From cohei...@apache.org
Subject [1/3] cxf-fediz git commit: Adding a test to show how to federate "unknown" subjects in the local STS
Date Wed, 12 Jul 2017 17:03:54 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/1.4.x-fixes 5d96e47da -> 79b693c64


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e87b5e86/systests/federation/unknown-subject/src/test/resources/realmb/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/federation/unknown-subject/src/test/resources/realmb/security-config.xml
b/systests/federation/unknown-subject/src/test/resources/realmb/security-config.xml
new file mode 100644
index 0000000..866d2e9
--- /dev/null
+++ b/systests/federation/unknown-subject/src/test/resources/realmb/security-config.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://www.springframework.org/schema/context
+        http://www.springframework.org/schema/context/spring-context-4.3.xsd
+        http://www.springframework.org/schema/security
+        http://www.springframework.org/schema/security/spring-security-3.2.xsd
+        ">
+
+    <context:property-placeholder location="classpath:realm.properties"/>
+    
+    <!-- DISABLE in production as it might log confidential information about the user
-->
+    <!-- <security:debug /> -->
+
+    <!-- Configure Spring Security -->
+    
+    <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
+    <!-- The user has no role during the login phase of WS-Federation -->
+    <security:global-method-security pre-post-annotations="enabled"/>
+
+    <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+        <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
+        <security:http-basic />
+    </security:http>
+
+    <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
/>
+    
+    <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"
/>
+    
+    <security:authentication-manager id="restAuthenticationManager">
+        <security:authentication-provider>
+          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
+          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+          <!--  
+          <security:password-encoder hash="sha-256" base64="true">
+            <security:salt-source user-property="username"/>
+          </security:password-encoder>
+          -->
+          <security:user-service properties="classpath:/users.properties" />
+        </security:authentication-provider>
+        <security:authentication-provider ref="stsAuthProvider" />
+    </security:authentication-manager>
+
+    <!-- Redirects to a dedicated http config -->
+    <bean id="fedizEntryPoint" class="org.apache.cxf.fediz.service.idp.FedizEntryPoint">
+        <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+        <property name="configService" ref="config" />
+    </bean>
+    
+    <!-- Main entry point -->
+    <security:http pattern="/federation" use-expressions="true" entry-point-ref="fedizEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
access="isAnonymous() or isAuthenticated()" />
+    </security:http>
+    
+    <!-- HTTP/BA entry point -->
+    <security:http pattern="/federation/up" use-expressions="true">
+        <security:intercept-url requires-channel="https" pattern="/federation/up/login*"
access="isAuthenticated()" />
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:http-basic />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+    </security:http>
+    
+    <security:http pattern="/saml" use-expressions="true" entry-point-ref="fedizEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+    </security:http>
+    
+    <!-- HTTP/BA entry point -->
+    <security:http pattern="/saml/up/**" use-expressions="true">
+        <security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAuthenticated()"
/>
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher"
/>
+
+        <security:http-basic />
+        <!--security:form-login login-page='/federation/up/login'
+            login-processing-url="/federation/up/login.do"
+            authentication-failure-url="/federation/up/login?error" 
+            default-target-url="/"
+            username-parameter="username" 
+            password-parameter="password"
+            /-->
+        <security:logout logout-url="/saml/up/logout" 
+            logout-success-url="/saml/up/login?out" 
+            delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" 
+            invalidate-session="true" 
+            />
+    </security:http>	
+
+    <security:authentication-manager>
+        <security:authentication-provider ref="stsAuthProvider" />
+    </security:authentication-manager>
+	
+    <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+    
+    <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
/>
+
+    <bean id="commonsURLValidator"
+          class="org.apache.cxf.fediz.service.idp.beans.CommonsURLValidator" />
+	
+    <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
+        <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts-realmb/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
+        <property name="wsdlEndpoint" value="TransportUT_Port"/>
+        <property name="wsdlService" value="SecurityTokenService"/>
+        <property name="appliesTo" value="urn:fediz:idp"/>
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+    </bean>
+
+</beans>
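Review bot: The `bCryptPasswordEncoder` and `defaultPasswordEncoder` beans are declared but never referenced; every `security:password-encoder` element under `restAuthenticationManager` is commented out, so the `user-service` backed by `users.properties` compares credentials as plaintext. For a system test that is tolerable, but the two dead beans should either be dropped or one should be wired in with `<security:password-encoder ref="bCryptPasswordEncoder"/>` and hashed values in users.properties, so the file does not suggest hashing is active when it is not. The `wsdlLocation` on `stsAuthProvider` points at port `0`, which looks like a placeholder the test harness rewrites — if so, a comment such as `<!-- port is substituted by the test harness -->` would save the next reader from chasing it.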

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e87b5e86/systests/federation/unknown-subject/src/test/resources/sts/realms.xml
----------------------------------------------------------------------
diff --git a/systests/federation/unknown-subject/src/test/resources/sts/realms.xml b/systests/federation/unknown-subject/src/test/resources/sts/realms.xml
new file mode 100644
index 0000000..a34281d
--- /dev/null
+++ b/systests/federation/unknown-subject/src/test/resources/sts/realms.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:cxf="http://cxf.apache.org/core"
+    xmlns:jaxws="http://cxf.apache.org/jaxws"
+    xmlns:test="http://apache.org/hello_world_soap_http"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:http="http://cxf.apache.org/transports/http/configuration"
+    xmlns:sec="http://cxf.apache.org/configuration/security"
+    xsi:schemaLocation="
+        http://cxf.apache.org/core
+        http://cxf.apache.org/schemas/core.xsd
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://cxf.apache.org/jaxws
+        http://cxf.apache.org/schemas/jaxws.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd
+        http://cxf.apache.org/transports/http/configuration
+        http://cxf.apache.org/schemas/configuration/http-conf.xsd
+        http://cxf.apache.org/configuration/security
+        http://cxf.apache.org/schemas/configuration/security.xsd">
+
+    <bean id="claimsMapper" class="sts.DefaultClaimsMapper" />
+        
+    <util:list id="relationships">
+        <bean class="org.apache.cxf.sts.token.realm.Relationship">
+            <property name="sourceRealm" value="REALMB" />
+            <property name="targetRealm" value="REALMA" />
+            <property name="claimsMapper" ref="claimsMapper" />
+            <property name="type" value="FederatedClaims" />
+        </bean>
+    </util:list>
+
+    <bean id="realmA" class="org.apache.cxf.sts.token.realm.RealmProperties">
+        <property name="issuer" value="STS Realm A" />
+        <property name="signaturePropertiesFile" value="stsKeystoreA.properties" />
+        <property name="callbackHandlerClass"
+            value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
+    </bean>
+
+    <bean id="realmB" class="org.apache.cxf.sts.token.realm.RealmProperties">
+        <property name="issuer" value="STS Realm B" />
+        <property name="signaturePropertiesFile" value="stsKeystoreB.properties" />
+        <property name="callbackHandlerClass"
+            value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
+    </bean>
+
+    <util:map id="realms">
+        <entry key="REALMA" value-ref="realmA" />
+        <entry key="REALMB" value-ref="realmB" />
+    </util:map>
+    
+</beans>
+
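Review bot: The realm identifiers `REALMA` and `REALMB` are repeated as bare literals in three places — `sourceRealm`/`targetRealm` on the Relationship bean and the `entry` keys of the `realms` map — with nothing tying them together, so a typo in one is not caught when the context loads. A comment on the map would make the coupling explicit, e.g. `<!-- keys must match Relationship.sourceRealm / targetRealm above -->`. The file also ends with an extra blank line after `</beans>`, which the other new resource in this commit does not have.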

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e87b5e86/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml b/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml
index 33044a1..f96cd77 100644
--- a/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml
+++ b/systests/webapps/simpleWebapp/src/main/webapp/WEB-INF/web.xml
@@ -68,6 +68,9 @@
 		<role-name>User</role-name>
 	</security-role>
 	<security-role>
+		<role-name>USER</role-name>
+	</security-role>
+	<security-role>
 		<role-name>Admin</role-name>
 	</security-role>
 	<security-role>
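Review bot: `USER` is added directly beside the existing `User` role, and nothing in the file explains why two role names differing only in case are both declared; a reader is likely to treat one as a duplicate and remove it. The commit title suggests `USER` is the role asserted for the federated unknown-subject case, but that is inferred, not visible here. A comment on the new element would settle it, e.g. `<!-- USER is distinct from User: role matching is case-sensitive; both are needed by the federation systests -->`. The enclosing `<web-app>` element starts and ends outside this hunk.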

