cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject git commit: Lots of changes + refactoring for SAML SSO
Date Fri, 18 Jul 2014 16:15:02 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 3c0a524ca -> e7c14feac


Lots of changes + refactoring for SAML SSO


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/e7c14fea
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/e7c14fea
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/e7c14fea

Branch: refs/heads/master
Commit: e7c14feacd215f8424592bce0e51880f06e95f66
Parents: 3c0a524
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Jul 18 17:14:36 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Jul 18 17:14:36 2014 +0100

----------------------------------------------------------------------
 .../cxf/fediz/core/TokenValidatorResponse.java  |  11 +
 .../fediz/core/config/FederationProtocol.java   |  52 +---
 .../apache/cxf/fediz/core/config/Protocol.java  |  48 ++++
 .../cxf/fediz/core/config/SAMLProtocol.java     |  34 +--
 .../core/processor/AbstractFedizProcessor.java  |  92 +++++++
 .../core/processor/FederationProcessorImpl.java | 141 ++++-------
 .../cxf/fediz/core/processor/FedizRequest.java  |   9 +
 .../fediz/core/processor/SAMLProcessorImpl.java | 220 +++-------------
 .../core/saml/FedizSignatureTrustValidator.java | 248 +++++++++++++++++++
 .../cxf/fediz/core/saml/SAMLTokenValidator.java |  17 +-
 .../fediz/core/saml/SamlAssertionValidator.java | 128 +---------
 .../core/samlsso/EHCacheSPStateManager.java     |  45 ----
 .../cxf/fediz/core/samlsso/ResponseState.java   |  81 ------
 .../samlsso/SAMLProtocolResponseValidator.java  |  83 +++++--
 .../cxf/fediz/core/samlsso/SPStateManager.java  |   4 -
 .../src/main/resources/schemas/FedizConfig.xsd  |   5 +-
 .../fediz/jetty/FederationAuthenticator.java    |   1 +
 .../web/FederationAuthenticationFilter.java     |   1 +
 .../web/FederationAuthenticationFilter.java     |   1 +
 .../fediz/tomcat/FederationAuthenticator.java   |   1 +
 20 files changed, 588 insertions(+), 634 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
index ad093ee..a52638f 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenValidatorResponse.java
@@ -31,6 +31,7 @@ public class TokenValidatorResponse {
     private String audience;
     private List<Claim> claims;
     private Date expires;
+    private Date created;
 
 
 
@@ -73,4 +74,14 @@ public class TokenValidatorResponse {
     }
 
 
+    public Date getCreated() {
+        return created;
+    }
+
+
+    public void setCreated(Date created) {
+        this.created = created;
+    }
+
+
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
index c98bb7b..17d749f 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FederationProtocol.java
@@ -24,14 +24,12 @@ import java.util.List;
 
 import javax.security.auth.callback.CallbackHandler;
 
-import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.config.jaxb.CallbackType;
 import org.apache.cxf.fediz.core.config.jaxb.ClaimType;
 import org.apache.cxf.fediz.core.config.jaxb.ClaimTypesRequested;
 import org.apache.cxf.fediz.core.config.jaxb.FederationProtocolType;
 import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
 import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
-import org.apache.cxf.fediz.core.util.ClassLoaderUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -44,39 +42,15 @@ public class FederationProtocol extends Protocol {
     private Object homeRealm;
     private Object freshness;
     private Object signInQuery;
-    private Object realm;
-    private List<TokenValidator> validators = new ArrayList<TokenValidator>();
     
     public FederationProtocol(ProtocolType protocolType) {
         super(protocolType);
         
-        FederationProtocolType fp = (FederationProtocolType)protocolType;
-        if (fp.getTokenValidators() != null && fp.getTokenValidators().getValidator() != null) {
-            for (String validatorClassname : fp.getTokenValidators().getValidator()) {
-                Object obj = null;
-                try {
-                    if (super.getClassloader() == null) {
-                        obj = ClassLoaderUtils.loadClass(validatorClassname, this.getClass()).newInstance();
-                    } else {
-                        obj = super.getClassloader().loadClass(validatorClassname).newInstance();
-                    }
-                } catch (Exception ex) {
-                    LOG.error("Failed to instantiate TokenValidator implementation class: '"
-                              + validatorClassname + "'\n" + ex.getClass().getCanonicalName() + ": " + ex.getMessage());
-                }
-                if (obj instanceof TokenValidator) {
-                    validators.add((TokenValidator)obj);
-                } else if (obj != null) {
-                    LOG.error("Invalid TokenValidator implementation class: '" + validatorClassname + "'");
-                }
-            }
-        }
-        
         // add SAMLTokenValidator as the last one
         // Fediz chooses the first validator in the list if its
         // canHandleToken or canHandleTokenType method return true
         SAMLTokenValidator validator = new SAMLTokenValidator();
-        validators.add(validators.size(), validator);
+        getTokenValidators().add(getTokenValidators().size(), validator);
     }
 
     protected FederationProtocolType getFederationProtocol() {
@@ -87,26 +61,6 @@ public class FederationProtocol extends Protocol {
         super.setProtocolType(federationProtocol);
     }
 
-    public Object getRealm() {
-        if (this.realm != null) {
-            return this.realm;
-        }
-        CallbackType cbt = getFederationProtocol().getRealm();
-        this.realm = loadCallbackType(cbt, "Realm");
-        return this.realm;
-    }
-
-    public void setRealm(Object value) {
-        final boolean isString = value instanceof String;
-        final boolean isCallbackHandler = value instanceof CallbackHandler;
-        if (isString || isCallbackHandler) {
-            this.realm = value;
-        } else {
-            LOG.error("Unsupported 'Realm' object");
-            throw new IllegalArgumentException("Unsupported 'Realm' object. Type must be "
-                                               + "java.lang.String or javax.security.auth.callback.CallbackHandler.");
-        }
-    }
 
     public String getApplicationServiceURL() {
         return getFederationProtocol().getApplicationServiceURL();
@@ -242,10 +196,6 @@ public class FederationProtocol extends Protocol {
         getFederationProtocol().setClaimTypesRequested(value);
     }
 
-    public List<TokenValidator> getTokenValidators() {
-        return validators;
-    }
-
     public String getVersion() {
         return getFederationProtocol().getVersion();
     }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
index 1683e6e..362ae94 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
@@ -19,8 +19,12 @@
 
 package org.apache.cxf.fediz.core.config;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import javax.security.auth.callback.CallbackHandler;
 
+import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.config.jaxb.ArgumentType;
 import org.apache.cxf.fediz.core.config.jaxb.CallbackType;
 import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
@@ -34,10 +38,29 @@ public abstract class Protocol {
     private ProtocolType protocolType;
     private ClassLoader classloader;
     private Object issuer;
+    private Object realm;
+    private List<TokenValidator> validators = new ArrayList<TokenValidator>();
 
     public Protocol(ProtocolType protocolType) {
         super();
         this.protocolType = protocolType;
+        
+        if (protocolType.getTokenValidators() != null && protocolType.getTokenValidators().getValidator() != null) {
+            for (String validatorClassname : protocolType.getTokenValidators().getValidator()) {
+                Object obj = null;
+                try {
+                    obj = ClassLoaderUtils.loadClass(validatorClassname, this.getClass()).newInstance();
+                } catch (Exception ex) {
+                    LOG.error("Failed to instantiate TokenValidator implementation class: '"
+                              + validatorClassname + "'\n" + ex.getClass().getCanonicalName() + ": " + ex.getMessage());
+                }
+                if (obj instanceof TokenValidator) {
+                    validators.add((TokenValidator)obj);
+                } else if (obj != null) {
+                    LOG.error("Invalid TokenValidator implementation class: '" + validatorClassname + "'");
+                }
+            }
+        }
     }
 
     protected ProtocolType getProtocolType() {
@@ -105,6 +128,31 @@ public abstract class Protocol {
         }
     }
     
+    public Object getRealm() {
+        if (this.realm != null) {
+            return this.realm;
+        }
+        CallbackType cbt = getProtocolType().getRealm();
+        this.realm = loadCallbackType(cbt, "Realm");
+        return this.realm;
+    }
+
+    public void setRealm(Object value) {
+        final boolean isString = value instanceof String;
+        final boolean isCallbackHandler = value instanceof CallbackHandler;
+        if (isString || isCallbackHandler) {
+            this.realm = value;
+        } else {
+            LOG.error("Unsupported 'Realm' object");
+            throw new IllegalArgumentException("Unsupported 'Realm' object. Type must be "
+                                               + "java.lang.String or javax.security.auth.callback.CallbackHandler.");
+        }
+    }
+    
+    public List<TokenValidator> getTokenValidators() {
+        return validators;
+    }
+    
     protected Object loadCallbackType(CallbackType cbt, String name) {
         if (cbt == null) {
             return null;

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
index a1dee0b..5f1dcf1 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
@@ -19,10 +19,6 @@
 
 package org.apache.cxf.fediz.core.config;
 
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
 import org.apache.cxf.fediz.core.config.jaxb.SamlProtocolType;
 import org.apache.cxf.fediz.core.saml.SAMLTokenValidator;
@@ -30,7 +26,6 @@ import org.apache.cxf.fediz.core.samlsso.AuthnRequestBuilder;
 import org.apache.cxf.fediz.core.samlsso.DefaultAuthnRequestBuilder;
 import org.apache.cxf.fediz.core.samlsso.EHCacheSPStateManager;
 import org.apache.cxf.fediz.core.samlsso.SPStateManager;
-import org.apache.cxf.fediz.core.util.ClassLoaderUtils;
 import org.apache.wss4j.common.util.Loader;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -41,38 +36,15 @@ public class SAMLProtocol extends Protocol {
     
     private AuthnRequestBuilder authnRequestBuilder;
     private SPStateManager stateManager;
-    private List<TokenValidator> validators = new ArrayList<TokenValidator>();
     
     public SAMLProtocol(ProtocolType protocolType) {
         super(protocolType);
         
-        SamlProtocolType sp = (SamlProtocolType)protocolType;
-        if (sp.getTokenValidators() != null && sp.getTokenValidators().getValidator() != null) {
-            for (String validatorClassname : sp.getTokenValidators().getValidator()) {
-                Object obj = null;
-                try {
-                    if (super.getClassloader() == null) {
-                        obj = ClassLoaderUtils.loadClass(validatorClassname, this.getClass()).newInstance();
-                    } else {
-                        obj = super.getClassloader().loadClass(validatorClassname).newInstance();
-                    }
-                } catch (Exception ex) {
-                    LOG.error("Failed to instantiate TokenValidator implementation class: '"
-                              + validatorClassname + "'\n" + ex.getClass().getCanonicalName() + ": " + ex.getMessage());
-                }
-                if (obj instanceof TokenValidator) {
-                    validators.add((TokenValidator)obj);
-                } else if (obj != null) {
-                    LOG.error("Invalid TokenValidator implementation class: '" + validatorClassname + "'");
-                }
-            }
-        }
-        
         // add SAMLTokenValidator as the last one
         // Fediz chooses the first validator in the list if its
         // canHandleToken or canHandleTokenType method return true
         SAMLTokenValidator validator = new SAMLTokenValidator();
-        validators.add(validators.size(), validator);
+        getTokenValidators().add(getTokenValidators().size(), validator);
     }
     
     protected SamlProtocolType getSAMLProtocol() {
@@ -167,9 +139,5 @@ public class SAMLProtocol extends Protocol {
         this.authnRequestBuilder = authnRequestBuilder;
     }
     
-    public List<TokenValidator> getTokenValidators() {
-        return validators;
-    }
-
     
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
new file mode 100644
index 0000000..cceab0c
--- /dev/null
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.processor;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.spi.IDPCallback;
+import org.apache.cxf.fediz.core.spi.RealmCallback;
+
+public abstract class AbstractFedizProcessor implements FedizProcessor {
+
+    protected String resolveIssuer(HttpServletRequest request, FedizContext config) throws IOException,
+        UnsupportedCallbackException {
+        Object issuerObj = config.getProtocol().getIssuer();
+        String issuerURL = null;
+        if (issuerObj instanceof String) {
+            issuerURL = (String)issuerObj;
+        } else if (issuerObj instanceof CallbackHandler) {
+            CallbackHandler issuerCB = (CallbackHandler)issuerObj;
+            IDPCallback callback = new IDPCallback(request);
+            issuerCB.handle(new Callback[] {callback});
+            issuerURL = callback.getIssuerUrl().toString();
+        }
+        return issuerURL;
+    }
+
+    protected String resolveWTRealm(HttpServletRequest request, FedizContext config) throws IOException,
+        UnsupportedCallbackException {
+        Object wtRealmObj = config.getProtocol().getRealm();
+        String wtRealm = null;
+        if (wtRealmObj != null) {
+            if (wtRealmObj instanceof String) {
+                wtRealm = (String)wtRealmObj;
+            } else if (wtRealmObj instanceof CallbackHandler) {
+                CallbackHandler hrCB = (CallbackHandler)wtRealmObj;
+                RealmCallback callback = new RealmCallback(request);
+                hrCB.handle(new Callback[] {callback});
+                wtRealm = callback.getRealm();
+            }
+        } else {
+            wtRealm = extractFullContextPath(request); //default value
+        }
+        return wtRealm;
+    }
+
+    protected String extractFullContextPath(HttpServletRequest request) throws MalformedURLException {
+        String result = null;
+        String contextPath = request.getContextPath();
+        String requestUrl = request.getRequestURL().toString();
+        String requestPath = new URL(requestUrl).getPath();
+        // Cut request path of request url and add context path if not ROOT
+        if (requestPath != null && requestPath.length() > 0) {
+            int lastIndex = requestUrl.lastIndexOf(requestPath);
+            result = requestUrl.substring(0, lastIndex);
+        } else {
+            result = requestUrl;
+        }
+        if (contextPath != null && contextPath.length() > 0) {
+            // contextPath contains starting slash
+            result = result + contextPath + "/";
+        } else {
+            result = result + "/";
+        }
+        return result;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index 01001a0..3bf4a93 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -25,6 +25,7 @@ import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLEncoder;
+import java.security.cert.Certificate;
 import java.text.DateFormat;
 import java.text.ParseException;
 import java.util.ArrayList;
@@ -51,8 +52,6 @@ import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
 import org.apache.cxf.fediz.core.metadata.MetadataWriter;
 import org.apache.cxf.fediz.core.spi.FreshnessCallback;
 import org.apache.cxf.fediz.core.spi.HomeRealmCallback;
-import org.apache.cxf.fediz.core.spi.IDPCallback;
-import org.apache.cxf.fediz.core.spi.RealmCallback;
 import org.apache.cxf.fediz.core.spi.SignInQueryCallback;
 import org.apache.cxf.fediz.core.spi.WAuthCallback;
 import org.apache.cxf.fediz.core.spi.WReqCallback;
@@ -73,7 +72,7 @@ import org.joda.time.DateTime;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class FederationProcessorImpl implements FedizProcessor {
+public class FederationProcessorImpl extends AbstractFedizProcessor {
 
     private static final Logger LOG = LoggerFactory.getLogger(FederationProcessorImpl.class);
 
@@ -191,32 +190,8 @@ public class FederationProcessorImpl implements FedizProcessor {
             }
         }
         
-        TokenValidatorResponse validatorResponse = null;
-        List<TokenValidator> validators = ((FederationProtocol)config.getProtocol()).getTokenValidators();
-        for (TokenValidator validator : validators) {
-            boolean canHandle = false;
-            if (tt != null) {
-                canHandle = validator.canHandleTokenType(tt);
-            } else {
-                canHandle = validator.canHandleToken(rst);
-            }
-            if (canHandle) {
-                try {
-                    TokenValidatorRequest validatorRequest = 
-                        new TokenValidatorRequest(rst, request.getCerts());
-                    validatorResponse = validator.validateAndProcessToken(validatorRequest, config);
-                } catch (ProcessingException ex) {
-                    throw ex;
-                } catch (Exception ex) {
-                    LOG.warn("Failed to validate token", ex);
-                    throw new ProcessingException(TYPE.TOKEN_INVALID);
-                }
-                break;
-            } else {
-                LOG.warn("No security token validator found for '" + tt + "'");
-                throw new ProcessingException(TYPE.BAD_REQUEST);
-            }
-        }
+        TokenValidatorResponse validatorResponse = 
+            validateToken(rst, tt, config, request.getCerts());
 
         // Check whether token already used for signin
         if (validatorResponse.getUniqueTokenId() != null
@@ -245,17 +220,63 @@ public class FederationProcessorImpl implements FedizProcessor {
             }
         }
 
+        Date created = validatorResponse.getCreated();
+        if (lifeTime != null && lifeTime.getCreated() != null) {
+            created = lifeTime.getCreated();
+        }
+        Date expires = validatorResponse.getExpires();
+        if (lifeTime != null && lifeTime.getExpires() != null) {
+            expires = lifeTime.getExpires();
+        }
+        
         FedizResponse fedResponse = new FedizResponse(
                 validatorResponse.getUsername(), validatorResponse.getIssuer(),
                 validatorResponse.getRoles(), validatorResponse.getClaims(),
                 validatorResponse.getAudience(),
-                (lifeTime != null) ? lifeTime.getCreated() : null,
-                        (lifeTime != null) ? lifeTime.getExpires() : null, rst,
-                            validatorResponse.getUniqueTokenId());
+                created,
+                expires, 
+                rst,
+                validatorResponse.getUniqueTokenId());
 
         return fedResponse;
     }
     
+    private TokenValidatorResponse validateToken(
+        Element token,
+        String tokenType,
+        FedizContext config,
+        Certificate[] certs
+    ) throws ProcessingException {
+        TokenValidatorResponse validatorResponse = null;
+        List<TokenValidator> validators = ((FederationProtocol)config.getProtocol()).getTokenValidators();
+        for (TokenValidator validator : validators) {
+            boolean canHandle = false;
+            if (tokenType != null) {
+                canHandle = validator.canHandleTokenType(tokenType);
+            } else {
+                canHandle = validator.canHandleToken(token);
+            }
+            if (canHandle) {
+                try {
+                    TokenValidatorRequest validatorRequest = 
+                        new TokenValidatorRequest(token, certs);
+                    validatorResponse = validator.validateAndProcessToken(validatorRequest, config);
+                } catch (ProcessingException ex) {
+                    throw ex;
+                } catch (Exception ex) {
+                    LOG.warn("Failed to validate token", ex);
+                    throw new ProcessingException(TYPE.TOKEN_INVALID);
+                }
+                break;
+            } else {
+                LOG.warn("No security token validator found for '" + tokenType + "'");
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+        }
+        
+        return validatorResponse;
+    }
+    
     private Element decryptEncryptedRST(
         Element encryptedRST,
         FedizContext config
@@ -596,62 +617,6 @@ public class FederationProcessorImpl implements FedizProcessor {
         return wReq;
     }
 
-    private String resolveIssuer(HttpServletRequest request, FedizContext config) throws IOException,
-        UnsupportedCallbackException {
-        Object issuerObj = ((FederationProtocol)config.getProtocol()).getIssuer();
-        String issuerURL = null;
-        if (issuerObj instanceof String) {
-            issuerURL = (String)issuerObj;
-        } else if (issuerObj instanceof CallbackHandler) {
-            CallbackHandler issuerCB = (CallbackHandler)issuerObj;
-            IDPCallback callback = new IDPCallback(request);
-            issuerCB.handle(new Callback[] {callback});
-            issuerURL = callback.getIssuerUrl().toString();
-        }
-        return issuerURL;
-    }
-
-    private String resolveWTRealm(HttpServletRequest request, FedizContext config) throws IOException,
-        UnsupportedCallbackException {
-        Object wtRealmObj = ((FederationProtocol)config.getProtocol()).getRealm();
-        String wtRealm = null;
-        if (wtRealmObj != null) {
-            if (wtRealmObj instanceof String) {
-                wtRealm = (String)wtRealmObj;
-            } else if (wtRealmObj instanceof CallbackHandler) {
-                CallbackHandler hrCB = (CallbackHandler)wtRealmObj;
-                RealmCallback callback = new RealmCallback(request);
-                hrCB.handle(new Callback[] {callback});
-                wtRealm = callback.getRealm();
-            }
-        } else {
-            wtRealm = extractFullContextPath(request); //default value
-        }
-        return wtRealm;
-    }
-
-
-    private String extractFullContextPath(HttpServletRequest request) throws MalformedURLException {
-        String result = null;
-        String contextPath = request.getContextPath();
-        String requestUrl = request.getRequestURL().toString();
-        String requestPath = new URL(requestUrl).getPath();
-        // Cut request path of request url and add context path if not ROOT
-        if (requestPath != null && requestPath.length() > 0) {
-            int lastIndex = requestUrl.lastIndexOf(requestPath);
-            result = requestUrl.substring(0, lastIndex);
-        } else {
-            result = requestUrl;
-        }
-        if (contextPath != null && contextPath.length() > 0) {
-            // contextPath contains starting slash
-            result = result + contextPath + "/";
-        } else {
-            result = result + "/";
-        }
-        return result;
-    }
-    
     private static class DecryptionCallbackHandler implements CallbackHandler {
         
         private final String password;

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
index 388cf36..e413055 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FedizRequest.java
@@ -22,6 +22,8 @@ package org.apache.cxf.fediz.core.processor;
 import java.io.Serializable;
 import java.security.cert.Certificate;
 
+import javax.servlet.http.HttpServletRequest;
+
 public class FedizRequest implements Serializable {
 
     private static final long serialVersionUID = 1L;
@@ -31,6 +33,7 @@ public class FedizRequest implements Serializable {
     private String freshness;
     private String state;
     private Certificate[] certs;
+    private HttpServletRequest request;
 
     public Certificate[] getCerts() {
         return certs;
@@ -62,6 +65,12 @@ public class FedizRequest implements Serializable {
     public void setState(String state) {
         this.state = state;
     }
+    public HttpServletRequest getRequest() {
+        return request;
+    }
+    public void setRequest(HttpServletRequest request) {
+        this.request = request;
+    }
 
 
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 1fa1a67..94621f7 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -21,8 +21,6 @@ package org.apache.cxf.fediz.core.processor;
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.net.MalformedURLException;
-import java.net.URL;
 import java.net.URLEncoder;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -32,14 +30,10 @@ import java.util.TimeZone;
 import java.util.UUID;
 import java.util.zip.DataFormatException;
 
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.servlet.http.HttpServletRequest;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
-
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.TokenValidatorRequest;
@@ -54,7 +48,8 @@ import org.apache.cxf.fediz.core.samlsso.AuthnRequestBuilder;
 import org.apache.cxf.fediz.core.samlsso.CompressionUtils;
 import org.apache.cxf.fediz.core.samlsso.RequestState;
 import org.apache.cxf.fediz.core.samlsso.SAMLProtocolResponseValidator;
-import org.apache.cxf.fediz.core.spi.IDPCallback;
+import org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator;
+import org.apache.cxf.fediz.core.samlsso.SSOValidatorResponse;
 import org.apache.cxf.fediz.core.util.DOMUtils;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
@@ -67,7 +62,7 @@ import org.opensaml.xml.XMLObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class SAMLProcessorImpl implements FedizProcessor {
+public class SAMLProcessorImpl extends AbstractFedizProcessor {
 
     private static final Logger LOG = LoggerFactory.getLogger(SAMLProcessorImpl.class);
     
@@ -104,7 +99,7 @@ public class SAMLProcessorImpl implements FedizProcessor {
     public Document getMetaData(FedizContext config) throws ProcessingException {
         return new MetadataWriter().getMetaData(config);
     }
-    /*
+    
     private RequestState processRelayState(String relayState, SAMLProtocol samlProtocol) 
         throws ProcessingException {
         if (relayState.getBytes().length < 0 || relayState.getBytes().length > 80) {
@@ -135,12 +130,12 @@ public class SAMLProcessorImpl implements FedizProcessor {
         
         return false;
     }
-    */
+    
     protected FedizResponse processSignInRequest(
             FedizRequest request, FedizContext config)
         throws ProcessingException {
         SAMLProtocol protocol = (SAMLProtocol)config.getProtocol();
-        // TODO RequestState requestState = processRelayState(request.getState(), protocol);
+        RequestState requestState = processRelayState(request.getState(), protocol);
         
         InputStream tokenStream = null;
         try {
@@ -177,7 +172,7 @@ public class SAMLProcessorImpl implements FedizProcessor {
         }
         
         // Validate the Response
-        validateSamlResponseProtocol((org.opensaml.saml2.core.Response)responseObject);
+        validateSamlResponseProtocol((org.opensaml.saml2.core.Response)responseObject, config);
         
         // Validate the internal assertion(s)
         TokenValidatorResponse validatorResponse = null;
@@ -211,17 +206,15 @@ public class SAMLProcessorImpl implements FedizProcessor {
             }
         }
         
-        /* TODO
-        SSOValidatorResponse validatorResponse = 
-            validateSamlSSOResponse(postBinding, samlResponse, requestState);
-            */
+        validateSamlSSOResponse((org.opensaml.saml2.core.Response)responseObject, 
+                                request.getRequest(), requestState, config);
         
         FedizResponse fedResponse = new FedizResponse(
                 validatorResponse.getUsername(), validatorResponse.getIssuer(),
                 validatorResponse.getRoles(), validatorResponse.getClaims(),
                 validatorResponse.getAudience(),
-                null, // TODO
-                null, // TODO
+                validatorResponse.getCreated(),
+                validatorResponse.getExpires(),
                 token,
                 validatorResponse.getUniqueTokenId());
 
@@ -233,11 +226,12 @@ public class SAMLProcessorImpl implements FedizProcessor {
      * @throws ProcessingException 
      */
     protected void validateSamlResponseProtocol(
-        org.opensaml.saml2.core.Response samlResponse
+        org.opensaml.saml2.core.Response samlResponse,
+        FedizContext config
     ) throws ProcessingException {
         try {
             SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
-            protocolValidator.validateSamlResponse(samlResponse);
+            protocolValidator.validateSamlResponse(samlResponse, config);
         } catch (WSSecurityException ex) {
             LOG.debug(ex.getMessage(), ex);
             throw new ProcessingException(TYPE.INVALID_REQUEST);
@@ -246,33 +240,33 @@ public class SAMLProcessorImpl implements FedizProcessor {
     
     /**
      * Validate the received SAML Response as per the Web SSO profile
+     * @throws ProcessingException 
+     */
     protected SSOValidatorResponse validateSamlSSOResponse(
-        boolean postBinding,
         org.opensaml.saml2.core.Response samlResponse,
-        RequestState requestState
-    ) {
+        HttpServletRequest request,
+        RequestState requestState,
+        FedizContext config
+    ) throws ProcessingException {
         try {
             SAMLSSOResponseValidator ssoResponseValidator = new SAMLSSOResponseValidator();
-            ssoResponseValidator.setAssertionConsumerURL(
-                messageContext.getUriInfo().getAbsolutePath().toString());
-
-            ssoResponseValidator.setClientAddress(
-                 messageContext.getHttpServletRequest().getRemoteAddr());
+            String requestURL = request.getRequestURL().toString();
+            ssoResponseValidator.setAssertionConsumerURL(requestURL);
+            ssoResponseValidator.setClientAddress(request.getRemoteAddr());
 
             ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
             ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
             ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
-            ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
-            ssoResponseValidator.setEnforceKnownIssuer(enforceKnownIssuer);
-            ssoResponseValidator.setReplayCache(getReplayCache());
+            ssoResponseValidator.setEnforceAssertionsSigned(true);
+            ssoResponseValidator.setEnforceKnownIssuer(true);
+            ssoResponseValidator.setReplayCache(config.getTokenReplayCache());
 
-            return ssoResponseValidator.validateSamlResponse(samlResponse, postBinding);
+            return ssoResponseValidator.validateSamlResponse(samlResponse, false);
         } catch (WSSecurityException ex) {
-            reportError("INVALID_SAML_RESPONSE");
-            throw ExceptionUtils.toBadRequestException(ex, null);
+            LOG.debug(ex.getMessage(), ex);
+            throw new ProcessingException(TYPE.INVALID_REQUEST);
         }
     }
-    */
 
     @Override
     public RedirectionResponse createSignInRequest(HttpServletRequest request, FedizContext config)
@@ -299,8 +293,9 @@ public class SAMLProcessorImpl implements FedizProcessor {
      
             // Create the AuthnRequest
             String requestURL = request.getRequestURL().toString();
+            String realm = resolveWTRealm(request, config);
             AuthnRequest authnRequest = 
-                authnRequestBuilder.createAuthnRequest(config.getName(), requestURL);
+                authnRequestBuilder.createAuthnRequest(realm, requestURL);
             
             if (((SAMLProtocol)config.getProtocol()).isSignRequest()) {
                 authnRequest.setDestination(redirectURL);
@@ -314,8 +309,8 @@ public class SAMLProcessorImpl implements FedizProcessor {
             RequestState requestState = new RequestState(requestURL,
                                                          redirectURL,
                                                          authnRequest.getID(),
+                                                         realm,
                                                          config.getName(),
-                                                         requestURL,
                                                          webAppDomain,
                                                          System.currentTimeMillis());
             
@@ -447,156 +442,5 @@ public class SAMLProcessorImpl implements FedizProcessor {
         response.setRedirectionURL(redirectURL);
         return response;
     }
-/*
-    private String resolveSignInQuery(HttpServletRequest request, FedizContext config)
-        throws IOException, UnsupportedCallbackException, UnsupportedEncodingException {
-        Object signInQueryObj = ((FederationProtocol)config.getProtocol()).getSignInQuery();
-        String signInQuery = null;
-        if (signInQueryObj != null) {
-            if (signInQueryObj instanceof String) {
-                signInQuery = (String)signInQueryObj;
-            } else if (signInQueryObj instanceof CallbackHandler) {
-                CallbackHandler frCB = (CallbackHandler)signInQueryObj;
-                SignInQueryCallback callback = new SignInQueryCallback(request);
-                frCB.handle(new Callback[] {callback});
-                Map<String, String> signInQueryMap = callback.getSignInQueryParamMap();
-                StringBuilder sbQuery = new StringBuilder();
-                for (String key : signInQueryMap.keySet()) {
-                    if (sbQuery.length() > 0) {
-                        sbQuery.append("&");
-                    }
-                    sbQuery.append(key).append('=').
-                    append(URLEncoder.encode(signInQueryMap.get(key), "UTF-8"));
-                }
-                signInQuery = sbQuery.toString();
-               
-            }
-        }
-        return signInQuery;
-    }
-
-    private String resolveFreshness(HttpServletRequest request, FedizContext config) throws IOException,
-        UnsupportedCallbackException {
-        Object freshnessObj = ((FederationProtocol)config.getProtocol()).getFreshness();
-        String freshness = null;
-        if (freshnessObj != null) {
-            if (freshnessObj instanceof String) {
-                freshness = (String)freshnessObj;
-            } else if (freshnessObj instanceof CallbackHandler) {
-                CallbackHandler frCB = (CallbackHandler)freshnessObj;
-                FreshnessCallback callback = new FreshnessCallback(request);
-                frCB.handle(new Callback[] {callback});
-                freshness = callback.getFreshness();
-            }
-        }
-        return freshness;
-    }
-
-    private String resolveHomeRealm(HttpServletRequest request, FedizContext config) throws IOException,
-        UnsupportedCallbackException {
-        Object homeRealmObj = ((FederationProtocol)config.getProtocol()).getHomeRealm();
-        String homeRealm = null;
-        if (homeRealmObj != null) {
-            if (homeRealmObj instanceof String) {
-                homeRealm = (String)homeRealmObj;
-            } else if (homeRealmObj instanceof CallbackHandler) {
-                CallbackHandler hrCB = (CallbackHandler)homeRealmObj;
-                HomeRealmCallback callback = new HomeRealmCallback(request);
-                hrCB.handle(new Callback[] {callback});
-                homeRealm = callback.getHomeRealm();
-            }
-        }
-        return homeRealm;
-    }
-
-    private String resolveAuthenticationType(HttpServletRequest request, FedizContext config)
-        throws IOException, UnsupportedCallbackException {
-        Object wAuthObj = ((FederationProtocol)config.getProtocol()).getAuthenticationType();
-        String wAuth = null;
-        if (wAuthObj != null) {
-            if (wAuthObj instanceof String) {
-                wAuth = (String)wAuthObj;
-            } else if (wAuthObj instanceof CallbackHandler) {
-                CallbackHandler wauthCB = (CallbackHandler)wAuthObj;
-                WAuthCallback callback = new WAuthCallback(request);
-                wauthCB.handle(new Callback[] {callback});
-                wAuth = callback.getWauth();
-            }  
-        }
-        return wAuth;
-    }
-    
-    private String resolveRequest(HttpServletRequest request, FedizContext config)
-        throws IOException, UnsupportedCallbackException {
-        Object wReqObj = ((FederationProtocol)config.getProtocol()).getRequest();
-        String wReq = null;
-        if (wReqObj != null) {
-            if (wReqObj instanceof String) {
-                wReq = (String)wReqObj;
-            } else if (wReqObj instanceof CallbackHandler) {
-                CallbackHandler wauthCB = (CallbackHandler)wReqObj;
-                WReqCallback callback = new WReqCallback(request);
-                wauthCB.handle(new Callback[] {callback});
-                wReq = callback.getWreq();
-            }  
-        }
-        return wReq;
-    }
-*/
-    private String resolveIssuer(HttpServletRequest request, FedizContext config) throws IOException,
-        UnsupportedCallbackException {
-        Object issuerObj = config.getProtocol().getIssuer();
-        String issuerURL = null;
-        if (issuerObj instanceof String) {
-            issuerURL = (String)issuerObj;
-        } else if (issuerObj instanceof CallbackHandler) {
-            CallbackHandler issuerCB = (CallbackHandler)issuerObj;
-            IDPCallback callback = new IDPCallback(request);
-            issuerCB.handle(new Callback[] {callback});
-            issuerURL = callback.getIssuerUrl().toString();
-        }
-        return issuerURL;
-    }
-/*
-    private String resolveWTRealm(HttpServletRequest request, FedizContext config) throws IOException,
-        UnsupportedCallbackException {
-        Object wtRealmObj = ((FederationProtocol)config.getProtocol()).getRealm();
-        String wtRealm = null;
-        if (wtRealmObj != null) {
-            if (wtRealmObj instanceof String) {
-                wtRealm = (String)wtRealmObj;
-            } else if (wtRealmObj instanceof CallbackHandler) {
-                CallbackHandler hrCB = (CallbackHandler)wtRealmObj;
-                RealmCallback callback = new RealmCallback(request);
-                hrCB.handle(new Callback[] {callback});
-                wtRealm = callback.getRealm();
-            }
-        } else {
-            wtRealm = extractFullContextPath(request); //default value
-        }
-        return wtRealm;
-    }
-
-*/
-    private String extractFullContextPath(HttpServletRequest request) throws MalformedURLException {
-        String result = null;
-        String contextPath = request.getContextPath();
-        String requestUrl = request.getRequestURL().toString();
-        String requestPath = new URL(requestUrl).getPath();
-        // Cut request path of request url and add context path if not ROOT
-        if (requestPath != null && requestPath.length() > 0) {
-            int lastIndex = requestUrl.lastIndexOf(requestPath);
-            result = requestUrl.substring(0, lastIndex);
-        } else {
-            result = requestUrl;
-        }
-        if (contextPath != null && contextPath.length() > 0) {
-            // contextPath contains starting slash
-            result = result + contextPath + "/";
-        } else {
-            result = result + "/";
-        }
-        return result;
-    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
new file mode 100644
index 0000000..0a2ff81
--- /dev/null
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/FedizSignatureTrustValidator.java
@@ -0,0 +1,248 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.saml;
+
+
+import java.security.PublicKey;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
+
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.Validator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This class verifies trust in a signature.. 
+ */
+public class FedizSignatureTrustValidator implements Validator {
+    
+    private static final Logger LOG = LoggerFactory.getLogger(FedizSignatureTrustValidator.class);
+    
+    public enum TRUST_TYPE { CHAIN_TRUST, CHAIN_TRUST_CONSTRAINTS, PEER_TRUST }
+    
+    /**
+     * Defines the kind of trust which is required
+     */
+    private TRUST_TYPE signatureTrustType = TRUST_TYPE.CHAIN_TRUST;
+        
+    /**
+     * a collection of compiled regular expression patterns for the subject DN
+     */
+    private Collection<Pattern> subjectDNPatterns = new ArrayList<Pattern>();
+    
+    
+    /**
+     * Set the kind of trust. The default is CHAIN_TRUST.
+     */
+    public void setSignatureTrustType(TRUST_TYPE trustType) {
+        this.signatureTrustType = trustType;
+    }
+
+    /**
+     * Set a list of Strings corresponding to regular expression constraints on
+     * the subject DN of a certificate
+     */
+    public void setSubjectConstraints(Collection<Pattern> constraints) {
+        if (constraints != null) {
+            subjectDNPatterns.clear();
+            subjectDNPatterns.addAll(constraints);
+        }
+    }
+    
+    /**
+     * Set a list of Strings corresponding to regular expression constraints on
+     * the subject DN of a certificate
+     */
+    public void setSubjectConstraints(List<String> constraints) {
+        if (constraints != null) {
+            subjectDNPatterns = new ArrayList<Pattern>();
+            for (String constraint : constraints) {
+                try {
+                    subjectDNPatterns.add(Pattern.compile(constraint.trim()));
+                } catch (PatternSyntaxException ex) {
+                    // LOG.severe(ex.getMessage());
+                    throw ex;
+                }
+            }
+        }
+    }
+    
+    /**
+     * Validate the credential argument. It must contain either some Certificates or a PublicKey.
+     * 
+     * A Crypto and a CallbackHandler implementation is required to be set.
+     * 
+     * @param credential the Credential to be validated
+     * @param data the RequestData associated with the request
+     * @throws WSSecurityException on a failed validation
+     */
+    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
+        if (credential == null
+            || ((credential.getCertificates() == null || credential.getCertificates().length == 0)
+                && credential.getPublicKey() == null)) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
+        }
+        
+        verifyTrust(credential, data);
+        
+        return credential;
+    }
+    
+    /**
+     * Verify trust in the credential.
+     * @param credential the Credential to be validated
+     * @param data The RequestData context
+     * @return A Credential instance
+     * @throws WSSecurityException
+     */
+    protected Credential verifyTrust(
+        Credential credential,
+        RequestData data
+    ) throws WSSecurityException {
+        X509Certificate[] certs = credential.getCertificates();
+        PublicKey publicKey = credential.getPublicKey();
+        Crypto crypto = getCrypto(data);
+        if (crypto == null) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSigCryptoFile");
+        }
+        
+        if (certs != null && certs.length > 0) {
+            validateCertificates(certs);
+            verifyTrustInCerts(certs, crypto, data, data.isRevocationEnabled());
+            if (signatureTrustType.equals(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS)) {
+                if (matches(certs[0])) {
+                    return credential;
+                } else {
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+                }
+            } else {
+                return credential;
+            }
+        }
+        if (publicKey != null) {
+            validatePublicKey(publicKey, crypto);
+            return credential;
+        }
+        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+    }
+
+    protected Crypto getCrypto(RequestData data) {
+        return data.getSigVerCrypto();
+    }
+
+
+    /**
+     * Validate the certificates by checking the validity of each cert
+     * @throws WSSecurityException
+     */
+    protected void validateCertificates(X509Certificate[] certificates) 
+        throws WSSecurityException {
+        try {
+            for (int i = 0; i < certificates.length; i++) {
+                certificates[i].checkValidity();
+            }
+        } catch (CertificateExpiredException e) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILED_CHECK, "invalidCert", e
+            );
+        } catch (CertificateNotYetValidException e) {
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILED_CHECK, "invalidCert", e
+            );
+        }
+    }
+    
+    /**
+     * Evaluate whether the given certificate chain should be trusted.
+     * 
+     * @param certificates the certificate chain that should be validated against the keystore
+     * @param crypto A Crypto instance
+     * @param data A RequestData instance
+     * @param enableRevocation Whether revocation is enabled or not
+     * @throws WSSecurityException if the certificate chain is not trusted
+     */
+    protected void verifyTrustInCerts(
+        X509Certificate[] certificates, 
+        Crypto crypto,
+        RequestData data,
+        boolean enableRevocation
+    ) throws WSSecurityException {
+        //
+        // Use the validation method from the crypto to check whether the subjects' 
+        // certificate was really signed by the issuer stated in the certificate
+        //
+        crypto.verifyTrust(certificates, enableRevocation, null);
+        if (LOG.isDebugEnabled()) {
+            String subjectString = certificates[0].getSubjectX500Principal().getName();
+            LOG.debug(
+                "Certificate path has been verified for certificate with subject " + subjectString
+            );
+        }
+    }
+    
+    /**
+     * Validate a public key
+     * @throws WSSecurityException
+     */
+    protected void validatePublicKey(PublicKey publicKey, Crypto crypto) 
+        throws WSSecurityException {
+        crypto.verifyTrust(publicKey);
+    }
+    
+    /**
+     * @return true if the certificate's SubjectDN matches the constraints
+     *         defined in the subject DNConstraints; false, otherwise. The
+     *         certificate subject DN only has to match ONE of the subject cert
+     *         constraints (not all).
+     */
+    public boolean matches(final java.security.cert.X509Certificate cert) {
+        if (!subjectDNPatterns.isEmpty()) {
+            if (cert == null) {
+                return false;
+            }
+            String subjectName = cert.getSubjectX500Principal().getName();
+            boolean subjectMatch = false;
+            for (Pattern subjectDNPattern : subjectDNPatterns) {
+                final Matcher matcher = subjectDNPattern.matcher(subjectName);
+                if (matcher.matches()) {
+                    subjectMatch = true;
+                    break;
+                }
+            }
+            if (!subjectMatch) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
index b468b5c..0b9b68a 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
@@ -42,7 +42,7 @@ import org.apache.cxf.fediz.core.config.TrustManager;
 import org.apache.cxf.fediz.core.config.TrustedIssuer;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
 import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
-import org.apache.cxf.fediz.core.saml.SamlAssertionValidator.TRUST_TYPE;
+import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TRUST_TYPE;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.principal.SAMLTokenPrincipal;
 import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
@@ -205,6 +205,7 @@ public class SAMLTokenValidator implements TokenValidator {
                     assertion.getId(), p.getName(), assertionIssuer, roles,
                     new ClaimCollection(claims), audience);
             response.setExpires(getExpires(assertion));
+            response.setCreated(getCreated(assertion));
             
             return response;
 
@@ -441,6 +442,20 @@ public class SAMLTokenValidator implements TokenValidator {
         return validTill.toDate();
     }
     
+    private Date getCreated(SamlAssertionWrapper assertion) {
+        DateTime validFrom = null;
+        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+            validFrom = assertion.getSaml2().getConditions().getNotBefore();
+        } else {
+            validFrom = assertion.getSaml1().getConditions().getNotBefore();
+        }
+        
+        if (validFrom == null) {
+            return null;
+        }
+        return validFrom.toDate();
+    }
+    
     /**
      * Check the Conditions of the Assertion.
      */

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
index 24a6784..e72f021 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SamlAssertionValidator.java
@@ -19,19 +19,14 @@
 
 package org.apache.cxf.fediz.core.saml;
 
-
-import java.security.PublicKey;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Date;
 import java.util.List;
-import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;
 
+import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TRUST_TYPE;
 import org.apache.wss4j.common.cache.ReplayCache;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -57,8 +52,6 @@ public class SamlAssertionValidator implements Validator {
     
     private static final Logger LOG = LoggerFactory.getLogger(SamlAssertionValidator.class);
     
-    public enum TRUST_TYPE { CHAIN_TRUST, CHAIN_TRUST_CONSTRAINTS, PEER_TRUST }
-    
     /**
      * The time in seconds in the future within which the NotBefore time of an incoming 
      * Assertion is valid. The default is 60 seconds.
@@ -71,9 +64,6 @@ public class SamlAssertionValidator implements Validator {
      */
     private boolean validateSignatureAgainstProfile = true;
 
-    /**
-     * Defines the kind of trust which is required thus assertion signature validation is successful.
-     */
     private TRUST_TYPE signatureTrustType = TRUST_TYPE.CHAIN_TRUST;
         
     /**
@@ -180,97 +170,17 @@ public class SamlAssertionValidator implements Validator {
         credential.setPublicKey(samlKeyInfo.getPublicKey());
         credential.setCertificates(samlKeyInfo.getCerts());
         
-        X509Certificate[] certs = credential.getCertificates();
-        PublicKey publicKey = credential.getPublicKey();
-        Crypto crypto = getCrypto(data);
-        if (crypto == null) {
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSigCryptoFile");
-        }
+        FedizSignatureTrustValidator trustValidator = new FedizSignatureTrustValidator();
+        trustValidator.setSignatureTrustType(signatureTrustType);
+        trustValidator.setSubjectConstraints(subjectDNPatterns);
         
-        if (certs != null && certs.length > 0) {
-            validateCertificates(certs);
-            verifyTrustInCerts(certs, crypto, data, data.isRevocationEnabled());
-            if (signatureTrustType.equals(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS)) {
-                if (matches(certs[0])) {
-                    return credential;
-                } else {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
-                }
-            } else {
-                return credential;
-            }
-        }
-        if (publicKey != null) {
-            validatePublicKey(publicKey, crypto);
-            return credential;
-        }
-        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+        return trustValidator.validate(credential, data);
     }
 
     protected Crypto getCrypto(RequestData data) {
         return data.getSigVerCrypto();
     }
 
-
-    /**
-     * Validate the certificates by checking the validity of each cert
-     * @throws WSSecurityException
-     */
-    protected void validateCertificates(X509Certificate[] certificates) 
-        throws WSSecurityException {
-        try {
-            for (int i = 0; i < certificates.length; i++) {
-                certificates[i].checkValidity();
-            }
-        } catch (CertificateExpiredException e) {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILED_CHECK, "invalidCert", e
-            );
-        } catch (CertificateNotYetValidException e) {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILED_CHECK, "invalidCert", e
-            );
-        }
-    }
-    
-    /**
-     * Evaluate whether the given certificate chain should be trusted.
-     * 
-     * @param certificates the certificate chain that should be validated against the keystore
-     * @param crypto A Crypto instance
-     * @param data A RequestData instance
-     * @param enableRevocation Whether revocation is enabled or not
-     * @throws WSSecurityException if the certificate chain is not trusted
-     */
-    protected void verifyTrustInCerts(
-        X509Certificate[] certificates, 
-        Crypto crypto,
-        RequestData data,
-        boolean enableRevocation
-    ) throws WSSecurityException {
-        //
-        // Use the validation method from the crypto to check whether the subjects' 
-        // certificate was really signed by the issuer stated in the certificate
-        //
-        crypto.verifyTrust(certificates, enableRevocation, null);
-        if (LOG.isDebugEnabled()) {
-            String subjectString = certificates[0].getSubjectX500Principal().getName();
-            LOG.debug(
-                "Certificate path has been verified for certificate with subject " + subjectString
-            );
-        }
-    }
-    
-    /**
-     * Validate a public key
-     * @throws WSSecurityException
-     */
-    protected void validatePublicKey(PublicKey publicKey, Crypto crypto) 
-        throws WSSecurityException {
-        crypto.verifyTrust(publicKey);
-    }
-    
-    
     /**
      * Check the Conditions of the Assertion.
      */
@@ -336,32 +246,4 @@ public class SamlAssertionValidator implements Validator {
         this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
     }
     
-    /**
-     * @return true if the certificate's SubjectDN matches the constraints
-     *         defined in the subject DNConstraints; false, otherwise. The
-     *         certificate subject DN only has to match ONE of the subject cert
-     *         constraints (not all).
-     */
-    public boolean matches(final java.security.cert.X509Certificate cert) {
-        if (!subjectDNPatterns.isEmpty()) {
-            if (cert == null) {
-                return false;
-            }
-            String subjectName = cert.getSubjectX500Principal().getName();
-            boolean subjectMatch = false;
-            for (Pattern subjectDNPattern : subjectDNPatterns) {
-                final Matcher matcher = subjectDNPattern.matcher(subjectName);
-                if (matcher.matches()) {
-                    subjectMatch = true;
-                    break;
-                }
-            }
-            if (!subjectMatch) {
-                return false;
-            }
-        }
-
-        return true;
-    }
-    
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/EHCacheSPStateManager.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/EHCacheSPStateManager.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/EHCacheSPStateManager.java
index 0daeb2a..4ec8f8e 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/EHCacheSPStateManager.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/EHCacheSPStateManager.java
@@ -41,7 +41,6 @@ public class EHCacheSPStateManager implements SPStateManager {
     public static final String RESPONSE_CACHE_KEY = "cxf.fediz.samlp.response.state.cache";
     
     private Ehcache requestCache;
-    private Ehcache responseCache;
     private CacheManager cacheManager;
     private long ttl = DEFAULT_TTL;
     
@@ -60,11 +59,6 @@ public class EHCacheSPStateManager implements SPStateManager {
 
         Ehcache newCache = new Cache(requestCC);
         requestCache = cacheManager.addCacheIfAbsent(newCache);
-        
-        CacheConfiguration responseCC = EHCacheManagerHolder.getCacheConfiguration(RESPONSE_CACHE_KEY, cacheManager);
-        
-        newCache = new Cache(responseCC);
-        responseCache = cacheManager.addCacheIfAbsent(newCache);
     }
     
     private static URL getConfigFileURL(Object o) {
@@ -100,44 +94,6 @@ public class EHCacheSPStateManager implements SPStateManager {
         return ttl;
     }
     
-    public ResponseState getResponseState(String securityContextKey) {
-        Element element = responseCache.get(securityContextKey);
-        if (element != null) {
-            if (responseCache.isExpired(element)) {
-                responseCache.remove(securityContextKey);
-                return null;
-            }
-            return (ResponseState)element.getObjectValue();
-        }
-        return null;
-    }
-
-    public ResponseState removeResponseState(String securityContextKey) {
-        Element element = responseCache.get(securityContextKey);
-        if (element != null) {
-            responseCache.remove(securityContextKey);
-            return (ResponseState)element.getObjectValue();
-        }
-        return null;
-    }
-
-    public void setResponseState(String securityContextKey, ResponseState state) {
-        if (securityContextKey == null || "".equals(securityContextKey)) {
-            return;
-        }
-        
-        int parsedTTL = (int)ttl;
-        if (ttl != (long)parsedTTL) {
-            // Fall back to 5 minutes if the default TTL is set incorrectly
-            parsedTTL = 60 * 5;
-        }
-        Element element = new Element(securityContextKey, state);
-        element.setTimeToLive(parsedTTL);
-        element.setTimeToIdle(parsedTTL);
-        
-        responseCache.put(element);
-    }
-    
     public void setRequestState(String relayState, RequestState state) {
         if (relayState == null || "".equals(relayState)) {
             return;
@@ -169,7 +125,6 @@ public class EHCacheSPStateManager implements SPStateManager {
             cacheManager.shutdown();
             cacheManager = null;
             requestCache = null;
-            responseCache = null;
         }
     }
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/ResponseState.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/ResponseState.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/ResponseState.java
deleted file mode 100644
index dfbf9ff..0000000
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/ResponseState.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.core.samlsso;
-
-import java.io.Serializable;
-
-import javax.xml.bind.annotation.XmlAccessType;
-import javax.xml.bind.annotation.XmlAccessorType;
-import javax.xml.bind.annotation.XmlRootElement;
-
-@XmlRootElement
-@XmlAccessorType(XmlAccessType.FIELD)
-public class ResponseState implements Serializable {
-
-    private static final long serialVersionUID = -3247188797004342462L;
-    
-    private String assertion;
-    private String relayState;
-    private String webAppContext;
-    private String webAppDomain;
-    private long createdAt;
-    private long expiresAt;
-    
-    public ResponseState() {
-        
-    }
-    
-    public ResponseState(String assertion,
-                         String relayState,
-                         String webAppContext,
-                         String webAppDomain,
-                         long createdAt, 
-                         long expiresAt) {
-        this.assertion = assertion;
-        this.relayState = relayState;
-        this.webAppContext = webAppContext;
-        this.webAppDomain = webAppDomain;
-        this.createdAt = createdAt;
-        this.expiresAt = expiresAt;
-    }
-
-    public long getCreatedAt() {
-        return createdAt;
-    }
-    
-    public long getExpiresAt() {
-        return expiresAt;
-    }
-
-    public String getRelayState() {
-        return relayState;
-    }
-    
-    public String getWebAppContext() {
-        return webAppContext;
-    }
-
-    public String getWebAppDomain() {
-        return webAppDomain;
-    }
-    
-    public String getAssertion() {
-        return assertion;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
index 2269aa4..d086aee 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLProtocolResponseValidator.java
@@ -18,8 +18,16 @@
  */
 package org.apache.cxf.fediz.core.samlsso;
 
-import org.w3c.dom.Document;
+import java.util.Collections;
+import java.util.List;
 
+import org.w3c.dom.Document;
+import org.apache.cxf.fediz.core.config.CertificateValidationMethod;
+import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.config.TrustManager;
+import org.apache.cxf.fediz.core.config.TrustedIssuer;
+import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator;
+import org.apache.cxf.fediz.core.saml.FedizSignatureTrustValidator.TRUST_TYPE;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SAMLUtil;
@@ -27,6 +35,7 @@ import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.WSSConfig;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
+import org.apache.wss4j.dom.validate.Credential;
 import org.opensaml.security.SAMLSignatureProfileValidator;
 import org.opensaml.xml.security.x509.BasicX509Credential;
 import org.opensaml.xml.signature.KeyInfo;
@@ -58,7 +67,8 @@ public class SAMLProtocolResponseValidator {
      * @throws WSSecurityException
      */
     public void validateSamlResponse(
-        org.opensaml.saml2.core.Response samlResponse
+        org.opensaml.saml2.core.Response samlResponse,
+        FedizContext config
     ) throws WSSecurityException {
         // Check the Status Code
         if (samlResponse.getStatus() == null
@@ -75,7 +85,7 @@ public class SAMLProtocolResponseValidator {
         }
         
         validateResponseAgainstSchemas(samlResponse);
-        validateResponseSignature(samlResponse);
+        validateResponseSignature(samlResponse, config);
     }
     
     /**
@@ -84,7 +94,8 @@ public class SAMLProtocolResponseValidator {
      * @throws WSSecurityException
      */
     public void validateSamlResponse(
-        org.opensaml.saml1.core.Response samlResponse
+        org.opensaml.saml1.core.Response samlResponse,
+        FedizContext config
     ) throws WSSecurityException {
         // Check the Status Code
         if (samlResponse.getStatus() == null
@@ -103,7 +114,7 @@ public class SAMLProtocolResponseValidator {
         }
 
         validateResponseAgainstSchemas(samlResponse);
-        validateResponseSignature(samlResponse);
+        validateResponseSignature(samlResponse, config);
     }
     
     /**
@@ -144,14 +155,15 @@ public class SAMLProtocolResponseValidator {
      * Validate the Response signature (if it exists)
      */
     private void validateResponseSignature(
-        org.opensaml.saml2.core.Response samlResponse
+        org.opensaml.saml2.core.Response samlResponse,
+        FedizContext config
     ) throws WSSecurityException {
         if (!samlResponse.isSigned()) {
             return;
         }
         
         validateResponseSignature(
-            samlResponse.getSignature(), samlResponse.getDOM().getOwnerDocument()
+            samlResponse.getSignature(), samlResponse.getDOM().getOwnerDocument(), config
         );
     }
     
@@ -159,14 +171,15 @@ public class SAMLProtocolResponseValidator {
      * Validate the Response signature (if it exists)
      */
     private void validateResponseSignature(
-        org.opensaml.saml1.core.Response samlResponse
+        org.opensaml.saml1.core.Response samlResponse,
+        FedizContext config
     ) throws WSSecurityException {
         if (!samlResponse.isSigned()) {
             return;
         }
         
         validateResponseSignature(
-            samlResponse.getSignature(), samlResponse.getDOM().getOwnerDocument()
+            samlResponse.getSignature(), samlResponse.getDOM().getOwnerDocument(), config
         );
     }
     
@@ -175,7 +188,8 @@ public class SAMLProtocolResponseValidator {
      */
     private void validateResponseSignature(
         Signature signature, 
-        Document doc
+        Document doc,
+        FedizContext config
     ) throws WSSecurityException {
         RequestData requestData = new RequestData();
         WSSConfig wssConfig = WSSConfig.getNewInstance();
@@ -205,17 +219,52 @@ public class SAMLProtocolResponseValidator {
         validateSignatureAgainstProfiles(signature, samlKeyInfo);
 
         // Now verify trust on the signature
-        /* TODO Credential trustCredential = new Credential();
+        Credential trustCredential = new Credential();
         trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
         trustCredential.setCertificates(samlKeyInfo.getCerts());
 
-        try {
-            signatureValidator.validate(trustCredential, requestData);
-        } catch (WSSecurityException e) {
-            LOG.debug("Error in validating signature on SAML Response: " + e.getMessage(), e);
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        FedizSignatureTrustValidator trustValidator = new FedizSignatureTrustValidator();
+        
+        boolean trusted = false;
+        
+        List<TrustedIssuer> trustedIssuers = config.getTrustedIssuers();
+        for (TrustedIssuer ti : trustedIssuers) {
+            List<String> subjectConstraints = Collections.singletonList(ti.getSubject());
+            if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) {
+                trustValidator.setSubjectConstraints(subjectConstraints);
+                trustValidator.setSignatureTrustType(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS);
+            } else if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.PEER_TRUST)) {
+                trustValidator.setSignatureTrustType(TRUST_TYPE.PEER_TRUST);
+            } else {
+                throw new IllegalStateException("Unsupported certificate validation method: " 
+                                                + ti.getCertificateValidationMethod());
+            }
+            try {
+                for (TrustManager tm: config.getCertificateStores()) {
+                    try {
+                        requestData.setSigVerCrypto(tm.getCrypto());
+                        trustValidator.validate(trustCredential, requestData);
+                        trusted = true;
+                        break;
+                    } catch (Exception ex) {
+                        LOG.debug("Issuer '{}' not validated in keystore '{}'",
+                                  ti.getName(), tm.getName());
+                    }
+                }
+                if (trusted) {
+                    break;
+                }
+                
+            } catch (Exception ex) {
+                LOG.info("Error in validating signature on SAML Response: " + ex.getMessage(), ex);
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+            }
+        }
+        
+        if (!trusted) {
+            LOG.warn("SAML Response is not trusted");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
         }
-        */
     }
     
     /**

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SPStateManager.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SPStateManager.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SPStateManager.java
index d55dce0..d55c5d4 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SPStateManager.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SPStateManager.java
@@ -36,9 +36,5 @@ public interface SPStateManager extends Closeable {
     void setRequestState(String relayState, RequestState state);
     RequestState removeRequestState(String relayState);
     
-    void setResponseState(String contextKey, ResponseState state);
-    ResponseState getResponseState(String contextKey);
-    ResponseState removeResponseState(String contextKey);
-    
     void close() throws IOException;
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/core/src/main/resources/schemas/FedizConfig.xsd
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index 748b8a7..750ec31 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -93,7 +93,6 @@
 		<xs:complexContent>
 			<xs:extension base="protocolType">
 				<xs:sequence>
-					<xs:element ref="realm" />
 					<xs:element ref="authenticationType" />
 					<xs:element ref="homeRealm" />
 					<xs:element ref="freshness" />
@@ -101,7 +100,6 @@
 					<xs:element ref="request" />
 					<xs:element ref="signInQuery" />
 					<xs:element ref="claimTypesRequested" />
-					<xs:element ref="tokenValidators" />
 					<xs:element ref="applicationServiceURL" />
 				</xs:sequence>
 				<xs:attribute name="version" use="required" type="xs:string" />
@@ -118,7 +116,6 @@
 					<xs:element ref="webAppDomain" />
 					<xs:element ref="authnRequestBuilder"/>
 					<xs:element ref="stateManager"/>
-					<xs:element ref="tokenValidators" />
 				</xs:sequence>
 				<xs:attribute name="version" use="required" type="xs:string" />
 			</xs:extension>
@@ -141,6 +138,8 @@
 	        <xs:element ref="roleDelimiter" />
 	        <xs:element ref="roleURI" />
 	        <xs:element ref="issuer" />
+	        <xs:element ref="realm" />
+	        <xs:element ref="tokenValidators" />
 		</xs:sequence>
 	</xs:complexType>
  

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
index ce23c0c..ebb40e3 100644
--- a/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
+++ b/plugins/jetty/src/main/java/org/apache/cxf/fediz/jetty/FederationAuthenticator.java
@@ -196,6 +196,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
                     wfReq.setAction(action);
                     wfReq.setResponseToken(responseToken);
                     wfReq.setState(request.getParameter("RelayState"));
+                    wfReq.setRequest(request);
 
                     X509Certificate certs[] = 
                         (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 3e20030..2c6d85b 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -52,6 +52,7 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces
         wfReq.setAction(wa);
         wfReq.setResponseToken(responseToken);
         wfReq.setState(request.getParameter("RelayState"));
+        wfReq.setRequest(request);
         
         X509Certificate certs[] = 
             (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 466f7c3..eeb7190 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -65,6 +65,7 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
         wfReq.setAction(wa);
         wfReq.setResponseToken(responseToken);
         wfReq.setState(request.getParameter("RelayState"));
+        wfReq.setRequest(request);
         
         X509Certificate certs[] = 
             (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e7c14fea/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
index ce49565..719efc9 100644
--- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
+++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
@@ -422,6 +422,7 @@ public class FederationAuthenticator extends FormAuthenticator {
                 wfReq.setAction(action);
                 wfReq.setResponseToken(responseToken);
                 wfReq.setState(request.getParameter("RelayState"));
+                wfReq.setRequest(request);
                 
                 X509Certificate certs[] = 
                     (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");


Mime
View raw message