cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: FEDIZ-169 - Enforce mandatory requested claims on the RP side
Date Thu, 14 Jul 2016 17:23:03 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 95905560e -> bec9f5862


FEDIZ-169 - Enforce mandatory requested claims on the RP side


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/bec9f586
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/bec9f586
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/bec9f586

Branch: refs/heads/master
Commit: bec9f58621fee5381b7b612e153b61313e66b04e
Parents: 9590556
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Jul 14 18:21:37 2016 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Jul 14 18:21:37 2016 +0100

----------------------------------------------------------------------
 .../core/processor/FederationProcessorImpl.java |  33 ++
 .../fediz/core/AbstractSAMLCallbackHandler.java |   8 +-
 .../core/federation/RequestedClaimsTest.java    | 336 +++++++++++++++++++
 .../sts/src/main/webapp/WEB-INF/userClaims.xml  |   6 +-
 .../main/webapp/WEB-INF/userClaimsKerberos.xml  |   6 +-
 .../test/resources/realma/entities-realma.xml   |   5 +
 .../org/apache/cxf/fediz/example/Service.java   |   2 +-
 .../src/main/webapp/WEB-INF/web.xml             |   3 +
 .../WEB-INF/applicationContext-security.xml     |   2 +-
 .../src/main/webapp/WEB-INF/web.xml             |   3 +
 10 files changed, 395 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index cc94fee..1695f57 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -203,6 +203,10 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
             expires = validatorResponse.getExpires();
         }
         testForReplayAttack(validatorResponse.getUniqueTokenId(), config, expires);
+        testForMandatoryClaims(((FederationProtocol)config.getProtocol()).getRoleURI(),
+                              ((FederationProtocol)config.getProtocol()).getClaimTypesRequested(),

+                              validatorResponse.getClaims(), 
+                              validatorResponse.getRoles() != null && !validatorResponse.getRoles().isEmpty());
 
         Date created = validatorResponse.getCreated();
         if (lifeTime != null && lifeTime.getCreated() != null) {
@@ -637,6 +641,35 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
         }
         return wReq;
     }
+    
+    private void testForMandatoryClaims(String roleURI,
+                                        List<org.apache.cxf.fediz.core.config.Claim>
requestedClaims, 
+                                        List<org.apache.cxf.fediz.core.Claim> receivedClaims,
+                                        boolean foundRoles
+    ) throws ProcessingException {
+        if (requestedClaims != null) {
+            for (org.apache.cxf.fediz.core.config.Claim requestedClaim : requestedClaims)
{
+                if (!requestedClaim.isOptional()) {
+                    boolean found = false;
+                    for (org.apache.cxf.fediz.core.Claim receivedClaim : receivedClaims)
{
+                        if (requestedClaim.getType().equals(receivedClaim.getClaimType().toString()))
{
+                            found = true;
+                            break;
+                        }
+                    }
+                    if (!found && foundRoles && roleURI != null &&
roleURI.equals(requestedClaim.getType())) {
+                        // Maybe the requested claim is a role, which has already been removed

+                        // from the claims collection
+                        found = true;
+                    }
+                    if (!found) {
+                        LOG.warn("Mandatory claim {} not found in token", requestedClaim.getType());
+                        throw new ProcessingException("Mandatory claim not found in token",
TYPE.INVALID_REQUEST);
+                    }
+                }
+            }
+        }
+    }
 
     private static class DecryptionCallbackHandler implements CallbackHandler {
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
index 1c7d693..bd69b14 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
@@ -354,7 +354,13 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler
{
                 attributeBean2.setQualifiedName(this.customClaimName);
                 attributeBean2.setNameFormat(this.getAttributeNameFormat());
             }
-            attributeBean2.addAttributeValue("CH");
+            if (customAttributeValues != null && !customAttributeValues.isEmpty())
{
+                for (Object obj : customAttributeValues) {
+                    attributeBean2.addAttributeValue(obj);
+                }
+            } else {
+                attributeBean2.addAttributeValue("CH");
+            }
             attributeList.add(attributeBean2);
             
             attrStateBean.setSamlAttributes(attributeList);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/RequestedClaimsTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/RequestedClaimsTest.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/RequestedClaimsTest.java
new file mode 100644
index 0000000..79c836c
--- /dev/null
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/RequestedClaimsTest.java
@@ -0,0 +1,336 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.federation;
+
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.math.BigInteger;
+import java.util.Collections;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.fediz.common.STSUtil;
+import org.apache.cxf.fediz.common.SecurityTestUtil;
+import org.apache.cxf.fediz.core.Claim;
+import org.apache.cxf.fediz.core.ClaimTypes;
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.KeystoreCallbackHandler;
+import org.apache.cxf.fediz.core.SAML2CallbackHandler;
+import org.apache.cxf.fediz.core.config.FedizConfigurator;
+import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.config.jaxb.ArgumentType;
+import org.apache.cxf.fediz.core.config.jaxb.AudienceUris;
+import org.apache.cxf.fediz.core.config.jaxb.CallbackType;
+import org.apache.cxf.fediz.core.config.jaxb.CertificateStores;
+import org.apache.cxf.fediz.core.config.jaxb.ClaimType;
+import org.apache.cxf.fediz.core.config.jaxb.ClaimTypesRequested;
+import org.apache.cxf.fediz.core.config.jaxb.ContextConfig;
+import org.apache.cxf.fediz.core.config.jaxb.FederationProtocolType;
+import org.apache.cxf.fediz.core.config.jaxb.FedizConfig;
+import org.apache.cxf.fediz.core.config.jaxb.KeyStoreType;
+import org.apache.cxf.fediz.core.config.jaxb.ProtocolType;
+import org.apache.cxf.fediz.core.config.jaxb.TrustManagersType;
+import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuerType;
+import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuers;
+import org.apache.cxf.fediz.core.config.jaxb.ValidationType;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.processor.FederationProcessorImpl;
+import org.apache.cxf.fediz.core.processor.FedizProcessor;
+import org.apache.cxf.fediz.core.processor.FedizRequest;
+import org.apache.cxf.fediz.core.processor.FedizResponse;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean;
+import org.apache.wss4j.common.saml.bean.ConditionsBean;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.common.util.DOM2Writer;
+
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * Test for requested claims
+ */
+public class RequestedClaimsTest {
+
+    private static final String ISSUER = "FedizSTSIssuer";
+    private static final String PROTOCOL_VERSION = "1.0.0";
+    //private static final String REQUEST = "request value";
+    private static final String REPLY = "reply value";
+    private static final String TARGET_REALM = "target realm";
+    private static final String HOME_REALM_CLASS = "org.apache.fediz.realm.MyHomeRealm.class";
+    private static final String FRESHNESS_VALUE = "10000";
+
+    private static final String CONFIG_NAME = "ROOT";
+    private static final String CLOCK_SKEW = "1000";
+
+    private static final String AUTH_TYPE_VALUE = "some auth type";
+
+    private static final String AUDIENCE_URI_1 = "http://host_one:port/url";
+
+    private static final String ROLE_DELIMITER = ";";
+    private static final String ROLE_URI = "http://someserver:8080/path/roles.uri";
+    private static final String CLAIM_TYPE_1 = ClaimTypes.FIRSTNAME.toString();
+    private static final String CLAIM_TYPE_2 = ClaimTypes.LASTNAME.toString();
+
+    private static Crypto crypto;
+    private static CallbackHandler cbPasswordHandler = new KeystoreCallbackHandler();
+    
+    @BeforeClass
+    public static void init() {
+        try {
+            crypto = CryptoFactory.getInstance("signature.properties");
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+    }
+    
+    @AfterClass
+    public static void cleanup() {
+        SecurityTestUtil.cleanup();
+    }
+
+    //CHECKSTYLE:OFF
+    private FedizConfig createConfiguration() throws JAXBException {
+
+        FedizConfig rootConfig = new FedizConfig();
+        ContextConfig config = new ContextConfig();
+        rootConfig.getContextConfig().add(config);
+
+        config.setName(CONFIG_NAME);
+        config.setMaximumClockSkew(new BigInteger(CLOCK_SKEW));
+
+        CertificateStores certStores = new CertificateStores();
+        
+        TrustManagersType tm0 = new TrustManagersType();       
+        KeyStoreType ks0 = new KeyStoreType();
+        ks0.setType("JKS");
+        ks0.setPassword("storepass");
+        ks0.setFile("ststrust.jks");
+        tm0.setKeyStore(ks0);
+        
+        certStores.getTrustManager().add(tm0);
+        
+        config.setCertificateStores(certStores);
+        
+        TrustedIssuers trustedIssuers = new TrustedIssuers();
+        
+        TrustedIssuerType ti0 = new TrustedIssuerType();
+        ti0.setCertificateValidation(ValidationType.PEER_TRUST);
+        trustedIssuers.getIssuer().add(ti0);
+        
+        config.setTrustedIssuers(trustedIssuers);
+        
+        ProtocolType protocol = new FederationProtocolType();
+
+        CallbackType authType = new CallbackType();
+        authType.setType(ArgumentType.STRING);
+        authType.setValue(AUTH_TYPE_VALUE);
+        ((FederationProtocolType)protocol).setAuthenticationType(authType);
+
+        CallbackType freshness = new CallbackType();
+        freshness.setValue(FRESHNESS_VALUE);
+        ((FederationProtocolType)protocol).setFreshness(freshness);
+
+        CallbackType homeRealm = new CallbackType();
+        homeRealm.setType(ArgumentType.CLASS);
+        homeRealm.setValue(HOME_REALM_CLASS);
+        ((FederationProtocolType)protocol).setHomeRealm(homeRealm);
+
+        ((FederationProtocolType)protocol).setReply(REPLY);
+        ((FederationProtocolType)protocol).setVersion(PROTOCOL_VERSION);
+        
+        config.setProtocol(protocol);
+        
+        AudienceUris audienceUris = new AudienceUris();
+        audienceUris.getAudienceItem().add(AUDIENCE_URI_1);
+        config.setAudienceUris(audienceUris);
+
+        protocol.setRoleDelimiter(ROLE_DELIMITER);
+        protocol.setRoleURI(ROLE_URI);
+
+        ClaimTypesRequested claimTypeReq = new ClaimTypesRequested();
+        ClaimType claimType = new ClaimType();
+        claimType.setOptional(false);
+        claimType.setType(CLAIM_TYPE_1);
+        claimTypeReq.getClaimType().add(claimType);
+
+        ClaimType claimType2 = new ClaimType();
+        claimType2.setOptional(true);
+        claimType2.setType(CLAIM_TYPE_2);
+        claimTypeReq.getClaimType().add(claimType2);
+
+        protocol.setClaimTypesRequested(claimTypeReq);
+
+        CallbackType realm = new CallbackType();
+        realm.setValue(TARGET_REALM);
+        protocol.setRealm(realm);
+        
+        CallbackType issuer = new CallbackType();
+        issuer.setValue(ISSUER);
+        protocol.setIssuer(issuer);
+
+        return rootConfig;
+
+    }
+
+    @org.junit.Test
+    public void testRequiredClaimIncluded() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        callbackHandler.setIssuer(ISSUER);
+        callbackHandler.setSubjectName("alice");
+        callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
+        callbackHandler.setCountryClaimName("country");
+        callbackHandler.setRoleAttributeName("role");
+        callbackHandler.setCustomClaimName(CLAIM_TYPE_1);
+        callbackHandler.setCustomAttributeValues(Collections.singletonList("xyz"));
+        
+        ConditionsBean cp = new ConditionsBean();
+        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+        audienceRestriction.getAudienceURIs().add(AUDIENCE_URI_1);
+        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
+        callbackHandler.setConditions(cp);
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
+        
+        String rstr = createSamlToken(assertion, "mystskey", true);
+        
+        FedizRequest wfReq = new FedizRequest();
+        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
+        wfReq.setResponseToken(rstr);
+        
+        FedizConfig config = createConfiguration();
+        StringWriter writer = new StringWriter();
+        final JAXBContext jaxbContext = JAXBContext.newInstance(FedizConfig.class);
+        jaxbContext.createMarshaller().marshal(config, writer);
+        StringReader reader = new StringReader(writer.toString());
+        
+        FedizConfigurator configurator = new FedizConfigurator();
+        configurator.loadConfig(reader);
+        FedizContext context = configurator.getFedizContext(CONFIG_NAME);
+        
+        FedizProcessor wfProc = new FederationProcessorImpl();
+        FedizResponse wfRes = wfProc.processRequest(wfReq, context);
+        
+        Object claimValue = null;
+        for (Claim c : wfRes.getClaims()) {
+            if (CLAIM_TYPE_1.equals(c.getClaimType().toString())) {
+                claimValue = c.getValue();
+            }
+        }
+        
+        Assert.assertEquals("xyz", claimValue);
+    }
+    
+    @org.junit.Test
+    public void testRequiredClaimNotIncluded() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        callbackHandler.setIssuer(ISSUER);
+        callbackHandler.setSubjectName("alice");
+        callbackHandler.setAttributeNameFormat(ClaimTypes.URI_BASE.toString());
+        callbackHandler.setCountryClaimName("country");
+        callbackHandler.setRoleAttributeName("role");
+        callbackHandler.setCustomClaimName(CLAIM_TYPE_2);
+        callbackHandler.setCustomAttributeValues(Collections.singletonList("xyz"));
+        
+        ConditionsBean cp = new ConditionsBean();
+        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+        audienceRestriction.getAudienceURIs().add(AUDIENCE_URI_1);
+        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
+        callbackHandler.setConditions(cp);
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
+        
+        String rstr = createSamlToken(assertion, "mystskey", true);
+        
+        FedizRequest wfReq = new FedizRequest();
+        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
+        wfReq.setResponseToken(rstr);
+        
+        FedizConfig config = createConfiguration();
+        StringWriter writer = new StringWriter();
+        final JAXBContext jaxbContext = JAXBContext.newInstance(FedizConfig.class);
+        jaxbContext.createMarshaller().marshal(config, writer);
+        StringReader reader = new StringReader(writer.toString());
+        
+        FedizConfigurator configurator = new FedizConfigurator();
+        configurator.loadConfig(reader);
+        FedizContext context = configurator.getFedizContext(CONFIG_NAME);
+        
+        FedizProcessor wfProc = new FederationProcessorImpl();
+        try {
+            wfProc.processRequest(wfReq, context);
+            Assert.fail("Failure expected on a mandatory claim not being included");
+        } catch (ProcessingException ex) {
+            // expected
+        }
+    }
+    
+    private String createSamlToken(SamlAssertionWrapper assertion, String alias, boolean
sign)
+        throws IOException, UnsupportedCallbackException, WSSecurityException, Exception
{
+        return createSamlToken(assertion, alias, sign, STSUtil.SAMPLE_RSTR_COLL_MSG);
+    }
+    
+    private String createSamlToken(SamlAssertionWrapper assertion, String alias, boolean
sign, String rstr)
+        throws IOException, UnsupportedCallbackException, WSSecurityException, Exception
{
+        WSPasswordCallback[] cb = {
+            new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE)
+        };
+        cbPasswordHandler.handle(cb);
+        String password = cb[0].getPassword();
+
+        if (sign) {
+            assertion.signAssertion(alias, password, crypto, false);
+        }
+        Document doc = STSUtil.toSOAPPart(rstr);
+        Element token = assertion.toDOM(doc);
+
+        Element e = SAMLTokenValidatorOldTest.findElement(doc, "RequestedSecurityToken",
+                                                        FederationConstants.WS_TRUST_13_NS);
+        if (e == null) {
+            e = SAMLTokenValidatorOldTest.findElement(doc, "RequestedSecurityToken",
+                                                    FederationConstants.WS_TRUST_2005_02_NS);
+        }
+        e.appendChild(token);
+        return DOM2Writer.nodeToString(doc);
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/services/sts/src/main/webapp/WEB-INF/userClaims.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/userClaims.xml b/services/sts/src/main/webapp/WEB-INF/userClaims.xml
index 1a2b12f..13bd37f 100644
--- a/services/sts/src/main/webapp/WEB-INF/userClaims.xml
+++ b/services/sts/src/main/webapp/WEB-INF/userClaims.xml
@@ -75,7 +75,7 @@
             value="tcooper@realma.org" />
         <entry
             key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="" />
+            value="Secretary" />
     </util:map>
 
     <util:map id="userClaimsREALMB">
@@ -126,7 +126,7 @@
             value="tcooper@realmb.org" />
         <entry
             key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="" />
+            value="Secretary" />
     </util:map>
 
     <util:list id="supportedClaims">
@@ -136,4 +136,4 @@
         <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value>
     </util:list>
 
-</beans>
\ No newline at end of file
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/services/sts/src/main/webapp/WEB-INF/userClaimsKerberos.xml
----------------------------------------------------------------------
diff --git a/services/sts/src/main/webapp/WEB-INF/userClaimsKerberos.xml b/services/sts/src/main/webapp/WEB-INF/userClaimsKerberos.xml
index 38ff27c..aa5faff 100644
--- a/services/sts/src/main/webapp/WEB-INF/userClaimsKerberos.xml
+++ b/services/sts/src/main/webapp/WEB-INF/userClaimsKerberos.xml
@@ -74,7 +74,7 @@
             value="tcooper@realma.org" />
         <entry
             key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="" />
+            value="Secretary" />
     </util:map>
 
     <util:map id="userClaimsREALMB">
@@ -125,7 +125,7 @@
             value="tcooper@realmb.org" />
         <entry
             key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
-            value="" />
+            value="Secretary" />
     </util:map>
 
     <util:list id="supportedClaims">
@@ -135,4 +135,4 @@
         <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value>
     </util:list>
 
-</beans>
\ No newline at end of file
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/systests/oidc/src/test/resources/realma/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/oidc/src/test/resources/realma/entities-realma.xml b/systests/oidc/src/test/resources/realma/entities-realma.xml
index 20261ee..95a91eb 100644
--- a/systests/oidc/src/test/resources/realma/entities-realma.xml
+++ b/systests/oidc/src/test/resources/realma/entities-realma.xml
@@ -126,6 +126,11 @@
         <property name="optional" value="false" />
     </bean>
     <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+        <property name="application" ref="srv-oidc" />
+        <property name="claim" ref="claim_role" />
+        <property name="optional" value="false" />
+    </bean>
+    <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
         <property name="application" ref="srv-fedizhelloworld" />
         <property name="claim" ref="claim_givenname" />
         <property name="optional" value="false" />

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/systests/webapps/cxfWebapp/src/main/java/org/apache/cxf/fediz/example/Service.java
----------------------------------------------------------------------
diff --git a/systests/webapps/cxfWebapp/src/main/java/org/apache/cxf/fediz/example/Service.java
b/systests/webapps/cxfWebapp/src/main/java/org/apache/cxf/fediz/example/Service.java
index a82a8a4..21c88d5 100644
--- a/systests/webapps/cxfWebapp/src/main/java/org/apache/cxf/fediz/example/Service.java
+++ b/systests/webapps/cxfWebapp/src/main/java/org/apache/cxf/fediz/example/Service.java
@@ -64,7 +64,7 @@ public class Service {
     }
     
     @Path("/fedservlet")
-    @RolesAllowed({ "User", "Admin", "Manager", "Authenticated" })
+    @RolesAllowed({ "User", "Admin", "Manager", "Authenticated", "Secretary" })
     @GET
     @Produces("text/html")
     public String doGetSecure(@Context UriInfo uriInfo) throws Exception {

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml b/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml
index de8b046..33044a1 100644
--- a/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml
+++ b/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml
@@ -73,6 +73,9 @@
 	<security-role>
 		<role-name>Authenticated</role-name>
 	</security-role>				
+	<security-role>
+		<role-name>Secretary</role-name>
+	</security-role>				
 
 	<security-constraint>
 		<web-resource-collection>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
----------------------------------------------------------------------
diff --git a/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
b/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
index 3f09691..ee5df2a 100644
--- a/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
+++ b/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
@@ -103,7 +103,7 @@
                 <sec:intercept-url pattern="/secure/manager/**" access="ROLE_MANAGER"/>
                 <sec:intercept-url pattern="/secure/admin/**" access="ROLE_ADMIN"/>
                 <sec:intercept-url pattern="/secure/user/**" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER"/>
-                <sec:intercept-url pattern="/secure/fedservlet" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER,ROLE_AUTHENTICATED"/>
+                <sec:intercept-url pattern="/secure/fedservlet" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER,ROLE_AUTHENTICATED,ROLE_SECRETARY"/>
             </sec:filter-invocation-definition-source>
         </property>
     </bean>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bec9f586/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/web.xml b/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/web.xml
index 60a1b47..4cd996b 100644
--- a/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/web.xml
+++ b/systests/webapps/springPreauthWebapp/src/main/webapp/WEB-INF/web.xml
@@ -107,6 +107,9 @@
 	<security-role>
 		<role-name>Authenticated</role-name>
 	</security-role>				
+	<security-role>
+		<role-name>Secretary</role-name>
+	</security-role>				
 
 	<security-constraint>
 		<web-resource-collection>


Mime
View raw message