From owu...@apache.org
Subject svn commit: r1467592 - in /cxf/fediz/trunk: services/idp/ services/idp/src/main/java/org/apache/cxf/fediz/service/idp/ services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/ ...
Date Sat, 13 Apr 2013 11:06:54 GMT
Author: owulff
Date: Sat Apr 13 11:06:54 2013
New Revision: 1467592

URL: http://svn.apache.org/r1467592
Log:
[FEDIZ-51] Use Spring Security for authentication at the IDP

Added:
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/security-config.xml
Removed:
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/UsernamePasswordCredentials.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/DecodeAuthorizationHeaderAction.java
    cxf/fediz/trunk/systests/jetty8/src/test/webapps/fediz-idp/WEB-INF/idp-servlet.xml
    cxf/fediz/trunk/systests/tomcat7/src/test/webapps/fediz-idp/WEB-INF/idp-servlet.xml
Modified:
    cxf/fediz/trunk/services/idp/pom.xml
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml
    cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyPreAuthSpringTest.java
    cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyTest.java
    cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
    cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java

Modified: cxf/fediz/trunk/services/idp/pom.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/pom.xml?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/pom.xml (original)
+++ cxf/fediz/trunk/services/idp/pom.xml Sat Apr 13 11:06:54 2013
@@ -26,7 +26,7 @@
         <relativePath>../../pom.xml</relativePath>
     </parent>
     <artifactId>fediz-idp</artifactId>
-    <name>Apache Fediz IDP (Spring Web Flow)</name>
+    <name>Apache Fediz IDP (Spring Security &amp; Spring Web Flow)</name>
     <packaging>war</packaging>
     <dependencyManagement>
         <dependencies>
@@ -34,6 +34,7 @@
     </dependencyManagement>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <spring.security.version>3.1.3.RELEASE</spring.security.version>
     </properties>
     <dependencies>
         <dependency>
@@ -48,6 +49,11 @@
 <!--            <version>${spring.version}</version> -->
 <!--         </dependency> -->
         <dependency>
+            <groupId>org.apache.cxf.fediz</groupId>
+            <artifactId>fediz-core</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-webmvc</artifactId>
             <version>${spring.version}</version>
@@ -58,6 +64,16 @@
             <version>2.3.1.RELEASE</version>
         </dependency>
         <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>${spring.security.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-config</artifactId>
+            <version>${spring.security.version}</version>
+        </dependency> 
+        <dependency>
           <groupId>ognl</groupId>
           <artifactId>ognl</artifactId>
           <version>3.0.5</version>
@@ -65,15 +81,9 @@
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-api</artifactId>
+            <artifactId>slf4j-jdk14</artifactId>
             <version>${slf4j.version}</version>
-            <scope>provided</scope>
         </dependency>
-<!--         <dependency> -->
-<!--             <groupId>org.slf4j</groupId> -->
-<!--             <artifactId>slf4j-jdk14</artifactId> -->
-<!--             <version>${slf4j.version}</version> -->
-<!--         </dependency> -->
         <dependency>
             <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-rt-ws-security</artifactId>
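Review bot: The slf4j change in this hunk swaps the `provided`-scoped `slf4j-api` for `slf4j-jdk14` at default compile scope, so the war now ships its own SLF4J binding alongside the API; on a container that already supplies a binding, SLF4J reports multiple bindings and the one actually used is not deterministic. If the JDK14 binding is deliberately bundled for the IDP war, a comment on the dependency (`<!-- binding bundled on purpose: IDP logs through java.util.logging -->`) would make that clear; otherwise keep the API `provided` and leave the binding to the deployment.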

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java?rev=1467592&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java Sat Apr 13 11:06:54 2013
@@ -0,0 +1,320 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+//import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.fediz.core.Claim;
+import org.apache.cxf.fediz.core.ClaimTypes;
+//import org.apache.cxf.transport.http.HTTPConduit;
+//import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.opensaml.xml.XMLObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
+public class STSAuthenticationProvider implements AuthenticationProvider {
+
+    private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER = 
+        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
+    
+    private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 = 
+        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
+    
+    private static final Logger LOG = LoggerFactory
+            .getLogger(STSAuthenticationProvider.class);
+
+    protected String wsdlLocation;
+    
+    protected String wsdlService;
+
+    protected String wsdlEndpoint;
+
+    protected String appliesTo;
+    
+    protected String tokenType;
+    
+    protected Bus bus;
+    
+    protected Integer lifetime;
+    
+    //Required to get IDP roles to use the IDP application, used in future release
+    protected String roleURI;
+    
+    
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        
+        Bus cxfBus = getBus();
+        
+        IdpSTSClient sts = new IdpSTSClient(cxfBus);
+        sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+        if (tokenType != null && tokenType.length() > 0) {
+            sts.setTokenType(tokenType);
+        } else {
+            sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+        }
+        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+        sts.setWsdlLocation(wsdlLocation);
+        sts.setServiceQName(new QName(
+                                      HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
+                                      wsdlService));
+        sts.setEndpointQName(new QName(
+                                       HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
+                                       wsdlEndpoint));
+        sts.getProperties().put(SecurityConstants.USERNAME, authentication.getName());
+        sts.getProperties().put(SecurityConstants.PASSWORD, (String)authentication.getCredentials());
+           
+        if (lifetime != null) {
+            sts.setEnableLifetime(true);
+            sts.setTtl(lifetime.intValue());
+        }
+        try {
+
+//Line below may be uncommented for debugging    
+//          setTimeout(sts.getClient(), 3600000L);
+
+            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+            
+            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
+            if (roleURI != null) {
+                AssertionWrapper assertion = new AssertionWrapper(token.getToken());
+                List<Claim> claims = parseClaimsInAssertion(assertion.getSaml2());
+                for (Claim c : claims) {
+                    if (roleURI.equals(c.getClaimType())) {
+                        Object oValue = c.getValue();
+                        if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty()) {
+                            List<String> values = (List<String>)oValue;
+                            for (String role: values) {
+                                authorities.add(new SimpleGrantedAuthority(role));
+                            }
+                        } else {
+                            LOG.error("Unsupported value type of Claim value");
+                            throw new IllegalStateException("Unsupported value type of Claim value");
+                        }
+                        claims.remove(c);
+                        break;
+                    }
+                }
+            }
+            
+            UsernamePasswordAuthenticationToken upat = new UsernamePasswordAuthenticationToken(
+                authentication.getName(), authentication.getCredentials(), authorities);
+            
+            STSUserDetails details = new STSUserDetails(authentication.getName(),
+                                                        (String)authentication.getCredentials(),
+                                                        authorities,
+                                                        token);
+            upat.setDetails(details);
+            
+            return upat;
+        } catch (Exception ex) {
+            LOG.info("Failed to authenticate user '" + authentication.getName() + "'", ex);
+            return null;
+        }
+        
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return authentication.equals(UsernamePasswordAuthenticationToken.class);
+    }
+    
+    public String getWsdlLocation() {
+        return wsdlLocation;
+    }
+
+    public void setWsdlLocation(String wsdlLocation) {
+        this.wsdlLocation = wsdlLocation;
+    }
+
+    public String getWsdlService() {
+        return wsdlService;
+    }
+
+    public void setWsdlService(String wsdlService) {
+        this.wsdlService = wsdlService;
+    }
+
+    public String getWsdlEndpoint() {
+        return wsdlEndpoint;
+    }
+
+    public void setWsdlEndpoint(String wsdlEndpoint) {
+        this.wsdlEndpoint = wsdlEndpoint;
+    }
+
+    public String getAppliesTo() {
+        return appliesTo;
+    }
+
+    public void setAppliesTo(String appliesTo) {
+        this.appliesTo = appliesTo;
+    }
+    
+    public void setBus(Bus bus) {
+        this.bus = bus;
+    }
+
+    public Bus getBus() {
+        // do not store a referance to the default bus
+        return (bus != null) ? bus : BusFactory.getDefaultBus();
+    }
+
+    public String getTokenType() {
+        return tokenType;
+    }
+
+    public void setTokenType(String tokenType) {
+        this.tokenType = tokenType;
+    }
+    
+    public Integer getLifetime() {
+        return lifetime;
+    }
+
+    public void setLifetime(Integer lifetime) {
+        this.lifetime = lifetime;
+    }
+
+    protected List<Claim> parseClaimsInAssertion(org.opensaml.saml2.core.Assertion assertion) {
+        List<org.opensaml.saml2.core.AttributeStatement> attributeStatements = assertion
+        .getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("No attribute statements found");
+            }
+            return Collections.emptyList();
+        }
+
+        List<Claim> collection = new ArrayList<Claim>();
+        Map<String, Claim> claimsMap = new HashMap<String, Claim>();
+
+        for (org.opensaml.saml2.core.AttributeStatement statement : attributeStatements) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("parsing statement: " + statement.getElementQName());
+            }
+            List<org.opensaml.saml2.core.Attribute> attributes = statement
+            .getAttributes();
+            for (org.opensaml.saml2.core.Attribute attribute : attributes) {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("parsing attribute: " + attribute.getName());
+                }
+                Claim c = new Claim();
+                // Workaround for CXF-4484 
+                // Value of Attribute Name not fully qualified
+                // if NameFormat is http://schemas.xmlsoap.org/ws/2005/05/identity/claims
+                // but ClaimType value must be fully qualified as Namespace attribute goes away
+                URI attrName = URI.create(attribute.getName());
+                if (ClaimTypes.URI_BASE.toString().equals(attribute.getNameFormat())
+                    && !attrName.isAbsolute()) {
+                    c.setClaimType(URI.create(ClaimTypes.URI_BASE + "/" + attribute.getName()));
+                } else {
+                    c.setClaimType(URI.create(attribute.getName()));
+                }
+                c.setIssuer(assertion.getIssuer().getNameQualifier());
+
+                List<String> valueList = new ArrayList<String>();
+                for (XMLObject attributeValue : attribute.getAttributeValues()) {
+                    Element attributeValueElement = attributeValue.getDOM();
+                    String value = attributeValueElement.getTextContent();
+                    if (LOG.isDebugEnabled()) {
+                        LOG.debug(" [" + value + "]");
+                    }
+                    valueList.add(value);
+                }
+                mergeClaimToMap(claimsMap, c, valueList);
+            }
+        }
+        collection.addAll(claimsMap.values());
+        return collection;
+
+    }
+    
+    protected void mergeClaimToMap(Map<String, Claim> claimsMap, Claim c,
+                                   List<String> valueList) {
+        Claim t = claimsMap.get(c.getClaimType().toString());
+        if (t != null) {
+            //same SAML attribute already processed. Thus Claim object already created.
+            Object oValue = t.getValue();
+            if (oValue instanceof String) {
+                //one child element AttributeValue only
+                List<String> values = new ArrayList<String>();
+                values.add((String)oValue); //add existing value
+                values.addAll(valueList);
+                t.setValue(values);
+            } else if (oValue instanceof List<?>) {
+                //more than one child element AttributeValue
+                List<String> values = (List<String>)oValue;
+                values.addAll(valueList);
+                t.setValue(values);
+            } else {
+                LOG.error("Unsupported value type of Claim value");
+                throw new IllegalStateException("Unsupported value type of Claim value");
+            }
+        } else {
+            if (valueList.size() == 1) {
+                c.setValue(valueList.get(0));
+            } else {
+                c.setValue(valueList);
+            }
+            // Add claim to map
+            claimsMap.put(c.getClaimType().toString(), c);
+        }
+    }
+
+    public String getRoleURI() {
+        return roleURI;
+    }
+
+    public void setRoleURI(String roleURI) {
+        this.roleURI = roleURI;
+    }
+
+//May be uncommented for debugging    
+//  private void setTimeout(Client client, Long timeout) {
+//      HTTPConduit conduit = (HTTPConduit) client.getConduit();
+//      HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+//      httpClientPolicy.setConnectionTimeout(timeout);
+//      httpClientPolicy.setReceiveTimeout(timeout);
+//      conduit.setClient(httpClientPolicy);
+//  }
+    
+}
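Review bot: The catch at the end of `authenticate` turns every failure — wrong password, unreachable STS, malformed assertion — into `return null`, which Spring Security's ProviderManager reads as "this provider cannot handle the token" rather than "authentication failed"; the caller then gets a ProviderNotFoundException and no bad-credentials failure event is published, so failed-login auditing and lockout hooks never see the attempt. Throw instead: `throw new BadCredentialsException("Failed to authenticate user '" + authentication.getName() + "'", ex);` (importing `org.springframework.security.authentication.BadCredentialsException`), and consider mapping transport-level errors to `AuthenticationServiceException` so an outage is distinguishable from a wrong password. The returned token carries the cleartext password both as credentials and inside `STSUserDetails`; scrubbing it before the token is stored in the session relies on ProviderManager's default `eraseCredentialsAfterAuthentication`, which deserves a comment on `upat.setDetails(details)`. The `claims.remove(c)` on the loop variable is immediately followed by `break`, so it is harmless but pointless and can be dropped.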

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java?rev=1467592&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java Sat Apr 13 11:06:54 2013
@@ -0,0 +1,78 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.BeansException;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
+import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class STSPortFilter extends GenericFilterBean implements ApplicationContextAware {
+
+    private static final Logger LOG = LoggerFactory.getLogger(STSPortFilter.class);
+    
+    private ApplicationContext applicationContext;
+    
+    private boolean isPortSet;
+    
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+        throws IOException, ServletException {
+        
+        Assert.isTrue(applicationContext != null, "Application context must not be null");
+        STSAuthenticationProvider authProvider = applicationContext.getBean(STSAuthenticationProvider.class);
+        Assert.isTrue(authProvider != null, "STSAuthenticationProvider must be configured");
+                
+        if (!isPortSet) {
+            try {
+                URL url = new URL(authProvider.getWsdlLocation());
+                URL updatedUrl = new URL(url.getProtocol(), url.getHost(), request.getLocalPort(), url.getFile());
+                setSTSWsdlUrl(authProvider, updatedUrl.toString());
+                LOG.info("STSAuthenticationProvider.wsdlLocation set to " + updatedUrl.toString());
+            } catch (MalformedURLException e) {
+                LOG.error("Invalid Url '" + authProvider.getWsdlLocation() + "': "  + e.getMessage());
+            }
+        }
+        
+        chain.doFilter(request, response);
+    }
+
+    private synchronized void setSTSWsdlUrl(STSAuthenticationProvider authProvider, String wsdlUrl) {
+        authProvider.setWsdlLocation(wsdlUrl);
+        this.isPortSet = true;
+    }
+    
+    @Override
+    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
+        this.applicationContext = applicationContext;
+    }
+
+}
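Review bot: `isPortSet` is read on every request outside the `synchronized` block that writes it, and the field is not `volatile`, so the check-then-act is racy: several concurrent first requests can each rewrite `wsdlLocation`, and later requests may keep observing a stale `false`. Declare it `private volatile boolean isPortSet;` or move the check inside `setSTSWsdlUrl`. The rewritten STS URL is also pinned for the life of the application from whichever request happens to arrive first, which is presumably fine when the IDP listens on a single connector but deserves a comment above `if (!isPortSet)` saying so. In the catch, pass the exception itself — `LOG.error("Invalid Url '" + authProvider.getWsdlLocation() + "'", e);` — rather than only `e.getMessage()`.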

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java?rev=1467592&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUserDetails.java Sat Apr 13 11:06:54 2013
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.util.Collection;
+
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+
+public class STSUserDetails extends User {
+    
+    private static final long serialVersionUID = 1975259365978165675L;
+    
+    private SecurityToken token;
+    
+    public STSUserDetails(String username, String password, boolean enabled, boolean accountNonExpired,
+                          boolean credentialsNonExpired, boolean accountNonLocked,
+                          Collection<? extends GrantedAuthority> authorities) {
+        super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
+    }
+    
+    public STSUserDetails(String username, String password, 
+                          Collection<? extends GrantedAuthority> authorities, SecurityToken token) {
+        super(username, password, true, true, true, true, authorities);
+        this.token = token;
+    }
+
+    public SecurityToken getSecurityToken() {
+        return this.token;
+    }
+
+}
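Review bot: The seven-argument constructor never assigns `token`, so `getSecurityToken()` returns null for instances built that way, and the only visible consumer (`STSClientAction.submit`, which calls `getToken()` on the value pulled back from the session) does not check for null. Either make the field `private final SecurityToken token;` and have the first constructor delegate with `this(username, password, authorities, null)` plus a Javadoc stating the token may be absent, or reject a null token in the four-argument constructor with `Objects.requireNonNull(token, "token")`. A class-level Javadoc should also say that the instance, including the STS token, is kept in the HTTP session as the authentication's details, which presumably relies on `SecurityToken` being serializable — worth confirming.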

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java Sat Apr 13 11:06:54 2013
@@ -18,74 +18,34 @@
  */
 package org.apache.cxf.fediz.service.idp.beans;
 
+//import java.security.Principal;
+
+import org.apache.cxf.fediz.service.idp.STSUserDetails;
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.util.Assert;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
- * @author fr17993 This class is responsible to initialize web flow.
+ * @author Th. Beucher This class is responsible to initialize web flow.
  */
 
 public class InitialFlowSetupAction {
 
-    private static final String AUTH_SUPPORT_TYPE = "idp.authSupportType";
-
-    private static final String IDP_NAME = "idpName";
-
     private static final Logger LOG = LoggerFactory
             .getLogger(InitialFlowSetupAction.class);
 
-    private String idpName = "IDP";
-
-    private String authSupportType;
-
-    public String getIdpName() {
-        return idpName;
-    }
-
-    public void setIdpName(String idpName) {
-        this.idpName = idpName;
-    }
-
-    public String getAuthSupportType() {
-        return authSupportType;
-    }
-
-    public void setAuthSupportType(String authSupportType) {
-        this.authSupportType = authSupportType;
-    }
-
-    private static enum SupportType {
-        FORM, BASIC;
-    }
-
-    /**
-     * @throws IllegalArgumentException
-     */
     public void submit(RequestContext context) {
-        if (System.getProperty(AUTH_SUPPORT_TYPE) != null) {
-            authSupportType = System.getProperty(AUTH_SUPPORT_TYPE);
-            LOG.info("Bean property [authSupportType] has been overriden from system properties");
-        }
-        if (SupportType.valueOf(authSupportType) != null) {
-            WebUtils.putAttributeInFlowScope(context, AUTH_SUPPORT_TYPE,
-                    authSupportType);
-            LOG.info(AUTH_SUPPORT_TYPE + "=" + authSupportType
-                    + " has been stored in flow scope");
-        } else {
-            throw new IllegalArgumentException(AUTH_SUPPORT_TYPE + "="
-                    + authSupportType + " not supported");
-        }
-        putAttributeInFlowScope(context, IDP_NAME, idpName);
-    }
-
-    private void putAttributeInFlowScope(RequestContext context, String key, String value) {
-        if (value != null) {
-            WebUtils.putAttributeInFlowScope(context, key, value);
-            LOG.info(key + "=" + value + " has been stored in flow scope");
-        } else {
-            throw new IllegalArgumentException("Bean property [" + key + "] should be configured");
-        }
+        
+        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        Assert.isInstanceOf(STSUserDetails.class, auth.getDetails());
+        final STSUserDetails stsUserDetails = (STSUserDetails) auth.getDetails();
+        SecurityToken securityToken = stsUserDetails.getSecurityToken();
+        WebUtils.putAttributeInExternalContext(context, "IDP_TOKEN", securityToken);
+        LOG.info("Token [IDP_TOKEN] succesfully set in session.");
     }
 }
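Review bot: `submit` dereferences `SecurityContextHolder.getContext().getAuthentication()` without a null check, so a flow entered without an authenticated context fails with a NullPointerException instead of a clear message; add `Assert.notNull(auth, "No authenticated user in security context");` before the `isInstanceOf` check. The `"IDP_TOKEN"` key is written as a string literal here and again in `STSClientAction`; a shared constant would keep the writer and reader in step. The log message also misspells "successfully".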

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java Sat Apr 13 11:06:54 2013
@@ -32,11 +32,12 @@ import org.w3c.dom.Element;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
+//import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.fediz.service.idp.IdpSTSClient;
-import org.apache.cxf.fediz.service.idp.UsernamePasswordCredentials;
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
-import org.apache.cxf.ws.security.SecurityConstants;
+//import org.apache.cxf.transport.http.HTTPConduit;
+//import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSUtils;
@@ -47,7 +48,7 @@ import org.springframework.context.Appli
 import org.springframework.webflow.execution.RequestContext;
 
 /**
- * @author fr17993 
+ * @author Th. Beucher 
 This class is responsible to ask for Security Tokens to STS.
  */
 
@@ -146,62 +147,14 @@ public class STSClientAction {
     }
 
     /**
-     * @param credentials
-     *            : username and password provided by user
-     * @return a IDP {@link SecurityToken}
-     * @throws Exception
-     */
-    public SecurityToken submit(UsernamePasswordCredentials credentials, RequestContext context)
-        throws Exception {
-
-        Bus cxfBus = getBus();
-
-        //IdpSTSClient sts = new IdpSTSClient(bus);
-        STSClient sts = new STSClient(cxfBus);
-        sts.setAddressingNamespace(HTTP_WWW_W3_ORG_2005_08_ADDRESSING);
-        paramTokenType(sts);
-        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
-
-        processWsdlLocation(context);
-        sts.setWsdlLocation(this.wsdlLocation);
-        sts.setServiceQName(new QName(
-                HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
-                SECURITY_TOKEN_SERVICE));
-        sts.setEndpointQName(new QName(
-                HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
-                this.wsdlEndpoint));
-
-        if (isUseWfreshForTTL()) {
-            configureTTL(sts, context);
-        }
-
-        if (isClaimsRequired()) {
-            addClaims(this.appliesTo, cxfBus, sts);
-        }
-
-        sts.getProperties().put(SecurityConstants.USERNAME,
-                credentials.getUsername());
-        sts.getProperties().put(SecurityConstants.PASSWORD,
-                credentials.getPassword());
-
-        SecurityToken idpToken = sts.requestSecurityToken(this.appliesTo);
-
-        LOG.info("Token [IDP_TOKEN] produced succesfully.");
-        return idpToken;
-    }
-
-
-
-
-    /**
-     * @param credentials
-     *            {@link SecurityToken}
+     * @param context
+     *            the webflow request context
      * @param wtrealm
      *            the relying party security domain
      * @return a serialized RP security token
      * @throws Exception
      */
-    public String submit(SecurityToken credentials, String wtrealm, RequestContext context)
+    public String submit(String wtrealm, RequestContext context)
         throws Exception {
 
         Bus cxfBus = getBus();
@@ -223,7 +176,8 @@ public class STSClientAction {
             addClaims(wtrealm, cxfBus, sts);
         }
 
-        sts.setOnBehalfOf(credentials.getToken());
+        SecurityToken idpToken = (SecurityToken) WebUtils.getAttributeFromExternalContext(context, "IDP_TOKEN");
+        sts.setOnBehalfOf(idpToken.getToken());
 
         String rpToken = sts.requestSecurityTokenResponse(wtrealm);
 
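Review bot: The new line `SecurityToken idpToken = (SecurityToken) WebUtils.getAttributeFromExternalContext(context, "IDP_TOKEN");` is followed directly by `idpToken.getToken()`, so a session that holds no IDP_TOKEN attribute (or one of another type) fails with a NullPointerException or ClassCastException inside the STS call path instead of with a clear error. Because the token is now read from session state rather than passed in by the caller, a guard such as `if (idpToken == null) { throw new IllegalStateException("No IDP_TOKEN in session for realm " + wtrealm); }` before `setOnBehalfOf` makes that failure mode explicit. The same lookup with the same literal key is repeated in WfreshParser further down; a shared constant for the "IDP_TOKEN" key would keep the two in step. submit() begins and ends outside this hunk.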
@@ -259,16 +213,16 @@ public class STSClientAction {
      * Usage of 'wfresh' parameter, picked up from the webflow context, 
      * like time-to-live of security token to be issued..
      */
-    private void configureTTL(STSClient sts, RequestContext requestContext) {
-        String wfresh = (String)WebUtils.getAttributeFromExternalContext(requestContext, "wfresh");
-        if (wfresh != null) {
-            int ttl = Integer.parseInt(wfresh);
-            if (ttl > 0) {
-                sts.setTtl(ttl * 60);                    
-                sts.setEnableLifetime(true);
-            }
-        }
-    }
+//    private void configureTTL(STSClient sts, RequestContext requestContext) {
+//        String wfresh = (String)WebUtils.getAttributeFromExternalContext(requestContext, "wfresh");
+//        if (wfresh != null) {
+//            int ttl = Integer.parseInt(wfresh);
+//            if (ttl > 0) {
+//                sts.setTtl(ttl * 60);                    
+//                sts.setEnableLifetime(true);
+//            }
+//        }
+//    }
     
     private void addClaims(String wtrealm, Bus cxfBus, STSClient sts)
         throws ParserConfigurationException, XMLStreamException {
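Review bot: `configureTTL` is replaced by a commented-out copy instead of being removed, and the `useWfreshForTTL` property of the bean that used it is dropped elsewhere in this commit, so a reader cannot tell whether TTL-from-wfresh is retired or merely switched off. Delete the commented block (the repository history keeps it) or replace it with a one-line comment naming where TTL handling now lives; from this diff alone I cannot tell whether the new STSAuthenticationProvider applies it, so that wording needs confirming.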
@@ -334,4 +288,5 @@ public class STSClientAction {
         this.wsdlLocation = wsdlUrl;
         this.isPortSet = true;
     }
+
 }

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java Sat Apr 13 11:06:54 2013
@@ -19,9 +19,12 @@
 package org.apache.cxf.fediz.service.idp.beans;
 
 import java.util.Date;
+
+import org.apache.cxf.fediz.service.idp.util.WebUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.webflow.execution.RequestContext;
 
 /**
  * This class is responsible to parse 'wfresh' parameter 
@@ -33,10 +36,11 @@ public class WfreshParser {
     private static final Logger LOG = LoggerFactory
             .getLogger(WfreshParser.class);
 
-    public boolean authenticationRequired(SecurityToken idpToken, String wfresh)
+    public boolean authenticationRequired(String wfresh, RequestContext context)
         throws Exception {
         long ttl = Long.parseLong(wfresh);
         if (ttl > 0) {
+            SecurityToken idpToken = (SecurityToken) WebUtils.getAttributeFromExternalContext(context, "IDP_TOKEN");
             Date createdDate = idpToken.getCreated();
             Date expiryDate = new Date();
             expiryDate.setTime(createdDate.getTime() + (ttl * 60L * 1000L));
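Review bot: `ttl * 60L * 1000L` on the last visible line multiplies a value parsed straight from the `wfresh` request parameter, so a sufficiently large `wfresh` overflows the long and the computed expiry wraps; depending on the wrapped value the later comparison (outside the hunk) may conclude that no re-authentication is needed. Rejecting out-of-range input before the arithmetic, e.g. `if (ttl > MAX_WFRESH_MINUTES) { return true; }` with a new, documented constant, keeps the check meaningful. The added IDP_TOKEN lookup would likewise be clearer with `if (idpToken == null) { return true; }` rather than relying on the flow's on-exception transition to catch the NullPointerException. The method's comparison and return are outside the hunk.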

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java Sat Apr 13 11:06:54 2013
@@ -97,13 +97,13 @@ public final class WebUtils {
 
     public static Object getAttributeFromRequestScope(
             final RequestContext context, final String attributeKey) {
-        return context.getRequestScope().getString(attributeKey);
+        return context.getRequestScope().get(attributeKey);
     }
 
     public static Object getAttributeFromExternalContext(
             final RequestContext context, final String attributeKey) {
         return context.getExternalContext().getSessionMap()
-                .getString(attributeKey);
+                .get(attributeKey);
     }
 
     /**
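Review bot: The switch from `getString` to `get` in both accessors changes the contract silently: as far as I recall `MutableAttributeMap.getString` throws when the stored value is not a String, whereas `get` returns whatever object is stored, or null when the key is absent, and callers now cast (see the `(SecurityToken)` casts in STSClientAction and WfreshParser). A Javadoc on each method with `@return the attribute value, or {@code null} if the key is not present in the scope` would make the null case explicit for those callers. The same applies to `getAttributeFromFlowScope` in the next hunk, whose return type also widens from String to Object, a source-incompatible change for any caller assigning the result to a String that I cannot check from here.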
@@ -159,9 +159,9 @@ public final class WebUtils {
         context.getFlowScope().put(attributeKey, attributeValue);
     }
 
-    public static String getAttributeFromFlowScope(
+    public static Object getAttributeFromFlowScope(
             final RequestContext context, final String attributeKey) {
-        return context.getFlowScope().getString(attributeKey);
+        return context.getFlowScope().get(attributeKey);
     }
 
     public static Object removeAttributeFromFlowScope(

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml Sat Apr 13 11:06:54 2013
@@ -20,6 +20,8 @@
         
 	<import resource="classpath:META-INF/cxf/cxf.xml" />
 
+    <import resource="security-config.xml" />
+
 	<cxf:bus>
 		<cxf:features>
 			<cxf:logging />

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml Sat Apr 13 11:06:54 2013
@@ -22,103 +22,27 @@
         <if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'" then="invalidateSessionAction" />
         <if test="requestParameters.wtrealm == null or requestParameters.wtrealm.length() == 0" then="viewBadRequest" />
 
-<!--    check if IDP token exists in session -->
-        <if test="externalContext.sessionMap['IDP_TOKEN'] == null" then="authenticationRequired" />
 <!--    check if IDP token is expired -->
-        <if test="externalContext.sessionMap['IDP_TOKEN'].isExpired() == true" then="authenticationRequired" />
+        <if test="externalContext.sessionMap['IDP_TOKEN'].isExpired() == true" then="invalidateSessionAction" />
 <!--    check if IDP token is still valid but relying party requested new authentication -->
-        <if test="requestParameters.wfresh != null and requestParameters.wfresh.equals('0')" then="authenticationRequired" />
+        <if test="requestParameters.wfresh != null and requestParameters.wfresh.equals('0')" then="invalidateSessionAction" />
 <!--    check if IDP token is still valid but relying party requested new authentication via wfresh -->
         <if test="requestParameters.wfresh != null" then="wfreshParserAction" else="rpTokenAction" />
     </decision-state>
     
     <!-- parse wfresh parameter, provided by resource RP, overriding ttl from 'IDP_TOKEN' -->
     <action-state id="wfreshParserAction">
-        <evaluate expression="wfreshParser.authenticationRequired(requestParameters.wfresh, externalContext.sessionMap['IDP_TOKEN'])" />
-        <transition on="true" to="authenticationRequired"/>
-        <transition on="false" to="rpTokenAction"/>
+        <evaluate expression="wfreshParser.authenticationRequired(requestParameters.wfresh, flowRequestContext)" />
+        <transition on="yes" to="invalidateSessionAction"/>
+        <transition on="no" to="rpTokenAction"/>
 <!--         <transition on-exception="java.lang.Throwable" to="scInternalServerError" /> -->
 <!--     wfresh invalid, ignore exception, force authentication -->
-        <transition on-exception="java.lang.Throwable" to="authenticationRequired" />
+        <transition on-exception="java.lang.Throwable" to="invalidateSessionAction" />
     </action-state>
 
-    <!-- select authentication support type -->
-    <decision-state id="authenticationRequired">
-        <on-entry>
-<!--        remove IDP token from session (if present) -->
-            <set name="externalContext.sessionMap['IDP_TOKEN']" value="null" />
-        </on-entry>
-<!-- don't remove line commented below, stands for future use ... -->
-<!--         <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" /> -->
-        <if test="flowScope['idp.authSupportType'] == 'BASIC'" then="basicAuthenticationCheck" else="viewBadRequest" />
-    </decision-state>
-    
-    <!-- display authentication form 'signinform.jsp' (username/password credentials) -->
-<!-- don't remove view-state commented below, stands for future use ... -->
-<!--     <view-state id="formAuthenticationView" view="signinform" model="usernamePasswordCredentials"> -->
-<!--         <var name="usernamePasswordCredentials" -->
-<!--             class="org.apache.cxf.fediz.service.idp.UsernamePasswordCredentials" /> -->
-<!--         <binder> -->
-<!--             <binding property="username" /> -->
-<!--             <binding property="password" /> -->
-<!--         </binder> -->
-<!--         <on-entry> -->
-<!--             <evaluate expression="externalContext.nativeResponse.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private')" /> -->
-<!--         </on-entry> -->
-<!--         <transition on="authenticate" bind="true" validate="true" to="idpUsernamePasswordTokenAction"> -->
-<!--             <set name="flowScope.usernamePasswordCredentials" value="usernamePasswordCredentials" /> -->
-<!--         </transition> -->
-<!--     </view-state> -->
-
-    <!-- check basic authentication state -->
-    <decision-state id="basicAuthenticationCheck">
-        <if test="externalContext.nativeRequest.getHeader('Authorization') == null" then="basicAuthenticationRequested" else="decodeBasicAuthenticationAction" />
-    </decision-state>
-    
-    <!-- force basic authentication, exits with Http 401 Unauthorized -->
-    <!-- warning : flow ends here. Decoding returned 'Authorization' header will be done by an other execution instance of flow (see 'decodeBasicAuthenticationAction') -->
-    <end-state id="basicAuthenticationRequested" view="genericerror">
-        <on-entry>
-            <evaluate expression="externalContext.nativeResponse.setHeader('WWW-Authenticate', 'Basic realm='+flowScope.idpName)" />
-            <evaluate expression="externalContext.nativeResponse.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private')" />
-            <evaluate expression="externalContext.nativeResponse.setStatus(401,'Invalid credentials')" />
-            <set name="requestScope.reason" value="'Invalid credentials'" />
-        </on-entry>
-    </end-state>
-
-    <!-- decode returned 'Authorization' header -->
-    <action-state id="decodeBasicAuthenticationAction">
-        <evaluate expression="decodeAuthorizationHeaderAction.submit(flowRequestContext)"
-                    result="flowScope.usernamePasswordCredentials" 
-                    result-type="org.apache.cxf.fediz.service.idp.UsernamePasswordCredentials" />
-        <transition to="idpUsernamePasswordTokenAction" />
-        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
-    </action-state>
-
-    <!-- Receiving username/password as credentials, produce IDP security token (as SecurityToken type) and store it in session -->
-    <!-- catch SoapFault in case of wrong credentials to redirect the flow -->
-    <action-state id="idpUsernamePasswordTokenAction">
-        <evaluate expression="stsClientForIdpAction.submit(flowScope.usernamePasswordCredentials, flowRequestContext)"
-                    result="flowScope.idpToken" 
-                    result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" />
-        <transition on="success" to="rpTokenAction">
-            <set name="externalContext.sessionMap['IDP_TOKEN']" value="flowScope.idpToken" />
-            <set name="externalContext.sessionMap['IDP_PRINCIPAL']" value="flowScope.usernamePasswordCredentials.username" />
-        </transition>
-        <transition on-exception="org.apache.cxf.binding.soap.SoapFault" to="authenticationFailedSwitch" />
-        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
-    </action-state>
-
-    <!-- when authentication failed, depending on the authentication support type set -->
-    <decision-state id="authenticationFailedSwitch">
-<!-- don't remove line commented below, stands for future use ... -->
-<!--         <if test="flowScope['idp.authSupportType'] == 'FORM'" then="formAuthenticationView" /> -->
-        <if test="flowScope['idp.authSupportType'] == 'BASIC'" then="basicAuthenticationRequested" />
-    </decision-state>
-    
     <!-- produce RP security token (as String type) -->
     <action-state id="rpTokenAction">
-        <evaluate expression="stsClientForRpAction.submit(externalContext.sessionMap['IDP_TOKEN'], externalContext.sessionMap['wtrealm'], flowRequestContext)" 
+        <evaluate expression="stsClientForRpAction.submit(externalContext.sessionMap['wtrealm'], flowRequestContext)" 
                     result="flowScope.rpToken" 
                     result-type="java.lang.String" />
         <transition to="formResponseView" />
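Review bot: The removed null check on `externalContext.sessionMap['IDP_TOKEN']` leaves the next decision, `externalContext.sessionMap['IDP_TOKEN'].isExpired() == true`, calling a method on a session attribute that may be absent; the Spring Security gate on `/federation` guarantees an authenticated principal, but whether an IDP_TOKEN was also stored in the session is decided elsewhere (the new authentication provider, not visible here), and a request with a valid security context but no token now fails on the expression rather than being sent to re-authenticate. Keeping `<if test="externalContext.sessionMap['IDP_TOKEN'] == null" then="invalidateSessionAction" />` ahead of the expiry test costs one line and makes the flow fail closed. Separately, the removed `basicAuthenticationRequested` end-state set `Cache-Control: no-store, no-cache, must-revalidate, private` on the 401 response and no replacement is visible in the new security config; worth confirming the challenge path still marks responses uncacheable.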

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml Sat Apr 13 11:06:54 2013
@@ -46,15 +46,6 @@
 		<property name="suffix" value=".jsp"/>
 	</bean>
 
-    <bean id="stsClientForIdpAction" class="org.apache.cxf.fediz.service.idp.beans.STSClientAction">
-        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/STSService?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportUT_Port"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-        <property name="useWfreshForTTL" value="true"/>
-        <property name="claimsRequired" value="true"/>
-    </bean>
-
 	<bean id="stsClientForRpAction" class="org.apache.cxf.fediz.service.idp.beans.STSClientAction">
         <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/STSServiceTransport?wsdl"/>
 		<property name="wsdlEndpoint" value="Transport_Port"/>
@@ -64,13 +55,9 @@
 
 	<bean id="logoutAction" class="org.apache.cxf.fediz.service.idp.beans.LogoutAction" />
 	
-    <bean id="decodeAuthorizationHeaderAction" class="org.apache.cxf.fediz.service.idp.beans.DecodeAuthorizationHeaderAction" />
-    
     <bean id="wfreshParser" class="org.apache.cxf.fediz.service.idp.beans.WfreshParser" />
     
 	<bean id="initialFlowSetupAction" class="org.apache.cxf.fediz.service.idp.beans.InitialFlowSetupAction" >
-        <property name="authSupportType" value="BASIC" />
-        <property name="idpName" value="LocalIDP" />
 	</bean>
 	
 </beans>

Added: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/security-config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/security-config.xml?rev=1467592&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/security-config.xml (added)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/security-config.xml Sat Apr 13 11:06:54 2013
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:security="http://www.springframework.org/schema/security"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xsi:schemaLocation="
+           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
+           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+    <context:component-scan base-package="org.apache.cxf.fediz.service.idp"/>
+
+    <!-- DIABLE in production as it might log confidential information about the user -->
+    <security:debug />
+
+	<!-- Configure Spring Security -->
+	<security:http auto-config="false" use-expressions="true">
+	    <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+		<!-- 
+		<security:form-login login-page="/spring/login" login-processing-url="/spring/loginProcess" 
+			default-target-url="/spring/main" authentication-failure-url="/spring/login?login_error=1" />
+		<security:logout logout-url="/spring/logout" logout-success-url="/spring/logoutSuccess" />
+		 -->
+		<security:intercept-url pattern="/federation" access="isAuthenticated()"/>
+		<security:http-basic />
+		<!--<security:form-login />-->
+	</security:http>
+    
+	<security:authentication-manager>
+		<security:authentication-provider ref="stsAuthProvider" />
+	</security:authentication-manager>
+	
+	<bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+	
+	<bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/STSService?wsdl"/>
+        <property name="wsdlEndpoint" value="TransportUT_Port"/>
+        <property name="wsdlService" value="SecurityTokenService"/>
+        <property name="appliesTo" value="urn:fediz:idp"/>
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+    </bean>
+
+</beans>
\ No newline at end of file
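Review bot: `<security:debug />` is enabled unconditionally in the new configuration despite the comment above it saying to disable it in production; Spring Security's debug filter writes each request's details, including its headers, to the log, so with `<security:http-basic />` in the same chain the Basic `Authorization` header of every IdP login would be logged. Remove the element, or keep it only in a test-time override of this file, and if it stays fix the comment's typo (`DIABLE` → `DISABLE`). The `wsdlLocation` on `stsAuthProvider`, `https://localhost:0/fediz-idp-sts/STSService?wsdl`, looks like a build-time placeholder; a comment saying so would stop it being read as a real endpoint.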

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/web.xml Sat Apr 13 11:06:54 2013
@@ -10,6 +10,17 @@
 		<param-name>contextConfigLocation</param-name>
 		<param-value>/WEB-INF/applicationContext.xml</param-value>
 	</context-param>
+	
+	<filter>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+    
+    
+    <filter-mapping>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
 
 	<servlet>
 		<servlet-name>idp</servlet-name>

Modified: cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyPreAuthSpringTest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyPreAuthSpringTest.java?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyPreAuthSpringTest.java (original)
+++ cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyPreAuthSpringTest.java Sat Apr 13 11:06:54 2013
@@ -38,6 +38,7 @@ public class JettyPreAuthSpringTest exte
         System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "debug");
         System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "debug");
         System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "debug");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "debug");
         System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "debug"); 
 
         idpHttpsPort = System.getProperty("idp.https.port");

Modified: cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyTest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyTest.java?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyTest.java (original)
+++ cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyTest.java Sat Apr 13 11:06:54 2013
@@ -36,6 +36,7 @@ public class JettyTest extends AbstractT
         System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "debug");
         System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "debug");
         System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "debug");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "debug");
         System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "debug"); 
 
         idpHttpsPort = System.getProperty("idp.https.port");

Modified: cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java (original)
+++ cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java Sat Apr 13 11:06:54 2013
@@ -138,14 +138,15 @@ public abstract class AbstractTests {
         sendHttpGet(url, user, password, 200, 403);        
     }
 
-    @org.junit.Ignore
+//    @org.junit.Ignore
     @org.junit.Test
     public void testUserAliceWrongPassword() throws Exception {
         String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
         String user = "alice";
         String password = "alice";
-        //[TODO] Fix IDP return code from 500 to 401
-        sendHttpGet(url, user, password, 500, 0);        
+//      sendHttpGet(url, user, password, 500, 0);        
+        //[FIXED] Fix IDP return code from 500 to 401
+        sendHttpGet(url, user, password, 401, 0);        
     }
 
     @org.junit.Test
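Review bot: The hunk leaves `//    @org.junit.Ignore` and the old `sendHttpGet(url, user, password, 500, 0);` call as commented-out lines beside the live call, and turns the TODO into a `//[FIXED]` comment that no longer tells a reader anything. Delete the commented and stale lines and keep a single comment on the remaining call, e.g. `// a wrong password must be rejected by the IDP with 401, not 500`.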

Modified: cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java?rev=1467592&r1=1467591&r2=1467592&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java (original)
+++ cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java Sat Apr 13 11:06:54 2013
@@ -47,6 +47,7 @@ public class TomcatTest extends Abstract
         System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "debug");
         System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "debug");
         System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "debug");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "debug");
         System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "debug"); 
         
         idpHttpsPort = System.getProperty("idp.https.port");


