cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [1/2] cxf-fediz git commit: Moving client certificate tests into AbstractTests so to test other plugins
Date Thu, 23 Apr 2015 15:31:37 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master bd0fc123e -> 9995c7b26


Moving client certificate tests into AbstractTests so to test other plugins


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4ea42640
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4ea42640
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4ea42640

Branch: refs/heads/master
Commit: 4ea42640550739da4410b4b41a6b3308ea5d0a24
Parents: bd0fc12
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Apr 23 16:08:06 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Apr 23 16:08:06 2015 +0100

----------------------------------------------------------------------
 .../sts/src/main/webapp/WEB-INF/passwords.xml   |   1 +
 .../sts/src/main/webapp/WEB-INF/userClaims.xml  |   1 +
 systests/clientcert/pom.xml                     | 288 -----------------
 .../integrationtests/ClientCertificateTest.java | 313 -------------------
 .../integrationtests/HOKCallbackHandler.java    |  48 ---
 .../clientcert/src/test/resources/alice.cer     | Bin 808 -> 0 bytes
 .../src/test/resources/alice_client.jks         | Bin 1277 -> 0 bytes
 .../src/test/resources/fediz_config.xml         |  45 ---
 .../clientcert/src/test/resources/server.jks    | Bin 2701 -> 0 bytes
 .../src/test/resources/sts/passwords.xml        |  42 ---
 .../src/test/resources/sts/ststrust.jks         | Bin 4079 -> 0 bytes
 .../src/test/resources/sts/userClaims.xml       | 139 --------
 .../clientcert/src/test/resources/ststrust.jks  | Bin 2561 -> 0 bytes
 .../AbstractClientCertTests.java                | 176 +++++++++++
 systests/tomcat7/pom.xml                        |  26 ++
 .../integrationtests/ClientCertificateTest.java | 179 +++++++++++
 systests/tomcat7/src/test/resources/alice.cer   | Bin 0 -> 808 bytes
 .../tomcat7/src/test/resources/alice_client.jks | Bin 0 -> 1277 bytes
 .../test/resources/fediz_config_client_cert.xml |  45 +++
 systests/tomcat7/src/test/resources/server.jks  | Bin 1863 -> 2701 bytes
 .../tomcat7/src/test/resources/sts/ststrust.jks | Bin 0 -> 4079 bytes
 21 files changed, 428 insertions(+), 875 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/services/sts/src/main/webapp/WEB-INF/passwords.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/passwords.xml b/services/sts/src/main/webapp/WEB-INF/passwords.xml
index b28a217..3ad9e7c 100644
--- a/services/sts/src/main/webapp/WEB-INF/passwords.xml
+++ b/services/sts/src/main/webapp/WEB-INF/passwords.xml
@@ -30,6 +30,7 @@
         <entry key="alice" value="ecila" />
         <entry key="bob" value="bob" />
         <entry key="ted" value="det" />
+        <entry key="idp-user" value="idp-pass" />
     </util:map>
 
     <util:map id="REALMB">

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/services/sts/src/main/webapp/WEB-INF/userClaims.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/userClaims.xml b/services/sts/src/main/webapp/WEB-INF/userClaims.xml
index 38f60ea..1a2b12f 100644
--- a/services/sts/src/main/webapp/WEB-INF/userClaims.xml
+++ b/services/sts/src/main/webapp/WEB-INF/userClaims.xml
@@ -28,6 +28,7 @@
 
     <util:map id="userClaimsREALMA">
         <entry key="alice" value-ref="REALMA_aliceClaims" />
+        <entry key="CN=alice,OU=Unknown,O=Apache,L=Dublin,ST=Unknown,C=IE" value-ref="REALMA_aliceClaims" />
         <entry key="bob" value-ref="REALMA_bobClaims" />
         <entry key="ted" value-ref="REALMA_tedClaims" />
     </util:map>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/pom.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/pom.xml b/systests/clientcert/pom.xml
deleted file mode 100644
index 8434e48..0000000
--- a/systests/clientcert/pom.xml
+++ /dev/null
@@ -1,288 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <parent>
-        <groupId>org.apache.cxf.fediz</groupId>
-        <artifactId>fediz-systests</artifactId>
-        <version>1.2.0-SNAPSHOT</version>
-        <relativePath>../pom.xml</relativePath>
-    </parent>
-    <groupId>org.apache.cxf.fediz.systests</groupId>
-    <artifactId>fediz-systests-clientcert</artifactId>
-    <name>Apache Fediz Client Certificate Systests using Tomcat 7</name>
-    <packaging>jar</packaging>
-    <properties>
-        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    </properties>
-    <dependencies>
-        <dependency>
-            <groupId>org.apache.tomcat.embed</groupId>
-            <artifactId>tomcat-embed-core</artifactId>
-            <version>${tomcat.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.tomcat.embed</groupId>
-            <artifactId>tomcat-embed-logging-juli</artifactId>
-            <version>${tomcat.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.jdt.core.compiler</groupId>
-            <artifactId>ecj</artifactId>
-            <version>3.7.1</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.tomcat.embed</groupId>
-            <artifactId>tomcat-embed-jasper</artifactId>
-            <version>${tomcat.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>${junit.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.cxf.fediz</groupId>
-            <artifactId>fediz-tomcat7</artifactId>
-            <version>${project.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.cxf.fediz.systests</groupId>
-            <artifactId>fediz-systests-tests</artifactId>
-            <version>${project.version}</version>
-            <type>test-jar</type>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-api</artifactId>
-            <version>${slf4j.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-jdk14</artifactId>
-            <version>${slf4j.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>hsqldb</groupId>
-            <artifactId>hsqldb</artifactId>
-            <version>${hsqldb.version}</version>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-    <build>
-        <testResources>
-            <testResource>
-                <directory>src/test/resources</directory>
-                <filtering>true</filtering>
-                <includes>
-                    <include>**/fediz_config*.xml</include>
-                </includes>
-            </testResource>
-            <testResource>
-                <directory>src/test/resources</directory>
-                <filtering>false</filtering>
-                <excludes>
-                    <exclude>**/fediz_config*.xml</exclude>
-                </excludes>
-            </testResource>
-        </testResources>
-        <plugins>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>build-helper-maven-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <id>reserve-network-port</id>
-                        <goals>
-                            <goal>reserve-network-port</goal>
-                        </goals>
-                        <phase>initialize</phase>
-                        <configuration>
-                            <portNames>
-                                <portName>idp.https.port</portName>
-                                <portName>rp.https.port</portName>
-                            </portNames>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-dependency-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <id>copy-idp-sts</id>
-                        <phase>generate-resources</phase>
-                        <goals>
-                            <goal>unpack</goal>
-                        </goals>
-                        <configuration>
-                            <artifactItems>
-                                <artifactItem>
-                                    <groupId>org.apache.cxf.fediz</groupId>
-                                    <artifactId>fediz-idp</artifactId>
-                                    <version>${project.version}</version>
-                                    <type>war</type>
-                                    <overWrite>true</overWrite>
-                                    <outputDirectory>target/tomcat/idp/webapps/fediz-idp</outputDirectory>
-                                </artifactItem>
-                                <artifactItem>
-                                    <groupId>org.apache.cxf.fediz</groupId>
-                                    <artifactId>fediz-idp-sts</artifactId>
-                                    <version>${project.version}</version>
-                                    <type>war</type>
-                                    <overWrite>true</overWrite>
-                                    <outputDirectory>target/tomcat/idp/webapps/fediz-idp-sts</outputDirectory>
-                                </artifactItem>
-                                <artifactItem>
-                                    <groupId>org.apache.cxf.fediz.systests.webapps</groupId>
-                                    <artifactId>fediz-systests-webapps-simple</artifactId>
-                                    <version>${project.version}</version>
-                                    <type>war</type>
-                                    <overWrite>true</overWrite>
-                                    <outputDirectory>target/tomcat/rp/webapps/simpleWebapp</outputDirectory>
-                                </artifactItem>
-                            </artifactItems>
-                            <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
-                            <overWriteSnapshots>true</overWriteSnapshots>
-                            <overWriteIfNewer>true</overWriteIfNewer>
-                            <stripVersion>true</stripVersion>
-                        </configuration>
-                    </execution>
-                    <execution>
-                        <id>copy-xalan-to-idp</id>
-                        <phase>generate-resources</phase>
-                        <goals>
-                            <goal>copy</goal>
-                        </goals>
-                        <configuration>
-                            <artifactItems>
-                                <artifactItem>
-                                    <groupId>xalan</groupId>
-                                    <artifactId>xalan</artifactId>
-                                    <version>${xalan.version}</version>
-                                    <outputDirectory>target/tomcat/idp/webapps/fediz-idp/WEB-INF/lib</outputDirectory>
-                                </artifactItem>
-                            </artifactItems>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <artifactId>maven-resources-plugin</artifactId>
-                <version>2.7</version>
-                <executions>
-                    <execution>
-                        <id>copy-entities-to-sts</id>
-                        <phase>generate-test-sources</phase>
-                        <goals>
-                            <goal>copy-resources</goal>
-                        </goals>
-                        <configuration>
-                            <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF</outputDirectory>
-                            <resources>          
-                                <resource>
-                                    <directory>${basedir}/src/test/resources/sts</directory>
-                                    <includes>
-                                        <include>passwords.xml</include>
-                                        <include>userClaims.xml</include>
-                                    </includes>
-                                    <filtering>true</filtering>
-                                </resource>
-                            </resources>              
-                        </configuration>            
-                    </execution>
-                    <execution>
-                        <id>copy-entities-to-sts2</id>
-                        <phase>generate-test-sources</phase>
-                        <goals>
-                            <goal>copy-resources</goal>
-                        </goals>
-                        <configuration>
-                            <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF/classes</outputDirectory>
-                            <overwrite>true</overwrite>
-                            <resources>
-                                <resource>
-                                    <directory>${basedir}/src/test/resources/sts</directory>
-                                    <includes>
-                                        <include>ststrust.jks</include>
-                                    </includes>
-                                </resource>
-                            </resources>              
-                        </configuration>            
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <artifactId>maven-failsafe-plugin</artifactId>
-                <inherited>true</inherited>
-                <executions>
-                    <execution>
-                        <id>integration-test</id>
-                        <phase>integration-test</phase>
-                        <goals>
-                            <goal>integration-test</goal>
-                        </goals>
-                        <configuration>
-                            <skip>false</skip>
-                            <systemPropertyVariables>
-                                <wt.headless>true</wt.headless>
-                                <idp.https.port>${idp.https.port}</idp.https.port>
-                                <rp.https.port>${rp.https.port}</rp.https.port>
-                            </systemPropertyVariables>
-                            <includes>
-                                <include>**/integrationtests/**</include>
-                            </includes>
-                            <argLine>-Xms512m -Xmx1024m
-                                -XX:MaxPermSize=256m</argLine>
-                        </configuration>
-                    </execution>
-                    <execution>
-                        <id>verify</id>
-                        <phase>verify</phase>
-                        <goals>
-                            <goal>verify</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <inherited>true</inherited>
-                <configuration>
-                    <excludes>
-                        <exclude>**/integrationtests/**</exclude>
-                    </excludes>
-                </configuration>
-            </plugin>
-        </plugins>
-    </build>
-</project>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
deleted file mode 100644
index 208153a..0000000
--- a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
+++ /dev/null
@@ -1,313 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-import java.io.File;
-import java.net.URL;
-import java.util.ArrayList;
-
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.HttpMethod;
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.WebRequest;
-import com.gargoylesoftware.htmlunit.html.DomElement;
-import com.gargoylesoftware.htmlunit.html.DomNodeList;
-import com.gargoylesoftware.htmlunit.html.HtmlForm;
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-import com.gargoylesoftware.htmlunit.util.NameValuePair;
-
-import org.apache.catalina.Context;
-import org.apache.catalina.LifecycleState;
-import org.apache.catalina.connector.Connector;
-import org.apache.catalina.startup.Tomcat;
-import org.apache.cxf.fediz.core.ClaimTypes;
-import org.apache.cxf.fediz.tomcat.FederationAuthenticator;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-
-/**
- * In this test-case, the IdP is set up to require client authentication, rather than authenticating using a
- * username + password, or via Kerberos.
- */
-public class ClientCertificateTest {
-
-    static String idpHttpsPort;
-    static String rpHttpsPort;
-    
-    private static Tomcat idpServer;
-    private static Tomcat rpServer;
-    
-    @BeforeClass
-    public static void init() {
-        System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
-        System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
-        System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");  
-        
-        idpHttpsPort = System.getProperty("idp.https.port");
-        Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
-        rpHttpsPort = System.getProperty("rp.https.port");
-        Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
-
-        initIdp();
-        initRp();
-    }
-    
-    private static void initIdp() {
-        try {
-            idpServer = new Tomcat();
-            idpServer.setPort(0);
-            String currentDir = new File(".").getCanonicalPath();
-            idpServer.setBaseDir(currentDir + File.separator + "target");
-            
-            idpServer.getHost().setAppBase("tomcat/idp/webapps");
-            idpServer.getHost().setAutoDeploy(true);
-            idpServer.getHost().setDeployOnStartup(true);
-            
-            Connector httpsConnector = new Connector();
-            httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
-            httpsConnector.setSecure(true);
-            httpsConnector.setScheme("https");
-            //httpsConnector.setAttribute("keyAlias", keyAlias);
-            httpsConnector.setAttribute("keystorePass", "tompass");
-            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("truststorePass", "tompass");
-            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("clientAuth", "true");
-            httpsConnector.setAttribute("sslProtocol", "TLS");
-            httpsConnector.setAttribute("SSLEnabled", true);
-
-            idpServer.getService().addConnector(httpsConnector);
-            
-            idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
-            idpServer.addWebapp("/fediz-idp", "fediz-idp");
-            
-            idpServer.start();
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-    
-    private static void initRp() {
-        try {
-            rpServer = new Tomcat();
-            rpServer.setPort(0);
-            String currentDir = new File(".").getCanonicalPath();
-            rpServer.setBaseDir(currentDir + File.separator + "target");
-            
-            rpServer.getHost().setAppBase("tomcat/rp/webapps");
-            rpServer.getHost().setAutoDeploy(true);
-            rpServer.getHost().setDeployOnStartup(true);
-            
-            Connector httpsConnector = new Connector();
-            httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
-            httpsConnector.setSecure(true);
-            httpsConnector.setScheme("https");
-            //httpsConnector.setAttribute("keyAlias", keyAlias);
-            httpsConnector.setAttribute("keystorePass", "tompass");
-            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("truststorePass", "tompass");
-            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("clientAuth", "true");
-            httpsConnector.setAttribute("sslProtocol", "TLS");
-            httpsConnector.setAttribute("SSLEnabled", true);
-
-            rpServer.getService().addConnector(httpsConnector);
-            
-            //Context ctx =
-            Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
-            FederationAuthenticator fa = new FederationAuthenticator();
-            fa.setConfigFile(currentDir + File.separator + "target" + File.separator
-                             + "test-classes" + File.separator + "fediz_config.xml");
-            cxt.getPipeline().addValve(fa);
-            
-            
-            rpServer.start();
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-    
-    @AfterClass
-    public static void cleanup() {
-        try {
-            if (idpServer.getServer() != null
-                && idpServer.getServer().getState() != LifecycleState.DESTROYED) {
-                if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
-                    idpServer.stop();
-                }
-                idpServer.destroy();
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-
-        try {
-            if (rpServer.getServer() != null
-                && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
-                if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
-                    rpServer.stop();
-                }
-                rpServer.destroy();
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-
-    public String getIdpHttpsPort() {
-        return idpHttpsPort;
-    }
-
-    public String getRpHttpsPort() {
-        return rpHttpsPort;
-    }
-    
-    public String getServletContextName() {
-        return "fedizhelloworld";
-    }
-    
-    @org.junit.Test
-    public void testClientAuthentication() throws Exception {
-        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
-        
-        final WebClient webClient = new WebClient();
-        webClient.getOptions().setUseInsecureSSL(true);
-        webClient.getOptions().setSSLClientCertificate(
-            this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks");
-
-        webClient.getOptions().setJavaScriptEnabled(false);
-        final HtmlPage idpPage = webClient.getPage(url);
-        webClient.getOptions().setJavaScriptEnabled(true);
-        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
-        final HtmlForm form = idpPage.getFormByName("signinresponseform");
-        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-        
-        // Test the Subject Confirmation method here
-        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
-        String wresult = null;
-        for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
-                wresult = result.getAttributeNS(null, "value");
-                break;
-            }
-        }
-        Assert.assertTrue(wresult != null 
-            && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
-
-        final HtmlPage rpPage = button.click();
-        Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
-
-        final String bodyTextContent = rpPage.getBody().getTextContent();
-        String user = "alice";
-        Assert.assertTrue("Principal not " + user,
-                          bodyTextContent.contains("userPrincipal=" + user));
-        Assert.assertTrue("User " + user + " does not have role Admin",
-                          bodyTextContent.contains("role:Admin=false"));
-        Assert.assertTrue("User " + user + " does not have role Manager",
-                          bodyTextContent.contains("role:Manager=false"));
-        Assert.assertTrue("User " + user + " must have role User",
-                          bodyTextContent.contains("role:User=true"));
-        
-        String claim = ClaimTypes.FIRSTNAME.toString();
-        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
-                          bodyTextContent.contains(claim + "=Alice"));
-        claim = ClaimTypes.LASTNAME.toString();
-        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
-                          bodyTextContent.contains(claim + "=Smith"));
-        claim = ClaimTypes.EMAILADDRESS.toString();
-        Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
-                          bodyTextContent.contains(claim + "=alice@realma.org"));
-    }
-    
-    @org.junit.Test
-    public void testDifferentClientCertificate() throws Exception {
-        // Get the initial wresult from the IdP
-        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
-        
-        CookieManager cookieManager = new CookieManager();
-        final WebClient webClient = new WebClient();
-        webClient.setCookieManager(cookieManager);
-        webClient.getOptions().setUseInsecureSSL(true);
-        webClient.getOptions().setSSLClientCertificate(
-            this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks");
-
-        webClient.getOptions().setJavaScriptEnabled(false);
-        final HtmlPage idpPage = webClient.getPage(url);
-        webClient.getOptions().setJavaScriptEnabled(true);
-        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
-        // Test the Subject Confirmation method here
-        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
-        String wresult = null;
-        String wa = "wsignin1.0";
-        String wctx = null;
-        String wtrealm = null;
-        for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
-                wresult = result.getAttributeNS(null, "value");
-            } else if ("wctx".equals(result.getAttributeNS(null, "name"))) {
-                wctx = result.getAttributeNS(null, "value");
-            } else if ("wtrealm".equals(result.getAttributeNS(null, "name"))) {
-                wtrealm = result.getAttributeNS(null, "value");
-            }
-        }
-        Assert.assertTrue(wctx != null && wtrealm != null);
-        Assert.assertTrue(wresult != null 
-            && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
-        
-        // Now invoke on the RP using the saved parameters above, but a different client cert!
-        final WebClient webClient2 = new WebClient();
-        webClient2.setCookieManager(cookieManager);
-        webClient2.getOptions().setUseInsecureSSL(true);
-        webClient2.getOptions().setSSLClientCertificate(
-            this.getClass().getClassLoader().getResource("server.jks"), "tompass", "jks");
-        
-        WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
-
-        request.setRequestParameters(new ArrayList<NameValuePair>());
-        request.getRequestParameters().add(new NameValuePair("wctx", wctx));
-        request.getRequestParameters().add(new NameValuePair("wa", wa));
-        request.getRequestParameters().add(new NameValuePair("wtrealm", wtrealm));
-        request.getRequestParameters().add(new NameValuePair("wresult", wresult));
-
-        try {
-            webClient2.getPage(request);
-            Assert.fail("Exception expected");
-        } catch (FailingHttpStatusCodeException ex) {
-            // expected
-            Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
-                              || ex.getMessage().contains("401 Authentication Failed")
-                              || ex.getMessage().contains("403 Forbidden"));
-        }
-
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
deleted file mode 100644
index e2f402c..0000000
--- a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-import java.io.IOException;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-
-import org.apache.cxf.fediz.core.spi.WReqCallback;
-
-public class HOKCallbackHandler implements CallbackHandler {
-
-    static final String HOK_WREQ = 
-        "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
-        + "<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</KeyType>"
-        + "</RequestSecurityToken>";
-    
-    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
-        for (int i = 0; i < callbacks.length; i++) {
-            if (callbacks[i] instanceof WReqCallback) {
-                WReqCallback callback = (WReqCallback) callbacks[i];
-                callback.setWreq(HOK_WREQ);
-            } else {
-                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
-            }
-        }
-    }
-
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/alice.cer
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/alice.cer b/systests/clientcert/src/test/resources/alice.cer
deleted file mode 100644
index 82ab5db..0000000
Binary files a/systests/clientcert/src/test/resources/alice.cer and /dev/null differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/alice_client.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/alice_client.jks b/systests/clientcert/src/test/resources/alice_client.jks
deleted file mode 100644
index 5e1bdd2..0000000
Binary files a/systests/clientcert/src/test/resources/alice_client.jks and /dev/null differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/fediz_config.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/fediz_config.xml b/systests/clientcert/src/test/resources/fediz_config.xml
deleted file mode 100644
index 8399dfc..0000000
--- a/systests/clientcert/src/test/resources/fediz_config.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file. 
-     Keystore referenced below must have IDP STS' public cert included in it.  This example re-uses the Tomcat SSL 
-     keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead. 
--->
-<FedizConfig>
-    <contextConfig name="/fedizhelloworld">
-        <audienceUris>
-            <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
-        </audienceUris>
-        <certificateStores>
-            <trustManager>
-                <keyStore file="test-classes/ststrust.jks"
-                          password="storepass" type="JKS" />
-            </trustManager>
-        </certificateStores>
-        <trustedIssuers>
-            <issuer certificateValidation="PeerTrust" />
-        </trustedIssuers>
-        <maximumClockSkew>1000</maximumClockSkew>
-        <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
-            <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
-        </signingKey>
-        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-            xsi:type="federationProtocolType" version="1.0.0">
-            <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
-            <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
-            <roleDelimiter>,</roleDelimiter>
-            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
-            <freshness>10</freshness>
-            <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
-            <claimTypesRequested>
-                <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
-				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
-				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
-				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
-            </claimTypesRequested>
-            <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType>
-            <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request>
-        </protocol>
-        <logoutURL>/secure/logout</logoutURL>
-        <logoutRedirectTo>/index.html</logoutRedirectTo>
-    </contextConfig>
-</FedizConfig>
-

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/server.jks b/systests/clientcert/src/test/resources/server.jks
deleted file mode 100644
index a292ec9..0000000
Binary files a/systests/clientcert/src/test/resources/server.jks and /dev/null differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/sts/passwords.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/sts/passwords.xml b/systests/clientcert/src/test/resources/sts/passwords.xml
deleted file mode 100644
index 3ad9e7c..0000000
--- a/systests/clientcert/src/test/resources/sts/passwords.xml
+++ /dev/null
@@ -1,42 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-        http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd">
-
-    <util:map id="REALMA">
-        <entry key="alice" value="ecila" />
-        <entry key="bob" value="bob" />
-        <entry key="ted" value="det" />
-        <entry key="idp-user" value="idp-pass" />
-    </util:map>
-
-    <util:map id="REALMB">
-        <entry key="ALICE" value="ECILA" />
-        <entry key="BOB" value="BOB" />
-        <entry key="TED" value="DET" />
-    </util:map>
-
-</beans>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/sts/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/sts/ststrust.jks b/systests/clientcert/src/test/resources/sts/ststrust.jks
deleted file mode 100644
index c4d1c1e..0000000
Binary files a/systests/clientcert/src/test/resources/sts/ststrust.jks and /dev/null differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/sts/userClaims.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/sts/userClaims.xml b/systests/clientcert/src/test/resources/sts/userClaims.xml
deleted file mode 100644
index 1a2b12f..0000000
--- a/systests/clientcert/src/test/resources/sts/userClaims.xml
+++ /dev/null
@@ -1,139 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-        http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd">
-
-    <util:map id="userClaimsREALMA">
-        <entry key="alice" value-ref="REALMA_aliceClaims" />
-        <entry key="CN=alice,OU=Unknown,O=Apache,L=Dublin,ST=Unknown,C=IE" value-ref="REALMA_aliceClaims" />
-        <entry key="bob" value-ref="REALMA_bobClaims" />
-        <entry key="ted" value-ref="REALMA_tedClaims" />
-    </util:map>
-
-    <util:map id="REALMA_aliceClaims">
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
-            value="Alice" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
-            value="Smith" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-            value="alice@realma.org" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="User" />
-    </util:map>
-
-    <util:map id="REALMA_bobClaims">
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
-            value="Bob" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
-            value="Windsor" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-            value="bobwindsor@realma.org" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="User,Manager,Admin" />
-    </util:map>
-
-    <util:map id="REALMA_tedClaims">
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
-            value="Ted" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
-            value="Cooper" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-            value="tcooper@realma.org" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="" />
-    </util:map>
-
-    <util:map id="userClaimsREALMB">
-        <entry key="ALICE" value-ref="REALMB_aliceClaims" />
-        <entry key="BOB" value-ref="REALMB_bobClaims" />
-        <entry key="TED" value-ref="REALMB_tedClaims" />
-    </util:map>
-
-    <util:map id="REALMB_aliceClaims">
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
-            value="Alice" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
-            value="Smith" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-            value="alice@realmb.org" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="USER" />
-    </util:map>
-
-    <util:map id="REALMB_bobClaims">
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
-            value="Bob" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
-            value="Windsor" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-            value="bobwindsor@realmb.org" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="USER,MANAGER,ADMIN" />
-    </util:map>
-
-    <util:map id="REALMB_tedClaims">
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
-            value="Ted" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
-            value="Cooper" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-            value="tcooper@realmb.org" />
-        <entry
-            key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="" />
-    </util:map>
-
-    <util:list id="supportedClaims">
-        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</value>
-        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</value>
-        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</value>
-        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value>
-    </util:list>
-
-</beans>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/clientcert/src/test/resources/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/ststrust.jks b/systests/clientcert/src/test/resources/ststrust.jks
deleted file mode 100644
index 911945c..0000000
Binary files a/systests/clientcert/src/test/resources/ststrust.jks and /dev/null differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java
new file mode 100644
index 0000000..1a5fe6c
--- /dev/null
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractClientCertTests.java
@@ -0,0 +1,176 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+import java.net.URL;
+import java.util.ArrayList;
+
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.HttpMethod;
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebRequest;
+import com.gargoylesoftware.htmlunit.html.DomElement;
+import com.gargoylesoftware.htmlunit.html.DomNodeList;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+import com.gargoylesoftware.htmlunit.util.NameValuePair;
+
+import org.apache.cxf.fediz.core.ClaimTypes;
+import org.apache.wss4j.dom.WSSConfig;
+import org.junit.Assert;
+
+public abstract class AbstractClientCertTests {
+    
+    static {
+        WSSConfig.init();
+    }
+
+    public AbstractClientCertTests() {
+        super();
+    }
+
+    public abstract String getServletContextName();
+    
+    public abstract String getIdpHttpsPort();
+
+    public abstract String getRpHttpsPort();
+
+    @org.junit.Test
+    public void testClientAuthentication() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+        
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getOptions().setSSLClientCertificate(
+            this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks");
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        final HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+        
+        // Test the Subject Confirmation method here
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+        String wresult = null;
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                wresult = result.getAttributeNS(null, "value");
+                break;
+            }
+        }
+        Assert.assertTrue(wresult != null 
+            && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
+
+        final HtmlPage rpPage = button.click();
+        Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
+
+        final String bodyTextContent = rpPage.getBody().getTextContent();
+        String user = "alice";
+        Assert.assertTrue("Principal not " + user,
+                          bodyTextContent.contains("userPrincipal=" + user));
+        Assert.assertTrue("User " + user + " does not have role Admin",
+                          bodyTextContent.contains("role:Admin=false"));
+        Assert.assertTrue("User " + user + " does not have role Manager",
+                          bodyTextContent.contains("role:Manager=false"));
+        Assert.assertTrue("User " + user + " must have role User",
+                          bodyTextContent.contains("role:User=true"));
+        
+        String claim = ClaimTypes.FIRSTNAME.toString();
+        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
+                          bodyTextContent.contains(claim + "=Alice"));
+        claim = ClaimTypes.LASTNAME.toString();
+        Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
+                          bodyTextContent.contains(claim + "=Smith"));
+        claim = ClaimTypes.EMAILADDRESS.toString();
+        Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
+                          bodyTextContent.contains(claim + "=alice@realma.org"));
+    }
+    
+    @org.junit.Test
+    public void testDifferentClientCertificate() throws Exception {
+        // Get the initial wresult from the IdP
+        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+        
+        CookieManager cookieManager = new CookieManager();
+        final WebClient webClient = new WebClient();
+        webClient.setCookieManager(cookieManager);
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getOptions().setSSLClientCertificate(
+            this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks");
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        final HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Test the Subject Confirmation method here
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+        String wresult = null;
+        String wa = "wsignin1.0";
+        String wctx = null;
+        String wtrealm = null;
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                wresult = result.getAttributeNS(null, "value");
+            } else if ("wctx".equals(result.getAttributeNS(null, "name"))) {
+                wctx = result.getAttributeNS(null, "value");
+            } else if ("wtrealm".equals(result.getAttributeNS(null, "name"))) {
+                wtrealm = result.getAttributeNS(null, "value");
+            }
+        }
+        Assert.assertTrue(wctx != null && wtrealm != null);
+        Assert.assertTrue(wresult != null 
+            && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));
+        
+        // Now invoke on the RP using the saved parameters above, but a different client cert!
+        final WebClient webClient2 = new WebClient();
+        webClient2.setCookieManager(cookieManager);
+        webClient2.getOptions().setUseInsecureSSL(true);
+        webClient2.getOptions().setSSLClientCertificate(
+            this.getClass().getClassLoader().getResource("server.jks"), "tompass", "jks");
+        
+        WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
+
+        request.setRequestParameters(new ArrayList<NameValuePair>());
+        request.getRequestParameters().add(new NameValuePair("wctx", wctx));
+        request.getRequestParameters().add(new NameValuePair("wa", wa));
+        request.getRequestParameters().add(new NameValuePair("wtrealm", wtrealm));
+        request.getRequestParameters().add(new NameValuePair("wresult", wresult));
+
+        try {
+            webClient2.getPage(request);
+            Assert.fail("Exception expected");
+        } catch (FailingHttpStatusCodeException ex) {
+            // expected
+            Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
+                              || ex.getMessage().contains("401 Authentication Failed")
+                              || ex.getMessage().contains("403 Forbidden"));
+        }
+
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/pom.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat7/pom.xml b/systests/tomcat7/pom.xml
index d214223..c2d8dea 100644
--- a/systests/tomcat7/pom.xml
+++ b/systests/tomcat7/pom.xml
@@ -195,6 +195,32 @@
                     </execution>
                 </executions>
             </plugin>
+            <!--  Needed for ClientCertificateTests -->
+            <plugin>
+                <artifactId>maven-resources-plugin</artifactId>
+                <version>2.7</version>
+                <executions>
+                    <execution>
+                        <id>copy-entities-to-sts2</id>
+                        <phase>generate-test-sources</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF/classes</outputDirectory>
+                            <overwrite>true</overwrite>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/src/test/resources/sts</directory>
+                                    <includes>
+                                        <include>ststrust.jks</include>
+                                    </includes>
+                                </resource>
+                            </resources>              
+                        </configuration>            
+                    </execution>
+                </executions>
+            </plugin>
             <plugin>
                 <artifactId>maven-failsafe-plugin</artifactId>
                 <inherited>true</inherited>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
new file mode 100644
index 0000000..078e032
--- /dev/null
+++ b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java
@@ -0,0 +1,179 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+import java.io.File;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.LifecycleState;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.cxf.fediz.tomcat.FederationAuthenticator;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * In this test-case, the IdP is set up to require client authentication, rather than authenticating using a
+ * username + password, or via Kerberos.
+ */
+public class ClientCertificateTest extends AbstractClientCertTests {
+
+    static String idpHttpsPort;
+    static String rpHttpsPort;
+    
+    private static Tomcat idpServer;
+    private static Tomcat rpServer;
+    
+    @BeforeClass
+    public static void init() {
+        System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
+        System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
+        System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
+        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");  
+        
+        idpHttpsPort = System.getProperty("idp.https.port");
+        Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+        rpHttpsPort = System.getProperty("rp.https.port");
+        Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+        initIdp();
+        initRp();
+    }
+    
+    private static void initIdp() {
+        try {
+            idpServer = new Tomcat();
+            idpServer.setPort(0);
+            String currentDir = new File(".").getCanonicalPath();
+            idpServer.setBaseDir(currentDir + File.separator + "target");
+            
+            idpServer.getHost().setAppBase("tomcat/idp/webapps");
+            idpServer.getHost().setAutoDeploy(true);
+            idpServer.getHost().setDeployOnStartup(true);
+            
+            Connector httpsConnector = new Connector();
+            httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
+            httpsConnector.setSecure(true);
+            httpsConnector.setScheme("https");
+            //httpsConnector.setAttribute("keyAlias", keyAlias);
+            httpsConnector.setAttribute("keystorePass", "tompass");
+            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+            httpsConnector.setAttribute("truststorePass", "tompass");
+            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+            httpsConnector.setAttribute("clientAuth", "true");
+            httpsConnector.setAttribute("sslProtocol", "TLS");
+            httpsConnector.setAttribute("SSLEnabled", true);
+
+            idpServer.getService().addConnector(httpsConnector);
+            
+            idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
+            idpServer.addWebapp("/fediz-idp", "fediz-idp");
+            
+            idpServer.start();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+    
+    private static void initRp() {
+        try {
+            rpServer = new Tomcat();
+            rpServer.setPort(0);
+            String currentDir = new File(".").getCanonicalPath();
+            rpServer.setBaseDir(currentDir + File.separator + "target");
+            
+            rpServer.getHost().setAppBase("tomcat/rp/webapps");
+            rpServer.getHost().setAutoDeploy(true);
+            rpServer.getHost().setDeployOnStartup(true);
+            
+            Connector httpsConnector = new Connector();
+            httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
+            httpsConnector.setSecure(true);
+            httpsConnector.setScheme("https");
+            //httpsConnector.setAttribute("keyAlias", keyAlias);
+            httpsConnector.setAttribute("keystorePass", "tompass");
+            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+            httpsConnector.setAttribute("truststorePass", "tompass");
+            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+            httpsConnector.setAttribute("clientAuth", "true");
+            httpsConnector.setAttribute("sslProtocol", "TLS");
+            httpsConnector.setAttribute("SSLEnabled", true);
+
+            rpServer.getService().addConnector(httpsConnector);
+            
+            //Context ctx =
+            Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
+            FederationAuthenticator fa = new FederationAuthenticator();
+            fa.setConfigFile(currentDir + File.separator + "target" + File.separator
+                             + "test-classes" + File.separator + "fediz_config_client_cert.xml");
+            cxt.getPipeline().addValve(fa);
+            
+            
+            rpServer.start();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+    
+    @AfterClass
+    public static void cleanup() {
+        try {
+            if (idpServer.getServer() != null
+                && idpServer.getServer().getState() != LifecycleState.DESTROYED) {
+                if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
+                    idpServer.stop();
+                }
+                idpServer.destroy();
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        try {
+            if (rpServer.getServer() != null
+                && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
+                if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
+                    rpServer.stop();
+                }
+                rpServer.destroy();
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    public String getIdpHttpsPort() {
+        return idpHttpsPort;
+    }
+
+    public String getRpHttpsPort() {
+        return rpHttpsPort;
+    }
+    
+    public String getServletContextName() {
+        return "fedizhelloworld";
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/alice.cer
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/alice.cer b/systests/tomcat7/src/test/resources/alice.cer
new file mode 100644
index 0000000..82ab5db
Binary files /dev/null and b/systests/tomcat7/src/test/resources/alice.cer differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/alice_client.jks
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/alice_client.jks b/systests/tomcat7/src/test/resources/alice_client.jks
new file mode 100644
index 0000000..5e1bdd2
Binary files /dev/null and b/systests/tomcat7/src/test/resources/alice_client.jks differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml b/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml
new file mode 100644
index 0000000..8399dfc
--- /dev/null
+++ b/systests/tomcat7/src/test/resources/fediz_config_client_cert.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file. 
+     Keystore referenced below must have IDP STS' public cert included in it.  This example re-uses the Tomcat SSL 
+     keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead. 
+-->
+<FedizConfig>
+    <contextConfig name="/fedizhelloworld">
+        <audienceUris>
+            <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+        </audienceUris>
+        <certificateStores>
+            <trustManager>
+                <keyStore file="test-classes/ststrust.jks"
+                          password="storepass" type="JKS" />
+            </trustManager>
+        </certificateStores>
+        <trustedIssuers>
+            <issuer certificateValidation="PeerTrust" />
+        </trustedIssuers>
+        <maximumClockSkew>1000</maximumClockSkew>
+        <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
+            <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
+        </signingKey>
+        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xsi:type="federationProtocolType" version="1.0.0">
+            <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+            <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+            <roleDelimiter>,</roleDelimiter>
+            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+            <freshness>10</freshness>
+            <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+            <claimTypesRequested>
+                <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
+				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
+				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
+				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
+            </claimTypesRequested>
+            <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType>
+            <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request>
+        </protocol>
+        <logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
+    </contextConfig>
+</FedizConfig>
+

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/server.jks b/systests/tomcat7/src/test/resources/server.jks
index 2f0fdf3..a292ec9 100644
Binary files a/systests/tomcat7/src/test/resources/server.jks and b/systests/tomcat7/src/test/resources/server.jks differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4ea42640/systests/tomcat7/src/test/resources/sts/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/sts/ststrust.jks b/systests/tomcat7/src/test/resources/sts/ststrust.jks
new file mode 100644
index 0000000..c4d1c1e
Binary files /dev/null and b/systests/tomcat7/src/test/resources/sts/ststrust.jks differ


Mime
View raw message