From owu...@apache.org
Subject svn commit: r1514048 [1/2] - in /cxf/fediz/trunk: examples/spring2Webapp/src/main/resources/ examples/spring2Webapp/src/main/webapp/WEB-INF/ examples/springWebapp/src/main/resources/ examples/springWebapp/src/main/webapp/WEB-INF/ plugins/core/src/test/...
Date Wed, 14 Aug 2013 21:01:48 GMT
Author: owulff
Date: Wed Aug 14 21:01:46 2013
New Revision: 1514048

URL: http://svn.apache.org/r1514048
Log:
[FEDIZ-3] Support Resource IDP Role. Thanks Thierry

Added:
    cxf/fediz/trunk/services/idp/src/main/filters/
    cxf/fediz/trunk/services/idp/src/main/filters/realm-a/
    cxf/fediz/trunk/services/idp/src/main/filters/realm-a/env.properties
    cxf/fediz/trunk/services/idp/src/main/filters/realm-b/
    cxf/fediz/trunk/services/idp/src/main/filters/realm-b/env.properties
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheTokenForWauthAction.java
      - copied, changed from r1499090, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/HomeRealmReminder.java
      - copied, changed from r1499090, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java
      - copied, changed from r1499090, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ValidateTokenAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPSelection.java
      - copied, changed from r1499090, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java
    cxf/fediz/trunk/services/idp/src/main/resources/realm.properties
    cxf/fediz/trunk/services/idp/src/main/resources/realma.cert
    cxf/fediz/trunk/services/idp/src/main/resources/realmb.cert
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idplist.jsp
Removed:
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java
Modified:
    cxf/fediz/trunk/examples/spring2Webapp/src/main/resources/stsstore.jks
    cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml
    cxf/fediz/trunk/examples/springWebapp/src/main/resources/stsstore.jks
    cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml
    cxf/fediz/trunk/plugins/core/src/test/resources/stsstore.jks
    cxf/fediz/trunk/services/idp/pom.xml
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/IDPConfig.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/ServiceConfig.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPConfig.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
    cxf/fediz/trunk/services/idp/src/main/resources/logging.properties
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-webflow.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/security-config.xml
    cxf/fediz/trunk/services/sts/pom.xml
    cxf/fediz/trunk/services/sts/src/realms/webapp/WEB-INF/userClaims.xml
    cxf/fediz/trunk/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyTest.java
    cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml
    cxf/fediz/trunk/systests/jetty8/src/test/resources/stsstore.jks
    cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml
    cxf/fediz/trunk/systests/spring2Webapp/src/main/resources/stsstore.jks
    cxf/fediz/trunk/systests/springWebapp/src/main/resources/stsstore.jks
    cxf/fediz/trunk/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
    cxf/fediz/trunk/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/TomcatTest.java
    cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml
    cxf/fediz/trunk/systests/tomcat7/src/test/resources/stsstore.jks

Modified: cxf/fediz/trunk/examples/spring2Webapp/src/main/resources/stsstore.jks
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/spring2Webapp/src/main/resources/stsstore.jks?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
Files cxf/fediz/trunk/examples/spring2Webapp/src/main/resources/stsstore.jks (original) and cxf/fediz/trunk/examples/spring2Webapp/src/main/resources/stsstore.jks Wed Aug 14 21:01:46 2013 differ

Modified: cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml (original)
+++ cxf/fediz/trunk/examples/spring2Webapp/src/main/webapp/WEB-INF/fediz_config.xml Wed Aug 14 21:01:46 2013
@@ -16,6 +16,8 @@
 		<trustedIssuers>
 			<issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
 				name="DoubleItSTSIssuer" />
+			<issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
+			    name="REALM A"/>				
 		</trustedIssuers>
 		<maximumClockSkew>1000</maximumClockSkew>
 		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
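Review bot: The new issuer's `subject=".*CN=REALMA.*"` is an unanchored substring match, so any certificate chaining to the same trust anchor whose CN merely starts with REALMA (CN=REALMA2, CN=REALMAB) is accepted as the REALM A issuer; with certificateValidation="ChainTrust" the subject pattern is, as far as this config shows, the only thing separating issuers that share one CA. Anchoring the CN, e.g. `subject=".*CN=REALMA(,.*)?"`, keeps the intent without the over-match; if the looser pattern is deliberate, the truststore should hold nothing but that CA. The same issuer line is added to the springWebapp copy of fediz_config.xml in this commit. The `name="REALM A"/>` line also carries trailing tabs in both files.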
@@ -30,6 +32,7 @@
 			<!--<freshness>0</freshness>-->
 			<!--<reply>reply value</reply>-->
 			<!--<request>REQUEST</request>-->
+			<homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
 			<claimTypesRequested>
 				<claimType type="a particular claim type" optional="true" />
 			</claimTypesRequested>

Modified: cxf/fediz/trunk/examples/springWebapp/src/main/resources/stsstore.jks
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/resources/stsstore.jks?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
Files cxf/fediz/trunk/examples/springWebapp/src/main/resources/stsstore.jks (original) and cxf/fediz/trunk/examples/springWebapp/src/main/resources/stsstore.jks Wed Aug 14 21:01:46 2013 differ

Modified: cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml (original)
+++ cxf/fediz/trunk/examples/springWebapp/src/main/webapp/WEB-INF/fediz_config.xml Wed Aug 14 21:01:46 2013
@@ -16,6 +16,8 @@
 		<trustedIssuers>
 			<issuer subject=".*CN=www.sts.com.*" certificateValidation="ChainTrust"
 				name="DoubleItSTSIssuer" />
+			<issuer subject=".*CN=REALMA.*" certificateValidation="ChainTrust"
+			    name="REALM A"/>				
 		</trustedIssuers>
 		<maximumClockSkew>1000</maximumClockSkew>
 		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -30,6 +32,7 @@
 			<!--<freshness>0</freshness>-->
 			<!--<reply>reply value</reply>-->
 			<!--<request>REQUEST</request>-->
+			<homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
 			<claimTypesRequested>
 				<claimType type="a particular claim type" optional="true" />
 			</claimTypesRequested>

Modified: cxf/fediz/trunk/plugins/core/src/test/resources/stsstore.jks
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/resources/stsstore.jks?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
Binary files - no diff available.

Modified: cxf/fediz/trunk/services/idp/pom.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/pom.xml?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/pom.xml (original)
+++ cxf/fediz/trunk/services/idp/pom.xml Wed Aug 14 21:01:46 2013
@@ -35,6 +35,7 @@
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <spring.security.version>3.1.3.RELEASE</spring.security.version>
+        <!--<spring.version>3.1.4.RELEASE</spring.version>-->
     </properties>
     <dependencies>
         <dependency>
@@ -106,6 +107,22 @@
         </dependency>
     </dependencies>
     <build>
+    	<resources>
+    		<resource>
+				<directory>src/main/resources</directory>
+				<filtering>true</filtering>
+				<includes>
+					<include>**/realm.properties</include>
+				</includes>
+			</resource>
+    		<resource>
+				<directory>src/main/resources</directory>
+				<filtering>false</filtering>
+				<excludes>
+					<exclude>**/realm.properties</exclude>
+				</excludes>
+			</resource>			
+    	</resources>
         <plugins>
             <plugin>
                 <!--for mvn tomcat:deploy/:undeploy/:redeploy -->
@@ -118,8 +135,58 @@
                     <path>/${project.build.finalName}</path>
                 </configuration>
             </plugin>
+            <plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-war-plugin</artifactId>
+				<configuration>
+					<webResources>
+						<resource>
+							<directory>src/main/webapp</directory>
+							<filtering>true</filtering>
+							<includes>
+								<include>**/applicationContext.xml</include>
+							</includes>
+						</resource>
+						<resource>
+							<directory>src/main/webapp</directory>
+							<filtering>false</filtering>
+							<excludes>
+								<exclude>**/applicationContext.xml</exclude>
+							</excludes>
+						</resource>
+					</webResources>
+				</configuration>
+			</plugin>
+            
         </plugins>
         <!-- Name of the generated WAR file -->
         <finalName>fediz-idp</finalName>
     </build>
+    
+    <profiles>
+		<profile>
+			<id>realm-a</id>
+			<activation>
+				<activeByDefault>true</activeByDefault>
+			</activation>
+			<properties>
+			</properties>
+			<build>
+				<filters>
+					<filter>src/main/filters/realm-a/env.properties</filter>
+				</filters>
+			</build>
+		</profile>
+		<profile>
+			<id>realm-b</id>			
+			<properties>
+			</properties>
+			<build>
+				<filters>
+					<filter>src/main/filters/realm-b/env.properties</filter>
+				</filters>
+				<finalName>fediz-idp-remote</finalName>
+			</build>
+		</profile>
+	</profiles>
 </project>
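Review bot: `<activeByDefault>true</activeByDefault>` on the realm-a profile is switched off as soon as any other profile is activated on the command line or from settings.xml, so a build that activates an unrelated profile silently produces a WAR with no realm filter applied and every `${...}` placeholder in realm.properties and applicationContext.xml left unresolved. If realm-a is meant to be the default, activate it on the absence of a property instead, e.g. `<activation><property><name>!realm-b</name></property></activation>`, and activate realm-b on that property being set. The empty `<properties></properties>` elements in both profiles are noise and can be dropped.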

Added: cxf/fediz/trunk/services/idp/src/main/filters/realm-a/env.properties
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/filters/realm-a/env.properties?rev=1514048&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/filters/realm-a/env.properties (added)
+++ cxf/fediz/trunk/services/idp/src/main/filters/realm-a/env.properties Wed Aug 14 21:01:46 2013
@@ -0,0 +1,4 @@
+realm.STS_URI=REALMA
+realmA.port=9443
+realmB.port=12443
+idp-config=idp-config-realma.xml
\ No newline at end of file

Added: cxf/fediz/trunk/services/idp/src/main/filters/realm-b/env.properties
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/filters/realm-b/env.properties?rev=1514048&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/filters/realm-b/env.properties (added)
+++ cxf/fediz/trunk/services/idp/src/main/filters/realm-b/env.properties Wed Aug 14 21:01:46 2013
@@ -0,0 +1,4 @@
+realm.STS_URI=REALMB
+realmA.port=9443
+realmB.port=12443
+idp-config=idp-config-realmb.xml
\ No newline at end of file

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java Wed Aug 14 21:01:46 2013
@@ -109,11 +109,13 @@ public class STSAuthenticationProvider i
         try {
 
 //Line below may be uncommented for debugging    
-//          setTimeout(sts.getClient(), 3600000L);
+//            setTimeout(sts.getClient(), 3600000L);
 
             SecurityToken token = sts.requestSecurityToken(this.appliesTo);
             
             List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
+            //authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));
+            //Not needed because AuthenticatedVoter has been added for SecurityFlowExecutionListener
             if (roleURI != null) {
                 AssertionWrapper assertion = new AssertionWrapper(token.getToken());
                 List<Claim> claims = parseClaimsInAssertion(assertion.getSaml2());
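Review bot: The added `//authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));` is commented-out code; the sentence under it is the part worth keeping. Replace the pair with one explanatory comment, e.g. `// No ROLE_AUTHENTICATED authority is added here: the AuthenticatedVoter registered for SecurityFlowExecutionListener already covers it.` The remainder of the hunk only re-indents an already commented-out debugging call. The enclosing try block continues past the hunk.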
@@ -144,6 +146,9 @@ public class STSAuthenticationProvider i
                                                         token);
             upat.setDetails(details);
             
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("[IDP_TOKEN=" + token.getId() + "] provided for user '" + authentication.getName() + "'");
+            }
             return upat;
         } catch (Exception ex) {
             LOG.info("Failed to authenticate user '" + authentication.getName() + "'", ex);
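Review bot: The new debug line builds its message by string concatenation inside an `isDebugEnabled()` guard; with SLF4J the idiomatic form is the parameterized `LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), authentication.getName());`, which defers formatting itself and needs no guard. The same concatenation style is used by the new log calls in CacheTokenForWauthAction, LogoutAction and STSClientAction in this commit. `authentication.getName()` appears to come from the submitted credentials, and parameterized logging does not neutralize line breaks in it, so a log layout that escapes CR/LF is still worth confirming.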
@@ -309,12 +314,12 @@ public class STSAuthenticationProvider i
     }
 
 //May be uncommented for debugging    
-//  private void setTimeout(Client client, Long timeout) {
-//      HTTPConduit conduit = (HTTPConduit) client.getConduit();
-//      HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
-//      httpClientPolicy.setConnectionTimeout(timeout);
-//      httpClientPolicy.setReceiveTimeout(timeout);
-//      conduit.setClient(httpClientPolicy);
-//  }
+//    private void setTimeout(Client client, Long timeout) {
+//        HTTPConduit conduit = (HTTPConduit) client.getConduit();
+//        HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+//        httpClientPolicy.setConnectionTimeout(timeout);
+//        httpClientPolicy.setReceiveTimeout(timeout);
+//        conduit.setClient(httpClientPolicy);
+//    }
     
 }

Copied: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheTokenForWauthAction.java (from r1499090, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java)
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheTokenForWauthAction.java?p2=cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheTokenForWauthAction.java&p1=cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java&r1=1499090&r2=1514048&rev=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/InitialFlowSetupAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/CacheTokenForWauthAction.java Wed Aug 14 21:01:46 2013
@@ -18,9 +18,8 @@
  */
 package org.apache.cxf.fediz.service.idp.beans;
 
-//import java.security.Principal;
-
 import org.apache.cxf.fediz.service.idp.STSUserDetails;
+import org.apache.cxf.fediz.service.idp.model.IDPConfig;
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.slf4j.Logger;
@@ -31,21 +30,28 @@ import org.springframework.util.Assert;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
- * @author Th. Beucher This class is responsible to initialize web flow.
+ * @author 
+ * Th. Beucher This class is responsible to cache IDP token.
  */
 
-public class InitialFlowSetupAction {
+public class CacheTokenForWauthAction {
+
+    private static final String IDP_CONFIG = "idpConfig";
+    private static final Logger LOG = LoggerFactory.getLogger(CacheTokenForWauthAction.class);
 
-    private static final Logger LOG = LoggerFactory
-            .getLogger(InitialFlowSetupAction.class);
 
     public void submit(RequestContext context) {
-        
+
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
         Assert.isInstanceOf(STSUserDetails.class, auth.getDetails());
         final STSUserDetails stsUserDetails = (STSUserDetails) auth.getDetails();
         SecurityToken securityToken = stsUserDetails.getSecurityToken();
-        WebUtils.putAttributeInExternalContext(context, "IDP_TOKEN", securityToken);
-        LOG.info("Token [IDP_TOKEN] succesfully set in session.");
+
+        IDPConfig idpConfig = (IDPConfig)WebUtils.getAttributeFromFlowScope(context, IDP_CONFIG);
+
+        WebUtils.putAttributeInExternalContext(context, idpConfig.getRealm(), securityToken);
+        LOG.info("Token [IDP_TOKEN=" + securityToken.getId()
+                + "] for realm ["
+                + idpConfig.getRealm() + "] successfully cached.");
     }
-}
+}
\ No newline at end of file
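Review bot: `idpConfig` is read from flow scope and dereferenced on the next lines without a null check, so a flow that reaches this action before the config is placed in scope fails with a bare NullPointerException instead of a message naming the missing attribute; the class already uses Spring's `Assert`, so `Assert.notNull(idpConfig, "idpConfig not found in flow scope");` directly after the cast keeps the fail-fast behaviour with a diagnosable cause. The class Javadoc is also broken: the summary sentence sits inside the `@author` tag, so the generated documentation shows no description; put `This class is responsible to cache the IDP token in the session under the IDP realm name.` on the first line and `@author Th. Beucher` after it. The session attribute is now keyed by `idpConfig.getRealm()` while the log line still labels it `IDP_TOKEN`; naming the actual key in the message makes later debugging easier. The file also ends without a trailing newline.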

Copied: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/HomeRealmReminder.java (from r1499090, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java)
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/HomeRealmReminder.java?p2=cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/HomeRealmReminder.java&p1=cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java&r1=1499090&r2=1514048&rev=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/HomeRealmReminder.java Wed Aug 14 21:01:46 2013
@@ -18,16 +18,34 @@
  */
 package org.apache.cxf.fediz.service.idp.beans;
 
+import javax.servlet.http.Cookie;
+
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
+//import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
- * @author fr17993 This class is responsible to invalidate IDP session.
+ * @author fr17993 
  */
 
-public class LogoutAction {
+public class HomeRealmReminder {
+
+    public static final String FEDIZ_HOME_REALM = "FEDIZ_HOME_REALM";
+
+
+//    public boolean alreadyAuthenticated() {
+//        return SecurityContextHolder.getContext().getAuthentication().isAuthenticated();
+//    }
+
+    public Cookie readCookie(RequestContext requestContext) {
+        return WebUtils.readCookie(requestContext, FEDIZ_HOME_REALM);
+    }
+
+    public void addCookie(RequestContext requestContext, String cookieValue) {
+        WebUtils.addCookie(requestContext, FEDIZ_HOME_REALM, cookieValue);
+    }
 
-    public void submit(RequestContext requestContext) {
-        WebUtils.getHttpSession(requestContext).invalidate();
+    public void removeCookie(RequestContext requestContext) {
+        WebUtils.removeCookie(requestContext, FEDIZ_HOME_REALM);
     }
 }
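Review bot: The value returned by `readCookie` is client-controlled: whatever the browser sends back as FEDIZ_HOME_REALM will be treated as the user's home realm by whichever flow state consumes it (outside this hunk), so that consumer must check it against the configured trusted IDPs before using it for a redirect or lookup. A Javadoc line on `readCookie` stating `Returns the raw cookie as sent by the client; callers must validate the value against the configured trusted IDP list before use.` would make that contract explicit. The cookie's attributes (path, max-age, HttpOnly, Secure) are decided inside WebUtils.addCookie, which is not visible here — confirm they are set. The commented-out `alreadyAuthenticated` method and the commented-out import should be deleted rather than kept as dead code, and the class has only an `@author` tag where a one-sentence summary belongs.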

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java Wed Aug 14 21:01:46 2013
@@ -18,16 +18,28 @@
  */
 package org.apache.cxf.fediz.service.idp.beans;
 
+import javax.servlet.http.HttpSession;
+
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
  * @author fr17993 This class is responsible to invalidate IDP session.
  */
 
+
 public class LogoutAction {
 
+    private static final Logger LOG = LoggerFactory.getLogger(LogoutAction.class);
+
     public void submit(RequestContext requestContext) {
-        WebUtils.getHttpSession(requestContext).invalidate();
+        SecurityContextHolder.clearContext();
+        LOG.info("Security context has been cleared.");
+        HttpSession session = WebUtils.getHttpSession(requestContext);
+        session.invalidate();
+        LOG.info("Session " + session.getId() + " has been invalidated.");
     }
 }
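Review bot: `session.getId()` is called after `session.invalidate()`; the Servlet API allows `getId()` on an invalidated session, but reading it first is cheaper to reason about and keeps the log statement independent of container behaviour: `String sessionId = session.getId(); session.invalidate(); LOG.info("Session {} has been invalidated.", sessionId);`. Session identifiers are credentials while live; logging only the already-invalidated id at INFO is acceptable, but DEBUG is the safer level if these logs are shipped to a shared system. Whether `WebUtils.getHttpSession` can return null for a request without a session is not visible here — confirm, otherwise logout on such a request throws.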

Copied: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java (from r1499090, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java)
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java?p2=cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java&p1=cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java&r1=1499090&r2=1514048&rev=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java Wed Aug 14 21:01:46 2013
@@ -18,16 +18,32 @@
  */
 package org.apache.cxf.fediz.service.idp.beans;
 
+import org.apache.cxf.fediz.service.idp.model.IDPConfig;
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
- * @author fr17993 This class is responsible to invalidate IDP session.
+ * @author Th. Beucher 
+ * This class is responsible to process Home Realm Discovery Service Expression.
  */
 
-public class LogoutAction {
+public class ProcessHRDSExpressionAction {
 
-    public void submit(RequestContext requestContext) {
-        WebUtils.getHttpSession(requestContext).invalidate();
+    private static final String IDP_CONFIG = "idpConfig";
+    private static final Logger LOG = LoggerFactory
+            .getLogger(ProcessHRDSExpressionAction.class);
+
+    public String submit(RequestContext context) {
+        IDPConfig idpConfig = (IDPConfig)WebUtils.getAttributeFromFlowScope(context, IDP_CONFIG);
+        String hrds = idpConfig.getHrds();
+        //TODO
+        if (hrds == null) {
+            LOG.info("HRDS is null (Mock).");
+            return "";
+        }
+        LOG.info("HRDS is not null (Mock).");
+        return "some-whr-value";
     }
 }
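Review bot: `submit` is a stub — it returns the fixed string `"some-whr-value"` whenever `idpConfig.getHrds()` is non-null — and the only marker is a bare `//TODO`. Until the HRDS expression is actually evaluated, the method Javadoc should say so, e.g. `Placeholder: HRDS expressions are not evaluated yet; returns "" when no HRDS is configured and a fixed dummy whr value otherwise.`, so nobody wires the return value into a realm lookup believing it is real. `idpConfig` is also dereferenced without a guard; since this class does not import Spring's `Assert`, the minimal fix is `if (idpConfig == null) throw new IllegalStateException("idpConfig not found in flow scope");` right after the cast. The `@author` block has the same layout problem as CacheTokenForWauthAction: the class summary should be the first sentence of the Javadoc, not part of the tag.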

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java Wed Aug 14 21:01:46 2013
@@ -18,25 +18,33 @@
  */
 package org.apache.cxf.fediz.service.idp.beans;
 
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.security.cert.X509Certificate;
 import java.util.List;
-import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.XMLStreamException;
 
+import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
 
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
 //import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.fediz.service.idp.IdpSTSClient;
+import org.apache.cxf.fediz.service.idp.model.IDPConfig;
+import org.apache.cxf.fediz.service.idp.model.RequestClaim;
+import org.apache.cxf.fediz.service.idp.model.ServiceConfig;
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
 //import org.apache.cxf.transport.http.HTTPConduit;
 //import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
@@ -44,9 +52,9 @@ import org.apache.cxf.ws.security.tokens
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSUtils;
 import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.context.ApplicationContext;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
@@ -56,17 +64,19 @@ This class is responsible to ask for Sec
 
 public class STSClientAction {
 
-    private static final String REALM_TO_CLAIMS_MAP = "realm2ClaimsMap";
+    //private static final String REALM_TO_CLAIMS_MAP = "realm2ClaimsMap";
+
+    private static final String IDP_CONFIG = "idpConfig";
 
     private static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY = 
             "http://schemas.xmlsoap.org/ws/2005/05/identity";
 
     private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER = 
             "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
-    
+/*    
     private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_PUBLICKEY = 
             "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
-
+*/
     private static final String HTTP_WWW_W3_ORG_2005_08_ADDRESSING = "http://www.w3.org/2005/08/addressing";
 
     private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 = 
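Review bot: The `HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_PUBLICKEY` constant is disabled by wrapping it in `/* */` instead of being removed, and the later hunks of this file do the same for `appliesTo`, `useWfreshForTTL`, `keyType`, their accessors and the PublicKey branch of `submit` (the `/*` opened after `setTtl` runs across a hunk boundary to the `*/` just before the `submit` Javadoc). Commented-out code is dead weight that the revision history already preserves; delete it, and if the PublicKey key type is meant to return, say so in one sentence next to the `[TODO]` comment instead. The `//private static final String REALM_TO_CLAIMS_MAP` line at the top of this hunk is the same pattern.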
@@ -81,19 +91,19 @@ public class STSClientAction {
 
     protected String wsdlEndpoint;
 
-    protected String appliesTo;
+    //protected String appliesTo;
     
-    protected String tokenType;
+    protected String tokenType = WSConstants.WSS_SAML2_TOKEN_TYPE;
     
-    protected boolean useWfreshForTTL = true;
+    //protected boolean useWfreshForTTL = true;
+    
+    protected int ttl = 1800;
     
     protected Bus bus;
-
-    private boolean claimsRequired = true;
     
     private boolean isPortSet;
     
-    private String keyType = HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_PUBLICKEY;
+    //private String keyType = HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_PUBLICKEY;
 
     public String getWsdlLocation() {
         return wsdlLocation;
@@ -119,13 +129,14 @@ public class STSClientAction {
     public void setWsdlEndpoint(String wsdlEndpoint) {
         this.wsdlEndpoint = wsdlEndpoint;
     }
-
-    public String getAppliesTo() {
-        return appliesTo;
+    
+    public void setBus(Bus bus) {
+        this.bus = bus;
     }
 
-    public void setAppliesTo(String appliesTo) {
-        this.appliesTo = appliesTo;
+    public Bus getBus() {
+        // do not store a referance to the default bus
+        return (bus != null) ? bus : BusFactory.getDefaultBus();
     }
 
     public String getTokenType() {
@@ -136,6 +147,22 @@ public class STSClientAction {
         this.tokenType = tokenType;
     }
 
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
+    
+    /* 
+    public String getAppliesTo() {
+        return appliesTo;
+    }
+
+    public void setAppliesTo(String appliesTo) {
+        this.appliesTo = appliesTo;
+    }
     public boolean isClaimsRequired() {
         return claimsRequired;
     }
@@ -151,24 +178,47 @@ public class STSClientAction {
     public void setUseWfreshForTTL(boolean useWfreshForTTL) {
         this.useWfreshForTTL = useWfreshForTTL;
     }
-
+*/
+    
     /**
      * @param context
      *            the webflow request context
-     * @param wtrealm
-     *            the relying party security domain
      * @return a serialized RP security token
      * @throws Exception
      */
-    public String submit(String wtrealm, RequestContext context)
+    public String submit(RequestContext context)
         throws Exception {
+        
+        String wtrealm = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_TREALM);
+
+        SecurityToken idpToken = getSecurityToken(context);
+
+        IDPConfig idpConfig = (IDPConfig) WebUtils.getAttributeFromFlowScope(context, IDP_CONFIG);
 
         Bus cxfBus = getBus();
 
         IdpSTSClient sts = new IdpSTSClient(cxfBus);
         sts.setAddressingNamespace(HTTP_WWW_W3_ORG_2005_08_ADDRESSING);
-        paramTokenType(sts);
-        sts.setKeyType(keyType);
+        
+        ServiceConfig serviceConfig = idpConfig.getServices().get(wtrealm);
+        if (serviceConfig == null) {
+            LOG.warn("No service config found for " + wtrealm);
+            throw new ProcessingException(TYPE.BAD_REQUEST);
+        }
+        
+        if (serviceConfig.getTokenType() != null && serviceConfig.getTokenType().length() > 0) {
+            sts.setTokenType(serviceConfig.getTokenType());
+        } else {
+            sts.setTokenType(getTokenType());
+        }
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("TokenType " + sts.getTokenType() + " set for " + wtrealm);
+        }
+        
+        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+        
+        //[TODO] What is the purpose of the keytype?
+        /*
         if (HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_PUBLICKEY.equals(keyType)) {
             HttpServletRequest servletRequest = WebUtils.getHttpServletRequest(context);
             if (servletRequest != null) {
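Review bot: `wtrealm` is written raw to the log in `LOG.warn("No service config found for " + wtrealm)` on the failure path; it is read from flow scope under `FederationConstants.PARAM_TREALM`, which suggests it originates from the wtrealm request parameter, so an unmatched value is caller-chosen text, and line breaks in it can forge extra log lines. Strip CR/LF before logging, or log only that the lookup failed and keep the offending value at DEBUG. `idpConfig` is dereferenced without a guard (a missing flow-scope attribute becomes a bare NullPointerException that the method's `throws Exception` propagates unclassified), and whether `getSecurityToken(context)` can return null is not visible here — `idpToken.getToken()` is called later in the method, so confirm. Switching the request to `sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER)` means the issued token carries no holder-of-key proof, so transport protection and the AppliesTo/audience restriction are what bind it to the intended relying party; the `[TODO] What is the purpose of the keytype?` comment should record that trade-off rather than leave the question open. The method continues past the hunk.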
@@ -183,6 +233,7 @@ public class STSClientAction {
                 }
             }
         }
+        */
 
         processWsdlLocation(context);
         sts.setWsdlLocation(wsdlLocation);
@@ -192,27 +243,87 @@ public class STSClientAction {
         sts.setEndpointQName(new QName(
                 HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512, wsdlEndpoint));
 
-        if (this.claimsRequired) {
-            addClaims(wtrealm, cxfBus, sts);
+        if (serviceConfig.getRequestedClaims() != null && serviceConfig.getRequestedClaims().size() > 0) {
+            addClaims(sts, serviceConfig.getRequestedClaims());
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Requested claims set for " + wtrealm);
+            }
         }
-
-        SecurityToken idpToken = (SecurityToken) WebUtils.getAttributeFromExternalContext(context, "IDP_TOKEN");
+        
+        sts.setEnableLifetime(true);
+        if (serviceConfig.getLifeTime() != null && serviceConfig.getLifeTime().length() > 0) {
+            try {
+                int lifetime = Integer.parseInt(serviceConfig.getLifeTime());
+                sts.setTtl(lifetime);
+                sts.setEnableLifetime(lifetime > 0);
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("Lifetime set to " + serviceConfig.getLifeTime() + " seconds for " + wtrealm);
+                }
+            } catch (NumberFormatException ex) {
+                LOG.warn("Invalid lifetime configured for service provider " + wtrealm);
+                sts.setTtl(this.ttl);
+                sts.setEnableLifetime(this.ttl > 0);
+            }
+        } else {
+            sts.setTtl(this.ttl);
+            sts.setEnableLifetime(this.ttl > 0);
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Lifetime set to " + this.ttl + " seconds for " + wtrealm);
+            }
+        }
+        
+        
         sts.setOnBehalfOf(idpToken.getToken());
-
+        if (!(serviceConfig.getProtocol() == null
+            || FederationConstants.WS_FEDERATION_NS.equals(serviceConfig.getProtocol()))) {
+            LOG.error("Protocol " + serviceConfig.getProtocol() + " not supported for " + wtrealm);
+            throw new ProcessingException(TYPE.BAD_REQUEST);
+        }
+        
         String rpToken = sts.requestSecurityTokenResponse(wtrealm);
-
-        LOG.info("Token [RP_TOKEN] produced succesfully.");
+        
+        InputStream is = new ByteArrayInputStream(rpToken.getBytes());
+        Document doc = DOMUtils.readXml(is);
+        NodeList nd = doc.getElementsByTagName("saml2:Assertion");
+        if (nd.getLength() == 0) {
+            nd = doc.getElementsByTagName("saml1:Assertion");
+        }
+        Element e = (Element) nd.item(0);
+        AssertionWrapper aw = new AssertionWrapper(e);
+        String id = aw.getId();
+
+        LOG.info("[RP_TOKEN=" + id + "] successfully created for realm ["
+                + wtrealm + "] on behalf of [IDP_TOKEN=" + idpToken.getId()
+                + "]");
         return StringEscapeUtils.escapeXml(rpToken);
     }
-    
-    public void setBus(Bus bus) {
-        this.bus = bus;
-    }
 
-    public Bus getBus() {
-        // do not store a referance to the default bus
-        return (bus != null) ? bus : BusFactory.getDefaultBus();
+    private SecurityToken getSecurityToken(RequestContext context) throws ProcessingException {
+//      String whr = (String) WebUtils.
+//      getAttributeFromExternalContext(context, FederationConstants.PARAM_HOME_REALM);
+        String whr = (String) WebUtils.
+            getAttributeFromFlowScope(context, FederationConstants.PARAM_HOME_REALM);
+        SecurityToken idpToken = null;
+        if (whr != null) {
+            idpToken = (SecurityToken) WebUtils.getAttributeFromExternalContext(context, whr);
+            if (idpToken != null) {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("[IDP_TOKEN="
+                            + idpToken.getId()
+                            + "] successfully retrieved from cache for home realm ["
+                            + whr + "]");
+                }
+            } else {
+                LOG.error("IDP_TOKEN not found");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+        } else {
+            LOG.error("Home realm not found");
+            throw new ProcessingException(TYPE.BAD_REQUEST);
+        }
+        return idpToken;
     }
+    
 
     private void processWsdlLocation(RequestContext context) {
         if (!isPortSet) {
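Review bot: `Element e = (Element) nd.item(0)` dereferences the node list without checking `nd.getLength()`, so an STS response that carries no element literally named `saml2:Assertion` or `saml1:Assertion` (a non-SAML `tokenType` configured for the service, or an issuer that uses a different namespace prefix) fails with a NullPointerException after the token has already been issued, instead of a clear error. `getElementsByTagName` matches the qualified name as written, so the lookup depends on the prefix the STS happened to use; `getElementsByTagNameNS` on the SAML namespaces is prefix-independent, assuming `DOMUtils.readXml` parses namespace-aware (which `AssertionWrapper` needs anyway). `rpToken.getBytes()` on the same lines uses the platform default charset; pass the charset explicitly. `submit` begins in the previous hunk and `processWsdlLocation` continues past this one.
```java
InputStream is = new ByteArrayInputStream(rpToken.getBytes("UTF-8"));
Document doc = DOMUtils.readXml(is);
NodeList nd = doc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");
if (nd.getLength() == 0) {
    nd = doc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:1.0:assertion", "Assertion");
}
if (nd.getLength() == 0) {
    LOG.error("Token issued for " + wtrealm + " does not contain a SAML assertion");
    throw new ProcessingException(TYPE.BAD_REQUEST);
}
Element e = (Element) nd.item(0);
// … unchanged: AssertionWrapper, INFO log, escaped return …
```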
@@ -244,38 +355,16 @@ public class STSClientAction {
 //        }
 //    }
     
-    private void addClaims(String wtrealm, Bus cxfBus, STSClient sts)
+    private void addClaims(STSClient sts, List<RequestClaim> requestClaimList)
         throws ParserConfigurationException, XMLStreamException {
-        List<String> realmClaims = null;
-        ApplicationContext ctx = (ApplicationContext) cxfBus
-                .getExtension(ApplicationContext.class);
-
-        @SuppressWarnings("unchecked")
-        Map<String, List<String>> realmClaimsMap = (Map<String, List<String>>) ctx
-                .getBean(REALM_TO_CLAIMS_MAP);
-        realmClaims = realmClaimsMap.get(wtrealm);
-        if (realmClaims != null && realmClaims.size() > 0
-                && LOG.isDebugEnabled()) {
-            LOG.debug("claims for realm " + wtrealm);
-            for (String item : realmClaims) {
-                LOG.debug("  " + item);
-            }
-        }
-        Element claims = createClaimsElement(realmClaims);
+        
+        Element claims = createClaimsElement(requestClaimList);
         if (claims != null) {
             sts.setClaims(claims);
         }
     }
 
-    private void paramTokenType(STSClient sts) {
-        if (tokenType == null) {
-            sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
-        } else {
-            sts.setTokenType(tokenType);
-        }
-    }
-
-    private Element createClaimsElement(List<String> realmClaims)
+    private Element createClaimsElement(List<RequestClaim> realmClaims)
         throws ParserConfigurationException, XMLStreamException {
         if (realmClaims == null || realmClaims.size() == 0) {
             return null;
@@ -290,11 +379,14 @@ public class STSClientAction {
                 HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY);
 
         if (realmClaims != null && realmClaims.size() > 0) {
-            for (String item : realmClaims) {
-                LOG.debug("claim: " + item);
+            for (RequestClaim item : realmClaims) {
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("  " + item.getClaimType().toString());
+                }
                 writer.writeStartElement("ic", "ClaimType",
                         HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY);
-                writer.writeAttribute("Uri", item);
+                writer.writeAttribute("Uri", item.getClaimType().toString());
+                writer.writeAttribute("Optional", Boolean.toString(item.isOptional())); 
                 writer.writeEndElement();
             }
         }
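Review bot: `item.getClaimType().toString()` on the `Uri` attribute line (and in the debug statement above it) throws a NullPointerException for a `RequestClaim` whose `claimType` was never set, which then surfaces as a failed token request rather than as the configuration error it is. A guard at the top of the loop body names the misconfiguration: `if (item.getClaimType() == null) { throw new IllegalArgumentException("RequestClaim without claimType"); }`. `createClaimsElement` starts and ends outside this hunk.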
@@ -309,6 +401,9 @@ public class STSClientAction {
         this.isPortSet = true;
     }
 
+
+
+    /*
     public String getKeyType() {
         return keyType;
     }
@@ -316,5 +411,6 @@ public class STSClientAction {
     public void setKeyType(String keyType) {
         this.keyType = keyType;
     }
+    */
 
 }

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java?rev=1514048&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java Wed Aug 14 21:01:46 2013
@@ -0,0 +1,85 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.beans;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.webflow.execution.RequestContext;
+
+public class SigninParametersCacheAction {
+
+    private static final Logger LOG = LoggerFactory.getLogger(SigninParametersCacheAction.class);
+
+    public void store(RequestContext context) {
+        Map<String, Object> signinParams = new HashMap<String, Object>();
+        String uuidKey = UUID.randomUUID().toString();
+        
+        Object value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY);
+        if (value != null) {
+            signinParams.put(FederationConstants.PARAM_REPLY, value);
+        }
+        value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_TREALM);
+        if (value != null) {
+            signinParams.put(FederationConstants.PARAM_TREALM, value);
+        }
+        value = WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_HOME_REALM);
+        if (value != null) {
+            signinParams.put(FederationConstants.PARAM_HOME_REALM, value);
+        }
+        WebUtils.putAttributeInExternalContext(context, uuidKey, signinParams);
+        
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SignIn parameters cached: " + signinParams.toString() + ".");
+        }
+        WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_CONTEXT, uuidKey);
+        LOG.info("SignIn parameters cached and wctx set to: " + uuidKey + ".");
+    }
+    
+    public void restore(RequestContext context) {
+        
+        String uuidKey = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
+        @SuppressWarnings("unchecked")
+        Map<String, Object> signinParams =
+            (Map<String, Object>)WebUtils.getAttributeFromExternalContext(context, uuidKey);
+        
+        String value = (String)signinParams.get(FederationConstants.PARAM_REPLY);
+        if (value != null) {
+            WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_REPLY, value);
+        }
+        value = (String)signinParams.get(FederationConstants.PARAM_TREALM);
+        if (value != null) {
+            WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_TREALM, value);
+        }
+        value = (String)signinParams.get(FederationConstants.PARAM_HOME_REALM);
+        if (value != null) {
+            WebUtils.putAttributeInFlowScope(context, FederationConstants.PARAM_HOME_REALM, value);
+        }
+        
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("SignIn parameters restored: " + signinParams.toString() + ".");
+        }
+        LOG.info("SignIn parameters restored.");
+    }
+}
\ No newline at end of file
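Review bot: `restore` dereferences `signinParams` without a null check, so a request whose `wctx` is absent from flow scope, was altered on the round trip through the requestor IDP, or names a session entry that no longer exists dies with a NullPointerException at `signinParams.get(...)` instead of being rejected as a bad sign-in. The cached entry is also never removed from the external context after it has been restored, so every parameter set stays in the session for the session's lifetime and the same `wctx` can be presented again; removing it would need a remove helper on `WebUtils` (commented-out code in `WfreshParser` refers to a `removeAttributeFromExternalContext`, but it is not visible in this commit). The checks belong right after the two lookups at the top of `restore`; the other actions signal bad input with `ProcessingException(TYPE.BAD_REQUEST)`, which this file would need to import, so the fence uses `IllegalStateException` as a placeholder.
```java
String uuidKey = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
if (uuidKey == null) {
    LOG.warn("No wctx in flow scope; cannot restore SignIn parameters.");
    throw new IllegalStateException("Missing wctx");
}
@SuppressWarnings("unchecked")
Map<String, Object> signinParams =
    (Map<String, Object>)WebUtils.getAttributeFromExternalContext(context, uuidKey);
if (signinParams == null) {
    LOG.warn("No SignIn parameters cached for wctx '" + uuidKey + "'.");
    throw new IllegalStateException("Unknown wctx");
}
// … unchanged: copy wreply / wtrealm / whr back into flow scope, logging …
```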

Added: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ValidateTokenAction.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ValidateTokenAction.java?rev=1514048&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ValidateTokenAction.java (added)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ValidateTokenAction.java Wed Aug 14 21:01:46 2013
@@ -0,0 +1,172 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.beans;
+
+import java.io.IOException;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.FederationProcessor;
+import org.apache.cxf.fediz.core.FederationProcessorImpl;
+import org.apache.cxf.fediz.core.FederationRequest;
+import org.apache.cxf.fediz.core.FederationResponse;
+import org.apache.cxf.fediz.core.config.FederationContext;
+import org.apache.cxf.fediz.core.config.jaxb.AudienceUris;
+import org.apache.cxf.fediz.core.config.jaxb.CertificateStores;
+import org.apache.cxf.fediz.core.config.jaxb.ContextConfig;
+import org.apache.cxf.fediz.core.config.jaxb.FederationProtocolType;
+import org.apache.cxf.fediz.core.config.jaxb.KeyStoreType;
+import org.apache.cxf.fediz.core.config.jaxb.TrustManagersType;
+import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuerType;
+import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuers;
+import org.apache.cxf.fediz.core.config.jaxb.ValidationType;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
+import org.apache.cxf.fediz.service.idp.model.IDPConfig;
+import org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig;
+import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.ws.security.util.UUIDGenerator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * @author Th. Beucher This class is responsible to validate token returned by
+ *         requestor IDP.
+ */
+
+public class ValidateTokenAction {
+
+    private static final String IDP_CONFIG = "idpConfig";
+    private static final Logger LOG = LoggerFactory
+            .getLogger(ValidateTokenAction.class);
+
+    public SecurityToken submit(RequestContext context)
+        throws ProcessingException, IOException {
+        IDPConfig idpConfig = (IDPConfig) WebUtils.getAttributeFromFlowScope(
+                context, IDP_CONFIG);
+
+        if (idpConfig == null) {
+            throw new ProcessingException("IDP configuration is null",
+                    TYPE.BAD_REQUEST);
+        }
+
+        String whr = (String) WebUtils.getAttributeFromFlowScope(context,
+                FederationConstants.PARAM_HOME_REALM);
+
+        if (whr == null) {
+            throw new ProcessingException("Home realm is null",
+                    TYPE.BAD_REQUEST);
+        }
+
+        String wresult = (String) WebUtils.getAttributeFromFlowScope(context,
+                FederationConstants.PARAM_RESULT);
+
+        if (wresult == null) {
+            throw new ProcessingException("No security token issued",
+                    TYPE.BAD_REQUEST);
+        }
+
+        TrustedIDPConfig trustedIDPConfig = idpConfig.getTrustedIDPs().get(whr);
+
+        if (trustedIDPConfig == null) {
+            throw new ProcessingException(
+                    "No trusted IDP config found for home realm " + whr,
+                    TYPE.BAD_REQUEST);
+        }
+
+        FederationContext fedContext = getFederationContext(idpConfig,
+                trustedIDPConfig);
+
+        FederationRequest wfReq = new FederationRequest();
+        wfReq.setWa(FederationConstants.ACTION_SIGNIN);
+        wfReq.setWresult(wresult);
+
+        FederationProcessor wfProc = new FederationProcessorImpl();
+        FederationResponse wfResp = wfProc.processRequest(wfReq, fedContext);
+
+        fedContext.close();
+
+        Element e = wfResp.getToken();
+        
+        // Create new Security token with new id. 
+        // Parameters for freshness computation are copied from original IDP_TOKEN
+        String id = "_" + UUIDGenerator.getUUID();
+        SecurityToken idpToken = new SecurityToken(id,
+            wfResp.getTokenCreated(), wfResp.getTokenExpires());
+
+        idpToken.setToken(e);
+        LOG.info("[IDP_TOKEN=" + id + "] for user '" + wfResp.getUsername()
+                + "' created from [RP_TOKEN=" + wfResp.getUniqueTokenId()
+                + "issued by home realm [" + whr + "/"
+                + wfResp.getIssuer() + "].");
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Created date=" + wfResp.getTokenCreated());
+            LOG.debug("Expired date=" + wfResp.getTokenExpires());
+        }
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Validated 'wresult' : "
+                    + System.getProperty("line.separator") + wresult);
+        }
+        return idpToken;
+    }
+
+    private FederationContext getFederationContext(IDPConfig idpConfig,
+            TrustedIDPConfig trustedIdpConfig) throws ProcessingException {
+
+        ContextConfig config = new ContextConfig();
+
+        config.setName("whatever");
+
+        // Configure certificate store
+        CertificateStores certStores = new CertificateStores();
+        TrustManagersType tm0 = new TrustManagersType();
+        KeyStoreType ks0 = new KeyStoreType();
+        ks0.setType("PEM");
+        // ks0.setType("JKS");
+        // ks0.setPassword("changeit");
+        ks0.setFile(trustedIdpConfig.getCertificate());
+        tm0.setKeyStore(ks0);
+        certStores.getTrustManager().add(tm0);
+        config.setCertificateStores(certStores);
+
+        // Configure trusted IDP
+        TrustedIssuers trustedIssuers = new TrustedIssuers();
+        TrustedIssuerType ti0 = new TrustedIssuerType();
+        ti0.setCertificateValidation(ValidationType.PEER_TRUST);
+        ti0.setName(trustedIdpConfig.getName());
+        // ti0.setSubject(".*CN=www.sts.com.*");
+        trustedIssuers.getIssuer().add(ti0);
+        config.setTrustedIssuers(trustedIssuers);
+
+        FederationProtocolType protocol = new FederationProtocolType();
+        config.setProtocol(protocol);
+
+        AudienceUris audienceUris = new AudienceUris();
+        audienceUris.getAudienceItem().add(idpConfig.getRealm());
+        config.setAudienceUris(audienceUris);
+
+        FederationContext fedContext = new FederationContext(config);
+        fedContext.init();
+        return fedContext;
+    }
+
+}
\ No newline at end of file
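Review bot: `fedContext.close()` runs only on the success path; if `wfProc.processRequest` throws (whatever the processor rejects — bad signature, untrusted issuer, wrong audience — it appears to reject by throwing, though the processor itself is outside this commit), the `FederationContext` built for this request, including its trust store, is never closed. A try/finally around the call fixes that. Two smaller points in the same method: the INFO message is missing the closing `] ` after `wfResp.getUniqueTokenId()`, and the DEBUG branch writes the complete `wresult`, i.e. the signed token received from the trusted IDP, to the log, which deserves a comment such as `// DEBUG logs the full token: credentials end up in the log when FINE is enabled` so operators know what enabling that level records.
```java
FederationProcessor wfProc = new FederationProcessorImpl();
FederationResponse wfResp;
try {
    wfResp = wfProc.processRequest(wfReq, fedContext);
} finally {
    fedContext.close();
}
// … unchanged: build the new SecurityToken from wfResp, logging, return …
```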

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/WfreshParser.java Wed Aug 14 21:01:46 2013
@@ -20,10 +20,12 @@ package org.apache.cxf.fediz.service.idp
 
 import java.util.Date;
 
+//import org.apache.cxf.fediz.service.idp.model.IDPConfig;
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+//import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.webflow.execution.RequestContext;
 
 /**
@@ -33,24 +35,70 @@ import org.springframework.webflow.execu
 
 public class WfreshParser {
 
+//    private static final String IDP_CONFIG = "idpConfig";
     private static final Logger LOG = LoggerFactory
             .getLogger(WfreshParser.class);
 
-    public boolean authenticationRequired(String wfresh, RequestContext context)
+    public boolean authenticationRequired(String wfresh, String whr, RequestContext context)
         throws Exception {
-        long ttl = Long.parseLong(wfresh);
+        
+        SecurityToken idpToken = 
+            (SecurityToken) WebUtils.getAttributeFromExternalContext(context, whr);
+//        if ("1".equals(wfresh)) {
+        if (idpToken.isExpired()) {
+            LOG.info("[IDP_TOKEN=" + idpToken.getId() + "] is expired.");
+//            forceFurtherAuthentication(context, whr, idpToken);
+            return true;
+        }
+
+        if (wfresh == null || wfresh.trim().isEmpty()) {
+            return false;
+        }
+
+        long ttl;
+        try {
+            ttl = Long.parseLong(wfresh.trim());
+        } catch (Exception e) {
+            LOG.info("wfresh value '" + wfresh + "' is invalid.");
+            return false;
+        }
         if (ttl > 0) {
-            SecurityToken idpToken = (SecurityToken) WebUtils.getAttributeFromExternalContext(context, "IDP_TOKEN");
+
             Date createdDate = idpToken.getCreated();
-            Date expiryDate = new Date();
-            expiryDate.setTime(createdDate.getTime() + (ttl * 60L * 1000L));
-            if (expiryDate.before(new Date())) {
-                LOG.info("IDP token is valid but relying party requested new authentication via wfresh: " + wfresh);
-                return true;
+            if (createdDate != null) {
+                Date expiryDate = new Date();
+                expiryDate.setTime(createdDate.getTime() + (ttl * 60L * 1000L));
+                if (expiryDate.before(new Date())) {
+                    LOG.info("[IDP_TOKEN="
+                            + idpToken.getId()
+                            + "] is valid but relying party requested new authentication caused by wfresh="
+                            + wfresh + " outdated.");
+//                    forceFurtherAuthentication(context, whr, idpToken);
+                    return true;
+                }
+            } else {
+                LOG.info("token creation date not set. Unable to check wfresh is outdated.");
             }
         } else {
-            LOG.info("wfresh value of " + wfresh + " is invalid");
+            LOG.info("ttl value '" + ttl + "' is negative.");
         }
         return false;
     }
+
+//    private void forceFurtherAuthentication(RequestContext context, String whr, SecurityToken idpToken) {
+//        if (isThisRealm(context, whr)) {
+//            SecurityContextHolder.clearContext();
+//            LOG.info("Security context has been cleared");
+//            WebUtils.removeAttributeFromExternalContext(context, whr);
+//            LOG.info("[IDP_TOKEN=" + idpToken.getId() + "] has been uncached.");
+//        }
+//    }
+//
+//    private boolean isThisRealm(RequestContext context, String whr) {
+//        IDPConfig idpConfig = (IDPConfig)WebUtils.getAttributeFromFlowScope(context, IDP_CONFIG);
+//        if (idpConfig.getRealm().equals(whr)) {
+//            return true;
+//        }
+//        return false;
+//    }
 }
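Review bot: `idpToken.isExpired()` is called before any null check on the token fetched from the external context under `whr`, so a session with no cached token for that realm (for example a `whr` this IDP has never authenticated against) fails with a NullPointerException instead of reporting that authentication is required; the pre-commit code only read the token inside the `ttl > 0` branch. Add `if (idpToken == null) { LOG.info("No IDP_TOKEN cached for home realm [" + whr + "]"); return true; }` before the expiry check. Separately, `ttl == 0` now falls into the `else` branch and is logged as "negative" and treated as no re-authentication, but as I read the WS-Federation 1.2 specification a `wfresh` of 0 asks the IP/STS to re-prompt the user before issuing a token, so the method should return `true` for it; the previous code had the same gap, but this hunk rewrites that branch.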

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/IDPConfig.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/IDPConfig.java?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/IDPConfig.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/IDPConfig.java Wed Aug 14 21:01:46 2013
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.fediz.service.idp.model;
 
+import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
 
@@ -28,7 +29,7 @@ import java.util.Map;
 
 //@Entity
 //@Table(name = "IDP")
-public class IDPConfig {
+public class IDPConfig implements Serializable {
         
     //@Id
     //private Long id;
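Review bot: `IDPConfig` now implements `Serializable` without a `serialVersionUID`, while `TrustedIDPSelection` in the same commit declares `private static final long serialVersionUID = 1L;`; the same declaration here (and in `RequestClaim`, `ServiceConfig` and `TrustedIDPConfig`) keeps the four config classes consistent and avoids a computed UID that changes with every edit, which matters if these objects are serialized into flow-execution snapshots, presumably the reason they were made Serializable. The class body continues outside this hunk.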

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java Wed Aug 14 21:01:46 2013
@@ -18,9 +18,10 @@
  */
 package org.apache.cxf.fediz.service.idp.model;
 
+import java.io.Serializable;
 import java.net.URI;
 
-public class RequestClaim {
+public class RequestClaim implements Serializable {
     
     private URI claimType;
     

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/ServiceConfig.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/ServiceConfig.java?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/ServiceConfig.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/ServiceConfig.java Wed Aug 14 21:01:46 2013
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.fediz.service.idp.model;
 
+import java.io.Serializable;
 import java.util.List;
 
 //import javax.persistence.Column;
@@ -27,7 +28,7 @@ import java.util.List;
 
 //@Entity
 //@Table(name = "SERVICE")
-public class ServiceConfig {
+public class ServiceConfig implements Serializable {
 
         
     //@Id

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPConfig.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPConfig.java?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPConfig.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPConfig.java Wed Aug 14 21:01:46 2013
@@ -18,6 +18,8 @@
  */
 package org.apache.cxf.fediz.service.idp.model;
 
+import java.io.Serializable;
+
 
 //import javax.persistence.Column;
 //import javax.persistence.Entity;
@@ -26,7 +28,7 @@ package org.apache.cxf.fediz.service.idp
 
 //@Entity
 //@Table(name = "TRUSTEDIDP")
-public class TrustedIDPConfig {
+public class TrustedIDPConfig implements Serializable {
 
         
     //@Id

Copied: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPSelection.java (from r1499090, cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java)
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPSelection.java?p2=cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPSelection.java&p1=cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java&r1=1499090&r2=1514048&rev=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPSelection.java Wed Aug 14 21:01:46 2013
@@ -18,25 +18,19 @@
  */
 package org.apache.cxf.fediz.service.idp.model;
 
-import java.net.URI;
+import java.io.Serializable;
 
-public class RequestClaim {
-    
-    private URI claimType;
-    
-    private boolean optional;
-    
+public class TrustedIDPSelection implements Serializable {
+
+    private static final long serialVersionUID = 1L;
     
-    public void setClaimType(URI claimType) {
-        this.claimType = claimType;
-    }
-    public URI getClaimType() {
-        return claimType;
-    }
-    public void setOptional(boolean optional) {
-        this.optional = optional;
+    private String whr;
+
+    public String getWhr() {
+        return whr;
     }
-    public boolean isOptional() {
-        return optional;
+
+    public void setWhr(String whr) {
+        this.whr = whr;
     }
 }

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java Wed Aug 14 21:01:46 2013
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.fediz.service.idp.util;
 
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
@@ -155,7 +156,7 @@ public final class WebUtils {
     }
 
     public static void putAttributeInFlowScope(final RequestContext context,
-            final String attributeKey, final String attributeValue) {
+            final String attributeKey, final Object attributeValue) {
         context.getFlowScope().put(attributeKey, attributeValue);
     }
 
@@ -174,4 +175,37 @@ public final class WebUtils {
         return context.getRequestParameters().get(attributeKey);
     }
 
+    public static Cookie readCookie(
+            final RequestContext context, final String cookieName) {
+        HttpServletRequest httpServletRequest = getHttpServletRequest(context);
+        Cookie[] cookies = httpServletRequest.getCookies();
+        if (cookies != null) {
+            for (int i = 0; i < cookies.length; i++) {
+                if (cookies[i].getName().equals(cookieName)) {
+                    return cookies[i];
+                }
+            }
+        }
+        return null;
+    }
+
+    public static void addCookie(
+            final RequestContext context, final String cookieName, final String cookieValue) {
+        HttpServletResponse httpServletResponse = getHttpServletResponse(context);
+        Cookie cookie = new Cookie(cookieName, cookieValue);
+        cookie.setSecure(true);
+        cookie.setMaxAge(-1);
+        httpServletResponse.addCookie(cookie);
+    }
+
+    public static void removeCookie(
+            final RequestContext context, final String cookieName) {
+        HttpServletResponse httpServletResponse = getHttpServletResponse(context);
+        Cookie cookie = readCookie(context, cookieName);
+        if (cookie != null) {
+            cookie.setMaxAge(0);
+            httpServletResponse.addCookie(cookie);
+        }
+    }
+
 }
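Review bot: `addCookie` sets no path, so the container scopes the cookie to the directory of the request URI that issued it, and `removeCookie` then re-sends a cookie object rebuilt from the request (which carries only name and value, no path or domain) with `setMaxAge(0)`; the browser deletes the original only if the two paths happen to coincide. Setting an explicit path in both methods, for example the web application's context path, makes write, read and removal line up. `cookie.setHttpOnly(true)` would also be appropriate if the servlet API level in use has it (3.0+), and `readCookie` dereferences `getHttpServletRequest(context)` without the null check that `STSClientAction` applies to the same call.
```java
Cookie cookie = new Cookie(cookieName, cookieValue);
cookie.setSecure(true);
cookie.setPath(cookiePath(context));
cookie.setMaxAge(-1);
// … unchanged: addCookie hands the cookie to the response …

// removeCookie: same path as addCookie so the browser matches the original cookie
if (cookie != null) {
    cookie.setValue("");
    cookie.setPath(cookiePath(context));
    cookie.setMaxAge(0);
    httpServletResponse.addCookie(cookie);
}

private static String cookiePath(final RequestContext context) {
    String contextPath = getHttpServletRequest(context).getContextPath();
    return (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
}
```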

Modified: cxf/fediz/trunk/services/idp/src/main/resources/logging.properties
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/resources/logging.properties?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/resources/logging.properties (original)
+++ cxf/fediz/trunk/services/idp/src/main/resources/logging.properties Wed Aug 14 21:01:46 2013
@@ -52,5 +52,6 @@ java.util.logging.ConsoleHandler.formatt
 # messages:
 #com.xyz.foo.level = SEVERE
 org.apache.cxf.fediz.service.idp.level = FINE
+org.apache.cxf.level = FINE
 org.springframework.web.level = FINE
 org.springframework.webflow.level = FINE
\ No newline at end of file

Added: cxf/fediz/trunk/services/idp/src/main/resources/realm.properties
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/resources/realm.properties?rev=1514048&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/resources/realm.properties (added)
+++ cxf/fediz/trunk/services/idp/src/main/resources/realm.properties Wed Aug 14 21:01:46 2013
@@ -0,0 +1,3 @@
+realm.STS_URI=${realm.STS_URI}
+realmA.port=${realmA.port}
+realmB.port=${realmB.port}

Added: cxf/fediz/trunk/services/idp/src/main/resources/realma.cert
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/resources/realma.cert?rev=1514048&view=auto
==============================================================================
Files cxf/fediz/trunk/services/idp/src/main/resources/realma.cert (added) and cxf/fediz/trunk/services/idp/src/main/resources/realma.cert Wed Aug 14 21:01:46 2013 differ

Added: cxf/fediz/trunk/services/idp/src/main/resources/realmb.cert
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/resources/realmb.cert?rev=1514048&view=auto
==============================================================================
Files cxf/fediz/trunk/services/idp/src/main/resources/realmb.cert (added) and cxf/fediz/trunk/services/idp/src/main/resources/realmb.cert Wed Aug 14 21:01:46 2013 differ

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml?rev=1514048&r1=1514047&r2=1514048&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/applicationContext.xml Wed Aug 14 21:01:46 2013
@@ -4,6 +4,7 @@
 	xmlns:test="http://apache.org/hello_world_soap_http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:util="http://www.springframework.org/schema/util" xmlns:http="http://cxf.apache.org/transports/http/configuration"
 	xmlns:sec="http://cxf.apache.org/configuration/security"
+	xmlns:context="http://www.springframework.org/schema/context"
 	xsi:schemaLocation="
         http://cxf.apache.org/core
         http://cxf.apache.org/schemas/core.xsd
@@ -15,14 +16,20 @@
         http://www.springframework.org/schema/util/spring-util-2.0.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-3.0.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">
         
+    <context:property-placeholder location="classpath:realm.properties"/>
+    
 	<import resource="classpath:META-INF/cxf/cxf.xml" />
 
     <import resource="security-config.xml" />
-    <import resource="idp-config-realma.xml" />
+    <!--<import resource="${realm.idp_configfile}" />-->
+    <!--<import resource="idp-config-realma.xml" />-->
     <!--<import resource="idp-config-realmb.xml" />-->
+    <import resource="${idp-config}" />
 
 	<cxf:bus>
 		<cxf:features>
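Review bot: The `${idp-config}` placeholder in `<import resource="${idp-config}" />` is resolved while the XML is being parsed, before any bean — including the `<context:property-placeholder location="classpath:realm.properties"/>` added just above — exists, so it can only be satisfied from JVM system properties or the environment, never from `realm.properties`; the commented-out `${realm.idp_configfile}` line looks like an earlier attempt at exactly that. Because the imported file selects the realm, its trusted IDPs and its key material, an undefined placeholder should fail startup rather than quietly pick up whatever `idp-config` happens to be set in the container's environment. Document the contract next to the import, e.g. `<!-- idp-config must be supplied as a JVM system property or environment variable; it is NOT read from realm.properties -->`, and drop the three commented-out `<import>` lines that are now dead.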

Added: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml?rev=1514048&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml (added)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml Wed Aug 14 21:01:46 2013
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/webflow
+                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <input name="idpConfig" />
+    <input name="wtrealm" />
+    <input name="wreply" />
+    <input name="wctx" />
+    <input name="wfresh" />
+    <input name="wauth" />
+    <input name="whr" />
+
+    <decision-state id="checkHRDSEnabled">
+<!--         <if test="idpConfig.getHrds() != null" then="checkWhrInSigninRequest" else="checkWauthTypeSupported" /> -->
+<!--         <if test="true" then="checkWhrInSigninRequest" else="checkWauthTypeSupported" /> -->
+        <if test="true" then="checkWhrInSigninRequest" else="checkDefaultToThisIDP" />
+    </decision-state>
+    
+    <decision-state id="checkWhrInSigninRequest">
+        <if test="flowScope.whr == null or flowScope.whr.trim().isEmpty()" then="checkHomeRealm" else="checkIsThisIDP" />
+    </decision-state>
+    
+    <decision-state id="checkHomeRealm">
+        <if test="homeRealmReminder.readCookie(flowRequestContext) == null" then="processHRDSExpression" else="restoreHomeRealm" />
+    </decision-state>
+
+    <action-state id="restoreHomeRealm">
+        <evaluate expression="homeRealmReminder.readCookie(flowRequestContext).value" result="flowScope.whr" /> 
+        <transition to="checkIsThisIDP"/>
+    </action-state>
+
+    <action-state id="processHRDSExpression">
+<!--     TODO -->
+        <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext)" result="flowScope.whr" /> 
+        <transition on="" to="provideIDPListForUser"/>
+        <transition to="checkIsThisIDP">
+            <evaluate expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.whr)" />
+        </transition>
+    </action-state>
+
+    <decision-state id="provideIDPListForUser">
+        <if test="flowScope.idpConfig.trustedIDPs == null or idpConfig.trustedIDPs.isEmpty()" then="checkDefaultToThisIDP" />
+        <if test="flowScope.idpConfig.isProvideIDPList() == false" then="checkDefaultToThisIDP" else="showIDPList" />
+    </decision-state>
+
+    <decision-state id="checkDefaultToThisIDP">
+        <if test="flowScope.idpConfig.isUseCurrentIDP()" then="checkWauthTypeSupported" else="viewBadRequest" />
+    </decision-state>
+    
+    <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
+        <var name="trustedIDPSelection" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
+        <binder>
+            <binding property="whr" required="true" />
+        </binder>
+        <on-entry>
+            <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
+        </on-entry>
+        <transition on="submit" to="checkIsThisIDP" bind="true" validate="true">
+            <set name="flowScope.whr" value="trustedIDPSelection.whr" />
+            <evaluate expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.whr)" />
+        </transition>
+        <transition on="cancel" to="checkDefaultToThisIDP" bind="false" validate="false" />
+    </view-state>
+
+<!--     Home Realm is known then we can store it in cookie -->
+    <decision-state id="checkIsThisIDP">
+<!--     	<on-entry> -->
+<!--             <evaluate expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.whr)" /> -->
+<!--         </on-entry> -->
+        <if test="flowScope.idpConfig.realm.equals(flowScope.whr)" then="checkWauthTypeSupported" else="checkIdpTokenWhrWauth" />
+    </decision-state>
+    
+<!-- ============================================================================================================= -->
+
+    <!--  Is 'wresult/RP-IDP token' already received and validated (then stored in session) from requestor IDP ? -->
+    <!-- question : is freshness to be checked ? -->
+    <decision-state id="checkIdpTokenWhrWauth">
+<!--         <if test="externalContext.sessionMap[flowScope.whr] != null" then="requestRpToken" else="redirectToTrustedIDP" /> -->
+        <if test="externalContext.sessionMap[flowScope.whr] != null" then="wfreshParserRemoteAction" else="redirectToTrustedIDP" />
+    </decision-state>
+    
+    <action-state id="wfreshParserRemoteAction">
+<!--         <evaluate expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowRequestContext)" /> -->
+        <evaluate expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr, flowRequestContext)" />
+        <transition on="yes" to="redirectToTrustedIDP"/>
+        <transition on="no" to="requestRpToken"/>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+
+    <decision-state id="checkWauthTypeSupported">
+        <on-entry>
+            <!-- Here, home realm is guaranteed to be THIS realm -->
+            <set name="flowScope.whr" value="flowScope.idpConfig.realm" />
+        </on-entry>
+        <if test="flowScope.idpConfig.getAuthenticationURIs() == null" then="viewBadRequest" />
+        <if test="flowScope.idpConfig.getAuthenticationURIs().get(flowScope.wauth) != null" then="checkIdpTokenWauth" else="viewBadRequest" />
+    </decision-state>
+    
+    <decision-state id="checkIdpTokenWauth">
+<!--    check presence of cached IDP token for THIS realm -->
+        <if test="externalContext.sessionMap[flowScope.whr] == null" then="cacheTokenForWauth" else="wfreshParserAction" />
+    </decision-state>
+    
+    <!-- parse wfresh parameter, provided by resource RP, overriding ttl from 'IDP_TOKEN' -->
+    <action-state id="wfreshParserAction">
+<!--         <evaluate expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowRequestContext)" /> -->
+        <evaluate expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr, flowRequestContext)" />
+        <transition on="yes" to="redirectToLocalIDP"/>
+        <transition on="no" to="requestRpToken"/>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+
+    <end-state id="redirectToLocalIDP">
+        <on-entry>
+	        <evaluate expression="logoutAction.submit(flowRequestContext)" />
+        </on-entry>
+        <output name="wctx" value="flowScope.wctx" />
+    </end-state>
+
+    <action-state id="cacheTokenForWauth">
+        <secured attributes="IS_AUTHENTICATED_FULLY" />
+        <evaluate expression="cacheTokenForWauthAction.submit(flowRequestContext)" />
+        <transition to="requestRpToken" />
+    </action-state>
+
+<!-- ============================================================================================================= -->
+
+    <!-- normal exit point -->
+    <end-state id="requestRpToken">
+        <output name="whr" value="flowScope.whr" />
+        <output name="wctx" value="flowScope.wctx" />
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest" />
+
+    <!-- redirects to requestor idp -->
+    <end-state id="redirectToTrustedIDP">
+        <on-entry>
+        	<evaluate expression="signInParamCacheAction.store(flowRequestContext)" />
+        </on-entry>
+        <output name="whr" value="flowScope.whr" />
+        <output name="wctx" value="flowScope.wctx" />
+    </end-state>
+
+
+</flow>
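Review bot: `flowScope.whr` comes from the `whr` request parameter or the realm cookie and, whenever it is not this IDP's own realm, passes from `checkIsThisIDP` straight into `checkIdpTokenWhrWauth`, where it is used as a key into `externalContext.sessionMap` and later (in the parent flow's `redirectToTrustedIDP`) into `idpConfig.trustedIDPs.get(whr).url`, without ever being checked against the configured trusted IDPs. An arbitrary value therefore ends in a NullPointerException (HTTP 500) instead of a 400, and a value that happens to collide with some other session attribute satisfies the `!= null` test and skips the redirect to the trusted IDP entirely. A membership check closes both: insert a decision-state between `checkIsThisIDP` and `checkIdpTokenWhrWauth` with `<if test="flowScope.idpConfig.trustedIDPs != null and flowScope.idpConfig.trustedIDPs.containsKey(flowScope.whr)" then="checkIdpTokenWhrWauth" else="viewBadRequest" />`. Separately, `checkHRDSEnabled` is hard-wired to `test="true"`, so the cookie/HRDS path cannot be switched off by configuration; either restore the commented-out `idpConfig.getHrds() != null` condition or record the TODO in the flow.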

Added: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml?rev=1514048&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml (added)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml Wed Aug 14 21:01:46 2013
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/webflow
+                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <input name="idpConfig" />
+<!--     <input name="wreply" /> not needed cached in session under key = value of key 'wctx' -->
+<!--     <input name="wtrealm" /> not needed cached in session under key = value of key 'wctx' -->
+    <input name="wctx" />
+    <input name="wauth" />
+<!--     <input name="whr" /> not needed cached in session under key = value of key 'wctx' -->
+    <input name="wresult" />
+
+    <on-start>
+	<!--  restore 'wreply','wtrealm','whr' for current 'wctx' -->
+        <evaluate expression="signInParamCacheAction.restore(flowRequestContext)" />
+    </on-start>
+
+    <!--  validate token issued by requestor IDP ('wresult') given its 'whr' -->
+    <action-state id="validateToken">
+        <evaluate expression="validateTokenAction.submit(flowRequestContext)" 
+                        result="flowScope.rpIdpToken" 
+                        result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" /> 
+        <transition to="requestRpToken">
+            <!-- cache validated token under key = requestor home realm -->
+            <set name="externalContext.sessionMap[flowScope.whr]" value="flowScope.rpIdpToken" />
+        </transition>
+        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+
+    <end-state id="requestRpToken">
+        <output name="whr" value="flowScope.whr" />
+        <output name="wctx" value="flowScope.wctx" />
+        <output name="wreply" value="flowScope.wreply" />
+        <output name="wtrealm" value="flowScope.wtrealm" />
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest" />
+
+    <!-- abnormal exit point : Http 500 Internal Server Error -->
+    <end-state id="scInternalServerError" />
+   
+</flow>
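Review bot: After `signInParamCacheAction.restore(flowRequestContext)` runs in `on-start`, the flow enters `validateToken` without confirming that an entry for the supplied `wctx` actually existed; on a miss `flowScope.whr` stays null and the success transition caches the validated token under `externalContext.sessionMap[null]` rather than failing. Make a guard the first (start) state, e.g. `<decision-state id="checkRestored"><if test="flowScope.whr == null or flowScope.wreply == null or flowScope.wtrealm == null" then="viewBadRequest" else="validateToken" /></decision-state>` — whether `restore` already throws on a miss is not visible in this diff, but the flow should state its precondition either way. The cached `wctx` entry should also be removed once it has been restored so the same `wctx` cannot be replayed with a second `wresult`; `SigninParametersCacheAction` is added by this commit but not shown here, so that may already be the case.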

Added: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml?rev=1514048&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml (added)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml Wed Aug 14 21:01:46 2013
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/webflow
+                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <var name="idpConfig" class="org.apache.cxf.fediz.service.idp.model.IDPConfig"/>
+
+    <!-- protocol check -->
+    <decision-state id="WSFederationRequestCheck">
+        <on-entry>
+            <set name="flowScope.wtrealm" value="requestParameters.wtrealm" />
+            <set name="flowScope.wreply" value="requestParameters.wreply" />
+            <set name="flowScope.wctx" value="requestParameters.wctx" />
+            <set name="flowScope.wfresh" value="requestParameters.wfresh" />
+            <set name="flowScope.whr" value="requestParameters.whr" />
+            <set name="flowScope.wresult" value="requestParameters.wresult" />
+            <evaluate expression="requestScope.getString('wauth','default')" result="flowScope.wauth" /> 
+	        <set name="flowScope.idpConfig" value="config.getIdpConfigs().get(0)" />
+        </on-entry>
+        <if test="requestParameters.wa == null" then="viewBadRequest" />
+        <if test="requestParameters.wa != 'wsignin1.0' and requestParameters.wa != 'wsignout1.0' and requestParameters.wa != 'wsignoutcleanup1.0'" then="viewBadRequest" />
+        <if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'" then="invalidateSessionAction" />
+        <if test="requestParameters.wtrealm == null or requestParameters.wtrealm.length() == 0" then="viewBadRequest" else="selectSigninProcess"/>
+    </decision-state>
+
+    <decision-state id="selectSigninProcess">
+        <if test="requestParameters.wresult == null or requestParameters.wresult.isEmpty()" then="signinRequest" else="signinResponse" />
+    </decision-state>
+
+    <subflow-state id="signinRequest" subflow="signinRequest">
+        <input name="idpConfig" value="flowScope.idpConfig" />
+        <input name="wtrealm" value="flowScope.wtrealm" />
+        <input name="wreply" value="flowScope.wreply" />
+        <input name="wctx" value="flowScope.wctx" />
+        <input name="wfresh" value="flowScope.wfresh" />
+        <input name="wauth" value="flowScope.wauth" />
+        <input name="whr" value="flowScope.whr" />
+
+        <output name="whr" />
+        <output name="wctx" />  
+
+        <transition on="requestRpToken" to="requestRpToken">
+        	<set name="flowScope.whr" value="currentEvent.attributes.whr" />
+        	<set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+        </transition>
+        <transition on="viewBadRequest" to="viewBadRequest"/>
+        <transition on="scInternalServerError" to="scInternalServerError"/>
+        <transition on="redirectToTrustedIDP" to="redirectToTrustedIDP">
+        	<set name="flowScope.whr" value="currentEvent.attributes.whr" />
+        	<set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+        </transition>
+        <transition on="redirectToLocalIDP" to="redirectToLocalIDP">
+        	<set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+        </transition>
+    </subflow-state>
+        
+    <subflow-state id="signinResponse" subflow="signinResponse">
+        <input name="idpConfig" value="flowScope.idpConfig" />
+        <!--  <input name="wtrealm" value="flowScope.wtrealm"  /> not needed cached in session under key = value of key 'wctx' -->
+        <!--  <input name="wreply" value="flowScope.wreply"  /> not needed cached in session under key = value of key 'wctx' -->
+        <input name="wfresh" value="flowScope.wfresh" />
+        <input name="wctx" value="flowScope.wctx" />
+        <input name="wauth" value="flowScope.wauth" />
+        <!--  <input name="whr" value="flowScope.whr"  /> not needed cached in session under key = value of key 'wctx' -->
+        <input name="wresult" value="flowScope.wresult" />
+
+        <output name="wtrealm" /> 
+        <output name="wreply" /> 
+        <output name="wctx" /> 
+        <output name="whr" /> 
+
+        <transition on="requestRpToken" to="requestRpToken">
+        	<set name="flowScope.whr" value="currentEvent.attributes.whr" />
+        	<set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+        	<set name="flowScope.wtrealm" value="currentEvent.attributes.wtrealm" />
+        	<set name="flowScope.wreply" value="currentEvent.attributes.wreply" />
+        </transition>
+        <transition on="viewBadRequest" to="viewBadRequest"/>
+        <transition on="scInternalServerError" to="scInternalServerError"/>
+    </subflow-state>
+
+    <!-- produce RP security token (as String type) -->
+    <action-state id="requestRpToken">
+		<evaluate expression="stsClientForRpAction.submit(flowRequestContext)"
+                    result="flowScope.rpToken" 
+                    result-type="java.lang.String" />
+        <transition to="formResponseView" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+
+    <!-- normal exit point for login -->
+    <!-- browser redirection (self-submitted form 'signinresponseform.jsp') -->
+    <end-state id="formResponseView" view="signinresponseform">
+        <on-entry>
+            <evaluate expression="flowScope.wreply" result="requestScope.fedAction" />
+            <evaluate expression="flowScope.wtrealm" result="requestScope.fedWTrealm" />
+            <evaluate expression="flowScope.wctx" result="requestScope.fedWCtx" />
+            <evaluate expression="flowScope.rpToken" result="requestScope.fedWResult" />
+        </on-entry>
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest" view="genericerror">
+        <on-entry>
+            <evaluate expression="externalContext.nativeResponse.setStatus(400,flowRequestContext.currentTransition.toString())" />
+            <set name="requestScope.reason" value="flowRequestContext.currentTransition" />
+        </on-entry>
+    </end-state>
+
+    <!-- abnormal exit point : Http 500 Internal Server Error -->
+    <end-state id="scInternalServerError" view="genericerror">
+        <on-entry>
+            <evaluate expression="externalContext.nativeResponse.setStatus(500,'IDP is unavailable, please contact the administrator')" />
+            <set name="requestScope.reason" value="'IDP is unavailable, please contact the administrator'" />
+        </on-entry>
+    </end-state>
+
+    <!-- normal exit point for logout -->
+    <end-state id="invalidateSessionAction" view="signoutresponse">
+    	<on-entry>
+	        <evaluate expression="homeRealmReminder.removeCookie(flowRequestContext)" />
+	        <evaluate expression="logoutAction.submit(flowRequestContext)" />
+    	</on-entry>
+    </end-state> 
+    
+    <!-- redirect to remote idp -->
+    <end-state id="redirectToTrustedIDP" view="externalRedirect:${flowScope.remoteIdpUrl}">
+        <on-entry>
+            <set name="flowScope.remoteIdpUrl" value="flowScope.idpConfig.trustedIDPs.get(flowScope.whr).url
+                +'?wa=wsignin1.0'
+                +'&amp;wtrealm='+flowScope.idpConfig.realm
+                +'&amp;wreply='+flowScope.idpConfig.idpUrl
+                +(flowScope.wfresh != null ? '&amp;wfresh='+flowScope.wfresh : '')
+                +(flowScope.wctx != null ? '&amp;wctx='+flowScope.wctx : '')">
+            </set>
+        </on-entry>
+    </end-state>
+
+    <end-state id="redirectToLocalIDP" view="externalRedirect:${flowScope.localIdpUrl}">
+        <on-entry>
+            <set name="flowScope.localIdpUrl" value="flowScope.idpConfig.idpUrl
+                +'?wa=wsignin1.0'
+                +'&amp;wreply='+flowScope.wreply
+                +'&amp;wtrealm='+flowScope.wtrealm
+                +(flowScope.wctx != null ? '&amp;wctx='+flowScope.wctx : '')
+                +(flowScope.wfresh != null ? '&amp;wfresh='+flowScope.wfresh : '')">
+            </set>
+        </on-entry>
+    </end-state>
+
+    
+</flow>
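Review bot: `flowScope.wreply` is copied verbatim from `requestParameters.wreply` in `WSFederationRequestCheck` and, after `requestRpToken`, becomes the `fedAction` target that the self-submitting form posts the freshly issued token to; nothing in this flow compares it with an endpoint registered for `flowScope.wtrealm`, so a crafted sign-in link carrying a valid `wtrealm` and an attacker-controlled `wreply` would have the IDP deliver the RP token to the attacker's host. Unless `stsClientForRpAction` or the response view enforces this (not visible here), add a decision-state between `selectSigninProcess` and the sub-flows that routes to `viewBadRequest` when `wreply` is not the reply URL configured for that realm, or at the very least when it is not an absolute `https` URL. The redirect targets in `redirectToTrustedIDP` and `redirectToLocalIDP` are also assembled by plain concatenation — `'&amp;wreply='+flowScope.wreply`, `'&amp;wfresh='+flowScope.wfresh` — so a value containing `&` or `#` injects extra query parameters or truncates the URL; URL-encode each value before appending it. `config.getIdpConfigs().get(0)` silently pins the flow to the first configured realm, which is fine for a single-realm deployment but deserves a comment saying so.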


