This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/1.4.x-fixes by this push:
new 0fb9d96 Adding Spring Security OIDC systests
0fb9d96 is described below
commit 0fb9d96a83f260a7dd49031d40e9aff395a75aec
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Thu May 31 11:41:00 2018 +0100
Adding Spring Security OIDC systests
---
systests/oidc/pom.xml | 54 ++++
.../cxf/fediz/systests/oidc/OIDCSpringTest.java | 161 ++++++++++
.../src/test/resources/fediz_config_spring.xml | 59 ++++
.../resources/oidc/spring/applicationContext.xml | 350 +++++++++++++++++++++
.../oidc/src/test/resources/oidc/spring/web.xml | 79 +++++
5 files changed, 703 insertions(+)
diff --git a/systests/oidc/pom.xml b/systests/oidc/pom.xml
index a535cb2..ce33c09 100644
--- a/systests/oidc/pom.xml
+++ b/systests/oidc/pom.xml
@@ -70,6 +70,12 @@
<scope>test</scope>
</dependency>
<dependency>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-spring</artifactId>
+ <version>${project.version}</version>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-jdk14</artifactId>
<version>${slf4j.version}</version>
@@ -172,6 +178,14 @@
<outputDirectory>target/tomcat/rp/webapps/fediz-oidc-tomcat</outputDirectory>
</artifactItem>
<artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-oidc</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/rp/webapps/fediz-oidc-spring</outputDirectory>
+ </artifactItem>
+ <artifactItem>
<groupId>org.apache.cxf.fediz.systests</groupId>
<artifactId>fediz-systests-tests</artifactId>
<version>${project.version}</version>
@@ -197,6 +211,18 @@
<configuration>
<outputDirectory>${basedir}/target/tomcat/rp/webapps/fediz-oidc-tomcat/WEB-INF/lib</outputDirectory>
<includeScope>compile</includeScope>
+ <excludeGroupIds>org.springframework.security,org.apache.cxf.fediz</excludeGroupIds>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-extra-jars-to-oidc2</id>
+ <phase>package</phase>
+ <goals>
+ <goal>copy-dependencies</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/rp/webapps/fediz-oidc-spring/WEB-INF/lib</outputDirectory>
+ <includeScope>compile</includeScope>
</configuration>
</execution>
</executions>
@@ -243,6 +269,33 @@
</resources>
</configuration>
</execution>
+ <execution>
+ <id>copy-entities-to-oidc2</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/rp/webapps/fediz-oidc-spring/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/oidc</directory>
+ <includes>
+ <include>data-manager.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ <resource>
+ <directory>${basedir}/src/test/resources/oidc/spring</directory>
+ <includes>
+ <include>applicationContext.xml</include>
+ <include>web.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
</executions>
</plugin>
<plugin>
@@ -259,6 +312,7 @@
<tasks>
<delete>
<fileset dir="${basedir}/target/tomcat/rp/webapps/fediz-oidc-tomcat/META-INF"
includes="context.xml" />
+ <fileset dir="${basedir}/target/tomcat/rp/webapps/fediz-oidc-spring/META-INF"
includes="context.xml" />
</delete>
</tasks>
</configuration>
diff --git a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCSpringTest.java
b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCSpringTest.java
new file mode 100644
index 0000000..b35da23
--- /dev/null
+++ b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCSpringTest.java
@@ -0,0 +1,161 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.systests.oidc;
+
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.commons.io.IOUtils;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * Some OIDC tests where the OIDC is deployed and secured by the Fediz Spring plugin.
+ */
+public class OIDCSpringTest extends AbstractOIDCTest {
+
+ static String idpHttpsPort;
+ static String rpHttpsPort;
+
+ private static Tomcat idpServer;
+ private static Tomcat rpServer;
+
+ @BeforeClass
+ public static void init() throws Exception {
+ idpHttpsPort = System.getProperty("idp.https.port");
+ Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+ rpHttpsPort = System.getProperty("rp.https.port");
+ Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+ idpServer = startServer(true, idpHttpsPort);
+ rpServer = startServer(false, rpHttpsPort);
+
+ loginToClientsPage(rpHttpsPort, idpHttpsPort, "fediz-oidc-spring");
+ }
+
+ private static Tomcat startServer(boolean idp, String port)
+ throws ServletException, LifecycleException, IOException {
+ Tomcat server = new Tomcat();
+ server.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ String baseDir = currentDir + File.separator + "target";
+ server.setBaseDir(baseDir);
+
+ if (idp) {
+ server.getHost().setAppBase("tomcat/idp/webapps");
+ } else {
+ server.getHost().setAppBase("tomcat/rp/webapps");
+ }
+ server.getHost().setAutoDeploy(true);
+ server.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(port));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ httpsConnector.setAttribute("keyAlias", "mytomidpkey");
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "want");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ server.getService().addConnector(httpsConnector);
+
+ if (idp) {
+ File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(),
"fediz-idp-sts");
+ server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath());
+
+ File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(),
"fediz-idp");
+ server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath());
+ } else {
+ File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(),
"fediz-oidc-spring");
+ server.addWebapp("/fediz-oidc-spring", rpWebapp.getAbsolutePath());
+
+ // Substitute the IDP port. Necessary if running the test in eclipse where port
filtering doesn't seem
+ // to work
+ File f = new File(currentDir + "/src/test/resources/fediz_config_spring.xml");
+ FileInputStream inputStream = new FileInputStream(f);
+ String content = IOUtils.toString(inputStream, "UTF-8");
+ inputStream.close();
+ if (content.contains("idp.https.port")) {
+ content = content.replaceAll("\\$\\{idp.https.port\\}", "" + idpHttpsPort);
+
+ File f2 = new File(baseDir + "/test-classes/fediz_config_spring.xml");
+ try (FileOutputStream outputStream = new FileOutputStream(f2)) {
+ IOUtils.write(content, outputStream, "UTF-8");
+ }
+ }
+ }
+
+ server.start();
+
+ return server;
+ }
+
+ @AfterClass
+ public static void cleanup() throws Exception {
+ try {
+ loginToClientsPageAndDeleteClient(rpHttpsPort, idpHttpsPort, "fediz-oidc-spring");
+ } finally {
+ shutdownServer(idpServer);
+ shutdownServer(rpServer);
+ }
+ }
+
+ @Override
+ protected String getIdpHttpsPort() {
+ return idpHttpsPort;
+ }
+
+ @Override
+ protected String getRpHttpsPort() {
+ return rpHttpsPort;
+ }
+
+ @Override
+ protected String getServletContextName() {
+ return "fediz-oidc-spring";
+ }
+
+ @Override
+ @org.junit.Test
+ public void testClientCredentialsSTS() throws Exception {
+ // Not working with Spring
+ }
+
+ @Override
+ @org.junit.Test
+ public void testLogoutViaTokenHint() throws Exception {
+ // Not working with Spring
+ }
+}
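Review bot: The overrides of testClientCredentialsSTS and testLogoutViaTokenHint at the end of the hunk keep `@org.junit.Test` but have empty bodies, so both cases are reported green even though the comment says they do not work with the Spring plugin; replacing the annotation with `@org.junit.Ignore("Not working with Spring")` makes the gap visible in the test report instead of hiding it. In startServer, the FileInputStream opened on fediz_config_spring.xml is closed only on the happy path while the output stream a few lines later already uses try-with-resources; declare `String content;` beforehand and read with `try (FileInputStream inputStream = new FileInputStream(f)) { content = IOUtils.toString(inputStream, "UTF-8"); }`. The commented-out `// httpsConnector.setAttribute("clientAuth", "false");` line can be dropped rather than carried into a new file.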
diff --git a/systests/oidc/src/test/resources/fediz_config_spring.xml b/systests/oidc/src/test/resources/fediz_config_spring.xml
new file mode 100644
index 0000000..9e0aeb2
--- /dev/null
+++ b/systests/oidc/src/test/resources/fediz_config_spring.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!-- Place in Tomcat conf folder or other location as designated in this sample's file.
+ Keystore referenced below must have IDP STS' public cert included in it. This example
uses the
+ client Truststore (clienttrust.jks) for this task.
+ In Fediz 1.0, one keystore was used for SSL and the STS public certificate.
+-->
+<FedizConfig>
+ <contextConfig name="/fediz-oidc-spring">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:oidc</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks" password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:oidc</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <homeRealm type="Class">org.apache.cxf.fediz.service.oidc.handler.hrd.LoginHintHomeRealmDiscovery,org.apache.cxf.fediz.service.oidc.handler.hrd.ClientIdHomeRealmDiscovery</homeRealm>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+ <reply>/j_spring_fediz_security_check</reply>
+ <claimTypesRequested>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false"
/>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true"
/>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectToConstraint type="Class">org.apache.cxf.fediz.service.oidc.logout.LogoutRedirectConstraintHandler</logoutRedirectToConstraint>
+ </contextConfig>
+</FedizConfig>
+
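Review bot: `<maximumClockSkew>1000</maximumClockSkew>` accepts a very wide clock skew for tokens issued by an IdP that, in this systest, runs on the same host; if the unit is seconds (the Fediz default is documented as 5), the token validity window is stretched by more than 16 minutes. Unless the wide window is needed to match the other OIDC systest config, a value close to the default such as `<maximumClockSkew>5</maximumClockSkew>` keeps the test closer to a realistic deployment. Two `<homeRealm>` elements (type "Class" and type "String") appear in the same protocol block; it is worth confirming from the schema which one the parser keeps, and a short comment on why both are present would help the next reader.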
diff --git a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
new file mode 100644
index 0000000..0dc4aba
--- /dev/null
+++ b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
@@ -0,0 +1,350 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xmlns:springsec="http://www.springframework.org/schema/security"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xsi:schemaLocation="
+ http://cxf.apache.org/core
+ http://cxf.apache.org/schemas/core.xsd
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+ http://cxf.apache.org/jaxrs
+ http://cxf.apache.org/schemas/jaxrs.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-4.3.xsd
+ http://cxf.apache.org/transports/http/configuration
+ http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
+ http://cxf.apache.org/configuration/security
+ http://cxf.apache.org/schemas/configuration/security.xsd">
+
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <import resource="data-manager.xml" />
+
+
+<!-- DIABLE in production as it might log confidential information about the user -->
+ <springsec:debug />
+
+ <springsec:http entry-point-ref="federationEntryPoint" use-expressions="true">
+ <springsec:intercept-url pattern="/**" access="isAuthenticated()"/>
+ <springsec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
+ <springsec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
+ <springsec:custom-filter ref="federationSignOutCleanupFilter" position="PRE_AUTH_FILTER"/>
+ <springsec:session-management session-authentication-strategy-ref="sas"/>
+ <springsec:csrf disabled="true"/>
+ </springsec:http>
+
+
+ <springsec:authentication-manager alias="authManager">
+ <springsec:authentication-provider ref="federationAuthProvider" />
+ </springsec:authentication-manager>
+
+ <bean id="fedizConfig" class="org.apache.cxf.fediz.spring.FederationConfigImpl" init-method="init"
+ p:configFile="file:./target/test-classes/fediz_config_spring.xml" />
+
+ <bean id="federationEntryPoint"
+ class="org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint"
+ p:federationConfig-ref="fedizConfig" />
+
+ <bean id="federationFilter"
+ class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter"
+ p:authenticationManager-ref="authManager"
+ p:federationConfig-ref="fedizConfig">
+
+ <property name="authenticationFailureHandler">
+ <bean class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFailureHandler"
p:federationConfig-ref="fedizConfig" />
+ </property>
+ </bean>
+
+ <bean id="federationAuthProvider" class="org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider"
+ p:federationConfig-ref="fedizConfig">
+ <property name="authenticationUserDetailsService">
+ <bean class="org.apache.cxf.fediz.spring.authentication.GrantedAuthoritiesUserDetailsFederationService"/>
+ </property>
+ </bean>
+
+ <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"
/>
+
+ <bean id="logoutFilter" class="org.apache.cxf.fediz.spring.web.FederationLogoutFilter">
+ <constructor-arg name="logoutSuccessHandler" ref="federationLogoutSuccessHandler"/>
+ <constructor-arg name="handlers">
+ <list>
+ <ref bean="securityContextLogoutHandler"/>
+ </list>
+ </constructor-arg>
+ <property name="federationConfig" ref="fedizConfig"/>
+ </bean>
+
+ <bean id="federationLogoutSuccessHandler" class="org.apache.cxf.fediz.spring.web.FederationLogoutSuccessHandler">
+ <property name="federationConfig" ref="fedizConfig"/>
+ </bean>
+
+ <bean id="securityContextLogoutHandler" name="securityContextLogoutHandler"
+ class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
+ </bean>
+
+ <bean id="federationSignOutCleanupFilter" class="org.apache.cxf.fediz.spring.web.FederationSignOutCleanupFilter"/>
+
+ <!-- Supports OIDC Authorization Code flow -->
+ <util:list id="scopesRequiringNoConsent">
+ <value>openid</value>
+ <value>roles</value>
+ </util:list>
+ <bean id="oidcAuthorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="subjectCreator" ref="subjectCreator"/>
+ <property name="scopesRequiringNoConsent" ref="scopesRequiringNoConsent"/>
+ <!--
+ <property name="useAllClientScopes" value="true"/>
+ -->
+ <property name="canSupportPublicClients" value="true"/>
+ </bean>
+ <!-- Supports OIDC Implicit and Hybrid flows -->
+ <bean id="oidcHybridService" class="org.apache.cxf.rs.security.oidc.idp.OidcHybridService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="subjectCreator" ref="subjectCreator"/>
+ <property name="scopesRequiringNoConsent" ref="scopesRequiringNoConsent"/>
+ <property name="responseFilter" ref="idTokenFilter"/>
+ <property name="codeService" ref="oidcAuthorizationService"/>
+ </bean>
+
+ <util:list id="oidcServices">
+ <ref bean="oidcAuthorizationService"/>
+ <ref bean="oidcHybridService"/>
+ </util:list>
+
+ <!-- Service which makes Code, Implicit and Hybrid flow available
+ at the same relative "/authorize" address -->
+ <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationService">
+ <property name="services" ref="oidcServices"/>
+ </bean>
+
+ <bean id="tokenCleanupHandler" class="org.apache.cxf.fediz.service.oidc.logout.TokenCleanupHandler">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <bean id="logoutService" class="org.apache.cxf.fediz.service.oidc.logout.LogoutService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="relativeIdpLogoutUri" value="../../secure/logout"/>
+ <property name="logoutHandlers" ref="tokenCleanupHandler"/>
+ </bean>
+
+ <!-- Service supporting all OIDC Core flows -->
+ <jaxrs:server address="/idp">
+ <jaxrs:serviceBeans>
+ <ref bean="authorizationService"/>
+ <ref bean="logoutService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="viewProvider"/>
+ <ref bean="oauthJsonProvider"/>
+ </jaxrs:providers>
+ <jaxrs:properties>
+ <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+ <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <!--
+ Public JWK Key Service: Disable it if the client secret is used or if
+ pre-installing public OIDC keys to clients is preferred
+ -->
+ <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
+ <jaxrs:server address="/jwk">
+ <jaxrs:serviceBeans>
+ <ref bean="oidcKeysService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="corsFilter"/>
+ <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/>
+ </jaxrs:providers>
+ <jaxrs:properties>
+ <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+ <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+
+ <bean id="oauth2TokenValidationFilter" class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="audienceIsEndpointAddress" value="false"/>
+ </bean>
+
+ <!-- User Info Service -->
+ <bean id="userInfoService" class="org.apache.cxf.rs.security.oidc.idp.UserInfoService">
+ <property name="oauthDataProvider" ref="oauthProvider"/>
+ <property name="jwsRequired" value="false"/>
+ </bean>
+ <jaxrs:server address="/users">
+ <jaxrs:serviceBeans>
+ <ref bean="userInfoService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="corsFilter"/>
+ <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/>
+ <ref bean="oauth2TokenValidationFilter"/>
+ </jaxrs:providers>
+ </jaxrs:server>
+
+ <bean id="keyPasswordProvider" class="org.apache.cxf.fediz.service.oidc.PrivateKeyPasswordProviderImpl"/>
+
+ <!-- Client Registration Service -->
+ <bean id="clientRegService" init-method="init"
+ class="org.apache.cxf.fediz.service.oidc.clients.ClientRegistrationService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="clientProvider" ref="oauthProvider"/>
+ <!--
+ <property name="clientScopes" ref="supportedScopes"/>
+ -->
+ <property name="homeRealms">
+ <map>
+ <entry key="urn:org:apache:cxf:fediz:idp:realm-A" value="IDP of Realm A" />
+ <entry key="urn:org:apache:cxf:fediz:idp:realm-B" value="IDP of Realm B" />
+ </map>
+ </property>
+ <property name="additionalTLDs">
+ <list>
+ <value>domain123</value>
+ <value>corp</value>
+ <value>domain456</value>
+ </list>
+ </property>
+ </bean>
+
+ <!-- Console linking to the client registration service -->
+ <bean id="consoleService" class="org.apache.cxf.fediz.service.oidc.console.UserConsoleService">
+ <property name="clientRegService" ref="clientRegService"/>
+ </bean>
+ <jaxrs:server address="/console">
+ <jaxrs:serviceBeans>
+ <ref bean="consoleService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="viewProvider"/>
+ </jaxrs:providers>
+ </jaxrs:server>
+
+ <bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
+ <property name="useClassNames" value="true"/>
+ <property name="locationPrefix" value="/WEB-INF/views/"/>
+ <property name="beanName" value="data"/>
+ <property name="dispatcherName" value="jsp"/>
+ <property name="resourcePaths">
+ <map>
+ <entry key="/remove" value="/WEB-INF/views/registeredClients.jsp"/>
+ </map>
+ </property>
+ <property name="classResources">
+ <map>
+ <entry key="org.apache.cxf.fediz.service.oidc.clients.InvalidRegistration"
value="/WEB-INF/views/invalidRegistration.jsp"/>
+ </map>
+ </property>
+ </bean>
+
+ <!-- AccessTokenService response filter which adds IdTokens to client responses -->
+ <bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter">
+ <!--
+ <property name="signWithClientSecret" value="true"/>
+ -->
+ </bean>
+ <!-- Cors filter for endpoints used by implicit flow (by js clients) -->
+ <util:list id="implicitFlowAllowHeaders">
+ <value>Authorization</value>
+ </util:list>
+ <bean id="corsFilter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
+ <property name="allowHeaders" ref="implicitFlowAllowHeaders"/>
+ </bean>
+ <bean id="refreshTokenHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <bean id="clientCredsHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <util:list id="grantHandlers">
+ <ref bean="refreshTokenHandler"/>
+ <!-- Add more custom grant handlers as needed -->
+ <ref bean="clientCredsHandler"/>
+ </util:list>
+ <!-- Access Token service -->
+ <bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="responseFilter" ref="idTokenFilter"/>
+ <property name="grantHandlers" ref="grantHandlers"/>
+ <property name="canSupportPublicClients" value="true"/>
+ </bean>
+ <!-- Access Token Revocation service -->
+ <bean id="accessTokenRevocationService" class="org.apache.cxf.rs.security.oauth2.services.TokenRevocationService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+ <!-- Access Token Introspection service -->
+ <bean id="accessTokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="blockUnauthorizedRequests" value="false"/>
+ </bean>
+ <bean id="oauthJsonProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
+ <jaxrs:server address="/oauth2">
+ <jaxrs:serviceBeans>
+ <ref bean="accessTokenService"/>
+ <ref bean="accessTokenIntrospectionService"/>
+ <ref bean="accessTokenRevocationService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="oauthJsonProvider"/>
+ </jaxrs:providers>
+ <jaxrs:properties>
+ <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+ <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <!-- .well-known OIDC Configuration Service -->
+ <bean id="oidcConfigService" class="org.apache.cxf.rs.security.oidc.idp.OidcConfigurationService"/>
+ <jaxrs:server address="/.well-known">
+ <jaxrs:serviceBeans>
+ <ref bean="oidcConfigService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:properties>
+ <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+ <http:conduit name="*.http-conduit">
+ <http:tlsClientParameters
+ disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="tompass" resource="server.jks" />
+ </sec:trustManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+
+</beans>
+
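Review bot: `<springsec:csrf disabled="true"/>` in the springsec:http block turns off CSRF protection for the whole filter chain with no explanation, while the neighbouring `<springsec:debug />` at least carries a "disable in production" warning (misspelled `DIABLE`). A comment along the lines of `<!-- CSRF disabled for this systest only; presumably needed because the IdP posts the sign-in response to /j_spring_fediz_security_check without a CSRF token. Re-enable, exempting only the federation reply URL, before reusing this config outside tests -->` would stop the setting being copied as-is. The same applies to `disableCNCheck="true"` on the `*.http-conduit` at the bottom of the file, which disables hostname verification for every outbound TLS connection and deserves a test-only marker.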
diff --git a/systests/oidc/src/test/resources/oidc/spring/web.xml b/systests/oidc/src/test/resources/oidc/spring/web.xml
new file mode 100644
index 0000000..fd75a9e
--- /dev/null
+++ b/systests/oidc/src/test/resources/oidc/spring/web.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0" metadata-complete="true">
+
+ <description>Apache CXF Fediz OIDC service</description>
+ <display-name>Apache CXF Fediz OIDC service</display-name>
+
+ <session-config>
+ <cookie-config>
+ <http-only>true</http-only>
+ <secure>true</secure>
+ </cookie-config>
+ <tracking-mode>COOKIE</tracking-mode>
+ </session-config>
+
+ <!-- Optional: Cache the security token in Thread Local Storage -->
+ <filter>
+ <filter-name>FederationFilter</filter-name>
+ <filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>FederationFilter</filter-name>
+ <url-pattern>/idp/*</url-pattern>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>FederationFilter</filter-name>
+ <url-pattern>/console/*</url-pattern>
+ </filter-mapping>
+
+ <context-param>
+ <param-name>contextConfigLocation</param-name>
+ <param-value>/WEB-INF/applicationContext.xml</param-value>
+ </context-param>
+
+ <filter>
+ <filter-name>springSecurityFilterChain</filter-name>
+ <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>springSecurityFilterChain</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <listener>
+ <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+ </listener>
+
+ <servlet>
+ <servlet-name>FederationServlet</servlet-name>
+ <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name>FederationServlet</servlet-name>
+ <url-pattern>/*</url-pattern>
+ </servlet-mapping>
+
+</web-app>
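Review bot: The FederationFilter filter-mappings for /idp/* and /console/* are declared before the springSecurityFilterChain mapping, and the servlet container invokes filters in filter-mapping declaration order, so on those paths the core FederationFilter runs before Spring Security has authenticated the request. If FederationFilter depends on a principal established by the Spring federation filter (the comment says it caches the security token in thread-local storage), it would see none at that point; confirm the intended order, and if Spring must run first move the two FederationFilter mappings below the springSecurityFilterChain mapping. The comment "Optional: Cache the security token in Thread Local Storage" could also state what reads that cached token in this deployment.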