From cohei...@apache.org
Subject [2/4] cxf-fediz git commit: Consolidating both protocols into a single subflow for "signin"
Date Wed, 14 Dec 2016 12:25:52 GMT
Consolidating both protocols into a single subflow for "signin"


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/31c75529
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/31c75529
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/31c75529

Branch: refs/heads/master
Commit: 31c7552968565fea3fb0957ab84c03f21f11f279
Parents: 44633f3
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Dec 14 11:01:05 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Dec 14 11:01:05 2016 +0000

----------------------------------------------------------------------
 .../webapp/WEB-INF/config/idp-core-servlet.xml  |   3 +-
 .../WEB-INF/flows/federation-signin-request.xml | 173 -------------------
 .../WEB-INF/flows/saml-signin-request.xml       | 172 ------------------
 .../WEB-INF/flows/saml-validate-request.xml     |   5 +-
 .../webapp/WEB-INF/flows/signin-request.xml     | 173 +++++++++++++++++++
 5 files changed, 177 insertions(+), 349 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
index 8a8760a..542360e 100644
--- a/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
@@ -64,14 +64,13 @@
         <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/up"
/>
         <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/krb"
/>
         <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/clientcert"
/>
-        <webflow:flow-location path="/WEB-INF/flows/federation-signin-request.xml" id="signinRequest"
/>
         
         <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml"
/>
         <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/up"
/>
         <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/krb"
/>
         <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/clientcert"
/>
-        <webflow:flow-location path="/WEB-INF/flows/saml-signin-request.xml" id="signinSAMLRequest"
/>
         
+        <webflow:flow-location path="/WEB-INF/flows/signin-request.xml" id="signinRequest"
/>
         <webflow:flow-location path="/WEB-INF/flows/signin-response.xml" id="signinResponse"
/>
     </webflow:flow-registry>
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
deleted file mode 100644
index d9e8558..0000000
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ /dev/null
@@ -1,173 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<flow xmlns="http://www.springframework.org/schema/webflow"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/webflow
-        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
-
-    <input name="idpConfig" />
-    <input name="wfresh" />
-    <input name="realm" />
-    <input name="home_realm" />
-    <input name="protocol" />
-    <input name="return_address" />
-    <input name="request_context" />
-    
-    <!-- ===== Home Realm Discovery ===== -->
-
-    <decision-state id="processHRDSExpression">
-        <on-entry>
-            <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext,
flowScope.home_realm)" 
-                      result="flowScope.home_realm" />
-        </on-entry>
-        <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
-            then="provideIDPListForUser" else="checkIsThisIDP" />
-    </decision-state>
-
-    <decision-state id="provideIDPListForUser">
-        <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
-            then="checkDefaultToThisIDP" />
-        <if test="flowScope.idpConfig.isProvideIdpList() == false"
-            then="checkDefaultToThisIDP" else="showIDPList" />
-    </decision-state>
-    
-    <decision-state id="checkDefaultToThisIDP">
-        <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
-            else="viewBadRequest" />
-    </decision-state>
-
-    <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
-        <var name="trustedIDPSelection"
-            class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
-        <binder>
-            <binding property="home_realm" required="true" />
-        </binder>
-        <on-entry>
-            <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
-        </on-entry>
-        <transition on="submit" to="checkIsThisIDP" bind="true"
-            validate="true">
-            <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
-            <evaluate
-                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)"
/>
-        </transition>
-        <transition on="cancel" to="checkDefaultToThisIDP"
-            bind="false" validate="false" />
-    </view-state>
-
-    <!-- Home Realm is known then we can store it in cookie -->
-    <decision-state id="checkIsThisIDP">
-        <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
-            then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
-    </decision-state>
-    
-    <!-- ===== Realm independent ===== -->
-    
-    <action-state id="validateReturnAddress">
-        <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
-                              and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address,
flowScope.realm)"/>
-        <transition on="yes" to="requestRpToken" />
-        <transition on="no" to="viewBadRequest" />
-    </action-state>
-    
-    <!-- ===== Home Realm != this realm ===== -->
-
-    <decision-state id="checkRemoteIdpToken">
-        <if test="externalContext.sessionMap[flowScope.home_realm] != null"
-            then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
-    </decision-state>
-
-    <action-state id="checkRemoteIdpTokenExpiry">
-        <evaluate
-            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or
-                        protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh,
flowScope.home_realm, flowRequestContext)
-                        or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)"
/>
-        <transition on="yes" to="redirectToTrustedIDP" />
-        <transition on="no" to="validateReturnAddress" >
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]"
/>
-        </transition>
-        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
-    </action-state>
-    
-    <!-- ===== Home Realm == this realm ===== -->
-    
-    <decision-state id="homeRealmSignInEntryPoint">
-        <on-entry>
-            <!-- Here, home realm is guaranteed to be THIS realm -->
-            <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
-        </on-entry>
-        <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
-            then="viewBadRequest" />
-
-        <!-- check presence of cached IDP token for THIS realm -->
-        <if test="externalContext.sessionMap[flowScope.home_realm] == null"
-            then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
-    </decision-state>
-
-    <action-state id="checkLocalIdPTokenExpiry">
-        <evaluate
-            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or
-                        protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh,
flowScope.home_realm, flowRequestContext)
-                        or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)"
/>
-        <transition on="yes" to="redirectToLocalIDP" />
-        <transition on="no" to="validateReturnAddress">
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]"
/>
-        </transition>
-        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
-    </action-state>
-
-    <end-state id="redirectToLocalIDP">
-        <on-entry>
-            <evaluate expression="logoutAction.submit(flowRequestContext)" />
-        </on-entry>
-        <output name="wctx" value="flowScope.wctx" />
-        <output name="home_realm" value="flowScope.home_realm" />
-    </end-state>
-
-    <action-state id="cacheSecurityToken">
-        <secured attributes="IS_AUTHENTICATED_FULLY" />
-        <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
-        <transition to="validateReturnAddress">
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[home_realm]"
/>
-        </transition>
-    </action-state>
-
-    <!-- =============================================================================================================
-->
-
-    <!-- normal exit point -->
-    <end-state id="requestRpToken">
-        <output name="home_realm" value="flowScope.home_realm" />
-        <output name="idpToken" value="flowScope.idpToken" />
-    </end-state>
-
-    <!-- abnormal exit point : Http 400 Bad Request -->
-    <end-state id="viewBadRequest" />
-
-    <!-- redirects to requestor idp -->
-    <end-state id="redirectToTrustedIDP">
-        <on-entry>
-            <evaluate expression="signinParametersCacheAction.store(flowRequestContext,
protocol)" />
-        </on-entry>
-        <output name="home_realm" value="flowScope.home_realm" />
-        <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
-    </end-state>
-
-</flow>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
deleted file mode 100644
index c3f6dbe..0000000
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ /dev/null
@@ -1,172 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<flow xmlns="http://www.springframework.org/schema/webflow"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/webflow
-        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
-
-    <input name="idpConfig" />
-    <input name="saml_authn_request" />
-    <input name="realm" />
-    <input name="home_realm" />
-    <input name="protocol" />
-    <input name="return_address" />
-    <input name="request_context" />
-    
-    <!-- ===== Home Realm Discovery ===== -->
-    
-    <decision-state id="processHRDSExpression">
-        <on-entry>
-            <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext,
flowScope.home_realm)" 
-                      result="flowScope.home_realm" />
-        </on-entry>
-        <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
-            then="provideIDPListForUser" else="checkIsThisIDP" />
-    </decision-state>
-    
-    <decision-state id="provideIDPListForUser">
-        <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
-            then="checkDefaultToThisIDP" />
-        <if test="flowScope.idpConfig.isProvideIdpList() == false"
-            then="checkDefaultToThisIDP" else="showIDPList" />
-    </decision-state>
-    
-    <decision-state id="checkDefaultToThisIDP">
-        <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
-            else="viewBadRequest" />
-    </decision-state>
-    
-    <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
-        <var name="trustedIDPSelection"
-            class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
-        <binder>
-            <binding property="home_realm" required="true" />
-        </binder>
-        <on-entry>
-            <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
-        </on-entry>
-        <transition on="submit" to="checkIsThisIDP" bind="true"
-            validate="true">
-            <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
-            <evaluate
-                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)"
/>
-        </transition>
-        <transition on="cancel" to="checkDefaultToThisIDP"
-            bind="false" validate="false" />
-    </view-state>
-    
-    <!-- Home Realm is known then we can store it in cookie -->
-    <decision-state id="checkIsThisIDP">
-        <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
-            then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
-    </decision-state>
-    
-    <!-- ===== Realm independent ===== -->
-    
-    <action-state id="validateReturnAddress">
-        <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
-                              and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address,
flowScope.realm)"/>
-        <transition on="yes" to="requestRpToken" />
-        <transition on="no" to="viewBadRequest" />
-    </action-state>
-    
-    <!-- ===== Home Realm != this realm ===== -->
-    
-    <decision-state id="checkRemoteIdpToken">
-        <if test="externalContext.sessionMap[flowScope.home_realm] != null"
-            then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
-    </decision-state>
-    
-    <action-state id="checkRemoteIdpTokenExpiry">
-        <evaluate
-            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or
-                        protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh,
flowScope.home_realm, flowRequestContext)
-                        or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)"
/>
-        <transition on="yes" to="redirectToTrustedIDP" />
-        <transition on="no" to="validateReturnAddress" >
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
-        </transition>
-        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
-    </action-state>
-    
-    <!-- ===== Home Realm == this realm ===== -->
-    
-    <decision-state id="homeRealmSignInEntryPoint">
-        <on-entry>
-            <!-- Here, home realm is guaranteed to be THIS realm -->
-            <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
-        </on-entry>
-        <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
-            then="viewBadRequest" />
-            
-        <!-- check presence of cached IDP token for THIS realm -->
-        <if test="externalContext.sessionMap[flowScope.home_realm] == null"
-            then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
-    </decision-state>
-
-    <action-state id="checkLocalIdPTokenExpiry">
-        <evaluate
-            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or
-                        protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh,
flowScope.home_realm, flowRequestContext)
-                        or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)"
/>
-        <transition on="yes" to="redirectToLocalIDP" />
-        <transition on="no" to="validateReturnAddress">
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
-        </transition>
-        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
-    </action-state>
-
-    <end-state id="redirectToLocalIDP">
-        <on-entry>
-            <evaluate expression="logoutAction.submit(flowRequestContext)" />
-        </on-entry>
-        <output name="home_realm" value="flowScope.home_realm" />
-    </end-state>
-
-    <action-state id="cacheSecurityToken">
-        <secured attributes="IS_AUTHENTICATED_FULLY" />
-        <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
-        <transition to="validateReturnAddress">
-            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
-        </transition>
-    </action-state>
-    
-    <!-- =============================================================================================================
-->
-
-    <!-- normal exit point -->
-    <end-state id="requestRpToken">
-        <output name="home_realm" value="flowScope.home_realm" />
-        <output name="idpToken" value="flowScope.idpToken" />
-    </end-state>
-
-    <!-- abnormal exit point -->
-    <end-state id="viewBadRequest" />
-    
-    <!-- redirects to requestor idp -->
-    <end-state id="redirectToTrustedIDP">
-        <on-entry>
-            <evaluate expression="signinParametersCacheAction.store(flowRequestContext,
protocol)" />
-        </on-entry>
-        <output name="home_realm" value="flowScope.home_realm" />
-        <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
-    </end-state>
-
-</flow>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 17d6067..e1993b9 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -92,11 +92,11 @@
     <action-state id="retrieveRealm">
         <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)" 
                   result="flowScope.realm"/>
-        <transition to="signinSAMLRequest"/>
+        <transition to="signinRequest"/>
         <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException"
to="viewBadRequest" />
     </action-state>
     
-    <subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
+    <subflow-state id="signinRequest" subflow="signinRequest">
         <input name="idpConfig" value="flowScope.idpConfig" />
         <input name="SAMLRequest" value="flowScope.SAMLRequest" />
         <input name="RelayState" value="flowScope.RelayState" />
@@ -105,6 +105,7 @@
         <input name="saml_authn_request" value="flowScope.saml_authn_request" />
         <input name="realm" value="flowScope.realm" />
         <input name="home_realm" value="null" />
+        <input name="wfresh" value="null" />
         <input name="return_address" value="flowScope.consumerURL" />
         <input name="request_context" value="flowScope.request_context" />
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/31c75529/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
new file mode 100644
index 0000000..78b149e
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/flows/signin-request.xml
@@ -0,0 +1,173 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/webflow
+        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <input name="idpConfig" />
+    <input name="wfresh" />
+    <input name="saml_authn_request" />
+    <input name="realm" />
+    <input name="home_realm" />
+    <input name="protocol" />
+    <input name="return_address" />
+    <input name="request_context" />
+    
+    <!-- ===== Home Realm Discovery ===== -->
+    
+    <decision-state id="processHRDSExpression">
+        <on-entry>
+            <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext,
flowScope.home_realm)" 
+                      result="flowScope.home_realm" />
+        </on-entry>
+        <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
+            then="provideIDPListForUser" else="checkIsThisIDP" />
+    </decision-state>
+    
+    <decision-state id="provideIDPListForUser">
+        <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
+            then="checkDefaultToThisIDP" />
+        <if test="flowScope.idpConfig.isProvideIdpList() == false"
+            then="checkDefaultToThisIDP" else="showIDPList" />
+    </decision-state>
+    
+    <decision-state id="checkDefaultToThisIDP">
+        <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
+            else="viewBadRequest" />
+    </decision-state>
+    
+    <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
+        <var name="trustedIDPSelection"
+            class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
+        <binder>
+            <binding property="home_realm" required="true" />
+        </binder>
+        <on-entry>
+            <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
+        </on-entry>
+        <transition on="submit" to="checkIsThisIDP" bind="true"
+            validate="true">
+            <set name="flowScope.home_realm" value="trustedIDPSelection.home_realm" />
+            <evaluate
+                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)"
/>
+        </transition>
+        <transition on="cancel" to="checkDefaultToThisIDP"
+            bind="false" validate="false" />
+    </view-state>
+    
+    <!-- Home Realm is known then we can store it in cookie -->
+    <decision-state id="checkIsThisIDP">
+        <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
+            then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
+    </decision-state>
+    
+    <!-- ===== Realm independent ===== -->
+    
+    <action-state id="validateReturnAddress">
+        <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
+                              and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address,
flowScope.realm)"/>
+        <transition on="yes" to="requestRpToken" />
+        <transition on="no" to="viewBadRequest" />
+    </action-state>
+    
+    <!-- ===== Home Realm != this realm ===== -->
+    
+    <decision-state id="checkRemoteIdpToken">
+        <if test="externalContext.sessionMap[flowScope.home_realm] != null"
+            then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
+    </decision-state>
+    
+    <action-state id="checkRemoteIdpTokenExpiry">
+        <evaluate
+            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or
+                        protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh,
flowScope.home_realm, flowRequestContext)
+                        or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)"
/>
+        <transition on="yes" to="redirectToTrustedIDP" />
+        <transition on="no" to="validateReturnAddress" >
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
+        </transition>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+    
+    <!-- ===== Home Realm == this realm ===== -->
+    
+    <decision-state id="homeRealmSignInEntryPoint">
+        <on-entry>
+            <!-- Here, home realm is guaranteed to be THIS realm -->
+            <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
+        </on-entry>
+        <if test="flowScope.idpConfig.getAuthenticationURIs() == null"
+            then="viewBadRequest" />
+            
+        <!-- check presence of cached IDP token for THIS realm -->
+        <if test="externalContext.sessionMap[flowScope.home_realm] == null"
+            then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
+    </decision-state>
+
+    <action-state id="checkLocalIdPTokenExpiry">
+        <evaluate
+            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext)
or
+                        protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh,
flowScope.home_realm, flowRequestContext)
+                        or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)"
/>
+        <transition on="yes" to="redirectToLocalIDP" />
+        <transition on="no" to="validateReturnAddress">
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
+        </transition>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+
+    <end-state id="redirectToLocalIDP">
+        <on-entry>
+            <evaluate expression="logoutAction.submit(flowRequestContext)" />
+        </on-entry>
+        <output name="home_realm" value="flowScope.home_realm" />
+    </end-state>
+
+    <action-state id="cacheSecurityToken">
+        <secured attributes="IS_AUTHENTICATED_FULLY" />
+        <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
+        <transition to="validateReturnAddress">
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]"
/>
+        </transition>
+    </action-state>
+    
+    <!-- =============================================================================================================
-->
+
+    <!-- normal exit point -->
+    <end-state id="requestRpToken">
+        <output name="home_realm" value="flowScope.home_realm" />
+        <output name="idpToken" value="flowScope.idpToken" />
+    </end-state>
+
+    <!-- abnormal exit point -->
+    <end-state id="viewBadRequest" />
+    
+    <!-- redirects to requestor idp -->
+    <end-state id="redirectToTrustedIDP">
+        <on-entry>
+            <evaluate expression="signinParametersCacheAction.store(flowRequestContext,
protocol)" />
+        </on-entry>
+        <output name="home_realm" value="flowScope.home_realm" />
+        <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
+    </end-state>
+
+</flow>
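Review bot: The merged re-authentication test in `checkRemoteIdpTokenExpiry` and `checkLocalIdPTokenExpiry` (lines 601-605 and 632-636) chains both protocols in one `or`/`and` expression and relies on SpEL giving `and` precedence over `or` to mean `expired or (wsfed and wfresh) or (samlsso and forceAuthn)`; since a mis-grouping here would silently skip a forced re-login, the grouping should be written out, e.g. `idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or (flowScope.protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)) or (flowScope.protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext))`. The same expressions, and the `signinParametersCacheAction.store(flowRequestContext, protocol)` call on line 677, read `protocol` unqualified while the rest of the flow uses `flowScope.` (line 545 even mixes `flowScope.idpConfig` with bare `idpConfig` in one test); qualifying them consistently makes clear the value is the subflow input and not something resolved from another scope. Note also that the `home_realm` bound from the `showIDPList` submit (line 567) flows into `checkIsThisIDP` and on to `redirectToTrustedIDP` without a visible check that it names an entry of `idpConfig.trustedIdps`; if the `TrustedIDPSelection` validation invoked by `validate="true"` does not enforce that, a decision-state doing so before the redirect would be worthwhile.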

