From cohei...@apache.org
Subject [3/3] cxf-fediz git commit: Adding initial SAML SSO support in the IdP
Date Thu, 03 Mar 2016 17:23:50 GMT
Adding initial SAML SSO support in the IdP


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/af2feff0
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/af2feff0
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/af2feff0

Branch: refs/heads/master
Commit: af2feff060218559e33ebdf9c0d2bada85313f60
Parents: 51ed2a3
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 3 17:23:34 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 3 17:23:34 2016 +0000

----------------------------------------------------------------------
 .../service/idp/beans/STSClientAction.java      |  28 +-
 .../idp/beans/SigninParametersCacheAction.java  |  48 --
 .../flows/federation-validate-request.xml       |   3 +-
 .../WEB-INF/flows/saml-signin-request.xml       |  80 +++
 .../WEB-INF/flows/saml-validate-request.xml     | 144 +++++
 .../idp/src/main/webapp/WEB-INF/idp-servlet.xml |   6 +
 .../src/main/webapp/WEB-INF/security-config.xml |  62 ++-
 .../WEB-INF/views/samlsigninresponseform.jsp    |  20 +
 services/idp/src/main/webapp/WEB-INF/web.xml    |   4 +
 systests/pom.xml                                |   1 +
 systests/samlsso/out.txt                        | 323 ++++++++++++
 systests/samlsso/pom.xml                        | 252 +++++++++
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 222 ++++++++
 .../samlsso/src/test/resources/alice_client.jks | Bin 0 -> 2225 bytes
 systests/samlsso/src/test/resources/client.jks  | Bin 0 -> 2061 bytes
 .../samlsso/src/test/resources/clienttrust.jks  | Bin 0 -> 1512 bytes
 .../samlsso/src/test/resources/entity_wreq.xml  |  25 +
 .../src/test/resources/logging.properties       |  54 ++
 .../test/resources/realma/entities-realma.xml   | 524 +++++++++++++++++++
 .../src/test/resources/realma/realm.properties  |   5 +
 systests/samlsso/src/test/resources/server.jks  | Bin 0 -> 3859 bytes
 21 files changed, 1728 insertions(+), 73 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
index dcbcc53..6b4e07d 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
@@ -315,21 +315,21 @@ public class STSClientAction {
         String wreply = 
             (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY);
         
-        // Validate it first using commons-validator
-        UrlValidator urlValidator = new UrlValidator(UrlValidator.ALLOW_LOCAL_URLS
-                                                     + UrlValidator.ALLOW_ALL_SCHEMES);
-        if (!urlValidator.isValid(wreply)) {
-            LOG.warn("The given wreply parameter {} is not a valid URL", wreply);
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-        
-        if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
-            LOG.warn("No passive requestor endpoint constraint is configured for the application.
"
-                     + "This could lead to a malicious redirection attack");
-            return;
-        }
-        
         if (wreply != null) {
+            // Validate it first using commons-validator
+            UrlValidator urlValidator = new UrlValidator(UrlValidator.ALLOW_LOCAL_URLS
+                                                         + UrlValidator.ALLOW_ALL_SCHEMES);
+            if (!urlValidator.isValid(wreply)) {
+                LOG.warn("The given wreply parameter {} is not a valid URL", wreply);
+                throw new ProcessingException(TYPE.BAD_REQUEST);
+            }
+
+            if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
+                LOG.warn("No passive requestor endpoint constraint is configured for the
application. "
+                    + "This could lead to a malicious redirection attack");
+                return;
+            }
+        
             Matcher matcher = serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
             if (!matcher.matches()) {
                 LOG.error("The wreply value of {} does not match any of the passive requestor
values",
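Review bot: The validator built at the top of the new `if (wreply != null)` block uses `UrlValidator.ALLOW_ALL_SCHEMES`, so it does not by itself confine wreply to http/https; the only real gate is the passive-requestor regex, and when that is unset the method logs a warning and returns with the redirect target unrestricted. Unless the scheme is enforced somewhere not shown, consider `new UrlValidator(new String[] {"http", "https"}, UrlValidator.ALLOW_LOCAL_URLS)` so at least the scheme is pinned independent of configuration. Moving the validation inside the null check also changes behaviour: a missing wreply previously failed `isValid(null)` and was rejected with BAD_REQUEST, whereas it is now accepted silently, which deserves a one-line comment stating why an absent wreply is acceptable here (e.g. `// wreply is optional; an absent value is resolved by the flow, not rejected`). The enclosing method begins and ends outside this hunk.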

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
index 1ec197f..0b3288e 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
@@ -119,54 +119,6 @@ public class SigninParametersCacheAction {
         }
     }
 
-    /**
-     * @deprecated use {@link #storeRPConfigInSession()} instead.  
-     * @param context
-     * @throws ProcessingException
-     */
-    public void storeRPUrlInSession(RequestContext context) throws ProcessingException {
-
-        String whr = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_HOME_REALM);
-        if (whr == null) {
-            return;
-        }
-
-        String wtrealm = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_TREALM);
-        
-        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, IdpConstants.IDP_CONFIG);
-        
-        String url = null;
-
-        Application serviceConfig = idpConfig.findApplication(wtrealm);
-        if (serviceConfig != null) {
-            url = serviceConfig.getPassiveRequestorEndpoint();
-        }
-
-        if (url == null) {
-            url = guessPassiveRequestorURL(context, wtrealm);
-            if (serviceConfig != null) {
-                serviceConfig.setPassiveRequestorEndpoint(url);
-            }
-        }
-        
-        @SuppressWarnings("unchecked")
-        Map<String, String> rum =
-                (Map<String, String>)WebUtils
-                        .getAttributeFromExternalContext(context, REALM_URL_MAP);
-
-        if (rum == null) {
-            rum = new HashMap<>();
-            WebUtils.putAttributeInExternalContext(context, REALM_URL_MAP, rum);
-        }
-
-        String val = rum.get(wtrealm);
-        if (val == null) {
-            rum.put(wtrealm, url);
-        }
-        
-        storeRPConfigInSession(context);
-    }
-    
     public void storeRPConfigInSession(RequestContext context) throws ProcessingException
{
 
         String whr = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_HOME_REALM);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index b5ee03b..8c020df 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -139,8 +139,7 @@
             <evaluate expression="stsClientForRpAction.submit(flowRequestContext)"
                       result="flowScope.rpToken"/>
         </on-entry>
-        <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"
-                result="flowScope.res"/>
+        <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"
/>
         <transition to="isWReplyProvided" />
         <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException"
to="viewBadRequest" />
         <transition on-exception="java.lang.Throwable" to="scInternalServerError" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
new file mode 100644
index 0000000..0af978f
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/webflow
+        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <input name="idpConfig" />
+    <input name="SAMLRequest" />
+    <input name="RelayState" />
+
+    <decision-state id="checkWauthTypeSupported">
+        <on-entry>
+            <!-- Here, home realm is guaranteed to be THIS realm -->
+            <set name="flowScope.whr" value="flowScope.idpConfig.realm" />
+        </on-entry>
+        <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
+            then="viewBadRequest" />
+        <!-- check presence of cached IDP token for THIS realm -->
+        <if test="externalContext.sessionMap[flowScope.whr] == null"
+            then="cacheTokenForWauth" else="wfreshParserAction" />
+    </decision-state>
+
+    <!-- parse wfresh parameter, provided by resource RP, overriding ttl 
+        from 'IDP_TOKEN' -->
+    <action-state id="wfreshParserAction">
+        <evaluate
+            expression="wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr,
flowRequestContext)" />
+        <transition on="yes" to="redirectToLocalIDP" />
+        <transition on="no" to="requestRpToken">
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
+        </transition>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+
+    <end-state id="redirectToLocalIDP">
+        <on-entry>
+            <evaluate expression="logoutAction.submit(flowRequestContext)" />
+        </on-entry>
+        <output name="whr" value="flowScope.whr" />
+    </end-state>
+
+    <action-state id="cacheTokenForWauth">
+        <secured attributes="IS_AUTHENTICATED_FULLY" />
+        <evaluate expression="cacheTokenForWauthAction.submit(flowRequestContext)" />
+        <transition to="requestRpToken">
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
+        </transition>
+    </action-state>
+
+    <!-- =============================================================================================================
-->
+
+    <!-- normal exit point -->
+    <end-state id="requestRpToken">
+        <output name="whr" value="flowScope.whr" />
+        <output name="idpToken" value="flowScope.idpToken" />
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest" />
+
+</flow>
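Review bot: `wfreshParserAction` decides whether to force re-authentication from `flowScope.wfresh` (and `cacheTokenForWauth` acts on a wauth value), but nothing in the SAML path sets either — this flow declares `SAMLRequest` and `RelayState` as inputs and never reads them, while the caller in saml-validate-request.xml passes `wauth` and `whr` instead. As written, any cached IdP token in the session is reused regardless of what the AuthnRequest asks for; SAML's `ForceAuthn`/`IsPassive` live inside the still-undecoded SAMLRequest, so the parse/validate step has to precede this decision. Until that exists, a comment at the top of the flow such as `<!-- TODO: wfresh/wauth are WS-Federation placeholders; derive ForceAuthn/IsPassive from the decoded AuthnRequest -->` would stop the next reader from trusting the state name `checkWauthTypeSupported`.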

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
new file mode 100644
index 0000000..8070ecd
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -0,0 +1,144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/webflow
+                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <!-- protocol check -->
+    <decision-state id="SAMLRequestCheck">
+        <on-entry>
+            <set name="flowScope.RelayState" value="requestParameters.RelayState" />
+            <set name="flowScope.SAMLRequest" value="requestParameters.SAMLRequest" />
+            <set name="flowScope.idpConfig" value="config.getIDP(null)" />
+        </on-entry>
+        <if test="requestParameters.RelayState == null or requestParameters.RelayState.length()
== 0"
+            then="viewBadRequest" />
+        <if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
+            then="signinSAMLRequest" else="viewBadRequest" />
+    </decision-state>
+
+    <subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
+        <input name="idpConfig" value="flowScope.idpConfig" />
+        <input name="wauth" value="flowScope.wauth" />
+        <input name="whr" value="flowScope.whr" />
+
+        <output name="whr" />
+        <output name="idpToken" />
+        <output name="trusted_idp_context" />
+
+        <transition on="requestRpToken" to="requestRpToken">
+            <set name="flowScope.whr" value="currentEvent.attributes.whr" />
+            <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+        </transition>
+        <transition on="viewBadRequest" to="viewBadRequest" />
+        <transition on="scInternalServerError" to="scInternalServerError" />
+        <transition on="redirectToLocalIDP" to="redirectToLocalIDP">
+            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+        </transition>
+    </subflow-state>
+    
+    <!-- produce RP security token (as String type) -->
+    <action-state id="requestRpToken">
+        <on-entry>
+            <evaluate expression="stsClientForRpAction.submit(flowRequestContext)"
+                      result="flowScope.rpToken"/>
+        </on-entry>
+        <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"/>
+        <transition to="formResponseView" >
+            <set name="flowScope.signinResponseUrl" value="flowScope.wreply" />
+        </transition>
+        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException"
to="viewBadRequest" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+    
+    <!-- normal exit point for login -->
+    <!-- browser redirection (self-submitted form 'samlsigninresponseform.jsp') -->
+    <end-state id="formResponseView" view="samlsigninresponseform">
+        <on-entry>
+            <evaluate expression="flowScope.signinResponseUrl" result="requestScope.samlAction"
/>
+            <evaluate expression="flowScope.RelayState" result="requestScope.relayState"
/>
+            <evaluate expression="flowScope.rpToken" result="requestScope.samlResponse"
/>
+        </on-entry>
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest" view="genericerror">
+        <on-entry>
+            <evaluate
+                expression="externalContext.nativeResponse.setStatus(400,flowRequestContext.currentTransition.toString())"
/>
+            <!-- <set name="requestScope.reason" value="flowRequestContext.currentTransition"
/> -->
+        </on-entry>
+    </end-state>
+
+    <!-- abnormal exit point : Http 500 Internal Server Error -->
+    <end-state id="scInternalServerError" view="genericerror">
+        <on-entry>
+            <evaluate
+                expression="externalContext.nativeResponse.setStatus(500,'IDP is unavailable,
please contact the administrator')" />
+            <set name="requestScope.reason"
+                value="'IDP is unavailable, please contact the administrator'" />
+            <set name="requestScope.stateException"
+                value="flowScope.stateException" />
+            <set name="requestScope.rootCauseException"
+                value="flowScope.rootCauseException" />
+        </on-entry>
+    </end-state>
+    
+    <!-- normal exit point for logout -->
+    <view-state id="viewSignoutConfirmation" view="signoutconfirmationresponse">
+        <transition on="submit" to="invalidateSessionAction"/>
+        <transition on="cancel" to="redirect" />
+    </view-state>
+
+    <view-state id="redirect" view="externalRedirect:${flowScope.wreply}" />
+
+    <!-- normal exit point for logout -->
+    <end-state id="invalidateSessionAction" view="signoutresponse">
+        <on-entry>
+            <!-- store the realmConfigMap in the request map before we invalidate the
session below.
+            Its needed in the signoutresponse.jsp page -->
+            <set name="externalContext.requestMap.realmConfigMap" 
+                value="externalContext.sessionMap.realmConfigMap"/>
+            <set name="externalContext.requestMap.wreply" value="flowScope.wreply"/>
+            <!-- there is no Saml token canceller in cxf STS...
+            <evaluate expression="stsClientForRpAction.cancelTokens(flowRequestContext)"
/>
+            -->
+            <evaluate expression="homeRealmReminder.removeCookie(flowRequestContext)"
/>
+            <evaluate expression="logoutAction.submit(flowRequestContext)" />
+        </on-entry>
+    </end-state>
+
+    <end-state id="redirectToLocalIDP" view="externalRedirect:${flowScope.localIdpUrl}">
+        <on-entry>
+            <set name="flowScope.localIdpUrl"
+                value="flowScope.idpConfig.idpUrl
+                +'?wa=wsignin1.0'
+                +'&amp;wreply='+flowScope.wreply
+                +'&amp;wtrealm='+flowScope.wtrealm
+                +(flowScope.wctx != null ? '&amp;wctx='+flowScope.wctx : '')
+                +(flowScope.wfresh != null ? '&amp;wfresh='+flowScope.wfresh : '')
+                +(flowScope.whr != null ? '&amp;whr='+flowScope.whr : '')
+                +(flowScope.wreq != null ? '&amp;wreq='+flowScope.wreq : '')">
+            </set>
+        </on-entry>
+    </end-state>
+
+</flow>
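Review bot: `SAMLRequestCheck` only tests that `SAMLRequest` is non-empty and stores it in flowScope; nothing in this flow decodes it, verifies its signature, or resolves its Issuer to a configured application, yet `requestRpToken` issues a token and posts it to `flowScope.wreply` (`<set name="flowScope.signinResponseUrl" value="flowScope.wreply" />`), which no state in the SAML flow ever sets. Unless `stsClientForRpAction` or `signinParametersCacheAction` populate `wreply` from somewhere not shown, the response form is rendered with an empty action — and once the AuthnRequest is parsed, the destination should come from the Issuer's configured AssertionConsumerService, not from request data. The `viewSignoutConfirmation`/`redirect`/`redirectToLocalIDP` states at the bottom are unreachable from any transition here and still build a `wa=wsignin1.0` URL from `flowScope.wtrealm`/`wreq`, so they look like leftovers from federation-validate-request.xml; either drop them or mark them `<!-- TODO: SAML logout; copied from the WS-Federation flow, not wired up -->`. Requiring a non-empty RelayState (`requestParameters.RelayState.length() == 0` → viewBadRequest) also rejects SPs that omit it, which SAML 2.0 permits.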

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
index 638a9c8..2cb89bd 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
@@ -68,6 +68,12 @@
         <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/clientcert"
/>
         <webflow:flow-location path="/WEB-INF/flows/federation-signin-request.xml" id="signinRequest"
/>
         <webflow:flow-location path="/WEB-INF/flows/federation-signin-response.xml" id="signinResponse"
/>
+        
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml"
/>
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/up"
/>
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/krb"
/>
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/clientcert"
/>
+        <webflow:flow-location path="/WEB-INF/flows/saml-signin-request.xml" id="signinSAMLRequest"
/>
     </webflow:flow-registry>
 
     <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" p:flowRegistry-ref="flowRegistry"

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index 406b798..39e0cb7 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -75,6 +75,15 @@
         <property name="configService" ref="config" />
     </bean>
     
+    <!-- Kerberos entry point -->
+    <bean id="kerberosEntryPoint"
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
+    
+    <bean id="kerberosAuthenticationProcessingFilter"
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+          <property name="authenticationManager" ref="authenticationManagers" />
+    </bean>
+    
     <!-- Main entry point -->
     <security:http pattern="/federation" use-expressions="true" entry-point-ref="federationEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
@@ -102,15 +111,6 @@
 			/>
     </security:http>
     
-    <!-- Kerberos entry point -->
-    <bean id="kerberosEntryPoint"
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
-    
-    <bean id="kerberosAuthenticationProcessingFilter"
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
-          <property name="authenticationManager" ref="authenticationManagers" />
-    </bean>
-    
     <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
@@ -127,6 +127,50 @@
         <security:x509 />
         <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
     </security:http>
+    
+    <!-- Main entry point -->
+    <security:http pattern="/saml" use-expressions="true" entry-point-ref="federationEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+    </security:http>
+    
+    <!-- HTTP/BA entry point -->
+    <security:http pattern="/saml/up/**" use-expressions="true">
+		<security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous()
or isAuthenticated()" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:http-basic />
+		<!--security:form-login login-page='/federation/up/login'
+			login-processing-url="/federation/up/login.do"
+			authentication-failure-url="/federation/up/login?error" 
+			default-target-url="/"
+			username-parameter="username" 
+			password-parameter="password"
+			/-->
+		<security:logout logout-url="/saml/up/logout" 
+			logout-success-url="/saml/up/login?out" 
+			delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+			invalidate-session="true" 
+			/>
+    </security:http>
+    
+    <security:http pattern="/saml/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+    
+    <!-- SSL Client Cert entry point -->
+    <security:http pattern="/saml/clientcert" use-expressions="true">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:x509 />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
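Review bot: The new `/saml` block reuses `federationEntryPoint`; if that entry point redirects unauthenticated users to the `/federation/...` login URLs (its implementation is not visible here), a SAML login would be bounced into the WS-Federation flow and lose the `SAMLRequest`/`RelayState` parameters, so it is worth confirming it is path-aware or giving `/saml` its own entry point. Separately, only `/saml/up/login*` carries `requires-channel="https"` while `<security:http-basic />` applies to everything under `/saml/up/**`, so Basic credentials may be accepted over plain HTTP on the other paths unless `stsUPPortFilter` or a container security constraint enforces TLS; this appears to mirror the existing `/federation/up` block rather than introduce something new, but a comment noting what enforces TLS for the rest of the pattern would help.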
 
     <security:authentication-manager alias="authenticationManagers">
         <security:authentication-provider ref="stsUPAuthProvider" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/services/idp/src/main/webapp/WEB-INF/views/samlsigninresponseform.jsp
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/views/samlsigninresponseform.jsp b/services/idp/src/main/webapp/WEB-INF/views/samlsigninresponseform.jsp
new file mode 100644
index 0000000..3e7dc36
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/views/samlsigninresponseform.jsp
@@ -0,0 +1,20 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+
+<html>
+<head>
+<title>IDP SignIn Response Form</title>
+</head>
+<body>
+	<form:form method="POST" id="samlsigninresponseform" name="samlsigninresponseform" action="${samlAction}"
htmlEscape="true">
+        <input type="hidden" name="SAMLResponse" value="${samlResponse}" /><br />
+        <input type="hidden" name="RelayState" value="${relayState}" /><br />
+  		<noscript>
+		<p>Script is disabled. Click Submit to continue.</p>
+		<input type="submit" name="_eventId_submit" value="Submit" /><br />
+ 		</noscript>
+	</form:form>
+ 	<script language="javascript">window.setTimeout('document.forms[0].submit()',0);</script>
+</body>
+</html>
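Review bot: `RelayState` is attacker-influenced (saml-validate-request.xml copies it straight from `requestParameters.RelayState`) and is written into an HTML attribute as `value="${relayState}"` with no escaping; plain JSP EL does not HTML-encode, so unless the webapp sets `defaultHtmlEscape` in web.xml (not visible here) a RelayState containing `"><script>…` is reflected into the authenticated user's page. Use `value="${fn:escapeXml(relayState)}"` (adding `<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>`) or `<c:out>` for both hidden fields; the `htmlEscape="true"` on `form:form` only covers the form tag's own attributes. Note also that the SAML 2.0 HTTP-POST binding expects `SAMLResponse` to be base64-encoded; if `rpToken` is the raw XML the WS-Federation flow puts in `wresult`, the encoding has to happen before it reaches this page.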

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/services/idp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/web.xml b/services/idp/src/main/webapp/WEB-INF/web.xml
index e888f22..4129e72 100644
--- a/services/idp/src/main/webapp/WEB-INF/web.xml
+++ b/services/idp/src/main/webapp/WEB-INF/web.xml
@@ -81,6 +81,10 @@ under the License.
 		<url-pattern>/federation/up</url-pattern>
 		<url-pattern>/federation/krb</url-pattern>
 		<url-pattern>/federation/clientcert</url-pattern>
+		<url-pattern>/saml</url-pattern>
+		<url-pattern>/saml/up</url-pattern>
+		<url-pattern>/saml/krb</url-pattern>
+		<url-pattern>/saml/clientcert</url-pattern>
 	</servlet-mapping>
 
 	<servlet>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/af2feff0/systests/pom.xml
----------------------------------------------------------------------
diff --git a/systests/pom.xml b/systests/pom.xml
index 42685d5..1614400 100644
--- a/systests/pom.xml
+++ b/systests/pom.xml
@@ -43,6 +43,7 @@
       <module>federation</module>
       <module>kerberos</module>
       <module>oidc</module>
+      <module>samlsso</module>
    </modules>
    
    <profiles>

