cxf-commits mailing list archives

From cohei...@apache.org
Subject [10/19] cxf-fediz git commit: FEDIZ-155 - Move .java components out of idp webapp and into a separate JAR
Date Fri, 27 Jan 2017 11:22:53 GMT
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/flows/signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/flows/signin-request.xml b/services/idp-core/src/main/webapp/WEB-INF/flows/signin-request.xml
new file mode 100644
index 0000000..2a7b125
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/flows/signin-request.xml
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/webflow
+        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <input name="idpConfig" />
+    <input name="wfresh" />
+    <input name="saml_authn_request" />
+    <input name="realm" />
+    <input name="home_realm" />
+    <input name="protocol" />
+    <input name="return_address" />
+    <input name="request_context" />
+    
+    <!-- ===== Home Realm Discovery ===== -->
+    
+    <decision-state id="processHRDSExpression">
+        <on-entry>
+            <evaluate expression="processHRDSExpressionAction.submit(flowRequestContext, flowScope.home_realm)" 
+                      result="flowScope.home_realm" />
+        </on-entry>
+        <if test="flowScope.home_realm == null or flowScope.home_realm.trim().isEmpty()"
+            then="provideIDPListForUser" else="checkIsThisIDP" />
+    </decision-state>
+    
+    <decision-state id="provideIDPListForUser">
+        <if test="flowScope.idpConfig.trustedIdps == null or idpConfig.trustedIdps.isEmpty()"
+            then="checkDefaultToThisIDP" />
+        <if test="flowScope.idpConfig.isProvideIdpList() == false"
+            then="checkDefaultToThisIDP" else="showIDPList" />
+    </decision-state>
+    
+    <decision-state id="checkDefaultToThisIDP">
+        <if test="flowScope.idpConfig.isUseCurrentIdp()" then="homeRealmSignInEntryPoint"
+            else="viewBadRequest" />
+    </decision-state>
+    
+    <view-state id="showIDPList" view="idplist" model="trustedIDPSelection">
+        <var name="trustedIDPSelection"
+            class="org.apache.cxf.fediz.service.idp.model.TrustedIDPSelection" />
+        <binder>
+            <binding property="homeRealm" required="true" />
+        </binder>
+        <on-entry>
+            <set name="requestScope.idPConfig" value="flowScope.idpConfig" />
+        </on-entry>
+        <transition on="submit" to="checkIsThisIDP" bind="true"
+            validate="true">
+            <set name="flowScope.home_realm" value="trustedIDPSelection.homeRealm" />
+            <evaluate
+                expression="homeRealmReminder.addCookie(flowRequestContext, flowScope.home_realm)" />
+        </transition>
+        <transition on="cancel" to="checkDefaultToThisIDP"
+            bind="false" validate="false" />
+    </view-state>
+    
+    <!-- Home Realm is known then we can store it in cookie -->
+    <decision-state id="checkIsThisIDP">
+        <if test="flowScope.idpConfig.realm.equals(flowScope.home_realm)"
+            then="homeRealmSignInEntryPoint" else="checkRemoteIdpToken" />
+    </decision-state>
+    
+    <!-- ===== Realm independent ===== -->
+    
+    <action-state id="validateReturnAddress">
+        <evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.return_address)
+                              and passiveRequestorValidator.isValid(flowRequestContext, flowScope.return_address, flowScope.realm)"/>
+        <transition on="yes" to="requestRpToken" />
+        <transition on="no" to="viewBadRequest" />
+    </action-state>
+    
+    <!-- ===== Home Realm != this realm ===== -->
+    
+    <decision-state id="checkRemoteIdpToken">
+        <if test="externalContext.sessionMap[flowScope.home_realm] != null"
+            then="checkRemoteIdpTokenExpiry" else="redirectToTrustedIDP" />
+    </decision-state>
+    
+    <action-state id="checkRemoteIdpTokenExpiry">
+        <evaluate
+            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
+                        protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+                        or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
+        <transition on="yes" to="redirectToTrustedIDP" />
+        <transition on="no" to="validateReturnAddress" >
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
+        </transition>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+    
+    <!-- ===== Home Realm == this realm ===== -->
+    
+    <decision-state id="homeRealmSignInEntryPoint">
+        <on-entry>
+            <!-- Here, home realm is guaranteed to be THIS realm -->
+            <set name="flowScope.home_realm" value="flowScope.idpConfig.realm" />
+        </on-entry>
+            
+        <!-- check presence of cached IDP token for THIS realm -->
+        <if test="externalContext.sessionMap[flowScope.home_realm] == null"
+            then="cacheSecurityToken" else="checkLocalIdPTokenExpiry" />
+    </decision-state>
+
+    <action-state id="checkLocalIdPTokenExpiry">
+        <evaluate
+            expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, flowRequestContext) or
+                        protocol.equals('wsfed') and wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.home_realm, flowRequestContext)
+                        or protocol.equals('samlsso') and authnRequestParser.isForceAuthentication(flowRequestContext)" />
+        <transition on="yes" to="redirectToLocalIDP" />
+        <transition on="no" to="validateReturnAddress">
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
+        </transition>
+        <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
+    </action-state>
+
+    <end-state id="redirectToLocalIDP">
+        <on-entry>
+            <evaluate expression="logoutAction.submit(flowRequestContext)" />
+        </on-entry>
+        <output name="home_realm" value="flowScope.home_realm" />
+    </end-state>
+
+    <action-state id="cacheSecurityToken">
+        <secured attributes="IS_AUTHENTICATED_FULLY" />
+        <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
+        <transition to="validateReturnAddress">
+            <set name="flowScope.idpToken" value="externalContext.sessionMap[flowScope.home_realm]" />
+        </transition>
+    </action-state>
+    
+    <!-- ============================================================================================================= -->
+
+    <!-- normal exit point -->
+    <end-state id="requestRpToken">
+        <output name="home_realm" value="flowScope.home_realm" />
+        <output name="idpToken" value="flowScope.idpToken" />
+    </end-state>
+
+    <!-- abnormal exit point -->
+    <end-state id="viewBadRequest" />
+    
+    <!-- redirects to requestor idp -->
+    <end-state id="redirectToTrustedIDP">
+        <on-entry>
+            <evaluate expression="signinParametersCacheAction.store(flowRequestContext, protocol)" />
+        </on-entry>
+        <output name="home_realm" value="flowScope.home_realm" />
+        <output name="trusted_idp_context" value="flowScope.trusted_idp_context" />
+    </end-state>
+
+</flow>
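Review bot: The comment above `checkIsThisIDP` (`Home Realm is known then we can store it in cookie`) does not describe that state, which only compares `flowScope.idpConfig.realm` with `flowScope.home_realm`; the cookie is written earlier, in the `submit` transition of `showIDPList` through `homeRealmReminder.addCookie`. Replace it with `<!-- Home Realm is known: decide whether it is this IdP or a trusted remote one -->`. The first `if` in `provideIDPListForUser` mixes `flowScope.idpConfig.trustedIdps` and bare `idpConfig.trustedIdps` in one expression; the bare form only works through scope search, so write `flowScope.idpConfig.trustedIdps.isEmpty()` for consistency with the rest of the file. Nothing in this flow checks a non-local `home_realm` against `idpConfig.trustedIdps` before `checkRemoteIdpToken` uses it as a session-map key and `redirectToTrustedIDP` is reached; presumably the parent flow or `signinParametersCacheAction.store` rejects unknown realms, which is worth confirming since the value is bound from the `showIDPList` form.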

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/flows/signin-response.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/flows/signin-response.xml b/services/idp-core/src/main/webapp/WEB-INF/flows/signin-response.xml
new file mode 100644
index 0000000..ebfbf1f
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/flows/signin-response.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<!--
+Process a response from a trusted third party IdP. It starts by restoring the original request parameters for the current context. 
+It then converts the response from the third party IdP into a SecurityToken via the TrustedIdPProtocolAction. It then exits this 
+subflow to get a RP token from the STS.
+ -->
+<flow xmlns="http://www.springframework.org/schema/webflow"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/webflow
+        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <input name="idpConfig" />
+    <input name="request_context" />
+    <input name="wresult" />
+    <input name="RelayState" />
+    <input name="SAMLResponse" />
+    <input name="state" />
+    <input name="code" />
+    <input name="home_realm" />
+    <input name="protocol" />
+
+    <on-start>
+        <!-- restore the original request parameters for the current context -->
+        <evaluate expression="signinParametersCacheAction.restore(flowRequestContext, request_context, protocol)" />
+    </on-start>
+    
+    <!-- validate token issued by requestor IDP given its home realm -->
+    <action-state id="validateToken">
+        <evaluate expression="trustedIdpProtocolAction.mapSignInResponse(flowRequestContext, home_realm)"
+            result="flowScope.idpToken" result-type="org.apache.cxf.ws.security.tokenstore.SecurityToken" />
+        <transition to="checkCacheTrustedIdpToken" />
+        <transition
+            on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+        <transition
+            on-exception="javax.ws.rs.BadRequestException" to="viewBadRequest" />
+        <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
+    </action-state>
+    
+    <action-state id="checkCacheTrustedIdpToken">
+        <evaluate expression="idpConfig.findTrustedIdp(flowScope.home_realm).cacheTokens" />
+        <transition on="yes" to="requestRpToken">
+            <set name="externalContext.sessionMap[flowScope.home_realm]"
+                    value="flowScope.idpToken" />
+        </transition>
+        <transition on="no" to="requestRpToken" />
+    </action-state>
+
+    <end-state id="requestRpToken">
+        <output name="home_realm" value="flowScope.home_realm" />
+        <output name="request_context" value="flowScope.request_context" />
+        <output name="return_address" value="flowScope.return_address" />
+        <output name="realm" value="flowScope.realm" />
+        <output name="idpToken" value="flowScope.idpToken" />
+        <output name="saml_authn_request" value="flowScope.saml_authn_request" />
+    </end-state>
+
+    <!-- abnormal exit point : Http 400 Bad Request -->
+    <end-state id="viewBadRequest">
+        <output name="saml_authn_request" value="flowScope.saml_authn_request" />
+        <output name="RelayState" value="flowScope.RelayState" />
+    </end-state>
+
+    <!-- abnormal exit point : Http 500 Internal Server Error -->
+    <end-state id="scInternalServerError" />
+    
+</flow>
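Review bot: `checkCacheTrustedIdpToken` has no `on-exception` transition, unlike `validateToken` just above it; if `idpConfig.findTrustedIdp(flowScope.home_realm)` yields null for a realm that is not configured as a trusted IdP, the `.cacheTokens` dereference throws and leaves the subflow to whatever the caller does with it rather than ending in `scInternalServerError`. Either add `<transition on-exception="java.lang.Throwable" to="scInternalServerError" />` to that state or document that `mapSignInResponse` already fails for unknown realms. The `requestRpToken` outputs `return_address`, `realm` and `saml_authn_request` are not declared as inputs of this flow; presumably `signinParametersCacheAction.restore` places them in flow scope, so the `on-start` comment should say which keys it restores.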

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/idp-config-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/idp-config-realma.xml b/services/idp-core/src/main/webapp/WEB-INF/idp-config-realma.xml
new file mode 100644
index 0000000..8e66b57
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/idp-config-realma.xml
@@ -0,0 +1,158 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans profile="spring" xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd
+        ">
+
+    <context:property-placeholder location="classpath:realm.properties" />
+
+    <bean id="config"
+        class="org.apache.cxf.fediz.service.idp.service.ConfigServiceSpring">
+        <property name="idpConfigs">
+            <util:list>
+                <ref bean="idp-realmA" />
+            </util:list>
+        </property>
+        <property name="serviceConfigs">
+            <util:list>
+                <ref bean="srv-fedizhelloworld" />
+            </util:list>
+        </property>
+    </bean>
+
+    <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+        <property name="uri" value="realma" />
+        <!--<property name="hrds" value="" /> --> <!-- TBD, not defined, provide list if enabled -->
+        <property name="provideIdpList" value="true" />
+        <property name="useCurrentIdp" value="true" />
+        <property name="certificate" value="stsKeystoreA.properties" />
+        <property name="certificatePassword" value="realma" />
+        <property name="stsUrl"
+            value="https://localhost:0/fediz-idp-sts/REALMA" />
+        <property name="idpUrl"
+            value="https://localhost:${realmA.port}/fediz-idp/federation" />
+        <property name="supportedProtocols">
+            <util:list>
+                <value>http://docs.oasis-open.org/wsfed/federation/200706
+                </value>
+                <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512
+                </value>
+            </util:list>
+        </property>
+        <property name="services">
+            <util:map>
+                <entry key="urn:org:apache:cxf:fediz:fedizhelloworld"
+                    value-ref="srv-fedizhelloworld" />
+            </util:map>
+        </property>
+        <property name="authenticationURIs">
+            <util:map>
+                <entry key="default" value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey" 
+                       value="federation/krb" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+                       value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+                       value="federation/clientcert" />
+            </util:map>
+        </property>
+        <property name="trustedIdps">
+            <util:map>
+                <entry key="urn:org:apache:cxf:fediz:idp:realm-B"
+                    value-ref="trusted-idp-realmB" />
+            </util:map>
+        </property>
+        <property name="serviceDisplayName" value="REALM A" />
+        <property name="serviceDescription" value="IDP of Realm A" />
+        <property name="rpSingleSignOutConfirmation" value="true"/>
+        <property name="rpSingleSignOutCleanupConfirmation" value="false"/>
+    </bean>
+
+    <bean id="trusted-idp-realmB"
+        class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+        <property name="cacheTokens" value="true" />
+        <property name="url"
+            value="https://localhost:${realmB.port}/fediz-idp-remote/federation" />
+        <property name="certificate" value="realmb.cert" />
+        <property name="trustType" value="PEER_TRUST" />  <!-- Required for Fediz Core, Process SignInResponse -->
+        <property name="protocol"
+            value="http://docs.oasis-open.org/wsfed/federation/200706" />
+        <property name="federationType" value="FEDERATE_IDENTITY" /> <!-- Required for STS Relationship -->
+        <property name="name" value="REALM B" />
+        <property name="description" value="IDP of Realm B" />
+        <!-- todo true / false prop for propagate sign-out of other realms !?-->
+    </bean>
+
+    <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
+        <property name="realm"
+            value="urn:org:apache:cxf:fediz:fedizhelloworld" />
+        <property name="protocol"
+            value="http://docs.oasis-open.org/wsfed/federation/200706" />
+        <property name="serviceDisplayName" value="Fedizhelloworld" />
+        <property name="serviceDescription"
+            value="Web Application to illustrate WS-Federation" />
+        <property name="role" value="ApplicationServiceType" />
+        <property name="tokenType"
+            value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+        <property name="lifeTime" value="3600" />
+        <!-- <property name="encryptionCertificate" value="" /> -->
+        <property name="requestedClaims">
+            <util:list>
+                <bean
+                    class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
+                    <property name="claimType"
+                        value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+                    <property name="optional" value="false" />
+                </bean>
+                <bean
+                    class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
+                    <property name="claimType"
+                        value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+                    <property name="optional" value="false" />
+                </bean>
+                <bean
+                    class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
+                    <property name="claimType"
+                        value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+                    <property name="optional" value="false" />
+                </bean>
+                <bean
+                    class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
+                    <property name="claimType"
+                        value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+                    <property name="optional" value="true" />
+                </bean>
+            </util:list>
+        </property>
+    </bean>
+
+</beans>
+
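Review bot: `certificatePassword` on the `idp-realmA` bean is a plaintext literal (`value="realma"`) while the port in `idpUrl` already comes from `realm.properties` via `context:property-placeholder`; if this file is meant as a deployment template rather than test-only wiring, route the password through a placeholder as well so the secret is not kept in the XML. In the same bean `stsUrl` is pinned to `https://localhost:0/...`, a port that cannot be connected to, whereas `idpUrl` uses `${realmA.port}` — presumably a stand-in to be overridden, which deserves a comment such as `<!-- port 0: STS address is substituted per deployment -->`. Both points apply equally to `idp-realmB` in idp-config-realmb.xml and, for the port, to `wsdlLocation` on `stsClientForRpAction` in idp-servlet.xml.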

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/idp-config-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/idp-config-realmb.xml b/services/idp-core/src/main/webapp/WEB-INF/idp-config-realmb.xml
new file mode 100644
index 0000000..9494587
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/idp-config-realmb.xml
@@ -0,0 +1,133 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans profile="spring" xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd">
+
+    <context:property-placeholder location="classpath:realm.properties" />
+
+    <bean id="config"
+        class="org.apache.cxf.fediz.service.idp.service.ConfigServiceSpring">
+        <property name="idpConfigs">
+            <util:list>
+                <ref bean="idp-realmB" />
+            </util:list>
+        </property>
+        <property name="serviceConfigs">
+            <util:list>
+                <ref bean="idp-realmA" />
+            </util:list>
+        </property>
+    </bean>
+
+    <bean id="idp-realmB" class="org.apache.cxf.fediz.service.idp.model.IDPConfig">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+        <property name="uri" value="realmb" />
+        <!--<property name="hrds" value="" /> --> <!-- TBD, not defined, provide list if enabled -->
+        <property name="provideIdpList" value="false" />
+        <property name="useCurrentIdp" value="true" />
+        <property name="certificate" value="stsKeystoreB.properties" />
+        <property name="certificatePassword" value="realmb" />
+        <property name="stsUrl"
+            value="https://localhost:0/fediz-idp-sts/REALMB" />
+        <property name="idpUrl"
+            value="https://localhost:${realmB.port}/fediz-idp-remote/federation" />
+        <property name="supportedProtocols">
+            <util:list>
+                <value>http://docs.oasis-open.org/wsfed/federation/200706
+                </value>
+                <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512
+                </value>
+            </util:list>
+        </property>
+        <property name="services">
+            <util:map>
+                <entry key="urn:org:apache:cxf:fediz:idp:realm-A"
+                    value-ref="idp-realmA" />
+            </util:map>
+        </property>
+        <property name="authenticationURIs">
+            <util:map>
+                <entry key="default" value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey" 
+                       value="federation/krb" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+                       value="federation/up" />
+                <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+                       value="federation/clientcert" />
+            </util:map>
+        </property>
+        <property name="serviceDisplayName" value="REALM B" />
+        <property name="serviceDescription" value="IDP of Realm B" />
+        <property name="rpSingleSignOutConfirmation" value="true"/>
+        <property name="rpSingleSignOutCleanupConfirmation" value="false"/>
+    </bean>
+
+    <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+        <property name="protocol"
+            value="http://docs.oasis-open.org/wsfed/federation/200706" />
+        <property name="serviceDisplayName" value="Resource IDP Realm A" />
+        <property name="serviceDescription" value="Resource IDP Realm A" />
+        <property name="role" value="SecurityTokenServiceType" />
+        <property name="tokenType"
+            value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+        <property name="lifeTime" value="3600" />
+        <!-- <property name="encryptionCertificate" value="" /> -->
+        <property name="requestedClaims">
+            <util:list>
+                <bean
+                    class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
+                    <property name="claimType"
+                        value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+                    <property name="optional" value="false" />
+                </bean>
+                <bean
+                    class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
+                    <property name="claimType"
+                        value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+                    <property name="optional" value="false" />
+                </bean>
+                <bean
+                    class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
+                    <property name="claimType"
+                        value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+                    <property name="optional" value="false" />
+                </bean>
+                <bean
+                    class="org.apache.cxf.fediz.service.idp.model.RequestClaim">
+                    <property name="claimType"
+                        value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+                    <property name="optional" value="false" />
+                </bean>
+            </util:list>
+        </property>
+    </bean>
+
+</beans>
+
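Review bot: The `ServiceConfig` bean at the bottom is named `idp-realmA`, the same id idp-config-realma.xml gives its `IDPConfig`, yet here it describes realm A as a relying service (role `SecurityTokenServiceType`) of realm B's IdP, and the sibling file uses the `srv-` prefix for that kind of bean (`srv-fedizhelloworld`). Renaming it `srv-idp-realmA` in the bean id, the `serviceConfigs` ref and the `services` entry keeps the two files' conventions aligned and avoids confusion when both are open. A one-line comment above the bean stating that it is the service entry for realm A's IdP, not an IdP definition, would help as well.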

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp-core/src/main/webapp/WEB-INF/idp-servlet.xml
new file mode 100644
index 0000000..e7c24ee
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/idp-servlet.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+
+    <import resource="config/idp-core-servlet.xml" />
+
+    <!-- Define some mutable properties for the IdP -->
+    <context:property-placeholder location="classpath:realm.properties" />
+
+    <bean id="stsClientForRpAction" class="org.apache.cxf.fediz.service.idp.beans.STSClientAction">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransport?wsdl" />
+        <property name="wsdlEndpoint" value="Transport_Port" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+    </bean>
+
+</beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/security-config.xml b/services/idp-core/src/main/webapp/WEB-INF/security-config.xml
new file mode 100644
index 0000000..e51f906
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/security-config.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.2.xsd
+        ">
+
+    <context:property-placeholder location="classpath:realm.properties" />
+
+    <import resource="config/security-krb-config.xml" />
+    <import resource="config/security-clientcert-config.xml" />
+    <import resource="config/security-up-config.xml" />
+    <import resource="config/security-rs-config.xml" />
+    
+    <!-- DISABLE in production as it might log confidential information about the user -->
+    <!-- <security:debug /> -->
+
+    <!-- Configure Spring Security -->
+    
+    <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
+    <!-- The user has no role during the login phase of WS-Federation -->
+    <security:global-method-security pre-post-annotations="enabled" />
+
+    <!-- Redirects to a dedicated http config -->
+    <bean id="fedizEntryPoint" class="org.apache.cxf.fediz.service.idp.FedizEntryPoint">
+        <property name="realm" value="${realm-uri}" />
+        <property name="configService" ref="config" />
+    </bean>
+    
+    <!-- Main entry point for WS-Federation -->
+    <security:http pattern="/federation" use-expressions="true" entry-point-ref="fedizEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+    </security:http>
+    
+    <!-- Main entry point for SAML SSO -->
+    <security:http pattern="/saml" use-expressions="true" entry-point-ref="fedizEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+    </security:http>
+    
+    <security:authentication-manager alias="authenticationManagers">
+        <security:authentication-provider ref="stsUPAuthProvider" />
+        <security:authentication-provider ref="stsKrbAuthProvider" />
+        <security:authentication-provider ref="stsClientCertAuthProvider" />
+    </security:authentication-manager>
+	
+    <bean id="entitlementsEnricher" 
+          class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
+	
+</beans>
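Review bot: The `/federation` and `/saml` `security:http` chains declare no `intercept-url` rules, so nothing in this file states whether these entry points are meant to be reachable without authentication; the comment above `global-method-security` hints at it ("The user has no role during the login phase"), but a line on the chains themselves would make it explicit, e.g. `<!-- No access rules here: the entry point only dispatches; authentication happens on the realm sub-paths configured in the imported security-*-config.xml files -->`. The Ant pattern `/federation` matches only that exact path, so `/federation/up`, `/federation/krb` and `/federation/clientcert` (all mapped to the dispatcher in web.xml) have to be covered by chains in the imported files — worth a check that none of them falls through to no chain at all. Pairing `spring-security-3.2.xsd` with `spring-beans-4.3.xsd` is presumably what the build resolves, but it reads as a stale schema reference.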

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/views/genericerror.jsp
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/views/genericerror.jsp b/services/idp-core/src/main/webapp/WEB-INF/views/genericerror.jsp
new file mode 100644
index 0000000..c31c77c
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/views/genericerror.jsp
@@ -0,0 +1,11 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>IDP generic error page</title>
+</head>
+<body>
+	<h1>Sorry, CXF Fediz IDP cannot satisfy your request.</h1>
+	<p>Reason : ${reason}</p>
+</body>
+</html>
\ No newline at end of file
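Review bot: `${reason}` is emitted into the `<p>` by plain EL, which does no HTML escaping, so the page reflects whatever the controller put into `reason` verbatim; `<p>Reason : <c:out value="${reason}"/></p>` (JSTL core, which signinform.jsp already imports) keeps the page inert whether the reason is a fixed message or carries request-derived text. The same unescaped EL/scriptlet output is used in idplist.jsp (`${flowExecutionKey}`, `<%=idp.getRealm()%>`), samlsigninresponseform.jsp (`${samlResponse}`, `${relayState}`), signinresponseform.jsp (`${fedWResult}`, `${fedWCtx}`, `${fedWTrealm}`), signoutconfirmationresponse.jsp (`<%= wreply%>`) and signoutresponse.jsp (`<a href="<%= wreply%>">`); `htmlEscape="true"` on the Spring `form:form` tag covers only that tag's own attributes, not the nested plain `<input>` elements. RelayState, wctx and wreply are echoed from the incoming request, so those are the values to escape first — unless the actions that set the attributes already escape them, which is likely for wresult since raw token XML would otherwise break the attribute quoting. The charset meta here says ISO-8859-1 while web.xml forces UTF-8 on every response; one of the two should give way.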

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/views/idplist.jsp
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/views/idplist.jsp b/services/idp-core/src/main/webapp/WEB-INF/views/idplist.jsp
new file mode 100644
index 0000000..0a9cdb1
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/views/idplist.jsp
@@ -0,0 +1,33 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<%@page import="java.util.List"%>
+<%@page import="org.apache.cxf.fediz.service.idp.domain.Idp"%>
+<%@page import="org.apache.cxf.fediz.service.idp.domain.TrustedIdp"%>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<html>
+<head>
+<title>Trusted IDP List</title>
+</head>
+<body>
+	<h1>Trusted IDP List</h1>
+	<i>Where are you from? Please, select one Identity Provider in the list which is able to authenticate you. </i>
+	<form:form method="POST" id="idplist" name="idplist">
+		<br />
+        <% Idp idp = (Idp)request.getAttribute("idpConfig");
+        List<TrustedIdp> trustedIDPs = idp.getTrustedIdps(); %>
+      <select name="homeRealm">
+        <% if (idp.isUseCurrentIdp()) { %>
+        <option value="<%=idp.getRealm()%>" selected="selected" ><%=idp.getServiceDescription()%></option>
+        <% } 
+           for (TrustedIdp trustedIDP : trustedIDPs) { %>
+        <option value="<%=trustedIDP.getRealm()%>"><%=trustedIDP.getDescription()%></option>
+        <% } %>
+      </select>
+      <br />
+      <input type="hidden" id="execution" name="execution" value="${flowExecutionKey}"/>
+      <br />
+      <input type="submit" name="_eventId_submit" value="Select Home Realm" />
+      <input type="submit" name="_eventId_cancel" value="Cancel" />
+    </form:form>
+</body>
+</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/views/index.jsp
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/views/index.jsp b/services/idp-core/src/main/webapp/WEB-INF/views/index.jsp
new file mode 100644
index 0000000..1a1ef1d
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/views/index.jsp
@@ -0,0 +1,25 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML><HEAD><TITLE>WS Federation Tomcat Examples</TITLE>
+<META http-equiv=Content-Type content="text/html">
+</HEAD>
+<BODY>
+<P>
+<H3>Hello World</H3>
+<P></P>
+</BODY></HTML>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/views/samlsigninresponseform.jsp
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/views/samlsigninresponseform.jsp b/services/idp-core/src/main/webapp/WEB-INF/views/samlsigninresponseform.jsp
new file mode 100644
index 0000000..3e7dc36
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/views/samlsigninresponseform.jsp
@@ -0,0 +1,20 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+
+<html>
+<head>
+<title>IDP SignIn Response Form</title>
+</head>
+<body>
+	<form:form method="POST" id="samlsigninresponseform" name="samlsigninresponseform" action="${samlAction}" htmlEscape="true">
+        <input type="hidden" name="SAMLResponse" value="${samlResponse}" /><br />
+        <input type="hidden" name="RelayState" value="${relayState}" /><br />
+  		<noscript>
+		<p>Script is disabled. Click Submit to continue.</p>
+		<input type="submit" name="_eventId_submit" value="Submit" /><br />
+ 		</noscript>
+	</form:form>
+ 	<script language="javascript">window.setTimeout('document.forms[0].submit()',0);</script>
+</body>
+</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/views/signinform.jsp
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/views/signinform.jsp b/services/idp-core/src/main/webapp/WEB-INF/views/signinform.jsp
new file mode 100644
index 0000000..bcd7916
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/views/signinform.jsp
@@ -0,0 +1,72 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<html>
+	<head>
+		<title>IDP SignIn Request Form</title>
+		<style type="text/css">
+			.error 			{
+								color: #a94442 !important;
+								background-color: #f2dede !important;
+								border-color: #ebccd1 !important;
+							}
+			.msg 			{
+								padding: 15px;
+								border: 1px solid transparent;
+								border-radius: 4px;
+								color: #31708f;
+								background-color: #d9edf7;
+								border-color: #bce8f1;
+								margin: auto;
+								text-align: center;
+								margin-top: 5px;
+								width: 60%;
+							}
+			h1				{
+								font-size: 24px;
+								margin-top: 25px;
+							}
+			body			{
+								font-family:arial;
+							}
+			label			{
+								width: 90px;
+								display: inline-block;
+							}
+			#login_form		{
+								width: 250px;
+							}
+			#submit_button	{
+								float: right;
+								margin: 5px 12px;
+							}
+		</style>
+	</head>
+	<body onload='document.signinform.username.focus();'>
+		<img src="<c:url value='/images/apache-logo.png' />" alt="Apache Logo" style="margin:5px auto">
+		
+		<c:if test="${param.error != null}">
+			<div class="msg error"><b>Login Failed</b><br />
+                Username and password do not match. Please try again.</div>
+		</c:if>
+		<c:if test="${param.out != null}">
+			<div class="msg info"><b>Logout successful</b></div>
+		</c:if>
+		
+		<h1>Fediz IDP Login</h1>
+		
+		<form:form method="POST" id="signinform" name="signinform" action="login.do" >
+			<div id="login_form">
+				<label for="username">UserId</label>
+				<input type="text" id="username" name="username" placeholder="username" />
+				<br />
+				<label for="password">Password</label>
+				<input type="password" id="password" name="password" placeholder="password" />
+				<br />
+				<!--input type="hidden" id="execution" name="execution" value="${flowExecutionKey}"/-->
+				<input type="submit" id="submit_button" name="authenticate" value="Authenticate" />
+			</div>
+		</form:form>
+	</body>
+</html>
\ No newline at end of file
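Review bot: The commented-out `execution` hidden input just above the submit button is dead markup in a file that is new in this commit; either remove it or replace it with a short comment saying why this form posts to `login.do` outside the webflow execution (idplist.jsp and signoutconfirmationresponse.jsp do carry the key), so nobody re-enables it by guesswork. No `charset` is declared in this page's head, which leaves the encoding to the `encodingFilter` in web.xml; a `<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">` would make the intent visible in the view itself.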

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/views/signinresponseform.jsp
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/views/signinresponseform.jsp b/services/idp-core/src/main/webapp/WEB-INF/views/signinresponseform.jsp
new file mode 100644
index 0000000..7a98789
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/views/signinresponseform.jsp
@@ -0,0 +1,25 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+
+<html>
+<head>
+<title>IDP SignIn Response Form</title>
+</head>
+<body>
+	<form:form method="POST" id="signinresponseform" name="signinresponseform" action="${fedAction}" htmlEscape="true">
+        <input type="hidden" name="wa" value="wsignin1.0" /><br />
+        <input type="hidden" name="wresult" value="${fedWResult}" /><br />
+        <% String wctx = (String)request.getAttribute("fedWCtx");
+           if (wctx != null && !wctx.isEmpty()) { %>
+        	<input type="hidden" name="wctx" value="${fedWCtx}" /><br />
+	    <% } %>
+        <input type="hidden" name="wtrealm" value="${fedWTrealm}" /><br />
+  		<noscript>
+		<p>Script is disabled. Click Submit to continue.</p>
+		<input type="submit" name="_eventId_submit" value="Submit" /><br />
+ 		</noscript>
+	</form:form>
+ 	<script language="javascript">window.setTimeout('document.forms[0].submit()',0);</script>
+</body>
+</html>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/views/signoutconfirmationresponse.jsp
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/views/signoutconfirmationresponse.jsp b/services/idp-core/src/main/webapp/WEB-INF/views/signoutconfirmationresponse.jsp
new file mode 100644
index 0000000..3e7a547
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/views/signoutconfirmationresponse.jsp
@@ -0,0 +1,65 @@
+<%@ page import="java.util.Map" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.domain.Application" %>
+<%@ page import="org.apache.cxf.fediz.core.FederationConstants" %>
+<%@ page import="java.util.List" %>
+<%@ page import="java.util.Iterator" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<title>IDP SignOut Confirmation Response Page</title>
+</head>
+<body>
+    <%
+        @SuppressWarnings("unchecked")
+        Map<String, Application> rcm =
+        (Map<String, Application>) request.getSession().getAttribute(SigninParametersCacheAction.ACTIVE_APPLICATIONS);
+    	String wreply = (String) request.getAttribute("wreply");
+
+        if (rcm == null) {
+    %>
+	        <p>You have already logged out</p>
+    <%
+        } else {
+    %>
+	        <h1>Logout from the following Applications?</h1>
+			<div>	   
+    <%
+            Iterator<Map.Entry<String, Application>> iterator = rcm.entrySet().iterator();
+                
+            while (iterator.hasNext()) {
+                Application next = iterator.next().getValue();
+                if (next != null) {
+    %>
+                    <%= next.getServiceDisplayName() %>
+                    <br/>
+    <%
+                }
+            }
+        }
+        
+        if (rcm != null && !rcm.isEmpty()) {
+    %>
+	    	</div>
+	    	<br/>
+	    	<br/>
+	        <form:form method="POST" id="signoutconfirmationresponseform" name="signoutconfirmationresponseform">
+	            <input type="hidden" name="wa" value="wsignout1.0" />
+	            <input type="hidden" id="execution" name="execution" value="${flowExecutionKey}" />
+	            <input type="submit" name="_eventId_submit" value="Logout" />
+			    <%     
+			        if (wreply != null && !wreply.isEmpty()) {
+			    %>
+			    <input type="hidden" name="wreply" value="<%= wreply%>" />        
+	            <input type="submit" name="_eventId_cancel" value="Cancel" />
+	            <%     
+			        }
+			    %>
+	        </form:form>
+    <%     
+        }
+    %>
+</body>
+</html>
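Review bot: When `rcm` is non-null but empty, the `<div>` opened under the "Logout from the following Applications?" heading is never closed and no form is rendered, because the closing `</div>` and the form sit under the separate `if (rcm != null && !rcm.isEmpty())` guard; folding the empty case into the first branch, `if (rcm == null || rcm.isEmpty()) {`, shows the "already logged out" message instead and makes the second guard redundant (it can then go, with the `</div>` and form moving into the else branch). `FederationConstants` and `List` are imported but unused on this page. `ACTIVE_APPLICATIONS` is read from the session here but from the request in signoutresponse.jsp, which is presumably intentional but deserves a one-line comment at the lookup.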

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/views/signoutresponse.jsp
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/views/signoutresponse.jsp b/services/idp-core/src/main/webapp/WEB-INF/views/signoutresponse.jsp
new file mode 100644
index 0000000..429c026
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/views/signoutresponse.jsp
@@ -0,0 +1,56 @@
+<%@page import="org.opensaml.soap.wsfed.WSFedConstants"%>
+<%@ page import="java.util.Map" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" %>
+<%@ page import="org.apache.cxf.fediz.service.idp.domain.Application" %>
+<%@ page import="org.apache.cxf.fediz.core.FederationConstants" %>
+<%@ page import="java.util.List" %>
+<%@ page import="java.util.Iterator" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<title>IDP SignOut Response Page</title>
+</head>
+<body>
+    <%
+        @SuppressWarnings("unchecked")
+        Map<String, Application> apps =
+                (Map<String, Application>) request.getAttribute(SigninParametersCacheAction.ACTIVE_APPLICATIONS);
+    	String wreply = (String) request.getAttribute("wreply");
+
+        if (apps == null) {
+    %>
+	        <p>You have already logged out</p>
+    <%
+        } else {
+    %>
+            <h1>CXF Fediz IDP successful logout.</h1>
+        
+            <p>
+    <%
+            Iterator<Map.Entry<String, Application>> iterator = apps.entrySet().iterator();
+            
+            while (iterator.hasNext()) {
+                Application next = iterator.next().getValue();
+                if (next != null) {
+    %>
+                    <%= next.getServiceDisplayName() %> 
+                    <img src="<%=next.getPassiveRequestorEndpoint() + "?" + FederationConstants.PARAM_ACTION 
+                        + "=" + FederationConstants.ACTION_SIGNOUT_CLEANUP %>"/>
+                    <br/>
+    <%
+                }
+            }
+    %>
+	        </p>
+    <%
+        }
+        if (wreply != null && !wreply.isEmpty()) {
+    %>
+    <p><a href="<%= wreply%>">continue</a></p>
+    <%
+        }
+    %>
+</body>
+</html>
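Review bot: `WSFedConstants` and `List` are imported but never used on this page, and the same dangling `List`/`FederationConstants` imports appear in signoutconfirmationresponse.jsp; dropping them keeps the opensaml dependency out of a view that does not need it. The `<img src>` per application is how the cleanup request reaches each relying party, which is not obvious from the markup — a comment such as `<%-- each <img> triggers the signout-cleanup action at the application's passive requestor endpoint --%>` above the loop would help the next reader.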

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/WEB-INF/web.xml b/services/idp-core/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 0000000..807fa23
--- /dev/null
+++ b/services/idp-core/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+
+-->
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0" metadata-complete="true">
+
+	<description>Fediz IDP</description>
+	<display-name>Fediz IDP</display-name>
+	
+	<session-config>
+	    <cookie-config>
+            <http-only>true</http-only>
+        </cookie-config>
+		<tracking-mode>COOKIE</tracking-mode>
+	</session-config>
+
+	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>/WEB-INF/applicationContext.xml</param-value>
+	</context-param>
+
+	<context-param>
+		<param-name>spring.profiles.active</param-name>
+		<param-value>jpa</param-value>
+	</context-param>
+
+	<filter>
+		<filter-name>encodingFilter</filter-name>
+		<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
+		<init-param>
+			<param-name>encoding</param-name>
+			<param-value>UTF-8</param-value>
+		</init-param>
+		<init-param>
+			<param-name>forceEncoding</param-name>
+			<param-value>true</param-value>
+		</init-param>
+	</filter>
+	<filter-mapping>
+		<filter-name>encodingFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+
+	<filter>
+		<filter-name>springSecurityFilterChain</filter-name>
+		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+	</filter>
+	<filter-mapping>
+		<filter-name>springSecurityFilterChain</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+
+	<servlet>
+		<servlet-name>idp</servlet-name>
+		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
+		<init-param>
+			<param-name>publishContext</param-name>
+			<param-value>false</param-value>
+		</init-param>
+		<load-on-startup>1</load-on-startup>
+	</servlet>
+	<servlet-mapping>
+		<servlet-name>idp</servlet-name>
+		<url-pattern>/</url-pattern>
+		<url-pattern>/federation</url-pattern>
+		<url-pattern>/federation/up</url-pattern>
+		<url-pattern>/federation/krb</url-pattern>
+		<url-pattern>/federation/clientcert</url-pattern>
+		<url-pattern>/saml</url-pattern>
+		<url-pattern>/saml/up</url-pattern>
+		<url-pattern>/saml/krb</url-pattern>
+		<url-pattern>/saml/clientcert</url-pattern>
+	</servlet-mapping>
+
+	<servlet>
+		<servlet-name>metadata</servlet-name>
+		<servlet-class>org.apache.cxf.fediz.service.idp.MetadataServlet</servlet-class>
+		<init-param>
+			<param-name>realm</param-name>
+			<param-value>${realm-uri}</param-value>
+		</init-param>
+	</servlet>
+	<servlet-mapping>
+		<servlet-name>metadata</servlet-name>
+		<url-pattern>/FederationMetadata/2007-06/FederationMetadata.xml</url-pattern>
+		<url-pattern>/metadata/*</url-pattern>
+	</servlet-mapping>
+
+	<servlet>
+		<servlet-name>CXFServlet</servlet-name>
+		<servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
+		<load-on-startup>1</load-on-startup>
+	</servlet>
+	<servlet-mapping>
+		<servlet-name>CXFServlet</servlet-name>
+		<url-pattern>/services/*</url-pattern>
+	</servlet-mapping>
+
+	<listener>
+		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+	</listener>
+
+	<!-- Uncomment this when using JNDI DataSource -->
+	<!-- The property jpa.platform must be updated in persistence.properties even you use JNDI Datasource -->
+	<!-- 
+    <resource-ref>
+        <res-ref-name>jdbc/fedizDataSource</res-ref-name>
+        <res-type>javax.sql.DataSource</res-type>
+        <res-auth>Container</res-auth>
+    </resource-ref>
+    -->
+
+</web-app>
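Review bot: `cookie-config` sets `http-only` but not `<secure>true</secure>`, so the session cookie that carries the IdP login could still be sent over plain HTTP if a client ever reaches the context without TLS. The `https://` STS URL in applicationContext.xml and the `/federation/clientcert` mapping suggest the deployment is TLS-only anyway, in which case the flag costs nothing: `<secure>true</secure>` next to `<http-only>true</http-only>`. If a non-TLS development profile exists, the flag can be left to the container, but that choice should be stated in a comment either way.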

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/resources/images/apache-logo.png
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/resources/images/apache-logo.png b/services/idp-core/src/main/webapp/resources/images/apache-logo.png
new file mode 100644
index 0000000..39b040e
Binary files /dev/null and b/services/idp-core/src/main/webapp/resources/images/apache-logo.png differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/main/webapp/resources/swagger/index.html
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/webapp/resources/swagger/index.html b/services/idp-core/src/main/webapp/resources/swagger/index.html
new file mode 100644
index 0000000..223cf1e
--- /dev/null
+++ b/services/idp-core/src/main/webapp/resources/swagger/index.html
@@ -0,0 +1,156 @@
+<!DOCTYPE html>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+  http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+  <meta charset="UTF-8">
+    <!-- <ApacheFediz -->
+    <!--<title>Swagger UI</title>-->
+    <title>Swagger UI - Apache Fediz ${project.version}</title>
+    <!-- </ApacheFediz -->
+  <link rel="icon" type="image/png" href="images/favicon-32x32.png" sizes="32x32" />
+  <link rel="icon" type="image/png" href="images/favicon-16x16.png" sizes="16x16" />
+  <link href='css/typography.css' media='screen' rel='stylesheet' type='text/css'/>
+  <link href='css/reset.css' media='screen' rel='stylesheet' type='text/css'/>
+  <link href='css/screen.css' media='screen' rel='stylesheet' type='text/css'/>
+  <link href='css/reset.css' media='print' rel='stylesheet' type='text/css'/>
+  <link href='css/print.css' media='print' rel='stylesheet' type='text/css'/>
+  <script src='lib/jquery-1.8.0.min.js' type='text/javascript'></script>
+  <script src='lib/jquery.slideto.min.js' type='text/javascript'></script>
+  <script src='lib/jquery.wiggle.min.js' type='text/javascript'></script>
+  <script src='lib/jquery.ba-bbq.min.js' type='text/javascript'></script>
+  <script src='lib/handlebars-2.0.0.js' type='text/javascript'></script>
+  <script src='lib/underscore-min.js' type='text/javascript'></script>
+  <script src='lib/backbone-min.js' type='text/javascript'></script>
+  <script src='swagger-ui.js' type='text/javascript'></script>
+  <script src='lib/highlight.7.3.pack.js' type='text/javascript'></script>
+  <script src='lib/jsoneditor.min.js' type='text/javascript'></script>
+  <script src='lib/marked.js' type='text/javascript'></script>
+  <script src='lib/swagger-oauth.js' type='text/javascript'></script>
+
+  <!-- Some basic translations -->
+  <!-- <script src='lang/translator.js' type='text/javascript'></script> -->
+  <!-- <script src='lang/ru.js' type='text/javascript'></script> -->
+  <!-- <script src='lang/en.js' type='text/javascript'></script> -->
+
+  <script type="text/javascript">
+    $(function () {
+        // <ApacheFediz>
+        /*var url = window.location.search.match(/url=([^&]+)/);
+      if (url && url.length > 1) {
+        url = decodeURIComponent(url[1]);
+      } else {
+        url = "http://petstore.swagger.io/v2/swagger.json";
+         }*/
+        var url = window.location.href.substring(0, window.location.href.lastIndexOf('/')) + "/../services/rs/swagger.json";
+        // </ApacheFediz>
+      // Pre load translate...
+      if(window.SwaggerTranslator) {
+        window.SwaggerTranslator.translate();
+      }
+      window.swaggerUi = new SwaggerUi({
+        url: url,
+        dom_id: "swagger-ui-container",
+        supportedSubmitMethods: ['get', 'post', 'put', 'delete', 'patch'],
+        onComplete: function(swaggerApi, swaggerUi){
+          if(typeof initOAuth == "function") {
+            initOAuth({
+              clientId: "your-client-id",
+              clientSecret: "your-client-secret-if-required",
+              realm: "your-realms",
+              appName: "your-app-name", 
+              scopeSeparator: ",",
+              additionalQueryStringParams: {}
+            });
+          }
+          if(window.SwaggerTranslator) {
+            window.SwaggerTranslator.translate();
+          }
+          $('pre code').each(function(i, e) {
+            hljs.highlightBlock(e)
+          });
+          addApiKeyAuthorization();
+        },
+        onFailure: function(data) {
+          log("Unable to Load SwaggerUI");
+        },
+        docExpansion: "none",
+        jsonEditor: false,
+        apisSorter: "alpha",
+        defaultModelRendering: 'schema',
+        showRequestHeaders: false
+      });
+        function addApiKeyAuthorization() {
+          // <ApacheFediz>
+          /*var key = encodeURIComponent($('#input_apiKey')[0].value);
+           if (key && key.trim() != "") {
+            var apiKeyAuth = new SwaggerClient.ApiKeyAuthorization("api_key", key, "query");
+            window.swaggerUi.api.clientAuthorizations.add("api_key", apiKeyAuth);
+            log("added key " + key);
+           }*/
+          var username = $('#input_username').val().trim();
+          var password = $('#input_password').val().trim();
+          if (username !== "" && password !== "") {
+            window.swaggerUi.api.clientAuthorizations.add(
+                    "basicAuth", new SwaggerClient.PasswordAuthorization(username, password));
+        }
+          // </ApacheFediz>
+      }
+        // <ApacheFediz>
+        //$('#input_apiKey').change(addApiKeyAuthorization);
+        $("#input_username").blur(function () {
+          addApiKeyAuthorization();
+        });
+        $("#input_password").blur(function () {
+          addApiKeyAuthorization();
+        });
+        // </ApacheFediz>
+      // if you have an apiKey you would like to pre-populate on the page for demonstration purposes...
+      /*
+        var apiKey = "myApiKeyXXXX123456789";
+        $('#input_apiKey').val(apiKey);
+      */
+      window.swaggerUi.load();
+      function log() {
+        if ('console' in window) {
+          console.log.apply(console, arguments);
+        }
+      }
+  });
+  </script>
+</head>
+
+<body class="swagger-section">
+<div id='header'>
+  <div class="swagger-ui-wrap">
+    <a id="logo" href="http://swagger.io">swagger</a>
+    <form id='api_selector'>
+       <!-- <ApacheFediz -->
+      <!--<div class='input'><input placeholder="http://example.com/api" id="input_baseUrl" name="baseUrl" type="text"/></div>-->
+      <!--<div class='input'><input placeholder="api_key" id="input_apiKey" name="apiKey" type="text"/></div>-->
+      <!--<div class='input'><a id="explore" href="#" data-sw-translate>Explore</a></div>-->
+          <div class='input'><input placeholder="username" id="input_username" name="username" type="text"/></div>
+          <div class='input'><input placeholder="password" id="input_password" name="password" type="password"/></div>
+          <!-- </ApacheFediz -->
+    </form>
+  </div>
+</div>
+
+<div id="message-bar" class="swagger-ui-wrap" data-sw-translate>&nbsp;</div>
+<div id="swagger-ui-container" class="swagger-ui-wrap"></div>
+</body>
+</html>
\ No newline at end of file
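Review bot: `addApiKeyAuthorization` no longer adds an API key — the Fediz edit replaces its body with a `PasswordAuthorization` built from the username/password inputs — so the function name and the `// if you have an apiKey...` comment below it are now misleading; renaming it `addBasicAuthorization` (three call sites in this script) or a one-line comment at the function would keep the intent clear. Indentation inside the `<ApacheFediz>` blocks mixes 2-, 4- and 6-space levels and the closing brace before `// </ApacheFediz>` in that function sits at the wrong depth, which makes the local diff against upstream swagger-ui harder to read than it needs to be.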

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPATest.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPATest.java b/services/idp-core/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPATest.java
new file mode 100644
index 0000000..4a2970c
--- /dev/null
+++ b/services/idp-core/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPATest.java
@@ -0,0 +1,348 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.service.jpa;
+
+import java.net.URI;
+import java.util.Arrays;
+import java.util.List;
+
+
+import org.apache.cxf.fediz.service.idp.domain.Application;
+import org.apache.cxf.fediz.service.idp.domain.RequestClaim;
+import org.apache.cxf.fediz.service.idp.service.ApplicationDAO;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.dao.DataIntegrityViolationException;
+import org.springframework.dao.EmptyResultDataAccessException;
+import org.springframework.orm.jpa.JpaObjectRetrievalFailureException;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.util.Assert;
+
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration(locations = { "classpath:testContext.xml" })
+public class ApplicationDAOJPATest {
+
+    @Autowired
+    private ApplicationDAO applicationDAO;
+    
+    
+    @BeforeClass
+    public static void init() {
+        System.setProperty("spring.profiles.active", "jpa");
+    }
+    
+    
+    @Test
+    public void testReadAllApplications() {
+        List<Application> applications = applicationDAO.getApplications(0, 999, null);
+        // Application could have been removed, Order not given as per JUnit design
+        Assert.isTrue(1 < applications.size(), "Size doesn't match [" + applications.size() + "]");
+    }
+    
+    
+    @Test
+    public void testReadExistingApplicationEmbeddedAll() {
+        Application application = applicationDAO.getApplication("urn:org:apache:cxf:fediz:fedizhelloworld",
+                                                                Arrays.asList("all"));
+        
+        Assert.isTrue(application.getLifeTime() == 3600,
+                      "LifeTime doesn't match");
+        Assert.isTrue("http://docs.oasis-open.org/wsfed/federation/200706".equals(application.getProtocol()),
+                      "Protocol doesn't match");
+        Assert.isTrue("urn:org:apache:cxf:fediz:fedizhelloworld".equals(application.getRealm()),
+                      "Realm doesn't match");
+        Assert.isTrue("ApplicationServiceType".equals(application.getRole()),
+                      "Role doesn't match");
+        Assert.isTrue("Web Application to illustrate WS-Federation".equals(application.getServiceDescription()),
+                      "ServiceDescription doesn't match");
+        Assert.isTrue("Fedizhelloworld".equals(application.getServiceDisplayName()),
+                      "ServiceDisplayName doesn't match");
+        Assert.isTrue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
+                      .equals(application.getTokenType()),
+                      "TokenType doesn't match");
+        Assert.isTrue(4 == application.getRequestedClaims().size(),
+                      "Number of claims doesn't match [" + application.getRequestedClaims().size() + "]");
+    }
+    
+    @Test
+    public void testReadExistingApplicationEmbeddedClaims() {
+        Application application = applicationDAO.getApplication("urn:org:apache:cxf:fediz:fedizhelloworld",
+                                                                Arrays.asList("claims"));
+        
+        Assert.isTrue(4 == application.getRequestedClaims().size(),
+                      "Number of claims doesn't match");
+    }
+    
+    @Test
+    public void testReadExistingApplicationEmbeddedNull() {
+        Application application = applicationDAO.getApplication("urn:org:apache:cxf:fediz:fedizhelloworld",
+                                                                null);
+        
+        Assert.isTrue(0 == application.getRequestedClaims().size(),
+                      "Number of claims doesn't match");
+    }
+    
+    
+    @Test(expected = EmptyResultDataAccessException.class)
+    public void testTryReadNonexistingApplication() {
+        applicationDAO.getApplication("urn:org:apache:cxf:fediz:fedizhelloworld:NOTEXIST", null);
+    }
+    
+    
+    @Test
+    public void testAddNewApplication() {
+        
+        String realm = "urn:org:apache:cxf:fediz:application:testaddnew";
+        Application application = createApplication(realm);
+        applicationDAO.addApplication(application);
+        
+        application = applicationDAO.getApplication(realm, null);
+        
+        Assert.isTrue("".equals(application.getEncryptionCertificate()),
+                      "EncryptionCertificate doesn't match");
+        Assert.isTrue(application.getLifeTime() == 3600,
+                      "LifeTime doesn't match");
+        Assert.isTrue("http://docs.oasis-open.org/wsfed/federation/200706".equals(application.getProtocol()),
+                      "Protocol doesn't match");
+        Assert.isTrue(realm.equals(application.getRealm()),
+                      "Realm doesn't match");
+        Assert.isTrue("ApplicationServiceType".equals(application.getRole()),
+                      "Role doesn't match");
+        Assert.isTrue("Fedizhelloworld2 description".equals(application.getServiceDescription()),
+                      "ServiceDescription doesn't match");
+        Assert.isTrue("Fedizhelloworld2".equals(application.getServiceDisplayName()),
+                      "ServiceDisplayName doesn't match");
+        Assert.isTrue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
+                      .equals(application.getTokenType()),
+                      "TokenType doesn't match");
+        Assert.isTrue("http://www.w3.org/ns/ws-policy"
+                      .equals(application.getPolicyNamespace()),
+                      "Policy Namespace doesn't match");
+        Assert.isTrue(0 == application.getRequestedClaims().size(),
+                      "Number of claims doesn't match");
+    }
+    
+    @Test
+    public void testUpdateApplication() {
+        String realm = "urn:org:apache:cxf:fediz:application:testupdate";
+        
+        //Prepare
+        Application application = createApplication(realm);
+        applicationDAO.addApplication(application);
+        
+        //Testcase
+        application = new Application();
+        application.setRealm(realm);
+        application.setEncryptionCertificate("U");
+        application.setLifeTime(1800);
+        application.setProtocol("Uhttp://docs.oasis-open.org/wsfed/federation/200706");
+        application.setRole("UApplicationServiceType");
+        application.setServiceDescription("UFedizhelloworld2 description");
+        application.setServiceDisplayName("UFedizhelloworld2");
+        application.setTokenType("Uhttp://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
+        application.setPolicyNamespace("Uhttp://www.w3.org/ns/ws-policy");
+        
+        Assert.isTrue("U".equals(application.getEncryptionCertificate()),
+                      "EncryptionCertificate doesn't match");
+        Assert.isTrue(application.getLifeTime() == 1800,
+                      "LifeTime doesn't match");
+        Assert.isTrue("Uhttp://docs.oasis-open.org/wsfed/federation/200706".equals(application.getProtocol()),
+                      "Protocol doesn't match");
+        Assert.isTrue(realm.equals(application.getRealm()),
+                      "Realm doesn't match");
+        Assert.isTrue("UApplicationServiceType".equals(application.getRole()),
+                      "Role doesn't match");
+        Assert.isTrue("UFedizhelloworld2 description".equals(application.getServiceDescription()),
+                      "ServiceDescription doesn't match");
+        Assert.isTrue("UFedizhelloworld2".equals(application.getServiceDisplayName()),
+                      "ServiceDisplayName doesn't match");
+        Assert.isTrue("Uhttp://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
+                      .equals(application.getTokenType()),
+                      "TokenType doesn't match");
+        Assert.isTrue("Uhttp://www.w3.org/ns/ws-policy"
+                      .equals(application.getPolicyNamespace()),
+                      "Policy Namespace doesn't match");
+        Assert.isTrue(0 == application.getRequestedClaims().size(),
+                      "Number of claims doesn't match");
+    }
+    
+    @Test(expected = DataIntegrityViolationException.class)
+    public void testTryAddExistingApplication() {
+        Application application = new Application();
+        application.setRealm("urn:org:apache:cxf:fediz:fedizhelloworld");
+        application.setEncryptionCertificate("");
+        application.setLifeTime(3600);
+        application.setProtocol("http://docs.oasis-open.org/wsfed/federation/200706");
+        application.setRole("ApplicationServiceType");
+        application.setServiceDescription("Fedizhelloworld description");
+        application.setServiceDisplayName("Fedizhelloworld");
+        application.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
+        
+        applicationDAO.addApplication(application);
+    }
+    
+    
+    @Test(expected = EmptyResultDataAccessException.class)
+    public void testTryRemoveUnknownApplication() {
+        applicationDAO.deleteApplication("urn:org:apache:cxf:fediz:fedizhelloworld:NOTEXIST");
+    }
+    
+    
+    @Test(expected = EmptyResultDataAccessException.class)
+    public void testRemoveExistingApplication() {
+        String realm = "urn:org:apache:cxf:fediz:app:testdelete";
+        Application application = createApplication(realm);
+        
+        applicationDAO.addApplication(application);
+        
+        applicationDAO.deleteApplication(realm);
+        
+        applicationDAO.getApplication(realm, null);
+    }
+    
+    @Test
+    public void testAddClaimToApplication() {
+        //Prepare step
+        Application application = new Application();
+        application.setRealm("urn:org:apache:cxf:fediz:fedizhelloworld:testaddclaim");
+        application.setEncryptionCertificate("");
+        application.setLifeTime(3600);
+        application.setProtocol("http://docs.oasis-open.org/wsfed/federation/200706");
+        application.setRole("ApplicationServiceType");
+        application.setServiceDescription("Fedizhelloworld description");
+        application.setServiceDisplayName("Fedizhelloworld");
+        application.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
+        
+        applicationDAO.addApplication(application);
+        
+        //Testcase
+        RequestClaim requestClaim = new RequestClaim();
+        requestClaim.setOptional(false);
+        requestClaim.setClaimType(URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"));
+        
+        applicationDAO.addClaimToApplication(application, requestClaim);
+               
+        application = applicationDAO.getApplication("urn:org:apache:cxf:fediz:fedizhelloworld:testaddclaim",
+                                                    Arrays.asList("all"));
+        
+        Assert.isTrue(1 == application.getRequestedClaims().size(), "requestedClaims size doesn't match");
+    }
+    
+    @Test(expected = DataIntegrityViolationException.class)
+    public void testTryAddExistingClaimToApplication() {
+        Application application = new Application();
+        application.setRealm("urn:org:apache:cxf:fediz:fedizhelloworld");
+        
+        RequestClaim requestClaim = new RequestClaim();
+        requestClaim.setOptional(false);
+        requestClaim.setClaimType(URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"));
+        
+        applicationDAO.addClaimToApplication(application, requestClaim);
+    }
+    
+    @Test(expected = EmptyResultDataAccessException.class)
+    public void testTryAddUnknownClaimToApplication() {
+        Application application = new Application();
+        application.setRealm("urn:org:apache:cxf:fediz:fedizhelloworld");
+        
+        RequestClaim requestClaim = new RequestClaim();
+        requestClaim.setOptional(false);
+        requestClaim.setClaimType(URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UNKOWN"));
+        
+        applicationDAO.addClaimToApplication(application, requestClaim);
+    }
+    
+    
+    @Test
+    public void testRemoveClaimFromApplication() {
+        //Prepare step
+        Application application = new Application();
+        application.setRealm("urn:org:apache:cxf:fediz:fedizhelloworld:testremoveclaim");
+        application.setEncryptionCertificate("");
+        application.setLifeTime(3600);
+        application.setProtocol("http://docs.oasis-open.org/wsfed/federation/200706");
+        application.setRole("ApplicationServiceType");
+        application.setServiceDescription("Fedizhelloworld description");
+        application.setServiceDisplayName("Fedizhelloworld");
+        application.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
+        
+        applicationDAO.addApplication(application);
+        
+        RequestClaim requestClaim = new RequestClaim();
+        requestClaim.setOptional(false);
+        requestClaim.setClaimType(URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"));
+        
+        applicationDAO.addClaimToApplication(application, requestClaim);
+               
+        application = applicationDAO.getApplication("urn:org:apache:cxf:fediz:fedizhelloworld:testremoveclaim",
+                                                    Arrays.asList("all"));
+        Assert.isTrue(1 == application.getRequestedClaims().size(), "requestedClaims size doesn't match");
+        
+        //Testcase
+        applicationDAO.removeClaimFromApplication(application, requestClaim);
+        application = applicationDAO.getApplication("urn:org:apache:cxf:fediz:fedizhelloworld:testremoveclaim",
+                                                    Arrays.asList("all"));
+        Assert.isTrue(0 == application.getRequestedClaims().size(), "requestedClaims size doesn't match");
+    }
+    
+    @Test(expected = JpaObjectRetrievalFailureException.class)
+    public void testTryRemoveNotAssignedClaimFromApplication() {
+        Application application = new Application();
+        application.setRealm("urn:org:apache:cxf:fediz:fedizhelloworld");
+                
+        RequestClaim requestClaim = new RequestClaim();
+        requestClaim.setOptional(false);
+        requestClaim.setClaimType(URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/city"));
+        
+        applicationDAO.removeClaimFromApplication(application, requestClaim);
+    }
+    
+    @Test(expected = JpaObjectRetrievalFailureException.class)
+    public void testTryRemoveUnknownClaimFromApplication() {
+        Application application = new Application();
+        application.setRealm("urn:org:apache:cxf:fediz:fedizhelloworld");
+                
+        RequestClaim requestClaim = new RequestClaim();
+        requestClaim.setOptional(false);
+        requestClaim.setClaimType(URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UNKNOWN"));
+        
+        applicationDAO.removeClaimFromApplication(application, requestClaim);
+    }
+    
+    private static Application createApplication(String realm) {
+        Application application = new Application();
+        application.setRealm(realm);
+        application.setEncryptionCertificate("");
+        application.setLifeTime(3600);
+        application.setProtocol("http://docs.oasis-open.org/wsfed/federation/200706");
+        application.setRole("ApplicationServiceType");
+        application.setServiceDescription("Fedizhelloworld2 description");
+        application.setServiceDisplayName("Fedizhelloworld2");
+        application.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
+        application.setPolicyNamespace("http://www.w3.org/ns/ws-policy");
+        return application;
+    }
+
+}
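Review bot: testUpdateApplication never hands the modified Application back to the DAO — it builds a fresh object, calls its setters, and then asserts on that same in-memory instance, so every assertion passes without any persistence of the update being exercised; after the setters it should invoke the DAO's update operation and re-read with `application = applicationDAO.getApplication(realm, null);` before asserting. The assertions throughout this file (and in ClaimDAOJPATest in the next hunk) use `org.springframework.util.Assert`, whose `isTrue` throws IllegalArgumentException rather than AssertionError, so a failing expectation is reported as a test error instead of an assertion failure and the message carries no expected/actual values; `org.junit.Assert.assertEquals` would give both. In testRemoveExistingApplication the `expected = EmptyResultDataAccessException.class` applies to the whole method, so the same exception escaping from `addApplication` or `deleteApplication` would also satisfy the test; narrowing it by wrapping only the final `getApplication` call, or by asserting the add succeeded first, would make the expectation precise.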

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/bf309400/services/idp-core/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/ClaimDAOJPATest.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/ClaimDAOJPATest.java b/services/idp-core/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/ClaimDAOJPATest.java
new file mode 100644
index 0000000..767a989
--- /dev/null
+++ b/services/idp-core/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/ClaimDAOJPATest.java
@@ -0,0 +1,115 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.service.jpa;
+
+import java.net.URI;
+import java.util.List;
+
+import org.apache.cxf.fediz.service.idp.domain.Claim;
+import org.apache.cxf.fediz.service.idp.service.ClaimDAO;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.dao.DataIntegrityViolationException;
+import org.springframework.dao.EmptyResultDataAccessException;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.util.Assert;
+
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration(locations = { "classpath:testContext.xml" })
+public class ClaimDAOJPATest {
+
+    @Autowired
+    private ClaimDAO claimDAO;
+    
+    
+    @BeforeClass
+    public static void init() {
+        System.setProperty("spring.profiles.active", "jpa");
+    }
+    
+    
+    @Test
+    public void testReadAllClaims() {
+        List<Claim> claims = claimDAO.getClaims(0, 999);
+        Assert.isTrue(5 == claims.size(), "Size doesn't match");
+    }
+    
+    @Test
+    public void testReadExistingClaim() {
+        Claim claim = claimDAO.getClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
+        Assert.isTrue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+                      .equals(claim.getClaimType().toString()),
+                      "ClaimType doesn't match");
+        Assert.isTrue("firstname".equals(claim.getDisplayName()),
+                      "Claim Display name doesn't match");
+        Assert.isTrue("Description for firstname".equals(claim.getDescription()),
+                      "Claim Description name doesn't match");
+    }
+    
+    
+    @Test(expected = EmptyResultDataAccessException.class)
+    public void testTryReadNonexistingClaim() {
+        claimDAO.getClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennamenotexist");
+    }
+    
+    
+    @Test
+    public void testAddNewClaim() {
+        Claim claim5 = new Claim();
+        claim5.setClaimType(URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/town"));
+        claim5.setDisplayName("Town");
+        claim5.setDescription("Town Description");
+        claimDAO.addClaim(claim5);
+        
+        List<Claim> claims = claimDAO.getClaims(0, 999);
+        Assert.isTrue(6 == claims.size(), "Size doesn't match. Claim not added");
+    }
+    
+    
+    @Test(expected = DataIntegrityViolationException.class)
+    public void testTryAddExistingClaim() {
+        Claim claim5 = new Claim();
+        claim5.setClaimType(URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"));
+        claim5.setDisplayName("firstname");
+        claim5.setDescription("Description for firstname");
+        claimDAO.addClaim(claim5);
+    }
+    
+    
+    @Test(expected = EmptyResultDataAccessException.class)
+    public void testTryRemoveUnknownClaim() {
+        claimDAO.deleteClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/town/WRONG");
+    }
+    
+    
+    @Test(expected = EmptyResultDataAccessException.class)
+    public void testRemoveExistingClaim() {
+        claimDAO.deleteClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email");
+        
+        claimDAO.getClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email");
+    }
+    
+
+}
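Review bot: testReadAllClaims and testAddNewClaim assert absolute counts (`5 == claims.size()`, `6 == claims.size()`) while testRemoveExistingClaim deletes the email claim in the same shared JPA context, and JUnit 4 gives no ordering guarantee across these methods, so whether they pass depends on execution order. Capturing `int before = claimDAO.getClaims(0, 999).size();` and asserting `before + 1 == claims.size()` after the add, and using a dedicated fixture claim for the delete test, would make each test independent — ApplicationDAOJPATest in the previous hunk already notes this problem for applications but does not resolve it here. A short comment above testReadAllClaims stating that the count reflects the claims seeded by the testContext fixture would also make the magic number readable.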

