From cohei...@apache.org
Subject [07/19] cxf-fediz git commit: FEDIZ-155 - Move .java components out of idp webapp and into a separate JAR
Date Fri, 27 Jan 2017 11:22:50 GMT
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
deleted file mode 100644
index cbe4ee8..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans;
-
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * Check to see whether the IdP Token is expired or not
- */
-@Component
-public class IdpTokenExpiredAction {
-
-    private static final Logger LOG = LoggerFactory
-            .getLogger(IdpTokenExpiredAction.class);
-    private boolean tokenExpirationValidation = true;
-
-    public boolean isTokenExpired(String homeRealm, RequestContext context)
-        throws Exception {
-        
-        SecurityToken idpToken = 
-            (SecurityToken) WebUtils.getAttributeFromExternalContext(context, homeRealm);
-        if (idpToken == null) {
-            return true;
-        }
-        
-        if (tokenExpirationValidation && idpToken.isExpired()) {
-            LOG.info("[IDP_TOKEN=" + idpToken.getId() + "] is expired.");
-            return true;
-        }
-
-        return false;
-    }
-
-    public boolean isTokenExpirationValidation() {
-        return tokenExpirationValidation;
-    }
-
-    /**
-     * Set whether the token validation (e.g. lifetime) shall be performed on every request (true) or only 
-     * once at initial authentication (false). The default is "true" (note that the plugins default for this
-     * configuration option is "true").
-     * @param tokenExpirationValidation Whether to perform token expiration validation per request
-     */
-    public void setTokenExpirationValidation(boolean tokenExpirationValidation) {
-        this.tokenExpirationValidation = tokenExpirationValidation;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
deleted file mode 100644
index ae90757..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/LogoutAction.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans;
-
-import javax.servlet.http.HttpSession;
-
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * This class is responsible to clear security context and invalidate the IDP session.
- */
-@Component
-public class LogoutAction {
-
-    private static final Logger LOG = LoggerFactory.getLogger(LogoutAction.class);
-
-    public void submit(RequestContext requestContext) {
-        SecurityContextHolder.clearContext();
-        LOG.info("Security context has been cleared.");
-        HttpSession session = WebUtils.getHttpSession(requestContext);
-        session.invalidate();
-        LOG.info("Session " + session.getId() + " has been invalidated.");
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
deleted file mode 100644
index 3f5be36..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans;
-
-import java.util.regex.Matcher;
-
-import org.apache.cxf.fediz.service.idp.domain.Application;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * This class is responsible to validate the 'wreply' parameter for WS-Federation, or else the
- * AssertionConsumer URL address for SAML SSO, by comparing it to a regular expression.
- */
-@Component
-public class PassiveRequestorValidator {
-
-    private static final Logger LOG = LoggerFactory.getLogger(PassiveRequestorValidator.class);
-
-    public boolean isValid(RequestContext context, String endpointAddress, String realm)
-        throws Exception {
-        if (endpointAddress == null) {
-            return true;
-        }
-        
-        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
-        Application serviceConfig = idpConfig.findApplication(realm);
-        if (serviceConfig == null) {
-            LOG.warn("No service config found for " + realm);
-            return false;
-        }
-        
-        if (serviceConfig.getPassiveRequestorEndpoint() == null 
-            && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
-            LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint' "
-                + "configuration values must be specified for the application");
-        } else if (serviceConfig.getPassiveRequestorEndpoint() != null 
-            && serviceConfig.getPassiveRequestorEndpoint().equals(endpointAddress)) {
-            LOG.debug("The supplied endpoint address {} matches the configured passive requestor endpoint value", 
-                      endpointAddress);
-            return true;
-        } else if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {
-            Matcher matcher = 
-                serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
-            if (matcher.matches()) {
-                return true;
-            } else {
-                LOG.error("The endpointAddress value of {} does not match any of the passive requestor values",
-                          endpointAddress);
-            }
-        }
-        
-        return false;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java
deleted file mode 100644
index 351f88c..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/ProcessHRDSExpressionAction.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans;
-
-import javax.servlet.http.Cookie;
-
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.expression.Expression;
-import org.springframework.expression.ExpressionParser;
-import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * This class is responsible to process Home Realm Discovery Service Expression.
- */
-@Component
-public class ProcessHRDSExpressionAction {
-
-    private static final String IDP_CONFIG = "idpConfig";
-
-    private static final Logger LOG = LoggerFactory.getLogger(ProcessHRDSExpressionAction.class);
-
-    @Autowired
-    private HomeRealmReminder homeRealmReminder;
-
-    public String submit(RequestContext context, String homeRealm) {
-        // Check if home realm is known already
-        Cookie homeRealmCookie = homeRealmReminder.readCookie(context);
-        if (homeRealmCookie != null) {
-            LOG.debug("Home Realm Cookie set: {}", homeRealmCookie);
-            return homeRealmCookie.getValue();
-        }
-
-        // Check if custom HRDS is defined
-        Idp idpConfig = (Idp)WebUtils.getAttributeFromFlowScope(context, IDP_CONFIG);
-        String hrds = idpConfig.getHrds();
-
-        if (hrds != null) {
-            LOG.debug("HomeRealmDiscoveryService EL: {}", hrds);
-            ExpressionParser parser = new SpelExpressionParser();
-            Expression exp = parser.parseExpression(hrds);
-            String result = exp.getValue(context, String.class);
-            LOG.info("Realm resolved by HomeRealmDiscoveryService: {}", result);
-            return result;
-        }
-
-        // Return home realm parameter unchanged
-        LOG.debug("No custom homeRealm handling, using home realm parameter as provided in request: {}", homeRealm);
-        return homeRealm;
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
deleted file mode 100644
index 0d6c37d..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
+++ /dev/null
@@ -1,439 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans;
-
-import java.io.IOException;
-import java.io.StringReader;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.security.cert.X509Certificate;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.xml.namespace.QName;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.stream.XMLStreamException;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.NodeList;
-import org.apache.cxf.Bus;
-import org.apache.cxf.BusFactory;
-import org.apache.cxf.binding.soap.SoapFault;
-import org.apache.cxf.fediz.core.FederationConstants;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
-import org.apache.cxf.fediz.core.util.DOMUtils;
-import org.apache.cxf.fediz.service.idp.IdpSTSClient;
-import org.apache.cxf.fediz.service.idp.domain.Application;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.domain.RequestClaim;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.staxutils.W3CDOMStreamWriter;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.cxf.ws.security.trust.STSClient;
-import org.apache.cxf.ws.security.trust.STSUtils;
-import org.apache.wss4j.dom.WSConstants;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * This class is responsible to ask for Security Tokens to STS.
- */
-
-public class STSClientAction {
-
-    private static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY = 
-            "http://schemas.xmlsoap.org/ws/2005/05/identity";
-
-    private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER = 
-            "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
-    
-    private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_PUBLICKEY = 
-            "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
-
-    private static final String HTTP_WWW_W3_ORG_2005_08_ADDRESSING = "http://www.w3.org/2005/08/addressing";
-
-    private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 = 
-            "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
-    
-    private static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST =
-        "http://schemas.xmlsoap.org/ws/2005/02/trust";
-
-    private static final String SECURITY_TOKEN_SERVICE = "SecurityTokenService";
-
-    private static final Logger LOG = LoggerFactory
-            .getLogger(STSClientAction.class);
-    
-    protected String namespace = HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512;
-
-    protected String wsdlLocation;
-
-    protected String wsdlEndpoint;
-    
-    protected String wsdlService = SECURITY_TOKEN_SERVICE;
-  
-    protected String tokenType = WSConstants.WSS_SAML2_TOKEN_TYPE;
-    
-    protected Map<String, Object> properties;
-    
-    protected boolean use200502Namespace;
-    
-    protected int ttl = 1800;
-    
-    protected Bus bus;
-    
-    private boolean isPortSet;
-    
-    private String keyType = HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER;
-
-
-    public String getWsdlLocation() {
-        return wsdlLocation;
-    }
-
-    public void setWsdlLocation(String wsdlLocation) {
-        this.wsdlLocation = wsdlLocation;
-        try {
-            URL url = new URL(wsdlLocation);
-            isPortSet = url.getPort() > 0;
-            if (!isPortSet) {
-                LOG.info("Port is 0 for 'wsdlLocation'. Port evaluated when processing first request.");
-            }
-        } catch (MalformedURLException e) {
-            LOG.error("Invalid Url '" + wsdlLocation + "': "  + e.getMessage());
-        }
-    }
-
-    public String getWsdlEndpoint() {
-        return wsdlEndpoint;
-    }
-
-    public void setWsdlEndpoint(String wsdlEndpoint) {
-        this.wsdlEndpoint = wsdlEndpoint;
-    }
-    
-    public String getWsdlService() {
-        return wsdlService;
-    }
-
-    public void setWsdlService(String wsdlService) {
-        this.wsdlService = wsdlService;
-    }
-    
-    public String getNamespace() {
-        return namespace;
-    }
-
-    public void setNamespace(String namespace) {
-        this.namespace = namespace;
-    }
-    
-    public void setBus(Bus bus) {
-        this.bus = bus;
-    }
-
-    public Bus getBus() {
-        // do not store a referance to the default bus
-        return (bus != null) ? bus : BusFactory.getDefaultBus();
-    }
-
-    public String getTokenType() {
-        return tokenType;
-    }
-
-    public void setTokenType(String tokenType) {
-        this.tokenType = tokenType;
-    }
-
-    public int getTtl() {
-        return ttl;
-    }
-
-    public void setTtl(int ttl) {
-        this.ttl = ttl;
-    }
-    
-    /**
-     * @param context the webflow request context
-     * @param realm The client/application realm
-     * @return a RP security token
-     * @throws Exception
-     */
-    public Element submit(RequestContext context, String realm, String homeRealm)
-        throws Exception {
-        
-        SecurityToken idpToken = getSecurityToken(context, homeRealm);
-
-        Bus cxfBus = getBus();
-        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
-
-        IdpSTSClient sts = new IdpSTSClient(cxfBus);
-        sts.setAddressingNamespace(HTTP_WWW_W3_ORG_2005_08_ADDRESSING);
-        
-        Application serviceConfig = idpConfig.findApplication(realm);
-        if (serviceConfig == null) {
-            LOG.warn("No service config found for " + realm);
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-        
-        // Parse wreq parameter - we only support parsing TokenType and KeyType for now
-        String wreq = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REQUEST);
-        String stsTokenType = null;
-        String stsKeyType = keyType;
-        if (wreq != null) {
-            try {
-                Document wreqDoc = DOMUtils.readXml(new StringReader(wreq));
-                Element wreqElement = wreqDoc.getDocumentElement();
-                if (wreqElement != null && "RequestSecurityToken".equals(wreqElement.getLocalName())
-                    && (STSUtils.WST_NS_05_12.equals(wreqElement.getNamespaceURI())
-                        || HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST.equals(wreqElement.getNamespaceURI()))) {
-                    Element tokenTypeElement = 
-                        DOMUtils.getFirstChildWithName(wreqElement, wreqElement.getNamespaceURI(), "TokenType");
-                    if (tokenTypeElement != null) {
-                        stsTokenType = tokenTypeElement.getTextContent();
-                    }
-                    Element keyTypeElement = 
-                        DOMUtils.getFirstChildWithName(wreqElement, wreqElement.getNamespaceURI(), "KeyType");
-                    if (keyTypeElement != null) {
-                        stsKeyType = keyTypeElement.getTextContent();
-                    }
-                }
-            } catch (Exception e) {
-                LOG.warn("Error parsing 'wreq' parameter: " + e.getMessage());
-                throw new ProcessingException(TYPE.BAD_REQUEST);
-            }
-        }
-        
-        if (stsTokenType != null) {
-            sts.setTokenType(stsTokenType);
-        } else if (serviceConfig.getTokenType() != null && serviceConfig.getTokenType().length() > 0) {
-            sts.setTokenType(serviceConfig.getTokenType());
-        } else {
-            sts.setTokenType(getTokenType());
-        }
-        
-        if (serviceConfig.getPolicyNamespace() != null && serviceConfig.getPolicyNamespace().length() > 0) {
-            sts.setWspNamespace(serviceConfig.getPolicyNamespace());
-        }
-        
-        LOG.debug("TokenType {} set for realm {}", sts.getTokenType(), realm);
-        
-        sts.setKeyType(stsKeyType);
-        if (HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_PUBLICKEY.equals(stsKeyType)) {
-            HttpServletRequest servletRequest = WebUtils.getHttpServletRequest(context);
-            if (servletRequest != null) {
-                X509Certificate certs[] = 
-                    (X509Certificate[])servletRequest.getAttribute("javax.servlet.request.X509Certificate");
-                if (certs != null && certs.length > 0) {
-                    sts.setUseCertificateForConfirmationKeyInfo(true);
-                    sts.setUseKeyCertificate(certs[0]);
-                } else {
-                    LOG.info("Can't send a PublicKey KeyType as no client certs are available");
-                    sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
-                }
-            }
-        }
-
-        processWsdlLocation(context);
-        sts.setWsdlLocation(wsdlLocation);
-        sts.setServiceQName(new QName(namespace, wsdlService));
-        sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
-        if (use200502Namespace) {
-            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
-        }
-
-        if (serviceConfig.getRequestedClaims() != null && serviceConfig.getRequestedClaims().size() > 0) {
-            addClaims(sts, serviceConfig.getRequestedClaims());
-            LOG.debug("Requested claims set for {}", realm);
-        }
-        
-        sts.setEnableLifetime(true);
-        setLifetime(sts, serviceConfig, realm);
-        
-        sts.setEnableAppliesTo(serviceConfig.isEnableAppliesTo());
-        
-        sts.setOnBehalfOf(idpToken.getToken());
-       
-        if (properties != null) {
-            sts.setProperties(properties);
-        }
-        
-        Element rpToken = null;
-        try {
-            rpToken = sts.requestSecurityTokenResponse(realm);
-        } catch (SoapFault ex) {
-            LOG.error("Error in retrieving a token", ex.getMessage());
-            if (ex.getFaultCode() != null 
-                && "RequestFailed".equals(ex.getFaultCode().getLocalPart())) {
-                throw new ProcessingException(TYPE.BAD_REQUEST);
-            }
-            throw ex;
-        }
-
-        if (LOG.isInfoEnabled()) {
-            String id = getIdFromToken(rpToken);
-            
-            LOG.info("[RP_TOKEN={}] successfully created for realm [{}] on behalf of [IDP_TOKEN={}]",
-                     id, realm, idpToken.getId());
-        }
-        return rpToken;
-    }
-    
-    private String getIdFromToken(Element token) throws IOException, XMLStreamException {
-        if (token != null) {
-            NodeList nd = token.getElementsByTagNameNS(WSConstants.SAML2_NS, "Assertion");
-            
-            String identifier = "ID";
-            if (nd.getLength() == 0) {
-                nd = token.getElementsByTagNameNS(WSConstants.SAML_NS, "Assertion");
-                identifier = "AssertionID";
-            }
-            
-            if (nd.getLength() > 0) {
-                Element e = (Element) nd.item(0);
-                if (e.hasAttributeNS(null, identifier)) {
-                    return e.getAttributeNS(null, identifier);
-                }
-            }
-        }
-        
-        return "";
-    }
-
-    private SecurityToken getSecurityToken(RequestContext context, String homeRealm) throws ProcessingException {
-
-        SecurityToken idpToken = (SecurityToken) WebUtils.getAttributeFromFlowScope(context, "idpToken");
-        if (idpToken != null) {
-            LOG.debug("[IDP_TOKEN={} successfully retrieved from cache for home realm [{}]",
-                          idpToken.getId(), homeRealm);
-        } else {
-            LOG.error("IDP_TOKEN not found");
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-        return idpToken;
-    }
-    
-
-    private void processWsdlLocation(RequestContext context) {
-        if (!isPortSet) {
-            try {
-                URL url = new URL(this.wsdlLocation);
-                URL updatedUrl = new URL(url.getProtocol(), url.getHost(),
-                                         WebUtils.getHttpServletRequest(context).getLocalPort(), url.getFile());
-                
-                setSTSWsdlUrl(updatedUrl.toString());
-                LOG.info("STS WSDL URL updated to {}", updatedUrl.toString());
-            } catch (MalformedURLException e) {
-                LOG.error("Invalid Url '{}': {}", this.wsdlLocation, e.getMessage());
-            }
-        }
-    }
-
-    private void addClaims(STSClient sts, List<RequestClaim> requestClaimList)
-        throws ParserConfigurationException, XMLStreamException {
-        
-        Element claims = createClaimsElement(requestClaimList);
-        if (claims != null) {
-            sts.setClaims(claims);
-        }
-    }
-
-    private Element createClaimsElement(List<RequestClaim> realmClaims)
-        throws ParserConfigurationException, XMLStreamException {
-        if (realmClaims == null || realmClaims.size() == 0) {
-            return null;
-        }
-
-        W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
-        writer.writeStartElement("wst", "Claims", STSUtils.WST_NS_05_12);
-        writer.writeNamespace("wst", STSUtils.WST_NS_05_12);
-        writer.writeNamespace("ic",
-                HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY);
-        writer.writeAttribute("Dialect",
-                HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY);
-
-        if (realmClaims.size() > 0) {
-            for (RequestClaim item : realmClaims) {
-                LOG.debug("  {}", item.getClaimType().toString());
-                writer.writeStartElement("ic", "ClaimType",
-                        HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY);
-                writer.writeAttribute("Uri", item.getClaimType().toString());
-                writer.writeAttribute("Optional", Boolean.toString(item.isOptional())); 
-                writer.writeEndElement();
-            }
-        }
-
-        writer.writeEndElement();
-
-        return writer.getDocument().getDocumentElement();
-    }
-    
-    private synchronized void setSTSWsdlUrl(String wsdlUrl) {
-        this.wsdlLocation = wsdlUrl;
-        this.isPortSet = true;
-    }
-
-    public String getKeyType() {
-        return keyType;
-    }
-
-    public void setKeyType(String keyType) {
-        this.keyType = keyType;
-    }
-
-    public boolean isUse200502Namespace() {
-        return use200502Namespace;
-    }
-
-    public void setUse200502Namespace(boolean use200502Namespace) {
-        this.use200502Namespace = use200502Namespace;
-    }
-
-    private void setLifetime(STSClient sts, Application serviceConfig, String wtrealm) {
-        if (serviceConfig.getLifeTime() > 0) {
-            try {
-                int lifetime = serviceConfig.getLifeTime();
-                sts.setTtl(lifetime);
-                sts.setEnableLifetime(lifetime > 0);
-                LOG.debug("Lifetime set to {} seconds for realm {}", serviceConfig.getLifeTime(), wtrealm);
-            } catch (NumberFormatException ex) {
-                LOG.warn("Invalid lifetime configured for service provider " + wtrealm);
-                sts.setTtl(this.ttl);
-                sts.setEnableLifetime(this.ttl > 0);
-            }
-        } else {
-            sts.setTtl(this.ttl);
-            sts.setEnableLifetime(this.ttl > 0);
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Lifetime set to {} seconds for realm {}", this.ttl, wtrealm);
-            }
-        }
-    }
-
-    public Map<String, Object> getProperties() {
-        return properties;
-    }
-
-    public void setProperties(Map<String, Object> properties) {
-        this.properties = properties;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
deleted file mode 100644
index bbecc5a..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/SigninParametersCacheAction.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans;
-
-import java.net.URL;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
-
-import org.apache.cxf.fediz.core.FederationConstants;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.service.idp.IdpConstants;
-import org.apache.cxf.fediz.service.idp.domain.Application;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.samlsso.SAMLAuthnRequest;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-@Component
-public class SigninParametersCacheAction {
-
-    public static final String ACTIVE_APPLICATIONS = "realmConfigMap";
-
-    private static final Logger LOG = LoggerFactory.getLogger(SigninParametersCacheAction.class);
-
-    public void store(RequestContext context, String protocol) {
-        Map<String, Object> signinParams = new HashMap<>();
-        String uuidKey = UUID.randomUUID().toString();
-
-        Object value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
-        if (value != null) {
-            signinParams.put(IdpConstants.HOME_REALM, value);
-        }
-        value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.CONTEXT);
-        if (value != null) {
-            signinParams.put(IdpConstants.CONTEXT, value);
-        }
-        value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.REALM);
-        if (value != null) {
-            signinParams.put(IdpConstants.REALM, value);
-        }
-        value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.RETURN_ADDRESS);
-        if (value != null) {
-            signinParams.put(IdpConstants.RETURN_ADDRESS, value);
-        }
-        value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.RETURN_ADDRESS);
-        if (value != null) {
-            signinParams.put(IdpConstants.RETURN_ADDRESS, value);
-        }
-
-        if ("samlsso".equals(protocol)) {
-            value = WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
-            if (value != null) {
-                signinParams.put(IdpConstants.SAML_AUTHN_REQUEST, value);
-            }
-        }
-
-        WebUtils.putAttributeInExternalContext(context, uuidKey, signinParams);
-
-        LOG.debug("SignIn parameters cached: {}", signinParams.toString());
-        WebUtils.putAttributeInFlowScope(context, IdpConstants.TRUSTED_IDP_CONTEXT, uuidKey);
-        LOG.info("SignIn parameters cached and context set to [" + uuidKey + "].");
-    }
-
-    public void restore(RequestContext context, String contextKey, String protocol) {
-
-        if (contextKey != null) {
-            @SuppressWarnings("unchecked")
-            Map<String, Object> signinParams =
-                (Map<String, Object>)WebUtils.getAttributeFromExternalContext(context, contextKey);
-
-            if (signinParams != null) {
-                LOG.debug("SignIn parameters restored: {}", signinParams.toString());
-
-                String value = (String)signinParams.get(IdpConstants.HOME_REALM);
-                if (value != null) {
-                    WebUtils.putAttributeInFlowScope(context, IdpConstants.HOME_REALM, value);
-                }
-                value = (String)signinParams.get(IdpConstants.REALM);
-                if (value != null) {
-                    WebUtils.putAttributeInFlowScope(context, IdpConstants.REALM, value);
-                }
-                value = (String)signinParams.get(IdpConstants.RETURN_ADDRESS);
-                if (value != null) {
-                    WebUtils.putAttributeInFlowScope(context, IdpConstants.RETURN_ADDRESS, value);
-                }
-                value = (String)signinParams.get(IdpConstants.CONTEXT);
-                if (value != null) {
-                    WebUtils.putAttributeInFlowScope(context, IdpConstants.CONTEXT, value);
-                }
-
-                if ("wsfed".equals(protocol)) {
-
-                    WebUtils.removeAttributeFromFlowScope(context, FederationConstants.PARAM_CONTEXT);
-                    LOG.info("SignIn parameters restored and " + FederationConstants.PARAM_CONTEXT + "["
-                        + contextKey + "] cleared.");
-
-                } else if ("samlsso".equals(protocol)) {
-                    SAMLAuthnRequest authnRequest =
-                        (SAMLAuthnRequest)signinParams.get(IdpConstants.SAML_AUTHN_REQUEST);
-                    if (authnRequest != null) {
-                        WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, authnRequest);
-                    }
-                }
-
-            }  else {
-                LOG.debug("Error in restoring security context");
-            }
-
-            WebUtils.removeAttributeFromFlowScope(context, contextKey);
-        } else {
-            LOG.debug("Error in restoring security context");
-        }
-    }
-
-    public void storeRPConfigInSession(RequestContext context) throws ProcessingException {
-
-        String wtrealm = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_TREALM);
-        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, IdpConstants.IDP_CONFIG);
-        if (wtrealm == null || idpConfig == null) {
-            return;
-        }
-
-        Application serviceConfig = idpConfig.findApplication(wtrealm);
-        if (serviceConfig != null) {
-            if (serviceConfig.getPassiveRequestorEndpoint() == null) {
-                String url = guessPassiveRequestorURL(context, wtrealm);
-                serviceConfig.setPassiveRequestorEndpoint(url);
-            }
-
-            @SuppressWarnings("unchecked")
-            Map<String, Application> realmConfigMap =
-                    (Map<String, Application>)WebUtils
-                            .getAttributeFromExternalContext(context, ACTIVE_APPLICATIONS);
-
-            if (realmConfigMap == null) {
-                realmConfigMap = new HashMap<>();
-                WebUtils.putAttributeInExternalContext(context, ACTIVE_APPLICATIONS, realmConfigMap);
-            }
-
-            if (realmConfigMap.get(wtrealm) == null) {
-                realmConfigMap.put(wtrealm, serviceConfig);
-            }
-        }
-    }
-
-    protected String guessPassiveRequestorURL(RequestContext context, String wtrealm) throws ProcessingException {
-        String url = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY);
-        try {
-            //basic check if the url is correctly formed
-            new URL(url);
-        } catch (Exception e) {
-            url = null;
-        }
-        if (url == null) {
-            url = wtrealm;
-            try {
-                //basic check if the url is correctly formed
-                new URL(url);
-            } catch (Exception e) {
-                throw new ProcessingException(e.getMessage(), e, ProcessingException.TYPE.INVALID_REQUEST);
-            }
-        }
-        return url;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TokenSerializer.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TokenSerializer.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TokenSerializer.java
deleted file mode 100644
index 4665cb5..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TokenSerializer.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans;
-
-import java.io.StringWriter;
-
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
-
-import org.w3c.dom.Element;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * Serialize the RP Token
- */
-@Component
-public class TokenSerializer {
-
-    private static final Logger LOG = LoggerFactory.getLogger(TokenSerializer.class);
-
-    public String serialize(RequestContext context, Element rpToken) {
-        if (rpToken != null) {
-            StringWriter sw = new StringWriter();
-            try {
-                Transformer t = TransformerFactory.newInstance().newTransformer();
-                t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
-                t.transform(new DOMSource(rpToken), new StreamResult(sw));
-            } catch (TransformerException te) {
-                LOG.warn("nodeToString Transformer Exception");
-            }
-            String serializedToken = sw.toString();
-    
-            return org.apache.commons.lang3.StringEscapeUtils.escapeXml11(serializedToken);
-        }
-        
-        return null;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
deleted file mode 100644
index 9ea2de2..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/TrustedIdpProtocolAction.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans;
-
-import java.net.URL;
-
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-import org.apache.cxf.fediz.service.idp.protocols.ProtocolController;
-import org.apache.cxf.fediz.service.idp.spi.TrustedIdpProtocolHandler;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Qualifier;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * This class is responsible to map the sign in request/response when calling a trusted third party IdP
- */
-@Component
-public class TrustedIdpProtocolAction {
-
-    private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpProtocolAction.class);
-    
-    private static final String IDP_CONFIG = "idpConfig";
-    
-    @Autowired
-    // Qualifier workaround. See http://www.jayway.com/2013/11/03/spring-and-autowiring-of-generic-types/
-    @Qualifier("trustedIdpProtocolControllerImpl")
-    private ProtocolController<TrustedIdpProtocolHandler> trustedIdpProtocolHandlers;
-    
-    public String mapSignInRequest(RequestContext requestContext, String trustedIdpRealm) {
-        LOG.info("Prepare redirect to Trusted IDP '{}'", trustedIdpRealm);
-        
-        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(requestContext, IDP_CONFIG);
-        
-        TrustedIdp trustedIdp = idpConfig.findTrustedIdp(trustedIdpRealm);
-        if (trustedIdp == null) {
-            LOG.error("TrustedIdp '{}' not configured", trustedIdpRealm);
-            throw new IllegalStateException("TrustedIdp '" + trustedIdpRealm + "'");
-        }
-        
-        String protocol = trustedIdp.getProtocol();
-        LOG.debug("TrustedIdp '{}' supports protocol {}", trustedIdpRealm, protocol);
-        
-        TrustedIdpProtocolHandler protocolHandler = trustedIdpProtocolHandlers.getProtocolHandler(protocol);
-        if (protocolHandler == null) {
-            LOG.error("No ProtocolHandler found for {}", protocol);
-            throw new IllegalStateException("No ProtocolHandler found for '" + protocol + "'");
-        }
-        URL redirectUrl = protocolHandler.mapSignInRequest(requestContext, idpConfig, trustedIdp);
-        LOG.info("Redirect url {}", redirectUrl.toString());
-        return redirectUrl.toString();
-    }
-    
-    public SecurityToken mapSignInResponse(RequestContext requestContext, String trustedIdpRealm) {
-        LOG.info("Prepare validate SignInResponse of Trusted IDP '{}'", trustedIdpRealm);
-        
-        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(requestContext, IDP_CONFIG);
-        
-        TrustedIdp trustedIdp = idpConfig.findTrustedIdp(trustedIdpRealm);
-        if (trustedIdp == null) {
-            LOG.error("TrustedIdp '{}' not configured", trustedIdpRealm);
-            throw new IllegalStateException("TrustedIdp '" + trustedIdpRealm + "'");
-        }
-        
-        String protocol = trustedIdp.getProtocol();
-        LOG.debug("TrustedIdp '{}' supports protocol {}", trustedIdpRealm, protocol);
-        
-        TrustedIdpProtocolHandler protocolHandler = trustedIdpProtocolHandlers.getProtocolHandler(protocol);
-        if (protocolHandler == null) {
-            LOG.error("No ProtocolHandler found for {}", protocol);
-            throw new IllegalStateException("No ProtocolHandler found for '" + protocol + "'");
-        }
-        SecurityToken token = protocolHandler.mapSignInResponse(requestContext, idpConfig, trustedIdp);
-        if (token != null) {
-            LOG.info("SignInResponse successfully validated and SecurityToken created");
-        }
-        return token;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
deleted file mode 100644
index 53feb73..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
+++ /dev/null
@@ -1,388 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans.samlsso;
-
-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-
-import org.w3c.dom.Document;
-
-import org.apache.cxf.common.util.Base64Utility;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
-import org.apache.cxf.fediz.core.util.CertsUtils;
-import org.apache.cxf.fediz.service.idp.IdpConstants;
-import org.apache.cxf.fediz.service.idp.domain.Application;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.samlsso.SAMLAuthnRequest;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
-import org.apache.cxf.rs.security.saml.sso.SSOConstants;
-import org.apache.cxf.staxutils.StaxUtils;
-import org.apache.wss4j.common.crypto.CertificateStore;
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.saml.SAMLKeyInfo;
-import org.apache.wss4j.common.saml.SAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.apache.wss4j.dom.WSDocInfo;
-import org.apache.wss4j.dom.engine.WSSConfig;
-import org.apache.wss4j.dom.handler.RequestData;
-import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
-import org.apache.wss4j.dom.validate.Credential;
-import org.apache.wss4j.dom.validate.SignatureTrustValidator;
-import org.apache.wss4j.dom.validate.Validator;
-import org.apache.xml.security.utils.Base64;
-import org.opensaml.saml.saml2.core.AuthnRequest;
-import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
-import org.opensaml.security.credential.BasicCredential;
-import org.opensaml.security.x509.BasicX509Credential;
-import org.opensaml.xmlsec.signature.KeyInfo;
-import org.opensaml.xmlsec.signature.Signature;
-import org.opensaml.xmlsec.signature.support.SignatureException;
-import org.opensaml.xmlsec.signature.support.SignatureValidator;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * Parse the received SAMLRequest into an OpenSAML AuthnRequest
- */
-@Component
-public class AuthnRequestParser {
-
-    private static final Logger LOG = LoggerFactory.getLogger(AuthnRequestParser.class);
-    private boolean supportDeflateEncoding;
-    private boolean requireSignature = true;
-
-    public void parseSAMLRequest(RequestContext context, Idp idp, String samlRequest,
-                                 String signature, String relayState) throws ProcessingException {
-        LOG.debug("Received SAML Request: {}", samlRequest);
-        
-        if (samlRequest == null) {
-            WebUtils.removeAttribute(context, IdpConstants.SAML_AUTHN_REQUEST);
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        } else {
-            AuthnRequest parsedRequest = null;
-            try {
-                parsedRequest = extractRequest(context, samlRequest);
-            } catch (Exception ex) {
-                LOG.warn("Error parsing request: {}", ex.getMessage());
-                throw new ProcessingException(TYPE.BAD_REQUEST);
-            }
-            
-            // Store various attributes from the AuthnRequest
-            SAMLAuthnRequest authnRequest = new SAMLAuthnRequest(parsedRequest);
-            WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, authnRequest);
-            
-            validateSignature(context, parsedRequest, idp, signature, relayState, 
-                              samlRequest, authnRequest.getIssuer());
-            validateRequest(parsedRequest);
-            
-            LOG.debug("SAML Request with id '{}' successfully parsed", parsedRequest.getID());
-        }
-    }
-    
-    public String retrieveRealm(RequestContext context) {
-        SAMLAuthnRequest authnRequest = 
-            (SAMLAuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
-        
-        if (authnRequest != null) {
-            String issuer = authnRequest.getIssuer();
-            LOG.debug("Parsed SAML AuthnRequest Issuer: {}", issuer);
-            return issuer;
-        }
-        
-        LOG.debug("No AuthnRequest available to be parsed");
-        return null;
-    }
-    
-    public String retrieveConsumerURL(RequestContext context) {
-        SAMLAuthnRequest authnRequest = 
-            (SAMLAuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
-
-        if (authnRequest != null && authnRequest.getConsumerServiceURL() != null) {
-            String consumerURL = authnRequest.getConsumerServiceURL();
-            LOG.debug("Parsed SAML AuthnRequest Consumer URL: {}", consumerURL);
-            return consumerURL;
-        }
-        
-        LOG.debug("No AuthnRequest available to be parsed");
-        return null;
-    }
-    
-    public String retrieveRequestId(RequestContext context) {
-        SAMLAuthnRequest authnRequest = 
-            (SAMLAuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
-
-        if (authnRequest != null && authnRequest.getRequestId() != null) {
-            String id = authnRequest.getRequestId();
-            LOG.debug("Parsed SAML AuthnRequest Id: {}", id);
-            return id;
-        }
-        
-        LOG.debug("No AuthnRequest available to be parsed");
-        return null;
-    }
-    
-    public String retrieveRequestIssuer(RequestContext context) {
-        SAMLAuthnRequest authnRequest = 
-            (SAMLAuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
-
-        if (authnRequest != null && authnRequest.getIssuer() != null) {
-            String issuer = authnRequest.getIssuer();
-            LOG.debug("Parsed SAML AuthnRequest Issuer: {}", issuer);
-            return issuer;
-        }
-        
-        LOG.debug("No AuthnRequest available to be parsed");
-        return null;
-    }
-    
-    public boolean isForceAuthentication(RequestContext context) {
-        SAMLAuthnRequest authnRequest = 
-            (SAMLAuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
-        if (authnRequest != null) {
-            return authnRequest.isForceAuthn();
-        }
-        
-        LOG.debug("No AuthnRequest available to be parsed");
-        return false;
-    }
-    
-    protected AuthnRequest extractRequest(RequestContext context, String samlRequest) throws Exception {
-        byte[] deflatedToken = Base64Utility.decode(samlRequest);
-        String httpMethod = WebUtils.getHttpServletRequest(context).getMethod();
-        
-        InputStream tokenStream = supportDeflateEncoding || "GET".equals(httpMethod)
-             ? new DeflateEncoderDecoder().inflateToken(deflatedToken)
-                 : new ByteArrayInputStream(deflatedToken);
-
-        Document responseDoc = StaxUtils.read(new InputStreamReader(tokenStream, "UTF-8"));
-        AuthnRequest request = 
-            (AuthnRequest)OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
-        if (LOG.isDebugEnabled()) {
-            LOG.debug(DOM2Writer.nodeToString(responseDoc));
-        }
-        return request;
-    }
-    
-    public boolean isSupportDeflateEncoding() {
-        return supportDeflateEncoding;
-    }
-
-    public void setSupportDeflateEncoding(boolean supportDeflateEncoding) {
-        this.supportDeflateEncoding = supportDeflateEncoding;
-    }
-    
-    private void validateRequest(AuthnRequest parsedRequest) throws ProcessingException {
-        if (parsedRequest.getIssuer() == null) {
-            LOG.debug("No Issuer is present in the AuthnRequest");
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-        
-        String format = parsedRequest.getIssuer().getFormat();
-        if (format != null
-            && !"urn:oasis:names:tc:SAML:2.0:nameid-format:entity".equals(format)) {
-            LOG.debug("An invalid Format attribute was received: {}", format);
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-        
-        // No SubjectConfirmation Elements are allowed
-        if (parsedRequest.getSubject() != null 
-            && parsedRequest.getSubject().getSubjectConfirmations() != null
-            && !parsedRequest.getSubject().getSubjectConfirmations().isEmpty()) {
-            LOG.debug("An invalid SubjectConfirmation Element was received");
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-    }
-    
-    private void validateSignature(RequestContext context, AuthnRequest authnRequest, Idp idp, 
-                                   String signature, String relayState, String samlRequest, 
-                                   String realm) throws ProcessingException {
-        try {
-            if (authnRequest.isSigned()) {
-                // Check destination
-                checkDestination(context, authnRequest);
-                
-                // Check signature
-                X509Certificate validatingCert = getValidatingCertificate(idp, realm);
-                Crypto issuerCrypto = 
-                    new CertificateStore(Collections.singletonList(validatingCert).toArray(new X509Certificate[0]));
-                validateAuthnRequestSignature(authnRequest.getSignature(), issuerCrypto);
-            } else if (signature != null) {
-                // Check destination
-                checkDestination(context, authnRequest);
-                
-                // Check signature
-                X509Certificate validatingCert = getValidatingCertificate(idp, realm);
-                
-                java.security.Signature sig = java.security.Signature.getInstance("SHA1withRSA");
-                sig.initVerify(validatingCert);
-                
-                // Recreate request to sign
-                String requestToSign = SSOConstants.SAML_REQUEST + "=" + URLEncoder.encode(samlRequest, "UTF-8")
-                     + "&" + SSOConstants.RELAY_STATE + "=" + relayState + "&" + SSOConstants.SIG_ALG 
-                     + "=" + URLEncoder.encode(SSOConstants.RSA_SHA1, StandardCharsets.UTF_8.name());
-                
-                sig.update(requestToSign.getBytes(StandardCharsets.UTF_8));
-                
-                if (!sig.verify(Base64.decode(signature))) {
-                    LOG.debug("Signature validation failed");
-                    throw new ProcessingException(TYPE.BAD_REQUEST);
-                }
-            } else if (requireSignature) {
-                LOG.debug("No signature is present, therefore the request is rejected");
-                throw new ProcessingException(TYPE.BAD_REQUEST);
-            } else {
-                LOG.debug("No signature is present, but this is allowed by configuration");
-            }
-        } catch (Exception ex) {
-            LOG.debug("Error validating SAML Signature", ex);
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-    }
-    
-    private X509Certificate getValidatingCertificate(Idp idp, String realm) 
-        throws Exception {
-        Application serviceConfig = idp.findApplication(realm);
-        if (serviceConfig == null || serviceConfig.getValidatingCertificate() == null) {
-            LOG.debug("No validating certificate found for realm {}", realm);
-            throw new ProcessingException(TYPE.ISSUER_NOT_TRUSTED);
-        }
-        
-        return CertsUtils.parseX509Certificate(serviceConfig.getValidatingCertificate());
-    }
-    
-    private void checkDestination(RequestContext context, AuthnRequest authnRequest) throws ProcessingException {
-        // Check destination
-        String destination = authnRequest.getDestination();
-        LOG.debug("Validating destination: {}", destination);
-        
-        String localAddr = WebUtils.getHttpServletRequest(context).getRequestURL().toString();
-        if (destination == null || !localAddr.startsWith(destination)) {
-            LOG.debug("The destination {} does not match the local address {}", destination, localAddr);
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-    }
-    
-    /**
-     * Validate the AuthnRequest signature
-     */
-    private void validateAuthnRequestSignature(
-        Signature signature,
-        Crypto sigCrypto
-    ) throws WSSecurityException {
-        RequestData requestData = new RequestData();
-        requestData.setSigVerCrypto(sigCrypto);
-        WSSConfig wssConfig = WSSConfig.getNewInstance();
-        requestData.setWssConfig(wssConfig);
-        // requestData.setCallbackHandler(callbackHandler);
-
-        SAMLKeyInfo samlKeyInfo = null;
-
-        KeyInfo keyInfo = signature.getKeyInfo();
-        if (keyInfo != null) {
-            try {
-                Document doc = signature.getDOM().getOwnerDocument();
-                samlKeyInfo =
-                    SAMLUtil.getCredentialFromKeyInfo(
-                        keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(doc)), sigCrypto
-                    );
-            } catch (WSSecurityException ex) {
-                LOG.debug("Error in getting KeyInfo from SAML AuthnRequest: {}", ex.getMessage(), ex);
-                throw ex;
-            }
-        }
-        
-        if (samlKeyInfo == null) {
-            LOG.debug("No KeyInfo supplied in the AuthnRequest signature");
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        }
-
-        // Validate Signature against profiles
-        validateSignatureAgainstProfiles(signature, samlKeyInfo);
-
-        // Now verify trust on the signature
-        Credential trustCredential = new Credential();
-        trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
-        trustCredential.setCertificates(samlKeyInfo.getCerts());
-
-        try {
-            Validator signatureValidator = new SignatureTrustValidator();
-            signatureValidator.validate(trustCredential, requestData);
-        } catch (WSSecurityException e) {
-            LOG.debug("Error in validating signature on SAML AuthnRequest: {}", e.getMessage(), e);
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        }
-    }
-
-    /**
-     * Validate a signature against the profiles
-     */
-    private void validateSignatureAgainstProfiles(
-        Signature signature,
-        SAMLKeyInfo samlKeyInfo
-    ) throws WSSecurityException {
-        // Validate Signature against profiles
-        SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
-        try {
-            validator.validate(signature);
-        } catch (SignatureException ex) {
-            LOG.debug("Error in validating the SAML Signature: {}", ex.getMessage(), ex);
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        }
-
-        BasicCredential credential = null;
-        if (samlKeyInfo.getCerts() != null) {
-            credential = new BasicX509Credential(samlKeyInfo.getCerts()[0]);
-        } else if (samlKeyInfo.getPublicKey() != null) {
-            credential = new BasicCredential(samlKeyInfo.getPublicKey());
-        } else {
-            LOG.debug("Can't get X509Certificate or PublicKey to verify signature");
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        }
-        try {
-            SignatureValidator.validate(signature, credential);
-        } catch (SignatureException ex) {
-            LOG.debug("Error in validating the SAML Signature: {}", ex.getMessage(), ex);
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        }
-    }
-
-    public boolean isRequireSignature() {
-        return requireSignature;
-    }
-
-    /**
-     * Whether to require a signature or not on the AuthnRequest
-     * @param requireSignature
-     */
-    public void setRequireSignature(boolean requireSignature) {
-        this.requireSignature = requireSignature;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/LocalRedirectCreator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/LocalRedirectCreator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/LocalRedirectCreator.java
deleted file mode 100644
index 9dfd626..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/LocalRedirectCreator.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans.samlsso;
-
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
-
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * Parse the parameters to create the URL for local redirection
- */
-@Component
-public class LocalRedirectCreator {
-
-    public String createRedirectURL(RequestContext context, Idp idp) throws UnsupportedEncodingException {
-        StringBuilder redirectURL = new StringBuilder();
-        redirectURL.append(idp.getIdpUrl().toString()).append("?");
-        
-        String relayState = (String)WebUtils.getAttributeFromFlowScope(context, "RelayState");
-        redirectURL.append("RelayState=").append(relayState).append("&");
-        String samlRequest = (String)WebUtils.getAttributeFromFlowScope(context, "SAMLRequest");
-        redirectURL.append("SAMLRequest=").append(URLEncoder.encode(samlRequest, "UTF-8"));
-        
-        String signature = (String)WebUtils.getAttributeFromFlowScope(context, "Signature");
-        if (signature != null) {
-            redirectURL.append("&");
-            redirectURL.append("Signature=").append(URLEncoder.encode(signature, "UTF-8"));
-        }
-        
-        return redirectURL.toString();
-    }
-    
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
deleted file mode 100644
index 742797d..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
+++ /dev/null
@@ -1,187 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans.samlsso;
-
-import java.io.IOException;
-import java.util.Collections;
-import java.util.List;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.common.util.Base64Utility;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
-import org.apache.cxf.fediz.core.util.CertsUtils;
-import org.apache.cxf.fediz.service.idp.IdpConstants;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.samlsso.SAML2CallbackHandler;
-import org.apache.cxf.fediz.service.idp.samlsso.SAML2PResponseComponentBuilder;
-import org.apache.cxf.fediz.service.idp.samlsso.SAMLAuthnRequest;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.saml.SAMLCallback;
-import org.apache.wss4j.common.saml.SAMLUtil;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean;
-import org.apache.wss4j.common.saml.bean.ConditionsBean;
-import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.apache.wss4j.dom.WSConstants;
-import org.joda.time.DateTime;
-import org.opensaml.saml.saml2.core.Assertion;
-import org.opensaml.saml.saml2.core.NameID;
-import org.opensaml.saml.saml2.core.Response;
-import org.opensaml.saml.saml2.core.Status;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * Insert the SAML Token received from the STS into a SAML Response
- */
-@Component
-public class SamlResponseCreator {
-
-    private static final Logger LOG = LoggerFactory.getLogger(SamlResponseCreator.class);
-    private boolean supportDeflateEncoding;
-
-    public String createSAMLResponse(RequestContext context, Idp idp, Element rpToken,
-                                     String consumerURL, String requestId, String requestIssuer) 
-                                         throws ProcessingException {
-        List<Element> samlTokens = 
-            DOMUtils.findAllElementsByTagNameNS(rpToken, WSConstants.SAML2_NS, "Assertion");
-        if (samlTokens.isEmpty() || samlTokens.size() != 1) {
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-        
-        try {
-            SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlTokens.get(0));
-            if (wrapper.getSaml2() == null) {
-                throw new ProcessingException(TYPE.BAD_REQUEST);
-            }
-            
-            String remoteAddr = WebUtils.getHttpServletRequest(context).getRemoteAddr();
-            Assertion saml2Assertion = 
-                createSAML2Assertion(context, idp, wrapper, requestId, requestIssuer, 
-                                     remoteAddr, consumerURL);
-            
-            Element response = createResponse(idp, requestId, saml2Assertion);
-            return encodeResponse(response);
-        } catch (Exception ex) {
-            LOG.warn("Error marshalling SAML Token: {}", ex.getMessage());
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-    }
-    
-    private Assertion createSAML2Assertion(RequestContext context, Idp idp, SamlAssertionWrapper receivedToken,
-                                           String requestID, String requestIssuer, 
-                                           String remoteAddr, String racs) throws Exception {
-        // Create an AuthenticationAssertion
-        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
-        callbackHandler.setIssuer(idp.getRealm());
-        callbackHandler.setSubject(receivedToken.getSaml2().getSubject());
-        
-        // Test Subject against received Subject (if applicable)
-        SAMLAuthnRequest authnRequest = 
-            (SAMLAuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
-        if (authnRequest.getSubjectNameId() != null && receivedToken.getSaml2().getSubject().getNameID() != null) {
-            NameID issuedNameId = receivedToken.getSaml2().getSubject().getNameID();
-            if (!authnRequest.getSubjectNameId().equals(issuedNameId.getValue())) {
-                LOG.debug("Received NameID value of {} does not match issued value {}",
-                          authnRequest.getSubjectNameId(), issuedNameId.getValue());
-                throw new ProcessingException(ProcessingException.TYPE.INVALID_REQUEST);
-            }
-        }
-        
-        // Subject Confirmation Data
-        SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
-        subjectConfirmationData.setAddress(remoteAddr);
-        subjectConfirmationData.setInResponseTo(requestID);
-        subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
-        subjectConfirmationData.setRecipient(racs);
-        callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
-        
-        // Audience Restriction
-        ConditionsBean conditions = new ConditionsBean();
-        conditions.setTokenPeriodMinutes(5);
-        
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.setAudienceURIs(Collections.singletonList(requestIssuer));
-        conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(conditions);
-        
-        // Attributes
-        callbackHandler.setAttributeStatements(receivedToken.getSaml2().getAttributeStatements());
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        Crypto issuerCrypto = CertsUtils.getCryptoFromCertificate(idp.getCertificate());
-        assertion.signAssertion(issuerCrypto.getDefaultX509Identifier(), idp.getCertificatePassword(), 
-                                issuerCrypto, false);
-        
-        return assertion.getSaml2();
-    }
-    
-    protected Element createResponse(Idp idp, String requestID, Assertion assertion) throws Exception {
-        Document doc = DOMUtils.newDocument();
-        
-        Status status = 
-            SAML2PResponseComponentBuilder.createStatus(
-                "urn:oasis:names:tc:SAML:2.0:status:Success", null
-            );
-        Response response = 
-            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getRealm(), status);
-        
-        response.getAssertions().add(assertion);
-        
-        Element policyElement = OpenSAMLUtil.toDom(response, doc);
-        doc.appendChild(policyElement);
-        
-        return policyElement;
-    }
-
-    protected String encodeResponse(Element response) throws IOException {
-        String responseMessage = DOM2Writer.nodeToString(response);
-        LOG.debug("Created Response: {}", responseMessage);
-
-        if (supportDeflateEncoding) {
-            DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
-            byte[] deflatedBytes = encoder.deflateToken(responseMessage.getBytes("UTF-8"));
-
-            return Base64Utility.encode(deflatedBytes);
-        }
-        
-        return Base64Utility.encode(responseMessage.getBytes());
-    }
-    
-    public boolean isSupportDeflateEncoding() {
-        return supportDeflateEncoding;
-    }
-
-    public void setSupportDeflateEncoding(boolean supportDeflateEncoding) {
-        this.supportDeflateEncoding = supportDeflateEncoding;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
deleted file mode 100644
index ce257e0..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans.samlsso;
-
-import java.io.IOException;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.common.util.Base64Utility;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.samlsso.SAML2PResponseComponentBuilder;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.opensaml.saml.saml2.core.Response;
-import org.opensaml.saml.saml2.core.Status;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * Create a SAML Error Response
- */
-@Component
-public class SamlResponseErrorCreator {
-
-    private static final Logger LOG = LoggerFactory.getLogger(SamlResponseErrorCreator.class);
-    private boolean supportDeflateEncoding;
-
-    public String createSAMLResponse(RequestContext context, boolean requestor,
-                                     Idp idp, String requestID) throws ProcessingException { 
-        Document doc = DOMUtils.newDocument();
-        
-        String statusValue = "urn:oasis:names:tc:SAML:2.0:status:Responder";
-        if (requestor) {
-            statusValue = "urn:oasis:names:tc:SAML:2.0:status:Requester";
-        }
-        Status status = 
-            SAML2PResponseComponentBuilder.createStatus(statusValue, null);
-        Response response = 
-            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getRealm(), status);
-        
-        try {
-            Element policyElement = OpenSAMLUtil.toDom(response, doc);
-            doc.appendChild(policyElement);
-            
-            Element responseElement = policyElement;
-            return encodeResponse(responseElement);
-        } catch (Exception e) {
-            LOG.warn("Error marshalling SAML Token: {}", e.getMessage());
-            throw new ProcessingException(TYPE.BAD_REQUEST);
-        }
-    }
-
-    protected String encodeResponse(Element response) throws IOException {
-        String responseMessage = DOM2Writer.nodeToString(response);
-        LOG.debug("Created Response: {}", responseMessage);
-
-        if (supportDeflateEncoding) {
-            DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
-            byte[] deflatedBytes = encoder.deflateToken(responseMessage.getBytes("UTF-8"));
-
-            return Base64Utility.encode(deflatedBytes);
-        }
-        
-        return Base64Utility.encode(responseMessage.getBytes());
-    }
-    
-    public boolean isSupportDeflateEncoding() {
-        return supportDeflateEncoding;
-    }
-
-    public void setSupportDeflateEncoding(boolean supportDeflateEncoding) {
-        this.supportDeflateEncoding = supportDeflateEncoding;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
deleted file mode 100644
index 148d24b..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.beans.wsfed;
-
-import java.util.Date;
-
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * This class is responsible to parse the 'wfresh' parameter 
- */
-@Component
-public class WfreshParser {
-
-    private static final Logger LOG = LoggerFactory.getLogger(WfreshParser.class);
-
-    public boolean authenticationRequired(String wfresh, String whr, RequestContext context)
-        throws Exception {
-        
-        SecurityToken idpToken = 
-            (SecurityToken) WebUtils.getAttributeFromExternalContext(context, whr);
-        if (idpToken == null) {
-            return true;
-        }
-        
-        if (wfresh == null || wfresh.trim().isEmpty()) {
-            return false;
-        }
-
-        long ttl;
-        try {
-            ttl = Long.parseLong(wfresh.trim());
-        } catch (Exception e) {
-            LOG.info("wfresh value '" + wfresh + "' is invalid.");
-            return false;
-        }
-        if (ttl == 0) {
-            return true;
-        }
-        
-        long ttlMs = ttl * 60L * 1000L;
-        if (ttlMs > 0) {
-            Date createdDate = idpToken.getCreated();
-            if (createdDate != null) {
-                Date expiryDate = new Date();
-                expiryDate.setTime(createdDate.getTime() + ttlMs);
-                if (expiryDate.before(new Date())) {
-                    LOG.info("[IDP_TOKEN="
-                            + idpToken.getId()
-                            + "] is valid but relying party requested new authentication caused by wfresh="
-                            + wfresh + " outdated.");
-                    return true;
-                }
-            } else {
-                LOG.info("token creation date not set. Unable to check wfresh is outdated.");
-            }
-        } else {
-            LOG.info("ttl value '" + ttl + "' is negative or is too large.");
-        }
-        return false;
-    }
-    
-}

