cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: [FEDIZ-23] - Added in client cert to the security-config.xml
Date Thu, 09 Apr 2015 14:11:27 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 8fc324cb9 -> 9d7cdcde3


[FEDIZ-23] - Added in client cert to the security-config.xml


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9d7cdcde
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9d7cdcde
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9d7cdcde

Branch: refs/heads/master
Commit: 9d7cdcde31ebde94be0f5fd2bbd848a63231e1e5
Parents: 8fc324c
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Apr 9 15:11:07 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Apr 9 15:11:07 2015 +0100

----------------------------------------------------------------------
 .../idp/src/main/resources/entities-realma.xml  |   6 +
 .../idp/src/main/resources/entities-realmb.xml  |   6 +
 .../main/webapp/WEB-INF/idp-config-realma.xml   |   6 +
 .../main/webapp/WEB-INF/idp-config-realmb.xml   |   6 +
 .../idp/src/main/webapp/WEB-INF/idp-servlet.xml |   2 +
 .../src/main/webapp/WEB-INF/security-config.xml |  32 +++++
 services/idp/src/main/webapp/WEB-INF/web.xml    |   5 +
 .../idp/integrationtests/RestITTest.java        |   2 +-
 .../service/idp/service/jpa/IdpDAOJPATest.java  |   2 +-
 systests/clientcert/pom.xml                     |  20 ---
 .../integrationtests/HOKCallbackHandler.java    |  48 +++++++
 .../src/test/resources/fediz_config.xml         |   2 +
 .../src/test/resources/idp/idp-servlet.xml      | 137 -------------------
 .../src/test/resources/idp/security-config.xml  | 103 --------------
 systests/kerberos/pom.xml                       |  19 ---
 .../src/test/resources/fediz_config.xml         |   1 +
 .../src/test/resources/idp/security-config.xml  | 116 ----------------
 17 files changed, 116 insertions(+), 397 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realma.xml b/services/idp/src/main/resources/entities-realma.xml
index f8e1f5b..e28aa52 100644
--- a/services/idp/src/main/resources/entities-realma.xml
+++ b/services/idp/src/main/resources/entities-realma.xml
@@ -53,6 +53,12 @@
         <property name="authenticationURIs">
             <util:map>
                 <entry key="default" value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"

+                       value="federation/krb" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+                       value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+                       value="federation/clientcert" />
             </util:map>
         </property>
         <property name="serviceDisplayName" value="REALM A" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/resources/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml
index 3f17472..152ff52 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -52,6 +52,12 @@
         <property name="authenticationURIs">
             <util:map>
                 <entry key="default" value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"

+                       value="federation/krb" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+                       value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+                       value="federation/clientcert" />
             </util:map>
         </property>
         <property name="serviceDisplayName" value="REALM B" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
index 9d61326..0faf1fe 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
@@ -75,6 +75,12 @@
         <property name="authenticationURIs">
             <util:map>
                 <entry key="default" value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"

+                       value="federation/krb" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+                       value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+                       value="federation/clientcert" />
             </util:map>
         </property>
         <property name="trustedIDPs">

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
index 830dc78..00faa08 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
@@ -74,6 +74,12 @@
         <property name="authenticationURIs">
             <util:map>
                 <entry key="default" value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"

+                       value="federation/krb" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+                       value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+                       value="federation/clientcert" />
             </util:map>
         </property>
         <property name="serviceDisplayName" value="REALM B" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
index 691f7bb..a7bc370 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
@@ -79,6 +79,8 @@
             path="/WEB-INF/federation-validate-request.xml" id="federation/up" />
         <webflow:flow-location
             path="/WEB-INF/federation-validate-request.xml" id="federation/krb" />
+        <webflow:flow-location
+            path="/WEB-INF/federation-validate-request.xml" id="federation/clientcert" />
         <webflow:flow-location path="/WEB-INF/federation-signin-request.xml"
             id="signinRequest" />
         <webflow:flow-location path="/WEB-INF/federation-signin-response.xml"

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index c70ccfb..a3413bb 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -21,6 +21,7 @@
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:security="http://www.springframework.org/schema/security"
     xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
@@ -28,6 +29,8 @@
         http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-2.0.xsd
         ">
 
     <context:property-placeholder location="classpath:realm.properties"/>
@@ -106,10 +109,21 @@
         <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
         <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
     </security:http>
+    
+    <!-- SSL Client Cert entry point -->
+    <security:http pattern="/federation/clientcert" use-expressions="true">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
access="isAnonymous() or isAuthenticated()" />
+
+        <security:x509 />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
 
     <security:authentication-manager alias="authenticationManagers">
         <security:authentication-provider ref="stsUPAuthProvider" />
         <security:authentication-provider ref="stsKrbAuthProvider" />
+        <security:authentication-provider ref="stsClientCertAuthProvider" />
     </security:authentication-manager>
 	
     <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
@@ -147,4 +161,22 @@
         <property name="requireDelegation" value="true"/>-->
     </bean>
 
+    <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsClientCertAuthProvider" />
+    </bean>
+    
+    <util:map id="securityProperties">
+        <entry key="ws-security.username" value="idp-user" />
+        <entry key="ws-security.password" value="idp-pass" />
+    </util:map>
+    
+    <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
+        <property name="wsdlEndpoint" value="TransportUT_Port"/>
+        <property name="wsdlService" value="SecurityTokenService"/>
+        <property name="appliesTo" value="urn:fediz:idp"/>
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+        <property name="properties" ref="securityProperties"/>
+    </bean>
+    
 </beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/web.xml b/services/idp/src/main/webapp/WEB-INF/web.xml
index 21ea9ab..b22a0db 100644
--- a/services/idp/src/main/webapp/WEB-INF/web.xml
+++ b/services/idp/src/main/webapp/WEB-INF/web.xml
@@ -91,6 +91,11 @@ under the License.
     </servlet-mapping>
     
     <servlet-mapping>
+        <servlet-name>idp</servlet-name>
+        <url-pattern>/federation/clientcert</url-pattern>
+    </servlet-mapping>
+    
+    <servlet-mapping>
         <servlet-name>metadata</servlet-name>
         <url-pattern>/FederationMetadata/2007-06/FederationMetadata.xml</url-pattern>
     </servlet-mapping>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java
----------------------------------------------------------------------
diff --git a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java
b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java
index 51c3118..6931633 100644
--- a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java
+++ b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java
@@ -108,7 +108,7 @@ public class RestITTest {
         Assert.assertTrue("ProvideIDPList doesn't match", idp.isProvideIdpList());
         Assert.assertTrue("UseCurrentIDP doesn't match", idp.isUseCurrentIdp());
         Assert.assertEquals("Number of AuthenticationURIs doesn't match",
-                            1, idp.getAuthenticationURIs().size());
+                            4, idp.getAuthenticationURIs().size());
         Assert.assertEquals("Number of SupportedProtocols doesn't match",
                             2, idp.getSupportedProtocols().size());
         Assert.assertEquals("Number of TokenTypesOffered doesn't match",

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java
----------------------------------------------------------------------
diff --git a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java
b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java
index 1b2d775..a624725 100644
--- a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java
+++ b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java
@@ -92,7 +92,7 @@ public class IdpDAOJPATest {
                       "ProvideIDPList doesn't match");
         Assert.isTrue(idp.isUseCurrentIdp(),
                       "UseCurrentIDP doesn't match");
-        Assert.isTrue(1 == idp.getAuthenticationURIs().size(),
+        Assert.isTrue(4 == idp.getAuthenticationURIs().size(),
                       "Number of AuthenticationURIs doesn't match");
         Assert.isTrue(2 == idp.getSupportedProtocols().size(),
                       "Number of SupportedProtocols doesn't match");

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/pom.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/pom.xml b/systests/clientcert/pom.xml
index b526d9f..48d691d 100644
--- a/systests/clientcert/pom.xml
+++ b/systests/clientcert/pom.xml
@@ -200,26 +200,6 @@
                 <version>2.7</version>
                 <executions>
                     <execution>
-                        <id>copy-entities-to-idp</id>
-                        <phase>generate-test-sources</phase>
-                        <goals>
-                            <goal>copy-resources</goal>
-                        </goals>
-                        <configuration>
-                            <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF</outputDirectory>
-                            <resources>          
-                                <resource>
-                                    <directory>${basedir}/src/test/resources/idp</directory>
-                                    <includes>
-                                        <include>security-config.xml</include>
-                                        <include>idp-servlet.xml</include>
-                                    </includes>
-                                    <filtering>true</filtering>
-                                </resource>
-                            </resources>              
-                        </configuration>            
-                    </execution>
-                    <execution>
                         <id>copy-entities-to-sts</id>
                         <phase>generate-test-sources</phase>
                         <goals>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
new file mode 100644
index 0000000..e2f402c
--- /dev/null
+++ b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.cxf.fediz.core.spi.WReqCallback;
+
+public class HOKCallbackHandler implements CallbackHandler {
+
+    static final String HOK_WREQ = 
+        "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+        + "<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</KeyType>"
+        + "</RequestSecurityToken>";
+    
+    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+        for (int i = 0; i < callbacks.length; i++) {
+            if (callbacks[i] instanceof WReqCallback) {
+                WReqCallback callback = (WReqCallback) callbacks[i];
+                callback.setWreq(HOK_WREQ);
+            } else {
+                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+            }
+        }
+    }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/resources/fediz_config.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/fediz_config.xml b/systests/clientcert/src/test/resources/fediz_config.xml
index 1f20ab6..5add553 100644
--- a/systests/clientcert/src/test/resources/fediz_config.xml
+++ b/systests/clientcert/src/test/resources/fediz_config.xml
@@ -35,6 +35,8 @@
 				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true"
/>
 				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
optional="true" />
             </claimTypesRequested>
+            <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType>
+             <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request>
         </protocol>
         <logoutURL>/secure/logout</logoutURL>
         <logoutRedirectTo>/index.html</logoutRedirectTo>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/resources/idp/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/idp/idp-servlet.xml b/systests/clientcert/src/test/resources/idp/idp-servlet.xml
deleted file mode 100644
index c09f3e3..0000000
--- a/systests/clientcert/src/test/resources/idp/idp-servlet.xml
+++ /dev/null
@@ -1,137 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xmlns:webflow="http://www.springframework.org/schema/webflow-config"
-       xmlns:p="http://www.springframework.org/schema/p"
-       xmlns:context="http://www.springframework.org/schema/context"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-        http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.1.xsd
-        http://www.springframework.org/schema/webflow-config
-        http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
-
-    <context:property-placeholder location="classpath:realm.properties" />
-    
-    <context:component-scan base-package="org.apache.cxf.fediz.service.idp.beans" />
-
-    <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
-        p:flowRegistry-ref="flowRegistry" p:order="2">
-    </bean>
-
-    <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter"
-        p:flowExecutor-ref="flowExecutor" />
-
-    <webflow:flow-executor id="flowExecutor"
-        flow-registry="flowRegistry">
-        <webflow:flow-execution-attributes>
-            <webflow:always-redirect-on-pause
-                value="false" />
-        </webflow:flow-execution-attributes>
-
-        <webflow:flow-execution-listeners>
-            <webflow:listener ref="securityFlowExecutionListener" />
-        </webflow:flow-execution-listeners>
-    </webflow:flow-executor>
-
-    <bean id="securityFlowExecutionListener"
-        class="org.springframework.webflow.security.SecurityFlowExecutionListener">
-        <property name="accessDecisionManager" ref="accessDecisionManager" />
-    </bean>
-
-    <bean id="accessDecisionManager"
-        class="org.springframework.security.access.vote.AffirmativeBased">
-        <property name="decisionVoters">
-            <list>
-                <bean
-                    class="org.springframework.security.access.vote.RoleVoter">
-                    <property name="rolePrefix" value="ROLE_" />
-                </bean>
-                <bean
-                    class="org.springframework.security.access.vote.AuthenticatedVoter" />
-            </list>
-        </property>
-    </bean>
-
-    <webflow:flow-registry id="flowRegistry"
-        flow-builder-services="builder">
-        <webflow:flow-location
-            path="/WEB-INF/federation-validate-request.xml" id="federation" />
-        <webflow:flow-location
-            path="/WEB-INF/federation-validate-request.xml" id="federation/up" />
-        <webflow:flow-location path="/WEB-INF/federation-signin-request.xml"
-            id="signinRequest" />
-        <webflow:flow-location path="/WEB-INF/federation-signin-response.xml"
-            id="signinResponse" />
-    </webflow:flow-registry>
-
-    <webflow:flow-builder-services id="builder"
-        view-factory-creator="viewFactoryCreator" expression-parser="expressionParser" />
-
-    <bean id="expressionParser"
-        class="org.springframework.webflow.expression.WebFlowOgnlExpressionParser" />
-
-    <bean id="viewFactoryCreator"
-        class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
-        <property name="viewResolvers">
-            <list>
-                <ref local="viewResolver" />
-            </list>
-        </property>
-    </bean>
-
-    <bean id="viewResolver"
-        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
-        <property name="prefix" value="/WEB-INF/" />
-        <property name="suffix" value=".jsp" />
-    </bean>
-
-    <bean id="stsClientForRpAction"
-        class="org.apache.cxf.fediz.service.idp.beans.STSClientAction">
-        <property name="wsdlLocation"
-            value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransport?wsdl"
/>
-        <property name="wsdlEndpoint" value="Transport_Port" />
-        <property name="tokenType"
-            value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
-        <property name="keyType"
-            value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey" />
-    </bean>
-
-    <bean id="signInParamCacheAction"
-        class="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" />
-
-    <bean id="logoutAction" class="org.apache.cxf.fediz.service.idp.beans.LogoutAction"
/>
-
-    <bean id="wfreshParser" class="org.apache.cxf.fediz.service.idp.beans.WfreshParser"
/>
-
-    <bean id="cacheTokenForWauthAction"
-        class="org.apache.cxf.fediz.service.idp.beans.CacheTokenForWauthAction" />
-
-    <bean id="processHRDSExpressionAction"
-        class="org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction" />
-
-    <bean id="homeRealmReminder"
-        class="org.apache.cxf.fediz.service.idp.beans.HomeRealmReminder" />
-        
-    <bean id="trustedIdpProtocolAction"
-        class="org.apache.cxf.fediz.service.idp.beans.TrustedIdpProtocolAction" />
-
-</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/resources/idp/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/idp/security-config.xml b/systests/clientcert/src/test/resources/idp/security-config.xml
deleted file mode 100644
index 15767c8..0000000
--- a/systests/clientcert/src/test/resources/idp/security-config.xml
+++ /dev/null
@@ -1,103 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:security="http://www.springframework.org/schema/security"
-    xmlns:context="http://www.springframework.org/schema/context"
-    xmlns:util="http://www.springframework.org/schema/util"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-        http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.1.xsd
-        http://www.springframework.org/schema/security
-        http://www.springframework.org/schema/security/spring-security-3.1.xsd
-        http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd
-        ">
-
-    <context:property-placeholder location="classpath:realm.properties"/>
-    
-    <!-- DISABLE in production as it might log confidential information about the user
-->
-    <!-- <security:debug /> -->
-
-    <!-- Configure Spring Security -->
-    
-    <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
-    <!-- The user has no role during the login phase of WS-Federation -->
-    <security:global-method-security pre-post-annotations="enabled"/>
-
-    <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-        <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
-        <security:http-basic />
-    </security:http>
-
-    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
-    
-    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"
/>
-    
-    <security:authentication-manager id="restAuthenticationManager">
-        <security:authentication-provider>
-          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
-          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
-          <!--  
-          <security:password-encoder hash="sha-256" base64="true">
-            <security:salt-source user-property="username"/>
-          </security:password-encoder>
-          -->
-          <security:user-service properties="classpath:/users.properties" />
-        </security:authentication-provider>
-        <security:authentication-provider ref="stsAuthProvider" />
-    </security:authentication-manager>
-
-    <security:http use-expressions="true">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
access="isAnonymous() or isAuthenticated()" />
-
-        <security:x509 />
-        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
-    </security:http>
-
-    <security:authentication-manager>
-        <security:authentication-provider ref="stsAuthProvider" />
-    </security:authentication-manager>
-	
-    <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
-    
-    <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
-	
-	<util:map id="securityProperties">
-        <entry key="ws-security.username" value="idp-user" />
-        <entry key="ws-security.password" value="idp-pass" />
-    </util:map>
-    
-    <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
-        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportUT_Port"/>
-        <property name="wsdlService" value="SecurityTokenService"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-        <property name="properties" ref="securityProperties"/>
-    </bean>
-
-</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/kerberos/pom.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/pom.xml b/systests/kerberos/pom.xml
index 606a2dc..d7c8ce7 100644
--- a/systests/kerberos/pom.xml
+++ b/systests/kerberos/pom.xml
@@ -289,25 +289,6 @@
                 <version>2.7</version>
                 <executions>
                     <execution>
-                        <id>copy-entities-to-idp</id>
-                        <phase>generate-test-sources</phase>
-                        <goals>
-                            <goal>copy-resources</goal>
-                        </goals>
-                        <configuration>
-                            <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF</outputDirectory>
-                            <resources>          
-                                <resource>
-                                    <directory>${basedir}/src/test/resources/idp</directory>
-                                    <includes>
-                                        <include>security-config.xml</include>
-                                    </includes>
-                                    <filtering>true</filtering>
-                                </resource>
-                            </resources>              
-                        </configuration>            
-                    </execution>
-                    <execution>
                         <id>copy-entities-to-sts</id>
                         <phase>generate-test-sources</phase>
                         <goals>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/kerberos/src/test/resources/fediz_config.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/fediz_config.xml b/systests/kerberos/src/test/resources/fediz_config.xml
index 1f20ab6..244b5b7 100644
--- a/systests/kerberos/src/test/resources/fediz_config.xml
+++ b/systests/kerberos/src/test/resources/fediz_config.xml
@@ -35,6 +35,7 @@
 				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true"
/>
 				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
optional="true" />
             </claimTypesRequested>
+            <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey</authenticationType>
         </protocol>
         <logoutURL>/secure/logout</logoutURL>
         <logoutRedirectTo>/index.html</logoutRedirectTo>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/kerberos/src/test/resources/idp/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/idp/security-config.xml b/systests/kerberos/src/test/resources/idp/security-config.xml
deleted file mode 100644
index 4fe3da2..0000000
--- a/systests/kerberos/src/test/resources/idp/security-config.xml
+++ /dev/null
@@ -1,116 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xmlns:security="http://www.springframework.org/schema/security"
-    xmlns:context="http://www.springframework.org/schema/context"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-        http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.1.xsd
-        http://www.springframework.org/schema/security
-        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-
-    <context:property-placeholder location="classpath:realm.properties"/>
-    
-    <!-- DISABLE in production as it might log confidential information about the user
-->
-    <!-- <security:debug /> -->
-
-    <!-- Configure Spring Security -->
-    <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
-    <!-- The user has no role during the login phase of WS-Federation -->
-    <security:global-method-security pre-post-annotations="enabled"/>
-
-    <security:http pattern="/services/rs/**" auto-config="false" use-expressions="true"
entry-point-ref="kerberosEntryPoint">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
-        <!--<security:http-basic />-->
-        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
-    </security:http>
-
-    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
-    
-    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"
/>
-    
-    <bean id="spnegoAuthenticationProcessingFilter"
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
-        <property name="authenticationManager" ref="restAuthenticationManager" />
-    </bean>
-    
-    <security:authentication-manager id="restAuthenticationManager">
-        <security:authentication-provider>
-          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
-          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
-          <!--  
-          <security:password-encoder hash="sha-256" base64="true">
-            <security:salt-source user-property="username"/>
-          </security:password-encoder>
-          -->
-          <security:user-service properties="classpath:/users.properties" />
-        </security:authentication-provider>
-        <security:authentication-provider ref="stsAuthProvider" />
-    </security:authentication-manager>
-      
-    <security:http use-expressions="true" entry-point-ref="kerberosEntryPoint">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
access="isAnonymous() or isAuthenticated()" />
-
-        <!-- <security:form-login login-page="/federation/login"/>
-        <security:http-basic />-->
-        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
-    </security:http>
-
-    <bean id="kerberosEntryPoint"
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
-    
-    <bean id="kerberosAuthenticationProcessingFilter"
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
-          <property name="authenticationManager" ref="authenticationManager" />
-    </bean>
-
-    <security:authentication-manager alias="authenticationManager">
-        <security:authentication-provider ref="stsAuthProvider" />
-    </security:authentication-manager>
-	
-    <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
-    
-    <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
-    
-    <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
-        <property name="contextName" value="bob"/>
-        <property name="serviceName" value="bob@service.ws.apache.org"/>
-    </bean>-->
-	
-    <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
-        <!--<property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportUT_Port"/> -->
-        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
-        <property name="wsdlService" value="SecurityTokenService"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-        <!--<property name="kerberosTokenValidator" ref="kerberosTokenValidator"/>
-        <property name="requireDelegation" value="true"/>-->
-    </bean>
-
-</beans>


Mime
View raw message