cxf-commits mailing list archives

From owu...@apache.org
Subject svn commit: r1572746 - in /cxf/fediz/trunk: plugins/core/src/main/java/org/apache/cxf/fediz/core/ plugins/core/src/main/java/org/apache/cxf/fediz/core/config/ plugins/core/src/main/resources/ plugins/core/src/main/resources/schemas/ plugins/jetty/ plug...
Date Thu, 27 Feb 2014 21:49:02 GMT
Author: owulff
Date: Thu Feb 27 21:49:01 2014
New Revision: 1572746

URL: http://svn.apache.org/r1572746
Log:
[FEDIZ-19] Single Sign out. Thanks Marc

Added:
    cxf/fediz/trunk/plugins/core/src/main/resources/logout.jpg
    cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutFilter.java
    cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
    cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationSignOutCleanupFilter.java
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutconfirmationresponse.jsp
    cxf/fediz/trunk/systests/tomcat7/src/test/resources/clientUntrusted.jks
Modified:
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
    cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
    cxf/fediz/trunk/plugins/jetty/pom.xml
    cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
    cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPAImpl.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpEntity.java
    cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
    cxf/fediz/trunk/services/idp/src/main/resources/entities-realma.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
    cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutresponse.jsp
    cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml
    cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml
    cxf/fediz/trunk/systests/springWebapp/src/main/java/org/apache/cxf/fediz/example/FederationServlet.java
    cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
    cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/web.xml
    cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessor.java Thu Feb 27 21:49:01 2014
@@ -31,6 +31,8 @@ public interface FederationProcessor {
     
     String createSignInRequest(HttpServletRequest request, FederationContext config) throws ProcessingException;
 
+    String createSignOutRequest(HttpServletRequest request, FederationContext config) throws ProcessingException;
+
     Document getMetaData(FederationContext config) throws ProcessingException;
 
 }

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationProcessorImpl.java Thu Feb 27 21:49:01 2014
@@ -440,6 +440,49 @@ public class FederationProcessorImpl imp
         return redirectURL;
     }
 
+    @Override
+    public String createSignOutRequest(HttpServletRequest request, FederationContext config)
+        throws ProcessingException {
+
+        String redirectURL = null;
+        try {
+            if (!(config.getProtocol() instanceof FederationProtocol)) {
+                LOG.error("Unsupported protocol");
+                throw new IllegalStateException("Unsupported protocol");
+            }
+
+            String issuerURL = resolveIssuer(request, config);
+            LOG.info("Issuer url: " + issuerURL);
+            if (issuerURL != null && issuerURL.length() > 0) {
+                redirectURL = issuerURL;
+            }
+
+            StringBuilder sb = new StringBuilder();
+            sb.append(FederationConstants.PARAM_ACTION).append('=').append(FederationConstants.ACTION_SIGNOUT);
+
+            String logoutRedirectTo = config.getLogoutRedirectTo();
+            if (logoutRedirectTo != null && !logoutRedirectTo.isEmpty()) {
+
+                if (logoutRedirectTo.startsWith("/")) {
+                    logoutRedirectTo = extractFullContextPath(request).concat(logoutRedirectTo.substring(1));
+                } else {
+                    logoutRedirectTo = extractFullContextPath(request).concat(logoutRedirectTo);
+                }
+
+                LOG.debug("wreply=" + logoutRedirectTo);
+
+                sb.append('&').append(FederationConstants.PARAM_REPLY).append('=');
+                sb.append(URLEncoder.encode(logoutRedirectTo, "UTF-8"));
+            }
+
+            redirectURL = redirectURL + "?" + sb.toString();
+        } catch (Exception ex) {
+            LOG.error("Failed to create SignInRequest", ex);
+            throw new ProcessingException("Failed to create SignInRequest");
+        }
+        return redirectURL;
+    }
+
     private String resolveSignInQuery(HttpServletRequest request, FederationContext config)
         throws IOException, UnsupportedCallbackException, UnsupportedEncodingException {
         Object signInQueryObj = ((FederationProtocol)config.getProtocol()).getSignInQuery();
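Review bot: When resolveIssuer() yields null or an empty string, `redirectURL` is still null at `redirectURL = redirectURL + "?" + sb.toString();`, so createSignOutRequest returns a string that starts with the literal text `null?` instead of failing. The callers added in this commit (signOutRedirectToIssuer in the Jetty authenticator and FederationLogoutSuccessHandler) test only `redirectURL != null`, so they would send that redirect after the local session has already been invalidated. Reject the missing issuer before the query string is appended, e.g. `if (redirectURL == null) { throw new ProcessingException("Issuer URL could not be resolved"); }`. The catch block also logs and throws "Failed to create SignInRequest", which looks copied from the sign-in method; it should name the SignOutRequest so the log points at the right flow.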

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java (original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationContext.java Thu Feb 27 21:49:01 2014
@@ -153,7 +153,14 @@ public class FederationContext implement
         }
         return protocol;
     }
-    
+
+    public String getLogoutURL() {
+        return config.getLogoutURL();
+    }
+
+    public String getLogoutRedirectTo() {
+        return config.getLogoutRedirectTo();
+    }
     
     
     public KeyManager getSigningKey() {

Added: cxf/fediz/trunk/plugins/core/src/main/resources/logout.jpg
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/resources/logout.jpg?rev=1572746&view=auto
==============================================================================
Files cxf/fediz/trunk/plugins/core/src/main/resources/logout.jpg (added) and cxf/fediz/trunk/plugins/core/src/main/resources/logout.jpg Thu Feb 27 21:49:01 2014 differ

Modified: cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd (original)
+++ cxf/fediz/trunk/plugins/core/src/main/resources/schemas/FedizConfig.xsd Thu Feb 27 21:49:01 2014
@@ -23,6 +23,8 @@
 				<xs:element ref="tokenDecryptionKey" />
 				<xs:element ref="trustedIssuers" />
 				<xs:element ref="protocol" />
+                <xs:element ref="logoutURL" minOccurs="0"/>
+                <xs:element ref="logoutRedirectTo" minOccurs="0"/>
 			</xs:sequence>
 			<xs:attribute name="name" use="required" type="xs:string" />
 
@@ -83,6 +85,10 @@
 
 	<xs:element name="protocol" type="protocolType" />
 
+    <xs:element name="logoutURL" type="xs:string"/>
+
+    <xs:element name="logoutRedirectTo" type="xs:string"/>
+
 	<xs:complexType name="federationProtocolType">
 		<xs:complexContent>
 			<xs:extension base="protocolType">

Modified: cxf/fediz/trunk/plugins/jetty/pom.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/jetty/pom.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/jetty/pom.xml (original)
+++ cxf/fediz/trunk/plugins/jetty/pom.xml Thu Feb 27 21:49:01 2014
@@ -47,6 +47,12 @@
         </dependency>
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-util</artifactId>
+            <version>${jetty.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-xml</artifactId>
             <version>${jetty.version}</version>
             <scope>test</scope>

Modified: cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java (original)
+++ cxf/fediz/trunk/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java Thu Feb 27 21:49:01 2014
@@ -21,8 +21,10 @@ package org.apache.cxf.fediz.jetty;
 
 import java.io.File;
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.cert.X509Certificate;
 
+import javax.servlet.ServletOutputStream;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
@@ -131,6 +133,11 @@ public class FederationAuthenticator ext
     /* ------------------------------------------------------------ */
     public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory)
         throws ServerAuthException {
+
+        if (!mandatory) {
+            return new DeferredAuthentication(this);
+        }
+
         HttpServletRequest request = (HttpServletRequest)req;
         HttpServletResponse response = (HttpServletResponse)res;
         String uri = request.getRequestURI();
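Review bot: The new `if (!mandatory)` early return runs before the `wa` parameter is inspected, so a request that lands on a path without a security constraint is deferred and never reaches the federation action handling further down (assuming those branches sit in this same method, which the hunk does not show in full). For a sign-out cleanup request that would leave the local session alive after a federated sign-out. Consider checking the `wa` parameter first and treating federation actions as mandatory, or state the intent with a comment such as `// wa requests on unconstrained paths are intentionally not processed here`.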
@@ -218,6 +225,27 @@ public class FederationAuthenticator ext
                         }
 
                     }
+                } else if (FederationConstants.ACTION_SIGNOUT_CLEANUP.equals(wa)) {
+                    if (LOG.isDebugEnabled()) {
+                        LOG.debug("SignOutCleanup request found");
+                        LOG.debug("SignOutCleanup action...");
+                    }
+                    session.invalidate();
+
+                    final ServletOutputStream responseOutputStream = response.getOutputStream();
+                    InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg");
+                    if (inputStream == null) {
+                        LOG.warn("Could not write logout.jpg");
+                        return Authentication.SEND_FAILURE;
+                    }
+                    int read = 0;
+                    byte[] buf = new byte[1024];
+                    while ((read = inputStream.read(buf)) != -1) {
+                        responseOutputStream.write(buf, 0, read);
+                    }
+                    inputStream.close();
+                    responseOutputStream.flush();
+                    return Authentication.SEND_SUCCESS;
                 } else {
                     LOG.warn("Not supported action found in parameter wa: " + wa);
                     response.sendError(HttpServletResponse.SC_BAD_REQUEST);
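Review bot: `inputStream` is closed only on the success path of the sign-out cleanup branch; if `responseOutputStream.write` throws, for example on a client disconnect, the classpath stream is leaked, so the copy loop belongs in `try { … } finally { inputStream.close(); }`. The response also carries no content type for the image; `response.setContentType("image/jpeg");` before the first write would fix that. When logout.jpg is missing the session has already been invalidated, so the warning "Could not write logout.jpg" and `SEND_FAILURE` report a failure for a cleanup that has in fact happened. The same copy loop is repeated in FederationSignOutCleanupFilter.doFilter and in the Tomcat authenticator's invoke hunk; one shared helper would keep the three in step.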
@@ -239,9 +267,27 @@ public class FederationAuthenticator ext
                 }
                 else
                 {
+                    //logout
+                    String contextName = request.getSession().getServletContext().getContextPath();
+                    if (contextName == null || contextName.isEmpty()) {
+                        contextName = "/";
+                    }
+                    FederationContext fedConfig = getContextConfiguration(contextName);
+
+                    String logoutUrl = fedConfig.getLogoutURL();
+                    if (logoutUrl != null && !logoutUrl.isEmpty() && uri.equals(contextName + logoutUrl)) {
+                        session.invalidate();
+
+                        FederationProcessor wfProc = new FederationProcessorImpl();
+                        signOutRedirectToIssuer(request, response, wfProc);
+
+                        return Authentication.SEND_CONTINUE;
+                    }
+
                     String j_uri = (String)session.getAttribute(J_URI);
                     if (j_uri != null)
                     {
+                        @SuppressWarnings("unchecked")
                         MultiMap<String> j_post = (MultiMap<String>)session.getAttribute(J_POST);
                         if (j_post != null)
                         {
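Review bot: The match `uri.equals(contextName + logoutUrl)` uses `contextName` after it has been rewritten to "/" for the root context, so a `logoutURL` configured as `/logout` is compared against `//logout` there and never matches, while the same value works under a non-root context such as `/app`. Build the path from the unmodified context path instead, e.g. `String logoutPath = "/".equals(contextName) ? logoutUrl : contextName + logoutUrl;`. The Tomcat authenticator hunk in this commit has the same comparison. The enclosing method starts and ends outside this hunk.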
@@ -299,7 +345,7 @@ public class FederationAuthenticator ext
             }
             
             FederationProcessor wfProc = new FederationProcessorImpl();
-            redirectToIssuer(request, response, wfProc);
+            signInRedirectToIssuer(request, response, wfProc);
 
             return Authentication.SEND_CONTINUE;
 
@@ -320,7 +366,7 @@ public class FederationAuthenticator ext
     }    
     
     /**
-     * Called to redirect to the IDP/Issuer
+     * Called to redirect sign-in to the IDP/Issuer
      * 
      * @param request
      *            Request we are processing
@@ -333,7 +379,7 @@ public class FederationAuthenticator ext
      *             {@link HttpServletResponse#sendError(int, String)} throws an
      *             {@link IOException}
      */
-    protected void redirectToIssuer(HttpServletRequest request, HttpServletResponse response, FederationProcessor processor)
+    protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FederationProcessor processor)
         throws IOException {
 
         //Not supported in jetty 7.6
@@ -360,6 +406,33 @@ public class FederationAuthenticator ext
         }
         
     }
+
+    protected void signOutRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FederationProcessor processor)
+            throws IOException {
+
+        //Not supported in jetty 7.6
+        //String contextName = request.getServletContext().getContextPath();
+        String contextName = request.getSession().getServletContext().getContextPath();
+        if (contextName == null || contextName.isEmpty()) {
+            contextName = "/";
+        }
+        FederationContext fedCtx = this.configurator.getFederationContext(contextName);
+        String redirectURL = null;
+        try {
+            redirectURL = processor.createSignOutRequest(request, fedCtx);
+            if (redirectURL != null) {
+                response.sendRedirect(redirectURL);
+            } else {
+                LOG.warn("Failed to create SignOutRequest.");
+                response.sendError(
+                        HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
+            }
+        } catch (ProcessingException ex) {
+            LOG.warn("Failed to create SignOutRequest: " + ex.getMessage());
+            response.sendError(
+                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
+        }
+    }
     
     private FederationContext getContextConfiguration(String contextName) {
         if (configurator == null) {
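Review bot: signOutRedirectToIssuer reads `this.configurator.getFederationContext(contextName)` directly, while the logout branch added earlier in this file goes through `getContextConfiguration(contextName)`, whose visible first line guards against a null `configurator`. Using the helper here as well, `FederationContext fedCtx = getContextConfiguration(contextName);`, keeps the two paths consistent. The method also has no Javadoc although its sign-in counterpart does; a short comment stating that it redirects the browser to the issuer with a sign-out request and answers 500 when the request cannot be built would match. getContextConfiguration continues past the end of the hunk.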

Added: cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutFilter.java?rev=1572746&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutFilter.java (added)
+++ cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutFilter.java Thu Feb 27 21:49:01 2014
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.spring.web;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.cxf.fediz.spring.FederationConfig;
+import org.springframework.beans.factory.annotation.Required;
+import org.springframework.security.web.authentication.logout.LogoutFilter;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+
+public class FederationLogoutFilter extends LogoutFilter {
+
+    private FederationConfig federationConfig;
+    private String logoutUrl;
+
+    public FederationLogoutFilter(LogoutSuccessHandler logoutSuccessHandler, LogoutHandler... handlers) {
+        super(logoutSuccessHandler, handlers);
+    }
+
+    @Required
+    public void setFederationConfig(FederationConfig federationConfig) {
+        this.federationConfig = federationConfig;
+    }
+
+    @Override
+    protected boolean requiresLogout(HttpServletRequest request, HttpServletResponse response) {
+        if (this.logoutUrl == null) {
+            String contextName = request.getContextPath();
+            if (contextName == null || contextName.isEmpty()) {
+                contextName = "/";
+            }
+            this.logoutUrl = federationConfig.getFederationContext(contextName).getLogoutURL();
+        }
+        if (this.logoutUrl != null && !this.logoutUrl.isEmpty()) {
+            super.setFilterProcessesUrl(this.logoutUrl);
+            return super.requiresLogout(request, response);
+        }
+        return false;
+    }
+
+    public void setFilterProcessesUrl(String filterProcessesUrl) {
+        throw new UnsupportedOperationException(
+                "setFilterProcessesUrl() unsupported. Use fediz config to configure logout url");
+    }
+
+    protected String getFilterProcessesUrl() {
+        return this.logoutUrl;
+    }
+}
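Review bot: `requiresLogout` calls `super.setFilterProcessesUrl(this.logoutUrl)` on every request and lazily writes the `logoutUrl` field from request threads without synchronisation; since the value comes from static configuration, resolve it once (inside the `if (this.logoutUrl == null)` block, or at bean initialisation) rather than mutating filter state per request. When no logoutURL is configured the field stays null, so the context lookup is repeated for each request, and `getFederationContext(contextName).getLogoutURL()` would throw a NullPointerException if no context exists for the path (assuming the lookup can return null, which is not visible here). `setFilterProcessesUrl` overrides the superclass method that this class itself calls via `super`, so it should carry `@Override`.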

Added: cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java?rev=1572746&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java (added)
+++ cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationLogoutSuccessHandler.java Thu Feb 27 21:49:01 2014
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.spring.web;
+
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.cxf.fediz.core.FederationProcessor;
+import org.apache.cxf.fediz.core.FederationProcessorImpl;
+import org.apache.cxf.fediz.core.config.FederationContext;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.spring.FederationConfig;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Required;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+
+public class FederationLogoutSuccessHandler implements LogoutSuccessHandler {
+
+    private static final Logger LOG = LoggerFactory.getLogger(FederationLogoutSuccessHandler.class);
+
+    private FederationConfig federationConfig;
+
+    @Required
+    public void setFederationConfig(FederationConfig federationConfig) {
+        this.federationConfig = federationConfig;
+    }
+
+    @Override
+    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
+                                Authentication authentication) throws IOException, ServletException {
+        FederationProcessor processor = new FederationProcessorImpl();
+        String contextName = request.getContextPath();
+        if (contextName == null || contextName.isEmpty()) {
+            contextName = "/";
+        }
+        FederationContext fedCtx = federationConfig.getFederationContext(contextName);
+        String redirectURL;
+        try {
+            redirectURL = processor.createSignOutRequest(request, fedCtx);
+            if (redirectURL != null) {
+                response.sendRedirect(redirectURL);
+            } else {
+                LOG.warn("Failed to create SignOutRequest.");
+                response.sendError(
+                        HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
+            }
+        } catch (ProcessingException ex) {
+            LOG.warn("Failed to create SignOutRequest: " + ex.getMessage());
+            response.sendError(
+                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
+        }
+    }
+}

Added: cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationSignOutCleanupFilter.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationSignOutCleanupFilter.java?rev=1572746&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationSignOutCleanupFilter.java (added)
+++ cxf/fediz/trunk/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationSignOutCleanupFilter.java Thu Feb 27 21:49:01 2014
@@ -0,0 +1,67 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.spring.web;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class FederationSignOutCleanupFilter extends GenericFilterBean {
+
+    private static final Logger LOG = LoggerFactory.getLogger(FederationSignOutCleanupFilter.class);
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+        throws IOException, ServletException {
+
+        String wa = request.getParameter(FederationConstants.PARAM_ACTION);
+        if (FederationConstants.ACTION_SIGNOUT_CLEANUP.equals(wa)) {
+            if (request instanceof HttpServletRequest) {
+                ((HttpServletRequest)request).getSession().invalidate();
+            }
+
+            final ServletOutputStream responseOutputStream = response.getOutputStream();
+            InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg");
+            if (inputStream == null) {
+                LOG.warn("Could not write logout.jpg");
+                return;
+            }
+            int read = 0;
+            byte[] buf = new byte[1024];
+            while ((read = inputStream.read(buf)) != -1) {
+                responseOutputStream.write(buf, 0, read);
+            }
+            inputStream.close();
+            responseOutputStream.flush();
+        } else {
+            chain.doFilter(request, response);
+        }
+    }
+}
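Review bot: `((HttpServletRequest)request).getSession().invalidate()` creates a new session when the caller has none, only to destroy it again, so every request carrying the sign-out cleanup action costs a session allocation. Use the non-creating lookup instead: `HttpSession s = ((HttpServletRequest)request).getSession(false); if (s != null) { s.invalidate(); }`. The Tomcat authenticator's cleanup block (`request.getSession().invalidate()`) has the same pattern. Because the filter acts on the `wa` parameter alone, for any path and HTTP method, a short class comment stating that this is the WS-Federation sign-out cleanup endpoint and that, depending on its position in the filter chain, it may be reachable without authentication would help whoever wires it in.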

Modified: cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java (original)
+++ cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java Thu Feb 27 21:49:01 2014
@@ -21,6 +21,7 @@ package org.apache.cxf.fediz.tomcat;
 
 import java.io.File;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.PrintWriter;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
@@ -29,7 +30,9 @@ import java.util.Date;
 import java.util.List;
 
 import javax.servlet.ServletException;
+import javax.servlet.ServletOutputStream;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import javax.xml.bind.JAXBException;
 
 import org.w3c.dom.Document;
@@ -186,6 +189,53 @@ public class FederationAuthenticator ext
                 return;
             }            
         }
+
+        //logout
+        String contextName = request.getServletContext().getContextPath();
+        if (contextName == null || contextName.isEmpty()) {
+            contextName = "/";
+        }
+        FederationContext fedConfig = getContextConfiguration(contextName);
+
+        String logoutUrl = fedConfig.getLogoutURL();
+        if (logoutUrl != null && !logoutUrl.isEmpty()) {
+            HttpSession httpSession = request.getSession(false);
+            String uri = request.getRequestURI();
+            if (httpSession != null && uri.equals(contextName + logoutUrl)) {
+                httpSession.invalidate();
+
+                FederationProcessor wfProc = new FederationProcessorImpl();
+                signOutRedirectToIssuer(request, response, wfProc);
+
+                return;
+            }
+        }
+
+        String wa = request.getParameter("wa");
+        if (FederationConstants.ACTION_SIGNOUT_CLEANUP.equals(wa)) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("SignOutCleanup request found");
+                LOG.debug("SignOutCleanup action...");
+            }
+
+            request.getSession().invalidate();
+
+            final ServletOutputStream responseOutputStream = response.getOutputStream();
+            InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("logout.jpg");
+            if (inputStream == null) {
+                LOG.warn("Could not write logout.jpg");
+                return;
+            }
+            int read = 0;
+            byte[] buf = new byte[1024];
+            while ((read = inputStream.read(buf)) != -1) {
+                responseOutputStream.write(buf, 0, read);
+            }
+            inputStream.close();
+            responseOutputStream.flush();
+
+            return;
+        }
         
         super.invoke(request, response);
 
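Review bot: The cleanup check reads the action with the literal `request.getParameter("wa")`, whereas the Spring filter in this commit uses `FederationConstants.PARAM_ACTION`; use the constant here too, `String wa = request.getParameter(FederationConstants.PARAM_ACTION);`. The logout branch above it only fires when `request.getSession(false)` returns a session, so a logout request without a local session falls through to `super.invoke` and is never forwarded to the issuer; if that is intended, a comment saying so would help, since the Jetty branch does not show this condition. invoke() begins outside the hunk.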
@@ -229,7 +279,7 @@ public class FederationAuthenticator ext
                     LOG.debug("Token expiration not validated.");
                     return true;
                 }
-                
+
                 Date currentTime = new Date();
                 if (currentTime.after(wfRes.getTokenExpires())) {
                     LOG.debug("Token already expired. Clean up and redirect");
@@ -252,7 +302,7 @@ public class FederationAuthenticator ext
                         return false;
                     }
                     FederationProcessor wfProc = new FederationProcessorImpl();
-                    redirectToIssuer(request, response, wfProc);
+                    signInRedirectToIssuer(request, response, wfProc);
 
                     return false;
                 }
@@ -311,7 +361,7 @@ public class FederationAuthenticator ext
                 return false;
             }
             FederationProcessor wfProc = new FederationProcessorImpl();
-            redirectToIssuer(request, response, wfProc);
+            signInRedirectToIssuer(request, response, wfProc);
             return false;
         }
 
@@ -398,7 +448,7 @@ public class FederationAuthenticator ext
                 principal = new FederationPrincipalImpl(wfRes.getUsername(), roles,
                         wfRes.getClaims(), wfRes.getToken());
             }
-        } else {
+        }  else {
             LOG.error("Not supported action found in parameter wa: " + wa);
             response.sendError(HttpServletResponse.SC_BAD_REQUEST);
             return false;
@@ -508,7 +558,7 @@ public class FederationAuthenticator ext
      *             {@link HttpServletResponse#sendError(int, String)} throws an
      *             {@link IOException}
      */
-    protected void redirectToIssuer(Request request, HttpServletResponse response, FederationProcessor processor)
+    protected void signInRedirectToIssuer(Request request, HttpServletResponse response, FederationProcessor processor)
         throws IOException {
 
         String contextName = request.getServletContext().getContextPath();
@@ -534,4 +584,28 @@ public class FederationAuthenticator ext
         
     }
 
+    protected void signOutRedirectToIssuer(Request request, HttpServletResponse response, FederationProcessor processor)
+            throws IOException {
+
+        String contextName = request.getServletContext().getContextPath();
+        if (contextName == null || contextName.isEmpty()) {
+            contextName = "/";
+        }
+        FederationContext fedCtx = this.configurator.getFederationContext(contextName);
+        String redirectURL = null;
+        try {
+            redirectURL = processor.createSignOutRequest(request, fedCtx);
+            if (redirectURL != null) {
+                response.sendRedirect(redirectURL);
+            } else {
+                LOG.warn("Failed to create SignOutRequest.");
+                response.sendError(
+                        HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
+            }
+        } catch (ProcessingException ex) {
+            LOG.warn("Failed to create SignOutRequest: " + ex.getMessage());
+            response.sendError(
+                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
+        }
+    }
 }
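Review bot: The `catch (ProcessingException ex)` in `signOutRedirectToIssuer` logs only `ex.getMessage()`, so the stack trace and any nested cause are lost when sign-out request creation fails. Pass the exception to the logger instead, `LOG.warn("Failed to create SignOutRequest", ex);`, and keep the generic text in `sendError` so no detail reaches the client. The method also has no Javadoc, while `signInRedirectToIssuer` just above it does. A short block stating that it redirects to the URL returned by `processor.createSignOutRequest` and answers 500 when that URL is null or creation fails would match the sibling.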

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java Thu Feb 27 21:49:01 2014
@@ -18,11 +18,15 @@
  */
 package org.apache.cxf.fediz.service.idp.beans;
 
+import java.net.URL;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.UUID;
 
 import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.service.idp.domain.Application;
+import org.apache.cxf.fediz.service.idp.domain.Idp;
 import org.apache.cxf.fediz.service.idp.util.WebUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -30,6 +34,10 @@ import org.springframework.webflow.execu
 
 public class SigninParametersCacheAction {
 
+    //todo introduce constants class?
+    public static final String IDP_CONFIG = "idpConfig";
+    public static final String REALM_URL_MAP = "realmUrlMap";
+
     private static final Logger LOG = LoggerFactory.getLogger(SigninParametersCacheAction.class);
 
     public void store(RequestContext context) {
@@ -83,4 +91,57 @@ public class SigninParametersCacheAction
         WebUtils.removeAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
         LOG.info("SignIn parameters restored and " + FederationConstants.PARAM_CONTEXT + "[" + uuidKey + "] cleared.");
     }
+
+    public void storeRPUrlInSession(RequestContext context) throws ProcessingException {
+
+        String whr = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_HOME_REALM);
+        if (whr == null) {
+            return;
+        }
+
+        String wtrealm = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_TREALM);
+        
+        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, IDP_CONFIG);
+        
+        String url = null;
+
+        Application serviceConfig = idpConfig.findApplication(wtrealm);
+        if (serviceConfig != null) {
+            url = serviceConfig.getPassiveRequestorEndpoint();
+        }
+
+        if (url == null) {
+            url = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY);
+            try {
+                //basic check if the url is correctly formed
+                new URL(url);
+            } catch (Exception e) {
+                url = null;
+            }
+            if (url == null) {
+                url = wtrealm;
+                try {
+                    //basic check if the url is correctly formed
+                    new URL(url);
+                } catch (Exception e) {
+                    throw new ProcessingException(e.getMessage(), e, ProcessingException.TYPE.INVALID_REQUEST);
+                }
+            }
+        }
+
+        @SuppressWarnings("unchecked")
+        Map<String, String> rum =
+                (Map<String, String>)WebUtils
+                        .getAttributeFromExternalContext(context, REALM_URL_MAP);
+
+        if (rum == null) {
+            rum = new HashMap<String, String>();
+            WebUtils.putAttributeInExternalContext(context, REALM_URL_MAP, rum);
+        }
+
+        String val = rum.get(wtrealm);
+        if (val == null) {
+            rum.put(wtrealm, url);
+        }
+    }
 }
\ No newline at end of file
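Review bot: The fallback branch of `storeRPUrlInSession` puts a flow-scope value (`FederationConstants.PARAM_REPLY`, then `wtrealm`) into the session-scoped `realmUrlMap` after only a `new URL(url)` parse, which checks syntax but not host, scheme or content. If those values originate from request parameters, which the hunk suggests but does not show, the requester decides what the sign-out pages added in this commit later print and load as an image source. Consider storing the fallback only when it matches an endpoint registered for the application, or at least restricting the scheme, e.g. `String p = new URL(url).getProtocol(); if (!"https".equals(p) && !"http".equals(p)) { url = null; }`. Separately, `idpConfig.findApplication(wtrealm)` dereferences `idpConfig` without a null check, and both `catch (Exception e)` blocks could be narrowed to `MalformedURLException`.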

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java Thu Feb 27 21:49:01 2014
@@ -31,7 +31,8 @@ import javax.xml.bind.annotation.XmlType
 
 @XmlRootElement(name = "application", namespace = "http://org.apache.cxf.fediz/")
 @XmlType(propOrder = {"realm", "role", "serviceDisplayName", "serviceDescription", "protocol",
-                      "tokenType", "lifeTime", "encryptionCertificate", "requestedClaims", "policyNamespace", "id" })
+                      "tokenType", "lifeTime", "encryptionCertificate", "requestedClaims",
+                      "policyNamespace", "passiveRequestorEndpoint", "id" })
 public class Application implements Serializable {
         
     private static final long serialVersionUID = 5644327504861846964L;
@@ -81,6 +82,10 @@ public class Application implements Seri
     
     private URI href;
     
+    //Could be read from Metadata, PassiveRequestorEndpoint
+    //fed:ApplicationServiceType, fed:SecurityTokenServiceType
+    private String passiveRequestorEndpoint;
+    
     
     @XmlAttribute
     public int getId() {
@@ -182,4 +187,12 @@ public class Application implements Seri
         this.policyNamespace = policyNamespace;
     }
 
+    public String getPassiveRequestorEndpoint() {
+        return passiveRequestorEndpoint;
+    }
+
+    public void setPassiveRequestorEndpoint(String passiveRequestorEndpoint) {
+        this.passiveRequestorEndpoint = passiveRequestorEndpoint;
+    }
+
 }

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Idp.java Thu Feb 27 21:49:01 2014
@@ -33,8 +33,8 @@ import javax.xml.bind.annotation.XmlType
 @XmlRootElement(name = "idp", namespace = "http://org.apache.cxf.fediz/")
 @XmlType(propOrder = {"realm", "uri", "serviceDisplayName", "serviceDescription", "idpUrl", "stsUrl",
                      "certificate", "certificatePassword", "provideIdpList", "useCurrentIdp", "hrds",
-                     "supportedProtocols", "tokenTypesOffered", "claimTypesOffered", "authenticationURIs",
-                     "applications", "trustedIdps", "id" })
+                     "rpSingleSignOutConfirmation", "supportedProtocols", "tokenTypesOffered", "claimTypesOffered",
+                     "authenticationURIs", "applications", "trustedIdps", "id" })
 public class Idp implements Serializable {
 
     private static final long serialVersionUID = -5570301342547139039L;
@@ -111,6 +111,9 @@ public class Idp implements Serializable
     // ServiceDescription
     protected String serviceDescription;
     
+    // The user/browser must explicitly confirm to logout from all applications
+    private boolean rpSingleSignOutConfirmation;
+    
     @XmlAttribute
     public int getId() {
         return id;
@@ -278,4 +281,12 @@ public class Idp implements Serializable
         this.serviceDescription = serviceDescription;
     }
 
+    public boolean isRpSingleSignOutConfirmation() {
+        return rpSingleSignOutConfirmation;
+    }
+
+    public void setRpSingleSignOutConfirmation(boolean rpSingleSignOutConfirmation) {
+        this.rpSingleSignOutConfirmation = rpSingleSignOutConfirmation;
+    }
+
 }

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java Thu Feb 27 21:49:01 2014
@@ -205,6 +205,7 @@ public class ApplicationDAOJPAImpl imple
         entity.setServiceDisplayName(application.getServiceDisplayName());
         entity.setTokenType(application.getTokenType());
         entity.setPolicyNamespace(application.getPolicyNamespace());
+        entity.setPassiveRequestorEndpoint(application.getPassiveRequestorEndpoint());
     }
     
     public static Application entity2domain(ApplicationEntity entity, List<String> expandList) {
@@ -219,6 +220,7 @@ public class ApplicationDAOJPAImpl imple
         application.setServiceDisplayName(entity.getServiceDisplayName());
         application.setTokenType(entity.getTokenType());
         application.setPolicyNamespace(entity.getPolicyNamespace());
+        application.setPassiveRequestorEndpoint(entity.getPassiveRequestorEndpoint());
         
         if (expandList != null && (expandList.contains("all") || expandList.contains("claims"))) {
             for (ApplicationClaimEntity item : entity.getRequestedClaims()) {

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java Thu Feb 27 21:49:01 2014
@@ -71,8 +71,10 @@ public class ApplicationEntity {
     
     // WS-Policy Namespace in SignIn Response
     private String policyNamespace;
-
     
+    private String passiveRequestorEndpoint;
+
+
     public int getId() {
         return id;
     }
@@ -161,4 +163,12 @@ public class ApplicationEntity {
         this.policyNamespace = policyNamespace;
     }
 
+    public String getPassiveRequestorEndpoint() {
+        return passiveRequestorEndpoint;
+    }
+
+    public void setPassiveRequestorEndpoint(String passiveRequestorEndpoint) {
+        this.passiveRequestorEndpoint = passiveRequestorEndpoint;
+    }
+
 }

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPAImpl.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPAImpl.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPAImpl.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPAImpl.java Thu Feb 27 21:49:01 2014
@@ -311,6 +311,7 @@ public class IdpDAOJPAImpl implements Id
         entity.setStsUrl(idp.getStsUrl());
         entity.setUri(idp.getUri());
         entity.setUseCurrentIdp(idp.isUseCurrentIdp());
+        entity.setRpSingleSignOutConfirmation(idp.isRpSingleSignOutConfirmation());
         
         entity.getAuthenticationURIs().clear();
         for (Map.Entry<String, String> item : idp.getAuthenticationURIs().entrySet()) {
@@ -343,6 +344,7 @@ public class IdpDAOJPAImpl implements Id
         idp.setStsUrl(entity.getStsUrl());
         idp.setUri(entity.getUri());
         idp.setUseCurrentIdp(entity.isUseCurrentIdp());
+        idp.setRpSingleSignOutConfirmation(entity.isRpSingleSignOutConfirmation());
         
         
         if (expandList != null && (expandList.contains("all") || expandList.contains("applications"))) {

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpEntity.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpEntity.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpEntity.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpEntity.java Thu Feb 27 21:49:01 2014
@@ -77,6 +77,8 @@ public class IdpEntity {
     // fedl:PassiveRequestorEndpoint
     // published hostname, port must be configured
     private String idpUrl;
+    
+    private boolean rpSingleSignOutConfirmation;
 
     // RoleDescriptor protocolSupportEnumeration=
     // "http://docs.oasis-open.org/wsfed/federation/200706"
@@ -271,5 +273,13 @@ public class IdpEntity {
     public void setServiceDescription(String serviceDescription) {
         this.serviceDescription = serviceDescription;
     }
+    
+    public boolean isRpSingleSignOutConfirmation() {
+        return rpSingleSignOutConfirmation;
+    }
+
+    public void setRpSingleSignOutConfirmation(boolean rpSingleSignOutConfirmation) {
+        this.rpSingleSignOutConfirmation = rpSingleSignOutConfirmation;
+    }
 
 }

Modified: cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java (original)
+++ cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java Thu Feb 27 21:49:01 2014
@@ -61,6 +61,10 @@ public final class WebUtils {
                 .getNativeResponse();
     }
 
+    public static String getHttpHeader(RequestContext requestContext, String headerName) {
+        return getHttpServletRequest(requestContext).getHeader(headerName);
+    }
+
     public static void putAttributeInRequestScope(final RequestContext context,
             final String attributeKey, final Object attributeValue) {
         context.getRequestScope().put(attributeKey, attributeValue);

Modified: cxf/fediz/trunk/services/idp/src/main/resources/entities-realma.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/resources/entities-realma.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/resources/entities-realma.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/resources/entities-realma.xml Thu Feb 27 21:49:01 2014
@@ -35,6 +35,7 @@
         <property name="certificatePassword" value="realma" />
         <property name="stsUrl" value="https://localhost:9443/fediz-idp-sts/REALMA" />
         <property name="idpUrl" value="https://localhost:9443/fediz-idp/federation" />
+        <property name="rpSingleSignOutConfirmation" value="true"/>
         <property name="supportedProtocols">
             <util:list>
                 <value>http://docs.oasis-open.org/wsfed/federation/200706

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml Thu Feb 27 21:49:01 2014
@@ -41,7 +41,7 @@
             then="viewBadRequest" />
         <if
             test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
-            then="invalidateSessionAction" />
+            then="selectSignOutProcess" />
         <if
             test="requestParameters.wtrealm == null or requestParameters.wtrealm.length() == 0"
             then="viewBadRequest" else="selectSigninProcess" />
@@ -53,6 +53,15 @@
             then="signinRequest" else="signinResponse" />
     </decision-state>
 
+    <decision-state id="selectSignOutProcess">
+        <on-entry>
+            <evaluate expression="@org.apache.cxf.fediz.service.idp.util.WebUtils@getHttpHeader(flowRequestContext, 'Referer')" result="flowScope.wreply"/>
+        </on-entry>
+        <if
+            test="flowScope.idpConfig.rpSingleSignOutConfirmation == true"
+            then="viewSignoutConfirmation" else="invalidateSessionAction" />
+    </decision-state>
+
     <subflow-state id="signinRequest" subflow="signinRequest">
         <input name="idpConfig" value="flowScope.idpConfig" />
         <input name="wtrealm" value="flowScope.wtrealm" />
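Review bot: `selectSignOutProcess` copies the `Referer` request header into `flowScope.wreply`, and the `redirect` view-state added further down in this file sends the browser to `externalRedirect:${flowScope.wreply}` on cancel, so the redirect target is a client-supplied value. The header may also be absent, leaving `wreply` null and the cancel transition without a usable target. Check the value against the endpoints of the configured applications, or fall back to a fixed IdP page, before it is used, and handle the missing-header case explicitly. A comment on the `on-entry` would document the trust assumption, e.g. `<!-- Referer is client-controlled; validate before using it as the cancel target -->`.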
@@ -104,8 +113,12 @@
 
     <!-- produce RP security token (as String type) -->
     <action-state id="requestRpToken">
-        <evaluate expression="stsClientForRpAction.submit(flowRequestContext)"
-            result="flowScope.rpToken" result-type="java.lang.String" />
+        <on-entry>
+            <evaluate expression="stsClientForRpAction.submit(flowRequestContext)"
+                      result="flowScope.rpToken"/>
+        </on-entry>
+        <evaluate expression="signInParamCacheAction.storeRPUrlInSession(flowRequestContext)"
+                result="flowScope.res"/>
         <transition to="formResponseView" />
         <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
     </action-state>
@@ -137,12 +150,30 @@
                 expression="externalContext.nativeResponse.setStatus(500,'IDP is unavailable, please contact the administrator')" />
             <set name="requestScope.reason"
                 value="'IDP is unavailable, please contact the administrator'" />
+            <set name="requestScope.stateException"
+                value="flowScope.stateException" />
+            <set name="requestScope.rootCauseException"
+                value="flowScope.rootCauseException" />
         </on-entry>
     </end-state>
+    
+    <!-- normal exit point for logout -->
+    <view-state id="viewSignoutConfirmation" view="signoutconfirmationresponse">
+        <transition on="submit" to="invalidateSessionAction"/>
+        <transition on="cancel" to="redirect" />
+    </view-state>
+
+    <view-state id="redirect" view="externalRedirect:${flowScope.wreply}" />
 
     <!-- normal exit point for logout -->
     <end-state id="invalidateSessionAction" view="signoutresponse">
         <on-entry>
+            <!-- store the realmUrlMap in the request map before we invalidate the session below.
+            Its needed in the signoutresponse.jsp page -->
+            <set name="externalContext.requestMap.realmUrlMap" value="externalContext.sessionMap.realmUrlMap"/>
+            <!-- there is no Saml token canceller in cxf STS...
+            <evaluate expression="stsClientForRpAction.cancelTokens(flowRequestContext)" />
+            -->
             <evaluate
                 expression="homeRealmReminder.removeCookie(flowRequestContext)" />
             <evaluate expression="logoutAction.submit(flowRequestContext)" />

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml Thu Feb 27 21:49:01 2014
@@ -84,6 +84,8 @@
         </property>
         <property name="serviceDisplayName" value="REALM A" />
         <property name="serviceDescription" value="IDP of Realm A" />
+        <property name="localSingleSignOutConfirmation" value="true"/>
+        <property name="rpSingleSignOutConfirmation" value="true"/>
     </bean>
 
     <bean id="trusted-idp-realmB"
@@ -99,6 +101,7 @@
         <property name="federationType" value="FederateIdentity" /> <!-- Required for STS Relationship -->
         <property name="name" value="REALM B" />
         <property name="description" value="IDP of Realm B" />
+        <!-- todo true / false prop for propagate sign-out of other realms !?-->
     </bean>
 
     <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml Thu Feb 27 21:49:01 2014
@@ -78,6 +78,7 @@
         </property>
         <property name="serviceDisplayName" value="REALM B" />
         <property name="serviceDescription" value="IDP of Realm B" />
+        <property name="rpSingleSignOutConfirmation" value="true"/>
     </bean>
 
     <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">

Added: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutconfirmationresponse.jsp
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutconfirmationresponse.jsp?rev=1572746&view=auto
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutconfirmationresponse.jsp (added)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutconfirmationresponse.jsp Thu Feb 27 21:49:01 2014
@@ -0,0 +1,46 @@
+<%@ page import="java.util.Map" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.domain.Idp" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" %>
+<%@ page import="org.apache.cxf.fediz.core.FederationConstants" %>
+<%@ page import="java.util.List" %>
+<%@ page import="java.util.Iterator" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<title>IDP SignOut Confirmation Response Page</title>
+</head>
+<body>
+	<h1>Logout from the following realms?</h1>
+
+    <p>
+        <%
+            final Idp idpConfig = (Idp) request.getAttribute(SigninParametersCacheAction.IDP_CONFIG);
+
+            @SuppressWarnings("unchecked")
+            Map<String, String> rum =
+                    (Map<String, String>) request.getSession().getAttribute(SigninParametersCacheAction.REALM_URL_MAP);
+            
+            Iterator<Map.Entry<String, String>> iterator = rum.entrySet().iterator();
+            
+            while (iterator.hasNext()) {
+                Map.Entry<String, String> next = iterator.next();
+                String rpUri = next.getValue();
+                if (rpUri != null) {
+        %>
+        Will logout on RP: <%= rpUri%>
+        <br/>
+        <%
+                }
+            }
+        %>
+        <form:form method="POST" id="signoutconfirmationresponseform" name="signoutconfirmationresponseform">
+            <input type="hidden" name="wa" value="wsignout1.0" />
+            <input type="hidden" id="execution" name="execution" value="${flowExecutionKey}" />
+            <input type="submit" name="_eventId_submit" value="Logout" />
+            <input type="submit" name="_eventId_cancel" value="Cancel" />
+        </form:form>
+    </p>
+</body>
+</html>
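Review bot: `rum.entrySet()` is called without checking that the session actually holds a `realmUrlMap`, so a sign-out request in a session that never stored an RP URL would fail with a NullPointerException while rendering; wrap the loop in `if (rum != null)`. `<%= rpUri%>` prints the stored URL unescaped, and since that value can come from the wreply/wtrealm fallback in `storeRPUrlInSession`, it should be encoded, e.g. `<%= org.springframework.web.util.HtmlUtils.htmlEscape(rpUri) %>`. `request.getSession()` creates a session when none exists; `request.getSession(false)` with a null check avoids that on a sign-out page. The same null and escaping points apply to the loop added to signoutresponse.jsp. `idpConfig` is assigned but never used on this page.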

Modified: cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutresponse.jsp
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutresponse.jsp?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutresponse.jsp (original)
+++ cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/signoutresponse.jsp Thu Feb 27 21:49:01 2014
@@ -1,11 +1,41 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<%@ page import="java.util.Map" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.domain.Idp" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" %>
+<%@ page import="org.apache.cxf.fediz.core.FederationConstants" %>
+<%@ page import="java.util.List" %>
+<%@ page import="java.util.Iterator" %>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
 <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <html>
 <head>
 <title>IDP SignOut Response Page</title>
 </head>
 <body>
 	<h1>CXF Fediz IDP succesfully logout.</h1>
+
+    <p>
+        <%
+            final Idp idpConfig = (Idp) request.getAttribute(SigninParametersCacheAction.IDP_CONFIG);
+
+            @SuppressWarnings("unchecked")
+            Map<String, String> rum =
+                    (Map<String, String>) request.getAttribute(SigninParametersCacheAction.REALM_URL_MAP);
+
+            Iterator<Map.Entry<String, String>> iterator = rum.entrySet().iterator();
+            
+            while (iterator.hasNext()) {
+                Map.Entry<String, String> next = iterator.next();
+                String rpUri = next.getValue();
+                if (rpUri != null) {
+        %>
+        Logout status of RP <%= rpUri%>:
+        <img src="<%=rpUri + "?" + FederationConstants.PARAM_ACTION + "=" + FederationConstants.ACTION_SIGNOUT_CLEANUP %>"/>
+        <br/>
+        <%
+                }
+            }
+        %>
+    </p>
 </body>
 </html>
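Review bot: The `<img src>` value is built as `rpUri + "?" + ...`, which yields a malformed URL when the stored endpoint already carries a query string, and it places the unescaped value inside an HTML attribute. Pick the separator from the URL, `rpUri.contains("?") ? "&" : "?"`, and HTML-escape the assembled string before printing it. Each map entry makes the browser issue a GET to the stored address, so the map should only ever contain endpoints of registered applications. `rum` is read from a request attribute that the flow copies from `sessionMap.realmUrlMap` and can be null here, so `rum.entrySet()` needs a guard.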

Modified: cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml (original)
+++ cxf/fediz/trunk/systests/jetty8/src/test/resources/fediz_config.xml Thu Feb 27 21:49:01 2014
@@ -4,56 +4,64 @@
      keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead. 
 -->
 <FedizConfig>
-	<contextConfig name="/fedizhelloworld">
-		<audienceUris>
-			<audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
-		</audienceUris>
-		<certificateStores>
-			<trustManager>
-				<keyStore file="ststrust.jks" password="storepass" type="JKS" />
-			</trustManager>
-		</certificateStores>
-		<trustedIssuers>
-			<issuer certificateValidation="PeerTrust" />
-		</trustedIssuers>
-		<maximumClockSkew>1000</maximumClockSkew>
-		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-			xsi:type="federationProtocolType" version="1.0.0">
-                        <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
-			<issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
-			<roleDelimiter>,</roleDelimiter>
-			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
-			<freshness>10</freshness>
-			<homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
-			<claimTypesRequested>
-				<claimType type="a particular claim type" optional="true" />
-			</claimTypesRequested>
-		</protocol>
-	</contextConfig>
-	<contextConfig name="/fedizspringhelloworld">
-		<audienceUris>
-			<audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
-		</audienceUris>
-		<certificateStores>
-			<trustManager>
-				<keyStore file="ststrust.jks" password="storepass" type="JKS" />
-			</trustManager>
-		</certificateStores>
-		<trustedIssuers>
-			<issuer certificateValidation="PeerTrust" />
-		</trustedIssuers>
-		<maximumClockSkew>1000</maximumClockSkew>
-		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-			xsi:type="federationProtocolType" version="1.0.0">
-                        <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
-			<issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
-			<roleDelimiter>,</roleDelimiter>
-			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
-			<homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
-			<claimTypesRequested>
-				<claimType type="a particular claim type" optional="true" />
-			</claimTypesRequested>
-		</protocol>
-	</contextConfig>	
+    <contextConfig name="/fedizhelloworld">
+        <audienceUris>
+            <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+        </audienceUris>
+        <certificateStores>
+            <trustManager>
+                <keyStore file="ststrust.jks" password="storepass"
+                          type="JKS" />
+            </trustManager>
+        </certificateStores>
+        <trustedIssuers>
+            <issuer certificateValidation="PeerTrust" />
+        </trustedIssuers>
+        <maximumClockSkew>1000</maximumClockSkew>
+        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xsi:type="federationProtocolType" version="1.0.0">
+            <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+            <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+            <roleDelimiter>,</roleDelimiter>
+            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+            <freshness>10</freshness>
+            <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+            <claimTypesRequested>
+                <claimType type="a particular claim type"
+                           optional="true" />
+            </claimTypesRequested>
+        </protocol>
+        <logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
+    </contextConfig>
+    <contextConfig name="/fedizspringhelloworld">
+        <audienceUris>
+            <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+        </audienceUris>
+        <certificateStores>
+            <trustManager>
+                <keyStore file="ststrust.jks" password="storepass"
+                          type="JKS" />
+            </trustManager>
+        </certificateStores>
+        <trustedIssuers>
+            <issuer certificateValidation="PeerTrust" />
+        </trustedIssuers>
+        <maximumClockSkew>1000</maximumClockSkew>
+        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xsi:type="federationProtocolType" version="1.0.0">
+            <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+            <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+            <roleDelimiter>,</roleDelimiter>
+            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+            <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+            <claimTypesRequested>
+                <claimType type="a particular claim type"
+                           optional="true" />
+            </claimTypesRequested>
+        </protocol>
+        <logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
+    </contextConfig>
 </FedizConfig>
 

Modified: cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml (original)
+++ cxf/fediz/trunk/systests/spring/src/test/resources/fediz_config.xml Thu Feb 27 21:49:01 2014
@@ -34,6 +34,8 @@
 				<claimType type="a particular claim type" optional="true" />
 			</claimTypesRequested>
 		</protocol>
+        <logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
 	</contextConfig>
 	<contextConfig name="/fedizhelloworld_spring2">
 		<audienceUris>
@@ -65,6 +67,8 @@
 				<claimType type="a particular claim type" optional="true" />
 			</claimTypesRequested>
 		</protocol>
+        <logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
 	</contextConfig>	
 </FedizConfig>
 

Modified: cxf/fediz/trunk/systests/springWebapp/src/main/java/org/apache/cxf/fediz/example/FederationServlet.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/springWebapp/src/main/java/org/apache/cxf/fediz/example/FederationServlet.java?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/springWebapp/src/main/java/org/apache/cxf/fediz/example/FederationServlet.java (original)
+++ cxf/fediz/trunk/systests/springWebapp/src/main/java/org/apache/cxf/fediz/example/FederationServlet.java Thu Feb 27 21:49:01 2014
@@ -55,7 +55,7 @@ public class FederationServlet extends H
         PrintWriter out = response.getWriter();
 
         out.println("<html>");
-        out.println("<head><title>WS Federation Systests Spring Examples</title></head>");
+        out.println("<head><title>WS Federation Systests Examples</title></head>");
         out.println("<body>");
         out.println("<p>Request url: " + request.getRequestURL().toString() + "</p>");
 

Modified: cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml (original)
+++ cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml Thu Feb 27 21:49:01 2014
@@ -23,6 +23,8 @@ http://www.springframework.org/schema/co
         <sec:intercept-url pattern="/secure/admin/**" access="hasRole('ROLE_ADMIN')"/>
         <sec:intercept-url pattern="/secure/user/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_MANAGER')"/>
         <sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
+        <sec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
+        <sec:custom-filter ref="federationSignOutCleanupFilter" position="PRE_AUTH_FILTER"/>
         <sec:session-management session-authentication-strategy-ref="sas"/>
     </sec:http>
 
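Review bot: `federationSignOutCleanupFilter` is registered at `PRE_AUTH_FILTER` with no comment explaining why it must run before authentication, and the bean for it in the second hunk of this file takes no configuration. The IDP sign-out page in this commit calls each RP through an `<img>` GET carrying `FederationConstants.ACTION_SIGNOUT_CLEANUP`, so the filter presumably ends the local session on any request with that action; if so, any third-party page that embeds the same URL can log a user out. That may be an accepted property of the protocol, but it should be stated beside the filter, e.g. `<!-- Handles the IDP's sign-out cleanup request; must run before authentication. Cross-site forced logout is possible by design. -->`. The filter's source is not in this hunk, so the exact trigger condition needs confirming there.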
@@ -67,5 +69,25 @@ http://www.springframework.org/schema/co
     </bean>
 
     <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
+
+    <bean id="logoutFilter" class="org.apache.cxf.fediz.spring.web.FederationLogoutFilter">
+        <constructor-arg  name="logoutSuccessHandler" ref="federationLogoutSuccessHandler"/>
+        <constructor-arg  name="handlers">
+            <list>
+                <ref bean="securityContextLogoutHandler"/>
+            </list>
+        </constructor-arg>
+        <property name="federationConfig" ref="fedizConfig"/>
+    </bean>
+
+    <bean id="federationLogoutSuccessHandler" class="org.apache.cxf.fediz.spring.web.FederationLogoutSuccessHandler">
+        <property name="federationConfig" ref="fedizConfig"/>
+    </bean>
+
+    <bean id="securityContextLogoutHandler" name="securityContextLogoutHandler"
+          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
+    </bean>
+
+    <bean id="federationSignOutCleanupFilter" class="org.apache.cxf.fediz.spring.web.FederationSignOutCleanupFilter"/>
 </beans>
 
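Review bot: The `securityContextLogoutHandler` bean declares a `name` identical to its `id` and has an empty body, so it can be written as `<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>`, in the same form as `federationSignOutCleanupFilter` below it. Separately, `logoutFilter` receives only this one handler in its `handlers` list. If the application keeps any state outside the security context and session (cookies, for instance), it would survive sign-out, so a one-line comment stating that this handler is the only local cleanup intended would help.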

Modified: cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/web.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/web.xml (original)
+++ cxf/fediz/trunk/systests/springWebapp/src/main/webapp/WEB-INF/web.xml Thu Feb 27 21:49:01 2014
@@ -58,22 +58,7 @@
 
 	<servlet-mapping>
 		<servlet-name>FederationServlet</servlet-name>
-		<url-pattern>/secure/fedservlet</url-pattern>
-	</servlet-mapping>
-
-	<servlet-mapping>
-		<servlet-name>FederationServlet</servlet-name>
-		<url-pattern>/secure/admin/fedservlet</url-pattern>
-	</servlet-mapping>
-	
-	<servlet-mapping>
-		<servlet-name>FederationServlet</servlet-name>
-		<url-pattern>/secure/user/fedservlet</url-pattern>
-	</servlet-mapping>
-	
-	<servlet-mapping>
-		<servlet-name>FederationServlet</servlet-name>
-		<url-pattern>/secure/manager/fedservlet</url-pattern>
+		<url-pattern>/secure/*</url-pattern>
 	</servlet-mapping>
 
 </web-app>
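Review bot: Mapping `FederationServlet` to `/secure/*` makes it answer every path under `/secure/`, not only the four `fedservlet` URLs it replaces, so whether a path is protected now depends entirely on the `sec:intercept-url` rules. The `applicationContext-security.xml` hunk in this commit shows rules for `/secure/admin/**` and `/secure/user/**`; the rest of that list is not visible, so confirm that a catch-all such as `<sec:intercept-url pattern="/secure/**" access="isAuthenticated()"/>` covers the remainder. The wildcard also takes in `/secure/logout`, the `logoutURL` set in `fediz_config.xml`, which presumably relies on the logout filter answering before the servlet. An XML comment on the mapping should say so.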

Added: cxf/fediz/trunk/systests/tomcat7/src/test/resources/clientUntrusted.jks
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/tomcat7/src/test/resources/clientUntrusted.jks?rev=1572746&view=auto
==============================================================================
Files cxf/fediz/trunk/systests/tomcat7/src/test/resources/clientUntrusted.jks (added) and cxf/fediz/trunk/systests/tomcat7/src/test/resources/clientUntrusted.jks Thu Feb 27 21:49:01 2014 differ

Modified: cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml?rev=1572746&r1=1572745&r2=1572746&view=diff
==============================================================================
--- cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml (original)
+++ cxf/fediz/trunk/systests/tomcat7/src/test/resources/fediz_config.xml Thu Feb 27 21:49:01 2014
@@ -4,31 +4,35 @@
      keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead. 
 -->
 <FedizConfig>
-	<contextConfig name="/fedizhelloworld">
-		<audienceUris>
-			<audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
-		</audienceUris>
-		<certificateStores>
-			<trustManager>
-				<keyStore file="test-classes/ststrust.jks" password="storepass" type="JKS" />
-			</trustManager>
-		</certificateStores>
-		<trustedIssuers>
-			<issuer certificateValidation="PeerTrust" />
-		</trustedIssuers>
-		<maximumClockSkew>1000</maximumClockSkew>
-		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-			xsi:type="federationProtocolType" version="1.0.0">
-                        <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
-			<issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
-			<roleDelimiter>,</roleDelimiter>
-			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
-			<freshness>10</freshness>
-			<homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
-			<claimTypesRequested>
-				<claimType type="a particular claim type" optional="true" />
-			</claimTypesRequested>
-		</protocol>
-	</contextConfig>
+    <contextConfig name="/fedizhelloworld">
+        <audienceUris>
+            <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+        </audienceUris>
+        <certificateStores>
+            <trustManager>
+                <keyStore file="test-classes/ststrust.jks"
+                          password="storepass" type="JKS" />
+            </trustManager>
+        </certificateStores>
+        <trustedIssuers>
+            <issuer certificateValidation="PeerTrust" />
+        </trustedIssuers>
+        <maximumClockSkew>1000</maximumClockSkew>
+        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xsi:type="federationProtocolType" version="1.0.0">
+            <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+            <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+            <roleDelimiter>,</roleDelimiter>
+            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+            <freshness>10</freshness>
+            <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+            <claimTypesRequested>
+                <claimType type="a particular claim type"
+                           optional="true" />
+            </claimTypesRequested>
+        </protocol>
+        <logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
+    </contextConfig>
 </FedizConfig>
 


