- <entry key="default" value="/login/default" />
+ <entry key="default" value="federation/up" />
</util:map>
</property>
<property name="serviceDisplayName" value="REALM A" />
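Review bot: The new default authentication URI `federation/up` is a relative path, whereas the replaced value `/login/default` was absolute; the same change is made in idp-config-realma.xml in the next hunk. If the consumer of `authenticationURIs` resolves the value against the IdP base URL the relative form is fine, but if it is used as a redirect target as-is, a browser will resolve it against the current request path, so confirm which form the redirecting code expects and use it consistently in both realm configurations.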
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
index c5e0a4a..9d61326 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
@@ -74,7 +74,7 @@
</property>
<property name="authenticationURIs">
<util:map>
- <entry key="default" value="/login/default" />
+ <entry key="default" value="federation/up" />
</util:map>
</property>
<property name="trustedIDPs">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
index ccc2146..691f7bb 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
@@ -75,6 +75,10 @@
flow-builder-services="builder">
<webflow:flow-location
path="/WEB-INF/federation-validate-request.xml" id="federation" />
+ <webflow:flow-location
+ path="/WEB-INF/federation-validate-request.xml" id="federation/up" />
+ <webflow:flow-location
+ path="/WEB-INF/federation-validate-request.xml" id="federation/krb" />
<webflow:flow-location path="/WEB-INF/federation-signin-request.xml"
id="signinRequest" />
<webflow:flow-location path="/WEB-INF/federation-signin-response.xml"
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index ab0eada..c70ccfb 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -42,7 +42,7 @@
<security:global-method-security pre-post-annotations="enabled"/>
<security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
- <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
<security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
<security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
<security:http-basic />
@@ -63,34 +63,88 @@
-->
<security:user-service properties="classpath:/users.properties" />
</security:authentication-provider>
- <security:authentication-provider ref="stsAuthProvider" />
+ <security:authentication-provider ref="stsUPAuthProvider" />
</security:authentication-manager>
-
- <security:http use-expressions="true">
- <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+
+ <!-- Redirects to a dedicated http config -->
+ <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+ <property name="configService" ref="config" />
+ </bean>
+
+ <!-- Main entry point -->
+ <security:http pattern="/federation" use-expressions="true" entry-point-ref="federationEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+ </security:http>
+
+ <!-- HTTP/BA entry point -->
+ <security:http pattern="/federation/up" use-expressions="true">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
<security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
<security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
- <!-- MUST be http-basic thus systests run fine -->
- <!--<security:form-login />-->
<security:http-basic />
<security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
</security:http>
+
+ <!-- Kerberos entry point -->
+ <bean id="kerberosEntryPoint"
+ class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
+
+ <bean id="kerberosAuthenticationProcessingFilter"
+ class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+ <property name="authenticationManager" ref="authenticationManagers" />
+ </bean>
+
+ <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+
+ <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
- <security:authentication-manager>
- <security:authentication-provider ref="stsAuthProvider" />
+ <security:authentication-manager alias="authenticationManagers">
+ <security:authentication-provider ref="stsUPAuthProvider" />
+ <security:authentication-provider ref="stsKrbAuthProvider" />
</security:authentication-manager>
- <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+ <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsUPAuthProvider" />
+ </bean>
<bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
- <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
+ <!-- U/P Authentication Provider -->
+ <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
<property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
<property name="wsdlEndpoint" value="TransportUT_Port"/>
<property name="wsdlService" value="SecurityTokenService"/>
<property name="appliesTo" value="urn:fediz:idp"/>
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
</bean>
+
+ <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsKrbAuthProvider" />
+ </bean>
+
+ <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
+ <property name="contextName" value="bob"/>
+ <property name="serviceName" value="bob@service.ws.apache.org"/>
+ </bean>-->
+
+ <!-- Kerberos authentication provider -->
+ <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
+ <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
+ <property name="wsdlService" value="SecurityTokenService"/>
+ <property name="appliesTo" value="urn:fediz:idp"/>
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+ <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator"/>
+ <property name="requireDelegation" value="true"/>-->
+ </bean>
</beans>
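Review bot: The new `<security:http pattern="/federation" ...>` element carries an `intercept-url` only for the FederationMetadata path and none for `/federation` itself, so that request has no access constraint at the Spring Security layer; since an entry point is only invoked when access is denied, an unauthenticated request to `/federation` is not redirected by `federationEntryPoint` unless something outside this diff triggers it. Unless the web flow enforces authentication on its own, an `<security:intercept-url pattern="/**" access="isAuthenticated()" />` inside that element (and a matching one in the new `/federation/krb` element) looks necessary for the redirection to happen; please confirm. The commented-out `kerberosTokenValidator` bean and the two commented-out properties on `stsKrbAuthProvider` are left without explanation; either a one-line comment stating when they should be enabled, e.g. `<!-- Optional: enable to have the IdP validate the Kerberos token before calling the STS -->`, or removing them would avoid configuration that is half present.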
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/web.xml b/services/idp/src/main/webapp/WEB-INF/web.xml
index 2849a6b..21ea9ab 100644
--- a/services/idp/src/main/webapp/WEB-INF/web.xml
+++ b/services/idp/src/main/webapp/WEB-INF/web.xml
@@ -79,7 +79,17 @@ under the License.
<servlet-name>idp</servlet-name>
<url-pattern>/federation</url-pattern>
</servlet-mapping>
-
+
+ <servlet-mapping>
+ <servlet-name>idp</servlet-name>
+ <url-pattern>/federation/up</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>idp</servlet-name>
+ <url-pattern>/federation/krb</url-pattern>
+ </servlet-mapping>
+
<servlet-mapping>
<servlet-name>metadata</servlet-name>
<url-pattern>/FederationMetadata/2007-06/FederationMetadata.xml</url-pattern>