From cohei...@apache.org
Subject [05/19] cxf-fediz git commit: FEDIZ-155 - Move .java components out of idp webapp and into a separate JAR
Date Fri, 27 Jan 2017 11:22:48 GMT
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java
deleted file mode 100644
index 6fd3d05..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/RequestClaim.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.model;
-
-//@XmlRootElement(name = "Claim", namespace = "http://org.apache.cxf.fediz")
-public class RequestClaim extends org.apache.cxf.fediz.service.idp.domain.RequestClaim {
-    
-    private static final long serialVersionUID = 2635896159019665467L;
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/ServiceConfig.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/ServiceConfig.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/ServiceConfig.java
deleted file mode 100644
index fdae8f5..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/ServiceConfig.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.model;
-
-import org.apache.cxf.fediz.service.idp.domain.Application;
-
-//import javax.persistence.Column;
-//import javax.persistence.Entity;
-//import javax.persistence.Id;
-//import javax.persistence.Table;
-
-//@Entity
-//@Table(name = "SERVICE")
-//@XmlRootElement(name = "Service", namespace = "http://org.apache.cxf.fediz")
-public class ServiceConfig extends Application {
-        
-    private static final long serialVersionUID = 585676715065240699L;       
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPConfig.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPConfig.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPConfig.java
deleted file mode 100644
index 89c2bbb..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPConfig.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.model;
-
-
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-
-//@XmlRootElement(name = "TrustedIDP", namespace = "http://org.apache.cxf.fediz")
-public class TrustedIDPConfig extends TrustedIdp {
-
-    private static final long serialVersionUID = -1182000443945024801L;
-
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPSelection.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPSelection.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPSelection.java
deleted file mode 100644
index 44cb3a2..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/model/TrustedIDPSelection.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.service.idp.model;
-
-import java.io.Serializable;
-
-public class TrustedIDPSelection implements Serializable {
-
-    private static final long serialVersionUID = 1L;
-    
-    private String homeRealm;
-
-    public String getHomeRealm() {
-        return homeRealm;
-    }
-
-    public void setHomeRealm(String homeRealm) {
-        this.homeRealm = homeRealm;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/AbstractTrustedIdpOAuth2ProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/AbstractTrustedIdpOAuth2ProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/AbstractTrustedIdpOAuth2ProtocolHandler.java
deleted file mode 100644
index 84a70ca..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/AbstractTrustedIdpOAuth2ProtocolHandler.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.net.URLEncoder;
-import java.util.Date;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-
-import org.apache.cxf.fediz.core.util.CertsUtils;
-import org.apache.cxf.fediz.service.idp.IdpConstants;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.saml.SAMLCallback;
-import org.apache.wss4j.common.saml.SAMLUtil;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.common.saml.bean.ConditionsBean;
-import org.apache.wss4j.common.saml.bean.SubjectBean;
-import org.apache.wss4j.common.saml.bean.Version;
-import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.joda.time.DateTime;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.webflow.execution.RequestContext;
-
-public abstract class AbstractTrustedIdpOAuth2ProtocolHandler extends AbstractTrustedIdpProtocolHandler {
-    
-    /**
-     * The client_id value to send to the IdP.
-     */
-    public static final String CLIENT_ID = "client.id";
-    
-    /**
-     * The secret associated with the client to authenticate to the IdP.
-     */
-    public static final String CLIENT_SECRET = "client.secret";
-    
-    /**
-     * The Token endpoint. The authorization endpoint is specified by TrustedIdp.url.
-     */
-    public static final String TOKEN_ENDPOINT = "token.endpoint";
-    
-    /**
-     * Additional (space-separated) parameters to be sent in the "scope" to the authorization endpoint.
-     * The default value depends on the subclass.
-     */
-    public static final String SCOPE = "scope";
-    
-    private static final Logger LOG = LoggerFactory.getLogger(AbstractTrustedIdpOAuth2ProtocolHandler.class);
-
-    @Override
-    public URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
-        
-        String clientId = getProperty(trustedIdp, CLIENT_ID);
-        if (clientId == null || clientId.isEmpty()) {
-            LOG.warn("A CLIENT_ID must be configured for OAuth 2.0");
-            throw new IllegalStateException("No CLIENT_ID specified");
-        }
-        
-        String scope = getScope(trustedIdp);
-        LOG.debug("Using scope: {}", scope);
-        
-        try {
-            StringBuilder sb = new StringBuilder();
-            sb.append(trustedIdp.getUrl());
-            sb.append("?");
-            sb.append("response_type").append('=');
-            sb.append("code");
-            sb.append("&");
-            sb.append("client_id").append('=');
-            sb.append(clientId);
-            sb.append("&");
-            sb.append("redirect_uri").append('=');
-            sb.append(URLEncoder.encode(idp.getIdpUrl().toString(), "UTF-8"));
-            sb.append("&");
-            sb.append("scope").append('=');
-            sb.append(URLEncoder.encode(scope, "UTF-8"));
-            
-            String state = context.getFlowScope().getString(IdpConstants.TRUSTED_IDP_CONTEXT);
-            sb.append("&").append("state").append('=');
-            sb.append(state);
-            
-            return new URL(sb.toString());
-        } catch (MalformedURLException ex) {
-            LOG.error("Invalid Redirect URL for Trusted Idp", ex);
-            throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
-        } catch (UnsupportedEncodingException ex) {
-            LOG.error("Invalid Redirect URL for Trusted Idp", ex);
-            throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
-        }
-    }
-    
-    protected SamlAssertionWrapper createSamlAssertion(Idp idp, TrustedIdp trustedIdp, String subjectName,
-                                                     Date notBefore,
-                                                     Date expires) throws Exception {
-        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
-        String issuer = idp.getServiceDisplayName();
-        if (issuer == null) {
-            issuer = idp.getRealm();
-        }
-        if (issuer != null) {
-            callbackHandler.setIssuer(issuer);
-        }
-        
-        // Subject
-        SubjectBean subjectBean =
-            new SubjectBean(subjectName, SAML2Constants.NAMEID_FORMAT_UNSPECIFIED, SAML2Constants.CONF_BEARER);
-        callbackHandler.setSubjectBean(subjectBean);
-        
-        // Conditions
-        ConditionsBean conditionsBean = new ConditionsBean();
-        conditionsBean.setNotAfter(new DateTime(expires));
-        if (notBefore != null) {
-            DateTime notBeforeDT = new DateTime(notBefore);
-            conditionsBean.setNotBefore(notBeforeDT);
-        } else {
-            conditionsBean.setNotBefore(new DateTime());
-        }
-        callbackHandler.setConditionsBean(conditionsBean);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        Crypto crypto = CertsUtils.getCryptoFromCertificate(idp.getCertificate());
-        assertion.signAssertion(crypto.getDefaultX509Identifier(), idp.getCertificatePassword(), 
-                                crypto, false);
-        
-        return assertion;
-    }
-    
-    private static class SamlCallbackHandler implements CallbackHandler {
-        private ConditionsBean conditionsBean;
-        private SubjectBean subjectBean;
-        private String issuer;
-        
-        /**
-         * Set the SubjectBean
-         */
-        public void setSubjectBean(SubjectBean subjectBean) {
-            this.subjectBean = subjectBean;
-        }
-        
-        /**
-         * Set the ConditionsBean
-         */
-        public void setConditionsBean(ConditionsBean conditionsBean) {
-            this.conditionsBean = conditionsBean;
-        }
-        
-        /**
-         * Set the issuer name
-         */
-        public void setIssuer(String issuerName) {
-            this.issuer = issuerName;
-        }
-        
-        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
-            for (Callback callback : callbacks) {
-                if (callback instanceof SAMLCallback) {
-                    SAMLCallback samlCallback = (SAMLCallback) callback;
-
-                    // Set the Subject
-                    if (subjectBean != null) {
-                        samlCallback.setSubject(subjectBean);
-                    }
-                    samlCallback.setSamlVersion(Version.SAML_20);
-                    
-                    // Set the issuer
-                    samlCallback.setIssuer(issuer);
-
-                    // Set the conditions
-                    samlCallback.setConditions(conditionsBean);
-                }
-            }
-        }
-        
-    }
-    
-    abstract String getScope(TrustedIdp trustedIdp);
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/AbstractTrustedIdpProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/AbstractTrustedIdpProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/AbstractTrustedIdpProtocolHandler.java
deleted file mode 100644
index 2329eb2..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/AbstractTrustedIdpProtocolHandler.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-import org.apache.cxf.fediz.service.idp.spi.TrustedIdpProtocolHandler;
-
-public abstract class AbstractTrustedIdpProtocolHandler implements TrustedIdpProtocolHandler {
-    
-    @Override
-    public boolean canHandleRequest(HttpServletRequest request) {
-        // TODO Auto-generated method stub
-        return false;
-    }
-
-    protected String getProperty(TrustedIdp trustedIdp, String property) {
-        Map<String, String> parameters = trustedIdp.getParameters();
-        
-        if (parameters != null && parameters.containsKey(property)) {
-            return parameters.get(property);
-        }
-        
-        return null;
-    }
-    
-    // Is a property configured. Defaults to the boolean "defaultValue" if not
-    protected boolean isBooleanPropertyConfigured(TrustedIdp trustedIdp, String property, boolean defaultValue) {
-        Map<String, String> parameters = trustedIdp.getParameters();
-        
-        if (parameters != null && parameters.containsKey(property)) {
-            return Boolean.parseBoolean(parameters.get(property));
-        }
-        
-        return defaultValue;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationProtocolControllerImpl.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationProtocolControllerImpl.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationProtocolControllerImpl.java
deleted file mode 100644
index c2be3eb..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationProtocolControllerImpl.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import org.apache.cxf.fediz.service.idp.spi.ApplicationProtocolHandler;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Component;
-
-@Component
-public class ApplicationProtocolControllerImpl implements ProtocolController<ApplicationProtocolHandler> {
-
-    private static final Logger LOG = LoggerFactory.getLogger(ApplicationProtocolControllerImpl.class);
-    
-    @Autowired
-    private List<ApplicationProtocolHandler> protocolHandlers;
-    
-    @Override
-    public ApplicationProtocolHandler getProtocolHandler(String protocol) {
-        for (ApplicationProtocolHandler protocolHandler : protocolHandlers) {
-            if (protocolHandler.getProtocol() != null && protocolHandler.getProtocol().equals(protocol)) {
-                return protocolHandler;
-            }
-        }
-        LOG.warn("No protocol handler found for {}", protocol);
-        return null;
-    }
-    
-    @Override
-    public List<String> getProtocols() {
-        List<String> protocols = new ArrayList<>();
-        for (ApplicationProtocolHandler protocolHandler : protocolHandlers) {
-            protocols.add(protocolHandler.getProtocol());
-        }
-        return Collections.unmodifiableList(protocols);
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationSAMLSSOProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationSAMLSSOProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationSAMLSSOProtocolHandler.java
deleted file mode 100644
index ebab362..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationSAMLSSOProtocolHandler.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.cxf.fediz.service.idp.spi.ApplicationProtocolHandler;
-
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-@Component
-public class ApplicationSAMLSSOProtocolHandler implements ApplicationProtocolHandler {
-    
-    public static final String PROTOCOL = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser";
-
-    //private static final Logger LOG = LoggerFactory.getLogger(ApplicationWSFedProtocolHandler.class);
-
-    @Override
-    public boolean canHandleRequest(HttpServletRequest request) {
-        // TODO Auto-generated method stub
-        return false;
-    }
-
-    @Override
-    public String getProtocol() {
-        return PROTOCOL;
-    }
-
-    @Override
-    public void mapSignInRequest(RequestContext context) {
-        // TODO Auto-generated method stub
-    }
-
-    @Override
-    public void mapSignInResponse(RequestContext context) {
-        // TODO Auto-generated method stub
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationWSFedProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationWSFedProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationWSFedProtocolHandler.java
deleted file mode 100644
index 2024e3d..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ApplicationWSFedProtocolHandler.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.cxf.fediz.service.idp.spi.ApplicationProtocolHandler;
-
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-@Component
-public class ApplicationWSFedProtocolHandler implements ApplicationProtocolHandler {
-    
-    public static final String PROTOCOL = "http://docs.oasis-open.org/wsfed/federation/200706";
-
-    //private static final Logger LOG = LoggerFactory.getLogger(ApplicationWSFedProtocolHandler.class);
-
-    @Override
-    public boolean canHandleRequest(HttpServletRequest request) {
-        // TODO Auto-generated method stub
-        return false;
-    }
-
-    @Override
-    public String getProtocol() {
-        return PROTOCOL;
-    }
-
-    @Override
-    public void mapSignInRequest(RequestContext context) {
-        // TODO Auto-generated method stub
-    }
-
-    @Override
-    public void mapSignInResponse(RequestContext context) {
-        // TODO Auto-generated method stub
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ProtocolController.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ProtocolController.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ProtocolController.java
deleted file mode 100644
index d4da6c2..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/ProtocolController.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import java.util.List;
-
-import org.apache.cxf.fediz.service.idp.spi.ProtocolHandler;
-
-public interface ProtocolController<T extends ProtocolHandler> {
-
-    T getProtocolHandler(String protocol);
-
-    List<String> getProtocols();
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpFacebookProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpFacebookProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpFacebookProtocolHandler.java
deleted file mode 100644
index 36db3ae..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpFacebookProtocolHandler.java
+++ /dev/null
@@ -1,226 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Date;
-import java.util.List;
-
-import javax.ws.rs.core.Form;
-import javax.ws.rs.core.Response;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.fediz.service.idp.IdpConstants;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.interceptor.LoggingInInterceptor;
-import org.apache.cxf.interceptor.LoggingOutInterceptor;
-import org.apache.cxf.jaxrs.client.ClientConfiguration;
-import org.apache.cxf.jaxrs.client.WebClient;
-import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
-import org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider;
-import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * Extension of AbstractTrustedIdpOAuth2ProtocolHandler for Facebook Connect.
- * Default values:
- *  - scope: email
- *  - token.endpoint: https://graph.facebook.com/v2.6/oauth/access_token
- */
-@Component
-public class TrustedIdpFacebookProtocolHandler extends AbstractTrustedIdpOAuth2ProtocolHandler {
-    
-    /**
-     * The facebook API endpoint for querying claims (such as email address). If not specified
-     * it defaults to "https://graph.facebook.com/v2.6".
-     */
-    public static final String API_ENDPOINT = "api.endpoint";
-    
-    /**
-     * The Claim to use for the subject username to insert into the SAML Token. It defaults to 
-     * "email".
-     */
-    public static final String SUBJECT_CLAIM = "subject.claim";
-    
-    public static final String PROTOCOL = "facebook-connect";
-
-    private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpFacebookProtocolHandler.class);
-
-    @Override
-    public String getProtocol() {
-        return PROTOCOL;
-    }
-
-    @Override
-    public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
-
-        String code = (String) WebUtils.getAttributeFromFlowScope(context,
-                                                                  OAuthConstants.CODE_RESPONSE_TYPE);
-        if (code != null && !code.isEmpty()) {
-            
-            String tokenEndpoint = getProperty(trustedIdp, TOKEN_ENDPOINT);
-            if (tokenEndpoint == null || tokenEndpoint.isEmpty()) {
-                tokenEndpoint = "https://graph.facebook.com/v2.6/oauth/access_token";
-            }
-            
-            String apiEndpoint = getProperty(trustedIdp, API_ENDPOINT);
-            if (apiEndpoint == null || apiEndpoint.isEmpty()) {
-                apiEndpoint = "https://graph.facebook.com/v2.6";
-            }
-            
-            String clientId = getProperty(trustedIdp, CLIENT_ID);
-            String clientSecret = getProperty(trustedIdp, CLIENT_SECRET);
-            if (clientSecret == null || clientSecret.isEmpty()) {
-                LOG.warn("A CLIENT_SECRET must be configured to use the TrustedIdpFacebookProtocolHandler");
-                throw new IllegalStateException("No CLIENT_SECRET specified");
-            }
-            
-            // Here we need to get the AccessToken using the authorization code
-            ClientAccessToken accessToken = getAccessTokenUsingCode(tokenEndpoint, code, clientId,
-                                                                    clientSecret, idp.getIdpUrl().toString());
-            if (accessToken == null || accessToken.getTokenKey() == null) {
-                LOG.warn("No Access Token received from the Facebook IdP");
-                return null;
-            }
-            
-            // Now we need to invoke on the API endpoint using the access token to get the 
-            // user's claims
-            String subjectName = getSubjectName(apiEndpoint, accessToken.getTokenKey(), trustedIdp);
-            try {
-                String whr = (String) WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
-                if (whr == null) {
-                    LOG.warn("Home realm is null");
-                    throw new IllegalStateException("Home realm is null");
-                }
-        
-                // Convert into a SAML Token
-                Date expires = new Date();
-                expires.setTime(expires.getTime() + (accessToken.getExpiresIn() * 1000L));
-                SecurityToken idpToken = new SecurityToken(IDGenerator.generateID(null), null, expires);
-                SamlAssertionWrapper assertion = 
-                    createSamlAssertion(idp, trustedIdp, subjectName, null, expires);
-                Document doc = DOMUtils.createDocument();
-                Element token = assertion.toDOM(doc);
-        
-                // Create new Security token with new id. 
-                // Parameters for freshness computation are copied from original IDP_TOKEN
-                idpToken.setToken(token);
-        
-                LOG.info("[IDP_TOKEN={}] for user '{}' issued by home realm [{}]",
-                         assertion.getId(), assertion.getSaml2().getSubject().getNameID().getValue(), 
-                         whr);
-                LOG.debug("Expired date={}", expires);
-                
-                return idpToken;
-            } catch (IllegalStateException ex) {
-                throw ex;
-            } catch (Exception ex) {
-                LOG.warn("Unexpected exception occured", ex);
-                throw new IllegalStateException("Unexpected exception occured: " + ex.getMessage());
-            }
-        }
-        return null;
-    }
-    
-    private ClientAccessToken getAccessTokenUsingCode(String tokenEndpoint, String code, String clientId,
-                                                      String clientSecret, String redirectURI) {
-        // Here we need to get the AccessToken using the authorization code
-        List<Object> providers = new ArrayList<Object>();
-        providers.add(new OAuthJSONProvider());
-        
-        WebClient client = 
-            WebClient.create(tokenEndpoint, providers, "cxf-tls.xml");
-        
-        ClientConfiguration config = WebClient.getConfig(client);
-
-        if (LOG.isDebugEnabled()) {
-            config.getOutInterceptors().add(new LoggingOutInterceptor());
-            config.getInInterceptors().add(new LoggingInInterceptor());
-        }
-        
-        client.type("application/x-www-form-urlencoded");
-        client.accept("application/json");
-
-        Form form = new Form();
-        form.param("grant_type", "authorization_code");
-        form.param("code", code);
-        form.param("client_id", clientId);
-        form.param("redirect_uri", redirectURI);
-        form.param("client_secret", clientSecret);
-        Response response = client.post(form);
-
-        return response.readEntity(ClientAccessToken.class);
-    }
-    
-    private String getSubjectName(String apiEndpoint, String accessToken, TrustedIdp trustedIdp) {
-        WebClient client = WebClient.create(apiEndpoint, 
-                                  Collections.singletonList(new JsonMapObjectProvider()), 
-                                  "cxf-tls.xml");
-        client.path("/me");
-        ClientConfiguration config = WebClient.getConfig(client);
-
-        if (LOG.isDebugEnabled()) {
-            config.getOutInterceptors().add(new LoggingOutInterceptor());
-            config.getInInterceptors().add(new LoggingInInterceptor());
-        }
-
-        client.accept("application/json");
-        client.query("access_token", accessToken);
-        
-        String subjectName = getProperty(trustedIdp, SUBJECT_CLAIM);
-        if (subjectName == null || subjectName.isEmpty()) {
-            subjectName = "email";
-        }
-        client.query("fields", subjectName);
-        JsonMapObject mapObject = client.get(JsonMapObject.class);
-        
-        String parsedSubjectName = (String)mapObject.getProperty(subjectName);
-        if (subjectName.contains("email")) {
-            parsedSubjectName = parsedSubjectName.replace("\\u0040", "@");
-        }
-        return parsedSubjectName;
-    }
-    
-    protected String getScope(TrustedIdp trustedIdp) {
-        String scope = getProperty(trustedIdp, SCOPE);
-        if (scope != null) {
-            scope = scope.trim();
-        }
-        
-        if (scope == null || scope.isEmpty()) {
-            scope = "email";
-        }
-        return scope;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
deleted file mode 100644
index b45c763..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java
+++ /dev/null
@@ -1,335 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import java.io.IOException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.Map;
-
-import javax.ws.rs.core.Form;
-import javax.ws.rs.core.Response;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.util.CertsUtils;
-import org.apache.cxf.fediz.core.util.DOMUtils;
-import org.apache.cxf.fediz.service.idp.IdpConstants;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.interceptor.LoggingInInterceptor;
-import org.apache.cxf.interceptor.LoggingOutInterceptor;
-import org.apache.cxf.jaxrs.client.ClientConfiguration;
-import org.apache.cxf.jaxrs.client.WebClient;
-import org.apache.cxf.rs.security.jose.common.JoseConstants;
-import org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider;
-import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
-import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.xml.security.exceptions.Base64DecodingException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-/**
- * Extension of AbstractTrustedIdpOAuth2ProtocolHandler for OpenId Connect.
- * Default values:
- *  - scope: openid
- */
-@Component
-public class TrustedIdpOIDCProtocolHandler extends AbstractTrustedIdpOAuth2ProtocolHandler {
-    
-    /**
-     * The signature algorithm to use in verifying the IdToken. The default is "RS256".
-     */
-    public static final String SIGNATURE_ALGORITHM = "signature.algorithm";
-    
-    /**
-     * The Claim in which to extract the Subject username to insert into the generated SAML token. 
-     * It defaults to "preferred_username", otherwise it falls back to the "sub" claim.
-     */
-    public static final String SUBJECT_CLAIM = "subject.claim";
-    
-    /**
-     * Additional (space-separated) parameters to be sent in the "scope" to the authorization endpoint.
-     * Fediz will automatically use "openid" for this value. 
-     */
-    public static final String SCOPE = "scope";
-    
-    /**
-     * The URI from which to retrieve the JSON Web Keys to validate the signed IdToken.
-     */
-    public static final String JWKS_URI = "jwks.uri";
-    
-    public static final String PROTOCOL = "openid-connect-1.0";
-
-    private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpOIDCProtocolHandler.class);
-
-    @Override
-    public String getProtocol() {
-        return PROTOCOL;
-    }
-
-    @Override
-    public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
-
-        String code = (String) WebUtils.getAttributeFromFlowScope(context,
-                                                                  OAuthConstants.CODE_RESPONSE_TYPE);
-        if (code != null && !code.isEmpty()) {
-            
-            String tokenEndpoint = getProperty(trustedIdp, TOKEN_ENDPOINT);
-            if (tokenEndpoint == null || tokenEndpoint.isEmpty()) {
-                LOG.warn("A TOKEN_ENDPOINT must be configured to use the OIDCProtocolHandler");
-                throw new IllegalStateException("No TOKEN_ENDPOINT specified");
-            }
-            
-            String clientId = getProperty(trustedIdp, CLIENT_ID);
-            String clientSecret = getProperty(trustedIdp, CLIENT_SECRET);
-            if (clientSecret == null || clientSecret.isEmpty()) {
-                LOG.warn("A CLIENT_SECRET must be configured to use the OIDCProtocolHandler");
-                throw new IllegalStateException("No CLIENT_SECRET specified");
-            }
-            
-            // Here we need to get the IdToken using the authorization code
-            List<Object> providers = new ArrayList<Object>();
-            providers.add(new OAuthJSONProvider());
-            
-            WebClient client = 
-                WebClient.create(tokenEndpoint, providers, clientId, clientSecret, "cxf-tls.xml");
-            
-            ClientConfiguration config = WebClient.getConfig(client);
-
-            if (LOG.isDebugEnabled()) {
-                config.getOutInterceptors().add(new LoggingOutInterceptor());
-                config.getInInterceptors().add(new LoggingInInterceptor());
-            }
-            
-            client.type("application/x-www-form-urlencoded").accept("application/json");
-
-            Form form = new Form();
-            form.param("grant_type", "authorization_code");
-            form.param("code", code);
-            form.param("client_id", clientId);
-            form.param("redirect_uri", idp.getIdpUrl().toString());
-            Response response = client.post(form);
-
-            ClientAccessToken accessToken = response.readEntity(ClientAccessToken.class);
-            String idToken = accessToken.getParameters().get("id_token");
-            if (idToken == null) {
-                LOG.warn("No IdToken received from the OIDC IdP");
-                return null;
-            }
-            
-            client.close();
-            
-            try {
-                String whr = (String) WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
-                if (whr == null) {
-                    LOG.warn("Home realm is null");
-                    throw new IllegalStateException("Home realm is null");
-                }
-        
-                // Parse the received Token
-                JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
-                JwtToken jwt = jwtConsumer.getJwtToken();
-                
-                if (jwt != null && jwt.getClaims() != null && LOG.isDebugEnabled()) {
-                    LOG.debug("Received Claims:");
-                    for (Map.Entry<String, Object> claim : jwt.getClaims().asMap().entrySet()) {
-                        LOG.debug(claim.getKey() + ": " + claim.getValue());
-                    }
-                }
-                
-                if (jwt != null && jwt.getJwsHeaders() != null && LOG.isDebugEnabled()) {
-                    LOG.debug("Received JWS Headers:");
-                    for (Map.Entry<String, Object> header : jwt.getJwsHeaders().asMap().entrySet()) {
-                        LOG.debug(header.getKey() + ": " + header.getValue());
-                    }
-                }
-                
-                if (!validateSignature(trustedIdp, jwtConsumer)) {
-                    LOG.warn("Signature does not validate");
-                    return null;
-                }
-                
-                // Make sure the received token is valid according to the spec
-                validateToken(jwt, clientId);
-                
-                Date created = new Date((long)jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) * 1000L);
-                Date notBefore = null;
-                if (jwt.getClaim(JwtConstants.CLAIM_NOT_BEFORE) != null) {
-                    notBefore = new Date((long)jwt.getClaim(JwtConstants.CLAIM_NOT_BEFORE) * 1000L);
-                } 
-                
-                Date expires = new Date((long)jwt.getClaim(JwtConstants.CLAIM_EXPIRY) * 1000L);
-                
-                // Subject
-                String subjectName = getProperty(trustedIdp, SUBJECT_CLAIM);
-                LOG.debug("Trying to extract subject name using the claim name {}", subjectName);
-                if (subjectName == null || jwt.getClaim(subjectName) == null) {
-                    LOG.debug("No claim available in the token for {}", subjectName);
-                    subjectName = "preferred_username";
-                    LOG.debug("Falling back to use subject claim name {}", subjectName);
-                    if (subjectName == null || jwt.getClaim(subjectName) == null) {
-                        subjectName = JwtConstants.CLAIM_SUBJECT;
-                        LOG.debug("No claim available in the token for preferred_username. "
-                                  + "Falling back to use {}", subjectName);
-                    }
-                }
-                
-                // Convert into a SAML Token
-                SamlAssertionWrapper assertion = 
-                    createSamlAssertion(idp, trustedIdp, (String)jwt.getClaim(subjectName), notBefore, expires);
-                Document doc = DOMUtils.createDocument();
-                Element token = assertion.toDOM(doc);
-        
-                // Create new Security token with new id. 
-                // Parameters for freshness computation are copied from original IDP_TOKEN
-                SecurityToken idpToken = new SecurityToken(assertion.getId(), created, expires);
-                idpToken.setToken(token);
-        
-                LOG.info("[IDP_TOKEN={}] for user '{}' created from [RP_TOKEN={}] issued by home realm [{}/{}]",
-                         assertion.getId(), assertion.getSaml2().getSubject().getNameID().getValue(), 
-                         jwt.getClaim(JwtConstants.CLAIM_JWT_ID), whr, jwt.getClaim(JwtConstants.CLAIM_ISSUER));
-                LOG.debug("Created date={}", created);
-                LOG.debug("Expired date={}", expires);
-                
-                return idpToken;
-            } catch (IllegalStateException ex) {
-                throw ex;
-            } catch (Exception ex) {
-                LOG.warn("Unexpected exception occured", ex);
-                throw new IllegalStateException("Unexpected exception occured: " + ex.getMessage());
-            }
-        }
-        return null;
-    }
-    
-    protected void validateToken(JwtToken jwt, String clientId) {
-        // We must have the following claims
-        if (jwt.getClaim(JwtConstants.CLAIM_ISSUER) == null
-            || jwt.getClaim(JwtConstants.CLAIM_SUBJECT) == null
-            || jwt.getClaim(JwtConstants.CLAIM_AUDIENCE) == null
-            || jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null
-            || jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) == null) {
-            LOG.warn("The IdToken is missing a required claim");
-            throw new IllegalStateException("The IdToken is missing a required claim");
-        }
-        
-        // The audience must match the client_id of this client
-        boolean match = false;
-        for (String audience : jwt.getClaims().getAudiences()) {
-            if (clientId.equals(audience)) {
-                match = true;
-                break;
-            }
-        }
-        if (!match) {
-            LOG.warn("The audience of the token does not match this client");
-            throw new IllegalStateException("The audience of the token does not match this client");
-        }
-        
-        JwtUtils.validateTokenClaims(jwt.getClaims(), 300, 0, false);
-    }
-    
-    private boolean validateSignature(TrustedIdp trustedIdp, JwsJwtCompactConsumer jwtConsumer) 
-        throws CertificateException, WSSecurityException, Base64DecodingException, 
-            ProcessingException, IOException {
-        
-        // Validate the Signature
-        String sigAlgo = getProperty(trustedIdp, SIGNATURE_ALGORITHM);
-        if (sigAlgo == null || sigAlgo.isEmpty()) {
-            sigAlgo = "RS256";
-        }
-        
-        JwtToken jwt = jwtConsumer.getJwtToken();
-        String jwksUri = getProperty(trustedIdp, JWKS_URI);
-        JsonWebKey verifyingKey = null;
-        
-        if (jwksUri != null && jwt.getJwsHeaders() != null 
-            && jwt.getJwsHeaders().containsHeader(JoseConstants.HEADER_KEY_ID)) {
-            String kid = (String)jwt.getJwsHeaders().getHeader(JoseConstants.HEADER_KEY_ID);
-            LOG.debug("Attemping to retrieve key id {} from uri {}", kid, jwksUri);
-            List<Object> jsonKeyProviders = new ArrayList<Object>();
-            jsonKeyProviders.add(new JsonWebKeysProvider());
-            
-            WebClient client = 
-                WebClient.create(jwksUri, jsonKeyProviders, "cxf-tls.xml");
-            client.accept("application/json");
-            
-            ClientConfiguration config = WebClient.getConfig(client);
-            if (LOG.isDebugEnabled()) {
-                config.getOutInterceptors().add(new LoggingOutInterceptor());
-                config.getInInterceptors().add(new LoggingInInterceptor());
-            }
-            
-            Response response = client.get();
-            JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);
-            if (jsonWebKeys != null) {
-                verifyingKey = jsonWebKeys.getKey(kid);
-            }
-        }
-        
-        if (verifyingKey != null) {
-            return jwtConsumer.verifySignatureWith(verifyingKey, SignatureAlgorithm.getAlgorithm(sigAlgo));
-        }
-        
-        X509Certificate validatingCert = CertsUtils.parseX509Certificate(trustedIdp.getCertificate());
-        if (validatingCert != null) {
-            return jwtConsumer.verifySignatureWith(validatingCert, SignatureAlgorithm.getAlgorithm(sigAlgo));
-        }
-        
-        LOG.warn("No key supplied to verify the signature of the IdToken");
-        return false;
-    }
-    
-    protected String getScope(TrustedIdp trustedIdp) {
-        String scope = getProperty(trustedIdp, SCOPE);
-        if (scope != null) {
-            scope = scope.trim();
-            if (!scope.contains("openid")) {
-                scope = "openid " + scope;
-            }
-        }
-        
-        if (scope == null || scope.isEmpty()) {
-            scope = "openid";
-        }
-        return scope;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpProtocolControllerImpl.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpProtocolControllerImpl.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpProtocolControllerImpl.java
deleted file mode 100644
index 31bc572..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpProtocolControllerImpl.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import org.apache.cxf.fediz.service.idp.spi.TrustedIdpProtocolHandler;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Component;
-
-@Component
-public class TrustedIdpProtocolControllerImpl implements ProtocolController<TrustedIdpProtocolHandler> {
-
-    private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpProtocolControllerImpl.class);
-    
-    @Autowired
-    private List<TrustedIdpProtocolHandler> protocolHandlers;
-    
-    @Override
-    public TrustedIdpProtocolHandler getProtocolHandler(String protocol) {
-        for (TrustedIdpProtocolHandler protocolHandler : protocolHandlers) {
-            if (protocolHandler.getProtocol().equals(protocol)) {
-                return protocolHandler;
-            }
-        }
-        LOG.warn("No protocol handler found for {}", protocol);
-        return null;
-    }
-    
-    @Override
-    public List<String> getProtocols() {
-        List<String> protocols = new ArrayList<>();
-        for (TrustedIdpProtocolHandler protocolHandler : protocolHandlers) {
-            protocols.add(protocolHandler.getProtocol());
-        }
-        return Collections.unmodifiableList(protocols);
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
deleted file mode 100644
index 7b8c3eb..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ /dev/null
@@ -1,415 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.UnsupportedEncodingException;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.net.URLEncoder;
-import java.security.PrivateKey;
-import java.security.Signature;
-import java.security.cert.X509Certificate;
-import java.util.zip.DataFormatException;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.BadRequestException;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.UriBuilder;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.apache.cxf.common.util.Base64Exception;
-import org.apache.cxf.common.util.Base64Utility;
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.fediz.core.util.CertsUtils;
-import org.apache.cxf.fediz.core.util.DOMUtils;
-import org.apache.cxf.fediz.service.idp.IdpConstants;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.jaxrs.utils.ExceptionUtils;
-import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
-import org.apache.cxf.rs.security.saml.sso.AuthnRequestBuilder;
-import org.apache.cxf.rs.security.saml.sso.DefaultAuthnRequestBuilder;
-import org.apache.cxf.rs.security.saml.sso.EHCacheTokenReplayCache;
-import org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator;
-import org.apache.cxf.rs.security.saml.sso.SAMLSSOResponseValidator;
-import org.apache.cxf.rs.security.saml.sso.SSOConstants;
-import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
-import org.apache.cxf.rs.security.saml.sso.TokenReplayCache;
-import org.apache.cxf.staxutils.StaxUtils;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.apache.xml.security.utils.Base64;
-import org.opensaml.core.xml.XMLObject;
-import org.opensaml.saml.saml2.core.AuthnRequest;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-@Component
-public class TrustedIdpSAMLProtocolHandler extends AbstractTrustedIdpProtocolHandler {
-    /**
-     * Whether to sign the request or not. The default is "true".
-     */
-    public static final String SIGN_REQUEST = "sign.request";
-    
-    /**
-     * Whether to require a KeyInfo or not when processing a (signed) Response. The default is "true".
-     */
-    public static final String REQUIRE_KEYINFO = "require.keyinfo";
-    
-    /**
-     * Whether the assertions contained in the Response must be signed or not (if the response itself
-     * is not signed). The default is "true".
-     */
-    public static final String REQUIRE_SIGNED_ASSERTIONS = "require.signed.assertions";
-    
-    /**
-     * Whether we have to "know" the issuer of the SAML Response or not. The default is "true".
-     */
-    public static final String REQUIRE_KNOWN_ISSUER = "require.known.issuer";
-    
-    /**
-     * Whether we BASE-64 decode the response or not. The default is "true".
-     */
-    public static final String SUPPORT_BASE64_ENCODING = "support.base64.encoding";
-    
-    /**
-     * Whether we support Deflate encoding or not. The default is "false".
-     */
-    public static final String SUPPORT_DEFLATE_ENCODING = "support.deflate.encoding";
-
-    public static final String PROTOCOL = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser";
-
-    private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpSAMLProtocolHandler.class);
-    private static final String SAML_SSO_REQUEST_ID = "saml-sso-request-id";
-
-    private AuthnRequestBuilder authnRequestBuilder = new DefaultAuthnRequestBuilder();
-    private TokenReplayCache<String> replayCache;
-
-    static {
-        OpenSAMLUtil.initSamlEngine();
-    }
-
-    @Override
-    public String getProtocol() {
-        return PROTOCOL;
-    }
-
-    @Override
-    public URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
-
-        try {
-            Document doc = DOMUtils.createDocument();
-            doc.appendChild(doc.createElement("root"));
-            // Create the AuthnRequest
-            AuthnRequest authnRequest = 
-                authnRequestBuilder.createAuthnRequest(
-                    null, idp.getRealm(), idp.getIdpUrl().toString()
-                );
-            
-            boolean signRequest = isBooleanPropertyConfigured(trustedIdp, SIGN_REQUEST, true);
-            if (signRequest) {
-                authnRequest.setDestination(trustedIdp.getUrl());
-            }
-            Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
-            String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
-
-            String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
-
-            UriBuilder ub = UriBuilder.fromUri(trustedIdp.getUrl());
-
-            ub.queryParam(SSOConstants.SAML_REQUEST, urlEncodedRequest);
-            
-            String wctx = context.getFlowScope().getString(IdpConstants.TRUSTED_IDP_CONTEXT);
-            ub.queryParam(SSOConstants.RELAY_STATE, wctx);
-            if (signRequest) {
-                signRequest(urlEncodedRequest, wctx, idp, ub);
-            }
-            
-            // Store the Request ID
-            String authnRequestId = authnRequest.getID();
-            WebUtils.putAttributeInExternalContext(context, SAML_SSO_REQUEST_ID, authnRequestId);
-
-            HttpServletResponse response = WebUtils.getHttpServletResponse(context);
-            response.addHeader("Cache-Control", "no-cache, no-store");
-            response.addHeader("Pragma", "no-cache");
-
-            return ub.build().toURL();
-        } catch (MalformedURLException ex) {
-            LOG.error("Invalid Redirect URL for Trusted Idp", ex);
-            throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
-        } catch (UnsupportedEncodingException ex) {
-            LOG.error("Invalid Redirect URL for Trusted Idp", ex);
-            throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
-        } catch (Exception ex) {
-            LOG.error("Invalid Redirect URL for Trusted Idp", ex);
-            throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
-        }
-    }
-
-    @Override
-    public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
-
-        try {
-            String encodedSAMLResponse = (String) WebUtils.getAttributeFromFlowScope(context, 
-                                                                                     SSOConstants.SAML_RESPONSE);
-            
-            // Read the response + convert to an OpenSAML Response Object
-            org.opensaml.saml.saml2.core.Response samlResponse = 
-                readSAMLResponse(encodedSAMLResponse, trustedIdp);
-            
-            Crypto crypto = CertsUtils.getCryptoFromCertificate(trustedIdp.getCertificate());
-            validateSamlResponseProtocol(samlResponse, crypto, trustedIdp);
-            // Validate the Response
-            SSOValidatorResponse validatorResponse = 
-                validateSamlSSOResponse(samlResponse, idp, trustedIdp, context);
-
-            // Create new Security token with new id. 
-            // Parameters for freshness computation are copied from original IDP_TOKEN
-            String id = IDGenerator.generateID("_");
-            SecurityToken idpToken = 
-                new SecurityToken(id, validatorResponse.getCreated(), validatorResponse.getSessionNotOnOrAfter());
-
-            idpToken.setToken(validatorResponse.getAssertionElement());
-            String whr = (String) WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
-            LOG.info("[IDP_TOKEN={}] created from [RP_TOKEN={}] issued by home realm [{}]",
-                     id, validatorResponse.getResponseId(), whr);
-            LOG.debug("Created date={}", validatorResponse.getCreated());
-            LOG.debug("Expired date={}", validatorResponse.getSessionNotOnOrAfter());
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Validated: "
-                    + System.getProperty("line.separator") + validatorResponse.getAssertion());
-            }
-            return idpToken;
-        } catch (BadRequestException ex) {
-            throw ex;
-        } catch (Exception ex) {
-            LOG.warn("Unexpected exception occured", ex);
-            throw new IllegalStateException("Unexpected exception occured: " + ex.getMessage());
-        }
-    }
-    
-    private String encodeAuthnRequest(Element authnRequest) throws IOException {
-        String requestMessage = DOM2Writer.nodeToString(authnRequest);
-        
-        if (LOG.isDebugEnabled()) {
-            LOG.debug(requestMessage);
-        }
-
-        DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
-        byte[] deflatedBytes = encoder.deflateToken(requestMessage.getBytes("UTF-8"));
-
-        return Base64Utility.encode(deflatedBytes);
-    }
-    
-    /**
-     * Sign a request according to the redirect binding spec for Web SSO
-     */
-    private void signRequest(
-        String authnRequest,
-        String relayState,
-        Idp config,
-        UriBuilder ub
-    ) throws Exception {
-        Crypto crypto = CertsUtils.getCryptoFromCertificate(config.getCertificate());
-        if (crypto == null) {
-            LOG.error("No crypto instance of properties file configured for signature");
-            throw new IllegalStateException("Invalid IdP configuration");
-        }
-        
-        String alias = crypto.getDefaultX509Identifier();
-        X509Certificate cert = CertsUtils.getX509CertificateFromCrypto(crypto, alias);
-        if (cert == null) {
-            LOG.error("No cert was found to sign the request using alias: " + alias);
-            throw new IllegalStateException("Invalid IdP configuration");
-        }
-
-        String sigAlgo = SSOConstants.RSA_SHA1;
-        String pubKeyAlgo = cert.getPublicKey().getAlgorithm();
-        String jceSigAlgo = "SHA1withRSA";
-        LOG.debug("automatic sig algo detection: " + pubKeyAlgo);
-        if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
-            sigAlgo = SSOConstants.DSA_SHA1;
-            jceSigAlgo = "SHA1withDSA";
-        }
-        LOG.debug("Using Signature algorithm " + sigAlgo);
-        
-        ub.queryParam(SSOConstants.SIG_ALG, URLEncoder.encode(sigAlgo, "UTF-8"));
-        
-        // Get the password
-        String password = config.getCertificatePassword();
-        
-        // Get the private key
-        PrivateKey privateKey = crypto.getPrivateKey(alias, password);
-        
-        // Sign the request
-        Signature signature = Signature.getInstance(jceSigAlgo);
-        signature.initSign(privateKey);
-       
-        String requestToSign = 
-            SSOConstants.SAML_REQUEST + "=" + authnRequest + "&"
-            + SSOConstants.RELAY_STATE + "=" + relayState + "&"
-            + SSOConstants.SIG_ALG + "=" + URLEncoder.encode(sigAlgo, "UTF-8");
-
-        signature.update(requestToSign.getBytes("UTF-8"));
-        byte[] signBytes = signature.sign();
-        
-        String encodedSignature = Base64.encode(signBytes);
-        
-        ub.queryParam(SSOConstants.SIGNATURE, URLEncoder.encode(encodedSignature, "UTF-8"));
-    }
-
-    private org.opensaml.saml.saml2.core.Response readSAMLResponse(String samlResponse, TrustedIdp trustedIdp) {
-        if (StringUtils.isEmpty(samlResponse)) {
-            throw ExceptionUtils.toBadRequestException(null, null);
-        }
-
-        String samlResponseDecoded = samlResponse;
-        
-        InputStream tokenStream = null;
-        if (isBooleanPropertyConfigured(trustedIdp, SUPPORT_BASE64_ENCODING, true)) {
-            try {
-                byte[] deflatedToken = Base64Utility.decode(samlResponseDecoded);
-                tokenStream = isBooleanPropertyConfigured(trustedIdp, SUPPORT_DEFLATE_ENCODING, false)
-                    ? new DeflateEncoderDecoder().inflateToken(deflatedToken)
-                    : new ByteArrayInputStream(deflatedToken); 
-            } catch (Base64Exception ex) {
-                throw ExceptionUtils.toBadRequestException(ex, null);
-            } catch (DataFormatException ex) {
-                throw ExceptionUtils.toBadRequestException(ex, null);
-            }
-        } else {
-            try {
-                tokenStream = new ByteArrayInputStream(samlResponseDecoded.getBytes("UTF-8"));
-            } catch (UnsupportedEncodingException ex) {
-                throw ExceptionUtils.toBadRequestException(ex, null);
-            }
-        }
-
-        Document responseDoc = null;
-        try {
-            responseDoc = StaxUtils.read(new InputStreamReader(tokenStream, "UTF-8"));
-        } catch (Exception ex) {
-            throw new WebApplicationException(400);
-        }
-        
-        LOG.debug("Received response: " + DOM2Writer.nodeToString(responseDoc.getDocumentElement()));
-        
-        XMLObject responseObject = null;
-        try {
-            responseObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
-        } catch (WSSecurityException ex) {
-            throw ExceptionUtils.toBadRequestException(ex, null);
-        }
-        if (!(responseObject instanceof org.opensaml.saml.saml2.core.Response)) {
-            throw ExceptionUtils.toBadRequestException(null, null);
-        }
-        return (org.opensaml.saml.saml2.core.Response)responseObject;
-
-    }
-    
-    /**
-     * Validate the received SAML Response as per the protocol
-     */
-    private void validateSamlResponseProtocol(
-        org.opensaml.saml.saml2.core.Response samlResponse, Crypto crypto, TrustedIdp trustedIdp
-    ) {
-        try {
-            SAMLProtocolResponseValidator protocolValidator = new SAMLProtocolResponseValidator();
-            protocolValidator.setKeyInfoMustBeAvailable(
-                isBooleanPropertyConfigured(trustedIdp, REQUIRE_KEYINFO, true));
-            protocolValidator.validateSamlResponse(samlResponse, crypto, null);
-        } catch (WSSecurityException ex) {
-            LOG.debug(ex.getMessage(), ex);
-            throw ExceptionUtils.toBadRequestException(null, null);
-        }
-    }
-    
-    /**
-     * Validate the received SAML Response as per the Web SSO profile
-     */
-    private SSOValidatorResponse validateSamlSSOResponse(
-        org.opensaml.saml.saml2.core.Response samlResponse,
-        Idp idp, 
-        TrustedIdp trustedIdp,
-        RequestContext requestContext
-    ) {
-        try {
-            SAMLSSOResponseValidator ssoResponseValidator = new SAMLSSOResponseValidator();
-            ssoResponseValidator.setAssertionConsumerURL(idp.getIdpUrl().toString());
-
-            HttpServletRequest servletRequest = WebUtils.getHttpServletRequest(requestContext);
-            ssoResponseValidator.setClientAddress(servletRequest.getRemoteAddr());
-
-            String issuer = trustedIdp.getIssuer();
-            if (issuer == null || issuer.isEmpty()) {
-                LOG.debug("Issuer name is not defined in trusted 3rd party configuration. "
-                    + "Using URL instead for issuer validation");
-                issuer = trustedIdp.getUrl();
-            }
-            LOG.debug("Using {} for issuer validation", issuer);
-            ssoResponseValidator.setIssuerIDP(issuer);
-            
-            // Get the stored request ID
-            String requestId = 
-                (String)WebUtils.getAttributeFromExternalContext(requestContext, SAML_SSO_REQUEST_ID);
-            ssoResponseValidator.setRequestId(requestId);
-            ssoResponseValidator.setSpIdentifier(idp.getRealm());
-            ssoResponseValidator.setEnforceAssertionsSigned(
-                isBooleanPropertyConfigured(trustedIdp, REQUIRE_SIGNED_ASSERTIONS, true));
-            ssoResponseValidator.setEnforceKnownIssuer(
-                isBooleanPropertyConfigured(trustedIdp, REQUIRE_KNOWN_ISSUER, true));
-            
-            HttpServletRequest httpServletRequest = WebUtils.getHttpServletRequest(requestContext);
-            boolean post = "POST".equals(httpServletRequest.getMethod());
-            if (post) {
-                ssoResponseValidator.setReplayCache(getReplayCache());
-            }
-
-            return ssoResponseValidator.validateSamlResponse(samlResponse, post);
-        } catch (WSSecurityException ex) {
-            LOG.debug(ex.getMessage(), ex);
-            throw ExceptionUtils.toBadRequestException(ex, null);
-        }
-    }
-    
-    public void setReplayCache(TokenReplayCache<String> replayCache) {
-        this.replayCache = replayCache;
-    }
-    
-    public TokenReplayCache<String> getReplayCache() {
-        if (replayCache == null) {
-            replayCache = new EHCacheTokenReplayCache();
-        }
-        return replayCache;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
deleted file mode 100644
index ea8feb4..0000000
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpWSFedProtocolHandler.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.service.idp.protocols;
-
-import java.io.UnsupportedEncodingException;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.net.URLEncoder;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.fediz.core.FederationConstants;
-import org.apache.cxf.fediz.core.config.FedizContext;
-import org.apache.cxf.fediz.core.config.TrustManager;
-import org.apache.cxf.fediz.core.config.jaxb.AudienceUris;
-import org.apache.cxf.fediz.core.config.jaxb.CertificateStores;
-import org.apache.cxf.fediz.core.config.jaxb.ContextConfig;
-import org.apache.cxf.fediz.core.config.jaxb.FederationProtocolType;
-import org.apache.cxf.fediz.core.config.jaxb.KeyStoreType;
-import org.apache.cxf.fediz.core.config.jaxb.TrustManagersType;
-import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuerType;
-import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuers;
-import org.apache.cxf.fediz.core.config.jaxb.ValidationType;
-import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.processor.FederationProcessorImpl;
-import org.apache.cxf.fediz.core.processor.FedizProcessor;
-import org.apache.cxf.fediz.core.processor.FedizRequest;
-import org.apache.cxf.fediz.core.processor.FedizResponse;
-import org.apache.cxf.fediz.core.util.CertsUtils;
-import org.apache.cxf.fediz.service.idp.IdpConstants;
-import org.apache.cxf.fediz.service.idp.domain.Idp;
-import org.apache.cxf.fediz.service.idp.domain.TrustedIdp;
-import org.apache.cxf.fediz.service.idp.util.WebUtils;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.wss4j.common.crypto.CertificateStore;
-import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-import org.springframework.webflow.execution.RequestContext;
-
-@Component
-public class TrustedIdpWSFedProtocolHandler extends AbstractTrustedIdpProtocolHandler {
-    
-    /**
-     * Whether to add the home realm parameter to the URL for redirection or not. The default is "true".
-     */
-    public static final String HOME_REALM_PROPAGATION = "home.realm.propagation";
-    
-    public static final String PROTOCOL = "http://docs.oasis-open.org/wsfed/federation/200706";
-
-    private static final Logger LOG = LoggerFactory.getLogger(TrustedIdpWSFedProtocolHandler.class);
-
-    @Override
-    public String getProtocol() {
-        return PROTOCOL;
-    }
-    
-    @Override
-    public URL mapSignInRequest(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
-        
-        try {
-            StringBuilder sb = new StringBuilder();
-            sb.append(trustedIdp.getUrl());
-            sb.append("?").append(FederationConstants.PARAM_ACTION).append('=');
-            sb.append(FederationConstants.ACTION_SIGNIN);
-            sb.append("&").append(FederationConstants.PARAM_TREALM).append('=');
-            sb.append(URLEncoder.encode(idp.getRealm(), "UTF-8"));
-            sb.append("&").append(FederationConstants.PARAM_REPLY).append('=');
-            sb.append(URLEncoder.encode(idp.getIdpUrl().toString(), "UTF-8"));
-            
-            if (isBooleanPropertyConfigured(trustedIdp, HOME_REALM_PROPAGATION, true)) {
-                sb.append("&").append(FederationConstants.PARAM_HOME_REALM).append('=');
-                sb.append(trustedIdp.getRealm());
-            }
-            
-            String wfresh = context.getFlowScope().getString(FederationConstants.PARAM_FRESHNESS);
-            if (wfresh != null) {
-                sb.append("&").append(FederationConstants.PARAM_FRESHNESS).append('=');
-                sb.append(URLEncoder.encode(wfresh, "UTF-8"));
-            }
-            String wctx = context.getFlowScope().getString(IdpConstants.TRUSTED_IDP_CONTEXT);
-            sb.append("&").append(FederationConstants.PARAM_CONTEXT).append('=');
-            sb.append(wctx);
-        
-            return new URL(sb.toString());
-        } catch (MalformedURLException ex) {
-            LOG.error("Invalid Redirect URL for Trusted Idp", ex);
-            throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
-        } catch (UnsupportedEncodingException ex) {
-            LOG.error("Invalid Redirect URL for Trusted Idp", ex);
-            throw new IllegalStateException("Invalid Redirect URL for Trusted Idp");
-        }
-    }
-    
-    @Override
-    public SecurityToken mapSignInResponse(RequestContext context, Idp idp, TrustedIdp trustedIdp) {
-
-        try {
-            String whr = (String) WebUtils.getAttributeFromFlowScope(context, IdpConstants.HOME_REALM);
-    
-            if (whr == null) {
-                LOG.warn("Home realm is null");
-                throw new IllegalStateException("Home realm is null");
-            }
-    
-            String wresult = (String) WebUtils.getAttributeFromFlowScope(context,
-                                                                         FederationConstants.PARAM_RESULT);
-    
-            if (wresult == null) {
-                LOG.warn("Parameter wresult not found");
-                throw new IllegalStateException("No security token issued");
-            }
-    
-            FedizContext fedContext = getFedizContext(idp, trustedIdp);
-    
-            FedizRequest wfReq = new FedizRequest();
-            wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-            wfReq.setResponseToken(wresult);
-    
-            FedizProcessor wfProc = new FederationProcessorImpl();
-            FedizResponse wfResp = wfProc.processRequest(wfReq, fedContext);
-    
-            fedContext.close();
-    
-            Element e = wfResp.getToken();
-    
-            // Create new Security token with new id. 
-            // Parameters for freshness computation are copied from original IDP_TOKEN
-            String id = IDGenerator.generateID("_");
-            SecurityToken idpToken = new SecurityToken(id,
-                                                       wfResp.getTokenCreated(), wfResp.getTokenExpires());
-    
-            idpToken.setToken(e);
-            LOG.info("[IDP_TOKEN={}] for user '{}' created from [RP_TOKEN={}] issued by home realm [{}/{}]",
-                     id, wfResp.getUsername(), wfResp.getUniqueTokenId(), whr, wfResp.getIssuer());
-            LOG.debug("Created date={}", wfResp.getTokenCreated());
-            LOG.debug("Expired date={}", wfResp.getTokenExpires());
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Validated 'wresult' : "
-                    + System.getProperty("line.separator") + wresult);
-            }
-            return idpToken;
-        } catch (IllegalStateException ex) {
-            throw ex;
-        } catch (Exception ex) {
-            LOG.warn("Unexpected exception occured", ex);
-            throw new IllegalStateException("Unexpected exception occured: " + ex.getMessage());
-        }
-    }
-    
-    
-    private FedizContext getFedizContext(Idp idpConfig,
-            TrustedIdp trustedIdpConfig) throws ProcessingException {
-
-        ContextConfig config = new ContextConfig();
-
-        config.setName("whatever");
-
-        // Configure certificate store
-        String certificate = trustedIdpConfig.getCertificate();
-        boolean isCertificateLocation = !certificate.startsWith("-----BEGIN CERTIFICATE");
-        if (isCertificateLocation) {
-            CertificateStores certStores = new CertificateStores();
-            TrustManagersType tm0 = new TrustManagersType();
-            KeyStoreType ks0 = new KeyStoreType();
-            ks0.setType("PEM");
-            // ks0.setType("JKS");
-            // ks0.setPassword("changeit");
-            ks0.setFile(trustedIdpConfig.getCertificate());
-            tm0.setKeyStore(ks0);
-            certStores.getTrustManager().add(tm0);
-            config.setCertificateStores(certStores);
-        }
-        
-        // Configure trusted IDP
-        TrustedIssuers trustedIssuers = new TrustedIssuers();
-        TrustedIssuerType ti0 = new TrustedIssuerType();
-        ti0.setCertificateValidation(ValidationType.PEER_TRUST);
-        ti0.setName(trustedIdpConfig.getName());
-        // ti0.setSubject(".*CN=www.sts.com.*");
-        trustedIssuers.getIssuer().add(ti0);
-        config.setTrustedIssuers(trustedIssuers);
-
-        FederationProtocolType protocol = new FederationProtocolType();
-        config.setProtocol(protocol);
-
-        AudienceUris audienceUris = new AudienceUris();
-        audienceUris.getAudienceItem().add(idpConfig.getRealm());
-        config.setAudienceUris(audienceUris);
-
-        FedizContext fedContext = new FedizContext(config);
-        if (!isCertificateLocation) {
-            CertificateStore cs = null;
-            
-            X509Certificate cert;
-            try {
-                cert = CertsUtils.parseX509Certificate(trustedIdpConfig.getCertificate());
-            } catch (Exception ex) {
-                LOG.error("Failed to parse trusted certificate", ex);
-                throw new ProcessingException("Failed to parse trusted certificate");
-            }
-            cs = new CertificateStore(Collections.singletonList(cert).toArray(new X509Certificate[0]));
-            
-            TrustManager tm = new TrustManager(cs);
-            fedContext.getCertificateStores().add(tm);
-        }
-        
-        fedContext.init();
-        return fedContext;
-    }
-    
-}

