cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: Splitting IdP security config up to make it easier to reuse
Date Wed, 19 Oct 2016 13:01:39 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 901ef3844 -> a2f78efd1


Splitting IdP security config up to make it easier to reuse


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a2f78efd
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a2f78efd
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a2f78efd

Branch: refs/heads/master
Commit: a2f78efd150580cf67262860a2d316753d12bfb9
Parents: 901ef38
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Oct 19 14:01:20 2016 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Oct 19 14:01:20 2016 +0100

----------------------------------------------------------------------
 .../config/security-clientcert-config.xml       |  75 ++++++++
 .../WEB-INF/config/security-krb-config.xml      |  84 +++++++++
 .../WEB-INF/config/security-rs-config.xml       |  64 +++++++
 .../WEB-INF/config/security-up-config.xml       |  94 ++++++++++
 .../src/main/webapp/WEB-INF/security-config.xml | 177 ++-----------------
 5 files changed, 328 insertions(+), 166 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
new file mode 100644
index 0000000..bc23084
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.1.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util.xsd
+        ">
+
+    <!-- DISABLE in production as it might log confidential information about the user
-->
+    <!-- <security:debug /> -->
+
+    <!-- SSL Client Cert entry point for WS-Federation -->
+    <security:http pattern="/federation/clientcert" use-expressions="true">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:x509 />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+    
+    <!-- SSL Client Cert entry point for SAML SSO -->
+    <security:http pattern="/saml/clientcert" use-expressions="true">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:x509 />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+
+    <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsClientCertAuthProvider" />
+    </bean>
+    
+    <util:map id="securityProperties">
+        <entry key="ws-security.username" value="idp-user" />
+        <entry key="ws-security.password" value="idp-pass" />
+    </util:map>
+    
+    <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"
/>
+        <property name="wsdlEndpoint" value="TransportUT_Port" />
+        <property name="wsdlService" value="SecurityTokenService" />
+        <property name="appliesTo" value="urn:fediz:idp" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+        <property name="properties" ref="securityProperties" />
+    </bean>
+    
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml
new file mode 100644
index 0000000..d654bcd
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.1.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util.xsd
+        ">
+
+    <!-- DISABLE in production as it might log confidential information about the user
-->
+    <!-- <security:debug /> -->
+
+    <!-- Kerberos entry point -->
+    <bean id="kerberosEntryPoint"
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
+    
+    <bean id="kerberosAuthenticationProcessingFilter"
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+          <property name="authenticationManager" ref="authenticationManagers" />
+    </bean>
+    
+    <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+    
+    <security:http pattern="/saml/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+    
+    <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsKrbAuthProvider" />
+    </bean>
+    
+    <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
+        <property name="contextName" value="bob" />
+        <property name="serviceName" value="bob@service.ws.apache.org" />
+    </bean>-->
+	
+	<!-- Kerberos authentication provider -->
+    <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"
/>
+        <property name="wsdlEndpoint" value="TransportKerberos_Port" />
+        <property name="wsdlService" value="SecurityTokenService" />
+        <property name="appliesTo" value="urn:fediz:idp" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+        <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator" />
+        <property name="requireDelegation" value="true" />-->
+    </bean>
+
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
new file mode 100644
index 0000000..72dcd6a
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.1.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util.xsd
+        ">
+
+    <!-- DISABLE in production as it might log confidential information about the user
-->
+    <!-- <security:debug /> -->
+
+    <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+        <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()" />
+        <security:http-basic />
+    </security:http>
+
+    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
+    
+    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"
/>
+    
+    <security:authentication-manager id="restAuthenticationManager">
+        <security:authentication-provider>
+          <!-- <security:password-encoder ref="defaultPasswordEncoder" />-->
+          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+          <!--  
+          <security:password-encoder hash="sha-256" base64="true">
+            <security:salt-source user-property="username" />
+          </security:password-encoder>
+          -->
+          <security:user-service properties="classpath:/users.properties" />
+        </security:authentication-provider>
+        <security:authentication-provider ref="stsUPAuthProvider" />
+    </security:authentication-manager>
+    
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
new file mode 100644
index 0000000..1fd77ed
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.1.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util.xsd
+        ">
+
+    <!-- DISABLE in production as it might log confidential information about the user
-->
+    <!-- <security:debug /> -->
+
+    <!-- HTTP/BA entry point for WS-Federation -->
+    <security:http pattern="/federation/up/**" use-expressions="true">
+		<security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous()
or isAuthenticated()" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:http-basic />
+	<!--security:form-login login-page='/federation/up/login'
+		login-processing-url="/federation/up/login.do"
+		authentication-failure-url="/federation/up/login?error" 
+		default-target-url="/"
+		username-parameter="username" 
+		password-parameter="password"
+	/-->
+	<security:logout logout-url="/federation/up/logout" 
+		logout-success-url="/federation/up/login?out" 
+		delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+		invalidate-session="true" 
+	/>
+    </security:http>
+    
+    <!-- HTTP/BA entry point for SAML SSO -->
+    <security:http pattern="/saml/up/**" use-expressions="true">
+		<security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous()
or isAuthenticated()" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:http-basic />
+	<!--security:form-login login-page='/federation/up/login'
+		login-processing-url="/federation/up/login.do"
+		authentication-failure-url="/federation/up/login?error" 
+		default-target-url="/"
+		username-parameter="username" 
+		password-parameter="password"
+	/-->
+	<security:logout logout-url="/saml/up/logout" 
+		logout-success-url="/saml/up/login?out" 
+		delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+		invalidate-session="true" 
+	/>
+    </security:http>
+    
+    <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsUPAuthProvider" />
+    </bean>
+    
+    <!-- U/P Authentication Provider -->
+    <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"
/>
+        <property name="wsdlEndpoint" value="TransportUT_Port" />
+        <property name="wsdlService" value="SecurityTokenService" />
+        <property name="appliesTo" value="urn:fediz:idp" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+    </bean>
+    
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index d8891e5..373edaf 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -33,7 +33,12 @@
         http://www.springframework.org/schema/util/spring-util.xsd
         ">
 
-    <context:property-placeholder location="classpath:realm.properties"/>
+    <context:property-placeholder location="classpath:realm.properties" />
+
+    <import resource="config/security-krb-config.xml" />
+    <import resource="config/security-clientcert-config.xml" />
+    <import resource="config/security-up-config.xml" />
+    <import resource="config/security-rs-config.xml" />
     
     <!-- DISABLE in production as it might log confidential information about the user
-->
     <!-- <security:debug /> -->
@@ -42,193 +47,33 @@
     
     <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
     <!-- The user has no role during the login phase of WS-Federation -->
-    <security:global-method-security pre-post-annotations="enabled"/>
+    <security:global-method-security pre-post-annotations="enabled" />
 
-    <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-        <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
-        <security:http-basic />
-    </security:http>
-
-    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
-    
-    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"
/>
-    
-    <security:authentication-manager id="restAuthenticationManager">
-        <security:authentication-provider>
-          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
-          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
-          <!--  
-          <security:password-encoder hash="sha-256" base64="true">
-            <security:salt-source user-property="username"/>
-          </security:password-encoder>
-          -->
-          <security:user-service properties="classpath:/users.properties" />
-        </security:authentication-provider>
-        <security:authentication-provider ref="stsUPAuthProvider" />
-    </security:authentication-manager>
-    
     <!-- Redirects to a dedicated http config -->
     <bean id="fedizEntryPoint" class="org.apache.cxf.fediz.service.idp.FedizEntryPoint">
         <property name="realm" value="${realm-uri}" />
         <property name="configService" ref="config" />
     </bean>
     
-    <!-- Kerberos entry point -->
-    <bean id="kerberosEntryPoint"
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
-    
-    <bean id="kerberosAuthenticationProcessingFilter"
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
-          <property name="authenticationManager" ref="authenticationManagers" />
-    </bean>
-    
-    <!-- Main entry point -->
+    <!-- Main entry point for WS-Federation -->
     <security:http pattern="/federation" use-expressions="true" entry-point-ref="fedizEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
     </security:http>
     
-    <!-- HTTP/BA entry point -->
-    <security:http pattern="/federation/up/**" use-expressions="true">
-		<security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous()
or isAuthenticated()" />
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-
-        <security:http-basic />
-		<!--security:form-login login-page='/federation/up/login'
-			login-processing-url="/federation/up/login.do"
-			authentication-failure-url="/federation/up/login?error" 
-			default-target-url="/"
-			username-parameter="username" 
-			password-parameter="password"
-			/-->
-		<security:logout logout-url="/federation/up/logout" 
-			logout-success-url="/federation/up/login?out" 
-			delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
-			invalidate-session="true" 
-			/>
-    </security:http>
-    
-    <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-
-        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
-        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
-    </security:http>
-    
-    <!-- SSL Client Cert entry point -->
-    <security:http pattern="/federation/clientcert" use-expressions="true">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-
-        <security:x509 />
-        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
-    </security:http>
-    
-    <!-- Main entry point -->
+    <!-- Main entry point for SAML SSO -->
     <security:http pattern="/saml" use-expressions="true" entry-point-ref="fedizEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
     </security:http>
     
-    <!-- HTTP/BA entry point -->
-    <security:http pattern="/saml/up/**" use-expressions="true">
-		<security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous()
or isAuthenticated()" />
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-
-        <security:http-basic />
-		<!--security:form-login login-page='/federation/up/login'
-			login-processing-url="/federation/up/login.do"
-			authentication-failure-url="/federation/up/login?error" 
-			default-target-url="/"
-			username-parameter="username" 
-			password-parameter="password"
-			/-->
-		<security:logout logout-url="/saml/up/logout" 
-			logout-success-url="/saml/up/login?out" 
-			delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
-			invalidate-session="true" 
-			/>
-    </security:http>
-    
-    <security:http pattern="/saml/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-
-        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"
/>
-        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
-    </security:http>
-    
-    <!-- SSL Client Cert entry point -->
-    <security:http pattern="/saml/clientcert" use-expressions="true">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
-
-        <security:x509 />
-        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
-    </security:http>
-
     <security:authentication-manager alias="authenticationManagers">
         <security:authentication-provider ref="stsUPAuthProvider" />
         <security:authentication-provider ref="stsKrbAuthProvider" />
         <security:authentication-provider ref="stsClientCertAuthProvider" />
     </security:authentication-manager>
 	
-    <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
-        <property name="authenticationProvider" ref="stsUPAuthProvider" />
-    </bean>
-    
-    <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
-	
-	<!-- U/P Authentication Provider -->
-    <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
-        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportUT_Port"/>
-        <property name="wsdlService" value="SecurityTokenService"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-    </bean>
-    
-    <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
-        <property name="authenticationProvider" ref="stsKrbAuthProvider" />
-    </bean>
-    
-    <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
-        <property name="contextName" value="bob"/>
-        <property name="serviceName" value="bob@service.ws.apache.org"/>
-    </bean>-->
+    <bean id="entitlementsEnricher" 
+          class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
 	
-	<!-- Kerberos authentication provider -->
-    <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
-        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
-        <property name="wsdlService" value="SecurityTokenService"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-        <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator"/>
-        <property name="requireDelegation" value="true"/>-->
-    </bean>
-
-    <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
-        <property name="authenticationProvider" ref="stsClientCertAuthProvider" />
-    </bean>
-    
-    <util:map id="securityProperties">
-        <entry key="ws-security.username" value="idp-user" />
-        <entry key="ws-security.password" value="idp-pass" />
-    </util:map>
-    
-    <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
-        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportUT_Port"/>
-        <property name="wsdlService" value="SecurityTokenService"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-        <property name="properties" ref="securityProperties"/>
-    </bean>
-    
 </beans>


Mime
View raw message