cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [18/19] cxf-fediz git commit: FEDIZ-155 - Move .java components out of idp webapp and into a separate JAR
Date Fri, 27 Jan 2017 11:23:01 GMT
FEDIZ-155 - Move .java components out of idp webapp and into a separate JAR


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/bf309400
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/bf309400
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/bf309400

Branch: refs/heads/master
Commit: bf30940024fdde9390f654094a047e4b17fce878
Parents: f9c0026
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Jan 27 10:50:48 2017 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Jan 27 10:50:48 2017 +0000

----------------------------------------------------------------------
 services/idp-core/README.txt                    |  57 ++
 services/idp-core/pom.xml                       | 356 ++++++++++
 .../src/main/filters/realm-a/env.properties     |   6 +
 .../src/main/filters/realm-b/env.properties     |   6 +
 .../cxf/fediz/service/idp/FedizEntryPoint.java  | 172 +++++
 .../cxf/fediz/service/idp/IdpConstants.java     |  60 ++
 .../cxf/fediz/service/idp/IdpSTSClient.java     |  52 ++
 .../cxf/fediz/service/idp/MetadataServlet.java  | 111 ++++
 .../service/idp/STSAuthenticationProvider.java  | 307 +++++++++
 .../idp/STSKrbAuthenticationProvider.java       | 259 ++++++++
 .../cxf/fediz/service/idp/STSPortFilter.java    |  95 +++
 .../idp/STSPreAuthAuthenticationProvider.java   | 130 ++++
 .../idp/STSUPAuthenticationProvider.java        | 131 ++++
 .../cxf/fediz/service/idp/STSUserDetails.java   |  73 +++
 .../service/idp/beans/CacheSecurityToken.java   |  56 ++
 .../service/idp/beans/CommonsURLValidator.java  |  52 ++
 .../service/idp/beans/HomeRealmReminder.java    |  43 ++
 .../idp/beans/IdpTokenExpiredAction.java        |  69 ++
 .../fediz/service/idp/beans/LogoutAction.java   |  45 ++
 .../idp/beans/PassiveRequestorValidator.java    |  76 +++
 .../idp/beans/ProcessHRDSExpressionAction.java  |  72 ++
 .../service/idp/beans/STSClientAction.java      | 439 +++++++++++++
 .../idp/beans/SigninParametersCacheAction.java  | 185 ++++++
 .../service/idp/beans/TokenSerializer.java      |  62 ++
 .../idp/beans/TrustedIdpProtocolAction.java     | 100 +++
 .../idp/beans/samlsso/AuthnRequestParser.java   | 388 +++++++++++
 .../idp/beans/samlsso/LocalRedirectCreator.java |  54 ++
 .../idp/beans/samlsso/SamlResponseCreator.java  | 187 ++++++
 .../beans/samlsso/SamlResponseErrorCreator.java |  97 +++
 .../service/idp/beans/wsfed/WfreshParser.java   |  84 +++
 .../fediz/service/idp/domain/Application.java   | 242 +++++++
 .../cxf/fediz/service/idp/domain/Claim.java     |  79 +++
 .../fediz/service/idp/domain/Entitlement.java   |  70 ++
 .../service/idp/domain/FederationType.java      |  40 ++
 .../cxf/fediz/service/idp/domain/Idp.java       | 304 +++++++++
 .../fediz/service/idp/domain/RequestClaim.java  |  49 ++
 .../cxf/fediz/service/idp/domain/Role.java      |  74 +++
 .../cxf/fediz/service/idp/domain/TrustType.java |  40 ++
 .../fediz/service/idp/domain/TrustedIdp.java    | 187 ++++++
 .../KerberosAuthenticationProcessingFilter.java | 199 ++++++
 .../idp/kerberos/KerberosEntryPoint.java        |  70 ++
 .../kerberos/KerberosServiceRequestToken.java   | 150 +++++
 .../idp/kerberos/KerberosTokenValidator.java    | 185 ++++++
 .../idp/kerberos/PassThroughKerberosClient.java |  80 +++
 .../service/idp/metadata/IdpMetadataWriter.java | 180 +++++
 .../idp/metadata/ServiceMetadataWriter.java     | 214 ++++++
 .../cxf/fediz/service/idp/model/IDPConfig.java  |  44 ++
 .../fediz/service/idp/model/RequestClaim.java   |  26 +
 .../fediz/service/idp/model/ServiceConfig.java  |  35 +
 .../service/idp/model/TrustedIDPConfig.java     |  30 +
 .../service/idp/model/TrustedIDPSelection.java  |  36 +
 ...AbstractTrustedIdpOAuth2ProtocolHandler.java | 207 ++++++
 .../AbstractTrustedIdpProtocolHandler.java      |  58 ++
 .../ApplicationProtocolControllerImpl.java      |  60 ++
 .../ApplicationSAMLSSOProtocolHandler.java      |  57 ++
 .../ApplicationWSFedProtocolHandler.java        |  57 ++
 .../idp/protocols/ProtocolController.java       |  32 +
 .../TrustedIdpFacebookProtocolHandler.java      | 226 +++++++
 .../TrustedIdpOIDCProtocolHandler.java          | 335 ++++++++++
 .../TrustedIdpProtocolControllerImpl.java       |  60 ++
 .../TrustedIdpSAMLProtocolHandler.java          | 415 ++++++++++++
 .../TrustedIdpWSFedProtocolHandler.java         | 231 +++++++
 .../service/idp/rest/ApplicationService.java    |  88 +++
 .../idp/rest/ApplicationServiceImpl.java        | 151 +++++
 .../fediz/service/idp/rest/Applications.java    |  49 ++
 .../fediz/service/idp/rest/ClaimService.java    |  72 ++
 .../service/idp/rest/ClaimServiceImpl.java      | 106 +++
 .../cxf/fediz/service/idp/rest/Claims.java      |  50 ++
 .../service/idp/rest/EntitlementService.java    |  73 +++
 .../idp/rest/EntitlementServiceImpl.java        |  98 +++
 .../fediz/service/idp/rest/Entitlements.java    |  49 ++
 .../cxf/fediz/service/idp/rest/IdpService.java  | 114 ++++
 .../fediz/service/idp/rest/IdpServiceImpl.java  | 240 +++++++
 .../apache/cxf/fediz/service/idp/rest/Idps.java |  49 ++
 .../idp/rest/QueryResourceInfoComparator.java   | 114 ++++
 .../idp/rest/RestServiceExceptionMapper.java    |  83 +++
 .../cxf/fediz/service/idp/rest/RoleService.java |  88 +++
 .../fediz/service/idp/rest/RoleServiceImpl.java | 134 ++++
 .../cxf/fediz/service/idp/rest/Roles.java       |  49 ++
 .../cxf/fediz/service/idp/rest/RootService.java |  39 ++
 .../fediz/service/idp/rest/RootServiceImpl.java |  60 ++
 .../service/idp/rest/TrustedIdpService.java     |  71 ++
 .../service/idp/rest/TrustedIdpServiceImpl.java |  93 +++
 .../cxf/fediz/service/idp/rest/TrustedIdps.java |  49 ++
 .../idp/samlsso/SAML2CallbackHandler.java       | 148 +++++
 .../samlsso/SAML2PResponseComponentBuilder.java | 127 ++++
 .../service/idp/samlsso/SAMLAuthnRequest.java   |  74 +++
 .../service/idp/service/ApplicationDAO.java     |  43 ++
 .../cxf/fediz/service/idp/service/ClaimDAO.java |  38 ++
 .../service/idp/service/ConfigService.java      |  32 +
 .../idp/service/ConfigServiceSpring.java        |  76 +++
 .../service/idp/service/EntitlementDAO.java     |  38 ++
 .../cxf/fediz/service/idp/service/IdpDAO.java   |  53 ++
 .../cxf/fediz/service/idp/service/RoleDAO.java  |  43 ++
 .../service/idp/service/TrustedIdpDAO.java      |  38 ++
 .../idp/service/jpa/ApplicationClaimEntity.java |  83 +++
 .../idp/service/jpa/ApplicationDAOJPAImpl.java  | 254 ++++++++
 .../idp/service/jpa/ApplicationEntity.java      | 214 ++++++
 .../ApplicationIdpProtocolSupportValidator.java |  54 ++
 .../jpa/ApplicationProtocolSupported.java       |  47 ++
 .../idp/service/jpa/ClaimDAOJPAImpl.java        | 143 ++++
 .../service/idp/service/jpa/ClaimEntity.java    |  71 ++
 .../idp/service/jpa/ConfigServiceJPA.java       |  96 +++
 .../service/jpa/DBInitApplicationListener.java  |  73 +++
 .../fediz/service/idp/service/jpa/DBLoader.java |  28 +
 .../service/idp/service/jpa/DBLoaderImpl.java   | 163 +++++
 .../service/idp/service/jpa/DBLoaderSpring.java | 129 ++++
 .../idp/service/jpa/EntitlementDAOJPAImpl.java  | 142 ++++
 .../idp/service/jpa/EntitlementEntity.java      |  72 ++
 .../service/idp/service/jpa/IdpDAOJPAImpl.java  | 367 +++++++++++
 .../service/idp/service/jpa/IdpEntity.java      | 301 +++++++++
 .../service/idp/service/jpa/RoleDAOJPAImpl.java | 206 ++++++
 .../service/idp/service/jpa/RoleEntity.java     |  77 +++
 .../idp/service/jpa/TrustedIdpDAOJPAImpl.java   | 154 +++++
 .../idp/service/jpa/TrustedIdpEntity.java       | 201 ++++++
 .../jpa/TrustedIdpProtocolSupportValidator.java |  54 ++
 .../jpa/TrustedIdpProtocolSupported.java        |  47 ++
 .../security/GrantedAuthorityEntitlements.java  | 100 +++
 .../idp/spi/ApplicationProtocolHandler.java     |  33 +
 .../fediz/service/idp/spi/ProtocolHandler.java  |  25 +
 .../idp/spi/TrustedIdpProtocolHandler.java      |  40 ++
 .../cxf/fediz/service/idp/util/WebUtils.java    | 209 ++++++
 .../src/main/resources/META-INF/orm.xml         | 183 ++++++
 .../resources/META-INF/spring-persistence.xml   |  30 +
 .../main/webapp/WEB-INF/applicationContext.xml  |  61 ++
 .../webapp/WEB-INF/config/idp-core-servlet.xml  | 105 +++
 .../config/security-clientcert-config.xml       |  75 +++
 .../WEB-INF/config/security-krb-config.xml      |  84 +++
 .../WEB-INF/config/security-rs-config.xml       |  64 ++
 .../WEB-INF/config/security-up-config.xml       |  94 +++
 .../flows/federation-validate-request.xml       | 283 ++++++++
 .../WEB-INF/flows/saml-validate-request.xml     | 259 ++++++++
 .../webapp/WEB-INF/flows/signin-request.xml     | 171 +++++
 .../webapp/WEB-INF/flows/signin-response.xml    |  85 +++
 .../main/webapp/WEB-INF/idp-config-realma.xml   | 158 +++++
 .../main/webapp/WEB-INF/idp-config-realmb.xml   | 133 ++++
 .../src/main/webapp/WEB-INF/idp-servlet.xml     |  39 ++
 .../src/main/webapp/WEB-INF/security-config.xml |  76 +++
 .../main/webapp/WEB-INF/views/genericerror.jsp  |  11 +
 .../src/main/webapp/WEB-INF/views/idplist.jsp   |  33 +
 .../src/main/webapp/WEB-INF/views/index.jsp     |  25 +
 .../WEB-INF/views/samlsigninresponseform.jsp    |  20 +
 .../main/webapp/WEB-INF/views/signinform.jsp    |  72 ++
 .../webapp/WEB-INF/views/signinresponseform.jsp |  25 +
 .../views/signoutconfirmationresponse.jsp       |  65 ++
 .../webapp/WEB-INF/views/signoutresponse.jsp    |  56 ++
 .../idp-core/src/main/webapp/WEB-INF/web.xml    | 131 ++++
 .../webapp/resources/images/apache-logo.png     | Bin 0 -> 20928 bytes
 .../main/webapp/resources/swagger/index.html    | 156 +++++
 .../idp/service/jpa/ApplicationDAOJPATest.java  | 348 ++++++++++
 .../idp/service/jpa/ClaimDAOJPATest.java        | 115 ++++
 .../idp/service/jpa/EntitlementDAOJPATest.java  | 115 ++++
 .../service/idp/service/jpa/IdpDAOJPATest.java  | 653 +++++++++++++++++++
 .../service/idp/service/jpa/TestDBLoader.java   |  93 +++
 .../idp/service/jpa/TrustedIdpDAOJPATest.java   | 202 ++++++
 .../service/idp/util/MetadataWriterTest.java    |  57 ++
 .../src/test/resources/entities-realma.xml      | 504 ++++++++++++++
 .../idp-core/src/test/resources/idp-config.xml  | 152 +++++
 .../src/test/resources/persistence.properties   |  14 +
 .../src/test/resources/persistenceContext.xml   | 107 +++
 .../src/test/resources/realm.properties         |   4 +
 .../idp-core/src/test/resources/realma.cert     |  15 +
 .../src/test/resources/stsKeystoreA.properties  |   6 +
 .../idp-core/src/test/resources/stsrealm_a.jks  | Bin 0 -> 2061 bytes
 .../idp-core/src/test/resources/testContext.xml |  54 ++
 services/idp/pom.xml                            | 308 +--------
 .../cxf/fediz/service/idp/FedizEntryPoint.java  | 172 -----
 .../cxf/fediz/service/idp/IdpConstants.java     |  60 --
 .../cxf/fediz/service/idp/IdpSTSClient.java     |  52 --
 .../cxf/fediz/service/idp/MetadataServlet.java  | 111 ----
 .../service/idp/STSAuthenticationProvider.java  | 307 ---------
 .../idp/STSKrbAuthenticationProvider.java       | 259 --------
 .../cxf/fediz/service/idp/STSPortFilter.java    |  95 ---
 .../idp/STSPreAuthAuthenticationProvider.java   | 130 ----
 .../idp/STSUPAuthenticationProvider.java        | 131 ----
 .../cxf/fediz/service/idp/STSUserDetails.java   |  73 ---
 .../service/idp/beans/CacheSecurityToken.java   |  56 --
 .../service/idp/beans/CommonsURLValidator.java  |  52 --
 .../service/idp/beans/HomeRealmReminder.java    |  43 --
 .../idp/beans/IdpTokenExpiredAction.java        |  69 --
 .../fediz/service/idp/beans/LogoutAction.java   |  45 --
 .../idp/beans/PassiveRequestorValidator.java    |  76 ---
 .../idp/beans/ProcessHRDSExpressionAction.java  |  72 --
 .../service/idp/beans/STSClientAction.java      | 439 -------------
 .../idp/beans/SigninParametersCacheAction.java  | 185 ------
 .../service/idp/beans/TokenSerializer.java      |  62 --
 .../idp/beans/TrustedIdpProtocolAction.java     | 100 ---
 .../idp/beans/samlsso/AuthnRequestParser.java   | 388 -----------
 .../idp/beans/samlsso/LocalRedirectCreator.java |  54 --
 .../idp/beans/samlsso/SamlResponseCreator.java  | 187 ------
 .../beans/samlsso/SamlResponseErrorCreator.java |  97 ---
 .../service/idp/beans/wsfed/WfreshParser.java   |  84 ---
 .../fediz/service/idp/domain/Application.java   | 242 -------
 .../cxf/fediz/service/idp/domain/Claim.java     |  79 ---
 .../fediz/service/idp/domain/Entitlement.java   |  70 --
 .../service/idp/domain/FederationType.java      |  40 --
 .../cxf/fediz/service/idp/domain/Idp.java       | 304 ---------
 .../fediz/service/idp/domain/RequestClaim.java  |  49 --
 .../cxf/fediz/service/idp/domain/Role.java      |  74 ---
 .../cxf/fediz/service/idp/domain/TrustType.java |  40 --
 .../fediz/service/idp/domain/TrustedIdp.java    | 187 ------
 .../KerberosAuthenticationProcessingFilter.java | 199 ------
 .../idp/kerberos/KerberosEntryPoint.java        |  70 --
 .../kerberos/KerberosServiceRequestToken.java   | 150 -----
 .../idp/kerberos/KerberosTokenValidator.java    | 185 ------
 .../idp/kerberos/PassThroughKerberosClient.java |  80 ---
 .../service/idp/metadata/IdpMetadataWriter.java | 180 -----
 .../idp/metadata/ServiceMetadataWriter.java     | 214 ------
 .../cxf/fediz/service/idp/model/IDPConfig.java  |  44 --
 .../fediz/service/idp/model/RequestClaim.java   |  26 -
 .../fediz/service/idp/model/ServiceConfig.java  |  35 -
 .../service/idp/model/TrustedIDPConfig.java     |  30 -
 .../service/idp/model/TrustedIDPSelection.java  |  36 -
 ...AbstractTrustedIdpOAuth2ProtocolHandler.java | 207 ------
 .../AbstractTrustedIdpProtocolHandler.java      |  58 --
 .../ApplicationProtocolControllerImpl.java      |  60 --
 .../ApplicationSAMLSSOProtocolHandler.java      |  57 --
 .../ApplicationWSFedProtocolHandler.java        |  57 --
 .../idp/protocols/ProtocolController.java       |  32 -
 .../TrustedIdpFacebookProtocolHandler.java      | 226 -------
 .../TrustedIdpOIDCProtocolHandler.java          | 335 ----------
 .../TrustedIdpProtocolControllerImpl.java       |  60 --
 .../TrustedIdpSAMLProtocolHandler.java          | 415 ------------
 .../TrustedIdpWSFedProtocolHandler.java         | 231 -------
 .../service/idp/rest/ApplicationService.java    |  88 ---
 .../idp/rest/ApplicationServiceImpl.java        | 151 -----
 .../fediz/service/idp/rest/Applications.java    |  49 --
 .../fediz/service/idp/rest/ClaimService.java    |  72 --
 .../service/idp/rest/ClaimServiceImpl.java      | 106 ---
 .../cxf/fediz/service/idp/rest/Claims.java      |  50 --
 .../service/idp/rest/EntitlementService.java    |  73 ---
 .../idp/rest/EntitlementServiceImpl.java        |  98 ---
 .../fediz/service/idp/rest/Entitlements.java    |  49 --
 .../cxf/fediz/service/idp/rest/IdpService.java  | 114 ----
 .../fediz/service/idp/rest/IdpServiceImpl.java  | 240 -------
 .../apache/cxf/fediz/service/idp/rest/Idps.java |  49 --
 .../idp/rest/QueryResourceInfoComparator.java   | 114 ----
 .../idp/rest/RestServiceExceptionMapper.java    |  83 ---
 .../cxf/fediz/service/idp/rest/RoleService.java |  88 ---
 .../fediz/service/idp/rest/RoleServiceImpl.java | 134 ----
 .../cxf/fediz/service/idp/rest/Roles.java       |  49 --
 .../cxf/fediz/service/idp/rest/RootService.java |  39 --
 .../fediz/service/idp/rest/RootServiceImpl.java |  60 --
 .../service/idp/rest/TrustedIdpService.java     |  71 --
 .../service/idp/rest/TrustedIdpServiceImpl.java |  93 ---
 .../cxf/fediz/service/idp/rest/TrustedIdps.java |  49 --
 .../idp/samlsso/SAML2CallbackHandler.java       | 148 -----
 .../samlsso/SAML2PResponseComponentBuilder.java | 127 ----
 .../service/idp/samlsso/SAMLAuthnRequest.java   |  74 ---
 .../service/idp/service/ApplicationDAO.java     |  43 --
 .../cxf/fediz/service/idp/service/ClaimDAO.java |  38 --
 .../service/idp/service/ConfigService.java      |  32 -
 .../idp/service/ConfigServiceSpring.java        |  76 ---
 .../service/idp/service/EntitlementDAO.java     |  38 --
 .../cxf/fediz/service/idp/service/IdpDAO.java   |  53 --
 .../cxf/fediz/service/idp/service/RoleDAO.java  |  43 --
 .../service/idp/service/TrustedIdpDAO.java      |  38 --
 .../idp/service/jpa/ApplicationClaimEntity.java |  83 ---
 .../idp/service/jpa/ApplicationDAOJPAImpl.java  | 254 --------
 .../idp/service/jpa/ApplicationEntity.java      | 214 ------
 .../ApplicationIdpProtocolSupportValidator.java |  54 --
 .../jpa/ApplicationProtocolSupported.java       |  47 --
 .../idp/service/jpa/ClaimDAOJPAImpl.java        | 143 ----
 .../service/idp/service/jpa/ClaimEntity.java    |  71 --
 .../idp/service/jpa/ConfigServiceJPA.java       |  96 ---
 .../service/jpa/DBInitApplicationListener.java  |  73 ---
 .../fediz/service/idp/service/jpa/DBLoader.java |  28 -
 .../service/idp/service/jpa/DBLoaderImpl.java   | 163 -----
 .../service/idp/service/jpa/DBLoaderSpring.java | 129 ----
 .../idp/service/jpa/EntitlementDAOJPAImpl.java  | 142 ----
 .../idp/service/jpa/EntitlementEntity.java      |  72 --
 .../service/idp/service/jpa/IdpDAOJPAImpl.java  | 367 -----------
 .../service/idp/service/jpa/IdpEntity.java      | 301 ---------
 .../service/idp/service/jpa/RoleDAOJPAImpl.java | 206 ------
 .../service/idp/service/jpa/RoleEntity.java     |  77 ---
 .../idp/service/jpa/TrustedIdpDAOJPAImpl.java   | 154 -----
 .../idp/service/jpa/TrustedIdpEntity.java       | 201 ------
 .../jpa/TrustedIdpProtocolSupportValidator.java |  54 --
 .../jpa/TrustedIdpProtocolSupported.java        |  47 --
 .../security/GrantedAuthorityEntitlements.java  | 100 ---
 .../idp/spi/ApplicationProtocolHandler.java     |  33 -
 .../fediz/service/idp/spi/ProtocolHandler.java  |  25 -
 .../idp/spi/TrustedIdpProtocolHandler.java      |  40 --
 .../cxf/fediz/service/idp/util/WebUtils.java    | 209 ------
 .../idp/src/main/resources/META-INF/orm.xml     | 183 ------
 .../resources/META-INF/spring-persistence.xml   |  30 -
 .../idp/service/jpa/ApplicationDAOJPATest.java  | 348 ----------
 .../idp/service/jpa/ClaimDAOJPATest.java        | 115 ----
 .../idp/service/jpa/EntitlementDAOJPATest.java  | 115 ----
 .../service/idp/service/jpa/IdpDAOJPATest.java  | 653 -------------------
 .../service/idp/service/jpa/TestDBLoader.java   |  93 ---
 .../idp/service/jpa/TrustedIdpDAOJPATest.java   | 202 ------
 .../service/idp/util/MetadataWriterTest.java    |  57 --
 services/idp/src/test/resources/idp-config.xml  | 152 -----
 .../src/test/resources/persistence.properties   |  14 -
 .../idp/src/test/resources/realm.properties     |   4 -
 services/idp/src/test/resources/realma.cert     |  15 -
 .../src/test/resources/stsKeystoreA.properties  |   6 -
 services/idp/src/test/resources/stsrealm_a.jks  | Bin 2061 -> 0 bytes
 services/idp/src/test/resources/testContext.xml |  54 --
 services/pom.xml                                |   1 +
 301 files changed, 18843 insertions(+), 15831 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/README.txt
----------------------------------------------------------------------
diff --git a/services/idp-core/README.txt b/services/idp-core/README.txt
new file mode 100644
index 0000000..55ed9a5
--- /dev/null
+++ b/services/idp-core/README.txt
@@ -0,0 +1,57 @@
+Building and Installating the IDP
+=================================
+
+IPD Realm A
+-----------
+
+Build the IDP:
+mvn clean install -Prealm-a
+
+Deploy the war target/fediz-idp.war to <tomcat-base-dir>/webapps (default https port: 9443)
+
+IPD Realm B
+-----------
+
+Build the IDP:
+mvn clean install -Prealm-b
+
+Deploy the war target/fediz-idp-remote.war to <tomcat-base-dir>/webapps (default https port: 12443)
+
+Hint: Servlet Context name different for Remote IDP to get different Cookies.
+      Cookies are bound to hostname (default: localhost) and path whereas port is not relevant.
+
+
+IDP WARs deployed in Servlet Container with different HTTPS ports
+-----------------------------------------------------------------
+
+1) update src/main/filters/realm-a/env.properties
+...
+realmA.port=9443
+realmB.port=12443
+...
+
+2) update src/main/filters/realm-b/env.properties
+...
+realmA.port=9443
+realmB.port=12443
+...
+
+
+Building and launching the IDP embedded
+=======================================
+
+You can launch the IDP from Maven to reduce time in setting up an separate Serlvet Container. The Maven Jetty plugin can be used to deploy the idp and optionally the sts component.
+
+The IDP can be started with:
+
+mvn -Pstandalone,realm-a,sts
+
+If you test the REST/JPA layer, you don't have to start the sts as well (profile 'sts').
+If you test WS-Federation with the IDP, you must start the sts as well.
+The profile 'standalone' means to start jetty embedded. You can launch both profiles in two different shells (but you MUST NOT run 'clean') otherwise you remove the war, db files of the other IDP.
+
+The following properties are supported idp.https.port, idp.http.port
+
+Default port for profile 'realm-a': 9443, 9080
+Default port for profile 'realm-b': 12443, 12080
+

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/pom.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/pom.xml b/services/idp-core/pom.xml
new file mode 100644
index 0000000..1b09751
--- /dev/null
+++ b/services/idp-core/pom.xml
@@ -0,0 +1,356 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.cxf.fediz</groupId>
+        <artifactId>fediz</artifactId>
+        <version>1.4.0-SNAPSHOT</version>
+        <relativePath>../../pom.xml</relativePath>
+    </parent>
+    <artifactId>fediz-idp-core</artifactId>
+    <name>Apache Fediz IDP Core</name>
+    <packaging>jar</packaging>
+    
+    <properties>
+        <swagger-ui.version>2.2.6</swagger-ui.version>
+    </properties>
+    
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-jdbc</artifactId>
+                <version>${spring.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-tx</artifactId>
+                <version>${spring.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-aop</artifactId>
+                <version>${spring.version}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+    <dependencies>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+            <version>${servlet.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf.fediz</groupId>
+            <artifactId>fediz-core</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-webmvc</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-tx</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-orm</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-test</artifactId>
+            <version>${spring.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.webflow</groupId>
+            <artifactId>spring-webflow</artifactId>
+            <version>2.4.4.RELEASE</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>${spring.security.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-config</artifactId>
+            <version>${spring.security.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>${javassist.version}</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-log4j12</artifactId>
+            <version>${slf4j.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-ws-security</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-security-sso-saml</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-security-sso-oidc</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-transports-http</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-ws-policy</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-ws-addr</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-service-description-swagger</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${commons.lang.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-frontend-jaxrs</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-service-description</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-extension-providers</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.jaxrs</groupId>
+            <artifactId>jackson-jaxrs-json-provider</artifactId>
+            <version>2.8.6</version>
+        </dependency>
+        <dependency>
+            <groupId>org.hsqldb</groupId>
+            <artifactId>hsqldb</artifactId>
+            <version>${hsqldb.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>cglib</groupId>
+            <artifactId>cglib-nodep</artifactId>
+            <version>3.2.4</version>
+        </dependency>
+        <!-- 
+        <dependency>
+            <groupId>org.apache.openjpa</groupId>
+            <artifactId>openjpa-all</artifactId>
+            <version>${openjpa.version}</version>
+        </dependency>
+        -->
+        <dependency>
+            <groupId>org.apache.commons</groupId> 
+            <artifactId>commons-dbcp2</artifactId>
+            <version>${dbcp.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.openjpa</groupId>
+            <artifactId>openjpa-jdbc</artifactId>
+            <version>${openjpa.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.openjpa</groupId>
+            <artifactId>openjpa-persistence-jdbc</artifactId>
+            <version>${openjpa.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-client</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.validation</groupId>
+            <artifactId>validation-api</artifactId>
+            <version>${javax.validation.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>jstl</groupId>
+            <artifactId>jstl</artifactId>
+            <version>1.2</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.bval</groupId>
+            <artifactId>bval-jsr</artifactId>
+            <version>${bval.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.sun.xml.bind</groupId>
+                    <artifactId>jaxb-impl</artifactId>
+                </exclusion>
+                <!-- 
+                dependency to newer version (commons-beanutils)
+                imported from commons-validator
+                -->
+                <exclusion>
+                    <groupId>commons-beanutils</groupId>
+                    <artifactId>commons-beanutils-core</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>commons-validator</groupId>
+            <artifactId>commons-validator</artifactId>
+            <version>${commons.validator.version}</version>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.openjpa</groupId>
+                <artifactId>openjpa-maven-plugin</artifactId>
+                <version>${openjpa.version}</version>
+                <inherited>true</inherited>
+                <configuration>
+                    <persistenceXmlFile>${project.basedir}/src/main/resources/META-INF/spring-persistence.xml</persistenceXmlFile>
+                    <includes>org/apache/cxf/fediz/service/idp/service/jpa/**/*.class</includes>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>enhancer</id>
+                        <phase>process-classes</phase>
+                        <goals>
+                            <goal>enhance</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <dependencies>
+                    <dependency>
+                        <groupId>xerces</groupId>
+                        <artifactId>xercesImpl</artifactId>
+                        <version>2.11.0</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <phase>generate-resources</phase>
+                        <goals>
+                            <goal>unpack</goal>
+                        </goals>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>org.webjars</groupId>
+                                    <artifactId>swagger-ui</artifactId>
+                                    <version>${swagger-ui.version}</version>
+                                    <overWrite>true</overWrite>
+                                    <outputDirectory>${project.build.directory}/swagger-ui</outputDirectory>
+                                    <excludes>**/*.gz</excludes>
+                                </artifactItem>
+                            </artifactItems>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-resources-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>copy-swagger-resources-in-place</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/${project.build.finalName}/resources/swagger</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${project.build.directory}/swagger-ui/META-INF/resources/webjars/swagger-ui/${swagger-ui.version}</directory>
+                                    <excludes>
+                                        <exclude>index.html</exclude>
+                                        <exclude>swagger-ui.min.js</exclude>
+                                    </excludes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-antrun-plugin</artifactId>
+                <inherited>true</inherited>
+                <executions>
+                    <execution>
+                        <id>addMatrixParamSupport</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>run</goal>
+                        </goals>
+                        <configuration>
+                            <target>
+                                <replace file="${project.build.directory}/swagger-ui/META-INF/resources/webjars/swagger-ui/${swagger-ui.version}/swagger-ui.js" token="return url + requestUrl + querystring;" value="&#xA;var matrixstring = '';&#xA; for (var i = 0; i &lt; this.parameters.length; i++) {&#xA; var param = this.parameters[i];&#xA; &#xA; if (param.in === 'matrix') {&#xA; matrixstring += ';' + this.encodeQueryParam(param.name) + '=' + this.encodeQueryParam(args[param.name]);&#xA;     }&#xA;   }&#xA; &#xA;   var url = this.scheme + '://' + this.host;&#xA; &#xA;   if (this.basePath !== '/') {&#xA;     url += this.basePath;&#xA;   }&#xA;   return url + requestUrl + matrixstring + querystring;" />
+                            </target>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/filters/realm-a/env.properties
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/filters/realm-a/env.properties b/services/idp-core/src/main/filters/realm-a/env.properties
new file mode 100644
index 0000000..dd59a8b
--- /dev/null
+++ b/services/idp-core/src/main/filters/realm-a/env.properties
@@ -0,0 +1,6 @@
+realm.STS_URI=REALMA
+realmA.port=9443
+realmB.port=12443
+idp-config=idp-config-realma.xml
+db-load-config=entities-realma.xml
+realm-uri=urn:org:apache:cxf:fediz:idp:realm-A
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/filters/realm-b/env.properties
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/filters/realm-b/env.properties b/services/idp-core/src/main/filters/realm-b/env.properties
new file mode 100644
index 0000000..d3134fd
--- /dev/null
+++ b/services/idp-core/src/main/filters/realm-b/env.properties
@@ -0,0 +1,6 @@
+realm.STS_URI=REALMB
+realmA.port=9443
+realmB.port=12443
+idp-config=idp-config-realmb.xml
+db-load-config=entities-realmb.xml
+realm-uri=urn:org:apache:cxf:fediz:idp:realm-B
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
new file mode 100644
index 0000000..dd121fb
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/FedizEntryPoint.java
@@ -0,0 +1,172 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.util.Enumeration;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.service.idp.domain.Idp;
+import org.apache.cxf.fediz.service.idp.service.ConfigService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.util.Assert;
+
+
+/**
+ * Used by the <code>ExceptionTranslationFilter</code> to commence authentication
+ * <p>
+ * The user's browser will be redirected to the IDP.
+ *
+ */
+public class FedizEntryPoint implements AuthenticationEntryPoint,
+    InitializingBean, ApplicationContextAware {
+
+    private static final Logger LOG = LoggerFactory.getLogger(FedizEntryPoint.class);
+
+    private ApplicationContext appContext;
+    private ConfigService configService;
+    private String realm;
+    private Idp idpConfig;
+
+    public ConfigService getConfigService() {
+        return configService;
+    }
+
+    public void setConfigService(ConfigService configService) {
+        this.configService = configService;
+    }
+
+    public String getRealm() {
+        return realm;
+    }
+
+    public void setRealm(String realm) {
+        this.realm = realm;
+    }
+
+    public void afterPropertiesSet() throws Exception {
+        Assert.notNull(this.appContext, "ApplicationContext cannot be null.");
+        Assert.notNull(this.configService, "ConfigService cannot be null.");
+        Assert.notNull(this.realm, "realm cannot be null.");
+    }
+
+    public final void commence(final HttpServletRequest servletRequest, final HttpServletResponse response,
+            final AuthenticationException authenticationException) throws IOException, ServletException {
+
+        idpConfig = configService.getIDP(realm);
+        Assert.notNull(this.idpConfig, "idpConfig cannot be null. Check realm and config service implementation");
+
+        String wauth = servletRequest.getParameter(FederationConstants.PARAM_AUTH_TYPE);
+        if (wauth == null) {
+            wauth = "default";
+        }
+        String loginUri = idpConfig.getAuthenticationURIs().get(wauth);
+        if (loginUri == null) {
+            LOG.warn("wauth value '" + wauth + "' not supported");
+            response.sendError(
+                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "The wauth value that was supplied is not supported");
+            return;
+        }
+
+        StringBuilder builder = new StringBuilder(extractFullContextPath(servletRequest))
+            .append(loginUri).append("?");
+
+        // Add the query parameters - URL encoding them for safety
+        @SuppressWarnings("unchecked")
+        Enumeration<String> names = servletRequest.getParameterNames();
+        while (names.hasMoreElements()) {
+            String name = names.nextElement();
+            String[] values = servletRequest.getParameterValues(name);
+            if (values != null && values.length > 0) {
+                builder.append(name).append("=");
+                builder.append(URLEncoder.encode(values[0], "UTF-8"));
+                builder.append("&");
+            }
+        }
+        // Remove trailing ampersand
+        if (builder.charAt(builder.length() - 1) == '&') {
+            builder.deleteCharAt(builder.length() - 1);
+        }
+
+        String redirectUrl = builder.toString();
+        preCommence(servletRequest, response);
+        if (LOG.isInfoEnabled()) {
+            LOG.info("Redirect to " + redirectUrl);
+        }
+        response.sendRedirect(redirectUrl);
+    }
+
+
+    /**
+     * Template method for you to do your own pre-processing before the redirect occurs.
+     *
+     * @param request the HttpServletRequest
+     * @param response the HttpServletResponse
+     */
+    protected void preCommence(final HttpServletRequest request, final HttpServletResponse response) {
+
+    }
+
+    @Override
+    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
+        this.appContext = applicationContext;
+    }
+
+    protected String extractFullContextPath(HttpServletRequest request) throws MalformedURLException {
+        String result = null;
+        String contextPath = request.getContextPath();
+        String requestUrl = request.getRequestURL().toString();
+
+        String requestPath = new URL(requestUrl).getPath();
+        // Cut request path of request url and add context path if not ROOT
+        if (requestPath != null && requestPath.length() > 0) {
+            int lastIndex = requestUrl.lastIndexOf(requestPath);
+            result = requestUrl.substring(0, lastIndex);
+        } else {
+            result = requestUrl;
+        }
+        if (contextPath != null && contextPath.length() > 0) {
+            // contextPath contains starting slash
+            result = result + contextPath;
+        }
+        if (result.charAt(result.length() - 1) != '/') {
+            result = result + "/";
+        }
+        return result;
+    }
+
+
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
new file mode 100644
index 0000000..1e2969b
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/IdpConstants.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.service.idp;
+
+public final class IdpConstants {
+
+    public static final String IDP_CONFIG = "idpConfig";
+
+    /**
+     * A key used to store context/state when communicating with a trusted third party IdP.
+     */
+    public static final String TRUSTED_IDP_CONTEXT = "trusted_idp_context";
+
+    /**
+     * A key used to store the application realm for the given request.
+     */
+    public static final String REALM = "realm";
+
+    /**
+     * A key used to store the home realm for the given request.
+     */
+    public static final String HOME_REALM = "home_realm";
+
+    /**
+     * The SAML Authn Request
+     */
+    public static final String SAML_AUTHN_REQUEST = "saml_authn_request";
+
+    /**
+     * A Context variable associated with the request (independent of protocol)
+     */
+    public static final String CONTEXT = "request_context";
+
+    /**
+     * A key used to store the return address for the given request
+     */
+    public static final String RETURN_ADDRESS = "return_address";
+
+
+    private IdpConstants() {
+        // complete
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/IdpSTSClient.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/IdpSTSClient.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/IdpSTSClient.java
new file mode 100644
index 0000000..b8450b4
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/IdpSTSClient.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.trust.STSClient;
+
+public class IdpSTSClient extends STSClient {
+
+    public IdpSTSClient(Bus b) {
+        super(b);
+    }
+
+    public Element requestSecurityTokenResponse() throws Exception {
+        return requestSecurityTokenResponse(null);
+    }
+
+    public Element requestSecurityTokenResponse(String appliesTo) throws Exception {
+        String action = null;
+        if (isSecureConv) {
+            action = namespace + "/RST/SCT";
+        }
+        return requestSecurityTokenResponse(appliesTo, action, "/Issue", null);
+    }
+
+    public Element requestSecurityTokenResponse(String appliesTo, String action,
+            String requestType, SecurityToken target) throws Exception {
+        STSResponse response = issue(appliesTo, null, "/Issue", null);
+
+        return getDocumentElement(response.getResponse());
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
new file mode 100644
index 0000000..0aab857
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.w3c.dom.Document;
+import org.apache.cxf.fediz.service.idp.domain.Idp;
+import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
+import org.apache.cxf.fediz.service.idp.metadata.IdpMetadataWriter;
+import org.apache.cxf.fediz.service.idp.metadata.ServiceMetadataWriter;
+import org.apache.cxf.fediz.service.idp.service.ConfigService;
+import org.apache.wss4j.common.util.DOM2Writer;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.ApplicationContext;
+import org.springframework.web.context.support.WebApplicationContextUtils;
+
+
+public class MetadataServlet extends HttpServlet {
+
+    public static final String PARAM_REALM = "realm";
+    
+    private static final Logger LOG = LoggerFactory
+        .getLogger(MetadataServlet.class);
+    private static final long serialVersionUID = 1L;
+    
+    private ApplicationContext applicationContext;
+    private String realm;
+    
+    
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException,
+        IOException {
+        response.setContentType("text/xml; charset=utf-8");
+        PrintWriter out = response.getWriter();
+        
+        ConfigService cs = (ConfigService)getApplicationContext().getBean("config");
+        Idp idpConfig = cs.getIDP(realm);
+        try {
+            if (request.getServletPath() != null && request.getServletPath().startsWith("/metadata")) {
+                String serviceRealm = 
+                    request.getRequestURI().substring(request.getRequestURI().indexOf("/metadata")
+                                                      + "/metadata".length());
+                if (serviceRealm != null && serviceRealm.charAt(0) == '/') {
+                    serviceRealm = serviceRealm.substring(1);
+                }
+                TrustedIdp trustedIdp = idpConfig.findTrustedIdp(serviceRealm);
+                if (trustedIdp == null) {
+                    LOG.error("No TrustedIdp found for desired realm: " + serviceRealm);
+                    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+                    return;
+                }
+                ServiceMetadataWriter mw = new ServiceMetadataWriter();
+                Document metadata = mw.getMetaData(idpConfig, trustedIdp);
+                out.write(DOM2Writer.nodeToString(metadata));
+            } else {
+                // Otherwise return the Metadata for the Idp
+                LOG.debug(idpConfig.toString());
+                IdpMetadataWriter mw = new IdpMetadataWriter();
+                Document metadata = mw.getMetaData(idpConfig);
+                out.write(DOM2Writer.nodeToString(metadata));
+            }
+        } catch (Exception ex) {
+            LOG.error("Failed to get metadata document: ", ex);
+            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+        }
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        super.init(config);
+        realm = config.getInitParameter(PARAM_REALM);
+        if (realm == null || realm.length() == 0) {
+            throw new ServletException("Servlet parameter '" + PARAM_REALM + "' not defined");
+        }
+    }
+
+    public ApplicationContext getApplicationContext() {
+        if (applicationContext == null) {
+            LOG.debug(this.getServletContext().toString());
+            applicationContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
+        }
+        return applicationContext;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
new file mode 100644
index 0000000..4e8ed11
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java
@@ -0,0 +1,307 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+//import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.fediz.core.Claim;
+import org.apache.cxf.fediz.core.ClaimTypes;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.opensaml.core.xml.XMLObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+//import org.apache.cxf.transport.http.HTTPConduit;
+//import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
+
+/**
+ * A base class for authenticating credentials to the STS
+ */
+public abstract class STSAuthenticationProvider implements AuthenticationProvider {
+
+    public static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER = 
+        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
+    
+    public static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 = 
+        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
+    
+    public static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST =
+        "http://schemas.xmlsoap.org/ws/2005/02/trust";
+    
+    private static final Logger LOG = LoggerFactory.getLogger(STSAuthenticationProvider.class);
+
+    protected String wsdlLocation;
+    
+    protected String namespace = HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512;
+    
+    protected String wsdlService;
+
+    protected String wsdlEndpoint;
+
+    protected String appliesTo;
+    
+    protected boolean use200502Namespace;
+    
+    protected String tokenType;
+    
+    protected Bus bus;
+    
+    protected Integer lifetime;
+    
+    //Required to get IDP roles to use the IDP application, used in future release
+    protected String roleURI;
+    
+    protected Map<String, Object> properties = new HashMap<>();
+    
+    private String customSTSParameter;
+    
+    protected List<GrantedAuthority> createAuthorities(SecurityToken token) throws WSSecurityException {
+        List<GrantedAuthority> authorities = new ArrayList<>();
+        //authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));
+        //Not needed because AuthenticatedVoter has been added for SecurityFlowExecutionListener
+        if (roleURI != null) {
+            SamlAssertionWrapper assertion = new SamlAssertionWrapper(token.getToken());
+            
+            List<Claim> claims = parseClaimsInAssertion(assertion.getSaml2());
+            for (Claim c : claims) {
+                if (c.getClaimType() != null && roleURI.equals(c.getClaimType().toString())) {
+                    Object oValue = c.getValue();
+                    if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty()) {
+                        List<?> values = (List<?>)oValue;
+                        for (Object role: values) {
+                            if (role instanceof String) {
+                                authorities.add(new SimpleGrantedAuthority((String)role));
+                            }
+                        }
+                    } else {
+                        LOG.error("Unsupported value type of Claim value");
+                        throw new IllegalStateException("Unsupported value type of Claim value");
+                    }
+                    claims.remove(c);
+                    break;
+                }
+            }
+        }
+        
+        //Add IDP_LOGIN role to be able to access resource Idp, TrustedIdp, etc.
+        authorities.add(new SimpleGrantedAuthority("ROLE_IDP_LOGIN"));
+        
+        return authorities;
+    }
+    
+    public String getWsdlLocation() {
+        return wsdlLocation;
+    }
+
+    public void setWsdlLocation(String wsdlLocation) {
+        this.wsdlLocation = wsdlLocation;
+    }
+
+    public String getWsdlService() {
+        return wsdlService;
+    }
+
+    public void setWsdlService(String wsdlService) {
+        this.wsdlService = wsdlService;
+    }
+
+    public String getWsdlEndpoint() {
+        return wsdlEndpoint;
+    }
+
+    public void setWsdlEndpoint(String wsdlEndpoint) {
+        this.wsdlEndpoint = wsdlEndpoint;
+    }
+    
+    public String getNamespace() {
+        return namespace;
+    }
+
+    public void setNamespace(String namespace) {
+        this.namespace = namespace;
+    }
+
+    public String getAppliesTo() {
+        return appliesTo;
+    }
+
+    public void setAppliesTo(String appliesTo) {
+        this.appliesTo = appliesTo;
+    }
+    
+    public void setBus(Bus bus) {
+        this.bus = bus;
+    }
+
+    public Bus getBus() {
+        // do not store a referance to the default bus
+        return (bus != null) ? bus : BusFactory.getDefaultBus();
+    }
+
+    public String getTokenType() {
+        return tokenType;
+    }
+
+    public void setTokenType(String tokenType) {
+        this.tokenType = tokenType;
+    }
+    
+    public Integer getLifetime() {
+        return lifetime;
+    }
+
+    public void setLifetime(Integer lifetime) {
+        this.lifetime = lifetime;
+    }
+
+    protected List<Claim> parseClaimsInAssertion(org.opensaml.saml.saml2.core.Assertion assertion) {
+        List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements = assertion
+        .getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            LOG.debug("No attribute statements found");
+            return Collections.emptyList();
+        }
+
+        List<Claim> collection = new ArrayList<>();
+        Map<String, Claim> claimsMap = new HashMap<>();
+
+        for (org.opensaml.saml.saml2.core.AttributeStatement statement : attributeStatements) {
+            LOG.debug("parsing statement: {}", statement.getElementQName());
+            List<org.opensaml.saml.saml2.core.Attribute> attributes = statement
+            .getAttributes();
+            for (org.opensaml.saml.saml2.core.Attribute attribute : attributes) {
+                LOG.debug("parsing attribute: {}", attribute.getName());
+                Claim c = new Claim();
+                // Workaround for CXF-4484 
+                // Value of Attribute Name not fully qualified
+                // if NameFormat is http://schemas.xmlsoap.org/ws/2005/05/identity/claims
+                // but ClaimType value must be fully qualified as Namespace attribute goes away
+                URI attrName = URI.create(attribute.getName());
+                if (ClaimTypes.URI_BASE.toString().equals(attribute.getNameFormat())
+                    && !attrName.isAbsolute()) {
+                    c.setClaimType(URI.create(ClaimTypes.URI_BASE + "/" + attribute.getName()));
+                } else {
+                    c.setClaimType(URI.create(attribute.getName()));
+                }
+                c.setIssuer(assertion.getIssuer().getNameQualifier());
+
+                List<String> valueList = new ArrayList<>();
+                for (XMLObject attributeValue : attribute.getAttributeValues()) {
+                    Element attributeValueElement = attributeValue.getDOM();
+                    String value = attributeValueElement.getTextContent();
+                    LOG.debug(" [{}]", value);
+                    valueList.add(value);
+                }
+                mergeClaimToMap(claimsMap, c, valueList);
+            }
+        }
+        collection.addAll(claimsMap.values());
+        return collection;
+
+    }
+    
+    protected void mergeClaimToMap(Map<String, Claim> claimsMap, Claim c,
+                                   List<String> valueList) {
+        Claim t = claimsMap.get(c.getClaimType().toString());
+        if (t != null) {
+            //same SAML attribute already processed. Thus Claim object already created.
+            Object oValue = t.getValue();
+            if (oValue instanceof String) {
+                //one child element AttributeValue only
+                List<String> values = new ArrayList<>();
+                values.add((String)oValue); //add existing value
+                values.addAll(valueList);
+                t.setValue(values);
+            } else if (oValue instanceof List<?>) {
+                //more than one child element AttributeValue
+                @SuppressWarnings("unchecked")
+                List<String> values = (List<String>)oValue;
+                values.addAll(valueList);
+                t.setValue(values);
+            } else {
+                LOG.error("Unsupported value type of Claim value");
+                throw new IllegalStateException("Unsupported value type of Claim value");
+            }
+        } else {
+            if (valueList.size() == 1) {
+                c.setValue(valueList.get(0));
+            } else {
+                c.setValue(valueList);
+            }
+            // Add claim to map
+            claimsMap.put(c.getClaimType().toString(), c);
+        }
+    }
+
+    public String getRoleURI() {
+        return roleURI;
+    }
+
+    public void setRoleURI(String roleURI) {
+        this.roleURI = roleURI;
+    }
+    
+    public void setProperties(Map<String, Object> p) {
+        properties.putAll(p);
+    }
+
+    public Map<String, Object> getProperties() {
+        return properties;
+    }
+
+    public boolean isUse200502Namespace() {
+        return use200502Namespace;
+    }
+
+    public void setUse200502Namespace(boolean use200502Namespace) {
+        this.use200502Namespace = use200502Namespace;
+    }
+
+    public String getCustomSTSParameter() {
+        return customSTSParameter;
+    }
+
+    public void setCustomSTSParameter(String customSTSParameter) {
+        this.customSTSParameter = customSTSParameter;
+    }
+
+//May be uncommented for debugging    
+//    private void setTimeout(Client client, Long timeout) {
+//        HTTPConduit conduit = (HTTPConduit) client.getConduit();
+//        HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
+//        httpClientPolicy.setConnectionTimeout(timeout);
+//        httpClientPolicy.setReceiveTimeout(timeout);
+//        conduit.setClient(httpClientPolicy);
+//    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
new file mode 100644
index 0000000..62f4817
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java
@@ -0,0 +1,259 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.util.List;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginException;
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.fediz.service.idp.kerberos.KerberosServiceRequestToken;
+import org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator;
+import org.apache.cxf.fediz.service.idp.kerberos.PassThroughKerberosClient;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.common.kerberos.KerberosServiceContext;
+import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * An authentication provider to authenticate a Kerberos token to the STS
+ */
+public class STSKrbAuthenticationProvider extends STSAuthenticationProvider {
+
+    private static final Logger LOG = LoggerFactory.getLogger(STSKrbAuthenticationProvider.class);
+
+    private KerberosTokenValidator kerberosTokenValidator;
+    
+    private CallbackHandler kerberosCallbackHandler;
+    
+    private boolean kerberosUsernameServiceNameForm;
+    
+    private boolean requireDelegation;
+    
+    
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        // We only handle KerberosServiceRequestTokens
+        if (!(authentication instanceof KerberosServiceRequestToken)) {
+            return null;
+        }
+        
+        Bus cxfBus = getBus();
+        IdpSTSClient sts = new IdpSTSClient(cxfBus);
+        sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+        if (tokenType != null && tokenType.length() > 0) {
+            sts.setTokenType(tokenType);
+        } else {
+            sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+        }
+        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+        sts.setWsdlLocation(wsdlLocation);
+        sts.setServiceQName(new QName(namespace, wsdlService));
+        sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+        
+        sts.getProperties().putAll(properties);
+        if (use200502Namespace) {
+            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+        }
+        
+        if (lifetime != null) {
+            sts.setEnableLifetime(true);
+            sts.setTtl(lifetime.intValue());
+        }
+        
+        return handleKerberos((KerberosServiceRequestToken)authentication, sts);
+    }
+    
+    private Authentication handleKerberos(
+        KerberosServiceRequestToken kerberosRequestToken,
+        IdpSTSClient sts
+    ) {
+        Principal kerberosPrincipal = null;
+        // 
+        // If delegation is required then validate the received token + store the
+        // Delegated Credential so that we can retrieve a new kerberos token for the
+        // STS with it. If delegation is not required, then we just get the received
+        // token + pass it to the STS
+        //
+        if (requireDelegation) {
+            kerberosPrincipal = validateKerberosToken(kerberosRequestToken, sts);
+            if (kerberosPrincipal == null) {
+                return null;
+            }
+        } else {
+            PassThroughKerberosClient kerberosClient = new PassThroughKerberosClient();
+            kerberosClient.setToken(kerberosRequestToken.getToken());
+            sts.getProperties().put(SecurityConstants.KERBEROS_CLIENT, kerberosClient);
+        }
+        
+        try {
+            // Line below may be uncommented for debugging    
+            // setTimeout(sts.getClient(), 3600000L);
+
+            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+            
+            if (kerberosPrincipal == null && token.getToken() != null
+                && "Assertion".equals(token.getToken().getLocalName())) {
+                // For the pass-through Kerberos case, we don't know the Principal name...
+                kerberosPrincipal = 
+                    new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken()));
+            }
+            
+            if (kerberosPrincipal == null) {
+                LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName());
+                return null;
+            }
+            
+            List<GrantedAuthority> authorities = createAuthorities(token);
+            
+            KerberosServiceRequestToken ksrt = 
+                new KerberosServiceRequestToken(kerberosPrincipal, authorities, kerberosRequestToken.getToken());
+            
+            STSUserDetails details = new STSUserDetails(kerberosPrincipal.getName(),
+                                                        "",
+                                                        authorities,
+                                                        token);
+            ksrt.setDetails(details);
+            
+            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), kerberosPrincipal.getName());
+            return ksrt;
+        } catch (Exception ex) {
+            LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName() + "'", ex);
+            return null;
+        }
+    }
+    
+    private Principal validateKerberosToken(
+        KerberosServiceRequestToken token,
+        IdpSTSClient sts
+    ) {
+        if (kerberosTokenValidator == null) {
+            LOG.error("KerberosTokenValidator must be configured to support kerberos "
+                + "credential delegation");
+            return null;
+        }
+        KerberosServiceContext kerberosContext;
+        Principal kerberosPrincipal = null;
+        try {
+            kerberosContext = kerberosTokenValidator.validate(token);
+            if (kerberosContext == null || kerberosContext.getDelegationCredential() == null) {
+                LOG.info("Kerberos Validation failure");
+                return null;
+            }
+            GSSCredential delegatedCredential = kerberosContext.getDelegationCredential();
+            sts.getProperties().put(SecurityConstants.DELEGATED_CREDENTIAL, 
+                                    delegatedCredential);
+            sts.getProperties().put(SecurityConstants.KERBEROS_USE_CREDENTIAL_DELEGATION, "true");
+            kerberosPrincipal = kerberosContext.getPrincipal();
+        } catch (LoginException ex) {
+            LOG.info("Failed to authenticate user", ex);
+            return null;
+        } catch (PrivilegedActionException ex) {
+            LOG.info("Failed to authenticate user", ex);
+            return null;
+        }
+
+        if (kerberosTokenValidator.getContextName() != null) {
+            sts.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME, 
+                                    kerberosTokenValidator.getContextName());
+        }
+        if (kerberosTokenValidator.getServiceName() != null) {
+            sts.getProperties().put(SecurityConstants.KERBEROS_SPN,
+                                    kerberosTokenValidator.getServiceName());
+        }
+        if (kerberosCallbackHandler != null) {
+            sts.getProperties().put(SecurityConstants.CALLBACK_HANDLER, 
+                                    kerberosCallbackHandler);
+        }
+        if (kerberosUsernameServiceNameForm) {
+            sts.getProperties().put(SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, 
+                                    "true");
+        }
+        
+        return kerberosPrincipal;
+    }
+    
+    protected GSSContext createGSSContext() throws GSSException {
+        Oid oid = new Oid("1.2.840.113554.1.2.2");
+
+        GSSManager gssManager = GSSManager.getInstance();
+
+        String spn = "bob@service.ws.apache.org";
+        GSSName gssService = gssManager.createName(spn, null);
+
+        return gssManager.createContext(gssService.canonicalize(oid),
+                                        oid, null, GSSContext.DEFAULT_LIFETIME);
+
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return authentication.equals(KerberosServiceRequestToken.class);
+    }
+    
+    public KerberosTokenValidator getKerberosTokenValidator() {
+        return kerberosTokenValidator;
+    }
+
+    public void setKerberosTokenValidator(KerberosTokenValidator kerberosTokenValidator) {
+        this.kerberosTokenValidator = kerberosTokenValidator;
+    }
+
+    public CallbackHandler getKerberosCallbackHandler() {
+        return kerberosCallbackHandler;
+    }
+
+    public void setKerberosCallbackHandler(CallbackHandler kerberosCallbackHandler) {
+        this.kerberosCallbackHandler = kerberosCallbackHandler;
+    }
+
+    public boolean isKerberosUsernameServiceNameForm() {
+        return kerberosUsernameServiceNameForm;
+    }
+
+    public void setKerberosUsernameServiceNameForm(boolean kerberosUsernameServiceNameForm) {
+        this.kerberosUsernameServiceNameForm = kerberosUsernameServiceNameForm;
+    }
+
+    public boolean isRequireDelegation() {
+        return requireDelegation;
+    }
+
+    public void setRequireDelegation(boolean requireDelegation) {
+        this.requireDelegation = requireDelegation;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
new file mode 100644
index 0000000..889dadd
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java
@@ -0,0 +1,95 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.BeansException;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
+import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class STSPortFilter extends GenericFilterBean implements ApplicationContextAware {
+
+    private static final Logger LOG = LoggerFactory.getLogger(STSPortFilter.class);
+    
+    private ApplicationContext applicationContext;
+    private STSAuthenticationProvider authenticationProvider;
+    
+    private boolean isPortSet;
+    
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+        throws IOException, ServletException {
+        
+        Assert.isTrue(applicationContext != null, "Application context must not be null");
+        STSAuthenticationProvider authProvider = authenticationProvider;
+        if (authProvider == null) {
+            authProvider = applicationContext.getBean(STSAuthenticationProvider.class);
+        }
+        Assert.isTrue(authProvider != null, "STSAuthenticationProvider must be configured");
+        
+        //Only update the port if HTTPS is used, otherwise ignored (like retrieving the WADL over HTTP)
+        if (!isPortSet && request.isSecure()) {
+            try {
+                URL url = new URL(authProvider.getWsdlLocation());
+                if (url.getPort() == 0) {
+                    URL updatedUrl = new URL(url.getProtocol(), url.getHost(), request.getLocalPort(), url.getFile());
+                    setSTSWsdlUrl(authProvider, updatedUrl.toString());
+                    LOG.info("STSAuthenticationProvider.wsdlLocation set to " + updatedUrl.toString());
+                } else {
+                    setSTSWsdlUrl(authProvider, url.toString());
+                }
+            } catch (MalformedURLException e) {
+                LOG.error("Invalid Url '" + authProvider.getWsdlLocation() + "': "  + e.getMessage());
+            }
+        }
+        
+        chain.doFilter(request, response);
+    }
+
+    private synchronized void setSTSWsdlUrl(STSAuthenticationProvider authProvider, String wsdlUrl) {
+        authProvider.setWsdlLocation(wsdlUrl);
+        this.isPortSet = true;
+    }
+    
+    @Override
+    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
+        this.applicationContext = applicationContext;
+    }
+
+    public STSAuthenticationProvider getAuthenticationProvider() {
+        return authenticationProvider;
+    }
+
+    public void setAuthenticationProvider(STSAuthenticationProvider authenticationProvider) {
+        this.authenticationProvider = authenticationProvider;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java
new file mode 100644
index 0000000..45ec0a3
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java
@@ -0,0 +1,130 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Document;
+import org.apache.cxf.Bus;
+import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.keys.content.X509Data;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+
+/**
+ * An authentication provider to authenticate a preauthenticated token to the STS
+ */
+public class STSPreAuthAuthenticationProvider extends STSAuthenticationProvider {
+
+    private static final Logger LOG = LoggerFactory
+            .getLogger(STSPreAuthAuthenticationProvider.class);
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        // We only handle PreAuthenticatedAuthenticationTokens
+        if (!(authentication instanceof PreAuthenticatedAuthenticationToken)) {
+            return null;
+        }
+        
+        Bus cxfBus = getBus();
+        IdpSTSClient sts = new IdpSTSClient(cxfBus);
+        sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+        if (tokenType != null && tokenType.length() > 0) {
+            sts.setTokenType(tokenType);
+        } else {
+            sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+        }
+        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+        sts.setWsdlLocation(wsdlLocation);
+        sts.setServiceQName(new QName(namespace, wsdlService));
+        sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+        
+        sts.getProperties().putAll(properties);
+        if (use200502Namespace) {
+            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+        }
+        
+        if (lifetime != null) {
+            sts.setEnableLifetime(true);
+            sts.setTtl(lifetime.intValue());
+        }
+        
+        return handlePreAuthenticated((PreAuthenticatedAuthenticationToken)authentication, sts);
+    }
+    
+    private Authentication handlePreAuthenticated(
+        PreAuthenticatedAuthenticationToken preauthenticatedToken,
+        IdpSTSClient sts
+    ) {
+        X509Certificate cert = (X509Certificate)preauthenticatedToken.getCredentials();
+        if (cert == null) {
+            return null;
+        }
+        
+        // Convert the received certificate to a DOM Element to write it out "OnBehalfOf"
+        Document doc = DOMUtils.createDocument();
+        X509Data certElem = new X509Data(doc);
+        try {
+            certElem.addCertificate(cert);
+            sts.setOnBehalfOf(certElem.getElement());
+        } catch (XMLSecurityException e) {
+            LOG.debug("Error parsing a client certificate", e);
+            return null;
+        }
+        
+        try {
+            // Line below may be uncommented for debugging    
+            // setTimeout(sts.getClient(), 3600000L);
+
+            SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+            
+            List<GrantedAuthority> authorities = createAuthorities(token);
+            
+            STSUserDetails details = new STSUserDetails(preauthenticatedToken.getName(),
+                                                        "",
+                                                        authorities,
+                                                        token);
+            
+            preauthenticatedToken.setDetails(details);
+            
+            LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), preauthenticatedToken.getName());
+            return preauthenticatedToken;
+            
+        } catch (Exception ex) {
+            LOG.info("Failed to authenticate user '" + preauthenticatedToken.getName() + "'", ex);
+            return null;
+        }
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return authentication.equals(PreAuthenticatedAuthenticationToken.class);
+    }
+    
+}


Mime
View raw message