cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [11/19] cxf-fediz git commit: FEDIZ-155 - Move .java components out of idp webapp and into a separate JAR
Date Fri, 27 Jan 2017 11:22:54 GMT
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/service/security/GrantedAuthorityEntitlements.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/service/security/GrantedAuthorityEntitlements.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/service/security/GrantedAuthorityEntitlements.java
new file mode 100644
index 0000000..475ccd7
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/service/security/GrantedAuthorityEntitlements.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.service.security;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.apache.cxf.fediz.service.idp.domain.Entitlement;
+import org.apache.cxf.fediz.service.idp.domain.Role;
+import org.apache.cxf.fediz.service.idp.service.RoleDAO;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class GrantedAuthorityEntitlements extends GenericFilterBean {
+
+    private static final Logger LOG = LoggerFactory.getLogger(GrantedAuthorityEntitlements.class);
+    
+    @Autowired
+    private RoleDAO roleDAO;
+    
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+        throws IOException, ServletException {
+        
+        try {
+            Authentication currentAuth = SecurityContextHolder.getContext().getAuthentication();
+            if (currentAuth == null) {
+                chain.doFilter(request, response);
+                return;
+            }
+            
+            final Set<GrantedAuthority> authorities = new HashSet<>();
+            if (currentAuth.getAuthorities() != null) {
+                authorities.addAll(currentAuth.getAuthorities());
+            }
+            
+            Iterator<? extends GrantedAuthority> authIt = currentAuth.getAuthorities().iterator();
+            while (authIt.hasNext()) {
+                GrantedAuthority ga = authIt.next();
+                String roleName = ga.getAuthority();
+                
+                try {
+                    Role role = roleDAO.getRole(roleName.substring(5), Arrays.asList("all"));
+                    for (Entitlement e : role.getEntitlements()) {
+                        authorities.add(new SimpleGrantedAuthority(e.getName()));
+                    }
+                } catch (Exception ex) {
+                    LOG.error("Role '{}' not found", roleName);
+                }
+            }
+            LOG.debug("Granted Authorities: {}", authorities);
+            
+            UsernamePasswordAuthenticationToken enrichedAuthentication = new UsernamePasswordAuthenticationToken(
+                currentAuth.getName(), currentAuth.getCredentials(), authorities);
+            enrichedAuthentication.setDetails(currentAuth.getDetails());
+            
+            SecurityContextHolder.getContext().setAuthentication(enrichedAuthentication);
+            LOG.info("Enriched AuthenticationToken added");
+            
+        } catch (Exception ex) {
+            LOG.error("Failed to enrich security context with entitlements", ex);
+        }
+        
+        chain.doFilter(request, response);
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ApplicationProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ApplicationProtocolHandler.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ApplicationProtocolHandler.java
new file mode 100644
index 0000000..1cd9dc1
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ApplicationProtocolHandler.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.spi;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.webflow.execution.RequestContext;
+
+public interface ApplicationProtocolHandler extends ProtocolHandler {
+    
+    boolean canHandleRequest(HttpServletRequest request);
+
+    void mapSignInRequest(RequestContext context);
+    
+    void mapSignInResponse(RequestContext context);
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ProtocolHandler.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ProtocolHandler.java
new file mode 100644
index 0000000..2c1c8c9
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/ProtocolHandler.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.spi;
+
+public interface ProtocolHandler {
+
+    String getProtocol();
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
new file mode 100644
index 0000000..a33591b
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/spi/TrustedIdpProtocolHandler.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.spi;
+
+import java.net.URL;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.cxf.fediz.service.idp.domain.Idp;
+import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.springframework.webflow.execution.RequestContext;
+
+public interface TrustedIdpProtocolHandler extends ProtocolHandler {
+    
+    boolean canHandleRequest(HttpServletRequest request);
+
+    // Only supports HTTP GET SignIn Requests
+    URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp);
+    
+    //Hook in <action-state id="validateToken"> of federation-signin-response.xml
+    SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp);
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
new file mode 100644
index 0000000..4484312
--- /dev/null
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
@@ -0,0 +1,209 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.util;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.springframework.util.Assert;
+import org.springframework.webflow.context.servlet.ServletExternalContext;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * Utility class to bind with webflow artifacts
+ */
+public final class WebUtils {
+    
+    private WebUtils() {
+        super();
+    }
+
+    public static HttpServletRequest getHttpServletRequest(
+            final RequestContext context) {
+        Assert.isInstanceOf(ServletExternalContext.class,
+                context.getExternalContext(),
+                "Cannot obtain HttpServletRequest from event of type: "
+                        + context.getExternalContext().getClass().getName());
+        return (HttpServletRequest) context.getExternalContext()
+                .getNativeRequest();
+    }
+
+    public static HttpSession getHttpSession(final RequestContext context) {
+        HttpServletRequest httpServletRequest = getHttpServletRequest(context);
+        return httpServletRequest.getSession();
+    }
+
+    public static HttpServletResponse getHttpServletResponse(
+            final RequestContext context) {
+        Assert.isInstanceOf(ServletExternalContext.class,
+                context.getExternalContext(),
+                "Cannot obtain HttpServletResponse from event of type: "
+                        + context.getExternalContext().getClass().getName());
+        return (HttpServletResponse) context.getExternalContext()
+                .getNativeResponse();
+    }
+
+    public static String getHttpHeader(RequestContext requestContext, String headerName) {
+        return getHttpServletRequest(requestContext).getHeader(headerName);
+    }
+
+    public static void putAttributeInRequestScope(final RequestContext context,
+            final String attributeKey, final Object attributeValue) {
+        context.getRequestScope().put(attributeKey, attributeValue);
+    }
+
+    public static void putAttributeInExternalContext(
+            final RequestContext context, final String attributeKey,
+            final Object attributeValue) {
+        context.getExternalContext().getSessionMap()
+                .put(attributeKey, attributeValue);
+    }
+
+    /**
+     * put attribute in request or in session depending on storeInSession.
+     * 
+     * @param context
+     * @param attributeKey
+     */
+    public static void putAttribute(final RequestContext context,
+            final String attributeKey, final Object attributeValue,
+            boolean storeInSession) {
+        if (storeInSession) {
+            putAttributeInExternalContext(context, attributeKey, attributeValue);
+        } else {
+            putAttributeInRequestScope(context, attributeKey, attributeValue);
+        }
+    }
+
+    public static Object getAttributeFromRequestScope(
+            final RequestContext context, final String attributeKey) {
+        return context.getRequestScope().get(attributeKey);
+    }
+
+    public static Object getAttributeFromExternalContext(
+            final RequestContext context, final String attributeKey) {
+        return context.getExternalContext().getSessionMap()
+                .get(attributeKey);
+    }
+
+    /**
+     * get attribute from request; if not found get it from session.
+     * 
+     * @param context
+     * @param attributeKey
+     * @return the attribute from the request or session
+     */
+    public static Object getAttribute(final RequestContext context,
+            final String attributeKey) {
+        Object value = getAttributeFromRequestScope(context, attributeKey);
+        if (value != null) {
+            return value;
+        }
+        return getAttributeFromExternalContext(context, attributeKey);
+    }
+
+    public static Object removeAttributeFromRequestScope(
+            final RequestContext context, final String attributeKey) {
+        return context.getRequestScope().remove(attributeKey);
+    }
+
+    public static Object removeAttributeFromExternalContext(
+            final RequestContext context, final String attributeKey) {
+        return context.getExternalContext().getSessionMap()
+                .remove(attributeKey);
+    }
+
+    /**
+     * remove attribute from request and session.
+     * 
+     * @param context
+     * @param attributeKey
+     * @return the removed attribute
+     */
+    public static Object removeAttribute(final RequestContext context,
+            final String attributeKey) {
+        Object valueReq = removeAttributeFromRequestScope(context, attributeKey);
+        Object valueSes = removeAttributeFromExternalContext(context,
+                attributeKey);
+        if (valueSes != null) {
+            return valueSes; // not clean if request has different value !
+        }
+        if (valueReq != null) {
+            return valueReq;
+        }
+        return null;
+    }
+
+    public static void putAttributeInFlowScope(final RequestContext context,
+            final String attributeKey, final Object attributeValue) {
+        context.getFlowScope().put(attributeKey, attributeValue);
+    }
+
+    public static Object getAttributeFromFlowScope(
+            final RequestContext context, final String attributeKey) {
+        return context.getFlowScope().get(attributeKey);
+    }
+
+    public static Object removeAttributeFromFlowScope(
+            final RequestContext context, final String attributeKey) {
+        return context.getFlowScope().remove(attributeKey);
+    }
+
+    public static String getParamFromRequestParameters(
+            final RequestContext context, final String attributeKey) {
+        return context.getRequestParameters().get(attributeKey);
+    }
+
+    public static Cookie readCookie(
+            final RequestContext context, final String cookieName) {
+        HttpServletRequest httpServletRequest = getHttpServletRequest(context);
+        Cookie[] cookies = httpServletRequest.getCookies();
+        if (cookies != null) {
+            for (int i = 0; i < cookies.length; i++) {
+                if (cookies[i].getName().equals(cookieName)) {
+                    return cookies[i];
+                }
+            }
+        }
+        return null;
+    }
+
+    public static void addCookie(
+            final RequestContext context, final String cookieName, final String cookieValue) {
+        HttpServletResponse httpServletResponse = getHttpServletResponse(context);
+        Cookie cookie = new Cookie(cookieName, cookieValue);
+        cookie.setSecure(true);
+        cookie.setMaxAge(-1);
+        httpServletResponse.addCookie(cookie);
+    }
+
+    public static void removeCookie(
+            final RequestContext context, final String cookieName) {
+        HttpServletResponse httpServletResponse = getHttpServletResponse(context);
+        Cookie cookie = readCookie(context, cookieName);
+        if (cookie != null) {
+            cookie.setMaxAge(0);
+            cookie.setValue("");
+            httpServletResponse.addCookie(cookie);
+        }
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/resources/META-INF/orm.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/resources/META-INF/orm.xml b/services/idp-core/src/main/resources/META-INF/orm.xml
new file mode 100644
index 0000000..e9c2bd6
--- /dev/null
+++ b/services/idp-core/src/main/resources/META-INF/orm.xml
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<entity-mappings xmlns="http://java.sun.com/xml/ns/persistence/orm"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/persistence/orm http://java.sun.com/xml/ns/persistence/orm_2_0.xsd"
+    version="2.0">
+
+    <entity class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+        <table>
+            <unique-constraint>
+                <column-name>claimtype</column-name>
+            </unique-constraint>
+        </table>
+        <attributes>
+            <id name="id">
+                <generated-value generator="SEQ_Claim"
+                    strategy="TABLE" />
+                <table-generator name="SEQ_Claim"
+                    pk-column-value="SEQ_Claim" initial-value="100" />
+            </id>
+        </attributes>
+    </entity>
+
+    <entity class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+        <table>
+            <unique-constraint>
+                <column-name>realm</column-name>
+            </unique-constraint>
+        </table>
+        <attributes>
+            <id name="id">
+                <generated-value generator="SEQ_IDP"
+                    strategy="TABLE" />
+                <table-generator name="SEQ_IDP"
+                    pk-column-value="SEQ_IDP" initial-value="100" />
+            </id>
+            <many-to-many name="claimTypesOffered">
+                <join-table name="idp_claims">
+                    <join-column name="idp_id" />
+                    <inverse-join-column name="claim_id" />
+                    <unique-constraint>
+                        <column-name>idp_id</column-name>
+                        <column-name>claim_id</column-name>
+                    </unique-constraint>
+                </join-table>
+            </many-to-many>
+            <many-to-many name="trustedIdps">
+                <join-table name="idp_trustedidps">
+                    <join-column name="idp_id" />
+                    <inverse-join-column name="trustedidp_id" />
+                    <unique-constraint>
+                        <column-name>idp_id</column-name>
+                        <column-name>trustedidp_id</column-name>
+                    </unique-constraint>
+                </join-table>
+            </many-to-many>
+            <many-to-many name="applications">
+                <join-table name="idp_applications">
+                    <join-column name="idp_id" />
+                    <inverse-join-column name="application_id" />
+                    <unique-constraint>
+                        <column-name>idp_id</column-name>
+                        <column-name>application_id</column-name>
+                    </unique-constraint>
+                </join-table>
+            </many-to-many>
+
+        </attributes>
+    </entity>
+
+    <entity
+        class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+        <table>
+            <unique-constraint>
+                <column-name>realm</column-name>
+            </unique-constraint>
+        </table>
+        <attributes>
+            <id name="id">
+                <generated-value generator="SEQ_Application"
+                    strategy="TABLE" />
+                <table-generator name="SEQ_Application"
+                    pk-column-value="SEQ_Application" initial-value="100" />
+            </id>
+        </attributes>
+    </entity>
+
+    <entity
+        class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+        <table>
+            <unique-constraint>
+                <column-name>realm</column-name>
+            </unique-constraint>
+        </table>
+        <attributes>
+            <id name="id">
+                <generated-value generator="SEQ_TrustedIDP"
+                    strategy="TABLE" />
+                <table-generator name="SEQ_TrustedIDP"
+                    pk-column-value="SEQ_TrustedIDP" initial-value="100" />
+            </id>
+        </attributes>
+    </entity>
+
+    <entity
+        class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+        <table>
+            <unique-constraint>
+                <column-name>claimid</column-name>
+                <column-name>applicationid</column-name>
+            </unique-constraint>
+        </table>
+        <attributes>
+            <id name="id">
+                <generated-value generator="SEQ_ApplicationClaim"
+                    strategy="TABLE" />
+                <table-generator name="SEQ_ApplicationClaim"
+                    pk-column-value="SEQ_ApplicationClaim"
+                    initial-value="100" />
+            </id>
+        </attributes>
+    </entity>
+    
+    <entity class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+        <table>
+            <unique-constraint>
+                <column-name>name</column-name>
+            </unique-constraint>
+        </table>
+        <attributes>
+            <id name="id">
+                <generated-value generator="SEQ_Entitlement"
+                    strategy="TABLE" />
+                <table-generator name="SEQ_Entitlement"
+                    pk-column-value="SEQ_Entitlement" initial-value="100" />
+            </id>
+        </attributes>
+    </entity>
+    
+    <entity class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+        <table>
+            <unique-constraint>
+                <column-name>name</column-name>
+            </unique-constraint>
+        </table>
+        <attributes>
+            <id name="id">
+                <generated-value generator="SEQ_ROLE"
+                    strategy="TABLE" />
+                <table-generator name="SEQ_ROLE"
+                    pk-column-value="SEQ_ROLE" initial-value="100" />
+            </id>
+            <many-to-many name="entitlements">
+                <join-table name="role_entitlements">
+                    <join-column name="role_id" />
+                    <inverse-join-column name="entitlement_id" />
+                    <unique-constraint>
+                        <column-name>role_id</column-name>
+                        <column-name>entitlement_id</column-name>
+                    </unique-constraint>
+                </join-table>
+            </many-to-many>
+        </attributes>
+    </entity>
+    
+</entity-mappings>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/resources/META-INF/spring-persistence.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/resources/META-INF/spring-persistence.xml b/services/idp-core/src/main/resources/META-INF/spring-persistence.xml
new file mode 100644
index 0000000..bf34a76
--- /dev/null
+++ b/services/idp-core/src/main/resources/META-INF/spring-persistence.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<persistence
+    xmlns="http://java.sun.com/xml/ns/persistence"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_2_0.xsd"
+    version="2.0">
+
+    <persistence-unit name="fedizPersistenceUnit">
+        <mapping-file>META-INF/orm.xml</mapping-file>
+        <validation-mode>AUTO</validation-mode>
+    </persistence-unit>
+</persistence>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/applicationContext.xml b/services/idp-core/src/main/webapp/WEB-INF/applicationContext.xml
new file mode 100644
index 0000000..68bcb0b
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/applicationContext.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:cxf="http://cxf.apache.org/core"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xsi:schemaLocation="http://cxf.apache.org/core
+        http://cxf.apache.org/schemas/core.xsd
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+
+    <context:component-scan base-package="org.apache.cxf.fediz.service.idp.protocols" />
+        
+        
+    <!-- Use http://www.baeldung.com/2012/02/06/properties-with-spring/ instead -->
+    <bean
+        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+        <property name="locations">
+            <list>
+                <value>classpath:persistence.properties</value>
+            </list>
+        </property>
+        <property name="ignoreResourceNotFound" value="true" />
+        <property name="ignoreUnresolvablePlaceholders" value="true" />
+    </bean>
+
+    <import resource="classpath:META-INF/cxf/cxf.xml" />
+
+    <import resource="security-config.xml" />
+    <import resource="${idp-config}" />
+    <import resource="classpath:cxf-tls.xml" />
+    <import resource="classpath:persistenceContext.xml" />
+    <import resource="classpath:restContext.xml" />
+
+    <!--cxf:bus>
+        <cxf:features>
+            <cxf:logging />
+        </cxf:features>
+    </cxf:bus-->
+    
+</beans>
+

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/idp-core-servlet.xml b/services/idp-core/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
new file mode 100644
index 0000000..3d62ad9
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/idp-core-servlet.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:webflow="http://www.springframework.org/schema/webflow-config"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:mvc="http://www.springframework.org/schema/mvc"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/mvc
+        http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
+        http://www.springframework.org/schema/webflow-config
+        http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
+
+    <context:component-scan base-package="org.apache.cxf.fediz.service.idp.beans" />
+
+    <mvc:resources mapping="/images/**" location="/resources/images/" />
+    
+    <mvc:resources mapping="/swagger/**" location="/resources/swagger/" />
+    
+    <mvc:view-controller path="/" view-name="index" />
+    <mvc:view-controller path="/federation/up/login" view-name="signinform" />
+
+    <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
+        <property name="prefix" value="/WEB-INF/views/" />
+        <property name="suffix" value=".jsp" />
+    </bean>
+
+    <bean id="viewFactoryCreator" class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
+        <property name="viewResolvers">
+            <list>
+                <ref bean="viewResolver" />
+            </list>
+        </property>
+    </bean>
+
+    <webflow:flow-builder-services id="builder" view-factory-creator="viewFactoryCreator" />
+
+    <webflow:flow-registry id="flowRegistry" flow-builder-services="builder">
+        <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation" />
+        <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/up" />
+        <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/krb" />
+        <webflow:flow-location path="/WEB-INF/flows/federation-validate-request.xml" id="federation/clientcert" />
+        
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml" />
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/up" />
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/krb" />
+        <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/clientcert" />
+        
+        <webflow:flow-location path="/WEB-INF/flows/signin-request.xml" id="signinRequest" />
+        <webflow:flow-location path="/WEB-INF/flows/signin-response.xml" id="signinResponse" />
+    </webflow:flow-registry>
+
+    <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" p:flowRegistry-ref="flowRegistry"
+        p:order="2">
+    </bean>
+
+    <webflow:flow-executor id="flowExecutor" flow-registry="flowRegistry">
+        <webflow:flow-execution-attributes>
+            <webflow:always-redirect-on-pause value="false" />
+        </webflow:flow-execution-attributes>
+
+        <webflow:flow-execution-listeners>
+            <webflow:listener ref="securityFlowExecutionListener" />
+        </webflow:flow-execution-listeners>
+    </webflow:flow-executor>
+
+    <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter" p:flowExecutor-ref="flowExecutor" />
+
+    <bean id="securityFlowExecutionListener" class="org.springframework.webflow.security.SecurityFlowExecutionListener">
+        <property name="accessDecisionManager" ref="accessDecisionManager" />
+    </bean>
+
+    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
+        <property name="decisionVoters">
+            <list>
+                <bean class="org.springframework.security.access.vote.RoleVoter">
+                    <property name="rolePrefix" value="ROLE_" />
+                </bean>
+                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
+            </list>
+        </property>
+    </bean>
+
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/security-clientcert-config.xml b/services/idp-core/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
new file mode 100644
index 0000000..d40d0c9
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/security-clientcert-config.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.2.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd
+        ">
+
+    <!-- DISABLE in production as it might log confidential information about the user -->
+    <!-- <security:debug /> -->
+
+    <!-- SSL Client Cert entry point for WS-Federation -->
+    <security:http pattern="/federation/clientcert" use-expressions="true">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+        <security:x509 />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+    
+    <!-- SSL Client Cert entry point for SAML SSO -->
+    <security:http pattern="/saml/clientcert" use-expressions="true">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+        <security:x509 />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+
+    <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsClientCertAuthProvider" />
+    </bean>
+    
+    <util:map id="securityProperties">
+        <entry key="ws-security.username" value="idp-user" />
+        <entry key="ws-security.password" value="idp-pass" />
+    </util:map>
+    
+    <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl" />
+        <property name="wsdlEndpoint" value="TransportUT_Port" />
+        <property name="wsdlService" value="SecurityTokenService" />
+        <property name="appliesTo" value="urn:fediz:idp" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+        <property name="properties" ref="securityProperties" />
+    </bean>
+    
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/security-krb-config.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/security-krb-config.xml b/services/idp-core/src/main/webapp/WEB-INF/config/security-krb-config.xml
new file mode 100644
index 0000000..b66044b
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/security-krb-config.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.2.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd
+        ">
+
+    <!-- DISABLE in production as it might log confidential information about the user -->
+    <!-- <security:debug /> -->
+
+    <!-- Kerberos entry point -->
+    <bean id="kerberosEntryPoint"
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
+    
+    <bean id="kerberosAuthenticationProcessingFilter"
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+          <property name="authenticationManager" ref="authenticationManagers" />
+    </bean>
+    
+    <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+    
+    <security:http pattern="/saml/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+    
+    <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsKrbAuthProvider" />
+    </bean>
+    
+    <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
+        <property name="contextName" value="bob" />
+        <property name="serviceName" value="bob@service.ws.apache.org" />
+    </bean>-->
+	
+	<!-- Kerberos authentication provider -->
+    <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl" />
+        <property name="wsdlEndpoint" value="TransportKerberos_Port" />
+        <property name="wsdlService" value="SecurityTokenService" />
+        <property name="appliesTo" value="urn:fediz:idp" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+        <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator" />
+        <property name="requireDelegation" value="true" />-->
+    </bean>
+
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/security-rs-config.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/security-rs-config.xml b/services/idp-core/src/main/webapp/WEB-INF/config/security-rs-config.xml
new file mode 100644
index 0000000..aa859b5
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/security-rs-config.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.2.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd
+        ">
+
+    <!-- DISABLE in production as it might log confidential information about the user -->
+    <!-- <security:debug /> -->
+
+    <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+        <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()" />
+        <security:http-basic />
+    </security:http>
+
+    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+    
+    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
+    
+    <security:authentication-manager id="restAuthenticationManager">
+        <security:authentication-provider>
+          <!-- <security:password-encoder ref="defaultPasswordEncoder" />-->
+          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+          <!--  
+          <security:password-encoder hash="sha-256" base64="true">
+            <security:salt-source user-property="username" />
+          </security:password-encoder>
+          -->
+          <security:user-service properties="classpath:/users.properties" />
+        </security:authentication-provider>
+        <security:authentication-provider ref="stsUPAuthProvider" />
+    </security:authentication-manager>
+    
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/config/security-up-config.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/config/security-up-config.xml b/services/idp-core/src/main/webapp/WEB-INF/config/security-up-config.xml
new file mode 100644
index 0000000..2ba5f86
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/config/security-up-config.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.2.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd
+        ">
+
+    <!-- DISABLE in production as it might log confidential information about the user -->
+    <!-- <security:debug /> -->
+
+    <!-- HTTP/BA entry point for WS-Federation -->
+    <security:http pattern="/federation/up/**" use-expressions="true">
+		<security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous() or isAuthenticated()" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+        <security:http-basic />
+	<!--security:form-login login-page='/federation/up/login'
+		login-processing-url="/federation/up/login.do"
+		authentication-failure-url="/federation/up/login?error" 
+		default-target-url="/"
+		username-parameter="username" 
+		password-parameter="password"
+	/-->
+	<security:logout logout-url="/federation/up/logout" 
+		logout-success-url="/federation/up/login?out" 
+		delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+		invalidate-session="true" 
+	/>
+    </security:http>
+    
+    <!-- HTTP/BA entry point for SAML SSO -->
+    <security:http pattern="/saml/up/**" use-expressions="true">
+		<security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous() or isAuthenticated()" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+        <security:http-basic />
+	<!--security:form-login login-page='/federation/up/login'
+		login-processing-url="/federation/up/login.do"
+		authentication-failure-url="/federation/up/login?error" 
+		default-target-url="/"
+		username-parameter="username" 
+		password-parameter="password"
+	/-->
+	<security:logout logout-url="/saml/up/logout" 
+		logout-success-url="/saml/up/login?out" 
+		delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+		invalidate-session="true" 
+	/>
+    </security:http>
+    
+    <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+        <property name="authenticationProvider" ref="stsUPAuthProvider" />
+    </bean>
+    
+    <!-- U/P Authentication Provider -->
+    <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl" />
+        <property name="wsdlEndpoint" value="TransportUT_Port" />
+        <property name="wsdlService" value="SecurityTokenService" />
+        <property name="appliesTo" value="urn:fediz:idp" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+    </bean>
+    
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp-core/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
new file mode 100644
index 0000000..ea9ce68
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/webflow
+                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <decision-state id="evaluateProtocol">
+        <on-entry>
+            <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
+        </on-entry>
+        <if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" />
+        <if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
+            then="selectWsFedProcess" />
+        <if test="requestParameters.SAMLResponse != null" then="selectSAMLProcess"
+            else="selectOIDCAuthorizationCodeFlowProcess"
+        /> 
+    </decision-state>
+
+    <decision-state id="selectWsFedProcess">
+        <on-entry>
+            <set name="flowScope.wtrealm" value="requestParameters.wtrealm" />
+            <set name="flowScope.wreply" value="requestParameters.wreply" />
+            <set name="flowScope.wctx" value="requestParameters.wctx" />
+            <set name="flowScope.request_context" value="requestParameters.wctx" />
+            <set name="flowScope.wfresh" value="requestParameters.wfresh" />
+            <set name="flowScope.whr" value="requestParameters.whr" />
+            <set name="flowScope.wresult" value="requestParameters.wresult" />
+            <set name="flowScope.wreq" value="requestParameters.wreq" />
+            <evaluate expression="requestScope.getString('wauth','default')"
+                result="flowScope.wauth" />
+        </on-entry>
+        <if test="requestParameters.wa == 'wsignout1.0' or requestParameters.wa == 'wsignoutcleanup1.0'"
+            then="validateWReplyForSignout" />
+        <if test="requestParameters.wresult != null and !requestParameters.wresult.isEmpty()"
+            then="signinResponse" />
+        <if test="requestParameters.wtrealm != null and !requestParameters.wtrealm.isEmpty()"
+            then="signinRequest" else="viewBadRequest" />
+    </decision-state>
+    
+    <decision-state id="selectSAMLProcess">
+        <on-entry>
+            <set name="flowScope.RelayState" value="requestParameters.RelayState" />
+            <set name="flowScope.request_context" value="requestParameters.RelayState" />
+            <set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
+        </on-entry>
+        <if test="requestParameters.RelayState == null or requestParameters.RelayState.isEmpty()"
+            then="viewBadRequest" />
+        <if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.isEmpty()"
+            then="viewBadRequest" else="signinResponse" />
+    </decision-state>
+    
+    <decision-state id="selectOIDCAuthorizationCodeFlowProcess">
+         <on-entry>
+            <set name="flowScope.state" value="requestParameters.state" />
+            <set name="flowScope.request_context" value="requestParameters.state" />
+            <set name="flowScope.code" value="requestParameters.code" />
+        </on-entry>
+        <if test="requestParameters.code == null or requestParameters.code.isEmpty()"
+            then="viewBadRequest" />
+        <if test="requestParameters.state == null or requestParameters.state.isEmpty()"
+            then="viewBadRequest" else="signinResponse" />
+    </decision-state>
+    
+    <action-state id="validateWReplyForSignout">
+        <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)"/>
+        <transition on="yes" to="selectSignOutProcess" />
+        <transition on="no" to="viewBadRequestAndLogout" />
+    </action-state>
+	
+    <decision-state id="selectSignOutProcess">
+        <if test="requestParameters.wa == 'wsignout1.0' and flowScope.idpConfig.rpSingleSignOutConfirmation == true
+            or requestParameters.wa == 'wsignoutcleanup1.0' and flowScope.idpConfig.rpSingleSignOutCleanupConfirmation == true"
+            then="viewSignoutConfirmation" else="invalidateSessionAction" />
+    </decision-state>
+
+    <subflow-state id="signinRequest" subflow="signinRequest">
+        <input name="idpConfig" value="flowScope.idpConfig" />
+        <input name="realm" value="flowScope.wtrealm" />
+        <input name="wctx" value="flowScope.wctx" />
+        <input name="wfresh" value="flowScope.wfresh" />
+        <input name="wauth" value="flowScope.wauth" />
+        <input name="home_realm" value="flowScope.whr" />
+        <input name="protocol" value="'wsfed'" />
+        <input name="return_address" value="flowScope.wreply" />
+        <input name="request_context" value="flowScope.request_context" />
+
+        <output name="home_realm" />
+        <output name="idpToken" />
+        <output name="trusted_idp_context" />
+
+        <transition on="requestRpToken" to="requestRpToken">
+            <set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
+            <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+        </transition>
+        <transition on="viewBadRequest" to="viewBadRequest" />
+        <transition on="scInternalServerError" to="scInternalServerError" />
+        <transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
+            <set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
+            <set name="flowScope.trusted_idp_context" value="currentEvent.attributes.trusted_idp_context"/>
+        </transition>
+        <transition on="redirectToLocalIDP" to="redirectToLocalIDP">
+            <set name="flowScope.wctx" value="currentEvent.attributes.wctx" />
+        </transition>
+    </subflow-state>
+
+    <subflow-state id="signinResponse" subflow="signinResponse">
+        <input name="idpConfig" value="flowScope.idpConfig" />
+        <input name="wfresh" value="flowScope.wfresh" />
+        <input name="request_context" value="flowScope.request_context" />
+        <input name="wresult" value="flowScope.wresult" />
+        <input name="RelayState" value="flowScope.RelayState" />
+        <input name="SAMLResponse" value="flowScope.SAMLResponse" />
+        <input name="state" value="flowScope.state" />
+        <input name="code" value="flowScope.code" />
+        <input name="home_realm" value="flowScope.whr" />
+        <input name="protocol" value="'wsfed'" />
+
+        <output name="realm" />
+        <output name="return_address" />
+        <output name="request_context" />
+        <output name="home_realm" />
+        <output name="idpToken" />
+
+        <transition on="requestRpToken" to="requestRpToken">
+            <set name="flowScope.whr" value="currentEvent.attributes.home_realm" />
+            <set name="flowScope.wctx" value="currentEvent.attributes.request_context" />
+            <set name="flowScope.wtrealm" value="currentEvent.attributes.realm" />
+            <set name="flowScope.wreply" value="currentEvent.attributes.return_address" />
+            <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+        </transition>
+        <transition on="viewBadRequest" to="viewBadRequest" />
+        <transition on="scInternalServerError" to="scInternalServerError" />
+    </subflow-state>
+    
+    <!-- produce RP security token (as String type) -->
+    <action-state id="requestRpToken">
+        <on-entry>
+            <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.wtrealm, flowScope.whr)"
+                      result="flowScope.rpTokenElement"/>
+            <evaluate expression="tokenSerializer.serialize(flowRequestContext, flowScope.rpTokenElement)"
+                      result="flowScope.rpToken"/>
+        </on-entry>
+        <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)" />
+        <transition to="isWReplyProvided" />
+        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+    
+    <action-state id="processTrustedIdpProtocol">
+        <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext, flowScope.whr)"
+                      result="flowScope.remoteIdpUrl"/>
+        <transition to="redirectToTrustedIDP" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+
+    <action-state id="isWReplyProvided">
+        <evaluate expression="flowScope.wreply != null" />
+        <transition on="yes" to="formResponseView" >
+            <set name="flowScope.signinResponseUrl" value="flowScope.wreply" />
+        </transition>
+        <transition on="no" to="formResponseView" >
+            <set name="flowScope.signinResponseUrl" value="flowScope.wtrealm" />
+        </transition>
+    </action-state>
+
+    <!-- normal exit point for login -->
+    <!-- browser redirection (self-submitted form 'signinresponseform.jsp') -->
+    <end-state id="formResponseView" view="signinresponseform">
+        <on-entry>
+            <evaluate expression="flowScope.signinResponseUrl" result="requestScope.fedAction" />
+            <evaluate expression="flowScope.wtrealm" result="requestScope.fedWTrealm" />
+            <evaluate expression="flowScope.wctx" result="requestScope.fedWCtx" />
+            <evaluate expression="flowScope.rpToken" result="requestScope.fedWResult" />
+        </on-entry>
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest" view="genericerror">
+        <on-entry>
+            <evaluate
+                expression="externalContext.nativeResponse.setStatus(400,flowRequestContext.currentTransition.toString())" />
+            <!--<set name="requestScope.reason" value="flowRequestContext.currentTransition" />-->
+        </on-entry>
+    </end-state>
+    
+    <end-state id="viewBadRequestAndLogout" view="genericerror">
+        <on-entry>
+            <evaluate expression="homeRealmReminder.removeCookie(flowRequestContext)" />
+            <evaluate expression="logoutAction.submit(flowRequestContext)" />
+            <evaluate
+                expression="externalContext.nativeResponse.setStatus(400,flowRequestContext.currentTransition.toString())" />
+            <!--<set name="requestScope.reason" value="flowRequestContext.currentTransition" />-->
+        </on-entry>
+    </end-state>
+
+    <!-- abnormal exit point : Http 500 Internal Server Error -->
+    <end-state id="scInternalServerError" view="genericerror">
+        <on-entry>
+            <evaluate
+                expression="externalContext.nativeResponse.setStatus(500,'IDP is unavailable, please contact the administrator')" />
+            <set name="requestScope.reason"
+                value="'IDP is unavailable, please contact the administrator'" />
+            <set name="requestScope.stateException"
+                value="flowScope.stateException" />
+            <set name="requestScope.rootCauseException"
+                value="flowScope.rootCauseException" />
+        </on-entry>
+    </end-state>
+    
+    <!-- normal exit point for logout -->
+    <view-state id="viewSignoutConfirmation" view="signoutconfirmationresponse">
+        <transition on="submit" to="invalidateSessionAction"/>
+        <transition on="cancel" to="redirect" />
+    </view-state>
+
+    <view-state id="redirect" view="externalRedirect:#{flowScope.wreply}" />
+
+    <!-- normal exit point for logout -->
+    <end-state id="invalidateSessionAction" view="signoutresponse">
+        <on-entry>
+            <!-- store the realmConfigMap in the request map before we invalidate the session below.
+            Its needed in the signoutresponse.jsp page -->
+            <set name="externalContext.requestMap.realmConfigMap" 
+                value="externalContext.sessionMap.realmConfigMap"/>
+            <set name="externalContext.requestMap.wreply" value="flowScope.wreply"/>
+            <!-- there is no Saml token canceller in cxf STS...
+            <evaluate expression="stsClientForRpAction.cancelTokens(flowRequestContext)" />
+            -->
+            <evaluate expression="homeRealmReminder.removeCookie(flowRequestContext)" />
+            <evaluate expression="logoutAction.submit(flowRequestContext)" />
+        </on-entry>
+    </end-state>
+
+    <!-- redirect to remote idp -->
+    <end-state id="redirectToTrustedIDP" view="externalRedirect:#{flowScope.remoteIdpUrl}">
+    <!-- 
+        <on-entry>
+            <set name="flowScope.remoteIdpUrl"
+                value="flowScope.idpConfig.findTrustedIdp(flowScope.whr).url
+                +'?wa=wsignin1.0'
+                +'&amp;wtrealm='+flowScope.idpConfig.realm
+                +'&amp;wreply='+flowScope.idpConfig.idpUrl
+                +(flowScope.wfresh != null ? '&amp;wfresh='+flowScope.wfresh : '')
+                +(flowScope.wctx != null ? '&amp;wctx='+flowScope.wctx : '')">
+            </set>
+        </on-entry>
+         --> 
+    </end-state>
+
+    <end-state id="redirectToLocalIDP" view="externalRedirect:#{flowScope.localIdpUrl}">
+        <on-entry>
+            <set name="flowScope.localIdpUrl"
+                value="flowScope.idpConfig.idpUrl
+                +'?wa=wsignin1.0'
+                +'&amp;wreply='+flowScope.wreply
+                +'&amp;wtrealm='+flowScope.wtrealm
+                +(flowScope.wctx != null ? '&amp;wctx='+flowScope.wctx : '')
+                +(flowScope.wfresh != null ? '&amp;wfresh='+flowScope.wfresh : '')
+                +(flowScope.whr != null ? '&amp;whr='+flowScope.whr : '')
+                +(flowScope.wreq != null ? '&amp;wreq='+flowScope.wreq : '')">
+            </set>
+        </on-entry>
+    </end-state>
+
+</flow>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp-core/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
new file mode 100644
index 0000000..1f12890
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -0,0 +1,259 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/webflow
+                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <decision-state id="evaluateProtocol">
+        <on-entry>
+            <set name="flowScope.idpConfig" value="config.getIDP(fedizEntryPoint.getRealm())" />
+        </on-entry>
+        <if test="requestParameters.wa == 'wsignin1.0'" then="selectWsFedProcess" />
+        <if test="requestParameters.SAMLRequest != null or requestParameters.SAMLResponse != null" 
+            then="selectSAMLProcess" else="selectOIDCAuthorizationCodeFlowProcess"
+        />
+    </decision-state>
+    
+    <decision-state id="selectWsFedProcess">
+        <on-entry>
+            <set name="flowScope.wresult" value="requestParameters.wresult" />
+            <set name="flowScope.wctx" value="requestParameters.wctx" />
+            <set name="flowScope.request_context" value="requestParameters.wctx" />
+        </on-entry>
+        <if test="requestParameters.wctx == null or requestParameters.wctx.isEmpty()"
+            then="viewBadRequest" />
+        <if test="requestParameters.wresult == null or requestParameters.wresult.isEmpty()"
+            then="viewBadRequest" />
+        <if test="requestParameters.wtrealm != null and !requestParameters.wtrealm.isEmpty()"
+            then="signinResponse" else="viewBadRequest" />
+    </decision-state>
+    
+    <decision-state id="selectSAMLProcess">
+        <on-entry>
+            <set name="flowScope.RelayState" value="requestParameters.RelayState" />
+            <set name="flowScope.request_context" value="requestParameters.RelayState" />
+            <set name="flowScope.SAMLResponse" value="requestParameters.SAMLResponse" />
+            <set name="flowScope.SAMLRequest" value="requestParameters.SAMLRequest" />
+            <set name="flowScope.Signature" value="requestParameters.Signature" />
+        </on-entry>
+        <if test="requestParameters.RelayState == null or requestParameters.RelayState.isEmpty()"
+            then="viewBadRequest" />
+        <if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
+            then="parseSAMLAuthnRequest" />
+        <if test="requestParameters.SAMLResponse == null or requestParameters.SAMLResponse.isEmpty()"
+            then="viewBadRequest" else="signinResponse" />
+    </decision-state>
+    
+    <decision-state id="selectOIDCAuthorizationCodeFlowProcess">
+        <on-entry>
+            <set name="flowScope.state" value="requestParameters.state" />
+            <set name="flowScope.request_context" value="requestParameters.state" />
+            <set name="flowScope.code" value="requestParameters.code" />
+        </on-entry>
+        <if test="requestParameters.code == null or requestParameters.code.isEmpty()"
+            then="viewBadRequest" />
+        <if test="requestParameters.state == null or requestParameters.state.isEmpty()"
+            then="viewBadRequest" else="signinResponse" />
+    </decision-state>
+    
+    <action-state id="parseSAMLAuthnRequest">
+        <evaluate expression="authnRequestParser.parseSAMLRequest(flowRequestContext, flowScope.idpConfig,
+                                                              flowScope.SAMLRequest, flowScope.Signature,
+                                                              flowScope.RelayState)" />
+        <transition to="retrieveConsumerURL"/>
+        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+    </action-state>
+    
+    <action-state id="retrieveConsumerURL">
+        <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)" 
+                  result="flowScope.consumerURL"/>
+        <transition to="retrieveRealm"/>
+        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+    </action-state>
+    
+    <action-state id="retrieveRealm">
+        <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)" 
+                  result="flowScope.realm"/>
+        <transition to="signinRequest"/>
+        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+    </action-state>
+    
+    <subflow-state id="signinRequest" subflow="signinRequest">
+        <input name="idpConfig" value="flowScope.idpConfig" />
+        <input name="SAMLRequest" value="flowScope.SAMLRequest" />
+        <input name="RelayState" value="flowScope.RelayState" />
+        <input name="Signature" value="flowScope.Signature" />
+        <input name="protocol" value="'samlsso'" />
+        <input name="saml_authn_request" value="flowScope.saml_authn_request" />
+        <input name="realm" value="flowScope.realm" />
+        <input name="home_realm" value="null" />
+        <input name="wfresh" value="null" />
+        <input name="return_address" value="flowScope.consumerURL" />
+        <input name="request_context" value="flowScope.request_context" />
+
+        <output name="home_realm" />
+        <output name="idpToken" />
+        <output name="trusted_idp_context" />
+
+        <transition on="requestRpToken" to="requestRpToken">
+            <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
+            <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+        </transition>
+        <transition on="viewBadRequest" to="viewBadRequest" />
+        <transition on="scInternalServerError" to="scInternalServerError" />
+        <transition on="redirectToLocalIDP" to="redirectToLocalIDP" />
+        <transition on="redirectToTrustedIDP" to="processTrustedIdpProtocol">
+            <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
+            <set name="flowScope.trusted_idp_context" value="currentEvent.attributes.trusted_idp_context"/>
+        </transition>
+    </subflow-state>
+    
+     <subflow-state id="signinResponse" subflow="signinResponse">
+        <input name="idpConfig" value="flowScope.idpConfig" />
+        <input name="wfresh" value="flowScope.wfresh" />
+        <input name="request_context" value="flowScope.request_context" />
+        <input name="wresult" value="flowScope.wresult" />
+        <input name="RelayState" value="flowScope.RelayState" />
+        <input name="SAMLResponse" value="flowScope.SAMLResponse" />
+        <input name="state" value="flowScope.state" />
+        <input name="code" value="flowScope.code" />
+        <input name="home_realm" value="flowScope.whr" />
+        <input name="protocol" value="'samlsso'" />
+
+        <output name="home_realm" />
+        <output name="idpToken" />
+        <output name="saml_authn_request" />
+        <output name="request_context" />
+
+        <transition on="requestRpToken" to="requestRpToken">
+            <set name="flowScope.home_realm" value="currentEvent.attributes.home_realm" />
+            <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
+            <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
+            <set name="flowScope.RelayState" value="currentEvent.attributes.request_context" />
+        </transition>
+        <transition on="viewBadRequest" to="viewBadRequest" />
+        <transition on="scInternalServerError" to="scInternalServerError" />
+    </subflow-state>
+    
+    <!-- produce RP security token (as String type) -->
+    <action-state id="requestRpToken">
+        <on-entry>
+            <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)" 
+                      result="flowScope.realm"/>
+            <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.realm, flowScope.home_realm)"
+                      result="flowScope.rpTokenElement"/>
+        </on-entry>
+        <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"/>
+        <transition to="produceSAMLResponse" />
+        <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+    
+    <action-state id="produceSAMLResponse">
+        <on-entry>
+            <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)" 
+                      result="flowScope.consumerURL"/>
+            <evaluate expression="authnRequestParser.retrieveRequestId(flowRequestContext)" 
+                      result="flowScope.requestId"/>
+            <evaluate expression="authnRequestParser.retrieveRequestIssuer(flowRequestContext)" 
+                      result="flowScope.requestIssuer"/>
+        </on-entry>
+        <evaluate expression="samlResponseCreator.createSAMLResponse(flowRequestContext, flowScope.idpConfig, flowScope.rpTokenElement,
+                                                                     flowScope.consumerURL, flowScope.requestId, flowScope.requestIssuer)"
+                  result="flowScope.rpResponse"/>                                               
+        <transition to="formResponseView" />
+    </action-state>
+    
+    <!-- normal exit point for login -->
+    <!-- browser redirection (self-submitted form 'samlsigninresponseform.jsp') -->
+    <end-state id="formResponseView" view="samlsigninresponseform">
+        <on-entry>
+            <evaluate expression="flowScope.consumerURL" result="requestScope.samlAction" />
+            <evaluate expression="flowScope.RelayState" result="requestScope.relayState" />
+            <evaluate expression="flowScope.rpResponse" result="requestScope.samlResponse" />
+        </on-entry>
+    </end-state>
+    
+    <action-state id="processTrustedIdpProtocol">
+        <evaluate expression="trustedIdpProtocolAction.mapSignInRequest(flowRequestContext, flowScope.home_realm)"
+                      result="flowScope.remoteIdpUrl"/>
+        <transition to="redirectToTrustedIDP" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+
+    <!-- abnormal exit point -->
+    <decision-state id="viewBadRequest">
+        <on-entry>
+            <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)" 
+                      result="requestScope.samlAction"/>
+        </on-entry>
+        <!-- See if we managed to at least parse the request to get the response URL -->
+        <if test="requestScope.samlAction == null or requestScope.samlAction.isEmpty()"
+            then="viewBadRequestParsingError" else="viewBadRequestResponse"/>
+    </decision-state>
+    
+    <end-state id="viewBadRequestResponse" view="samlsigninresponseform">
+        <on-entry>
+            <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)" 
+                      result="requestScope.samlAction"/>
+            <evaluate expression="authnRequestParser.retrieveRequestId(flowRequestContext)" 
+                      result="flowScope.requestId"/>
+            <evaluate expression="flowScope.RelayState" result="requestScope.relayState" />
+            <evaluate expression="samlResponseErrorCreator.createSAMLResponse(flowRequestContext, true, flowScope.idpConfig, 
+                                                                     flowScope.requestId)"
+                      result="requestScope.samlResponse"/>     
+        </on-entry>
+    </end-state>
+    
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequestParsingError" view="genericerror">
+        <on-entry>
+            <evaluate
+                expression="externalContext.nativeResponse.setStatus(400,'Error parsing SAML Request')" />
+            <set name="requestScope.reason" value="'Error parsing SAML Request'" />
+        </on-entry>
+    </end-state>
+
+    <!-- abnormal exit point : Http 500 Internal Server Error -->
+    <end-state id="scInternalServerError" view="genericerror">
+        <on-entry>
+            <evaluate
+                expression="externalContext.nativeResponse.setStatus(500,'IDP is unavailable, please contact the administrator')" />
+            <set name="requestScope.reason"
+                value="'IDP is unavailable, please contact the administrator'" />
+            <set name="requestScope.stateException"
+                value="flowScope.stateException" />
+            <set name="requestScope.rootCauseException"
+                value="flowScope.rootCauseException" />
+        </on-entry>
+    </end-state>
+    
+    <end-state id="redirectToLocalIDP" view="externalRedirect:#{flowScope.localIdpUrl}">
+        <on-entry>
+            <evaluate expression="localRedirectCreator.createRedirectURL(flowRequestContext, flowScope.idpConfig)"
+                      result="flowScope.localIdpUrl"/>
+        </on-entry>
+    </end-state>
+    
+    <!-- redirect to remote idp -->
+    <end-state id="redirectToTrustedIDP" view="externalRedirect:#{flowScope.remoteIdpUrl}" />
+
+</flow>


Mime
View raw message