cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: [FEDIZ-23] - Add redirection to UP + Kerberos. Refactored the STSAuthenticationProvider
Date Thu, 09 Apr 2015 10:42:30 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master c1bbb7cd6 -> 230bce9af


[FEDIZ-23] - Add redirection to UP + Kerberos. Refactored the STSAuthenticationProvider


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/230bce9a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/230bce9a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/230bce9a

Branch: refs/heads/master
Commit: 230bce9af3df47a23b5b1946adb8aa6ac4c58ed1
Parents: c1bbb7c
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Apr 9 11:42:04 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Apr 9 11:42:04 2015 +0100

----------------------------------------------------------------------
 .../fediz/service/idp/FederationEntryPoint.java |  13 +-
 .../service/idp/STSAuthenticationProvider.java  | 334 +------------------
 .../idp/STSKrbAuthenticationProvider.java       | 254 ++++++++++++++
 .../cxf/fediz/service/idp/STSPortFilter.java    |  14 +-
 .../idp/STSPreAuthAuthenticationProvider.java   | 131 ++++++++
 .../idp/STSUPAuthenticationProvider.java        | 118 +++++++
 .../idp/src/main/resources/entities-realma.xml  |   2 +-
 .../main/webapp/WEB-INF/idp-config-realma.xml   |   2 +-
 .../idp/src/main/webapp/WEB-INF/idp-servlet.xml |   4 +
 .../src/main/webapp/WEB-INF/security-config.xml |  76 ++++-
 services/idp/src/main/webapp/WEB-INF/web.xml    |  12 +-
 11 files changed, 618 insertions(+), 342 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
index c7265a1..1a39ef2 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java
@@ -79,13 +79,14 @@ public class FederationEntryPoint implements AuthenticationEntryPoint,
         Assert.notNull(this.appContext, "ApplicationContext cannot be null.");
         Assert.notNull(this.configService, "ConfigService cannot be null.");
         Assert.notNull(this.realm, "realm cannot be null.");
-        idpConfig = configService.getIDP(realm);
-        Assert.notNull(this.idpConfig, "idpConfig cannot be null. Check realm and config service implementation");
     }
 
     public final void commence(final HttpServletRequest servletRequest, final HttpServletResponse response,
             final AuthenticationException authenticationException) throws IOException, ServletException {
 
+        idpConfig = configService.getIDP(realm);
+        Assert.notNull(this.idpConfig, "idpConfig cannot be null. Check realm and config service implementation");
+        
         String redirectUrl = null;
         String wauth = servletRequest.getParameter(FederationConstants.PARAM_AUTH_TYPE);
         if (wauth == null) {
@@ -98,7 +99,7 @@ public class FederationEntryPoint implements AuthenticationEntryPoint,
                     HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "wauth value '" + wauth + "' not supported");
         }
         redirectUrl = new StringBuilder(extractFullContextPath(servletRequest))
-            .append(realm).append(loginUri).toString();
+            .append(loginUri).append("?").append(servletRequest.getQueryString()).toString();
         
         preCommence(servletRequest, response);
         if (LOG.isInfoEnabled()) {
@@ -127,6 +128,7 @@ public class FederationEntryPoint implements AuthenticationEntryPoint,
         String result = null;
         String contextPath = request.getContextPath();
         String requestUrl = request.getRequestURL().toString();
+        
         String requestPath = new URL(requestUrl).getPath();
         // Cut request path of request url and add context path if not ROOT
         if (requestPath != null && requestPath.length() > 0) {
@@ -137,8 +139,9 @@ public class FederationEntryPoint implements AuthenticationEntryPoint,
         }
         if (contextPath != null && contextPath.length() > 0) {
             // contextPath contains starting slash
-            result = result + contextPath + "/";
-        } else {
+            result = result + contextPath;
+        }
+        if (result.charAt(result.length() - 1) != '/') {
             result = result + "/";
         }
         return result;

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
index 0a75b63..ab84b11 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
@@ -19,71 +19,46 @@
 package org.apache.cxf.fediz.service.idp;
 
 import java.net.URI;
-import java.security.Principal;
-import java.security.PrivilegedActionException;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.LoginException;
-import javax.xml.namespace.QName;
-
-import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 //import org.apache.cxf.endpoint.Client;
 import org.apache.cxf.fediz.core.Claim;
 import org.apache.cxf.fediz.core.ClaimTypes;
-import org.apache.cxf.fediz.service.idp.kerberos.KerberosServiceRequestToken;
-import org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator;
-import org.apache.cxf.fediz.service.idp.kerberos.PassThroughKerberosClient;
-import org.apache.cxf.helpers.DOMUtils;
-//import org.apache.cxf.transport.http.HTTPConduit;
-//import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
-import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.kerberos.KerberosServiceContext;
-import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.dom.WSConstants;
-import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.keys.content.X509Data;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSCredential;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSManager;
-import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
 import org.opensaml.xml.XMLObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+//import org.apache.cxf.transport.http.HTTPConduit;
+//import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
 
-public class STSAuthenticationProvider implements AuthenticationProvider {
+/**
+ * A base class for authenticating credentials to the STS
+ */
+public abstract class STSAuthenticationProvider implements AuthenticationProvider {
 
-    private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER = 
+    public static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER = 
         "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
     
-    private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 = 
+    public static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 = 
         "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
     
-    private static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST =
+    public static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST =
         "http://schemas.xmlsoap.org/ws/2005/02/trust";
     
-    private static final Logger LOG = LoggerFactory
-            .getLogger(STSAuthenticationProvider.class);
+    private static final Logger LOG = LoggerFactory.getLogger(STSAuthenticationProvider.class);
 
     protected String wsdlLocation;
     
@@ -108,190 +83,7 @@ public class STSAuthenticationProvider implements AuthenticationProvider {
     
     protected Map<String, Object> properties = new HashMap<String, Object>();
     
-    private KerberosTokenValidator kerberosTokenValidator;
-    
-    private CallbackHandler kerberosCallbackHandler;
-    
-    private boolean kerberosUsernameServiceNameForm;
-    
-    private boolean requireDelegation;
-    
-    
-    @Override
-    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
-        
-        Bus cxfBus = getBus();
-        IdpSTSClient sts = new IdpSTSClient(cxfBus);
-        sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
-        if (tokenType != null && tokenType.length() > 0) {
-            sts.setTokenType(tokenType);
-        } else {
-            sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
-        }
-        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
-        sts.setWsdlLocation(wsdlLocation);
-        sts.setServiceQName(new QName(namespace, wsdlService));
-        sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
-        
-        sts.getProperties().putAll(properties);
-        if (use200502Namespace) {
-            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
-        }
-        
-        if (lifetime != null) {
-            sts.setEnableLifetime(true);
-            sts.setTtl(lifetime.intValue());
-        }
-        
-        if (authentication instanceof KerberosServiceRequestToken) {
-            return handleKerberos((KerberosServiceRequestToken)authentication, sts);
-        } else if (authentication instanceof PreAuthenticatedAuthenticationToken) {
-            return handlePreAuthenticated((PreAuthenticatedAuthenticationToken)authentication, sts);
-        } else if (authentication instanceof UsernamePasswordAuthenticationToken) {
-            return handleUsernamePassword((UsernamePasswordAuthenticationToken)authentication, sts);
-        } else {
-            LOG.debug("An unknown authentication token was supplied");
-            return null;
-        }
-        
-    }
-    
-    private Authentication handleKerberos(
-        KerberosServiceRequestToken kerberosRequestToken,
-        IdpSTSClient sts
-    ) {
-        Principal kerberosPrincipal = null;
-        // 
-        // If delegation is required then validate the received token + store the
-        // Delegated Credential so that we can retrieve a new kerberos token for the
-        // STS with it. If delegation is not required, then we just get the received
-        // token + pass it to the STS
-        //
-        if (requireDelegation) {
-            kerberosPrincipal = validateKerberosToken(kerberosRequestToken, sts);
-            if (kerberosPrincipal == null) {
-                return null;
-            }
-        } else {
-            PassThroughKerberosClient kerberosClient = new PassThroughKerberosClient();
-            kerberosClient.setToken(kerberosRequestToken.getToken());
-            sts.getProperties().put(SecurityConstants.KERBEROS_CLIENT, kerberosClient);
-        }
-        
-        try {
-            // Line below may be uncommented for debugging    
-            // setTimeout(sts.getClient(), 3600000L);
-
-            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
-            
-            if (kerberosPrincipal == null && token.getToken() != null
-                && "Assertion".equals(token.getToken().getLocalName())) {
-                // For the pass-through Kerberos case, we don't know the Principal name...
-                kerberosPrincipal = 
-                    new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken()));
-            }
-            
-            List<GrantedAuthority> authorities = createAuthorities(token);
-            
-            KerberosServiceRequestToken ksrt = 
-                new KerberosServiceRequestToken(kerberosPrincipal, authorities, kerberosRequestToken.getToken());
-            
-            STSUserDetails details = new STSUserDetails(kerberosPrincipal.getName(),
-                                                        "",
-                                                        authorities,
-                                                        token);
-            ksrt.setDetails(details);
-            
-            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), kerberosPrincipal.getName());
-            return ksrt;
-        } catch (Exception ex) {
-            LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName() + "'", ex);
-            return null;
-        }
-    }
-    
-    private Authentication handlePreAuthenticated(
-        PreAuthenticatedAuthenticationToken preauthenticatedToken,
-        IdpSTSClient sts
-    ) {
-        X509Certificate cert = (X509Certificate)preauthenticatedToken.getCredentials();
-        if (cert == null) {
-            return null;
-        }
-        
-        // Convert the received certificate to a DOM Element to write it out "OnBehalfOf"
-        Document doc = DOMUtils.newDocument();
-        X509Data certElem = new X509Data(doc);
-        try {
-            certElem.addCertificate(cert);
-            sts.setOnBehalfOf(certElem.getElement());
-        } catch (XMLSecurityException e) {
-            LOG.debug("Error parsing a client certificate", e);
-            return null;
-        }
-        
-        try {
-            // Line below may be uncommented for debugging    
-            // setTimeout(sts.getClient(), 3600000L);
-
-            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
-            
-            List<GrantedAuthority> authorities = createAuthorities(token);
-            
-            STSUserDetails details = new STSUserDetails(preauthenticatedToken.getName(),
-                                                        "",
-                                                        authorities,
-                                                        token);
-            
-            preauthenticatedToken.setDetails(details);
-            
-            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), preauthenticatedToken.getName());
-            return preauthenticatedToken;
-            
-        } catch (Exception ex) {
-            LOG.info("Failed to authenticate user '" + preauthenticatedToken.getName() + "'", ex);
-            return null;
-        }
-    }
-    
-    private Authentication handleUsernamePassword(
-        UsernamePasswordAuthenticationToken usernamePasswordToken,
-        IdpSTSClient sts
-    ) {
-        sts.getProperties().put(SecurityConstants.USERNAME, usernamePasswordToken.getName());
-        sts.getProperties().put(SecurityConstants.PASSWORD, (String)usernamePasswordToken.getCredentials());
-        
-        try {
-
-            // Line below may be uncommented for debugging    
-            // setTimeout(sts.getClient(), 3600000L);
-
-            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
-            
-            List<GrantedAuthority> authorities = createAuthorities(token);
-            
-            UsernamePasswordAuthenticationToken upat = 
-                new UsernamePasswordAuthenticationToken(usernamePasswordToken.getName(), 
-                                                        usernamePasswordToken.getCredentials(), 
-                                                        authorities);
-
-            STSUserDetails details = new STSUserDetails(usernamePasswordToken.getName(),
-                                                        (String)usernamePasswordToken.getCredentials(),
-                                                        authorities,
-                                                        token);
-            upat.setDetails(details);
-
-            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), usernamePasswordToken.getName());
-            return upat;
-                                                                                           
-        } catch (Exception ex) {
-            LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex);
-            return null;
-        }
-        
-    }
-    
-    private List<GrantedAuthority> createAuthorities(SecurityToken token) throws WSSecurityException {
+    protected List<GrantedAuthority> createAuthorities(SecurityToken token) throws WSSecurityException {
         List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
         //authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));
         //Not needed because AuthenticatedVoter has been added for SecurityFlowExecutionListener
@@ -325,76 +117,6 @@ public class STSAuthenticationProvider implements AuthenticationProvider {
         return authorities;
     }
     
-    private Principal validateKerberosToken(
-        KerberosServiceRequestToken token,
-        IdpSTSClient sts
-    ) {
-        if (kerberosTokenValidator == null) {
-            LOG.error("KerberosTokenValidator must be configured to support kerberos "
-                + "credential delegation");
-            return null;
-        }
-        KerberosServiceContext kerberosContext;
-        Principal kerberosPrincipal = null;
-        try {
-            kerberosContext = kerberosTokenValidator.validate(token);
-            if (kerberosContext == null || kerberosContext.getDelegationCredential() == null) {
-                LOG.info("Kerberos Validation failure");
-                return null;
-            }
-            GSSCredential delegatedCredential = kerberosContext.getDelegationCredential();
-            sts.getProperties().put(SecurityConstants.DELEGATED_CREDENTIAL, 
-                                    delegatedCredential);
-            sts.getProperties().put(SecurityConstants.KERBEROS_USE_CREDENTIAL_DELEGATION, "true");
-            kerberosPrincipal = kerberosContext.getPrincipal();
-        } catch (LoginException ex) {
-            LOG.info("Failed to authenticate user", ex);
-            return null;
-        } catch (PrivilegedActionException ex) {
-            LOG.info("Failed to authenticate user", ex);
-            return null;
-        }
-
-        if (kerberosTokenValidator.getContextName() != null) {
-            sts.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME, 
-                                    kerberosTokenValidator.getContextName());
-        }
-        if (kerberosTokenValidator.getServiceName() != null) {
-            sts.getProperties().put(SecurityConstants.KERBEROS_SPN,
-                                    kerberosTokenValidator.getServiceName());
-        }
-        if (kerberosCallbackHandler != null) {
-            sts.getProperties().put(SecurityConstants.CALLBACK_HANDLER, 
-                                    kerberosCallbackHandler);
-        }
-        if (kerberosUsernameServiceNameForm) {
-            sts.getProperties().put(SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, 
-                                    "true");
-        }
-        
-        return kerberosPrincipal;
-    }
-    
-    protected GSSContext createGSSContext() throws GSSException {
-        Oid oid = new Oid("1.2.840.113554.1.2.2");
-
-        GSSManager gssManager = GSSManager.getInstance();
-
-        String spn = "bob@service.ws.apache.org";
-        GSSName gssService = gssManager.createName(spn, null);
-
-        return gssManager.createContext(gssService.canonicalize(oid),
-                                        oid, null, GSSContext.DEFAULT_LIFETIME);
-
-    }
-
-    @Override
-    public boolean supports(Class<?> authentication) {
-        return authentication.equals(PreAuthenticatedAuthenticationToken.class)
-            || authentication.equals(UsernamePasswordAuthenticationToken.class)
-            || authentication.equals(KerberosServiceRequestToken.class);
-    }
-    
     public String getWsdlLocation() {
         return wsdlLocation;
     }
@@ -563,38 +285,6 @@ public class STSAuthenticationProvider implements AuthenticationProvider {
         this.use200502Namespace = use200502Namespace;
     }
 
-    public KerberosTokenValidator getKerberosTokenValidator() {
-        return kerberosTokenValidator;
-    }
-
-    public void setKerberosTokenValidator(KerberosTokenValidator kerberosTokenValidator) {
-        this.kerberosTokenValidator = kerberosTokenValidator;
-    }
-
-    public CallbackHandler getKerberosCallbackHandler() {
-        return kerberosCallbackHandler;
-    }
-
-    public void setKerberosCallbackHandler(CallbackHandler kerberosCallbackHandler) {
-        this.kerberosCallbackHandler = kerberosCallbackHandler;
-    }
-
-    public boolean isKerberosUsernameServiceNameForm() {
-        return kerberosUsernameServiceNameForm;
-    }
-
-    public void setKerberosUsernameServiceNameForm(boolean kerberosUsernameServiceNameForm) {
-        this.kerberosUsernameServiceNameForm = kerberosUsernameServiceNameForm;
-    }
-
-    public boolean isRequireDelegation() {
-        return requireDelegation;
-    }
-
-    public void setRequireDelegation(boolean requireDelegation) {
-        this.requireDelegation = requireDelegation;
-    }
-
 //May be uncommented for debugging    
 //    private void setTimeout(Client client, Long timeout) {
 //        HTTPConduit conduit = (HTTPConduit) client.getConduit();

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
new file mode 100644
index 0000000..9a5dae8
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
@@ -0,0 +1,254 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.util.List;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginException;
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.fediz.service.idp.kerberos.KerberosServiceRequestToken;
+import org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator;
+import org.apache.cxf.fediz.service.idp.kerberos.PassThroughKerberosClient;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.common.kerberos.KerberosServiceContext;
+import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * An authentication provider to authenticate a Kerberos token to the STS
+ */
+public class STSKrbAuthenticationProvider extends STSAuthenticationProvider {
+
+    private static final Logger LOG = LoggerFactory.getLogger(STSKrbAuthenticationProvider.class);
+
+    private KerberosTokenValidator kerberosTokenValidator;
+    
+    private CallbackHandler kerberosCallbackHandler;
+    
+    private boolean kerberosUsernameServiceNameForm;
+    
+    private boolean requireDelegation;
+    
+    
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        // We only handle KerberosServiceRequestTokens
+        if (!(authentication instanceof KerberosServiceRequestToken)) {
+            return null;
+        }
+        
+        Bus cxfBus = getBus();
+        IdpSTSClient sts = new IdpSTSClient(cxfBus);
+        sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+        if (tokenType != null && tokenType.length() > 0) {
+            sts.setTokenType(tokenType);
+        } else {
+            sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+        }
+        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+        sts.setWsdlLocation(wsdlLocation);
+        sts.setServiceQName(new QName(namespace, wsdlService));
+        sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+        
+        sts.getProperties().putAll(properties);
+        if (use200502Namespace) {
+            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+        }
+        
+        if (lifetime != null) {
+            sts.setEnableLifetime(true);
+            sts.setTtl(lifetime.intValue());
+        }
+        
+        return handleKerberos((KerberosServiceRequestToken)authentication, sts);
+    }
+    
+    private Authentication handleKerberos(
+        KerberosServiceRequestToken kerberosRequestToken,
+        IdpSTSClient sts
+    ) {
+        Principal kerberosPrincipal = null;
+        // 
+        // If delegation is required then validate the received token + store the
+        // Delegated Credential so that we can retrieve a new kerberos token for the
+        // STS with it. If delegation is not required, then we just get the received
+        // token + pass it to the STS
+        //
+        if (requireDelegation) {
+            kerberosPrincipal = validateKerberosToken(kerberosRequestToken, sts);
+            if (kerberosPrincipal == null) {
+                return null;
+            }
+        } else {
+            PassThroughKerberosClient kerberosClient = new PassThroughKerberosClient();
+            kerberosClient.setToken(kerberosRequestToken.getToken());
+            sts.getProperties().put(SecurityConstants.KERBEROS_CLIENT, kerberosClient);
+        }
+        
+        try {
+            // Line below may be uncommented for debugging    
+            // setTimeout(sts.getClient(), 3600000L);
+
+            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+            
+            if (kerberosPrincipal == null && token.getToken() != null
+                && "Assertion".equals(token.getToken().getLocalName())) {
+                // For the pass-through Kerberos case, we don't know the Principal name...
+                kerberosPrincipal = 
+                    new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken()));
+            }
+            
+            List<GrantedAuthority> authorities = createAuthorities(token);
+            
+            KerberosServiceRequestToken ksrt = 
+                new KerberosServiceRequestToken(kerberosPrincipal, authorities, kerberosRequestToken.getToken());
+            
+            STSUserDetails details = new STSUserDetails(kerberosPrincipal.getName(),
+                                                        "",
+                                                        authorities,
+                                                        token);
+            ksrt.setDetails(details);
+            
+            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), kerberosPrincipal.getName());
+            return ksrt;
+        } catch (Exception ex) {
+            LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName() + "'", ex);
+            return null;
+        }
+    }
+    
+    private Principal validateKerberosToken(
+        KerberosServiceRequestToken token,
+        IdpSTSClient sts
+    ) {
+        if (kerberosTokenValidator == null) {
+            LOG.error("KerberosTokenValidator must be configured to support kerberos "
+                + "credential delegation");
+            return null;
+        }
+        KerberosServiceContext kerberosContext;
+        Principal kerberosPrincipal = null;
+        try {
+            kerberosContext = kerberosTokenValidator.validate(token);
+            if (kerberosContext == null || kerberosContext.getDelegationCredential() == null) {
+                LOG.info("Kerberos Validation failure");
+                return null;
+            }
+            GSSCredential delegatedCredential = kerberosContext.getDelegationCredential();
+            sts.getProperties().put(SecurityConstants.DELEGATED_CREDENTIAL, 
+                                    delegatedCredential);
+            sts.getProperties().put(SecurityConstants.KERBEROS_USE_CREDENTIAL_DELEGATION, "true");
+            kerberosPrincipal = kerberosContext.getPrincipal();
+        } catch (LoginException ex) {
+            LOG.info("Failed to authenticate user", ex);
+            return null;
+        } catch (PrivilegedActionException ex) {
+            LOG.info("Failed to authenticate user", ex);
+            return null;
+        }
+
+        if (kerberosTokenValidator.getContextName() != null) {
+            sts.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME, 
+                                    kerberosTokenValidator.getContextName());
+        }
+        if (kerberosTokenValidator.getServiceName() != null) {
+            sts.getProperties().put(SecurityConstants.KERBEROS_SPN,
+                                    kerberosTokenValidator.getServiceName());
+        }
+        if (kerberosCallbackHandler != null) {
+            sts.getProperties().put(SecurityConstants.CALLBACK_HANDLER, 
+                                    kerberosCallbackHandler);
+        }
+        if (kerberosUsernameServiceNameForm) {
+            sts.getProperties().put(SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, 
+                                    "true");
+        }
+        
+        return kerberosPrincipal;
+    }
+    
+    protected GSSContext createGSSContext() throws GSSException {
+        Oid oid = new Oid("1.2.840.113554.1.2.2");
+
+        GSSManager gssManager = GSSManager.getInstance();
+
+        String spn = "bob@service.ws.apache.org";
+        GSSName gssService = gssManager.createName(spn, null);
+
+        return gssManager.createContext(gssService.canonicalize(oid),
+                                        oid, null, GSSContext.DEFAULT_LIFETIME);
+
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return authentication.equals(KerberosServiceRequestToken.class);
+    }
+    
+    public KerberosTokenValidator getKerberosTokenValidator() {
+        return kerberosTokenValidator;
+    }
+
+    public void setKerberosTokenValidator(KerberosTokenValidator kerberosTokenValidator) {
+        this.kerberosTokenValidator = kerberosTokenValidator;
+    }
+
+    public CallbackHandler getKerberosCallbackHandler() {
+        return kerberosCallbackHandler;
+    }
+
+    public void setKerberosCallbackHandler(CallbackHandler kerberosCallbackHandler) {
+        this.kerberosCallbackHandler = kerberosCallbackHandler;
+    }
+
+    public boolean isKerberosUsernameServiceNameForm() {
+        return kerberosUsernameServiceNameForm;
+    }
+
+    public void setKerberosUsernameServiceNameForm(boolean kerberosUsernameServiceNameForm) {
+        this.kerberosUsernameServiceNameForm = kerberosUsernameServiceNameForm;
+    }
+
+    public boolean isRequireDelegation() {
+        return requireDelegation;
+    }
+
+    public void setRequireDelegation(boolean requireDelegation) {
+        this.requireDelegation = requireDelegation;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
index 83ea83d..889dadd 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
@@ -40,6 +40,7 @@ public class STSPortFilter extends GenericFilterBean implements ApplicationConte
     private static final Logger LOG = LoggerFactory.getLogger(STSPortFilter.class);
     
     private ApplicationContext applicationContext;
+    private STSAuthenticationProvider authenticationProvider;
     
     private boolean isPortSet;
     
@@ -48,7 +49,10 @@ public class STSPortFilter extends GenericFilterBean implements ApplicationConte
         throws IOException, ServletException {
         
         Assert.isTrue(applicationContext != null, "Application context must not be null");
-        STSAuthenticationProvider authProvider = applicationContext.getBean(STSAuthenticationProvider.class);
+        STSAuthenticationProvider authProvider = authenticationProvider;
+        if (authProvider == null) {
+            authProvider = applicationContext.getBean(STSAuthenticationProvider.class);
+        }
         Assert.isTrue(authProvider != null, "STSAuthenticationProvider must be configured");
         
         //Only update the port if HTTPS is used, otherwise ignored (like retrieving the WADL over HTTP)
@@ -80,4 +84,12 @@ public class STSPortFilter extends GenericFilterBean implements ApplicationConte
         this.applicationContext = applicationContext;
     }
 
+    public STSAuthenticationProvider getAuthenticationProvider() {
+        return authenticationProvider;
+    }
+
+    public void setAuthenticationProvider(STSAuthenticationProvider authenticationProvider) {
+        this.authenticationProvider = authenticationProvider;
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java
new file mode 100644
index 0000000..13c277b
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java
@@ -0,0 +1,131 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Document;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.keys.content.X509Data;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+
+/**
+ * An authentication provider to authenticate a preauthenticated token to the STS
+ */
+public class STSPreAuthAuthenticationProvider extends STSAuthenticationProvider {
+
+    private static final Logger LOG = LoggerFactory
+            .getLogger(STSPreAuthAuthenticationProvider.class);
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        // We only handle PreAuthenticatedAuthenticationTokens
+        if (!(authentication instanceof PreAuthenticatedAuthenticationToken)) {
+            return null;
+        }
+        
+        Bus cxfBus = getBus();
+        IdpSTSClient sts = new IdpSTSClient(cxfBus);
+        sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+        if (tokenType != null && tokenType.length() > 0) {
+            sts.setTokenType(tokenType);
+        } else {
+            sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+        }
+        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+        sts.setWsdlLocation(wsdlLocation);
+        sts.setServiceQName(new QName(namespace, wsdlService));
+        sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+        
+        sts.getProperties().putAll(properties);
+        if (use200502Namespace) {
+            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+        }
+        
+        if (lifetime != null) {
+            sts.setEnableLifetime(true);
+            sts.setTtl(lifetime.intValue());
+        }
+        
+        return handlePreAuthenticated((PreAuthenticatedAuthenticationToken)authentication, sts);
+    }
+    
+    private Authentication handlePreAuthenticated(
+        PreAuthenticatedAuthenticationToken preauthenticatedToken,
+        IdpSTSClient sts
+    ) {
+        X509Certificate cert = (X509Certificate)preauthenticatedToken.getCredentials();
+        if (cert == null) {
+            return null;
+        }
+        
+        // Convert the received certificate to a DOM Element to write it out "OnBehalfOf"
+        Document doc = DOMUtils.newDocument();
+        X509Data certElem = new X509Data(doc);
+        try {
+            certElem.addCertificate(cert);
+            sts.setOnBehalfOf(certElem.getElement());
+        } catch (XMLSecurityException e) {
+            LOG.debug("Error parsing a client certificate", e);
+            return null;
+        }
+        
+        try {
+            // Line below may be uncommented for debugging    
+            // setTimeout(sts.getClient(), 3600000L);
+
+            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+            
+            List<GrantedAuthority> authorities = createAuthorities(token);
+            
+            STSUserDetails details = new STSUserDetails(preauthenticatedToken.getName(),
+                                                        "",
+                                                        authorities,
+                                                        token);
+            
+            preauthenticatedToken.setDetails(details);
+            
+            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), preauthenticatedToken.getName());
+            return preauthenticatedToken;
+            
+        } catch (Exception ex) {
+            LOG.info("Failed to authenticate user '" + preauthenticatedToken.getName() + "'", ex);
+            return null;
+        }
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return authentication.equals(PreAuthenticatedAuthenticationToken.class);
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
new file mode 100644
index 0000000..d9be1b4
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
@@ -0,0 +1,118 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.dom.WSConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * An authentication provider to authenticate a Username/Password to the STS
+ */
+public class STSUPAuthenticationProvider extends STSAuthenticationProvider {
+
+    private static final Logger LOG = LoggerFactory.getLogger(STSUPAuthenticationProvider.class);
+    
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        // We only handle UsernamePasswordAuthenticationTokens
+        if (!(authentication instanceof UsernamePasswordAuthenticationToken)) {
+            return null;
+        }
+        
+        Bus cxfBus = getBus();
+        IdpSTSClient sts = new IdpSTSClient(cxfBus);
+        sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+        if (tokenType != null && tokenType.length() > 0) {
+            sts.setTokenType(tokenType);
+        } else {
+            sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+        }
+        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+        sts.setWsdlLocation(wsdlLocation);
+        sts.setServiceQName(new QName(namespace, wsdlService));
+        sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+        
+        sts.getProperties().putAll(properties);
+        if (use200502Namespace) {
+            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+        }
+        
+        if (lifetime != null) {
+            sts.setEnableLifetime(true);
+            sts.setTtl(lifetime.intValue());
+        }
+        
+        return handleUsernamePassword((UsernamePasswordAuthenticationToken)authentication, sts);
+    }
+    
+    private Authentication handleUsernamePassword(
+        UsernamePasswordAuthenticationToken usernamePasswordToken,
+        IdpSTSClient sts
+    ) {
+        sts.getProperties().put(SecurityConstants.USERNAME, usernamePasswordToken.getName());
+        sts.getProperties().put(SecurityConstants.PASSWORD, (String)usernamePasswordToken.getCredentials());
+        
+        try {
+
+            // Line below may be uncommented for debugging    
+            // setTimeout(sts.getClient(), 3600000L);
+
+            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+            
+            List<GrantedAuthority> authorities = createAuthorities(token);
+            
+            UsernamePasswordAuthenticationToken upat = 
+                new UsernamePasswordAuthenticationToken(usernamePasswordToken.getName(), 
+                                                        usernamePasswordToken.getCredentials(), 
+                                                        authorities);
+
+            STSUserDetails details = new STSUserDetails(usernamePasswordToken.getName(),
+                                                        (String)usernamePasswordToken.getCredentials(),
+                                                        authorities,
+                                                        token);
+            upat.setDetails(details);
+
+            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), usernamePasswordToken.getName());
+            return upat;
+                                                                                           
+        } catch (Exception ex) {
+            LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex);
+            return null;
+        }
+        
+    }
+    
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return authentication.equals(UsernamePasswordAuthenticationToken.class);
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realma.xml b/services/idp/src/main/resources/entities-realma.xml
index 87dc70a..f8e1f5b 100644
--- a/services/idp/src/main/resources/entities-realma.xml
+++ b/services/idp/src/main/resources/entities-realma.xml
@@ -52,7 +52,7 @@
         </property>
         <property name="authenticationURIs">
             <util:map>
-                <entry key="default" value="/login/default" />
+                <entry key="default" value="federation/up" />
             </util:map>
         </property>
         <property name="serviceDisplayName" value="REALM A" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
index c5e0a4a..9d61326 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
@@ -74,7 +74,7 @@
         </property>
         <property name="authenticationURIs">
             <util:map>
-                <entry key="default" value="/login/default" />
+                <entry key="default" value="federation/up" />
             </util:map>
         </property>
         <property name="trustedIDPs">

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
index ccc2146..691f7bb 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
@@ -75,6 +75,10 @@
         flow-builder-services="builder">
         <webflow:flow-location
             path="/WEB-INF/federation-validate-request.xml" id="federation" />
+        <webflow:flow-location
+            path="/WEB-INF/federation-validate-request.xml" id="federation/up" />
+        <webflow:flow-location
+            path="/WEB-INF/federation-validate-request.xml" id="federation/krb" />
         <webflow:flow-location path="/WEB-INF/federation-signin-request.xml"
             id="signinRequest" />
         <webflow:flow-location path="/WEB-INF/federation-signin-response.xml"

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index ab0eada..c70ccfb 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -42,7 +42,7 @@
     <security:global-method-security pre-post-annotations="enabled"/>
 
     <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
         <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
         <security:http-basic />
@@ -63,34 +63,88 @@
           -->
           <security:user-service properties="classpath:/users.properties" />
         </security:authentication-provider>
-        <security:authentication-provider ref="stsAuthProvider" />
+        <security:authentication-provider ref="stsUPAuthProvider" />
     </security:authentication-manager>
-
-    <security:http use-expressions="true">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+    
+    <!-- Redirects to a dedicated http config -->
+    <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+        <property name="configService" ref="config" />
+    </bean>
+    
+    <!-- Main entry point -->
+    <security:http pattern="/federation" use-expressions="true" entry-point-ref="federationEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+    </security:http>
+    
+    <!-- HTTP/BA entry point -->
+    <security:http pattern="/federation/up" use-expressions="true">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
 
-        <!-- MUST be http-basic thus systests run fine -->
-        <!--<security:form-login />-->
         <security:http-basic />
         <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
     </security:http>
+    
+    <!-- Kerberos entry point -->
+    <bean id="kerberosEntryPoint"
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
+    
+    <bean id="kerberosAuthenticationProcessingFilter"
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+          <property name="authenticationManager" ref="authenticationManagers" />
+    </bean>
+    
+    <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+
+        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
 
-    <security:authentication-manager>
-        <security:authentication-provider ref="stsAuthProvider" />
+    <security:authentication-manager alias="authenticationManagers">
+        <security:authentication-provider ref="stsUPAuthProvider" />
+        <security:authentication-provider ref="stsKrbAuthProvider" />
     </security:authentication-manager>
 	
-    <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+    <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsUPAuthProvider" />
+    </bean>
     
     <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
 	
-    <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
+	<!-- U/P Authentication Provider -->
+    <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
         <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
         <property name="wsdlEndpoint" value="TransportUT_Port"/>
         <property name="wsdlService" value="SecurityTokenService"/>
         <property name="appliesTo" value="urn:fediz:idp"/>
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
     </bean>
+    
+    <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsKrbAuthProvider" />
+    </bean>
+    
+    <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
+        <property name="contextName" value="bob"/>
+        <property name="serviceName" value="bob@service.ws.apache.org"/>
+    </bean>-->
+	
+	<!-- Kerberos authentication provider -->
+    <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
+        <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
+        <property name="wsdlService" value="SecurityTokenService"/>
+        <property name="appliesTo" value="urn:fediz:idp"/>
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+        <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator"/>
+        <property name="requireDelegation" value="true"/>-->
+    </bean>
 
 </beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/web.xml b/services/idp/src/main/webapp/WEB-INF/web.xml
index 2849a6b..21ea9ab 100644
--- a/services/idp/src/main/webapp/WEB-INF/web.xml
+++ b/services/idp/src/main/webapp/WEB-INF/web.xml
@@ -79,7 +79,17 @@ under the License.
         <servlet-name>idp</servlet-name>
         <url-pattern>/federation</url-pattern>
     </servlet-mapping>
-
+    
+    <servlet-mapping>
+        <servlet-name>idp</servlet-name>
+        <url-pattern>/federation/up</url-pattern>
+    </servlet-mapping>
+    
+    <servlet-mapping>
+        <servlet-name>idp</servlet-name>
+        <url-pattern>/federation/krb</url-pattern>
+    </servlet-mapping>
+    
     <servlet-mapping>
         <servlet-name>metadata</servlet-name>
         <url-pattern>/FederationMetadata/2007-06/FederationMetadata.xml</url-pattern>


Mime
View raw message