From jbernha...@apache.org
Subject [3/3] cxf-fediz git commit: [Fediz-95] Moving Spring Security Configuration to central location
Date Thu, 29 Jan 2015 09:38:58 GMT
[Fediz-95] Moving Spring Security Configuration to central location


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d16365db
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d16365db
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d16365db

Branch: refs/heads/master
Commit: d16365db1bc03bc7a2d55185949315e4cf2a58d0
Parents: ea8c7c2
Author: Jan Bernhardt <jbernhardt@talend.com>
Authored: Wed Jan 21 12:33:40 2015 +0100
Committer: Jan Bernhardt <jbernhardt@talend.com>
Committed: Thu Jan 29 10:10:01 2015 +0100

----------------------------------------------------------------------
 .gitignore                                      |   1 +
 .../test/resources/fediz_test_config_saml.xml   |   2 +-
 .../cxf/fediz/service/idp/util/WebUtils.java    |   1 +
 services/idp/src/main/resources/restContext.xml |  61 +------
 .../src/main/resources/restContextKerberos.xml  | 169 -------------------
 .../main/webapp/WEB-INF/applicationContext.xml  |  26 +--
 .../main/webapp/WEB-INF/idp-config-realma.xml   |   5 +-
 .../main/webapp/WEB-INF/idp-config-realmb.xml   |   4 +-
 .../idp/src/main/webapp/WEB-INF/idp-servlet.xml |  17 +-
 .../webapp/WEB-INF/security-config-kerberos.xml |  54 +++++-
 .../src/main/webapp/WEB-INF/security-config.xml |  44 ++++-
 services/idp/src/test/resources/idp-config.xml  |  29 +---
 12 files changed, 124 insertions(+), 289 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index f5f8e88..1e8a4b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ target/
 velocity.log
 .externalToolBuilders/
 
+.idea

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/plugins/core/src/test/resources/fediz_test_config_saml.xml
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/resources/fediz_test_config_saml.xml b/plugins/core/src/test/resources/fediz_test_config_saml.xml
index 125bccd..81973c3 100644
--- a/plugins/core/src/test/resources/fediz_test_config_saml.xml
+++ b/plugins/core/src/test/resources/fediz_test_config_saml.xml
@@ -200,7 +200,7 @@
 		</audienceUris>
 		<certificateStores>
 			<trustManager>
-				<keyStore file="clientonly.jks" password="storepass"
+				<keyStore file="clientonly.jks" password="cspass"
 					type="JKS" />
 			</trustManager>		
 		</certificateStores>
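Review bot: The keystore password change on the `clientonly.jks` trust manager (`storepass` → `cspass`) is unrelated to the Spring Security consolidation the commit describes and is not mentioned in the message. If it fixes a test that failed against the shipped `clientonly.jks`, say so in the commit message or split it into its own commit so the change can be bisected later.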

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
index 89543dc..284fd40 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
@@ -202,6 +202,7 @@ public final class WebUtils {
         Cookie cookie = readCookie(context, cookieName);
         if (cookie != null) {
             cookie.setMaxAge(0);
+            cookie.setValue("");
             httpServletResponse.addCookie(cookie);
         }
     }
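Review bot: Clearing the value on the added line still leaves the expiring cookie without the path (and domain) it was originally issued with: if `readCookie` returns the `Cookie` as parsed from the request, those attributes are absent because browsers never send them, and a `Set-Cookie` with `Max-Age=0` only replaces the original cookie when path and domain match. Set them explicitly before `httpServletResponse.addCookie(cookie)`, e.g. `cookie.setPath(…)` with the same path used when the cookie was created (that creation site is not visible in this hunk). The `<security:logout delete-cookies="FEDIZ_HOME_REALM">` added to security-config.xml in this commit removes the same cookie through Spring's logout handler, so the two removal paths should agree on the path they use. The enclosing method in WebUtils starts outside the hunk.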

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/resources/restContext.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/restContext.xml b/services/idp/src/main/resources/restContext.xml
index 24a4f1a..ce58024 100644
--- a/services/idp/src/main/resources/restContext.xml
+++ b/services/idp/src/main/resources/restContext.xml
@@ -18,19 +18,15 @@
   under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:context="http://www.springframework.org/schema/context"
-    xmlns:jaxrs="http://cxf.apache.org/jaxrs"
-    xmlns:security="http://www.springframework.org/schema/security"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://cxf.apache.org/jaxrs
-        http://cxf.apache.org/schemas/jaxrs.xsd
-        http://www.springframework.org/schema/security
-        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+        http://cxf.apache.org/schemas/jaxrs.xsd">
 
 <!-- 
 <context:component-scan base-package="org.apache.cxf.fediz.service.idp.protocols" />
@@ -43,8 +39,7 @@
     
     <bean id="jaxbProvider" class="org.apache.cxf.jaxrs.provider.JAXBElementProvider">
         <property name="depthProperties">
-            <bean id="depthProperties"
-                class="org.apache.cxf.staxutils.DocumentDepthProperties">
+            <bean class="org.apache.cxf.staxutils.DocumentDepthProperties">
                 <property name="innerElementCountThreshold" value="500" />
             </bean>
         </property>
@@ -102,48 +97,6 @@
 
     <bean id="roleServiceImpl"
         class="org.apache.cxf.fediz.service.idp.rest.RoleServiceImpl" />
-
-
-    <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
-    <!-- The user has no role during the login phase of WS-Federation -->
-    <security:global-method-security pre-post-annotations="enabled"/>
-
-    <security:http pattern="/services/rs/**" auto-config="false" use-expressions="true">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
-        <security:http-basic />
-    </security:http>
-
-    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
-    
-    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"
/>
-    
-    <security:authentication-manager>
-        <security:authentication-provider>
-          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
-          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
-          <!--  
-          <security:password-encoder hash="sha-256" base64="true">
-            <security:salt-source user-property="username"/>
-          </security:password-encoder>
-          -->
-          <security:user-service properties="classpath:/users.properties" />
-        </security:authentication-provider>
-        <security:authentication-provider ref="stsAuthProvider" />
-    </security:authentication-manager>
-
-    <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
-
-    <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
-    
-    <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
-        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportUT_Port"/>
-        <property name="wsdlService" value="SecurityTokenService"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-    </bean>
     
 </beans>
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/resources/restContextKerberos.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/restContextKerberos.xml b/services/idp/src/main/resources/restContextKerberos.xml
deleted file mode 100644
index 4fa2060..0000000
--- a/services/idp/src/main/resources/restContextKerberos.xml
+++ /dev/null
@@ -1,169 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:context="http://www.springframework.org/schema/context"
-    xmlns:jaxrs="http://cxf.apache.org/jaxrs"
-    xmlns:security="http://www.springframework.org/schema/security"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-        http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
-        http://cxf.apache.org/jaxrs
-        http://cxf.apache.org/schemas/jaxrs.xsd
-        http://www.springframework.org/schema/security
-        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-
-<!-- 
-<context:component-scan base-package="org.apache.cxf.fediz.service.idp.protocols" />
-    
-    
-    <bean
-        class="org.apache.cxf.fediz.service.idp.protocols.TrustedIdpProtocolHandlerImpl"
/>
-      -->   
-    <context:property-placeholder location="classpath:realm.properties"/>
-    
-    <bean id="jaxbProvider" class="org.apache.cxf.jaxrs.provider.JAXBElementProvider">
-        <property name="depthProperties">
-            <bean id="depthProperties"
-                class="org.apache.cxf.staxutils.DocumentDepthProperties">
-                <property name="innerElementCountThreshold" value="500" />
-            </bean>
-        </property>
-        <property name="marshallerProperties">
-            <map>
-                <entry key="jaxb.formatted.output">
-                    <value type="java.lang.Boolean">true</value>
-                </entry>
-            </map>
-        </property>
-    </bean>
-
-    <bean id="exceptionMapper"
-        class="org.apache.cxf.fediz.service.idp.rest.RestServiceExceptionMapper" />
-
-    <bean id="jsonProvider" class="org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider"
/>
-
-    <jaxrs:server id="idpService" address="/rs">
-        <jaxrs:serviceBeans>
-            <ref bean="idpServiceImpl" />
-            <ref bean="claimServiceImpl" />
-            <ref bean="applicationServiceImpl" />
-            <ref bean="trustedIdpServiceImpl" />
-            <ref bean="entitlementServiceImpl" />
-            <ref bean="roleServiceImpl" />
-            <ref bean="rootServiceImpl" />
-        </jaxrs:serviceBeans>
-        <jaxrs:providers>
-            <ref bean="jaxbProvider" />
-            <ref bean="jsonProvider" />
-            <ref bean="exceptionMapper" />
-        </jaxrs:providers>
-        <jaxrs:extensionMappings>
-            <entry key="json" value="application/json;charset=UTF-8" />
-            <entry key="xml" value="application/xml;charset=UTF-8" />
-        </jaxrs:extensionMappings>
-    </jaxrs:server>
-
-    <bean id="rootServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.RootServiceImpl" />
-
-    <bean id="idpServiceImpl" class="org.apache.cxf.fediz.service.idp.rest.IdpServiceImpl"
/>
-
-    <bean id="claimServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.ClaimServiceImpl" />
-
-    <bean id="applicationServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.ApplicationServiceImpl" />
-
-    <bean id="trustedIdpServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.TrustedIdpServiceImpl" />
-
-    <bean id="entitlementServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.EntitlementServiceImpl" />
-
-    <bean id="roleServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.RoleServiceImpl" />
-
-
-    <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
-    <!-- The user has no role during the login phase of WS-Federation -->
-    <security:global-method-security pre-post-annotations="enabled"/>
-
-    <security:http pattern="/services/rs/**" auto-config="false" use-expressions="true"
-        entry-point-ref="kerberosEntryPoint">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
-        <!--<security:http-basic />-->
-        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
-    </security:http>
-
-    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
-    
-    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"
/>
-    
-    <bean id="kerberosEntryPoint" 
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
-    
-    <bean id="spnegoAuthenticationProcessingFilter"
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
-        <property name="authenticationManager" ref="authenticationManager" />
-    </bean>
-    
-    <security:authentication-manager alias="authenticationManager">
-        <security:authentication-provider>
-          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
-          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
-          <!--  
-          <security:password-encoder hash="sha-256" base64="true">
-            <security:salt-source user-property="username"/>
-          </security:password-encoder>
-          -->
-          <security:user-service properties="classpath:/users.properties" />
-        </security:authentication-provider>
-        <security:authentication-provider ref="stsAuthProvider" />
-    </security:authentication-manager>
-
-    <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
-
-    <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
-    <!--
-    <bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
-        <property name="contextName" value="bob"/>
-        <property name="serviceName" value="bob@service.ws.apache.org"/>
-    </bean>
-    -->
-    
-    <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
-        <!--<property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportUT_Port"/>-->
-        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
-        <property name="wsdlService" value="SecurityTokenService"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-        <!--<property name="kerberosTokenValidator" ref="kerberosTokenValidator"/>
-        <property name="requireDelegation" value="true"/>-->
-    </bean>
-    
-</beans>
-

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/applicationContext.xml b/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
index afe5003..a858236 100644
--- a/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
@@ -18,31 +18,21 @@
   under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:cxf="http://cxf.apache.org/core"
-    xmlns:jaxws="http://cxf.apache.org/jaxws"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xmlns:http="http://cxf.apache.org/transports/http/configuration"
-    xmlns:sec="http://cxf.apache.org/configuration/security"
-    xmlns:context="http://www.springframework.org/schema/context"
-    xmlns:jaxrs="http://cxf.apache.org/jaxrs"
-    xsi:schemaLocation="
-        http://cxf.apache.org/core
+       xmlns:cxf="http://cxf.apache.org/core"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:http="http://cxf.apache.org/transports/http/configuration"
+       xmlns:sec="http://cxf.apache.org/configuration/security"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xsi:schemaLocation="http://cxf.apache.org/core
         http://cxf.apache.org/schemas/core.xsd
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-        http://cxf.apache.org/jaxws
-        http://cxf.apache.org/schemas/jaxws.xsd
-        http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://cxf.apache.org/configuration/security
-        http://cxf.apache.org/schemas/configuration/security.xsd
-        http://cxf.apache.org/jaxrs
-        http://cxf.apache.org/schemas/jaxrs.xsd">
+        http://cxf.apache.org/schemas/configuration/security.xsd">
 
     <context:component-scan base-package="org.apache.cxf.fediz.service.idp.protocols"
/>
         
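Review bot: Dropping `xmlns:jaxws`, `xmlns:util` and `xmlns:jaxrs` from the root element is only safe if no element later in applicationContext.xml uses those prefixes; the rest of the file is outside this hunk, so it cannot be confirmed here, and an undeclared prefix fails at XML parse time before Spring even starts. The same applies to the `util` prefix removed from idp-servlet.xml and to the `cxf`, `jaxws`, `test` and `sec` prefixes removed from the test idp-config.xml. A search for `<util:`, `<jaxrs:`, `<jaxws:`, `<cxf:` and `<sec:` in each of those files would settle it.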

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
index 883859e..c5e0a4a 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
@@ -25,9 +25,10 @@
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+        http://www.springframework.org/schema/util/spring-util-3.1.xsd
+        ">
 
     <context:property-placeholder location="classpath:realm.properties" />
 
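Review bot: The closing `">` of `xsi:schemaLocation` was left on a line of its own while the sibling idp-config-realmb.xml keeps it on the last URL line; fold it back to `http://www.springframework.org/schema/util/spring-util-3.1.xsd">` so the two realm files stay textually parallel. The security-config.xml hunk in this commit has the same stray `">` line after `spring-security-3.1.xsd`.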

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
index f5ab043..a8c8a3b 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
@@ -25,9 +25,9 @@
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+        http://www.springframework.org/schema/util/spring-util-3.1.xsd">
 
     <context:property-placeholder location="classpath:realm.properties" />
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
index ada6250..ccc2146 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
@@ -18,17 +18,14 @@
   under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:util="http://www.springframework.org/schema/util" 
-    xmlns:webflow="http://www.springframework.org/schema/webflow-config"
-    xmlns:p="http://www.springframework.org/schema/p"
-    xmlns:context="http://www.springframework.org/schema/context"
-    xsi:schemaLocation="http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-        http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:webflow="http://www.springframework.org/schema/webflow-config"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/webflow-config
         http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml b/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
index 0d17349..49049ab 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
@@ -23,9 +23,9 @@
     xmlns:context="http://www.springframework.org/schema/context"
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">
 
@@ -35,18 +35,54 @@
     <!-- <security:debug /> -->
 
     <!-- Configure Spring Security -->
-    <security:http pattern="/federation/**" auto-config="false" use-expressions="true"
-        entry-point-ref="kerberosEntryPoint">
+    <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
+    <!-- The user has no role during the login phase of WS-Federation -->
+    <security:global-method-security pre-post-annotations="enabled"/>
+
+    <security:http pattern="/services/rs/**" auto-config="false" use-expressions="true"
entry-point-ref="kerberosEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
access="isAnonymous() or isAuthenticated()" />
-
-        <!-- MUST be http-basic thus systests run fine -->
+        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
         <!--<security:http-basic />-->
-        <!--<security:form-login />-->
         <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
     </security:http>
+
+    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
+    
+    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"
/>
+    
+    <bean id="kerberosEntryPoint" 
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
+    
+    <bean id="spnegoAuthenticationProcessingFilter"
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+        <property name="authenticationManager" ref="restAuthenticationManager" />
+    </bean>
     
+    <security:authentication-manager id="restAuthenticationManager">
+        <security:authentication-provider>
+          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
+          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+          <!--  
+          <security:password-encoder hash="sha-256" base64="true">
+            <security:salt-source user-property="username"/>
+          </security:password-encoder>
+          -->
+          <security:user-service properties="classpath:/users.properties" />
+        </security:authentication-provider>
+        <security:authentication-provider ref="stsAuthProvider" />
+    </security:authentication-manager>
+      
+    <security:http use-expressions="true" entry-point-ref="kerberosEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
access="isAnonymous() or isAuthenticated()" />
+
+        <security:form-login login-page="/federation/login"/>
+        <security:http-basic />
+        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
+    </security:http>
+
     <bean id="kerberosEntryPoint"
           class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
     
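Review bot: The catch-all `<security:http use-expressions="true" entry-point-ref="kerberosEntryPoint">` added at the end of this hunk declares `<security:http-basic />` and a `custom-filter` at `position="BASIC_AUTH_FILTER"` in the same chain; the Spring Security namespace parser rejects two filters registered at the same position at startup, which is presumably why the `/services/rs/**` block above keeps `<!--<security:http-basic />-->` commented out. Remove the `<security:http-basic />` line from the catch-all (or the Kerberos custom-filter, if basic auth is what that chain is meant to use). Separately, `kerberosEntryPoint` is now defined twice in this file — the new bean in the hunk and the pre-existing one right after the second `</security:http>` — and Spring's default bean-definition overriding lets the later one win silently; the new `spnegoAuthenticationProcessingFilter` bean wired to `restAuthenticationManager` is also not what either chain references (`kerberosAuthenticationProcessingFilter`), so as written the REST chain never uses `restAuthenticationManager` here. Note that this `/services/rs/**` block lacks the `authentication-manager-ref="restAuthenticationManager"` that security-config.xml gives its counterpart, so the two deployments authenticate REST callers against different managers.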
@@ -61,6 +97,8 @@
 	
     <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
     
+    <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
+    
     <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
         <property name="contextName" value="bob"/>
         <property name="serviceName" value="bob@service.ws.apache.org"/>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index 847b07a..ab0eada 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -23,11 +23,12 @@
     xmlns:context="http://www.springframework.org/schema/context"
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/security
-        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+        http://www.springframework.org/schema/security/spring-security-3.1.xsd
+        ">
 
     <context:property-placeholder location="classpath:realm.properties"/>
     
@@ -35,14 +36,45 @@
     <!-- <security:debug /> -->
 
     <!-- Configure Spring Security -->
-    <security:http pattern="/federation/**" auto-config="false" use-expressions="true">
+    
+    <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
+    <!-- The user has no role during the login phase of WS-Federation -->
+    <security:global-method-security pre-post-annotations="enabled"/>
+
+    <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+        <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
+        <security:http-basic />
+    </security:http>
+
+    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
+    
+    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"
/>
+    
+    <security:authentication-manager id="restAuthenticationManager">
+        <security:authentication-provider>
+          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
+          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+          <!--  
+          <security:password-encoder hash="sha-256" base64="true">
+            <security:salt-source user-property="username"/>
+          </security:password-encoder>
+          -->
+          <security:user-service properties="classpath:/users.properties" />
+        </security:authentication-provider>
+        <security:authentication-provider ref="stsAuthProvider" />
+    </security:authentication-manager>
+
+    <security:http use-expressions="true">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
access="isAnonymous() or isAuthenticated()" />
 
         <!-- MUST be http-basic thus systests run fine -->
-        <security:http-basic />
         <!--<security:form-login />-->
+        <security:http-basic />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
     </security:http>
 
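Review bot: The new `<security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />` sets no `logout-url`, so the handler answers at Spring Security's default `/j_spring_security_logout` on the catch-all chain that no longer carries the `/federation/**` pattern; set it explicitly (e.g. `logout-url="/federation/logout"`, a constructed name — pick the one the IdP documents) so the path is deliberate and parallels the `login-page="/federation/login"` used in the Kerberos variant. The `restAuthenticationManager` still has every `password-encoder` commented out, so `users.properties` credentials are compared in clear; that was carried over from restContext.xml rather than introduced here, but relocating it is the moment to either enable one of the `bCryptPasswordEncoder`/`defaultPasswordEncoder` beans declared just above (both are currently unreferenced) or delete them. The `stsAuthProvider` this manager references is defined further down the file, outside the hunk.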
     <security:authentication-manager>
@@ -50,6 +82,8 @@
     </security:authentication-manager>
 	
     <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+    
+    <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
 	
     <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
         <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/test/resources/idp-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/test/resources/idp-config.xml b/services/idp/src/test/resources/idp-config.xml
index 6c8fdb5..ce3f60b 100644
--- a/services/idp/src/test/resources/idp-config.xml
+++ b/services/idp/src/test/resources/idp-config.xml
@@ -18,29 +18,18 @@
   under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:cxf="http://cxf.apache.org/core"
-    xmlns:jaxws="http://cxf.apache.org/jaxws"
-    xmlns:test="http://apache.org/hello_world_soap_http"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xmlns:http="http://cxf.apache.org/transports/http/configuration"
-    xmlns:sec="http://cxf.apache.org/configuration/security"
-    xmlns:context="http://www.springframework.org/schema/context"
-    xsi:schemaLocation="
-        http://cxf.apache.org/core
-        http://cxf.apache.org/schemas/core.xsd
-        http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:http="http://cxf.apache.org/transports/http/configuration"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
-        http://cxf.apache.org/jaxws
-        http://cxf.apache.org/schemas/jaxws.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd
+        http://www.springframework.org/schema/util/spring-util-3.1.xsd
         http://cxf.apache.org/transports/http/configuration
-        http://cxf.apache.org/schemas/configuration/http-conf.xsd
-        http://cxf.apache.org/configuration/security
-        http://cxf.apache.org/schemas/configuration/security.xsd">
+        http://cxf.apache.org/schemas/configuration/http-conf.xsd">
 
     <context:property-placeholder location="classpath:realm.properties" />
 

