cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From owu...@apache.org
Subject svn commit: r1221896 [1/4] - in /cxf/sandbox/fediz: ./ fediz-core/ fediz-core/.settings/ fediz-core/src/ fediz-core/src/main/ fediz-core/src/main/java/ fediz-core/src/main/java/org/ fediz-core/src/main/java/org/apache/ fediz-core/src/main/java/org/apac...
Date Wed, 21 Dec 2011 21:54:04 GMT
Author: owulff
Date: Wed Dec 21 21:53:59 2011
New Revision: 1221896

URL: http://svn.apache.org/viewvc?rev=1221896&view=rev
Log:
Initial commit of ws-federation

Added:
    cxf/sandbox/fediz/
    cxf/sandbox/fediz/fediz-core/
    cxf/sandbox/fediz/fediz-core/.settings/
    cxf/sandbox/fediz/fediz-core/pom.xml
    cxf/sandbox/fediz/fediz-core/src/
    cxf/sandbox/fediz/fediz-core/src/main/
    cxf/sandbox/fediz/fediz-core/src/main/java/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/util/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/util/StringUtils.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/util/XMLUtils.java
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/fediz/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/fediz/core/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/fediz/core/saml/
    cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/fediz/core/util/
    cxf/sandbox/fediz/fediz-core/src/test/
    cxf/sandbox/fediz/fediz-core/src/test/java/
    cxf/sandbox/fediz/fediz-core/src/test/java/org/
    cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/
    cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/cxf/
    cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/cxf/fediz/
    cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/cxf/fediz/core/
    cxf/sandbox/fediz/fediz-core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
    cxf/sandbox/fediz/fediz-core/src/test/resources/
    cxf/sandbox/fediz/fediz-core/src/test/resources/RSTR.formatted.xml
    cxf/sandbox/fediz/fediz-core/src/test/resources/RSTR.xml
    cxf/sandbox/fediz/fediz-core/src/test/resources/RSTR_old.xml
    cxf/sandbox/fediz/fediz-core/src/test/resources/logging.properties
    cxf/sandbox/fediz/fediz-core/src/test/resources/signature.properties
    cxf/sandbox/fediz/fediz-core/src/test/resources/stsstore.jks   (with props)
    cxf/sandbox/fediz/fediz-idp/
    cxf/sandbox/fediz/fediz-idp-sts/
    cxf/sandbox/fediz/fediz-idp-sts/.settings/
    cxf/sandbox/fediz/fediz-idp-sts/pom.xml
    cxf/sandbox/fediz/fediz-idp-sts/src/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/sts/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/sts/FileClaimsHandler.java
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/sts/PasswordCallbackHandler.java
    cxf/sandbox/fediz/fediz-idp-sts/src/main/java/org/apache/cxf/fediz/service/sts/UsernamePasswordCallbackHandler.java
    cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/log4j.properties
    cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/logging.properties
    cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/stsKeystore.properties
    cxf/sandbox/fediz/fediz-idp-sts/src/main/resources/stsstore.jks   (with props)
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-encrypted-ut.xml
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-servlet.xml
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-transport.xml
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-ut.xml
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-x509.xml
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/passwords.xml
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/userClaims.xml
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/web.xml
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/wsdl/
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/wsdl/ws-trust-1.4-service.wsdl
    cxf/sandbox/fediz/fediz-idp-sts/src/main/webapp/WEB-INF/wsdl/ws-trust-1.4.wsdl
    cxf/sandbox/fediz/fediz-idp/pom.xml
    cxf/sandbox/fediz/fediz-idp/src/
    cxf/sandbox/fediz/fediz-idp/src/main/
    cxf/sandbox/fediz/fediz-idp/src/main/java/
    cxf/sandbox/fediz/fediz-idp/src/main/java/org/
    cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/
    cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/
    cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/
    cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/service/
    cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/service/idp/
    cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpSTSClient.java
    cxf/sandbox/fediz/fediz-idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpServlet.java
    cxf/sandbox/fediz/fediz-idp/src/main/resources/
    cxf/sandbox/fediz/fediz-idp/src/main/resources/clientstore.jks   (with props)
    cxf/sandbox/fediz/fediz-idp/src/main/resources/log4j.properties
    cxf/sandbox/fediz/fediz-idp/src/main/resources/logging.properties
    cxf/sandbox/fediz/fediz-idp/src/main/webapp/
    cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/
    cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/RPClaims.xml
    cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/beans.xml
    cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/signinresponse.jsp
    cxf/sandbox/fediz/fediz-idp/src/main/webapp/WEB-INF/web.xml
    cxf/sandbox/fediz/fediz-idp/src/main/webapp/index.html
    cxf/sandbox/fediz/fediz-tomcat/
    cxf/sandbox/fediz/fediz-tomcat-example/
    cxf/sandbox/fediz/fediz-tomcat-example/.settings/
    cxf/sandbox/fediz/fediz-tomcat-example/.settings/.jsdtscope
    cxf/sandbox/fediz/fediz-tomcat-example/WebContent/
    cxf/sandbox/fediz/fediz-tomcat-example/WebContent/META-INF/
    cxf/sandbox/fediz/fediz-tomcat-example/WebContent/META-INF/MANIFEST.MF
    cxf/sandbox/fediz/fediz-tomcat-example/WebContent/WEB-INF/
    cxf/sandbox/fediz/fediz-tomcat-example/WebContent/WEB-INF/lib/
    cxf/sandbox/fediz/fediz-tomcat-example/pom.xml
    cxf/sandbox/fediz/fediz-tomcat-example/src/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/example/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/example/FederationFilter.java
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/example/FederationServlet.java
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/java/org/apache/cxf/fediz/example/SecurityTokenThreadLocal.java
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/resources/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/resources/log4j.properties
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/resources/logging.properties
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/META-INF/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/META-INF/context.xml
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/WEB-INF/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/WEB-INF/web.xml
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/index.html
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/secure/
    cxf/sandbox/fediz/fediz-tomcat-example/src/main/webapp/secure/test.html
    cxf/sandbox/fediz/fediz-tomcat/.settings/
    cxf/sandbox/fediz/fediz-tomcat/docs/
    cxf/sandbox/fediz/fediz-tomcat/docs/readme.txt
    cxf/sandbox/fediz/fediz-tomcat/pom.xml
    cxf/sandbox/fediz/fediz-tomcat/src/
    cxf/sandbox/fediz/fediz-tomcat/src/main/
    cxf/sandbox/fediz/fediz-tomcat/src/main/assembly/
    cxf/sandbox/fediz/fediz-tomcat/src/main/assembly/assembly.xml
    cxf/sandbox/fediz/fediz-tomcat/src/main/java/
    cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/
    cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/
    cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/
    cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/fediz/
    cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/fediz/tomcat/
    cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
    cxf/sandbox/fediz/fediz-tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationPrincipal.java
    cxf/sandbox/fediz/fediz-tomcat/src/test/
    cxf/sandbox/fediz/fediz-tomcat/src/test/resources/
    cxf/sandbox/fediz/fediz-tomcat/src/test/resources/logging.properties
    cxf/sandbox/fediz/pom.xml

Added: cxf/sandbox/fediz/fediz-core/pom.xml
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/pom.xml?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/pom.xml (added)
+++ cxf/sandbox/fediz/fediz-core/pom.xml Wed Dec 21 21:53:59 2011
@@ -0,0 +1,118 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+   <modelVersion>4.0.0</modelVersion>
+   <parent>
+       <groupId>org.apache.cxf.fediz</groupId>
+       <artifactId>fediz</artifactId>
+       <version>0.6-SNAPSHOT</version>
+   </parent>
+   <artifactId>fediz-core</artifactId>
+   <name>WS Federation Core</name>
+   <packaging>jar</packaging>
+
+    <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>  
+
+   <dependencies>
+   		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>4.8.2</version>
+			<scope>test</scope>
+		</dependency>
+   		<dependency>
+   			<groupId>org.apache.ws.security</groupId>
+   			<artifactId>wss4j</artifactId>
+   			<version>1.6.2</version>
+   			<scope>compile</scope>
+   		</dependency>
+     	<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-jdk14</artifactId>
+			<version>1.6.1</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-api</artifactId>
+			<version>1.6.1</version>
+		</dependency>
+   </dependencies>
+
+   <build>
+        <testSourceDirectory>${basedir}/src/test/java</testSourceDirectory>
+        <testResources>
+            <testResource>
+                <directory>src/test/java</directory>
+                <excludes>
+                    <exclude>**/*.java</exclude>
+                </excludes>
+            </testResource>
+            <testResource>
+                <directory>src/test/resources</directory>
+                <filtering>false</filtering>
+                <includes>
+                    <include>**/*</include>
+                </includes>
+            </testResource>
+        </testResources>
+        
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.6</version>
+                <configuration>
+                    <reportFormat>brief</reportFormat>
+                    <useFile>false</useFile>
+                    <forkMode>always</forkMode>
+                    <childDelegation>false</childDelegation>
+                    <includes>
+                        <include>**/*Test.java</include>
+                    </includes>
+                    <systemPropertyVariables>
+		        <java.util.logging.config.file>${basedir}/src/test/resources/logging.properties</java.util.logging.config.file>
+                    </systemPropertyVariables>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-pmd-plugin</artifactId>
+                <version>2.5</version>
+                <configuration>
+                    <linkXRef>false</linkXRef>
+                    <failOnViolation>true</failOnViolation>
+                    <verbose>true</verbose>
+                    <targetJdk>1.6</targetJdk>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>validate</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-source-plugin</artifactId>
+                <version>2.1.2</version>
+                <executions>
+                    <execution>
+                        <id>attach-sources</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>jar-no-fork</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+    
+</project>
+ 

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/Claim.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.io.Serializable;
+import java.net.URI;
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import java.security.Principal;
+
+/**
+ * 
+ * @author Oliver Wulff
+ */
+public class Claim implements Serializable {
+
+	
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+	
+	private URI claimType;
+	private String issuer;
+	private String originalIssuer;
+	private Principal principal;
+	private String value;
+	private URI namespace = ClaimTypes.URI_BASE;
+	
+	public URI getNamespace() {
+        return namespace;
+    }
+
+    public void setNamespace(URI namespace) {
+        this.namespace = namespace;
+    }
+
+    public String getIssuer() {
+		return issuer;
+	}
+
+	public void setIssuer(String issuer) {
+		this.issuer = issuer;
+	}
+
+	public String getOriginalIssuer() {
+		return originalIssuer;
+	}
+
+	public void setOriginalIssuer(String originalIssuer) {
+		this.originalIssuer = originalIssuer;
+	}
+
+	public URI getClaimType() {
+		return claimType;
+	}
+	
+	public void setClaimType(URI claimType) {
+		this.claimType = claimType;
+	}
+
+	public Principal getPrincipal() {
+        return principal;
+    }
+    
+    public void setPrincipal(Principal principal) {
+        this.principal = principal;
+    }
+    
+    public void setValue(String value) {
+        this.value = value;
+    }
+    
+    public String getValue() {
+        return value;
+    }
+	
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimCollection.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+
+
+/**
+ * This class holds a immutable collection of Claims.
+ * 
+ * @author Oliver Wulff
+ * @author Juerg Portmann
+ */
+public class ClaimCollection extends ArrayList<Claim> {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+
+	public ClaimCollection() {
+		super();
+	}
+
+	public ClaimCollection(Collection<? extends Claim> c) {
+		super(c);
+	}
+
+	public ClaimCollection(int initialCapacity) {
+		super(initialCapacity);
+	}
+
+	@Override
+	public Claim set(int index, Claim element) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	public boolean add(Claim e) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	public void add(int index, Claim element) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	public Claim remove(int index) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	public boolean remove(Object o) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	public void clear() {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	public boolean addAll(Collection<? extends Claim> c) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	public boolean addAll(int index, Collection<? extends Claim> c) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	protected void removeRange(int fromIndex, int toIndex) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	public boolean removeAll(Collection<?> c) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	public List<Claim> subList(int fromIndex, int toIndex) {
+		return Collections.unmodifiableList(super.subList(fromIndex, toIndex));
+	}
+
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/ClaimTypes.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,141 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.net.URI;
+
+/**
+ * This holds a collection of Claims.
+ * 
+ * @author Oliver Wulff
+ */
+public interface ClaimTypes {
+    /**
+     * The base XML namespace URI that is used by the claim types
+     * http://docs.oasis-open.org/imi/identity/v1.0/os/identity-1.0-spec-os.pdf
+     */
+    public static final URI URI_BASE = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims");
+    
+    /**
+     * (givenName in [RFC 2256]) Preferred name or first name of a Subject.
+     * According to RFC 2256: This attribute is used to hold the part of a person's name 
+     * which is not their surname nor middle name.
+     */
+    public static final URI FIRSTNAME = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
+    
+    /**
+     * (sn in [RFC 2256]) Surname or family name of a Subject.
+     * According to RFC 2256: This is the X.500 surname attribute which contains the family name of a person.
+     */
+    public static final URI LASTNAME = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname");    
+    
+    /**
+     * (mail in inetOrgPerson) Preferred address for the "To:" field of email
+     * to be sent to the Subject, usually of the form <user>@<domain>.
+     * According to inetOrgPerson using [RFC 1274]: This attribute type specifies
+     * an electronic mailbox attribute following the syntax specified in RFC 822.
+     */
+    public static final URI EMAILADDRESS = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");    
+    
+    /**
+     * (street in [RFC 2256]) Street address component of a Subject‟s address information.
+     * According to RFC 2256: This attribute contains the physical address of the object
+     * to which the entry corresponds, such as an address for package delivery.
+     */
+    public static final URI STREETADDRESS = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress");    
+    
+    /**
+     * (/ in [RFC 2256]) Locality component of a Subject's address information.
+     * According to RFC 2256: This attribute contains the name of a locality, such as a city, county or other geographic region.
+     */
+    public static final URI LOCALITY = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality"); 
+    
+    /**
+     * (st in [RFC 2256]) Abbreviation for state or province name of a Subject's address information.
+     * According to RFC 2256: “This attribute contains the full name of a state or province.
+     * The values SHOULD be coordinated on a national level and if well-known shortcuts exist.
+     */
+    public static final URI STATE_PROVINCE = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince");    
+
+    /**
+     * (postalCode in X.500) Postal code or zip code component of a Subject's address information.
+     * According to X.500(2001): The postal code attribute type specifies the postal code of the named object.
+     */
+    public static final URI POSTALCODE = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode");
+    
+    /**
+     * (c in [RFC 2256]) Country of a Subject.
+     * According to RFC 2256: This attribute contains a two-letter ISO 3166 country code.
+     */
+    public static final URI COUNTRY = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country");
+    
+    /**
+     * (homePhone in inetOrgPerson) Primary or home telephone number of a Subject.
+     * According to inetOrgPerson using [RFC 1274]: This attribute type specifies a home telephone number associated with a person.
+     */
+    public static final URI HOMEPHONE = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone");
+    
+    /**
+     * (telephoneNumber in X.500 Person) Secondary or work telephone number of a Subject.
+     * According to X.500(2001): This attribute type specifies an office/campus telephone number associated with a person.
+     */
+    public static final URI OTHERPHONE = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone");    
+
+    /**
+     * (mobile in inetOrgPerson) Mobile telephone number of a Subject.
+     * According to inetOrgPerson using [RFC 1274]: This attribute type specifies a mobile telephone number associated with a person.
+     */
+    public static final URI MOBILEPHONE = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone");
+    
+    /**
+     * The date of birth of a Subject in a form allowed by the xs:date data type.
+     */
+    public static final URI DATEOFBIRTH = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth");
+    
+    /**
+     * Gender of a Subject that can have any of these exact URI values
+     *   '0' (meaning unspecified), '1' (meaning Male) or '2' (meaning Female)
+     */
+    public static final URI GENDER = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender");
+    
+    /**
+     * A private personal identifier (PPID) that identifies the Subject to a Relying Party.
+     */
+    public static final URI PRIVATE_PERSONAL_IDENTIFIER = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier");
+    
+    /**
+     * The Web page of a Subject expressed as a URL.
+     */
+    public static final URI WEB_PAGE = 
+            URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage");    
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConfiguration.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,123 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.net.URI;
+import java.util.List;
+//[TODO]check if we can cache / clone the config 
+public class FederationConfiguration {
+
+	private String freshness;
+	private String trustedIssuer;
+	private String realm;
+	private String authenticationType;
+	private URI roleURI;
+	private String roleDelimiter;
+	private String trustStoreFile;
+	private String trustStorePassword;
+	private List<Class<TokenValidator>> tokenValidators;
+	private int maxClockSkew = 0;
+	private boolean detectReplayedTokens = true;
+	private long tokenReplayCacheExpirationTime = 0;
+	private boolean detectExpiredTokens = true;
+	
+	//[TODO] TokenReplayCacheExpirationPeriod
+	//[TODO] DetectReplayedTokens
+	
+	
+	public String getFreshness() {
+		return freshness;
+	}
+	public void setFreshness(String freshness) {
+		this.freshness = freshness;
+	}
+	public String getTrustedIssuer() {
+		return trustedIssuer;
+	}
+	public void setTrustedIssuer(String trustedIssuer) {
+		this.trustedIssuer = trustedIssuer;
+	}
+	public String getRealm() {
+		return realm;
+	}
+	public void setRealm(String realm) {
+		this.realm = realm;
+	}
+	public String getAuthenticationType() {
+		return authenticationType;
+	}
+	public void setAuthenticationType(String authenticationType) {
+		this.authenticationType = authenticationType;
+	}
+	public URI getRoleURI() {
+		return roleURI;
+	}
+	public void setRoleURI(URI roleURI) {
+		this.roleURI = roleURI;
+	}
+	public String getRoleDelimiter() {
+		return roleDelimiter;
+	}
+	public void setRoleDelimiter(String roleDelimiter) {
+		this.roleDelimiter = roleDelimiter;
+	}
+	public List<Class<TokenValidator>> getTokenValidators() {
+		return tokenValidators;
+	}
+	public void setTokenValidators(List<Class<TokenValidator>> tokenValidators) {
+		this.tokenValidators = tokenValidators;
+	}
+	public int getMaxClockSkew() {
+		return maxClockSkew;
+	}
+	public void setMaxClockSkew(int maxClockSkew) {
+		this.maxClockSkew = maxClockSkew;
+	}
+	public boolean isDetectReplayedTokens() {
+		return detectReplayedTokens;
+	}
+	public void setDetectReplayedTokens(boolean detectReplayedTokens) {
+		this.detectReplayedTokens = detectReplayedTokens;
+	}
+	public long getTokenReplayCacheExpirationTime() {
+		return tokenReplayCacheExpirationTime;
+	}
+	public void setTokenReplayCacheExpirationTime(
+			long tokenReplayCacheExpirationTime) {
+		this.tokenReplayCacheExpirationTime = tokenReplayCacheExpirationTime;
+	}
+	public boolean isDetectExpiredTokens() {
+		return detectExpiredTokens;
+	}
+	public void setDetectExpiredTokens(boolean detectExpiredTokens) {
+		this.detectExpiredTokens = detectExpiredTokens;
+	}
+	public void setTrustStoreFile(String trustStoreFile) {
+		this.trustStoreFile = trustStoreFile;
+	}
+	public String getTrustStoreFile() {
+		return trustStoreFile;
+	}
+	public void setTrustStorePassword(String trustStorePassword) {
+		this.trustStorePassword = trustStorePassword;
+	}
+	public String getTrustStorePassword() {
+		return trustStorePassword;
+	}
+	
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,214 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.net.URI;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+public class FederationConstants {
+	
+	public static final String WSFED_METHOD = "WSFED";
+	
+	public static final URI DEFAULT_ROLE_URI = URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
+	
+    /**
+     * Constants defined in following spec:
+     * http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html
+     */
+	
+    /**
+     * This REQUIRED parameter specifies the action to be performed.
+     * Note that this serves roughly the same purpose as the WS-Addressing Action header for the WS-Trust SOAP RST messages.
+     */
+	public static final String PARAM_ACTION = "wa";
+	
+	public static final String ACTION_SIGNIN = "wsignin1.0";
+	public static final String ACTION_SIGNOUT = "wsignout1.0";
+	public static final String ACTION_SIGNOUT_CLEANUP = "wsignoutcleanup1.0";
+	
+	
+    /**
+     * This OPTIONAL parameter is the URL to which responses are directed.
+     * Note that this serves roughly the same purpose as the WS-Addressing <wsa:ReplyTo> header for the WS-Trust SOAP RST messages.
+     */
+	public static final String PARAM_REPLY = "wreply";
+	
+	
+    /**
+     * This REQUIRED parameter is the URI of the requesting realm. 
+     * Note that this serves roughly the same purpose as the AppliesTo element in the WS-Trust SOAP RST messages.
+     */
+	public static final String PARAM_TREALM = "wtrealm";
+	
+	
+    /**
+     * This OPTIONAL parameter indicates the freshness requirements.
+     * If specified, this indicates the desired maximum age of authentication specified in minutes.
+     * An IP/STS SHOULD NOT issue a token with a longer lifetime.
+     * If specified as “0” it indicates a request for the IP/STS to re-prompt the user for authentication before issuing the token.
+     * Note that this serves roughly the same purpose as the Freshness element in the WS-Trust SOAP RST messages.
+     */
+	public static final String PARAM_FRESHNESS = "wfresh";
+	
+	
+    /**
+     * This OPTIONAL parameter indicates the REQUIRED authentication level.
+     * Note that this parameter uses the same URIs and is equivalent to the wst:AuthenticationType element in the WS-Trust SOAP RST messages.
+     */
+	public static final String PARAM_AUTH_TYPE = "wauth";
+	
+	
+    /**
+     * This OPTIONAL parameter specifies a token request using either a <wst:RequestSecurityToken> element or a full request message as described in WS-Trust.
+     * If this parameter is not specified, it is assumed that the responding service knows the correct type of token to return.
+     * Note that this can contain the same RST payload as used in WS-Trust RST messages.
+     */
+	public static final String PARAM_REQUEST = "wreq";
+	
+	
+    /**
+     * This OPTIONAL parameter indicates the current time at the sender for ensuring freshness.  This parameter is the string encoding of time using the XML Schema datetime time using UTC notation.
+     * Note that this serves roughly the same purpose as the WS-Security Timestamp elements in the Security headers of the SOAP RST messages.
+     */
+	public static final String PARAM_CURRENT_TIME = "wct";
+	
+	
+    /**
+     * This OPTIONAL parameter is an opaque context value that MUST be returned with the issued token if it is passed in the request.
+     * Note that this serves roughly the same purpose as the WS-Trust SOAP RST @Context attribute.
+     */
+	public static final String PARAM_CONTEXT = "wctx";
+	
+	
+    /**
+     * This OPTIONAL parameter is the URL for the policy which can be obtained using an HTTP GET
+     * and identifies the policy to be used related to the action specified in "wa", but MAY have a broader scope than just the "wa".
+     * Note that this serves roughly the same purpose as the Policy element in the WS-Trust SOAP RST messages.
+     */
+	public static final String PARAM_POLICY = "wp";
+	
+	
+    /**
+     * This OPTIONAL parameter indicates the federation context in which the request is made.
+     * This is equivalent to the FederationId parameter in the RST message.
+     */
+	public static final String PARAM_FED_CONTEXT = "wfed";
+	
+	
+    /**
+     * This OPTIONAL parameter indicates the encoding style to be used for XML parameter content.
+     * If not specified the default behavior is to use standard URL encoding rules
+     */
+	public static final String PARAM_ENCODING = "wencoding";
+	
+	
+    /**
+     * This REQUIRED parameter specifies the result of the token issuance.
+     * This can take the form of the <wst:RequestSecurityTokenResponse> element or <wst:RequestSecurityTokenResponseCollection> element, a SOAP security token request response (that is, a <S:Envelope>) as detailed in WS-Trust, or a SOAP <S:Fault> element.
+     */
+	public static final String PARAM_RESULT = "wresult";
+	
+	
+    /**
+     * This  OPTIONAL parameter indicates the account partner realm of the client.  This parameter is used to indicate the IP/STS address for the requestor.
+     * This may be specified directly as a URL or indirectly as an identifier (e.g. urn: or uuid:).
+     * In the case of an identifier the recipient is expected to know how to translate this (or get it translated) to a URL.
+     * When the whr parameter is used, the resource, or its local IP/STS, typically removes the parameter and writes a cookie to the client browser to remember this setting for future requests.
+     * Then, the request proceeds in the same way as if it had not been provided.
+     * Note that this serves roughly the same purpose as federation metadata for discovering IP/STS locations previously discussed.
+     */
+	public static final String PARAM_HOME_REALM = "whr";
+	
+	
+    /**
+     * This OPTIONAL parameter specifies a URL for where to find the request expressed as a <wst:RequestSecurityToken> element.
+     * Note that this does not have a WS-Trust parallel.
+     * The wreqptr parameter MUST NOT be included in a token request if wreq is present.
+     */
+	public static final String PARAM_REQUEST_PTR = "wreqptr";
+	
+	
+    /**
+     * This parameter specifies a URL to which an HTTP GET can be issued.
+     * The result is a document of type text/xml that contains the issuance result.
+     * This can either be the <wst:RequestSecurityTokenResponse> element, the <wst:RequestSecurityTokenResponseCollection> element, a SOAP response, or a SOAP <S:Fault> element.
+     */
+	public static final String PARAM_RESULT_PTR = "wresultptr";
+	
+	
+	
+    public static final Map<String, URI> AUTH_TYPE_MAP;
+    static {
+        Map<String, URI> aMap = new HashMap<String, URI>();
+        aMap.put("UNKNOWN", FederationConstants.AUTH_TYPE_UNKNOWN);
+        aMap.put("DEFAULT", FederationConstants.AUTH_TYPE_DEFAULT);
+        aMap.put("SSL", FederationConstants.AUTH_TYPE_SSL);
+        aMap.put("SSL_AND_KEY", FederationConstants.AUTH_TYPE_SSL_AND_KEY);
+        aMap.put("SSL_STRONG_PASSWORD", FederationConstants.AUTH_TYPE_SSL_STRONG_PASSWORD);
+        aMap.put("SSL_STRONG_PASSWORD_EXPIRATION", FederationConstants.AUTH_TYPE_SSL_STRONG_PASSWORD_EXPIRATION);
+        aMap.put("SMARTCARD", FederationConstants.AUTH_TYPE_SMARTCARD);
+        AUTH_TYPE_MAP = Collections.unmodifiableMap(aMap);
+    }
+
+	
+	
+    /**
+     * Unknown level of authentication
+     */
+	public static final URI AUTH_TYPE_UNKNOWN = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/unknown");
+	
+	/**
+     * Default sign-in mechanisms
+     */
+	public static final URI AUTH_TYPE_DEFAULT = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default");
+
+	/**
+     * Sign-in using SSL
+     */
+	public static final URI AUTH_TYPE_SSL = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl");
+	
+	/**
+     * Sign-in using SSL and a security key
+     */
+	public static final URI AUTH_TYPE_SSL_AND_KEY = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey");
+	
+	/**
+     * Sign-in using SSL and a “strong” password
+     */
+	public static final URI AUTH_TYPE_SSL_STRONG_PASSWORD = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndStrongPasssword");
+	
+	/**
+     * Sign-in using SSL and a “strong” password with expiration
+     */
+	public static final URI AUTH_TYPE_SSL_STRONG_PASSWORD_EXPIRATION = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndStrongPasswordWithExpiration");
+	
+	/**
+     * Sign-in using Smart Card
+     */
+	public static final URI AUTH_TYPE_SMARTCARD = URI.create("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard");
+	
+	
+	
+	
+	
+	
+	
+	
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+public interface FederationProcessor {
+
+	public FederationResponse processRequest(FederationRequest request, FederationConfiguration config);
+	
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,235 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.text.DateFormat;
+import java.text.ParseException;
+import java.util.Calendar;
+import java.util.Date;
+
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
+import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+public class FederationProcessorImpl implements FederationProcessor {
+
+	private static final Logger LOG = LoggerFactory.getLogger(FederationProcessorImpl.class);
+
+	
+	private String namespace = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
+	
+	private TokenReplayCache<String> replayCache = null;
+
+	/**
+	 * Default constructor 
+	 */
+
+	public FederationProcessorImpl() {
+		super();
+		replayCache = TokenReplayCacheInMemory.getInstance();
+	}
+	
+	
+	/**
+	 * 
+	 * @param replayCache plugable token cache allowing to provide a replicated cache to be used in clustered scenarios 
+	 */
+	
+	public FederationProcessorImpl(TokenReplayCache<String> replayCache) {
+		super();
+		this.replayCache = replayCache;
+	}
+
+
+
+	@Override
+	public FederationResponse processRequest(FederationRequest request, FederationConfiguration config) {
+		FederationResponse response = null;
+		
+		if (request.getWa().equals(FederationConstants.ACTION_SIGNIN)) {
+			response = this.processSignInRequest(request, config);
+		}
+		
+		return response;
+	}
+	
+	protected FederationResponse processSignInRequest(FederationRequest request, FederationConfiguration config) {
+		
+		byte[] wresult = request.getWresult().getBytes();
+		
+		Document doc = null;
+		Element el = null;
+		try {
+			doc = DOMUtils.readXml(new ByteArrayInputStream(wresult));
+			el = doc.getDocumentElement();
+			
+		} catch (SAXException e) {
+			e.printStackTrace();
+			return null;
+		} catch (IOException e) {
+			e.printStackTrace();
+			return null;
+		} catch (ParserConfigurationException e) {
+			e.printStackTrace();
+			return null;
+		}
+		
+		
+		
+		if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
+            el = DOMUtils.getFirstElement(el);
+        }
+        if (!"RequestSecurityTokenResponse".equals(el.getLocalName())) {
+        	throw new RuntimeException("Unexpected element " + el.getLocalName());
+        }
+        el = DOMUtils.getFirstElement(el);
+        Element rst = null;
+        Element lifetimeElem = null;
+        String tt = null;
+
+        while (el != null) {
+            String ln = el.getLocalName();
+            if (namespace.equals(el.getNamespaceURI())) {
+                if ("Lifetime".equals(ln)) {
+                	lifetimeElem = el;
+                } else if ("RequestedSecurityToken".equals(ln)) {
+                    rst = DOMUtils.getFirstElement(el);
+                } else if ("TokenType".equals(ln)) {
+                    tt = DOMUtils.getContent(el);
+                }
+            }
+            el = DOMUtils.getNextElement(el);
+        }
+        if (LOG.isDebugEnabled()) {
+        	LOG.debug("RST: " + rst.toString());
+        	LOG.debug("Lifetime: " + ((lifetimeElem != null) ? lifetimeElem.toString() : "null"));
+        	LOG.debug("Tokentype: " + ((tt != null) ? tt.toString() : "null"));
+        }
+		
+		LifeTime lifeTime = null;
+	    if (lifetimeElem != null) {
+	    	lifeTime = processLifeTime(lifetimeElem);
+	    }
+	    
+	    if (config.isDetectExpiredTokens() && lifeTime != null) {
+		    Calendar cal = Calendar.getInstance();
+		    if ( cal.getTime().after(lifeTime.getExpires()) ) {
+		    	LOG.warn("Token already expired");
+		    }
+		    
+		    if ( cal.getTime().before(lifeTime.getCreated())) {
+		    	LOG.warn("Token not yet valid");
+		    	//[TODO] Add Check clocksqew
+		    }
+	    }
+	    
+	    //[TODO] Exception: TokenExpiredException, TokenInvalidException, TokenCachedException
+
+		//[TODO] Flexible tokenvalidator selection, based on class list
+		SAMLTokenValidator validator = new SAMLTokenValidator();
+		TokenValidatorResponse response = validator.validateAndProcessToken(rst, config);
+		
+		
+		//Check whether token already used for signin
+		if (response.getUniqueTokenId() != null && config.isDetectReplayedTokens()) {
+			// Check whether token has already been processed once, prevent replay attack
+			
+			if (replayCache.getId(response.getUniqueTokenId()) == null) {
+				// not cached
+				replayCache.putId(response.getUniqueTokenId());
+			}
+			else {
+				LOG.error("Replay attack with token id: " +response.getUniqueTokenId());
+				throw new RuntimeException("Replay attack with token id: " +response.getUniqueTokenId());
+			}
+		}
+		
+		// [TODO] Token, WeakReference, SoftReference???
+		FederationResponse fedResponse = new FederationResponse(response.getUsername(),
+				                             response.getIssuer(),
+				                             response.getRoles(),
+				                             response.getClaims(),
+				                             response.getAudience(),
+				                             (lifeTime != null) ? lifeTime.getCreated() : null,
+				                             (lifeTime != null) ? lifeTime.getExpires() : null,
+				                             rst,
+				                             response.getUniqueTokenId());
+		
+		return fedResponse;
+	}
+	
+	
+
+    
+    private LifeTime processLifeTime(Element lifetimeElem) {
+    	//[TODO] Get rid of WSS4J dependency
+        try {
+            Element createdElem = 
+                DOMUtils.getFirstChildWithName(lifetimeElem,
+                                                WSConstants.WSU_NS,
+                                                WSConstants.CREATED_LN);
+            DateFormat zulu = new XmlSchemaDateFormat();
+            
+            Date created = zulu.parse(DOMUtils.getContent(createdElem));
+
+            Element expiresElem = 
+                DOMUtils.getFirstChildWithName(lifetimeElem,
+                                                WSConstants.WSU_NS,
+                                                WSConstants.EXPIRES_LN);
+            Date expires = zulu.parse(DOMUtils.getContent(expiresElem));
+            
+            return new LifeTime(created, expires);
+            
+        } catch (ParseException e) {
+            e.printStackTrace();
+        }
+        return null;
+    }
+    
+    public class LifeTime {
+    	
+    	private Date created;
+    	private Date expires;
+    	
+    	    	
+    	public LifeTime(Date created, Date expires) {
+    		this.created = created;
+    		this.expires = expires;
+    	}
+
+		public Date getCreated() {
+			return created;
+		}
+
+		public Date getExpires() {
+			return expires;
+		}
+    	
+    }
+
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationRequest.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+public class FederationRequest {
+	
+	private String wa = null;
+	private String wresult = null;
+	private String wct = null;
+	
+	
+	public String getWct() {
+		return wct;
+	}
+	public void setWct(String wct) {
+		this.wct = wct;
+	}
+	
+	public String getWa() {
+		return wa;
+	}
+	public void setWa(String wa) {
+		this.wa = wa;
+	}
+	public String getWresult() {
+		return wresult;
+	}
+	public void setWresult(String wresult) {
+		this.wresult = wresult;
+	}
+
+	
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/FederationResponse.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.util.Collections;
+import java.util.Date;
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+public class FederationResponse {
+	
+	private String audience = null;
+	private String username = null;
+	private List<String> roles = null;
+	private String issuer = null;
+	private List<Claim> claims = null;
+	private Element token = null;
+	private String uniqueTokenId = null;
+	
+	/**
+	* Created time
+	*/
+	private Date tokenCreated = null;
+	
+	/**	* Expiration time
+	*/
+	private Date tokenExpires = null;
+	
+
+	
+	private FederationResponse() {}
+
+	public FederationResponse(String username, String issuer, List<String> roles, List<Claim> claims, String audience, Date created, Date expires, Element token, String uniqueTokenId) {
+		this.username = username;
+		this.issuer = issuer;
+		this.roles = roles;
+		this.claims = claims;
+		this.audience = audience;
+		this.tokenCreated = created;
+		this.tokenExpires = expires;
+		this.token = token;
+		this.uniqueTokenId = uniqueTokenId;
+	}
+	
+	
+
+	public String getUniqueTokenId() {
+		return uniqueTokenId;
+	}
+
+	public String getAudience() {
+		return audience;
+	}
+
+
+
+	public String getUsername() {
+		return username;
+	}
+
+
+
+	public List<String> getRoles() {
+		if (roles == null) return null;
+		else return Collections.unmodifiableList(roles);
+	}
+
+
+
+	public String getIssuer() {
+		return issuer;
+	}
+
+
+
+	public List<Claim> getClaims() {
+		if (claims == null) return null;
+		else return Collections.unmodifiableList(claims);
+	}
+
+
+
+	public Date getTokenCreated() {
+		return tokenCreated;
+	}
+
+
+
+	public Date getTokenExpires() {
+		return tokenExpires;
+	}
+	
+	public Element getToken() {
+		return token;
+	}
+	
+
+	
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,9 @@
+package org.apache.cxf.fediz.core;
+
+public interface TokenReplayCache<T> {
+
+	public abstract T getId(String id);
+
+	public abstract void putId(T id);
+
+}
\ No newline at end of file

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCacheInMemory.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+//TokenReplayCacheInMemory
+//[TODO] add properties TokenReplayCacheExpirationPeriod
+public final class TokenReplayCacheInMemory<T> implements TokenReplayCache<T>{
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 7269477566842444549L;
+	
+	private List<T> cache = null;
+	private static TokenReplayCache<String> instance = null;
+	
+	private TokenReplayCacheInMemory() {
+		cache = Collections.synchronizedList(new ArrayList<T>());
+	}
+	
+	synchronized public static TokenReplayCache<String> getInstance() {
+		if (instance != null) {
+			return instance;
+		}
+		instance = new TokenReplayCacheInMemory<String>();
+		return instance;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.apache.fediz.core.TokenReplayCache#getId(java.lang.String)
+	 */
+	@Override
+	public T getId(String id) {
+		int index = cache.indexOf(id);
+		if (index == -1) {
+			return null;
+		} else {
+			return cache.get(index);
+		}
+	}
+	
+	/* (non-Javadoc)
+	 * @see org.apache.fediz.core.TokenReplayCache#putId(T)
+	 */
+	@Override
+	public void putId(T id) {
+		cache.add(id);
+	}
+	
+
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidator.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import org.w3c.dom.Element;
+
+public interface TokenValidator {
+    
+	/**
+     * Return true if this TokenValidator implementation is capable of validating the
+     * TokenType argument.
+     */
+    public boolean canHandleTokenType(String tokenType);
+    
+	
+    /**
+     * Return true if this TokenValidator implementation is capable of validating the
+     * Token argument.
+     */
+	public boolean canHandleToken(Element token);
+
+	
+    /**
+     * Validate a Token using the given Element and Configuration.
+     */
+    TokenValidatorResponse validateAndProcessToken(Element token, FederationConfiguration config);
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core;
+
+import java.util.List;
+
+public class TokenValidatorResponse {
+	
+	private String username = null;
+	private String uniqueTokenId = null;
+	private List<String> roles = null;
+	private String issuer = null;
+	private String audience = null;
+	private List<Claim> claims = null;
+
+	
+	
+	public TokenValidatorResponse(String uniqueTokenId, String username, String issuer, List<String> roles, List<Claim> claims, String audience) {
+		this.username = username;
+		this.issuer = issuer;
+		this.roles = roles;
+		this.claims = claims;
+		this.audience = audience;
+		this.uniqueTokenId = uniqueTokenId;
+	}
+	
+	
+	public String getUsername() {
+		return username;
+	}
+	public String getUniqueTokenId() {
+		return uniqueTokenId;
+	}
+	public List<String> getRoles() {
+		return roles;
+	}
+	public String getIssuer() {
+		return issuer;
+	}
+	public String getAudience() {
+		return audience;
+	}
+	public List<Claim> getClaims() {
+		return claims;
+	}
+
+	
+	
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/WsFedPrincipal.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//[TODO] Should it be a Subject instead of Principal (tomcat uses a prinicpal in GenericPrinicpial)
+
+package org.apache.cxf.fediz.core;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
+
+@Deprecated
+public class WsFedPrincipal implements Principal {
+
+	protected String username = null;
+	protected List<String> roles = null;
+	protected ClaimCollection claims = null;
+
+	
+	public WsFedPrincipal(String username) {
+		this(username, null, null);
+	}
+		
+	public WsFedPrincipal(String username, List<String> roles) {
+		this(username, roles, null);
+	}
+		
+	public WsFedPrincipal(String username, List<String> roles, ClaimCollection claims) {
+		this.username = username;
+		this.roles = roles;
+		this.claims = claims;
+	}
+	
+	
+	@Override
+	public String getName() {
+		return this.username;
+	}
+	
+	
+	public List<String> getRoles() {
+		return Collections.unmodifiableList(this.roles);
+	}
+	
+
+	public ClaimCollection getClaims() {
+		return this.claims;
+	}
+	
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/CertConstraintsParser.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core.saml;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
+
+
+/**
+ * This class provides the functionality to match a given X509Certificate against a list of
+ * regular expressions.
+ */
+public class CertConstraintsParser {
+    
+    /**
+     * a collection of compiled regular expression patterns for the subject DN
+     */
+    private Collection<Pattern> subjectDNPatterns = new ArrayList<Pattern>();
+    
+    /**
+     * Set a list of Strings corresponding to regular expression constraints on the subject DN
+     * of a certificate
+     */
+    public void setSubjectConstraints(List<String> constraints) {
+        if (constraints != null) {
+            subjectDNPatterns = new ArrayList<Pattern>();
+            for (String constraint : constraints) {
+                try {
+                    subjectDNPatterns.add(Pattern.compile(constraint.trim()));
+                } catch (PatternSyntaxException ex) {
+                    //LOG.severe(ex.getMessage());
+                    throw ex;
+                }
+            }
+        }
+    }
+    
+    /**
+     * @return      true if the certificate's SubjectDN matches the constraints defined in the
+     *              subject DNConstraints; false, otherwise. The certificate subject DN only
+     *              has to match ONE of the subject cert constraints (not all).
+     */
+    public boolean
+    matches(
+        final java.security.cert.X509Certificate cert
+    ) {
+        if (!subjectDNPatterns.isEmpty()) {
+            if (cert == null) {
+                //LOG.fine("The certificate is null so no constraints matching was possible");
+                return false;
+            }
+            String subjectName = cert.getSubjectX500Principal().getName();
+            boolean subjectMatch = false;
+            for (Pattern subjectDNPattern : subjectDNPatterns) {
+                final Matcher matcher = subjectDNPattern.matcher(subjectName);
+                if (matcher.matches()) {
+                    //LOG.fine("Subject DN " + subjectName + " matches with pattern " + subjectDNPattern);
+                    subjectMatch = true;
+                    break;
+                }
+            }
+            if (!subjectMatch) {
+                return false;
+            }
+        }
+        
+        return true;
+    }
+}

Added: cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java?rev=1221896&view=auto
==============================================================================
--- cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java (added)
+++ cxf/sandbox/fediz/fediz-core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java Wed Dec 21 21:53:59 2011
@@ -0,0 +1,322 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cxf.fediz.core.saml;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Properties;
+import java.util.StringTokenizer;
+
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.cxf.fediz.core.Claim;
+import org.apache.cxf.fediz.core.ClaimCollection;
+import org.apache.cxf.fediz.core.FederationConfiguration;
+import org.apache.cxf.fediz.core.TokenValidator;
+import org.apache.cxf.fediz.core.TokenValidatorResponse;
+import org.apache.ws.security.SAMLTokenPrincipal;
+import org.apache.ws.security.WSDocInfo;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.validate.Credential;
+import org.apache.ws.security.validate.SignatureTrustValidator;
+import org.opensaml.common.SAMLVersion;
+import org.opensaml.xml.XMLObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Element;
+
+public class SAMLTokenValidator implements TokenValidator {
+	
+	private static final Logger LOG = LoggerFactory.getLogger(SAMLTokenValidator.class);
+	
+	
+	//[TODO] make sure we answer true only for cases we actually can handle
+	@Override
+	public boolean canHandleTokenType(String tokenType) {
+		return true;
+	}
+
+	@Override
+	public boolean canHandleToken(Element token) {
+		return true;
+	}
+	
+	@Override
+	public TokenValidatorResponse validateAndProcessToken(Element token, FederationConfiguration config) {
+		
+        try {
+        	
+        	Properties sigProperties = createCryptoProviderProperties(config.getTrustStoreFile(), config.getTrustStorePassword());
+        	                    	
+        	Crypto sigCrypto = CryptoFactory.getInstance(sigProperties);
+        	RequestData requestData = new RequestData();
+            requestData.setSigCrypto(sigCrypto);
+            WSSConfig wssConfig = WSSConfig.getNewInstance();
+            requestData.setWssConfig(wssConfig);
+            //not needed as no private key must be read
+            //requestData.setCallbackHandler(new PasswordCallbackHandler(password));
+        	
+	        AssertionWrapper assertion = new AssertionWrapper(token);
+	        if (!assertion.isSigned()) {
+	        	throw new RuntimeException("The received assertion is not signed, and therefore not trusted");
+	        }
+	        // Verify the signature
+	        assertion.verifySignature(
+	        	requestData, new WSDocInfo(token.getOwnerDocument())
+	        );
+	        
+	        // Now verify trust on the signature
+	        Credential trustCredential = new Credential();
+	        SAMLKeyInfo samlKeyInfo = assertion.getSignatureKeyInfo();
+	        trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
+	        trustCredential.setCertificates(samlKeyInfo.getCerts());
+	        
+	        SignatureTrustValidator trustValidator = new SignatureTrustValidator();
+	        trustValidator.validate(trustCredential, requestData);
+	        
+	        String assertionIssuer = assertion.getIssuerString();
+	        
+            // Finally check that subject DN of the signing certificate matches a known constraint
+            X509Certificate cert = null;
+            if (trustCredential.getCertificates() != null) {
+                cert = trustCredential.getCertificates()[0];
+            }
+            
+            List<String> subjectConstraints = Arrays.asList(config.getTrustedIssuer());
+            
+            CertConstraintsParser certConstraints = new CertConstraintsParser();
+            certConstraints.setSubjectConstraints(subjectConstraints);
+            
+            if (!certConstraints.matches(cert)) {
+            	throw new RuntimeException("Issuer '" + assertionIssuer + "' not trusted");
+            }
+            
+            
+            String audience = null;
+            List<Claim> claims = null;
+            if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+            	claims = parseClaimsInAssertion(assertion.getSaml2());
+            	audience = getAudienceRestriction(assertion.getSaml2());
+            } else if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_11)) {
+            	claims = parseClaimsInAssertion(assertion.getSaml1());
+            	audience = getAudienceRestriction(assertion.getSaml1());
+            }
+            
+            List<String> roles = null;
+            URI roleURI = config.getRoleURI();
+            String delim = config.getRoleDelimiter();
+            if (roleURI != null) {
+            	 for (Claim c: claims) {
+            		URI claimURI = URI.create(c.getNamespace() + "/" + c.getClaimType());
+                 	if (roleURI.equals(claimURI)) {
+                 		if (delim == null) { delim = ","; }
+                 		roles =  parseRoles(c.getValue(), delim);
+                 		claims.remove(c);
+                 		break;
+                 	}
+                 }
+            }
+                       
+            SAMLTokenPrincipal p = new SAMLTokenPrincipal(assertion);
+            
+            TokenValidatorResponse response = new TokenValidatorResponse(
+            		assertion.getId(),
+            		p.getName(),
+            		assertionIssuer,
+            		roles,
+            		claims,
+            		audience);
+            
+            return response;
+            
+        } catch (WSSecurityException ex) {
+        	//[TODO] proper exception handling
+        	throw new RuntimeException(ex);
+        }
+    }
+	
+	
+	protected List<Claim> parseClaimsInAssertion(org.opensaml.saml1.core.Assertion assertion) {
+		List<org.opensaml.saml1.core.AttributeStatement> attributeStatements = 
+            assertion.getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            if (LOG.isDebugEnabled()) {
+            	LOG.debug("No attribute statements found");
+            }            
+            return Collections.emptyList();
+        }
+        ClaimCollection collection = new ClaimCollection();
+        
+        for (org.opensaml.saml1.core.AttributeStatement statement : attributeStatements) {
+        	if (LOG.isDebugEnabled()) {
+            	LOG.debug("parsing statement: " + statement.getElementQName());
+            }
+        
+            List<org.opensaml.saml1.core.Attribute> attributes = statement.getAttributes();
+            for (org.opensaml.saml1.core.Attribute attribute : attributes) {
+            	if (LOG.isDebugEnabled()) {
+                	LOG.debug("parsing attribute: " + attribute.getAttributeName());
+                }
+            	Claim c = new Claim();
+            	c.setIssuer(assertion.getIssuer());
+            	c.setClaimType(URI.create(attribute.getAttributeName()));
+            	try {
+					c.setClaimType(new URI(attribute.getAttributeName()));
+				} catch (URISyntaxException e) {
+					LOG.warn("Invalid attribute name in attributestatement: " + e.getMessage());
+					continue;
+				}
+            	for (XMLObject attributeValue : attribute.getAttributeValues()) {
+                    Element attributeValueElement = attributeValue.getDOM();
+                    String value = attributeValueElement.getTextContent();
+                    if (LOG.isDebugEnabled()) {
+                    	LOG.debug(" [" + value + "]");
+                    }
+                    c.setValue(value);
+                    collection.add(c);
+                    break;                    
+                }
+            }
+        }
+        return collection;
+	}
+	
+	protected List<Claim> parseClaimsInAssertion(org.opensaml.saml2.core.Assertion assertion) {
+		List<org.opensaml.saml2.core.AttributeStatement> attributeStatements = 
+            assertion.getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            if (LOG.isDebugEnabled()) {
+            	LOG.debug("No attribute statements found");
+            }
+            return Collections.emptyList();
+        }
+        
+        List<Claim> collection = new ArrayList<Claim>();
+        
+        for (org.opensaml.saml2.core.AttributeStatement statement : attributeStatements) {
+        	if (LOG.isDebugEnabled()) {
+            	LOG.debug("parsing statement: " + statement.getElementQName());
+            }
+            List<org.opensaml.saml2.core.Attribute> attributes = statement.getAttributes();
+            for (org.opensaml.saml2.core.Attribute attribute : attributes) {
+            	if (LOG.isDebugEnabled()) {
+                	LOG.debug("parsing attribute: " + attribute.getName());
+                }
+            	Claim c = new Claim();
+            	c.setClaimType(URI.create(attribute.getName()));
+            	c.setIssuer(assertion.getIssuer().getNameQualifier());
+            	for (XMLObject attributeValue : attribute.getAttributeValues()) {
+                    Element attributeValueElement = attributeValue.getDOM();
+                    String value = attributeValueElement.getTextContent();
+                    if (LOG.isDebugEnabled()) {
+                    	LOG.debug(" [" + value + "]");
+                    }
+                    c.setValue(value);
+                    collection.add(c);
+                    break;
+                }
+            }
+        }
+        return collection;
+		
+	}
+	
+	protected List<String> parseRoles(String value, String delim) {
+		List<String> roles = new ArrayList<String>();
+		StringTokenizer st = new StringTokenizer(value, delim);
+		while (st.hasMoreTokens()) {
+			String role = st.nextToken();
+			roles.add(role);
+		}
+		return roles;
+	}
+	
+	protected String getAudienceRestriction(org.opensaml.saml1.core.Assertion assertion) {
+		String audience = null;
+		try {
+			audience = assertion.getConditions().getAudienceRestrictionConditions().get(0).getAudiences().get(0).getUri();
+		} catch (Exception ex) {
+			LOG.warn("Failed to read audience" + ex.getMessage());
+		}
+		return audience; 
+	}
+	
+	protected String getAudienceRestriction(org.opensaml.saml2.core.Assertion assertion) {
+		String audience = null;
+		try {
+			audience = assertion.getConditions().getAudienceRestrictions().get(0).getAudiences().get(0).getAudienceURI();
+		} catch (Exception ex) {
+			LOG.warn("Failed to read audience" + ex.getMessage());
+		}
+		return audience;
+        
+	}
+	
+	protected Properties createCryptoProviderProperties(String truststoreFile, String truststorePassword) {
+		Properties p = new Properties();
+		p.put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
+		p.put("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
+		p.put("org.apache.ws.security.crypto.merlin.keystore.password", truststorePassword);
+		p.put("org.apache.ws.security.crypto.merlin.keystore.file", truststoreFile);
+		return p;
+	}
+   
+	
+	// A sample MyHandler class
+	class PasswordCallbackHandler 
+	    implements CallbackHandler
+	{
+		private String password;
+		
+		private PasswordCallbackHandler() {}
+		
+		public PasswordCallbackHandler(String password) {
+			this.password = password;
+		}
+		
+	    public void handle(Callback[] callbacks) throws
+	        IOException, UnsupportedCallbackException
+	    {
+	        for (int i = 0; i < callbacks.length; i++) {
+	            if (callbacks[i] instanceof WSPasswordCallback) {
+	            	WSPasswordCallback nc = (WSPasswordCallback)callbacks[i];
+	                nc.setPassword(this.password);
+	            } else {
+	                throw new UnsupportedCallbackException(callbacks[i],
+	                                                       "Unrecognized Callback");
+	            }
+	        }
+	    }
+	}
+}



Mime
View raw message