You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2016/02/19 18:03:37 UTC
[1/3] cxf-fediz git commit: Added an extension to the Fediz protocol
handlers to be able to perform two-step processing of a sign-in response.
Repository: cxf-fediz
Updated Branches:
refs/heads/master 48b9eed7a -> 4df66f377
Added an extension to the Fediz protocol handlers to be able to perform two-step processing of a sign-in response.
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/abff9ec2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/abff9ec2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/abff9ec2
Branch: refs/heads/master
Commit: abff9ec295f76377829a5bb073de21f4f88b3a62
Parents: 48b9eed
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Feb 19 16:00:47 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Feb 19 16:00:47 2016 +0000
----------------------------------------------------------------------
.../idp/beans/TrustedIdpProtocolAction.java | 27 ++++++++++++++++++++
.../TrustedIdpSAMLProtocolHandler.java | 4 +++
.../TrustedIdpWSFedProtocolHandler.java | 7 ++++-
.../idp/spi/TrustedIdpProtocolHandler.java | 3 +++
.../flows/federation-signin-response.xml | 12 ++++++++-
5 files changed, 51 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/abff9ec2/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
index 2369bae..614d196 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
@@ -73,6 +73,33 @@ public class TrustedIdpProtocolAction {
return redirectUrl.toString();
}
+ public String processSignInResponse(RequestContext requestContext) {
+ String trustedIdpRealm = requestContext.getFlowScope().getString("whr");
+
+ Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(requestContext, IDP_CONFIG);
+
+ TrustedIdp trustedIdp = idpConfig.findTrustedIdp(trustedIdpRealm);
+ if (trustedIdp == null) {
+ LOG.error("TrustedIdp '{}' not configured", trustedIdpRealm);
+ throw new IllegalStateException("TrustedIdp '" + trustedIdpRealm + "'");
+ }
+
+ String protocol = trustedIdp.getProtocol();
+ LOG.debug("TrustedIdp '{}' supports protocol {}", trustedIdpRealm, protocol);
+
+ TrustedIdpProtocolHandler protocolHandler = trustedIdpProtocolHandlers.getProtocolHandler(protocol);
+ if (protocolHandler == null) {
+ LOG.error("No ProtocolHandler found for {}", protocol);
+ throw new IllegalStateException("No ProtocolHandler found for '" + protocol + "'");
+ }
+ URL redirectUrl = protocolHandler.processSignInResponse(requestContext, idpConfig, trustedIdp);
+ LOG.info("Redirect required?", (redirectUrl != null));
+ if (redirectUrl != null) {
+ return redirectUrl.toString();
+ }
+ return null;
+ }
+
public SecurityToken mapSignInResponse(RequestContext requestContext) {
String trustedIdpRealm = requestContext.getFlowScope().getString("whr");
LOG.info("Prepare validate SignInResponse of Trusted IDP '{}'", trustedIdpRealm);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/abff9ec2/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index be2333c..950d0ce 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -190,6 +190,10 @@ public class TrustedIdpSAMLProtocolHandler implements TrustedIdpProtocolHandler
}
}
+ @Override
+ public URL processSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
+ return null;
+ }
@Override
public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/abff9ec2/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
index 1f9da57..9c9b192 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
@@ -82,7 +82,7 @@ public class TrustedIdpWSFedProtocolHandler implements TrustedIdpProtocolHandler
public String getProtocol() {
return PROTOCOL;
}
-
+
@Override
public URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
@@ -116,6 +116,11 @@ public class TrustedIdpWSFedProtocolHandler implements TrustedIdpProtocolHandler
throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
}
}
+
+ @Override
+ public URL processSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
+ return null;
+ }
@Override
public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/abff9ec2/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
index a33591b..45dfa1f 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
@@ -34,6 +34,9 @@ public interface TrustedIdpProtocolHandler extends ProtocolHandler {
// Only supports HTTP GET SignIn Requests
URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp);
+ // Allow for processing of the Response + redirect again (required by some protocols)
+ URL processSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp);
+
//Hook in <action-state id="validateToken"> of federation-signin-response.xml
SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/abff9ec2/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
index 9e6d342..46da2cb 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
@@ -34,7 +34,17 @@
<!-- restore 'wreply','wtrealm','whr' for current 'wctx' -->
<evaluate expression="signinParametersCacheAction.restore(flowRequestContext)" />
</on-start>
-
+
+ <!-- See whether a further sign in request is required after processing -->
+ <action-state id="isFurtherSignInRedirectRequired">
+ <evaluate expression="trustedIdpProtocolAction.processSignInResponse(flowRequestContext)"
+ result="flowScope.remoteIdpUrl"/>
+ <evaluate expression="flowScope.remoteIdpUrl != null" />
+ <transition on="yes" to="redirectToTrustedIDP" />
+ <transition on="no" to="validateToken" />
+ <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+ </action-state>
+
<!-- validate token issued by requestor IDP ('wresult') given its 'whr' -->
<action-state id="validateToken">
<evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext)"
[3/3] cxf-fediz git commit: More work on Fediz OIDC integration
Posted by co...@apache.org.
More work on Fediz OIDC integration
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4df66f37
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4df66f37
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4df66f37
Branch: refs/heads/master
Commit: 4df66f377b13230e3dc26c810902c9e5061b958c
Parents: 82a028c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Feb 19 17:03:18 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Feb 19 17:03:18 2016 +0000
----------------------------------------------------------------------
services/idp/pom.xml | 5 +
.../idp/beans/SigninParametersCacheAction.java | 4 +
.../idp/beans/TrustedIdpProtocolAction.java | 6 +-
.../TrustedIdpOIDCProtocolHandler.java | 306 +++++++++++++++++++
.../flows/federation-signin-response.xml | 4 +
.../flows/federation-validate-request.xml | 20 +-
6 files changed, 341 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4df66f37/services/idp/pom.xml
----------------------------------------------------------------------
diff --git a/services/idp/pom.xml b/services/idp/pom.xml
index 2db7b8e..6607080 100644
--- a/services/idp/pom.xml
+++ b/services/idp/pom.xml
@@ -146,6 +146,11 @@
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-rs-security-sso-oidc</artifactId>
+ <version>${cxf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-transports-http</artifactId>
<version>${cxf.version}</version>
</dependency>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4df66f37/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index a357895..a3226bb 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -29,6 +29,7 @@ import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.service.idp.domain.Application;
import org.apache.cxf.fediz.service.idp.domain.Idp;
import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
@@ -80,6 +81,9 @@ public class SigninParametersCacheAction {
if (uuidKey == null) {
uuidKey = (String)WebUtils.getAttributeFromFlowScope(context, SAMLSSOConstants.RELAY_STATE);
}
+ if (uuidKey == null) {
+ uuidKey = (String)WebUtils.getAttributeFromFlowScope(context, OAuthConstants.STATE);
+ }
@SuppressWarnings("unchecked")
Map<String, Object> signinParams =
(Map<String, Object>)WebUtils.getAttributeFromExternalContext(context, uuidKey);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4df66f37/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
index 614d196..7289f01 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
@@ -93,9 +93,11 @@ public class TrustedIdpProtocolAction {
throw new IllegalStateException("No ProtocolHandler found for '" + protocol + "'");
}
URL redirectUrl = protocolHandler.processSignInResponse(requestContext, idpConfig, trustedIdp);
- LOG.info("Redirect required?", (redirectUrl != null));
+ LOG.info("Redirect required? {}", (redirectUrl != null));
if (redirectUrl != null) {
- return redirectUrl.toString();
+ String redirectUrlStr = redirectUrl.toString();
+ LOG.info("Redirect URL: {}", redirectUrlStr);
+ return redirectUrlStr;
}
return null;
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4df66f37/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
new file mode 100644
index 0000000..28cc37e
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
@@ -0,0 +1,306 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.service.idp.protocols;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.w3c.dom.Element;
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.config.TrustManager;
+import org.apache.cxf.fediz.core.config.jaxb.AudienceUris;
+import org.apache.cxf.fediz.core.config.jaxb.CertificateStores;
+import org.apache.cxf.fediz.core.config.jaxb.ContextConfig;
+import org.apache.cxf.fediz.core.config.jaxb.FederationProtocolType;
+import org.apache.cxf.fediz.core.config.jaxb.KeyStoreType;
+import org.apache.cxf.fediz.core.config.jaxb.TrustManagersType;
+import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuerType;
+import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuers;
+import org.apache.cxf.fediz.core.config.jaxb.ValidationType;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.processor.FederationProcessorImpl;
+import org.apache.cxf.fediz.core.processor.FedizProcessor;
+import org.apache.cxf.fediz.core.processor.FedizRequest;
+import org.apache.cxf.fediz.core.processor.FedizResponse;
+import org.apache.cxf.fediz.service.idp.domain.Idp;
+import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
+import org.apache.cxf.fediz.service.idp.spi.TrustedIdpProtocolHandler;
+import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.common.crypto.CertificateStore;
+import org.apache.xml.security.exceptions.Base64DecodingException;
+import org.apache.xml.security.stax.impl.util.IDGenerator;
+import org.apache.xml.security.utils.Base64;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.webflow.execution.RequestContext;
+
+@Component
+public class TrustedIdpOIDCProtocolHandler implements TrustedIdpProtocolHandler {
+
+ public static final String PROTOCOL = "openid-connect-1.0";
+
+ private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpOIDCProtocolHandler.class);
+
+ @Override
+ public boolean canHandleRequest(HttpServletRequest request) {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public String getProtocol() {
+ return PROTOCOL;
+ }
+
+ @Override
+ public URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
+
+ try {
+ StringBuilder sb = new StringBuilder();
+ sb.append(trustedIdp.getUrl());
+ sb.append("?");
+ sb.append("response_type").append('=');
+ sb.append("code"); //TODO
+ sb.append("&");
+ sb.append("client_id").append('=');
+ sb.append("consumer-id"); //TODO
+ sb.append("&");
+ sb.append("redirect_uri").append('=');
+ sb.append(URLEncoder.encode(idp.getIdpUrl().toString(), "UTF-8"));
+ sb.append("&");
+ sb.append("scope").append('=');
+ sb.append("openid");
+
+ String wctx = context.getFlowScope().getString(FederationConstants.PARAM_CONTEXT);
+ if (wctx != null) {
+ sb.append("&").append("state").append('=');
+ sb.append(wctx);
+ }
+
+ /*
+ String wfresh = context.getFlowScope().getString(FederationConstants.PARAM_FRESHNESS);
+ if (wfresh != null) {
+ sb.append("&").append(FederationConstants.PARAM_FRESHNESS).append('=');
+ sb.append(URLEncoder.encode(wfresh, "UTF-8"));
+ }
+ String wctx = context.getFlowScope().getString(FederationConstants.PARAM_CONTEXT);
+ if (wctx != null) {
+ sb.append("&").append(FederationConstants.PARAM_CONTEXT).append('=');
+ sb.append(wctx);
+ }
+ */
+ return new URL(sb.toString());
+ } catch (MalformedURLException ex) {
+ LOG.error("Invalid Redirect URL for Trusted Idp", ex);
+ throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
+ } catch (UnsupportedEncodingException ex) {
+ LOG.error("Invalid Redirect URL for Trusted Idp", ex);
+ throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
+ }
+ }
+
+ @Override
+ public URL processSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
+ String code = (String) WebUtils.getAttributeFromFlowScope(context,
+ OAuthConstants.CODE_RESPONSE_TYPE);
+ if (code == null) {
+ return null;
+ }
+
+ try {
+ StringBuilder sb = new StringBuilder();
+ // sb.append(trustedIdp.getUrl());
+ sb.append("http://localhost:8080/auth/realms/realmb/protocol/openid-connect/token"); // TODO
+ sb.append("?");
+ sb.append("grant_type").append('=');
+ sb.append("authorization_code");
+ sb.append("&");
+ sb.append("code").append('=');
+ sb.append(code);
+ sb.append("&");
+ sb.append("redirect_uri").append('=');
+ sb.append(URLEncoder.encode(idp.getIdpUrl().toString(), "UTF-8"));
+ sb.append("&");
+ sb.append("client_id").append('=');
+ sb.append("consumer-id"); //TODO
+ // sb.append("&");
+
+ // TODOString state = (String) WebUtils.getAttributeFromFlowScope(context,
+ // OAuthConstants.STATE);
+ // sb.append("state").append('=');
+ // sb.append(state);
+
+ return new URL(sb.toString());
+ } catch (MalformedURLException ex) {
+ LOG.error("Invalid Redirect URL for Trusted Idp", ex);
+ throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
+ } catch (UnsupportedEncodingException ex) {
+ LOG.error("Invalid Redirect URL for Trusted Idp", ex);
+ throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
+ }
+ }
+
+ @Override
+ public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
+
+ try {
+ String whr = (String) WebUtils.getAttributeFromFlowScope(context,
+ FederationConstants.PARAM_HOME_REALM);
+
+ if (whr == null) {
+ LOG.warn("Home realm is null");
+ throw new IllegalStateException("Home realm is null");
+ }
+
+ String wresult = (String) WebUtils.getAttributeFromFlowScope(context,
+ FederationConstants.PARAM_RESULT);
+
+ if (wresult == null) {
+ LOG.warn("Parameter wresult not found");
+ throw new IllegalStateException("No security token issued");
+ }
+
+ FedizContext fedContext = getFedizContext(idp, trustedIdp);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setAction(FederationConstants.ACTION_SIGNIN);
+ wfReq.setResponseToken(wresult);
+
+ FedizProcessor wfProc = new FederationProcessorImpl();
+ FedizResponse wfResp = wfProc.processRequest(wfReq, fedContext);
+
+ fedContext.close();
+
+ Element e = wfResp.getToken();
+
+ // Create new Security token with new id.
+ // Parameters for freshness computation are copied from original IDP_TOKEN
+ String id = IDGenerator.generateID("_");
+ SecurityToken idpToken = new SecurityToken(id,
+ wfResp.getTokenCreated(), wfResp.getTokenExpires());
+
+ idpToken.setToken(e);
+ LOG.info("[IDP_TOKEN={}] for user '{}' created from [RP_TOKEN={}] issued by home realm [{}/{}]",
+ id, wfResp.getUsername(), wfResp.getUniqueTokenId(), whr, wfResp.getIssuer());
+ LOG.debug("Created date={}", wfResp.getTokenCreated());
+ LOG.debug("Expired date={}", wfResp.getTokenExpires());
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Validated 'wresult' : "
+ + System.getProperty("line.separator") + wresult);
+ }
+ return idpToken;
+ } catch (IllegalStateException ex) {
+ throw ex;
+ } catch (Exception ex) {
+ LOG.warn("Unexpected exception occured", ex);
+ throw new IllegalStateException("Unexpected exception occured: " + ex.getMessage());
+ }
+ }
+
+
+ private FedizContext getFedizContext(Idp idpConfig,
+ TrustedIdp trustedIdpConfig) throws ProcessingException {
+
+ ContextConfig config = new ContextConfig();
+
+ config.setName("whatever");
+
+ // Configure certificate store
+ String certificate = trustedIdpConfig.getCertificate();
+ boolean isCertificateLocation = !certificate.startsWith("-----BEGIN CERTIFICATE");
+ if (isCertificateLocation) {
+ CertificateStores certStores = new CertificateStores();
+ TrustManagersType tm0 = new TrustManagersType();
+ KeyStoreType ks0 = new KeyStoreType();
+ ks0.setType("PEM");
+ // ks0.setType("JKS");
+ // ks0.setPassword("changeit");
+ ks0.setFile(trustedIdpConfig.getCertificate());
+ tm0.setKeyStore(ks0);
+ certStores.getTrustManager().add(tm0);
+ config.setCertificateStores(certStores);
+ }
+
+ // Configure trusted IDP
+ TrustedIssuers trustedIssuers = new TrustedIssuers();
+ TrustedIssuerType ti0 = new TrustedIssuerType();
+ ti0.setCertificateValidation(ValidationType.PEER_TRUST);
+ ti0.setName(trustedIdpConfig.getName());
+ // ti0.setSubject(".*CN=www.sts.com.*");
+ trustedIssuers.getIssuer().add(ti0);
+ config.setTrustedIssuers(trustedIssuers);
+
+ FederationProtocolType protocol = new FederationProtocolType();
+ config.setProtocol(protocol);
+
+ AudienceUris audienceUris = new AudienceUris();
+ audienceUris.getAudienceItem().add(idpConfig.getRealm());
+ config.setAudienceUris(audienceUris);
+
+ FedizContext fedContext = new FedizContext(config);
+ if (!isCertificateLocation) {
+ CertificateStore cs = null;
+
+ X509Certificate cert;
+ try {
+ cert = parseCertificate(trustedIdpConfig.getCertificate());
+ } catch (Exception ex) {
+ LOG.error("Failed to parse trusted certificate", ex);
+ throw new ProcessingException("Failed to parse trusted certificate");
+ }
+ cs = new CertificateStore(Collections.singletonList(cert).toArray(new X509Certificate[0]));
+
+ TrustManager tm = new TrustManager(cs);
+ fedContext.getCertificateStores().add(tm);
+ }
+
+ fedContext.init();
+ return fedContext;
+ }
+
+ private X509Certificate parseCertificate(String certificate)
+ throws CertificateException, Base64DecodingException, IOException {
+
+ //before decoding we need to get rod off the prefix and suffix
+ byte [] decoded = Base64.decode(certificate.replaceAll("-----BEGIN CERTIFICATE-----", "").
+ replaceAll("-----END CERTIFICATE-----", ""));
+
+ try (InputStream is = new ByteArrayInputStream(decoded)) {
+ return (X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(is);
+ }
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4df66f37/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
index 46da2cb..a66d0b8 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
@@ -29,6 +29,8 @@
<input name="wresult" />
<input name="RelayState" />
<input name="SAMLResponse" />
+ <input name="state" />
+ <input name="code" />
<on-start>
<!-- restore 'wreply','wtrealm','whr' for current 'wctx' -->
@@ -78,5 +80,7 @@
<!-- abnormal exit point : Http 500 Internal Server Error -->
<end-state id="scInternalServerError" />
+
+ <end-state id="redirectToTrustedIDP" />
</flow>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4df66f37/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 4ea0d9a..8d0934c 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -34,14 +34,18 @@
<set name="flowScope.wreq" value="requestParameters.wreq" />
<set name="flowScope.RelayState" value="requestParameters.RelayState" />
<set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
+ <set name="flowScope.state" value="requestParameters.state" />
+ <set name="flowScope.code" value="requestParameters.code" />
<evaluate expression="requestScope.getString('wauth','default')"
result="flowScope.wauth" />
<set name="flowScope.idpConfig" value="config.getIDP(null)" />
</on-entry>
<if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
then="selectSignOutProcess" />
- <if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess"
- else="selectSAMLProcess" />
+ <if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" />
+ <if test="requestParameters.SAMLResponse != null" then="selectSAMLProcess"
+ else="signinResponse"
+ />
</decision-state>
<decision-state id="selectWsFedProcess">
@@ -103,6 +107,8 @@
<input name="wresult" value="flowScope.wresult" />
<input name="RelayState" value="flowScope.RelayState" />
<input name="SAMLResponse" value="flowScope.SAMLResponse" />
+ <input name="state" value="flowScope.state" />
+ <input name="code" value="flowScope.code" />
<output name="wtrealm" />
<output name="wreply" />
@@ -119,6 +125,7 @@
</transition>
<transition on="viewBadRequest" to="viewBadRequest" />
<transition on="scInternalServerError" to="scInternalServerError" />
+ <transition on="redirectToTrustedIDP" to="redirectToTrustedIDP" />
</subflow-state>
<!-- produce RP security token (as String type) -->
@@ -240,4 +247,13 @@
</on-entry>
</end-state>
+ <end-state id="formResponseView" view="signinresponseform">
+ <on-entry>
+ <evaluate expression="flowScope.signinResponseUrl" result="requestScope.fedAction" />
+ <evaluate expression="flowScope.wtrealm" result="requestScope.fedWTrealm" />
+ <evaluate expression="flowScope.wctx" result="requestScope.fedWCtx" />
+ <evaluate expression="flowScope.rpToken" result="requestScope.fedWResult" />
+ </on-entry>
+ </end-state>
+
</flow>
[2/3] cxf-fediz git commit: Adding a temporary test for OIDC bridging
Posted by co...@apache.org.
Adding a temporary test for OIDC bridging
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/82a028cc
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/82a028cc
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/82a028cc
Branch: refs/heads/master
Commit: 82a028ccf86c7448ea37c17afec272dc2c23e35e
Parents: abff9ec
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Feb 19 17:02:39 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Feb 19 17:02:39 2016 +0000
----------------------------------------------------------------------
systests/federation/oidc/pom.xml | 286 +++++++++++
.../cxf/fediz/integrationtests/OIDCTest.java | 321 ++++++++++++
.../oidc/src/test/resources/client.jks | Bin 0 -> 2061 bytes
.../oidc/src/test/resources/clienttrust.jks | Bin 0 -> 1512 bytes
.../oidc/src/test/resources/entities-realma.xml | 500 +++++++++++++++++++
.../src/test/resources/fediz_config_oidc.xml | 56 +++
.../oidc/src/test/resources/server.jks | Bin 0 -> 3859 bytes
7 files changed, 1163 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/82a028cc/systests/federation/oidc/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/pom.xml b/systests/federation/oidc/pom.xml
new file mode 100644
index 0000000..4df592a
--- /dev/null
+++ b/systests/federation/oidc/pom.xml
@@ -0,0 +1,286 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-federation</artifactId>
+ <version>1.3.0-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+ <groupId>org.apache.cxf.fediz.systests.federation</groupId>
+ <artifactId>fediz-systests-federation-oidc</artifactId>
+ <name>Apache Fediz Federation Systests Tomcat 7 OIDC</name>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-logging-juli</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jdt.core.compiler</groupId>
+ <artifactId>ecj</artifactId>
+ <version>${ecj.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-jasper</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-tomcat7</artifactId>
+ <version>${project.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-tests</artifactId>
+ <version>${project.version}</version>
+ <type>test-jar</type>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.hsqldb</groupId>
+ <artifactId>hsqldb</artifactId>
+ <version>${hsqldb.version}</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+ <build>
+ <testResources>
+ <testResource>
+ <directory>src/test/resources</directory>
+ <filtering>true</filtering>
+ <includes>
+ <include>**/fediz_config*.xml</include>
+ </includes>
+ </testResource>
+ <testResource>
+ <directory>src/test/resources</directory>
+ <filtering>false</filtering>
+ <excludes>
+ <exclude>**/fediz_config*.xml</exclude>
+ </excludes>
+ </testResource>
+ </testResources>
+ <plugins>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>build-helper-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>reserve-network-port</id>
+ <goals>
+ <goal>reserve-network-port</goal>
+ </goals>
+ <phase>initialize</phase>
+ <configuration>
+ <portNames>
+ <portName>idp.https.port</portName>
+ <portName>idp.samlsso.https.port</portName>
+ <portName>rp.https.port</portName>
+ </portNames>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-dependency-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>copy-idp-sts</id>
+ <phase>generate-resources</phase>
+ <goals>
+ <goal>unpack</goal>
+ </goals>
+ <configuration>
+ <artifactItems>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp-sts</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp-sts</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz.systests.federation</groupId>
+ <artifactId>fediz-systests-federation-samlIdpWebapp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idpsamlsso/webapps/idpsaml</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz.systests.webapps</groupId>
+ <artifactId>fediz-systests-webapps-simple</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/rp/webapps/simpleWebapp</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz.systests.webapps</groupId>
+ <artifactId>fediz-systests-webapps-simple</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/rp/webapps/simpleWebapp2</outputDirectory>
+ </artifactItem>
+ </artifactItems>
+ <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
+ <overWriteSnapshots>true</overWriteSnapshots>
+ <overWriteIfNewer>true</overWriteIfNewer>
+ <stripVersion>true</stripVersion>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-xalan-to-idp</id>
+ <phase>generate-resources</phase>
+ <goals>
+ <goal>copy</goal>
+ </goals>
+ <configuration>
+ <artifactItems>
+ <artifactItem>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
+ <version>${xalan.version}</version>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp/WEB-INF/lib</outputDirectory>
+ </artifactItem>
+ </artifactItems>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <version>2.7</version>
+ <executions>
+ <execution>
+ <id>copy-entities-to-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF/classes</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources</directory>
+ <includes>
+ <include>entities-realma.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-failsafe-plugin</artifactId>
+ <inherited>true</inherited>
+ <executions>
+ <execution>
+ <id>integration-test</id>
+ <phase>integration-test</phase>
+ <goals>
+ <goal>integration-test</goal>
+ </goals>
+ <configuration>
+ <skip>false</skip>
+ <systemPropertyVariables>
+ <wt.headless>true</wt.headless>
+ <idp.https.port>${idp.https.port}</idp.https.port>
+ <idp.samlsso.https.port>${idp.samlsso.https.port}</idp.samlsso.https.port>
+ <rp.https.port>${rp.https.port}</rp.https.port>
+ </systemPropertyVariables>
+ <includes>
+ <include>**/integrationtests/**</include>
+ </includes>
+ <argLine>-Xms512m -Xmx1024m
+ -XX:MaxPermSize=256m</argLine>
+ </configuration>
+ </execution>
+ <execution>
+ <id>verify</id>
+ <phase>verify</phase>
+ <goals>
+ <goal>verify</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <inherited>true</inherited>
+ <configuration>
+ <excludes>
+ <exclude>**/integrationtests/**</exclude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/82a028cc/systests/federation/oidc/src/test/java/org/apache/cxf/fediz/integrationtests/OIDCTest.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/java/org/apache/cxf/fediz/integrationtests/OIDCTest.java b/systests/federation/oidc/src/test/java/org/apache/cxf/fediz/integrationtests/OIDCTest.java
new file mode 100644
index 0000000..b0f370b
--- /dev/null
+++ b/systests/federation/oidc/src/test/java/org/apache/cxf/fediz/integrationtests/OIDCTest.java
@@ -0,0 +1,321 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+
+import java.io.File;
+import java.io.IOException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+import com.gargoylesoftware.htmlunit.xml.XmlPage;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.LifecycleState;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.cxf.fediz.core.ClaimTypes;
+import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.cxf.fediz.tomcat7.FederationAuthenticator;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.xml.security.keys.KeyInfo;
+import org.apache.xml.security.signature.XMLSignature;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * This is a test for federation in the IdP. The RP application is configured to use a home realm of "realm b". The
+ * client gets redirected to the IdP for "realm a", which in turn redirects to the IdP for "realm b", which is a
+ * SAML SSO IdP. The IdP for "realm a" will convert the signin request to a SAML SSO sign in request. The IdP for
+ * realm b authenticates the user, who is then redirected back to the IdP for "realm a" to get a SAML token from
+ * the STS + then back to the application.
+ */
+public class OIDCTest {
+
+ static String idpHttpsPort;
+ static String idpSamlSSOHttpsPort;
+ static String rpHttpsPort;
+
+ private static Tomcat idpServer;
+ private static Tomcat idpSamlSSOServer;
+ private static Tomcat rpServer;
+
+ @BeforeClass
+ public static void init() {
+ System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
+ System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
+ System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
+
+ idpHttpsPort = System.getProperty("idp.https.port");
+ idpHttpsPort = "12111";
+ Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+ idpSamlSSOHttpsPort = System.getProperty("idp.samlsso.https.port");
+ Assert.assertNotNull("Property 'idp.samlsso.https.port' null", idpSamlSSOHttpsPort);
+ rpHttpsPort = System.getProperty("rp.https.port");
+ Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+ initIdp();
+ initSamlSSOIdp();
+ initRp();
+ }
+
+ private static void initIdp() {
+ try {
+ idpServer = new Tomcat();
+ idpServer.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ idpServer.setBaseDir(currentDir + File.separator + "target");
+
+ idpServer.getHost().setAppBase("tomcat/idp/webapps");
+ idpServer.getHost().setAutoDeploy(true);
+ idpServer.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ //httpsConnector.setAttribute("keyAlias", keyAlias);
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "want");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ idpServer.getService().addConnector(httpsConnector);
+
+ idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
+ idpServer.addWebapp("/fediz-idp", "fediz-idp");
+
+ idpServer.start();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ private static void initSamlSSOIdp() {
+ try {
+ idpSamlSSOServer = new Tomcat();
+ idpSamlSSOServer.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ idpSamlSSOServer.setBaseDir(currentDir + File.separator + "target");
+
+ idpSamlSSOServer.getHost().setAppBase("tomcat/idpsamlsso/webapps");
+ idpSamlSSOServer.getHost().setAutoDeploy(true);
+ idpSamlSSOServer.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(idpSamlSSOHttpsPort));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ //httpsConnector.setAttribute("keyAlias", keyAlias);
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "want");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ idpSamlSSOServer.getService().addConnector(httpsConnector);
+
+ idpSamlSSOServer.addWebapp("/idp", "idpsaml");
+
+ idpSamlSSOServer.start();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ private static void initRp() {
+ try {
+ rpServer = new Tomcat();
+ rpServer.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ rpServer.setBaseDir(currentDir + File.separator + "target");
+
+ rpServer.getHost().setAppBase("tomcat/rp/webapps");
+ rpServer.getHost().setAutoDeploy(true);
+ rpServer.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ //httpsConnector.setAttribute("keyAlias", keyAlias);
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("clientAuth", "want");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ rpServer.getService().addConnector(httpsConnector);
+
+ Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
+ FederationAuthenticator fa = new FederationAuthenticator();
+ fa.setConfigFile(currentDir + File.separator + "target" + File.separator
+ + "test-classes" + File.separator + "fediz_config_oidc.xml");
+ cxt.getPipeline().addValve(fa);
+
+ rpServer.start();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ @AfterClass
+ public static void cleanup() {
+ try {
+ if (idpServer.getServer() != null
+ && idpServer.getServer().getState() != LifecycleState.DESTROYED) {
+ if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
+ idpServer.stop();
+ }
+ idpServer.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ try {
+ if (rpServer.getServer() != null
+ && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
+ if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
+ rpServer.stop();
+ }
+ rpServer.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public String getIdpHttpsPort() {
+ return idpHttpsPort;
+ }
+
+ public String getRpHttpsPort() {
+ return rpHttpsPort;
+ }
+
+ public String getServletContextName() {
+ return "fedizhelloworld";
+ }
+
+ @org.junit.Test
+ // @org.junit.Ignore
+ public void testBrowser() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+ System.out.println("URL: " + url);
+ Thread.sleep(60 * 1000);
+ }
+
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testSAMLSSO() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+ // System.out.println("URL: " + url);
+ // Thread.sleep(60 * 2 * 1000);
+ String user = "ALICE"; // realm b credentials
+ String password = "ECILA";
+
+ final String bodyTextContent =
+ login(url, user, password, idpSamlSSOHttpsPort, idpHttpsPort, false);
+
+ Assert.assertTrue("Principal not alice",
+ bodyTextContent.contains("userPrincipal=alice"));
+ Assert.assertTrue("User " + user + " does not have role Admin",
+ bodyTextContent.contains("role:Admin=false"));
+ Assert.assertTrue("User " + user + " does not have role Manager",
+ bodyTextContent.contains("role:Manager=false"));
+ Assert.assertTrue("User " + user + " must have role User",
+ bodyTextContent.contains("role:User=true"));
+
+ String claim = ClaimTypes.FIRSTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
+ bodyTextContent.contains(claim + "=Alice"));
+ claim = ClaimTypes.LASTNAME.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
+ bodyTextContent.contains(claim + "=Smith"));
+ claim = ClaimTypes.EMAILADDRESS.toString();
+ Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
+ bodyTextContent.contains(claim + "=alice@realma.org"));
+ }
+
+ private static String login(String url, String user, String password,
+ String idpPort, String rpIdpPort, boolean postBinding) throws IOException {
+ //
+ // Access the RP + get redirected to the IdP for "realm a". Then get redirected to the IdP for
+ // "realm b".
+ //
+ final WebClient webClient = new WebClient();
+ CookieManager cookieManager = new CookieManager();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(idpPort)),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ HtmlPage idpPage = webClient.getPage(url);
+
+ if (postBinding) {
+ Assert.assertEquals("SAML IDP Response Form", idpPage.getTitleText());
+ final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+ idpPage = button.click();
+ }
+
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Now redirect back to the RP
+ final HtmlForm form = idpPage.getFormByName("signinresponseform");
+
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+ final HtmlPage rpPage = button.click();
+ Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
+
+ webClient.close();
+ return rpPage.getBody().getTextContent();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/82a028cc/systests/federation/oidc/src/test/resources/client.jks
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/client.jks b/systests/federation/oidc/src/test/resources/client.jks
new file mode 100644
index 0000000..62d221e
Binary files /dev/null and b/systests/federation/oidc/src/test/resources/client.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/82a028cc/systests/federation/oidc/src/test/resources/clienttrust.jks
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/clienttrust.jks b/systests/federation/oidc/src/test/resources/clienttrust.jks
new file mode 100644
index 0000000..c3ad459
Binary files /dev/null and b/systests/federation/oidc/src/test/resources/clienttrust.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/82a028cc/systests/federation/oidc/src/test/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/entities-realma.xml b/systests/federation/oidc/src/test/resources/entities-realma.xml
new file mode 100644
index 0000000..ab17601
--- /dev/null
+++ b/systests/federation/oidc/src/test/resources/entities-realma.xml
@@ -0,0 +1,500 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+ <property name="uri" value="realma" />
+ <property name="provideIdpList" value="true" />
+ <property name="useCurrentIdp" value="true" />
+ <property name="certificate" value="stsKeystoreA.properties" />
+ <property name="certificatePassword" value="realma" />
+ <!-- <property name="stsUrl" value="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA" />
+ <property name="idpUrl" value="https://localhost:${idp.https.port}/fediz-idp/federation" />-->
+ <property name="stsUrl" value="https://localhost:12111/fediz-idp-sts/REALMA" />
+ <property name="idpUrl" value="https://localhost:12111/fediz-idp/federation" />
+ <property name="rpSingleSignOutConfirmation" value="true"/>
+ <property name="supportedProtocols">
+ <util:list>
+ <value>http://docs.oasis-open.org/wsfed/federation/200706
+ </value>
+ <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512
+ </value>
+ </util:list>
+ </property>
+ <property name="tokenTypesOffered">
+ <util:list>
+ <value>urn:oasis:names:tc:SAML:1.0:assertion</value>
+ <value>urn:oasis:names:tc:SAML:2.0:assertion</value>
+ </util:list>
+ </property>
+ <property name="authenticationURIs">
+ <util:map>
+ <entry key="default" value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"
+ value="federation/krb" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+ value="federation/clientcert" />
+ </util:map>
+ </property>
+ <property name="serviceDisplayName" value="REALM A" />
+ <property name="serviceDescription" value="IDP of Realm A" />
+ <property name="applications">
+ <util:list>
+ <ref bean="srv-fedizhelloworld" />
+ </util:list>
+ </property>
+ <property name="trustedIdps">
+ <util:list>
+ <ref bean="trusted-idp-realmB" />
+ <ref bean="trusted-idp-realmC" />
+ </util:list>
+ </property>
+ <property name="claimTypesOffered">
+ <util:list>
+ <ref bean="claim_role" />
+ <ref bean="claim_surname" />
+ <ref bean="claim_givenname" />
+ <ref bean="claim_email" />
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="trusted-idp-realmB"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+ <property name="cacheTokens" value="true" />
+ <!-- <property name="url" value="https://localhost:${idp.samlsso.https.port}/idp/samlsso?binding=REDIRECT" />-->
+ <property name="url" value="http://localhost:8080/auth/realms/realmb/protocol/openid-connect/auth" />
+ <property name="certificate" value="realmb.cert" />
+ <property name="trustType" value="PEER_TRUST" />
+ <property name="protocol" value="openid-connect-1.0" />
+ <property name="federationType" value="FEDERATE_IDENTITY" />
+ <property name="name" value="Realm B" />
+ <property name="description" value="Realm B description" />
+ <property name="parameters">
+ <util:map>
+ </util:map>
+ </property>
+ </bean>
+
+ <bean id="trusted-idp-realmC"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-C" />
+ <property name="cacheTokens" value="true" />
+ <property name="url" value="https://localhost:${idp.samlsso.https.port}/idp/samlsso" />
+ <property name="certificate" value="realmb.cert" />
+ <property name="trustType" value="PEER_TRUST" />
+ <property name="protocol" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
+ <property name="federationType" value="FEDERATE_IDENTITY" />
+ <property name="name" value="Realm C" />
+ <property name="description" value="SAML Web Profile - Response POST Binding" />
+ <property name="parameters">
+ <util:map>
+ <entry key="sign.request" value="true" />
+ <entry key="support.deflate.encoding" value="true" />
+ </util:map>
+ </property>
+ </bean>
+
+ <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Fedizhelloworld" />
+ <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint"
+ value="https://localhost:(\d)*/(\w)*helloworld.*/secure/.*" />
+ </bean>
+
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_role" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_givenname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_surname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_email" />
+ <property name="optional" value="false" />
+ </bean>
+
+ <bean id="claim_role"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+ <property name="displayName"
+ value="role" />
+ <property name="description"
+ value="Description for role" />
+ </bean>
+ <bean id="claim_givenname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+ <property name="displayName"
+ value="firstname" />
+ <property name="description"
+ value="Description for firstname" />
+ </bean>
+ <bean id="claim_surname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+ <property name="displayName"
+ value="lastname" />
+ <property name="description"
+ value="Description for lastname" />
+ </bean>
+ <bean id="claim_email"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+ <property name="displayName"
+ value="email" />
+ <property name="description"
+ value="Description for email" />
+ </bean>
+
+
+ <bean id="entitlement_claim_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_LIST" />
+ <property name="description"
+ value="Description for CLAIM_LIST" />
+ </bean>
+ <bean id="entitlement_claim_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_CREATE" />
+ <property name="description"
+ value="Description for CLAIM_CREATE" />
+ </bean>
+ <bean id="entitlement_claim_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_READ" />
+ <property name="description"
+ value="Description for CLAIM_READ" />
+ </bean>
+ <bean id="entitlement_claim_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_UPDATE" />
+ <property name="description"
+ value="Description for CLAIM_UPDATE" />
+ </bean>
+ <bean id="entitlement_claim_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_DELETE" />
+ <property name="description"
+ value="Description for CLAIM_DELETE" />
+ </bean>
+
+ <bean id="entitlement_application_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_LIST" />
+ <property name="description"
+ value="Description for APPLICATION_LIST" />
+ </bean>
+ <bean id="entitlement_application_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_CREATE" />
+ <property name="description"
+ value="Description for APPLICATION_CREATE" />
+ </bean>
+ <bean id="entitlement_application_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_READ" />
+ <property name="description"
+ value="Description for APPLICATION_READ" />
+ </bean>
+ <bean id="entitlement_application_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_UPDATE" />
+ <property name="description"
+ value="Description for APPLICATION_UPDATE" />
+ </bean>
+ <bean id="entitlement_application_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_DELETE" />
+ <property name="description"
+ value="Description for APPLICATION_DELETE" />
+ </bean>
+
+ <bean id="entitlement_trustedidp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_LIST" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_LIST" />
+ </bean>
+ <bean id="entitlement_trustedidp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_CREATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_CREATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_READ" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_READ" />
+ </bean>
+ <bean id="entitlement_trustedidp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_UPDATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_DELETE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_idp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_LIST" />
+ <property name="description"
+ value="Description for IDP_LIST" />
+ </bean>
+ <bean id="entitlement_idp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_CREATE" />
+ <property name="description"
+ value="Description for IDP_CREATE" />
+ </bean>
+ <bean id="entitlement_idp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_READ" />
+ <property name="description"
+ value="Description for IDP_READ" />
+ </bean>
+ <bean id="entitlement_idp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_UPDATE" />
+ <property name="description"
+ value="Description for IDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_idp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_DELETE" />
+ <property name="description"
+ value="Description for IDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_role_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_LIST" />
+ <property name="description"
+ value="Description for ROLE_LIST" />
+ </bean>
+ <bean id="entitlement_role_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_CREATE" />
+ <property name="description"
+ value="Description for ROLE_CREATE" />
+ </bean>
+ <bean id="entitlement_role_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_READ" />
+ <property name="description"
+ value="Description for ROLE_READ" />
+ </bean>
+ <bean id="entitlement_role_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_UPDATE" />
+ <property name="description"
+ value="Description for ROLE_UPDATE" />
+ </bean>
+ <bean id="entitlement_role_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_DELETE" />
+ <property name="description"
+ value="Description for ROLE_DELETE" />
+ </bean>
+
+ <bean id="entitlement_entitlement_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_LIST" />
+ <property name="description"
+ value="Description for ENTITLEMENT_LIST" />
+ </bean>
+ <bean id="entitlement_entitlement_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_CREATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_CREATE" />
+ </bean>
+ <bean id="entitlement_entitlement_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_READ" />
+ <property name="description"
+ value="Description for ENTITLEMENT_READ" />
+ </bean>
+ <bean id="entitlement_entitlement_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_UPDATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_UPDATE" />
+ </bean>
+ <bean id="entitlement_entitlement_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_DELETE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_DELETE" />
+ </bean>
+
+ <bean id="role_admin"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="ADMIN" />
+ <property name="description"
+ value="This is the administrator role with full access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_create" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_claim_update" />
+ <ref bean="entitlement_claim_delete" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_create" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_idp_update" />
+ <ref bean="entitlement_idp_delete" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_create" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_trustedidp_update" />
+ <ref bean="entitlement_trustedidp_delete" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_create" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_application_update" />
+ <ref bean="entitlement_application_delete" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_create" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_role_update" />
+ <ref bean="entitlement_role_delete" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_create" />
+ <ref bean="entitlement_entitlement_read" />
+ <ref bean="entitlement_entitlement_update" />
+ <ref bean="entitlement_entitlement_delete" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_user"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="USER" />
+ <property name="description"
+ value="This is the user role with read access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_read" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_idp_login"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="IDP_LOGIN" />
+ <property name="description"
+ value="This is the IDP login role which is applied to Users during the IDP SSO" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ </util:list>
+ </property>
+ </bean>
+
+
+
+</beans>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/82a028cc/systests/federation/oidc/src/test/resources/fediz_config_oidc.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/fediz_config_oidc.xml b/systests/federation/oidc/src/test/resources/fediz_config_oidc.xml
new file mode 100644
index 0000000..fecec20
--- /dev/null
+++ b/systests/federation/oidc/src/test/resources/fediz_config_oidc.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file.
+ Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL
+ keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead.
+-->
+<FedizConfig>
+ <contextConfig name="/fedizhelloworld">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:12111/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-B</homeRealm>
+ <claimTypesRequested>
+ <claimType type="a particular claim type"
+ optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+</FedizConfig>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/82a028cc/systests/federation/oidc/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/server.jks b/systests/federation/oidc/src/test/resources/server.jks
new file mode 100644
index 0000000..c9c2ce2
Binary files /dev/null and b/systests/federation/oidc/src/test/resources/server.jks differ