cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From owu...@apache.org
Subject svn commit: r1414378 - in /cxf/fediz/trunk/services/idp/src/main: java/org/apache/cxf/fediz/service/idp/ resources/ webapp/WEB-INF/
Date Tue, 27 Nov 2012 20:30:48 GMT
Author: owulff
Date: Tue Nov 27 20:30:46 2012
New Revision: 1414378

URL: http://svn.apache.org/viewvc?rev=1414378&view=rev
Log:
Initial IDP refactoring

Added:
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AbstractAuthFilter.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthContext.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthenticationFilter.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthenticationFilter.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationPostFilter.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/ProcessingException.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/SessionCacheFilter.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/States.java
Modified:
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/LogoutFilter.java
    cxf/fediz/trunk/services/idp/src/main/resources/logging.properties
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AbstractAuthFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AbstractAuthFilter.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AbstractAuthFilter.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AbstractAuthFilter.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,183 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+public abstract class AbstractAuthFilter implements Filter {
+
+    public static final String PRE_STATE = "pre-state";
+    public static final String NEXT_STATE = "next-state";
+    public static final String PROCESSING_STATE = "processing-state";
+    
+    //@SuppressWarnings("PMD")
+    //protected static Logger LOG;
+    private static final Logger LOG = LoggerFactory.getLogger(AbstractAuthFilter.class);
+
+    // String used because of custom states, state set during processing time are stored in AuthContext
+    private String preState;
+    private String nextState;
+
+    enum ProcessingState {
+        CONTINUE,
+        SEND_RESPONSE
+    }
+    
+    public void setNextState(String state, AuthContext context) {
+        context.put(NEXT_STATE, state);
+    }
+    
+    public String getNextState(AuthContext context, boolean remove) {
+        String updatedNextState = (String)context.get(NEXT_STATE);
+        if (updatedNextState != null) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("next-state [" + updatedNextState + "] overwritten by filter");
+            }
+            if (remove) {
+                context.remove(NEXT_STATE);
+            }
+            return updatedNextState;
+        } else {
+            return nextState;
+        }
+    }
+    
+    public String getNextState(AuthContext context) {
+        return getNextState(context, false);
+    }
+    
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        preState = filterConfig.getInitParameter(PRE_STATE);
+        if (LOG.isDebugEnabled()) {
+            if (preState == null) {
+                LOG.debug("Parameter '" + PRE_STATE + "' not defined");
+            } else {
+                LOG.debug("Parameter '" + PRE_STATE + "' set to [" + preState + "]");
+            }
+        }
+        
+        nextState = filterConfig.getInitParameter(NEXT_STATE);
+        if (LOG.isDebugEnabled()) {
+            if (nextState == null) {
+                LOG.debug("Parameter '" + NEXT_STATE + "' not defined");
+            } else {
+                LOG.debug("Parameter '" + NEXT_STATE + "' set to [" + nextState + "]");
+            }
+        }
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response,
+                         FilterChain chain) throws IOException, ServletException {
+
+        HttpServletRequest hrequest = null;
+        if (request instanceof HttpServletRequest) {
+            hrequest = (HttpServletRequest)request;
+        } else {
+            throw new IllegalStateException("ServletRequest not of type HttpServletRequest");
+        }
+        HttpSession session = (HttpSession)hrequest.getSession(true);
+        AuthContext context = new AuthContext(session, hrequest);
+        
+        String currentState = null;
+        if (context.get(AuthContext.CURRENT_STATE) == null) {
+            currentState = States.NOT_AUTHENTICATED.toString();
+            context.put(AuthContext.CURRENT_STATE, currentState);
+            LOG.info("No state defined. Defaulting to [" + States.NOT_AUTHENTICATED.toString() + "]");
+        } else {
+            currentState = (String)context.get(AuthContext.CURRENT_STATE);
+            LOG.info("Current state: " + currentState);
+        }
+        if (preState == null) {
+            LOG.info("No pre-state defined. State condition ignored");
+            //throw new IllegalStateException("No pre-state defined");
+        }
+        if (preState == null || preState.equals(currentState)) {
+            if (preState == null) {
+                LOG.info("No pre-state defined. State condition ignored");
+            } else {
+                LOG.info("State condition met for " + this.getClass().getName());
+            }
+            try {
+                this.process(hrequest, (HttpServletResponse)response, context);
+                String resolvedNextState = getNextState(context, true);
+                if (resolvedNextState != null) {
+                    context.put(AuthContext.CURRENT_STATE, resolvedNextState);
+                    LOG.info("State changed to [" + resolvedNextState + "]");
+                } else {
+                    LOG.info("State remains at [" + currentState + "]");
+                }
+            } catch (ProcessingException ex) {
+                LOG.info("ProcessingException occured. Sending repsonse.");
+                //response message prepared by underlying filter, error code
+                return;
+            }
+        } else {
+            LOG.debug("State condition not met for " + this.getClass().getName() + ". Ignored."); 
+        }
+        if (context.get(PROCESSING_STATE) == null
+            || ProcessingState.CONTINUE.equals((ProcessingState)context.get(PROCESSING_STATE))) {
+            chain.doFilter(request, response);
+        } else {
+            LOG.info("Processing aborted. Invalidate session. Sending response.");
+            //session.invalidate(); //why???
+            //context.remove(PROCESSING_STATE); //why???
+        }
+        
+        if (hrequest.getSession(false) != null) {
+            context.put(AuthContext.CURRENT_STATE, context.get(AuthContext.CURRENT_STATE), true);
+            
+            if (context.get(AuthContext.INVALIDATE_SESSION) != null
+                && Boolean.TRUE.equals((Boolean)context.get(AuthContext.INVALIDATE_SESSION))) {
+                context.remove(AuthContext.INVALIDATE_SESSION);
+                session.invalidate();
+                LOG.info("Session invalidated");
+            }
+        }
+        
+        
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+
+    public abstract void process(HttpServletRequest request, HttpServletResponse response, AuthContext context)
+        throws IOException, ServletException, ProcessingException;
+
+
+}

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthContext.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthContext.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthContext.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthContext.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,132 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.util.Collection;
+import java.util.Map;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+public class AuthContext implements Map<String, Object> {
+
+    public static final String CURRENT_STATE = "current-state";
+    public static final String INVALIDATE_SESSION = "invalidate-session";
+    public static final String IDP_PRINCIPAL = "IDP_PRINCIPAL";
+    public static final String AUTH_USERNAME = "auth-username";
+    public static final String AUTH_PASSWORD = "auth-password";
+
+
+    private HttpSession session;
+    private HttpServletRequest request;
+
+    public AuthContext(HttpSession session, HttpServletRequest request) {
+        this.session = session;
+        this.request = request;
+    }
+
+    @Override
+    public int size() {
+        throw new UnsupportedOperationException("method 'size' not supported");
+    }
+
+    @Override
+    public boolean isEmpty() {
+        throw new UnsupportedOperationException("method 'isEmpty' not supported");
+    }
+
+    @Override
+    public boolean containsKey(Object key) {
+        throw new UnsupportedOperationException("method 'containsKey' not supported");
+    }
+
+    @Override
+    public boolean containsValue(Object value) {
+        throw new UnsupportedOperationException("method 'containsValue' not supported");
+    }
+
+    @Override
+    public Object get(Object key) {
+        Object value = request.getAttribute((String)key);
+        if (value != null) {
+            return value;
+        }
+        value = session.getAttribute((String)key);
+        return value;
+    }
+
+    @Override
+    public Object put(String key, Object value) {
+        Object oldValue = request.getAttribute((String)key);
+        request.setAttribute(key, value);
+        return oldValue;
+    }
+    
+    public Object put(String key, Object value, boolean storeInSession) {
+        Object oldValue = null;
+        if (storeInSession) {
+            oldValue = session.getAttribute((String)key);
+            session.setAttribute(key, value);
+        } else {
+            oldValue = request.getAttribute((String)key);
+            request.setAttribute(key, value);
+        }
+        return oldValue;
+    }
+
+    @Override
+    public Object remove(Object key) {
+        Object value = request.getAttribute((String)key);
+        if (value != null) {
+            request.removeAttribute((String)key);
+        }
+        value = session.getAttribute((String)key);
+        if (value != null) {
+            session.removeAttribute((String)key);
+        }
+        return value;
+    }
+
+    @Override
+    public void putAll(Map<? extends String, ? extends Object> m) {
+        throw new UnsupportedOperationException("method 'putAll' not supported");
+    }
+
+    @Override
+    public void clear() {
+        throw new UnsupportedOperationException("method 'clear' not supported");
+    }
+
+    @Override
+    public Set<String> keySet() {
+        throw new UnsupportedOperationException("method 'keySet' not supported");
+    }
+
+    @Override
+    public Collection<Object> values() {
+        throw new UnsupportedOperationException("method 'values' not supported");
+    }
+
+    @Override
+    public Set<java.util.Map.Entry<String, Object>> entrySet() {
+        throw new UnsupportedOperationException("method 'entrySet' not supported");
+    }
+
+}

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthenticationFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthenticationFilter.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthenticationFilter.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/AuthenticationFilter.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AuthenticationFilter extends AbstractAuthFilter {
+
+    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationFilter.class);
+//    static {
+//        LOG = LoggerFactory.getLogger(AuthenticationFilter.class);
+//    }
+    
+    @Override
+    public void process(HttpServletRequest request,
+                        HttpServletResponse response, AuthContext context)
+        throws IOException, ServletException, ProcessingException {
+
+        //Only Username/password authentication supported
+        //otherwise parse wauth parameter
+        if (context.get(FederationFilter.PARAM_WAUTH) != null) {
+            LOG.warn("Parameter 'wauth' ignored");
+        }
+        this.setNextState(States.USERNAME_PASSWORD_REQUIRED.toString(), context);
+    }
+
+}

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthenticationFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthenticationFilter.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthenticationFilter.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/BasicAuthenticationFilter.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+import java.util.StringTokenizer;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.cxf.common.util.Base64Utility;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class BasicAuthenticationFilter extends AbstractAuthFilter {
+
+    public static final String AUTH_HEADER_NAME = "WWW-Authenticate";
+
+    private static final Logger LOG = LoggerFactory.getLogger(BasicAuthenticationFilter.class);
+    
+//    static {
+//        LOG = LoggerFactory.getLogger(BasicAuthenticationFilter.class);
+//    }
+
+    @Override
+    public void process(HttpServletRequest request,
+                        HttpServletResponse response, AuthContext context)
+        throws IOException, ServletException {
+
+        String auth = request.getHeader("Authorization");
+        LOG.debug("Authorization header: " + auth);
+
+        if (auth == null) {
+            // request authentication from browser
+            StringBuilder value = new StringBuilder(16);
+            value.append("Basic realm=\"IDP\"");
+            response.setHeader(AUTH_HEADER_NAME, value.toString());
+            response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private");
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+            this.setNextState(States.USERNAME_PASSWORD_REQUIRED.toString(), context);
+            // signal to send response to client or throw exception
+            // SEND_RESPONSE, CONTINUE
+            context.put(AbstractAuthFilter.PROCESSING_STATE, AbstractAuthFilter.ProcessingState.SEND_RESPONSE);
+            return;
+
+        } else {
+            String username = null;
+            String password = null;
+
+            try {
+                StringTokenizer st = new StringTokenizer(auth, " ");
+                String authType = st.nextToken();
+                String encoded = st.nextToken();
+
+                if (!authType.equalsIgnoreCase("basic")) {
+                    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid Authorization header");
+                    return;
+                }
+
+                String decoded = new String(
+                                            Base64Utility.decode(encoded));
+
+                int colon = decoded.indexOf(':');
+                if (colon < 0) {
+                    username = decoded;
+                } else {
+                    username = decoded.substring(0, colon);
+                    password = decoded.substring(colon + 1,
+                                                 decoded.length());
+                }
+                context.put(AuthContext.AUTH_USERNAME, username);
+                context.put(AuthContext.AUTH_PASSWORD, password);
+
+            } catch (Exception ex) {
+                LOG.error("Invalid Authorization header", ex);
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
+                    "Invalid Authorization header");
+                throw new ProcessingException("Invalid Authorization header");
+            }
+        }
+    }
+
+}

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationFilter.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,153 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class FederationFilter extends AbstractAuthFilter {
+
+    public static final String PARAM_ACTION = "wa";
+
+    public static final String ACTION_SIGNIN = "wsignin1.0";
+
+    public static final String ACTION_SIGNOUT = "wsignout1.0";
+
+    public static final String ACTION_SIGNOUT_CLEANUP = "wsignoutcleanup1.0";
+
+    public static final String PARAM_WTREALM = "wtrealm";
+
+    public static final String PARAM_WREPLY = "wreply";
+
+    public static final String PARAM_WRESULT = "wresult";
+
+    public static final String PARAM_WCONTEXT = "wctx";
+
+    public static final String PARAM_WFRESH = "wfresh";
+
+    public static final String PARAM_WAUTH = "wauth";
+    
+    public static final String PARAM_SESSION_TOKEN = "session.token";
+
+    private static final Logger LOG = LoggerFactory.getLogger(FederationFilter.class);
+    
+    
+    private String sessionToken;
+//    static {
+//        LOG = LoggerFactory.getLogger(FederationFilter.class);
+//    }
+    
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        super.init(filterConfig);
+        
+        sessionToken = filterConfig.getInitParameter(PARAM_SESSION_TOKEN);
+        if (sessionToken != null && sessionToken.length() > 0) {
+            LOG.info("Configured Session token: " + sessionToken);
+        }
+    }
+
+    @Override
+    public void process(HttpServletRequest request,
+                        HttpServletResponse response, AuthContext context)
+        throws IOException, ServletException, ProcessingException {
+
+
+        String action = request.getParameter(PARAM_ACTION);
+        String wtrealm = request.getParameter(PARAM_WTREALM);
+        String wctx = request.getParameter(PARAM_WCONTEXT);
+        String wreply = request.getParameter(PARAM_WREPLY);
+        String wfresh = request.getParameter(PARAM_WFRESH);
+        String wauth = request.getParameter(PARAM_WAUTH);
+
+        if (action == null) {
+            //[TODO] should not fail because other filter might be relevant
+            //Initial session state (AUTHENTICATED) ignored, but STSClientFilter requires SECURITY_TOKEN_REQUIRED
+            LOG.info("Not a WS-Federation request");
+            return;
+            /* LOG.error("Bad request. HTTP parameter '" + PARAM_ACTION
+                      + "' missing");
+            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Parameter "
+                               + PARAM_ACTION + " missing");
+            throw new ProcessingException("Bad request. HTTP parameter '" + PARAM_ACTION
+                                          + "' missing");
+                                          */
+        }
+        if (action.equals(ACTION_SIGNIN)) {
+            LOG.debug("Sign-In request [" + PARAM_ACTION + "=" + ACTION_SIGNIN
+                      + "] ...");
+
+            if (wtrealm == null || wtrealm.length() == 0) {
+                LOG.error("Bad request. HTTP parameter '" + ACTION_SIGNIN
+                          + "' missing");
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
+                                   "Parameter " + ACTION_SIGNIN + " missing");
+                throw new ProcessingException("Bad request. HTTP parameter '" + ACTION_SIGNIN
+                                              + "' missing");
+            }
+            boolean authenticationRequired = false;
+
+            context.put(PARAM_WCONTEXT, wctx);
+            context.put(PARAM_WTREALM, wtrealm);
+            context.put(PARAM_WREPLY, wreply);
+            context.put(PARAM_WAUTH, wauth);
+            context.put(PARAM_ACTION, action);
+
+
+            SecurityToken idpToken = null;
+            idpToken = (SecurityToken)context.get(sessionToken);
+            String user = (String)context.get(AuthContext.IDP_PRINCIPAL);
+            if (idpToken == null) {
+                LOG.debug("IDP token not found");
+                authenticationRequired = true;
+            } else {
+                if (idpToken.isExpired()) {
+                    LOG.info("IDP token of '" + user + "' expired. Require authentication.");
+                    authenticationRequired = idpToken.isExpired();
+                } else if (wfresh != null && wfresh.equals("0")) {
+                    LOG.info("IDP token of '" + user + "' valid but relying party requested new authentication");
+                    authenticationRequired = true;
+                } else {
+                    LOG.debug("Session found for '" + user + "'.");
+                    //Add it to the request context
+                    context.put(sessionToken, idpToken);
+                    context.put(AuthContext.IDP_PRINCIPAL, user);
+                }
+            }
+            if (authenticationRequired) {
+                context.remove(sessionToken);
+                this.setNextState(States.AUTHENTICATION_REQUIRED.toString(), context);
+            } else {
+                this.setNextState(States.SECURITY_TOKEN_REQUIRED.toString(), context);
+            }
+
+        }
+    }
+
+
+
+}

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationPostFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationPostFilter.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationPostFilter.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationPostFilter.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class FederationPostFilter extends AbstractAuthFilter {
+
+    private static final String PARAM_TOKEN_STORE_NAME = "token.store.name";
+
+    private static final Logger LOG = LoggerFactory.getLogger(FederationPostFilter.class);
+    
+//    static {
+//        LOG = LoggerFactory.getLogger(FederationPostFilter.class);
+//    }
+    
+    protected String tokenStoreName;
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        super.init(filterConfig);
+
+        tokenStoreName = filterConfig.getInitParameter(PARAM_TOKEN_STORE_NAME);
+        if (tokenStoreName == null) {
+            throw new ServletException(
+                                       "Parameter '" + PARAM_TOKEN_STORE_NAME + "' not configured");
+        }
+    }
+
+    @Override
+    public void process(HttpServletRequest request,
+                        HttpServletResponse response, AuthContext context)
+        throws IOException, ServletException, ProcessingException {
+
+        if (context.get(FederationFilter.PARAM_ACTION) == null) {
+            LOG.info("Not a WS-Federation request");            
+            return;
+        }
+        
+        try {
+            Object obj = context.get(tokenStoreName);
+            if (!(obj instanceof String)) {
+                LOG.error("Token in '" + tokenStoreName + "' not of type String/RSTR");
+                throw new IllegalStateException("Token in '" + tokenStoreName + "' not of type String/RSTR");
+            }
+            request.setAttribute("fed." + FederationFilter.PARAM_WRESULT,
+                                 StringEscapeUtils.escapeXml((String)obj));
+            String wctx = (String)context.get(FederationFilter.PARAM_WCONTEXT);
+            if (wctx != null) {
+                request.setAttribute("fed." + FederationFilter.PARAM_WCONTEXT,
+                                     StringEscapeUtils.escapeXml(wctx));
+            }
+            String wreply = (String)context.get(FederationFilter.PARAM_WREPLY);
+            String wtrealm = (String)context.get(FederationFilter.PARAM_WTREALM);
+            if (wreply == null) {
+                request.setAttribute("fed.action", wtrealm);
+            } else {
+                request.setAttribute("fed.action", wreply);
+            }
+
+        } catch (Exception ex) {
+            LOG.warn("Requesting security token failed", ex);
+            response.sendError(HttpServletResponse.SC_FORBIDDEN,
+                "Requesting security token failed");
+            throw new ProcessingException("Requesting security token failed");          
+        }
+
+        LOG.debug("Forward to jsp...");
+        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private");
+        request.getRequestDispatcher("/WEB-INF/signinresponse.jsp")
+            .forward(request, response);
+
+    }
+
+}

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/LogoutFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/LogoutFilter.java?rev=1414378&r1=1414377&r2=1414378&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/LogoutFilter.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/LogoutFilter.java Tue Nov 27 20:30:46 2012
@@ -16,67 +16,76 @@
  * specific language governing permissions and limitations
  * under the License.
  */
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
 package org.apache.cxf.fediz.service.idp;
 
 import java.io.IOException;
 
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
-//import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+public class LogoutFilter extends AbstractAuthFilter {
 
-public class LogoutFilter implements Filter {
+    public static final String PARAM_LOGOUT_URI = "logout.uri";
     
-    public static final String IDP_USER = "idp-user";
-
-    public static final String LOGOUT_URI = "logout.uri";
-
     private static final Logger LOG = LoggerFactory.getLogger(LogoutFilter.class);
-    
-    private String logoutUri = "logout";
 
+    private String logoutUri;
+    
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
-        if (filterConfig.getInitParameter(LOGOUT_URI) != null) {
-            logoutUri = filterConfig.getInitParameter(LOGOUT_URI);
+        super.init(filterConfig);
+        
+        logoutUri = filterConfig.getInitParameter(PARAM_LOGOUT_URI);
+        if (logoutUri != null && logoutUri.length() > 0) {
+            LOG.info("Configured logout URI: " + logoutUri);
         }
     }
-
+    
     @Override
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-        throws IOException, ServletException {
-        
-        if (request instanceof HttpServletRequest) {
-            HttpServletRequest hrequest = (HttpServletRequest)request;
-            if (hrequest.getParameter(this.logoutUri) != null) {
-                HttpSession session = hrequest.getSession(false);
-                if (session == null) {
-                    LOG.info("Logout ignored. No session available.");
-                    return;
-                }
-                
-                LOG.info("Logout session for '" + session.getAttribute(IDP_USER) + "'");
-                session.invalidate();
+    public void process(HttpServletRequest request,
+                        HttpServletResponse response, AuthContext context)
+        throws IOException, ServletException, ProcessingException {
+
+        if (request.getParameter(this.logoutUri) != null) {
+            HttpSession session = request.getSession(false);
+            if (session == null) {
+                LOG.info("Logout ignored. No session available.");
                 return;
             }
+            
+            LOG.info("Logout session for '" + context.get(AuthContext.IDP_PRINCIPAL) + "'");
+            context.put(AuthContext.INVALIDATE_SESSION, Boolean.TRUE);
+            //Session invalidation occurs in AbstractAuthFilter due to session access for
+            //State management
+            //session.invalidate();
+            this.setNextState(States.NOT_AUTHENTICATED.toString(), context);
+            context.put(AbstractAuthFilter.PROCESSING_STATE, AbstractAuthFilter.ProcessingState.SEND_RESPONSE);
         }
         
-        chain.doFilter(request, response);
-        
-    }
-
-    @Override
-    public void destroy() {
-
     }
 
 }

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/ProcessingException.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/ProcessingException.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/ProcessingException.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/ProcessingException.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import javax.servlet.ServletException;
+
+public class ProcessingException extends ServletException {
+
+    private static final long serialVersionUID = -7826089555569489534L;
+    
+    public ProcessingException() {
+        super();
+    }
+
+    public ProcessingException(String message, Throwable rootCause) {
+        super(message, rootCause);
+    }
+
+    public ProcessingException(String message) {
+        super(message);
+    }
+
+    public ProcessingException(Throwable rootCause) {
+        super(rootCause);
+    }
+
+}

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSClientFilter.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,347 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.staxutils.W3CDOMStreamWriter;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.trust.STSUtils;
+import org.apache.ws.security.WSConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.ApplicationContext;
+
+
+public class STSClientFilter extends AbstractAuthFilter {
+
+    private static final String PARAM_TOKENTYPE = "tokentype";
+
+    private static final String PARAM_STS_WSDL_ENDPOINT = "sts.wsdl.endpoint";
+
+    private static final String PARAM_STS_WSDL_SERVICE = "sts.wsdl.service";
+
+    private static final String PARAM_STS_WSDL_URL = "sts.wsdl.url";
+
+    private static final String PARAM_STS_APPLIES_TO = "sts.applies-to";
+
+    private static final String PARAM_STS_CLAIMS_REQUIRED = "sts.claims.required";
+
+    private static final String PARAM_STS_AUTH_TYPE = "sts.auth-type";
+
+    private static final String PARAM_TOKEN_STORE_NAME = "token.store.name";
+
+    //private static final String PARAM_TOKEN_STORE_SESSION = "token.store.session";
+    
+    private static final String PARAM_RSTR_CONTENT_TYPE = "sts.rstr.content-type";
+
+    private static final String PARAM_STS_ONBEHALFOF_TOKEN_NAME = "sts.onbehalfof.token.name";
+
+    private static final Logger LOG = LoggerFactory.getLogger(STSClientFilter.class);
+    
+//    static {
+//        LOG = LoggerFactory.getLogger(STSClientFilter.class);
+//    }
+    
+    enum AuthenticationType {
+        USERNAME_PASSWORD,
+        NONE
+    }
+
+    protected String tokenType;
+    protected String stsWsdlEndpoint;
+    protected String stsWsdlService;
+    protected String stsWsdlUrl;
+
+    protected String authenticationType;   //Send UsernameToken
+    protected boolean claimsRequired; // = false;  //
+    protected String onBehalfOfTokenName;  //idp-token
+    //protected boolean storeTokenInSession; // = false;
+    protected String tokenStoreName;
+    protected String appliesTo; // $wtrealm
+    protected String contentType;  //token, rstr
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        super.init(filterConfig);
+        tokenType = filterConfig.getInitParameter(PARAM_TOKENTYPE);
+        if (tokenType != null && tokenType.length() > 0) {
+            LOG.info("Configured Tokentype: " + tokenType);
+        }
+
+        stsWsdlUrl = filterConfig.getInitParameter(PARAM_STS_WSDL_URL);
+        if (stsWsdlUrl == null) {
+            throw new ServletException(
+                                       "Parameter '" + PARAM_STS_WSDL_URL + "' not configured");
+        }
+
+        stsWsdlService = filterConfig.getInitParameter(PARAM_STS_WSDL_SERVICE);
+        if (stsWsdlService == null) {
+            throw new ServletException(
+                                       "Parameter '" + PARAM_STS_WSDL_SERVICE + "' not configured");
+        }
+
+        stsWsdlEndpoint = filterConfig.getInitParameter(PARAM_STS_WSDL_ENDPOINT);
+        if (stsWsdlEndpoint == null) {
+            throw new ServletException(
+                                       "Parameter '" + PARAM_STS_WSDL_ENDPOINT + "' not configured");
+        }
+
+        appliesTo = filterConfig.getInitParameter(PARAM_STS_APPLIES_TO);
+        if (appliesTo == null) {
+            throw new ServletException(
+                                       "Parameter '" + PARAM_STS_APPLIES_TO + "' not configured");
+        }
+
+        tokenStoreName = filterConfig.getInitParameter(PARAM_TOKEN_STORE_NAME);
+        if (tokenStoreName == null) {
+            throw new ServletException(
+                                       "Parameter '" + PARAM_TOKEN_STORE_NAME + "' not configured");
+        }
+
+        onBehalfOfTokenName = filterConfig.getInitParameter(PARAM_STS_ONBEHALFOF_TOKEN_NAME);
+
+        try {
+            String claimsParam = filterConfig.getInitParameter(PARAM_STS_CLAIMS_REQUIRED);
+            if (claimsParam != null) {
+                claimsRequired = Boolean.valueOf(claimsParam).booleanValue();
+            } else {
+                claimsRequired = false;
+            }
+        } catch (Exception ex) {
+            LOG.error("Failed to parse parameter '" + PARAM_STS_CLAIMS_REQUIRED + "': " + ex.toString());
+            throw new ServletException(
+                                       "Failed to parse parameter '" + PARAM_STS_CLAIMS_REQUIRED + "'");
+        }
+
+        /*
+        try {
+            String storeSession = filterConfig.getInitParameter(PARAM_TOKEN_STORE_SESSION);
+            if (storeSession != null) {
+                storeTokenInSession = Boolean.valueOf(storeSession).booleanValue();
+            } else {
+                storeTokenInSession = false;
+            }
+        } catch (Exception ex) {
+            LOG.error("Failed to parse parameter '" + PARAM_TOKEN_STORE_SESSION + "': " + ex.toString());
+            throw new ServletException(
+                                       "Failed to parse parameter '" + PARAM_TOKEN_STORE_SESSION + "'");
+        }
+        */
+
+        authenticationType = filterConfig.getInitParameter(PARAM_STS_AUTH_TYPE);
+        if (authenticationType == null) {
+            throw new ServletException(
+                                       "Parameter '" + PARAM_STS_AUTH_TYPE + "' not configured");
+        }
+        
+        contentType = filterConfig.getInitParameter(PARAM_RSTR_CONTENT_TYPE);
+        if (PARAM_RSTR_CONTENT_TYPE == null) {
+            throw new ServletException(
+                                       "Parameter '" + PARAM_RSTR_CONTENT_TYPE + "' not configured");
+        }
+        
+        
+
+    }
+
+    @Override
+    public void process(HttpServletRequest request,
+                        HttpServletResponse response, AuthContext context)
+        throws IOException, ServletException, ProcessingException {
+
+
+        String resolvedAppliesTo = null;
+        try {
+            
+            if (context.get(tokenStoreName) != null) {
+                LOG.info("Security token '" + tokenStoreName + "' already created.");
+                return;
+            }
+
+            Bus bus = BusFactory.getDefaultBus();
+
+            IdpSTSClient sts = new IdpSTSClient(bus);
+            sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+            if (tokenType != null && tokenType.length() > 0) {
+                sts.setTokenType(tokenType);
+            } else {
+                sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+            }
+            sts.setKeyType("http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer");
+
+            sts.setWsdlLocation(stsWsdlUrl);
+            sts.setServiceQName(new QName(
+                                          "http://docs.oasis-open.org/ws-sx/ws-trust/200512/",
+                                          stsWsdlService));
+            sts.setEndpointQName(new QName(
+                                           "http://docs.oasis-open.org/ws-sx/ws-trust/200512/",
+                                           stsWsdlEndpoint));
+            String username = null;
+            if (authenticationType.equals(AuthenticationType.USERNAME_PASSWORD.toString())) {
+                username = (String)context.get(AuthContext.AUTH_USERNAME);
+                String password = (String)context.get(AuthContext.AUTH_PASSWORD);
+                context.remove(AuthContext.AUTH_USERNAME);
+                context.remove(AuthContext.AUTH_PASSWORD);
+                sts.getProperties().put(SecurityConstants.USERNAME, username);
+                sts.getProperties().put(SecurityConstants.PASSWORD, password);
+            }
+
+
+            /*
+            if (getInitParameter(S_PARAM_TOKEN_INTERNAL_LIFETIME) != null) {
+                sts.setEnableLifetime(true);
+                int ttl = Integer.parseInt(getInitParameter(S_PARAM_TOKEN_INTERNAL_LIFETIME));
+                sts.setTtl(ttl);
+            }
+             */
+
+
+            if (appliesTo.startsWith("$")) {
+                resolvedAppliesTo = (String)context.get(appliesTo.substring(1));
+                if (resolvedAppliesTo == null) {
+                    LOG.error("Parameter '" + appliesTo.substring(1) + "' not found in context");
+                    response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+                                       "Parameter '" + appliesTo.substring(1) + "' not found in context");
+                    throw new ProcessingException("Parameter '" + appliesTo.substring(1) + "' not found in context");
+                }
+            } else {
+                resolvedAppliesTo = appliesTo;
+            }
+
+            if (this.claimsRequired) {
+                List<String> realmClaims = null;
+                ApplicationContext ctx = (ApplicationContext) bus
+                .getExtension(ApplicationContext.class);
+                try {
+                    @SuppressWarnings("unchecked")
+                    Map<String, List<String>> realmClaimsMap = (Map<String, List<String>>) ctx
+                    .getBean("realm2ClaimsMap");
+                    realmClaims = realmClaimsMap.get(resolvedAppliesTo);
+                    if (realmClaims != null && realmClaims.size() > 0 && LOG.isDebugEnabled()) {
+                        LOG.debug("claims for realm " + resolvedAppliesTo);
+                        for (String item : realmClaims) {
+                            LOG.debug("  " + item);
+                        }
+                    }
+                    Element claims = createClaimsElement(realmClaims);
+                    if (claims != null) {
+                        sts.setClaims(claims);
+                    }
+
+                } catch (Exception ex) {
+                    LOG.error("Failed to read bean 'realm2ClaimsMap'", ex);
+                    response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+                                       "Failed to read bean 'realm2ClaimsMap'");
+                    throw new ProcessingException("Failed to read bean 'realm2ClaimsMap'");
+                }
+            }
+
+            if (this.onBehalfOfTokenName != null) {
+                SecurityToken token = (SecurityToken)context.get(onBehalfOfTokenName);
+                if (token == null) {
+                    LOG.error("Token '" + onBehalfOfTokenName + "' not found");
+                    response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+                                       "Token '" + onBehalfOfTokenName + "' not found");
+                    throw new ProcessingException("Token '" + onBehalfOfTokenName + "' not found");
+                }
+                sts.setOnBehalfOf(token.getToken());
+            }
+
+            Object token = null;
+            if (contentType != null && contentType.equalsIgnoreCase("TOKEN")) {
+                token = sts.requestSecurityToken(resolvedAppliesTo);
+            } else if (contentType != null && contentType.equalsIgnoreCase("RSTR")) {
+                token = sts.requestSecurityTokenResponse(resolvedAppliesTo);
+            } else {
+                LOG.error("Unknown content type '" + contentType + "'");
+                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+                                   "Unknown content type '" + contentType + "'");
+                throw new ProcessingException("Unknown content type '" + contentType + "'");
+            }
+
+            //[TODO] SessionCacheFilter, use this filter instead of code here
+            /* not needed anymore due to SessionCacheFilter
+            if (this.storeTokenInSession) {
+                request.getSession().setAttribute(tokenStoreName, token);
+                LOG.info("Token '" + tokenStoreName + "' stored in session.");
+            } else {
+                context.put(tokenStoreName, token);
+                LOG.info("Token '" + tokenStoreName + "' stored in request.");
+            }*/
+            context.put(tokenStoreName, token);
+            LOG.info("Token '" + tokenStoreName + "' stored in request.");
+            
+            if (username != null) {
+                context.put(AuthContext.IDP_PRINCIPAL, username);
+            }
+            
+
+        } catch (Exception ex) {
+            LOG.info("Requesting security token for '" + resolvedAppliesTo + "' failed", ex);
+            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+                               "Requesting security token for '" + resolvedAppliesTo + "'failed");
+            throw new ProcessingException("Requesting security token for '" + resolvedAppliesTo + "' failed");
+        }
+
+    }
+
+    private Element createClaimsElement(List<String> realmClaims)
+        throws Exception {
+        if (realmClaims == null || realmClaims.size() == 0) {
+            return null;
+        }
+
+        W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
+        writer.writeStartElement("wst", "Claims", STSUtils.WST_NS_05_12);
+        writer.writeNamespace("wst", STSUtils.WST_NS_05_12);
+        writer.writeNamespace("ic",
+            "http://schemas.xmlsoap.org/ws/2005/05/identity");
+        writer.writeAttribute("Dialect",
+            "http://schemas.xmlsoap.org/ws/2005/05/identity");
+
+        if (realmClaims != null && realmClaims.size() > 0) {
+            for (String item : realmClaims) {
+                LOG.debug("claim: " + item);
+                writer.writeStartElement("ic", "ClaimType",
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity");
+                writer.writeAttribute("Uri", item);
+                writer.writeEndElement();
+            }
+        }
+
+        writer.writeEndElement();
+
+        return writer.getDocument().getDocumentElement();
+    }
+
+}

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/SessionCacheFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/SessionCacheFilter.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/SessionCacheFilter.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/SessionCacheFilter.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SessionCacheFilter extends AbstractAuthFilter {
+
+    private static final Logger LOG = LoggerFactory.getLogger(SessionCacheFilter.class);
+
+    protected List<String> cacheAttributes = new ArrayList<String>();
+    
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        super.init(filterConfig);
+        
+        Enumeration enumParams = filterConfig.getInitParameterNames();   
+        while (enumParams.hasMoreElements()) {
+            String paramName = (String)enumParams.nextElement();
+            String paramValue = filterConfig.getInitParameter(paramName);
+            if (paramValue != null && paramValue.length() > 0
+                && paramName.startsWith("item")) {
+                cacheAttributes.add(filterConfig.getInitParameter(paramName));
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("Attribute '" + paramValue + "' configured to be stored in session.");
+                } 
+            } else  {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("Attribute '" + paramName + "' is ignored, null or empty.");
+                }
+            }
+            
+        }
+        
+    }
+    
+    @Override
+    public void process(HttpServletRequest request,
+                        HttpServletResponse response, AuthContext context)
+        throws IOException, ServletException, ProcessingException {
+        
+        if (LOG.isDebugEnabled()) {
+            Enumeration e = request.getAttributeNames();
+            StringBuffer sb = new StringBuffer();
+            sb.append("Cachable attributes:").append(System.getProperty("line.separator"));
+            while (e.hasMoreElements()) {
+                sb.append((String)e.nextElement()).append(System.getProperty("line.separator"));
+            }
+            LOG.debug(sb.toString());
+        }
+        
+        for (String item : cacheAttributes) {
+            Object value = request.getAttribute(item);
+            request.getSession().setAttribute(item, value);
+            if (LOG.isInfoEnabled()) {
+                LOG.info("Attribute '" + item + "' [" + value + "] stored in session");
+            }
+        }
+        
+    }
+
+}

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/States.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/States.java?rev=1414378&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/States.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/States.java Tue Nov 27 20:30:46 2012
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+public enum States {
+    NOT_AUTHENTICATED,
+    AUTHENTICATION_REQUIRED,
+    LOGOUT_REQUIRED,
+    USERNAME_PASSWORD_REQUIRED,
+    SECURITY_TOKEN_REQUIRED,
+    SECURITY_TOKEN_CACHED,  //maybe replace by AUTHENTICATED
+    AUTHENTICATED,
+}

Modified: cxf/fediz/trunk/services/idp/src/main/resources/logging.properties
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/resources/logging.properties?rev=1414378&r1=1414377&r2=1414378&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/resources/logging.properties (original)
+++ cxf/fediz/trunk/services/idp/src/main/resources/logging.properties Tue Nov 27 20:30:46 2012
@@ -38,7 +38,7 @@ java.util.logging.FileHandler.count = 1
 java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
 
 # Limit the message that are printed on the console to WARNING and above.
-java.util.logging.ConsoleHandler.level = INFO
+java.util.logging.ConsoleHandler.level = FINEST
 java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
 
 
@@ -50,3 +50,4 @@ java.util.logging.ConsoleHandler.formatt
 # For example, set the com.xyz.foo logger to only log SEVERE
 # messages:
 #com.xyz.foo.level = SEVERE
+org.apache.cxf.fediz.service.idp.level = FINEST

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml?rev=1414378&r1=1414377&r2=1414378&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml Tue Nov 27 20:30:46 2012
@@ -9,65 +9,246 @@
 	<display-name>WS Federation Tomcat Example</display-name>
 
 	<filter>
-		<filter-name>LogoutFilter</filter-name>
-		<filter-class>org.apache.cxf.fediz.service.idp.LogoutFilter</filter-class>
+		<filter-name>FederationFilter</filter-name>
+		<filter-class>org.apache.cxf.fediz.service.idp.FederationFilter</filter-class>
+		<!-- 
 		<init-param>
-			<param-name>logout.uri</param-name>
-			<param-value>logout</param-value>
+			<param-name>pre-state</param-name>
+			<param-value>NOT_AUTHENTICATED</param-value>
 		</init-param>
+		-->
+		<!--
+		<init-param>
+			<param-name>next-state</param-name>
+			<param-value>AUTHENTICATION_REQUIRED</param-value>
+		</init-param>
+		-->
+		<init-param>
+			<param-name>session.token</param-name>
+			<param-value>IDP_TOKEN</param-value>
+		</init-param>		
+		
 	</filter>
+
+	<filter>
+		<filter-name>AuthenticationFilter</filter-name>
+		<filter-class>org.apache.cxf.fediz.service.idp.AuthenticationFilter</filter-class>
+		<init-param>
+			<param-name>pre-state</param-name>
+			<param-value>AUTHENTICATION_REQUIRED</param-value>
+		</init-param>
+	</filter>	
 	
-	<filter-mapping>
-		<filter-name>LogoutFilter</filter-name>
-		<url-pattern>/*</url-pattern>
-	</filter-mapping>
+	<filter>
+		<filter-name>BasicAuthenticationFilter</filter-name>
+		<filter-class>org.apache.cxf.fediz.service.idp.BasicAuthenticationFilter</filter-class>
+		<init-param>
+			<param-name>pre-state</param-name>
+			<param-value>USERNAME_PASSWORD_REQUIRED</param-value>
+		</init-param>
+		<init-param>
+			<param-name>next-state</param-name>
+			<param-value>SECURITY_TOKEN_REQUIRED</param-value>
+		</init-param>		
+	</filter>
 	
-	<servlet>
-		<servlet-name>FederationServlet</servlet-name>
-		<servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class>
+	<filter>
+		<filter-name>STSClientFilterRequestor</filter-name>
+		<filter-class>org.apache.cxf.fediz.service.idp.STSClientFilter</filter-class>
+		<init-param>
+			<param-name>pre-state</param-name>
+			<param-value>SECURITY_TOKEN_REQUIRED</param-value>
+		</init-param>
+		<init-param>
+			<param-name>next-state</param-name>
+			<param-value>SECURITY_TOKEN_REQUIRED</param-value>
+		</init-param>			
 		<init-param>
 			<param-name>sts.wsdl.url</param-name>
-			<param-value>https://localhost:9443/fedizidpsts/</param-value>
+			<param-value>https://localhost:9443/fedizidpsts/STSService?wsdl</param-value>
 		</init-param>
 		<init-param>
 			<param-name>sts.wsdl.service</param-name>
 			<param-value>SecurityTokenService</param-value>
 		</init-param>
 		<init-param>
-			<param-name>sts.UT.wsdl.endpoint</param-name>
+			<param-name>sts.wsdl.endpoint</param-name>
 			<param-value>TransportUT_Port</param-value>
 		</init-param>
-	    <init-param>
-			<param-name>sts.UT.uri</param-name>
-			<param-value>STSService</param-value>
+		<init-param>
+			<param-name>sts.auth-type</param-name>
+			<param-value>USERNAME_PASSWORD</param-value>
 		</init-param>		
 		<init-param>
-			<param-name>sts.RP.wsdl.endpoint</param-name>
+			<param-name>sts.applies-to</param-name>
+			<param-value>urn:fediz:idp</param-value>
+		</init-param>
+		<init-param>
+			<param-name>token.store.name</param-name>
+			<param-value>IDP_TOKEN</param-value>
+		</init-param>
+		<!--
+		<init-param>
+			<param-name>token.store.session</param-name>
+			<param-value>true</param-value>
+		</init-param>
+		-->
+		<init-param>
+			<param-name>sts.rstr.content-type</param-name>
+			<param-value>TOKEN</param-value>
+		</init-param>			
+	</filter>
+	
+	<filter>
+		<filter-name>STSClientFilterRP</filter-name>
+		<filter-class>org.apache.cxf.fediz.service.idp.STSClientFilter</filter-class>
+		<init-param>
+			<param-name>pre-state</param-name>
+			<param-value>SECURITY_TOKEN_REQUIRED</param-value>
+		</init-param>
+		<init-param>
+			<param-name>next-state</param-name>
+			<param-value>AUTHENTICATED</param-value>
+		</init-param>			
+		<init-param>
+			<param-name>sts.wsdl.url</param-name>
+			<param-value>https://localhost:9443/fedizidpsts/STSServiceTransport?wsdl</param-value>
+		</init-param>
+		<init-param>
+			<param-name>sts.wsdl.service</param-name>
+			<param-value>SecurityTokenService</param-value>
+		</init-param>
+		<init-param>
+			<param-name>sts.wsdl.endpoint</param-name>
 			<param-value>Transport_Port</param-value>
 		</init-param>
 		<init-param>
-			<param-name>sts.RP.uri</param-name>
-			<param-value>STSServiceTransport</param-value>
+			<param-name>sts.auth-type</param-name>
+			<param-value>NONE</param-value>
+		</init-param>
+		<init-param>
+			<param-name>sts.applies-to</param-name>
+			<param-value>$wtrealm</param-value>
 		</init-param>
 		<init-param>
-			<param-name>token.internal.lifetime</param-name>
-			<param-value>7200</param-value>
+			<param-name>sts.onbehalfof.token.name</param-name>
+			<param-value>IDP_TOKEN</param-value>
+		</init-param>		
+		<init-param>
+			<param-name>token.store.name</param-name>
+			<param-value>RP_TOKEN</param-value>
 		</init-param>
+		<init-param>
+			<param-name>sts.rstr.content-type</param-name>
+			<param-value>RSTR</param-value>
+		</init-param>		
 		
-<!--		
+	</filter>	
+
+	<filter>
+		<filter-name>FederationPostFilter</filter-name>
+		<filter-class>org.apache.cxf.fediz.service.idp.FederationPostFilter</filter-class>
 		<init-param>
-			<param-name>ws-trust-tokentype</param-name>
-			<param-value>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</param-value>
+			<param-name>pre-state</param-name>
+			<param-value>AUTHENTICATED</param-value>
 		</init-param>
--->
-	</servlet>
+		<init-param>
+			<param-name>next-state</param-name>
+			<param-value>AUTHENTICATED</param-value>
+		</init-param>		
+		<init-param>
+			<param-name>token.store.name</param-name>
+			<param-value>RP_TOKEN</param-value>		
+		</init-param>
+	</filter>
+
+	<filter>
+		<filter-name>LogoutFilter</filter-name>
+		<filter-class>org.apache.cxf.fediz.service.idp.LogoutFilter</filter-class>
+		<init-param>
+			<param-name>pre-state</param-name>
+			<param-value>AUTHENTICATED</param-value>
+		</init-param>
+		<init-param>
+			<param-name>logout.uri</param-name>
+			<param-value>logout</param-value>
+		</init-param>
+	</filter>
+	
+	<filter>
+		<filter-name>SessionCacheFilter</filter-name>
+		<filter-class>org.apache.cxf.fediz.service.idp.SessionCacheFilter</filter-class>
+		<init-param>
+			<param-name>pre-state</param-name>
+			<param-value>AUTHENTICATED</param-value>
+		</init-param>
+		<init-param>
+			<param-name>next-state</param-name>
+			<param-value>AUTHENTICATED</param-value>
+		</init-param>		
+		<init-param>
+			<param-name>item1</param-name>
+			<param-value>IDP_PRINCIPAL</param-value>		
+		</init-param>
+		<init-param>
+			<param-name>item2</param-name>
+			<param-value>IDP_TOKEN</param-value>		
+		</init-param>		
+	</filter>	
 
-	<servlet-mapping>
-		<servlet-name>FederationServlet</servlet-name>
-		<url-pattern>/</url-pattern>
-	</servlet-mapping>
 
 
+	<filter-mapping>
+		<filter-name>FederationFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	
+	<filter-mapping>
+		<filter-name>AuthenticationFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	
+	<filter-mapping>
+		<filter-name>FederationFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+
+	<filter-mapping>
+		<filter-name>BasicAuthenticationFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	
+	<filter-mapping>
+		<filter-name>STSClientFilterRequestor</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	
+	<filter-mapping>
+		<filter-name>STSClientFilterRequestor</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	
+	<filter-mapping>
+		<filter-name>STSClientFilterRP</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+
+	<filter-mapping>
+		<filter-name>FederationPostFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+
+	<filter-mapping>
+		<filter-name>LogoutFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>	
+	
+	<filter-mapping>
+		<filter-name>SessionCacheFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	
+
 	<context-param>
 		<param-name>contextConfigLocation</param-name>
 		<param-value>WEB-INF/applicationContext.xml</param-value>



Mime
View raw message