From jbernha...@apache.org
Subject [4/4] cxf-fediz git commit: [FEDIZ-119] Customizable login page
Date Tue, 05 May 2015 14:26:46 GMT
[FEDIZ-119] Customizable login page


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/5ad84a6f
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/5ad84a6f
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/5ad84a6f

Branch: refs/heads/master
Commit: 5ad84a6ff23fa70ec8ed7b57b633e489fc95b09d
Parents: 90636de
Author: Jan Bernhardt <jbernhardt@talend.com>
Authored: Tue May 5 11:02:10 2015 +0200
Committer: Jan Bernhardt <jbernhardt@talend.com>
Committed: Tue May 5 16:26:23 2015 +0200

----------------------------------------------------------------------
 services/idp/pom.xml                            |   6 +-
 .../WEB-INF/federation-signin-request.xml       | 191 --------------
 .../WEB-INF/federation-signin-response.xml      |  72 ------
 .../WEB-INF/federation-validate-request.xml     | 250 -------------------
 .../WEB-INF/flows/federation-signin-request.xml | 191 ++++++++++++++
 .../flows/federation-signin-response.xml        |  72 ++++++
 .../flows/federation-validate-request.xml       | 250 +++++++++++++++++++
 .../src/main/webapp/WEB-INF/genericerror.jsp    |  11 -
 .../idp/src/main/webapp/WEB-INF/idp-servlet.xml |  37 +--
 .../idp/src/main/webapp/WEB-INF/idplist.jsp     |  34 ---
 .../src/main/webapp/WEB-INF/security-config.xml |  20 +-
 .../idp/src/main/webapp/WEB-INF/signinform.jsp  |  18 --
 .../main/webapp/WEB-INF/signinresponseform.jsp  |  25 --
 .../WEB-INF/signoutconfirmationresponse.jsp     |  56 -----
 .../src/main/webapp/WEB-INF/signoutresponse.jsp |  48 ----
 .../main/webapp/WEB-INF/views/genericerror.jsp  |  11 +
 .../src/main/webapp/WEB-INF/views/idplist.jsp   |  31 +++
 .../idp/src/main/webapp/WEB-INF/views/index.jsp |  25 ++
 .../main/webapp/WEB-INF/views/signinform.jsp    |  72 ++++++
 .../webapp/WEB-INF/views/signinresponseform.jsp |  25 ++
 .../views/signoutconfirmationresponse.jsp       |  56 +++++
 .../webapp/WEB-INF/views/signoutresponse.jsp    |  48 ++++
 services/idp/src/main/webapp/WEB-INF/web.xml    |  15 +-
 services/idp/src/main/webapp/index.html         |  25 --
 .../webapp/resources/images/apache-logo.png     | Bin 0 -> 20928 bytes
 .../src/test/resources/realmb/idp-servlet.xml   |  10 +-
 26 files changed, 829 insertions(+), 770 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/pom.xml
----------------------------------------------------------------------
diff --git a/services/idp/pom.xml b/services/idp/pom.xml
index bff8cee..4285461 100644
--- a/services/idp/pom.xml
+++ b/services/idp/pom.xml
@@ -231,7 +231,11 @@
             <artifactId>bval-jsr303</artifactId>
             <version>${bval.version}</version>
         </dependency>
-        
+        <dependency>
+            <groupId>jstl</groupId>
+            <artifactId>jstl</artifactId>
+            <version>1.2</version>
+        </dependency>
     </dependencies>
     <build>
         <resources>
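Review bot: The new `jstl` dependency pins `<version>1.2</version>` literally, while the neighbouring `bval-jsr303` entry a few lines above resolves its version through a `${bval.version}` property; for consistency, and so that all versions are managed in one place, reference a property here, `<version>${jstl.version}</version>`, with the property itself declared alongside the existing ones (that section is outside this hunk, as is the opening of the enclosing `<dependencies>` element). The dependency also carries no `<scope>`: if the target servlet container already ships JSTL, `<scope>provided</scope>` avoids packaging a second copy of the tag library into the WAR, otherwise the default compile scope is what the new JSP views need, and either way a one-line comment such as `<!-- JSTL tags used by the WEB-INF/views JSPs; bundled in the WAR -->` would record the decision. If the parent POM's dependency management already resolves JSTL under different coordinates (the `javax.servlet` groupId is the more common one), aligning the groupId here would avoid two copies of the same classes on the classpath — worth verifying against the parent before merging.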

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml
deleted file mode 100644
index 2fe2795..0000000
--- a/services/idp/src/main/webapp/WEB-INF/federation-signin-request.xml
+++ /dev/null
@@ -1,191 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<flow xmlns="http://www.springframework.org/schema/webflow"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/webflow
-        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
-
-    <input name="idpConfig" />
-    <input name="wtrealm" />
-    <input name="wreply" />
-    <input name="wctx" />
-    <input name="wfresh" />
-    <input name="wauth" />
-    <input name="whr" />
-
-    <decision-state id="checkHRDSEnabled">
-        <if test="true" then="checkWhrInSigninRequest" else="checkDefaultToThisIDP" />
-    </decision-state>
-
-    <decision-state id="checkWhrInSigninRequest">
-        <if test="flowScope.whr == null or flowScope.whr.trim().isEmpty()"
-            then="checkHomeRealm" else="checkIsThisIDP" />
-    </decision-state>
-
-    <decision-state id="checkHomeRealm">
-        <if test="homeRealmReminder.readCookie(flowRequestContext) == null"
-            then="processHRDSExpression" else="restoreHomeRealm" />
-    </decision-state>
-
-    <action-state id="restoreHomeRealm">
-        <evaluate
-            expression="homeRealmReminder.readCookie(flowRequestContext).value"
-            result="flowScope.whr" />
-        <transition to="checkIsThisIDP" />
-    </action-state>
-
-    <action-state id="processHRDSExpression">
-        <!-- TODO -->
-        <evaluate
-            expression="processHRDSExpressionAction.submit(flowRequestContext)"
-            result="flowScope.whr" />
-        <transition on="" to="provideIDPListForUser" />
-        <transition to="checkIsThisIDP">
-            <evaluate
-                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.whr)" />
-        </transition>
-    </action-state>
-
-    <decision-state id="provideIDPListForUser">
-        <if
-            test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
-            then="checkDefaultToThisIDP" />
-        <if test="flowScope.idpConfig.isProvideIdpList() == false"
-            then="checkDefaultToThisIDP" else="showIDPList" />
-    </decision-state>
-
-    <decision-state id="checkDefaultToThisIDP">
-        <if test="flowScope.idpConfig.isUseCurrentIdp()" then="checkWauthTypeSupported"
-            else="viewBadRequest" />
-    </decision-state>
-
-    <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
-        <var name="trustedIDPSelection"
-            class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
-        <binder>
-            <binding property="whr" required="true" />
-        </binder>
-        <on-entry>
-            <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
-        </on-entry>
-        <transition on="submit" to="checkIsThisIDP" bind="true"
-            validate="true">
-            <set name="flowScope.whr" value="trustedIDPSelection.whr" />
-            <evaluate
-                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.whr)" />
-        </transition>
-        <transition on="cancel" to="checkDefaultToThisIDP"
-            bind="false" validate="false" />
-    </view-state>
-
-    <!-- Home Realm is known then we can store it in cookie -->
-    <decision-state id="checkIsThisIDP">
-        <if test="flowScope.idpConfig.realm.equals(flowScope.whr)"
-            then="checkWauthTypeSupported" else="checkIdpTokenWhrWauth" />
-    </decision-state>
-
-    <!-- ============================================================================================================= -->
-
-    <!-- Is 'wresult/RP-IDP token' already received and validated (then stored 
-        in session) from requestor IDP ? -->
-    <decision-state id="checkIdpTokenWhrWauth">
-        <if test="externalContext.sessionMap[flowScope.whr] != null"
-            then="wfreshParserRemoteAction" else="redirectToTrustedIDP" />
-    </decision-state>
-
-    <action-state id="wfreshParserRemoteAction">
-        <evaluate
-            expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr, flowRequestContext)" />
-        <transition on="yes" to="redirectToTrustedIDP" />
-        <transition on="no" to="requestRpToken" >
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
-        </transition>
-        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
-    </action-state>
-
-    <decision-state id="checkWauthTypeSupported">
-        <on-entry>
-            <!-- Here, home realm is guaranteed to be THIS realm -->
-            <set name="flowScope.whr" value="flowScope.idpConfig.realm" />
-        </on-entry>
-        <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
-            then="viewBadRequest" />
-        <if
-            test="flowScope.idpConfig.getAuthenticationURIs().get(flowScope.wauth) != null"
-            then="checkIdpTokenWauth" else="viewBadRequest" />
-    </decision-state>
-
-    <decision-state id="checkIdpTokenWauth">
-        <!-- check presence of cached IDP token for THIS realm -->
-        <if test="externalContext.sessionMap[flowScope.whr] == null"
-            then="cacheTokenForWauth" else="wfreshParserAction" />
-    </decision-state>
-
-    <!-- parse wfresh parameter, provided by resource RP, overriding ttl 
-        from 'IDP_TOKEN' -->
-    <action-state id="wfreshParserAction">
-        <evaluate
-            expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr, flowRequestContext)" />
-        <transition on="yes" to="redirectToLocalIDP" />
-        <transition on="no" to="requestRpToken">
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
-        </transition>
-        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
-    </action-state>
-
-    <end-state id="redirectToLocalIDP">
-        <on-entry>
-            <evaluate expression="logoutAction.submit(flowRequestContext)" />
-        </on-entry>
-        <output name="wctx" value="flowScope.wctx" />
-    </end-state>
-
-    <action-state id="cacheTokenForWauth">
-        <secured attributes="IS_AUTHENTICATED_FULLY" />
-        <evaluate expression="cacheTokenForWauthAction.submit(flowRequestContext)" />
-        <transition to="requestRpToken">
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
-        </transition>
-    </action-state>
-
-    <!-- ============================================================================================================= -->
-
-    <!-- normal exit point -->
-    <end-state id="requestRpToken">
-        <output name="whr" value="flowScope.whr" />
-        <output name="wctx" value="flowScope.wctx" />
-        <output name="idpToken" value="flowScope.idpToken" />
-    </end-state>
-
-    <!-- abnormal exit point : Http 400 Bad Request -->
-    <end-state id="viewBadRequest" />
-
-    <!-- redirects to requestor idp -->
-    <end-state id="redirectToTrustedIDP">
-        <on-entry>
-            <evaluate expression="signInParamCacheAction.store(flowRequestContext)" />
-        </on-entry>
-        <output name="whr" value="flowScope.whr" />
-        <output name="wctx" value="flowScope.wctx" />
-        <output name="RelayState" value="flowScope.RelayState" />
-    </end-state>
-
-</flow>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml
deleted file mode 100644
index e060b46..0000000
--- a/services/idp/src/main/webapp/WEB-INF/federation-signin-response.xml
+++ /dev/null
@@ -1,72 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<flow xmlns="http://www.springframework.org/schema/webflow"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/webflow
-        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
-
-    <input name="idpConfig" />
-    <input name="wctx" />
-    <input name="wauth" />
-    <input name="wresult" />
-    <input name="RelayState" />
-    <input name="SAMLResponse" />
-
-    <on-start>
-        <!-- restore 'wreply','wtrealm','whr' for current 'wctx' -->
-        <evaluate expression="signInParamCacheAction.restore(flowRequestContext)" />
-    </on-start>
-
-    <!-- validate token issued by requestor IDP ('wresult') given its 'whr' -->
-    <action-state id="validateToken">
-        <evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext)"
-            result="flowScope.idpToken" result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" />
-        <transition to="checkCacheTrustedIdpToken" />
-        <transition
-            on-exception="org.apache.cxf.fediz.core.exception.ProcessingException"
-            to="viewBadRequest" />
-        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
-    </action-state>
-    
-    <action-state id="checkCacheTrustedIdpToken">
-        <evaluate expression="idpConfig.findTrustedIdp(flowScope.whr).cacheTokens" />
-        <transition on="yes" to="requestRpToken">
-            <set name="externalContext.sessionMap[flowScope.whr]"
-                    value="flowScope.idpToken" />
-        </transition>
-        <transition on="no" to="requestRpToken" />
-    </action-state>
-
-    <end-state id="requestRpToken">
-        <output name="whr" value="flowScope.whr" />
-        <output name="wctx" value="flowScope.wctx" />
-        <output name="wreply" value="flowScope.wreply" />
-        <output name="wtrealm" value="flowScope.wtrealm" />
-        <output name="idpToken" value="flowScope.idpToken" />
-    </end-state>
-
-    <!-- abnormal exit point : Http 400 Bad Request -->
-    <end-state id="viewBadRequest" />
-
-    <!-- abnormal exit point : Http 500 Internal Server Error -->
-    <end-state id="scInternalServerError" />
-
-</flow>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml
deleted file mode 100644
index 9184f7b..0000000
--- a/services/idp/src/main/webapp/WEB-INF/federation-validate-request.xml
+++ /dev/null
@@ -1,250 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<flow xmlns="http://www.springframework.org/schema/webflow"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://www.springframework.org/schema/webflow
-                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
-
-    <!-- protocol check -->
-    <decision-state id="WSFederationRequestCheck">
-        <on-entry>
-            <set name="flowScope.wtrealm" value="requestParameters.wtrealm" />
-            <set name="flowScope.wreply" value="requestParameters.wreply" />
-            <set name="flowScope.wctx" value="requestParameters.wctx" />
-            <set name="flowScope.wfresh" value="requestParameters.wfresh" />
-            <set name="flowScope.whr" value="requestParameters.whr" />
-            <set name="flowScope.wresult" value="requestParameters.wresult" />
-            <set name="flowScope.wreq" value="requestParameters.wreq" />
-            <set name="flowScope.RelayState" value="requestParameters.RelayState" />
-            <set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
-            <evaluate expression="requestScope.getString('wauth','default')"
-                result="flowScope.wauth" />
-            <set name="flowScope.idpConfig" value="config.getIDP(null)" />
-        </on-entry>
-        <if
-            test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
-            then="selectSignOutProcess" />
-        <if
-            test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" 
-            else="selectSAMLProcess" /> 
-    </decision-state>
-
-    <decision-state id="selectWsFedProcess">
-        <if
-            test="requestParameters.wtrealm == null or requestParameters.wtrealm.length() == 0"
-            then="viewBadRequest" />
-        <if
-            test="requestParameters.wresult == null or requestParameters.wresult.isEmpty()"
-            then="signinRequest" else="signinResponse" />
-    </decision-state>
-    
-    <decision-state id="selectSAMLProcess">
-        <if
-            test="requestParameters.RelayState == null or requestParameters.RelayState.length() == 0"
-            then="viewBadRequest" />
-        <if
-            test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.length() == 0"
-            then="viewBadRequest" else="signinResponse" />
-    </decision-state>
-
-    <decision-state id="selectSignOutProcess">
-        <on-entry>
-            <evaluate expression="@org.apache.cxf.fediz.service.idp.util.WebUtils@getHttpHeader(flowRequestContext, 'Referer')" result="flowScope.wreply"/>
-        </on-entry>
-        <if
-            test="requestParameters.wa == 'wsignout1.0' and flowScope.idpConfig.rpSingleSignOutConfirmation == true
-            or requestParameters.wa == 'wsignoutcleanup1.0' and flowScope.idpConfig.rpSingleSignOutCleanupConfirmation == true"
-            then="viewSignoutConfirmation" else="invalidateSessionAction" />
-    </decision-state>
-
-    <subflow-state id="signinRequest" subflow="signinRequest">
-        <input name="idpConfig" value="flowScope.idpConfig" />
-        <input name="wtrealm" value="flowScope.wtrealm" />
-        <input name="wreply" value="flowScope.wreply" />
-        <input name="wctx" value="flowScope.wctx" />
-        <input name="wfresh" value="flowScope.wfresh" />
-        <input name="wauth" value="flowScope.wauth" />
-        <input name="whr" value="flowScope.whr" />
-
-        <output name="whr" />
-        <output name="wctx" />
-        <output name="RelayState" />
-        <output name="idpToken" />
-
-        <transition on="requestRpToken" to="requestRpToken">
-            <set name="flowScope.whr" value="currentEvent.attributes.whr" />
-            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
-            <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
-        </transition>
-        <transition on="viewBadRequest" to="viewBadRequest" />
-        <transition on="scInternalServerError" to="scInternalServerError" />
-        <transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
-            <set name="flowScope.whr" value="currentEvent.attributes.whr" />
-            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
-            <set name="flowScope.RelayState" value="currentEvent.attributes.RelayState" />
-        </transition>
-        <transition on="redirectToLocalIDP" to="redirectToLocalIDP">
-            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
-        </transition>
-    </subflow-state>
-
-    <subflow-state id="signinResponse" subflow="signinResponse">
-        <input name="idpConfig" value="flowScope.idpConfig" />
-        <input name="wfresh" value="flowScope.wfresh" />
-        <input name="wctx" value="flowScope.wctx" />
-        <input name="wauth" value="flowScope.wauth" />
-        <input name="wresult" value="flowScope.wresult" />
-        <input name="RelayState" value="flowScope.RelayState" />
-        <input name="SAMLResponse" value="flowScope.SAMLResponse" />
-
-        <output name="wtrealm" />
-        <output name="wreply" />
-        <output name="wctx" />
-        <output name="whr" />
-        <output name="idpToken" />
-
-        <transition on="requestRpToken" to="requestRpToken">
-            <set name="flowScope.whr" value="currentEvent.attributes.whr" />
-            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
-            <set name="flowScope.wtrealm" value="currentEvent.attributes.wtrealm" />
-            <set name="flowScope.wreply" value="currentEvent.attributes.wreply" />
-            <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
-        </transition>
-        <transition on="viewBadRequest" to="viewBadRequest" />
-        <transition on="scInternalServerError" to="scInternalServerError" />
-    </subflow-state>
-
-    <!-- produce RP security token (as String type) -->
-    <action-state id="requestRpToken">
-        <on-entry>
-            <evaluate expression="stsClientForRpAction.submit(flowRequestContext)"
-                      result="flowScope.rpToken"/>
-        </on-entry>
-        <evaluate expression="signInParamCacheAction.storeRPUrlInSession(flowRequestContext)"
-                result="flowScope.res"/>
-        <transition to="isWReplyProvided" />
-        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
-        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
-    </action-state>
-    
-    <action-state id="processTrustedIdpProtocol">
-        <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext)"
-                      result="flowScope.remoteIdpUrl"/>
-        <transition to="redirectToTrustedIDP" />
-        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
-    </action-state>
-
-    <action-state id="isWReplyProvided">
-        <evaluate expression="flowScope.wreply != null" />
-        <transition on="yes" to="formResponseView" >
-            <set name="flowScope.signinResponseUrl" value="flowScope.wreply" />
-        </transition>
-        <transition on="no" to="formResponseView" >
-            <set name="flowScope.signinResponseUrl" value="flowScope.wtrealm" />
-        </transition>
-    </action-state>
-
-    <!-- normal exit point for login -->
-    <!-- browser redirection (self-submitted form 'signinresponseform.jsp') -->
-    <end-state id="formResponseView" view="signinresponseform">
-        <on-entry>
-            <evaluate expression="flowScope.signinResponseUrl" result="requestScope.fedAction" />
-            <evaluate expression="flowScope.wtrealm" result="requestScope.fedWTrealm" />
-            <evaluate expression="flowScope.wctx" result="requestScope.fedWCtx" />
-            <evaluate expression="flowScope.rpToken" result="requestScope.fedWResult" />
-        </on-entry>
-    </end-state>
-
-    <!-- abnormal exit point : Http 400 Bad Request -->
-    <end-state id="viewBadRequest" view="genericerror">
-        <on-entry>
-            <evaluate
-                expression="externalContext.nativeResponse.setStatus(400,flowRequestContext.currentTransition.toString())" />
-            <!--<set name="requestScope.reason" value="flowRequestContext.currentTransition" />-->
-        </on-entry>
-    </end-state>
-
-    <!-- abnormal exit point : Http 500 Internal Server Error -->
-    <end-state id="scInternalServerError" view="genericerror">
-        <on-entry>
-            <evaluate
-                expression="externalContext.nativeResponse.setStatus(500,'IDP is unavailable, please contact the administrator')" />
-            <set name="requestScope.reason"
-                value="'IDP is unavailable, please contact the administrator'" />
-            <set name="requestScope.stateException"
-                value="flowScope.stateException" />
-            <set name="requestScope.rootCauseException"
-                value="flowScope.rootCauseException" />
-        </on-entry>
-    </end-state>
-    
-    <!-- normal exit point for logout -->
-    <view-state id="viewSignoutConfirmation" view="signoutconfirmationresponse">
-        <transition on="submit" to="invalidateSessionAction"/>
-        <transition on="cancel" to="redirect" />
-    </view-state>
-
-    <view-state id="redirect" view="externalRedirect:${flowScope.wreply}" />
-
-    <!-- normal exit point for logout -->
-    <end-state id="invalidateSessionAction" view="signoutresponse">
-        <on-entry>
-            <!-- store the realmUrlMap in the request map before we invalidate the session below.
-            Its needed in the signoutresponse.jsp page -->
-            <set name="externalContext.requestMap.realmUrlMap" value="externalContext.sessionMap.realmUrlMap"/>
-            <!-- there is no Saml token canceller in cxf STS...
-            <evaluate expression="stsClientForRpAction.cancelTokens(flowRequestContext)" />
-            -->
-            <evaluate
-                expression="homeRealmReminder.removeCookie(flowRequestContext)" />
-            <evaluate expression="logoutAction.submit(flowRequestContext)" />
-        </on-entry>
-    </end-state>
-
-    <!-- redirect to remote idp -->
-    <end-state id="redirectToTrustedIDP" view="externalRedirect:${flowScope.remoteIdpUrl}">
-    <!-- 
-        <on-entry>
-            <set name="flowScope.remoteIdpUrl"
-                value="flowScope.idpConfig.findTrustedIdp(flowScope.whr).url
-                +'?wa=wsignin1.0'
-                +'&amp;wtrealm='+flowScope.idpConfig.realm
-                +'&amp;wreply='+flowScope.idpConfig.idpUrl
-                +(flowScope.wfresh != null ? '&amp;wfresh='+flowScope.wfresh : '')
-                +(flowScope.wctx != null ? '&amp;wctx='+flowScope.wctx : '')">
-            </set>
-        </on-entry>
-         --> 
-    </end-state>
-
-    <end-state id="redirectToLocalIDP" view="externalRedirect:${flowScope.localIdpUrl}">
-        <on-entry>
-            <set name="flowScope.localIdpUrl"
-                value="flowScope.idpConfig.idpUrl
-                +'?wa=wsignin1.0'
-                +'&amp;wreply='+flowScope.wreply
-                +'&amp;wtrealm='+flowScope.wtrealm
-                +(flowScope.wctx != null ? '&amp;wctx='+flowScope.wctx : '')
-                +(flowScope.wfresh != null ? '&amp;wfresh='+flowScope.wfresh : '')">
-            </set>
-        </on-entry>
-    </end-state>
-
-</flow>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
new file mode 100644
index 0000000..2fe2795
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/webflow
+        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <input name="idpConfig" />
+    <input name="wtrealm" />
+    <input name="wreply" />
+    <input name="wctx" />
+    <input name="wfresh" />
+    <input name="wauth" />
+    <input name="whr" />
+
+    <decision-state id="checkHRDSEnabled">
+        <if test="true" then="checkWhrInSigninRequest" else="checkDefaultToThisIDP" />
+    </decision-state>
+
+    <decision-state id="checkWhrInSigninRequest">
+        <if test="flowScope.whr == null or flowScope.whr.trim().isEmpty()"
+            then="checkHomeRealm" else="checkIsThisIDP" />
+    </decision-state>
+
+    <decision-state id="checkHomeRealm">
+        <if test="homeRealmReminder.readCookie(flowRequestContext) == null"
+            then="processHRDSExpression" else="restoreHomeRealm" />
+    </decision-state>
+
+    <action-state id="restoreHomeRealm">
+        <evaluate
+            expression="homeRealmReminder.readCookie(flowRequestContext).value"
+            result="flowScope.whr" />
+        <transition to="checkIsThisIDP" />
+    </action-state>
+
+    <action-state id="processHRDSExpression">
+        <!-- TODO -->
+        <evaluate
+            expression="processHRDSExpressionAction.submit(flowRequestContext)"
+            result="flowScope.whr" />
+        <transition on="" to="provideIDPListForUser" />
+        <transition to="checkIsThisIDP">
+            <evaluate
+                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.whr)" />
+        </transition>
+    </action-state>
+
+    <decision-state id="provideIDPListForUser">
+        <if
+            test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
+            then="checkDefaultToThisIDP" />
+        <if test="flowScope.idpConfig.isProvideIdpList() == false"
+            then="checkDefaultToThisIDP" else="showIDPList" />
+    </decision-state>
+
+    <decision-state id="checkDefaultToThisIDP">
+        <if test="flowScope.idpConfig.isUseCurrentIdp()" then="checkWauthTypeSupported"
+            else="viewBadRequest" />
+    </decision-state>
+
+    <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
+        <var name="trustedIDPSelection"
+            class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
+        <binder>
+            <binding property="whr" required="true" />
+        </binder>
+        <on-entry>
+            <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
+        </on-entry>
+        <transition on="submit" to="checkIsThisIDP" bind="true"
+            validate="true">
+            <set name="flowScope.whr" value="trustedIDPSelection.whr" />
+            <evaluate
+                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.whr)" />
+        </transition>
+        <transition on="cancel" to="checkDefaultToThisIDP"
+            bind="false" validate="false" />
+    </view-state>
+
+    <!-- Home Realm is known then we can store it in cookie -->
+    <decision-state id="checkIsThisIDP">
+        <if test="flowScope.idpConfig.realm.equals(flowScope.whr)"
+            then="checkWauthTypeSupported" else="checkIdpTokenWhrWauth" />
+    </decision-state>
+
+    <!-- ============================================================================================================= -->
+
+    <!-- Is 'wresult/RP-IDP token' already received and validated (then stored 
+        in session) from requestor IDP ? -->
+    <decision-state id="checkIdpTokenWhrWauth">
+        <if test="externalContext.sessionMap[flowScope.whr] != null"
+            then="wfreshParserRemoteAction" else="redirectToTrustedIDP" />
+    </decision-state>
+
+    <action-state id="wfreshParserRemoteAction">
+        <evaluate
+            expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr, flowRequestContext)" />
+        <transition on="yes" to="redirectToTrustedIDP" />
+        <transition on="no" to="requestRpToken" >
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
+        </transition>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+
+    <decision-state id="checkWauthTypeSupported">
+        <on-entry>
+            <!-- Here, home realm is guaranteed to be THIS realm -->
+            <set name="flowScope.whr" value="flowScope.idpConfig.realm" />
+        </on-entry>
+        <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
+            then="viewBadRequest" />
+        <if
+            test="flowScope.idpConfig.getAuthenticationURIs().get(flowScope.wauth) != null"
+            then="checkIdpTokenWauth" else="viewBadRequest" />
+    </decision-state>
+
+    <decision-state id="checkIdpTokenWauth">
+        <!-- check presence of cached IDP token for THIS realm -->
+        <if test="externalContext.sessionMap[flowScope.whr] == null"
+            then="cacheTokenForWauth" else="wfreshParserAction" />
+    </decision-state>
+
+    <!-- parse wfresh parameter, provided by resource RP, overriding ttl 
+        from 'IDP_TOKEN' -->
+    <action-state id="wfreshParserAction">
+        <evaluate
+            expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr, flowRequestContext)" />
+        <transition on="yes" to="redirectToLocalIDP" />
+        <transition on="no" to="requestRpToken">
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
+        </transition>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+
+    <end-state id="redirectToLocalIDP">
+        <on-entry>
+            <evaluate expression="logoutAction.submit(flowRequestContext)" />
+        </on-entry>
+        <output name="wctx" value="flowScope.wctx" />
+    </end-state>
+
+    <action-state id="cacheTokenForWauth">
+        <secured attributes="IS_AUTHENTICATED_FULLY" />
+        <evaluate expression="cacheTokenForWauthAction.submit(flowRequestContext)" />
+        <transition to="requestRpToken">
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
+        </transition>
+    </action-state>
+
+    <!-- ============================================================================================================= -->
+
+    <!-- normal exit point -->
+    <end-state id="requestRpToken">
+        <output name="whr" value="flowScope.whr" />
+        <output name="wctx" value="flowScope.wctx" />
+        <output name="idpToken" value="flowScope.idpToken" />
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest" />
+
+    <!-- redirects to requestor idp -->
+    <end-state id="redirectToTrustedIDP">
+        <on-entry>
+            <evaluate expression="signInParamCacheAction.store(flowRequestContext)" />
+        </on-entry>
+        <output name="whr" value="flowScope.whr" />
+        <output name="wctx" value="flowScope.wctx" />
+        <output name="RelayState" value="flowScope.RelayState" />
+    </end-state>
+
+</flow>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
new file mode 100644
index 0000000..e060b46
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-response.xml
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/webflow
+        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <input name="idpConfig" />
+    <input name="wctx" />
+    <input name="wauth" />
+    <input name="wresult" />
+    <input name="RelayState" />
+    <input name="SAMLResponse" />
+
+    <on-start>
+        <!-- restore 'wreply','wtrealm','whr' for current 'wctx' -->
+        <evaluate expression="signInParamCacheAction.restore(flowRequestContext)" />
+    </on-start>
+
+    <!-- validate token issued by requestor IDP ('wresult') given its 'whr' -->
+    <action-state id="validateToken">
+        <evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext)"
+            result="flowScope.idpToken" result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" />
+        <transition to="checkCacheTrustedIdpToken" />
+        <transition
+            on-exception="org.apache.cxf.fediz.core.exception.ProcessingException"
+            to="viewBadRequest" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+    
+    <action-state id="checkCacheTrustedIdpToken">
+        <evaluate expression="idpConfig.findTrustedIdp(flowScope.whr).cacheTokens" />
+        <transition on="yes" to="requestRpToken">
+            <set name="externalContext.sessionMap[flowScope.whr]"
+                    value="flowScope.idpToken" />
+        </transition>
+        <transition on="no" to="requestRpToken" />
+    </action-state>
+
+    <end-state id="requestRpToken">
+        <output name="whr" value="flowScope.whr" />
+        <output name="wctx" value="flowScope.wctx" />
+        <output name="wreply" value="flowScope.wreply" />
+        <output name="wtrealm" value="flowScope.wtrealm" />
+        <output name="idpToken" value="flowScope.idpToken" />
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest" />
+
+    <!-- abnormal exit point : Http 500 Internal Server Error -->
+    <end-state id="scInternalServerError" />
+
+</flow>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
new file mode 100644
index 0000000..9184f7b
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -0,0 +1,250 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/webflow
+                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <!-- protocol check -->
+    <decision-state id="WSFederationRequestCheck">
+        <on-entry>
+            <set name="flowScope.wtrealm" value="requestParameters.wtrealm" />
+            <set name="flowScope.wreply" value="requestParameters.wreply" />
+            <set name="flowScope.wctx" value="requestParameters.wctx" />
+            <set name="flowScope.wfresh" value="requestParameters.wfresh" />
+            <set name="flowScope.whr" value="requestParameters.whr" />
+            <set name="flowScope.wresult" value="requestParameters.wresult" />
+            <set name="flowScope.wreq" value="requestParameters.wreq" />
+            <set name="flowScope.RelayState" value="requestParameters.RelayState" />
+            <set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
+            <evaluate expression="requestScope.getString('wauth','default')"
+                result="flowScope.wauth" />
+            <set name="flowScope.idpConfig" value="config.getIDP(null)" />
+        </on-entry>
+        <if
+            test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
+            then="selectSignOutProcess" />
+        <if
+            test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" 
+            else="selectSAMLProcess" /> 
+    </decision-state>
+
+    <decision-state id="selectWsFedProcess">
+        <if
+            test="requestParameters.wtrealm == null or requestParameters.wtrealm.length() == 0"
+            then="viewBadRequest" />
+        <if
+            test="requestParameters.wresult == null or requestParameters.wresult.isEmpty()"
+            then="signinRequest" else="signinResponse" />
+    </decision-state>
+    
+    <decision-state id="selectSAMLProcess">
+        <if
+            test="requestParameters.RelayState == null or requestParameters.RelayState.length() == 0"
+            then="viewBadRequest" />
+        <if
+            test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.length() == 0"
+            then="viewBadRequest" else="signinResponse" />
+    </decision-state>
+
+    <decision-state id="selectSignOutProcess">
+        <on-entry>
+            <evaluate expression="@org.apache.cxf.fediz.service.idp.util.WebUtils@getHttpHeader(flowRequestContext, 'Referer')" result="flowScope.wreply"/>
+        </on-entry>
+        <if
+            test="requestParameters.wa == 'wsignout1.0' and flowScope.idpConfig.rpSingleSignOutConfirmation == true
+            or requestParameters.wa == 'wsignoutcleanup1.0' and flowScope.idpConfig.rpSingleSignOutCleanupConfirmation == true"
+            then="viewSignoutConfirmation" else="invalidateSessionAction" />
+    </decision-state>
+
+    <subflow-state id="signinRequest" subflow="signinRequest">
+        <input name="idpConfig" value="flowScope.idpConfig" />
+        <input name="wtrealm" value="flowScope.wtrealm" />
+        <input name="wreply" value="flowScope.wreply" />
+        <input name="wctx" value="flowScope.wctx" />
+        <input name="wfresh" value="flowScope.wfresh" />
+        <input name="wauth" value="flowScope.wauth" />
+        <input name="whr" value="flowScope.whr" />
+
+        <output name="whr" />
+        <output name="wctx" />
+        <output name="RelayState" />
+        <output name="idpToken" />
+
+        <transition on="requestRpToken" to="requestRpToken">
+            <set name="flowScope.whr" value="currentEvent.attributes.whr" />
+            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+            <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+        </transition>
+        <transition on="viewBadRequest" to="viewBadRequest" />
+        <transition on="scInternalServerError" to="scInternalServerError" />
+        <transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
+            <set name="flowScope.whr" value="currentEvent.attributes.whr" />
+            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+            <set name="flowScope.RelayState" value="currentEvent.attributes.RelayState" />
+        </transition>
+        <transition on="redirectToLocalIDP" to="redirectToLocalIDP">
+            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+        </transition>
+    </subflow-state>
+
+    <subflow-state id="signinResponse" subflow="signinResponse">
+        <input name="idpConfig" value="flowScope.idpConfig" />
+        <input name="wfresh" value="flowScope.wfresh" />
+        <input name="wctx" value="flowScope.wctx" />
+        <input name="wauth" value="flowScope.wauth" />
+        <input name="wresult" value="flowScope.wresult" />
+        <input name="RelayState" value="flowScope.RelayState" />
+        <input name="SAMLResponse" value="flowScope.SAMLResponse" />
+
+        <output name="wtrealm" />
+        <output name="wreply" />
+        <output name="wctx" />
+        <output name="whr" />
+        <output name="idpToken" />
+
+        <transition on="requestRpToken" to="requestRpToken">
+            <set name="flowScope.whr" value="currentEvent.attributes.whr" />
+            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+            <set name="flowScope.wtrealm" value="currentEvent.attributes.wtrealm" />
+            <set name="flowScope.wreply" value="currentEvent.attributes.wreply" />
+            <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+        </transition>
+        <transition on="viewBadRequest" to="viewBadRequest" />
+        <transition on="scInternalServerError" to="scInternalServerError" />
+    </subflow-state>
+
+    <!-- produce RP security token (as String type) -->
+    <action-state id="requestRpToken">
+        <on-entry>
+            <evaluate expression="stsClientForRpAction.submit(flowRequestContext)"
+                      result="flowScope.rpToken"/>
+        </on-entry>
+        <evaluate expression="signInParamCacheAction.storeRPUrlInSession(flowRequestContext)"
+                result="flowScope.res"/>
+        <transition to="isWReplyProvided" />
+        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+    
+    <action-state id="processTrustedIdpProtocol">
+        <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext)"
+                      result="flowScope.remoteIdpUrl"/>
+        <transition to="redirectToTrustedIDP" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+
+    <action-state id="isWReplyProvided">
+        <evaluate expression="flowScope.wreply != null" />
+        <transition on="yes" to="formResponseView" >
+            <set name="flowScope.signinResponseUrl" value="flowScope.wreply" />
+        </transition>
+        <transition on="no" to="formResponseView" >
+            <set name="flowScope.signinResponseUrl" value="flowScope.wtrealm" />
+        </transition>
+    </action-state>
+
+    <!-- normal exit point for login -->
+    <!-- browser redirection (self-submitted form 'signinresponseform.jsp') -->
+    <end-state id="formResponseView" view="signinresponseform">
+        <on-entry>
+            <evaluate expression="flowScope.signinResponseUrl" result="requestScope.fedAction" />
+            <evaluate expression="flowScope.wtrealm" result="requestScope.fedWTrealm" />
+            <evaluate expression="flowScope.wctx" result="requestScope.fedWCtx" />
+            <evaluate expression="flowScope.rpToken" result="requestScope.fedWResult" />
+        </on-entry>
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest" view="genericerror">
+        <on-entry>
+            <evaluate
+                expression="externalContext.nativeResponse.setStatus(400,flowRequestContext.currentTransition.toString())" />
+            <!--<set name="requestScope.reason" value="flowRequestContext.currentTransition" />-->
+        </on-entry>
+    </end-state>
+
+    <!-- abnormal exit point : Http 500 Internal Server Error -->
+    <end-state id="scInternalServerError" view="genericerror">
+        <on-entry>
+            <evaluate
+                expression="externalContext.nativeResponse.setStatus(500,'IDP is unavailable, please contact the administrator')" />
+            <set name="requestScope.reason"
+                value="'IDP is unavailable, please contact the administrator'" />
+            <set name="requestScope.stateException"
+                value="flowScope.stateException" />
+            <set name="requestScope.rootCauseException"
+                value="flowScope.rootCauseException" />
+        </on-entry>
+    </end-state>
+    
+    <!-- normal exit point for logout -->
+    <view-state id="viewSignoutConfirmation" view="signoutconfirmationresponse">
+        <transition on="submit" to="invalidateSessionAction"/>
+        <transition on="cancel" to="redirect" />
+    </view-state>
+
+    <view-state id="redirect" view="externalRedirect:${flowScope.wreply}" />
+
+    <!-- normal exit point for logout -->
+    <end-state id="invalidateSessionAction" view="signoutresponse">
+        <on-entry>
+            <!-- store the realmUrlMap in the request map before we invalidate the session below.
+            Its needed in the signoutresponse.jsp page -->
+            <set name="externalContext.requestMap.realmUrlMap" value="externalContext.sessionMap.realmUrlMap"/>
+            <!-- there is no Saml token canceller in cxf STS...
+            <evaluate expression="stsClientForRpAction.cancelTokens(flowRequestContext)" />
+            -->
+            <evaluate
+                expression="homeRealmReminder.removeCookie(flowRequestContext)" />
+            <evaluate expression="logoutAction.submit(flowRequestContext)" />
+        </on-entry>
+    </end-state>
+
+    <!-- redirect to remote idp -->
+    <end-state id="redirectToTrustedIDP" view="externalRedirect:${flowScope.remoteIdpUrl}">
+    <!-- 
+        <on-entry>
+            <set name="flowScope.remoteIdpUrl"
+                value="flowScope.idpConfig.findTrustedIdp(flowScope.whr).url
+                +'?wa=wsignin1.0'
+                +'&amp;wtrealm='+flowScope.idpConfig.realm
+                +'&amp;wreply='+flowScope.idpConfig.idpUrl
+                +(flowScope.wfresh != null ? '&amp;wfresh='+flowScope.wfresh : '')
+                +(flowScope.wctx != null ? '&amp;wctx='+flowScope.wctx : '')">
+            </set>
+        </on-entry>
+         --> 
+    </end-state>
+
+    <end-state id="redirectToLocalIDP" view="externalRedirect:${flowScope.localIdpUrl}">
+        <on-entry>
+            <set name="flowScope.localIdpUrl"
+                value="flowScope.idpConfig.idpUrl
+                +'?wa=wsignin1.0'
+                +'&amp;wreply='+flowScope.wreply
+                +'&amp;wtrealm='+flowScope.wtrealm
+                +(flowScope.wctx != null ? '&amp;wctx='+flowScope.wctx : '')
+                +(flowScope.wfresh != null ? '&amp;wfresh='+flowScope.wfresh : '')">
+            </set>
+        </on-entry>
+    </end-state>
+
+</flow>
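Review bot: On the sign-out path the `Referer` header is copied straight into `flowScope.wreply` in the `selectSignOutProcess` on-entry, and `<view-state id="redirect" view="externalRedirect:${flowScope.wreply}" />` then redirects to it verbatim when the user cancels the confirmation, so the target is whatever page linked to the IDP rather than a registered relying party. The impact is bounded (the user is sent back to the page they came from), but it is still an unvalidated redirect on an IDP endpoint, and the same flow already keeps `externalContext.sessionMap.realmUrlMap` for the signout response, which by its name holds the RP URLs for the session. Checking `wreply` against that map before entering `redirect`, and falling back to `flowScope.idpConfig.idpUrl` when it does not match, would close the gap; a comment such as `<!-- wreply here comes from the Referer header, not from a validated RP -->` is the minimum if validation is deferred. This file appears to be moved from `WEB-INF/` without content changes, so the behaviour predates the commit.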

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/genericerror.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/genericerror.jsp b/services/idp/src/main/webapp/WEB-INF/genericerror.jsp
deleted file mode 100644
index c31c77c..0000000
--- a/services/idp/src/main/webapp/WEB-INF/genericerror.jsp
+++ /dev/null
@@ -1,11 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>IDP generic error page</title>
-</head>
-<body>
-	<h1>Sorry, CXF Fediz IDP cannot satisfy your request.</h1>
-	<p>Reason : ${reason}</p>
-</body>
-</html>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
index a7bc370..1d80557 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
@@ -18,14 +18,17 @@
   under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xmlns:webflow="http://www.springframework.org/schema/webflow-config"
-       xmlns:p="http://www.springframework.org/schema/p"
-       xmlns:context="http://www.springframework.org/schema/context"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:webflow="http://www.springframework.org/schema/webflow-config"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:mvc="http://www.springframework.org/schema/mvc"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context-3.1.xsd
+        http://www.springframework.org/schema/mvc
+        http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
         http://www.springframework.org/schema/webflow-config
         http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
 
@@ -33,6 +36,10 @@
     
     <context:component-scan base-package="org.apache.cxf.fediz.service.idp.beans" />
 
+    <mvc:resources mapping="/images/**" location="/resources/images/" />
+	<mvc:view-controller path="/" view-name="index" />
+	<mvc:view-controller path="/federation/up/login" view-name="signinform" />
+
     <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
         p:flowRegistry-ref="flowRegistry" p:order="2">
     </bean>
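Review bot: The two new `<mvc:view-controller>` lines are indented with a tab while the surrounding file (including the `<mvc:resources>` line directly above) uses four spaces, so `    <mvc:view-controller path="/" view-name="index" />` and the `signinform` line should be re-indented with spaces to keep the file consistent. The `/federation/up/login` mapping also publishes the sign-in form at a fixed path with no processing endpoint visible in this file, and since this mapping is expected to take precedence over the `FlowHandlerMapping` at `p:order="2"`, a reader will otherwise assume Web Flow serves it; a one-line comment stating where the form submits, e.g. `<!-- sign-in form view only; credentials are processed by the /federation/up security chain -->`, would avoid that.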
@@ -47,9 +54,9 @@
                 value="false" />
         </webflow:flow-execution-attributes>
 
-        <webflow:flow-execution-listeners>
-            <webflow:listener ref="securityFlowExecutionListener" />
-        </webflow:flow-execution-listeners>
+	<webflow:flow-execution-listeners>
+	    <webflow:listener ref="securityFlowExecutionListener" />
+	</webflow:flow-execution-listeners>
     </webflow:flow-executor>
 
     <bean id="securityFlowExecutionListener"
@@ -74,16 +81,16 @@
     <webflow:flow-registry id="flowRegistry"
         flow-builder-services="builder">
         <webflow:flow-location
-            path="/WEB-INF/federation-validate-request.xml" id="federation" />
+            path="/WEB-INF/flows/federation-validate-request.xml" id="federation" />
         <webflow:flow-location
-            path="/WEB-INF/federation-validate-request.xml" id="federation/up" />
+            path="/WEB-INF/flows/federation-validate-request.xml" id="federation/up" />
         <webflow:flow-location
-            path="/WEB-INF/federation-validate-request.xml" id="federation/krb" />
+            path="/WEB-INF/flows/federation-validate-request.xml" id="federation/krb" />
         <webflow:flow-location
-            path="/WEB-INF/federation-validate-request.xml" id="federation/clientcert" />
-        <webflow:flow-location path="/WEB-INF/federation-signin-request.xml"
+            path="/WEB-INF/flows/federation-validate-request.xml" id="federation/clientcert" />
+        <webflow:flow-location path="/WEB-INF/flows/federation-signin-request.xml"
             id="signinRequest" />
-        <webflow:flow-location path="/WEB-INF/federation-signin-response.xml"
+        <webflow:flow-location path="/WEB-INF/flows/federation-signin-response.xml"
             id="signinResponse" />
     </webflow:flow-registry>
 
@@ -104,7 +111,7 @@
 
     <bean id="viewResolver"
         class="org.springframework.web.servlet.view.InternalResourceViewResolver">
-        <property name="prefix" value="/WEB-INF/" />
+        <property name="prefix" value="/WEB-INF/views/" />
         <property name="suffix" value=".jsp" />
     </bean>
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/idplist.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idplist.jsp b/services/idp/src/main/webapp/WEB-INF/idplist.jsp
deleted file mode 100644
index dc87376..0000000
--- a/services/idp/src/main/webapp/WEB-INF/idplist.jsp
+++ /dev/null
@@ -1,34 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<%@page import="java.util.Map"%>
-<%@page import="org.apache.cxf.fediz.service.idp.domain.Idp"%>
-<%@page import="org.apache.cxf.fediz.service.idp.domain.TrustedIdp"%>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
-<html>
-<head>
-<title>Trusted IDP List</title>
-</head>
-<body>
-	<h1>Trusted IDP List</h1>
-	<i>Where are you from? Please, select one Identity Provider in the list which is able to authenticate you. </i>
-	<form:form method="POST" id="idplist" name="idplist">
-		<br />
-        <%
-            Idp idpConfig = (Idp)request.getAttribute("idpConfig");
-        %>
-      <select name="whr">
-        <option value="<%=idpConfig.getRealm()%>" selected="selected" ><%=idpConfig.getServiceDescription()%></option>
-        <%
-            for (TrustedIdp trustedIDP : idpConfig.getTrustedIdps()) {
-        %>
-        <option value="<%=trustedIDP.getRealm()%>"><%=trustedIDP.getDescription()%></option>
-        <% } %>
-      </select>
-      <br />
-      <input type="hidden" id="execution" name="execution" value="${flowExecutionKey}"/>
-      <br />
-      <input type="submit" name="_eventId_submit" value="Select Home Realm" />
-      <input type="submit" name="_eventId_cancel" value="Cancel" />
-    </form:form>
-</body>
-</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index a3413bb..9f16898 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -79,17 +79,27 @@
     <security:http pattern="/federation" use-expressions="true" entry-point-ref="federationEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
-        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
     </security:http>
     
     <!-- HTTP/BA entry point -->
-    <security:http pattern="/federation/up" use-expressions="true">
+    <security:http pattern="/federation/up/**" use-expressions="true">
+		<security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous() or isAuthenticated()" />
         <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
-        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
 
         <security:http-basic />
-        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+		<!--security:form-login login-page='/federation/up/login'
+			login-processing-url="/federation/up/login.do"
+			authentication-failure-url="/federation/up/login?error" 
+			default-target-url="/"
+			username-parameter="username" 
+			password-parameter="password"
+			/-->
+		<security:logout logout-url="/federation/up/logout" 
+			logout-success-url="/federation/up/login?out" 
+			delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+			invalidate-session="true" 
+			/>
     </security:http>
     
     <!-- Kerberos entry point -->
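Review bot: The `requires-channel="https"` rule added on L1322 only covers `/federation/up/login*`, yet the same `/federation/up/**` chain keeps `<security:http-basic />`, so Basic credentials sent to any other path under it (the sign-in endpoint itself, the new `/federation/up/logout`) are not forced onto TLS by this config; unless `stsUPPortFilter` (defined outside this hunk) already enforces that, add a catch-all after the login rule, `<security:intercept-url requires-channel="https" pattern="/federation/up/**" />`. The `form-login` element on L1329-1335 is committed commented out, while the new sign-in view in this same commit posts its credentials to `login.do`; as committed nothing processes that URL, so either enable the element or keep the view on the web-flow submit. The inserted lines (L1322, L1329-L1340) are tab-indented whereas the rest of the element uses four spaces.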
@@ -104,7 +114,6 @@
     <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
-        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
 
         <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
         <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
@@ -114,7 +123,6 @@
     <security:http pattern="/federation/clientcert" use-expressions="true">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
-        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
 
         <security:x509 />
         <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/signinform.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/signinform.jsp b/services/idp/src/main/webapp/WEB-INF/signinform.jsp
deleted file mode 100644
index 250bb35..0000000
--- a/services/idp/src/main/webapp/WEB-INF/signinform.jsp
+++ /dev/null
@@ -1,18 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
-<html>
-<head>
-<title>IDP SignIn Request Form</title>
-</head>
-<body>
-	<h1>IDP SignIn Request Form</h1>
-	<form:form method="POST" id="signinform" name="signinform" >
-		<br />
-		userid   : <input type="text" name="username" size="32" /><br />
-		password : <input type="password" name="password" size="32" /><br />
-		<input type="hidden" id="execution" name="execution" value="${flowExecutionKey}"/>
-		<input type="submit" name="_eventId_authenticate" value="Authenticate" /><br />
-	</form:form>
-</body>
-</html>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/signinresponseform.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/signinresponseform.jsp b/services/idp/src/main/webapp/WEB-INF/signinresponseform.jsp
deleted file mode 100644
index 7a98789..0000000
--- a/services/idp/src/main/webapp/WEB-INF/signinresponseform.jsp
+++ /dev/null
@@ -1,25 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
-
-<html>
-<head>
-<title>IDP SignIn Response Form</title>
-</head>
-<body>
-	<form:form method="POST" id="signinresponseform" name="signinresponseform" action="${fedAction}" htmlEscape="true">
-        <input type="hidden" name="wa" value="wsignin1.0" /><br />
-        <input type="hidden" name="wresult" value="${fedWResult}" /><br />
-        <% String wctx = (String)request.getAttribute("fedWCtx");
-           if (wctx != null && !wctx.isEmpty()) { %>
-        	<input type="hidden" name="wctx" value="${fedWCtx}" /><br />
-	    <% } %>
-        <input type="hidden" name="wtrealm" value="${fedWTrealm}" /><br />
-  		<noscript>
-		<p>Script is disabled. Click Submit to continue.</p>
-		<input type="submit" name="_eventId_submit" value="Submit" /><br />
- 		</noscript>
-	</form:form>
- 	<script language="javascript">window.setTimeout('document.forms[0].submit()',0);</script>
-</body>
-</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/signoutconfirmationresponse.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/signoutconfirmationresponse.jsp b/services/idp/src/main/webapp/WEB-INF/signoutconfirmationresponse.jsp
deleted file mode 100644
index cc9479a..0000000
--- a/services/idp/src/main/webapp/WEB-INF/signoutconfirmationresponse.jsp
+++ /dev/null
@@ -1,56 +0,0 @@
-<%@ page import="java.util.Map" %>
-<%@ page import="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" %>
-<%@ page import="org.apache.cxf.fediz.core.FederationConstants" %>
-<%@ page import="java.util.List" %>
-<%@ page import="java.util.Iterator" %>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<title>IDP SignOut Confirmation Response Page</title>
-</head>
-<body>
-    <%
-        @SuppressWarnings("unchecked")
-        Map<String, String> rum =
-                (Map<String, String>) request.getSession().getAttribute(SigninParametersCacheAction.REALM_URL_MAP);
-
-        if (rum == null) {
-    %>
-	        <p>You have already logged out</p>
-    <%
-        } else {
-    %>
-	        <h1>Logout from the following realms?</h1>
-	   
-    <%
-            Iterator<Map.Entry<String, String>> iterator = rum.entrySet().iterator();
-                
-            while (iterator.hasNext()) {
-                Map.Entry<String, String> next = iterator.next();
-                String rpUri = next.getValue();
-                if (rpUri != null) {
-    %>
-                    <p>
-                    Will logout on RP: <%= rpUri%>
-                    </p>
-                    <br/>
-    <%
-                }
-            }
-        }
-        
-        if (rum != null && !rum.isEmpty()) {
-    %>
-        <form:form method="POST" id="signoutconfirmationresponseform" name="signoutconfirmationresponseform">
-            <input type="hidden" name="wa" value="wsignout1.0" />
-            <input type="hidden" id="execution" name="execution" value="${flowExecutionKey}" />
-            <input type="submit" name="_eventId_submit" value="Logout" />
-            <input type="submit" name="_eventId_cancel" value="Cancel" />
-        </form:form>
-    <%     
-        }
-    %>
-</body>
-</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/signoutresponse.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/signoutresponse.jsp b/services/idp/src/main/webapp/WEB-INF/signoutresponse.jsp
deleted file mode 100644
index 71110bf..0000000
--- a/services/idp/src/main/webapp/WEB-INF/signoutresponse.jsp
+++ /dev/null
@@ -1,48 +0,0 @@
-<%@ page import="java.util.Map" %>
-<%@ page import="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" %>
-<%@ page import="org.apache.cxf.fediz.core.FederationConstants" %>
-<%@ page import="java.util.List" %>
-<%@ page import="java.util.Iterator" %>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<title>IDP SignOut Response Page</title>
-</head>
-<body>
-    <%
-        @SuppressWarnings("unchecked")
-        Map<String, String> rum =
-                (Map<String, String>) request.getAttribute(SigninParametersCacheAction.REALM_URL_MAP);
-
-        if (rum == null) {
-    %>
-	        <p>You have already logged out</p>
-    <%
-        } else {
-    %>
-            <h1>CXF Fediz IDP successful logout.</h1>
-        
-            <p>
-    <%
-            Iterator<Map.Entry<String, String>> iterator = rum.entrySet().iterator();
-            
-            while (iterator.hasNext()) {
-                Map.Entry<String, String> next = iterator.next();
-                String rpUri = next.getValue();
-                if (rpUri != null) {
-    %>
-                    Logout status of RP <%= rpUri%>:
-                    <img src="<%=rpUri + "?" + FederationConstants.PARAM_ACTION + "=" + FederationConstants.ACTION_SIGNOUT_CLEANUP %>"/>
-                    <br/>
-    <%
-                }
-            }
-    %>
-	        </p>
-    <%
-        }
-    %>
-</body>
-</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/views/genericerror.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/views/genericerror.jsp b/services/idp/src/main/webapp/WEB-INF/views/genericerror.jsp
new file mode 100644
index 0000000..c31c77c
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/views/genericerror.jsp
@@ -0,0 +1,11 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>IDP generic error page</title>
+</head>
+<body>
+	<h1>Sorry, CXF Fediz IDP cannot satisfy your request.</h1>
+	<p>Reason : ${reason}</p>
+</body>
+</html>
\ No newline at end of file
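Review bot: `${reason}` on L1561 is written into the page body unescaped; JSP EL does not HTML-escape, and if the flow ever sets `reason` from an exception message or a request parameter (not visible here) this becomes reflected XSS on the IdP. Emit it through JSTL instead: `<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>` at the top and `<p>Reason : <c:out value="${reason}"/></p>`. The `charset=ISO-8859-1` meta on L1556 should also match the JSP's actual output encoding, or be dropped.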

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/views/idplist.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/views/idplist.jsp b/services/idp/src/main/webapp/WEB-INF/views/idplist.jsp
new file mode 100644
index 0000000..13b68ef
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/views/idplist.jsp
@@ -0,0 +1,31 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<%@page import="java.util.Map"%>
+<%@page import="org.apache.cxf.fediz.service.idp.model.IDPConfig"%>
+<%@page import="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig"%>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<html>
+<head>
+<title>Trusted IDP List</title>
+</head>
+<body>
+	<h1>Trusted IDP List</h1>
+	<i>Where are you from? Please, select one Identity Provider in the list which is able to authenticate you. </i>
+	<form:form method="POST" id="idplist" name="idplist">
+		<br />
+        <% IDPConfig idpConfig = (IDPConfig)request.getAttribute("idpConfig");
+        Map<String, TrustedIDPConfig> trustedIDPs = idpConfig.getTrustedIDPs(); %>
+      <select name="whr">
+        <option value="<%=idpConfig.getRealm()%>" selected="selected" ><%=idpConfig.getServiceDescription()%></option>
+        <% for (TrustedIDPConfig trustedIDP : trustedIDPs.values()) { %>
+        <option value="<%=trustedIDP.getRealm()%>"><%=trustedIDP.getDescription()%></option>
+        <% } %>
+      </select>
+      <br />
+      <input type="hidden" id="execution" name="execution" value="${flowExecutionKey}"/>
+      <br />
+      <input type="submit" name="_eventId_submit" value="Select Home Realm" />
+      <input type="submit" name="_eventId_cancel" value="Cancel" />
+    </form:form>
+</body>
+</html>
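Review bot: The new view imports `org.apache.cxf.fediz.service.idp.model.IDPConfig` / `TrustedIDPConfig` (L1576-L1577) and iterates a `Map` from `getTrustedIDPs()` (L1590), whereas the view it replaces had already moved to `org.apache.cxf.fediz.service.idp.domain.Idp` / `TrustedIdp` with `getTrustedIdps()` (L1273-L1274, L1292); this looks like the file was re-created from an older copy, and if the `model` classes no longer exist the JSP only fails when first rendered, since JSP compilation is lazy. Restore the `domain` types and the list iteration from the deleted view. The `<%= … %>` realm and description values are emitted unescaped; they come from IdP configuration rather than the request, so this is low risk, but wrapping them in `<c:out>` would cost nothing.
```jsp
<%@page import="org.apache.cxf.fediz.service.idp.domain.Idp"%>
<%@page import="org.apache.cxf.fediz.service.idp.domain.TrustedIdp"%>
<%-- … unchanged: taglibs, head, form opening … --%>
        <% Idp idpConfig = (Idp)request.getAttribute("idpConfig"); %>
      <select name="whr">
        <option value="<%=idpConfig.getRealm()%>" selected="selected" ><%=idpConfig.getServiceDescription()%></option>
        <% for (TrustedIdp trustedIDP : idpConfig.getTrustedIdps()) { %>
        <option value="<%=trustedIDP.getRealm()%>"><%=trustedIDP.getDescription()%></option>
        <% } %>
      </select>
```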

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/views/index.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/views/index.jsp b/services/idp/src/main/webapp/WEB-INF/views/index.jsp
new file mode 100644
index 0000000..1a1ef1d
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/views/index.jsp
@@ -0,0 +1,25 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML><HEAD><TITLE>WS Federation Tomcat Examples</TITLE>
+<META http-equiv=Content-Type content="text/html">
+</HEAD>
+<BODY>
+<P>
+<H3>Hello World</H3>
+<P></P>
+</BODY></HTML>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/views/signinform.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/views/signinform.jsp b/services/idp/src/main/webapp/WEB-INF/views/signinform.jsp
new file mode 100644
index 0000000..bcd7916
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/views/signinform.jsp
@@ -0,0 +1,72 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<html>
+	<head>
+		<title>IDP SignIn Request Form</title>
+		<style type="text/css">
+			.error 			{
+								color: #a94442 !important;
+								background-color: #f2dede !important;
+								border-color: #ebccd1 !important;
+							}
+			.msg 			{
+								padding: 15px;
+								border: 1px solid transparent;
+								border-radius: 4px;
+								color: #31708f;
+								background-color: #d9edf7;
+								border-color: #bce8f1;
+								margin: auto;
+								text-align: center;
+								margin-top: 5px;
+								width: 60%;
+							}
+			h1				{
+								font-size: 24px;
+								margin-top: 25px;
+							}
+			body			{
+								font-family:arial;
+							}
+			label			{
+								width: 90px;
+								display: inline-block;
+							}
+			#login_form		{
+								width: 250px;
+							}
+			#submit_button	{
+								float: right;
+								margin: 5px 12px;
+							}
+		</style>
+	</head>
+	<body onload='document.signinform.username.focus();'>
+		<img src="<c:url value='/images/apache-logo.png' />" alt="Apache Logo" style="margin:5px auto">
+		
+		<c:if test="${param.error != null}">
+			<div class="msg error"><b>Login Failed</b><br />
+                Username and password do not match. Please try again.</div>
+		</c:if>
+		<c:if test="${param.out != null}">
+			<div class="msg info"><b>Logout successful</b></div>
+		</c:if>
+		
+		<h1>Fediz IDP Login</h1>
+		
+		<form:form method="POST" id="signinform" name="signinform" action="login.do" >
+			<div id="login_form">
+				<label for="username">UserId</label>
+				<input type="text" id="username" name="username" placeholder="username" />
+				<br />
+				<label for="password">Password</label>
+				<input type="password" id="password" name="password" placeholder="password" />
+				<br />
+				<!--input type="hidden" id="execution" name="execution" value="${flowExecutionKey}"/-->
+				<input type="submit" id="submit_button" name="authenticate" value="Authenticate" />
+			</div>
+		</form:form>
+	</body>
+</html>
\ No newline at end of file
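Review bot: The form on L1706 posts the username and password to `login.do`, but the only consumer of that URL in this commit, the `form-login` element in security-config.xml, is committed commented out, and the web-flow `execution` field and `_eventId_authenticate` event name from the deleted view are commented out (L1714) or renamed (L1715); as committed a submit neither authenticates through Spring Security nor resumes the flow. Until form-login is enabled, restore `<input type="hidden" id="execution" name="execution" value="${flowExecutionKey}"/>` and `<input type="submit" id="submit_button" name="_eventId_authenticate" value="Authenticate" />` and drop the explicit `action`. The form also carries no CSRF token; `<form:form>` only injects one when a CsrfRequestDataValueProcessor is registered, which nothing in this diff shows. The logo on L1694 is referenced as `/images/apache-logo.png` while the file is added under `resources/images/`, so it only resolves if a resource handler maps that prefix.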

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/views/signinresponseform.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/views/signinresponseform.jsp b/services/idp/src/main/webapp/WEB-INF/views/signinresponseform.jsp
new file mode 100644
index 0000000..7a98789
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/views/signinresponseform.jsp
@@ -0,0 +1,25 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+
+<html>
+<head>
+<title>IDP SignIn Response Form</title>
+</head>
+<body>
+	<form:form method="POST" id="signinresponseform" name="signinresponseform" action="${fedAction}" htmlEscape="true">
+        <input type="hidden" name="wa" value="wsignin1.0" /><br />
+        <input type="hidden" name="wresult" value="${fedWResult}" /><br />
+        <% String wctx = (String)request.getAttribute("fedWCtx");
+           if (wctx != null && !wctx.isEmpty()) { %>
+        	<input type="hidden" name="wctx" value="${fedWCtx}" /><br />
+	    <% } %>
+        <input type="hidden" name="wtrealm" value="${fedWTrealm}" /><br />
+  		<noscript>
+		<p>Script is disabled. Click Submit to continue.</p>
+		<input type="submit" name="_eventId_submit" value="Submit" /><br />
+ 		</noscript>
+	</form:form>
+ 	<script language="javascript">window.setTimeout('document.forms[0].submit()',0);</script>
+</body>
+</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/views/signoutconfirmationresponse.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/views/signoutconfirmationresponse.jsp b/services/idp/src/main/webapp/WEB-INF/views/signoutconfirmationresponse.jsp
new file mode 100644
index 0000000..cc9479a
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/views/signoutconfirmationresponse.jsp
@@ -0,0 +1,56 @@
+<%@ page import="java.util.Map" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" %>
+<%@ page import="org.apache.cxf.fediz.core.FederationConstants" %>
+<%@ page import="java.util.List" %>
+<%@ page import="java.util.Iterator" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<title>IDP SignOut Confirmation Response Page</title>
+</head>
+<body>
+    <%
+        @SuppressWarnings("unchecked")
+        Map<String, String> rum =
+                (Map<String, String>) request.getSession().getAttribute(SigninParametersCacheAction.REALM_URL_MAP);
+
+        if (rum == null) {
+    %>
+	        <p>You have already logged out</p>
+    <%
+        } else {
+    %>
+	        <h1>Logout from the following realms?</h1>
+	   
+    <%
+            Iterator<Map.Entry<String, String>> iterator = rum.entrySet().iterator();
+                
+            while (iterator.hasNext()) {
+                Map.Entry<String, String> next = iterator.next();
+                String rpUri = next.getValue();
+                if (rpUri != null) {
+    %>
+                    <p>
+                    Will logout on RP: <%= rpUri%>
+                    </p>
+                    <br/>
+    <%
+                }
+            }
+        }
+        
+        if (rum != null && !rum.isEmpty()) {
+    %>
+        <form:form method="POST" id="signoutconfirmationresponseform" name="signoutconfirmationresponseform">
+            <input type="hidden" name="wa" value="wsignout1.0" />
+            <input type="hidden" id="execution" name="execution" value="${flowExecutionKey}" />
+            <input type="submit" name="_eventId_submit" value="Logout" />
+            <input type="submit" name="_eventId_cancel" value="Cancel" />
+        </form:form>
+    <%     
+        }
+    %>
+</body>
+</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/views/signoutresponse.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/views/signoutresponse.jsp b/services/idp/src/main/webapp/WEB-INF/views/signoutresponse.jsp
new file mode 100644
index 0000000..71110bf
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/views/signoutresponse.jsp
@@ -0,0 +1,48 @@
+<%@ page import="java.util.Map" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" %>
+<%@ page import="org.apache.cxf.fediz.core.FederationConstants" %>
+<%@ page import="java.util.List" %>
+<%@ page import="java.util.Iterator" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<title>IDP SignOut Response Page</title>
+</head>
+<body>
+    <%
+        @SuppressWarnings("unchecked")
+        Map<String, String> rum =
+                (Map<String, String>) request.getAttribute(SigninParametersCacheAction.REALM_URL_MAP);
+
+        if (rum == null) {
+    %>
+	        <p>You have already logged out</p>
+    <%
+        } else {
+    %>
+            <h1>CXF Fediz IDP successful logout.</h1>
+        
+            <p>
+    <%
+            Iterator<Map.Entry<String, String>> iterator = rum.entrySet().iterator();
+            
+            while (iterator.hasNext()) {
+                Map.Entry<String, String> next = iterator.next();
+                String rpUri = next.getValue();
+                if (rpUri != null) {
+    %>
+                    Logout status of RP <%= rpUri%>:
+                    <img src="<%=rpUri + "?" + FederationConstants.PARAM_ACTION + "=" + FederationConstants.ACTION_SIGNOUT_CLEANUP %>"/>
+                    <br/>
+    <%
+                }
+            }
+    %>
+	        </p>
+    <%
+        }
+    %>
+</body>
+</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/web.xml b/services/idp/src/main/webapp/WEB-INF/web.xml
index b22a0db..f96bf3a 100644
--- a/services/idp/src/main/webapp/WEB-INF/web.xml
+++ b/services/idp/src/main/webapp/WEB-INF/web.xml
@@ -77,21 +77,10 @@ under the License.
 
     <servlet-mapping>
         <servlet-name>idp</servlet-name>
+		<url-pattern>/</url-pattern>
         <url-pattern>/federation</url-pattern>
-    </servlet-mapping>
-    
-    <servlet-mapping>
-        <servlet-name>idp</servlet-name>
-        <url-pattern>/federation/up</url-pattern>
-    </servlet-mapping>
-    
-    <servlet-mapping>
-        <servlet-name>idp</servlet-name>
+		<url-pattern>/federation/up</url-pattern>
         <url-pattern>/federation/krb</url-pattern>
-    </servlet-mapping>
-    
-    <servlet-mapping>
-        <servlet-name>idp</servlet-name>
         <url-pattern>/federation/clientcert</url-pattern>
     </servlet-mapping>
     
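Review bot: Mapping the `idp` servlet to `/` on L1888 makes it the container's default servlet, so every path not matched elsewhere, including the static logo added under `resources/images/` and any URL outside `/federation*`, is now handled by the dispatcher; security-config.xml only declares `<security:http>` chains for `/federation`, `/federation/up/**`, `/federation/krb` and `/federation/clientcert`, so unless a catch-all chain exists outside this diff, anything served through `/` passes through no Spring Security filter. Confirm idp-servlet.xml (not in this chunk) registers `<mvc:resources>` or a default-servlet-handler for the static files, and consider adding a catch-all `<security:http pattern="/**" …>` that at least enforces `requires-channel="https"`. The two inserted `<url-pattern>` lines (L1888, L1899) are tab-indented while their siblings use spaces.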

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/index.html
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/index.html b/services/idp/src/main/webapp/index.html
deleted file mode 100644
index a9dbdaa..0000000
--- a/services/idp/src/main/webapp/index.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
-<HTML><HEAD><TITLE>WS Federation Tomcat Examples</TITLE>
-<META http-equiv=Content-Type content="text/html">
-</HEAD>
-<BODY>
-<P>
-<H3>Hello World</H3>
-<P></P>
-</BODY></HTML>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5ad84a6f/services/idp/src/main/webapp/resources/images/apache-logo.png
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/resources/images/apache-logo.png b/services/idp/src/main/webapp/resources/images/apache-logo.png
new file mode 100644
index 0000000..39b040e
Binary files /dev/null and b/services/idp/src/main/webapp/resources/images/apache-logo.png differ

