
From cohei...@apache.org
Subject [cxf-fediz] branch 1.4.x-fixes updated: Adding Spring Security OIDC systests
Date Thu, 31 May 2018 11:20:07 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/1.4.x-fixes by this push:
     new 0fb9d96  Adding Spring Security OIDC systests
0fb9d96 is described below

commit 0fb9d96a83f260a7dd49031d40e9aff395a75aec
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Thu May 31 11:41:00 2018 +0100

    Adding Spring Security OIDC systests
---
 systests/oidc/pom.xml                              |  54 ++++
 .../cxf/fediz/systests/oidc/OIDCSpringTest.java    | 161 ++++++++++
 .../src/test/resources/fediz_config_spring.xml     |  59 ++++
 .../resources/oidc/spring/applicationContext.xml   | 350 +++++++++++++++++++++
 .../oidc/src/test/resources/oidc/spring/web.xml    |  79 +++++
 5 files changed, 703 insertions(+)

diff --git a/systests/oidc/pom.xml b/systests/oidc/pom.xml
index a535cb2..ce33c09 100644
--- a/systests/oidc/pom.xml
+++ b/systests/oidc/pom.xml
@@ -70,6 +70,12 @@
             <scope>test</scope>
         </dependency>
         <dependency>
+            <groupId>org.apache.cxf.fediz</groupId>
+            <artifactId>fediz-spring</artifactId>
+            <version>${project.version}</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-jdk14</artifactId>
             <version>${slf4j.version}</version>
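Review bot: fediz-spring is declared with `<scope>compile</scope>` while the neighbouring dependencies in this block are `<scope>test</scope>`, and nothing at the declaration says why. The reason is the `copy-extra-jars-to-oidc2` execution added later in this commit, which populates fediz-oidc-spring/WEB-INF/lib with `<includeScope>compile</includeScope>`, so a later "cleanup" that normalises the scope to test would silently leave the Spring webapp without the plugin jar. A one-line comment on the dependency, `<!-- compile scope on purpose: copy-extra-jars-to-oidc2 bundles it into fediz-oidc-spring/WEB-INF/lib -->`, would prevent that.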
@@ -172,6 +178,14 @@
                                     <outputDirectory>target/tomcat/rp/webapps/fediz-oidc-tomcat</outputDirectory>
                                 </artifactItem>
                                 <artifactItem>
+                                    <groupId>org.apache.cxf.fediz</groupId>
+                                    <artifactId>fediz-oidc</artifactId>
+                                    <version>${project.version}</version>
+                                    <type>war</type>
+                                    <overWrite>true</overWrite>
+                                    <outputDirectory>target/tomcat/rp/webapps/fediz-oidc-spring</outputDirectory>
+                                </artifactItem>
+                                <artifactItem>
                                     <groupId>org.apache.cxf.fediz.systests</groupId>
                                     <artifactId>fediz-systests-tests</artifactId>
                                     <version>${project.version}</version>
@@ -197,6 +211,18 @@
                         <configuration>
                             <outputDirectory>${basedir}/target/tomcat/rp/webapps/fediz-oidc-tomcat/WEB-INF/lib</outputDirectory>
                              <includeScope>compile</includeScope>
+                             <excludeGroupIds>org.springframework.security,org.apache.cxf.fediz</excludeGroupIds>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-extra-jars-to-oidc2</id>
+                        <phase>package</phase>
+                        <goals>
+                          <goal>copy-dependencies</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/tomcat/rp/webapps/fediz-oidc-spring/WEB-INF/lib</outputDirectory>
+                             <includeScope>compile</includeScope>
                         </configuration>
                     </execution>
                 </executions>
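Review bot: In the new `copy-extra-jars-to-oidc2` execution the `<includeScope>` line is indented one column deeper than its sibling `<outputDirectory>`, and `<goal>` sits two columns shallower than the surrounding four-space style; both quirks are copied from the existing execution just above, so the drift is now duplicated. Aligning the new block to four-space indentation (and ideally the old one in the same pass) keeps the two executions visibly parallel, which matters here because the only intended difference between them is the output directory and the added `<excludeGroupIds>` on the tomcat one.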
@@ -243,6 +269,33 @@
                             </resources>              
                         </configuration>            
                     </execution>
+                    <execution>
+                        <id>copy-entities-to-oidc2</id>
+                        <phase>generate-test-sources</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/tomcat/rp/webapps/fediz-oidc-spring/WEB-INF</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/src/test/resources/oidc</directory>
+                                    <includes>
+                                        <include>data-manager.xml</include>
+                                    </includes>
+                                    <filtering>true</filtering>
+                                </resource>
+                                <resource>
+                                    <directory>${basedir}/src/test/resources/oidc/spring</directory>
+                                    <includes>
+                                        <include>applicationContext.xml</include>
+                                        <include>web.xml</include>
+                                    </includes>
+                                    <filtering>true</filtering>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
                 </executions>
             </plugin>
             <plugin>
@@ -259,6 +312,7 @@
                             <tasks>
                                 <delete>
                                     <fileset dir="${basedir}/target/tomcat/rp/webapps/fediz-oidc-tomcat/META-INF"
includes="context.xml" />
+                                    <fileset dir="${basedir}/target/tomcat/rp/webapps/fediz-oidc-spring/META-INF"
includes="context.xml" />
                                 </delete>
                             </tasks>
                         </configuration>
diff --git a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCSpringTest.java
b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCSpringTest.java
new file mode 100644
index 0000000..b35da23
--- /dev/null
+++ b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCSpringTest.java
@@ -0,0 +1,161 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.systests.oidc;
+
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.commons.io.IOUtils;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+
+/**
+ * Some OIDC tests where the OIDC is deployed and secured by the Fediz Spring plugin.
+ */
+public class OIDCSpringTest extends AbstractOIDCTest {
+
+    static String idpHttpsPort;
+    static String rpHttpsPort;
+
+    private static Tomcat idpServer;
+    private static Tomcat rpServer;
+
+    @BeforeClass
+    public static void init() throws Exception {
+        idpHttpsPort = System.getProperty("idp.https.port");
+        Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+        rpHttpsPort = System.getProperty("rp.https.port");
+        Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
+
+        idpServer = startServer(true, idpHttpsPort);
+        rpServer = startServer(false, rpHttpsPort);
+
+        loginToClientsPage(rpHttpsPort, idpHttpsPort, "fediz-oidc-spring");
+    }
+
+    private static Tomcat startServer(boolean idp, String port)
+        throws ServletException, LifecycleException, IOException {
+        Tomcat server = new Tomcat();
+        server.setPort(0);
+        String currentDir = new File(".").getCanonicalPath();
+        String baseDir = currentDir + File.separator + "target";
+        server.setBaseDir(baseDir);
+
+        if (idp) {
+            server.getHost().setAppBase("tomcat/idp/webapps");
+        } else {
+            server.getHost().setAppBase("tomcat/rp/webapps");
+        }
+        server.getHost().setAutoDeploy(true);
+        server.getHost().setDeployOnStartup(true);
+
+        Connector httpsConnector = new Connector();
+        httpsConnector.setPort(Integer.parseInt(port));
+        httpsConnector.setSecure(true);
+        httpsConnector.setScheme("https");
+        httpsConnector.setAttribute("keyAlias", "mytomidpkey");
+        httpsConnector.setAttribute("keystorePass", "tompass");
+        httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+        httpsConnector.setAttribute("truststorePass", "tompass");
+        httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+        httpsConnector.setAttribute("clientAuth", "want");
+        // httpsConnector.setAttribute("clientAuth", "false");
+        httpsConnector.setAttribute("sslProtocol", "TLS");
+        httpsConnector.setAttribute("SSLEnabled", true);
+
+        server.getService().addConnector(httpsConnector);
+
+        if (idp) {
+            File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(),
"fediz-idp-sts");
+            server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath());
+
+            File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(),
"fediz-idp");
+            server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath());
+        } else {
+            File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(),
"fediz-oidc-spring");
+            server.addWebapp("/fediz-oidc-spring", rpWebapp.getAbsolutePath());
+
+            // Substitute the IDP port. Necessary if running the test in eclipse where port
filtering doesn't seem
+            // to work
+            File f = new File(currentDir + "/src/test/resources/fediz_config_spring.xml");
+            FileInputStream inputStream = new FileInputStream(f);
+            String content = IOUtils.toString(inputStream, "UTF-8");
+            inputStream.close();
+            if (content.contains("idp.https.port")) {
+                content = content.replaceAll("\\$\\{idp.https.port\\}", "" + idpHttpsPort);
+
+                File f2 = new File(baseDir + "/test-classes/fediz_config_spring.xml");
+                try (FileOutputStream outputStream = new FileOutputStream(f2)) {
+                    IOUtils.write(content, outputStream, "UTF-8");
+                }
+            }
+        }
+
+        server.start();
+
+        return server;
+    }
+
+    @AfterClass
+    public static void cleanup() throws Exception {
+        try {
+            loginToClientsPageAndDeleteClient(rpHttpsPort, idpHttpsPort, "fediz-oidc-spring");
+        } finally {
+            shutdownServer(idpServer);
+            shutdownServer(rpServer);
+        }
+    }
+
+    @Override
+    protected String getIdpHttpsPort() {
+        return idpHttpsPort;
+    }
+
+    @Override
+    protected String getRpHttpsPort() {
+        return rpHttpsPort;
+    }
+    
+    @Override
+    protected String getServletContextName() {
+        return "fediz-oidc-spring";
+    }
+
+    @Override
+    @org.junit.Test
+    public void testClientCredentialsSTS() throws Exception {
+        // Not working with Spring
+    }
+    
+    @Override
+    @org.junit.Test
+    public void testLogoutViaTokenHint() throws Exception {
+        // Not working with Spring
+    }
+}
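Review bot: In startServer the config rewrite opens `new FileInputStream(f)` and closes it with a bare `inputStream.close()` after `IOUtils.toString`, so an exception from the read leaks the handle, while the write a few lines below already uses try-with-resources; use the same form for the read: declare `String content;` and then `try (FileInputStream inputStream = new FileInputStream(f)) { content = IOUtils.toString(inputStream, "UTF-8"); }`. Separately, testClientCredentialsSTS and testLogoutViaTokenHint are overridden with empty bodies but keep `@org.junit.Test`, so two flows the comments mark as "Not working with Spring" are reported as passing tests; annotating them `@org.junit.Ignore("Not working with Spring")` instead keeps the gap visible in the test report rather than hiding it as green.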
diff --git a/systests/oidc/src/test/resources/fediz_config_spring.xml b/systests/oidc/src/test/resources/fediz_config_spring.xml
new file mode 100644
index 0000000..9e0aeb2
--- /dev/null
+++ b/systests/oidc/src/test/resources/fediz_config_spring.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<!-- Place in Tomcat conf folder or other location as designated in this sample's file.

+     Keystore referenced below must have IDP STS' public cert included in it.  This example
uses the
+     client Truststore (clienttrust.jks) for this task.
+     In Fediz 1.0, one keystore was used for SSL and the STS public certificate.
+-->
+<FedizConfig>
+	<contextConfig name="/fediz-oidc-spring">
+		<audienceUris>
+			<audienceItem>urn:org:apache:cxf:fediz:oidc</audienceItem>
+		</audienceUris>
+		<certificateStores>
+			<trustManager>
+				<keyStore file="test-classes/clienttrust.jks" password="storepass" type="JKS" />
+			</trustManager>
+		</certificateStores>
+		<trustedIssuers>
+			<issuer certificateValidation="PeerTrust" />
+		</trustedIssuers>
+		<maximumClockSkew>1000</maximumClockSkew>
+		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+			xsi:type="federationProtocolType" version="1.0.0">
+			<realm>urn:org:apache:cxf:fediz:oidc</realm>
+			<issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+            <homeRealm type="Class">org.apache.cxf.fediz.service.oidc.handler.hrd.LoginHintHomeRealmDiscovery,org.apache.cxf.fediz.service.oidc.handler.hrd.ClientIdHomeRealmDiscovery</homeRealm>
+			<roleDelimiter>,</roleDelimiter>
+			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+			<homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+			<reply>/j_spring_fediz_security_check</reply>
+			<claimTypesRequested>
+				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false"
/>
+				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
optional="true" />
+				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true"
/>
+				<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
optional="true" />
+			</claimTypesRequested>
+		</protocol>
+		<logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectToConstraint type="Class">org.apache.cxf.fediz.service.oidc.logout.LogoutRedirectConstraintHandler</logoutRedirectToConstraint>
+	</contextConfig>
+</FedizConfig>
+
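Review bot: The `<protocol>` element carries two `<homeRealm>` children: one with `type="Class"` listing the LoginHint and ClientId home-realm-discovery handlers, and a few lines later one with `type="String"` fixing realm-A. If the Fediz configuration schema models homeRealm as a single element, the file will either fail validation or only one of the two will take effect, and which one depends on the parser; keeping a single `<homeRealm>`, or adding a comment stating which is intended to win, makes the test's home-realm behaviour deterministic. The `${idp.https.port}` placeholder in `<issuer>` is presumably intentional because OIDCSpringTest rewrites this file into target/test-classes at startup, but a one-line comment on the element saying so would spare the next reader a search.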
diff --git a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
new file mode 100644
index 0000000..0dc4aba
--- /dev/null
+++ b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
@@ -0,0 +1,350 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:cxf="http://cxf.apache.org/core"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:jaxrs="http://cxf.apache.org/jaxrs" 
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:http="http://cxf.apache.org/transports/http/configuration"
+    xmlns:sec="http://cxf.apache.org/configuration/security"
+    xmlns:springsec="http://www.springframework.org/schema/security"
+    xmlns:p="http://www.springframework.org/schema/p"
+    xsi:schemaLocation="
+        http://cxf.apache.org/core
+        http://cxf.apache.org/schemas/core.xsd
+		http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+        http://cxf.apache.org/jaxrs
+        http://cxf.apache.org/schemas/jaxrs.xsd
+        http://www.springframework.org/schema/util 
+        http://www.springframework.org/schema/util/spring-util-4.3.xsd
+        http://cxf.apache.org/transports/http/configuration
+        http://cxf.apache.org/schemas/configuration/http-conf.xsd
+        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd

+        http://cxf.apache.org/configuration/security
+        http://cxf.apache.org/schemas/configuration/security.xsd">
+
+	<cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+		
+    <import resource="data-manager.xml" />
+    
+    
+<!-- DIABLE in production as it might log confidential information about the user -->
+    <springsec:debug />
+
+    <springsec:http entry-point-ref="federationEntryPoint" use-expressions="true">
+        <springsec:intercept-url pattern="/**" access="isAuthenticated()"/>
+        <springsec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
+        <springsec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
+        <springsec:custom-filter ref="federationSignOutCleanupFilter" position="PRE_AUTH_FILTER"/>
+        <springsec:session-management session-authentication-strategy-ref="sas"/>
+        <springsec:csrf disabled="true"/>
+    </springsec:http>
+
+
+    <springsec:authentication-manager alias="authManager">
+        <springsec:authentication-provider ref="federationAuthProvider" />
+    </springsec:authentication-manager>
+
+    <bean id="fedizConfig" class="org.apache.cxf.fediz.spring.FederationConfigImpl" init-method="init"
+        p:configFile="file:./target/test-classes/fediz_config_spring.xml" />
+
+    <bean id="federationEntryPoint"
+        class="org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint"
+        p:federationConfig-ref="fedizConfig" />
+
+    <bean id="federationFilter"
+        class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter"
+        p:authenticationManager-ref="authManager"
+        p:federationConfig-ref="fedizConfig">
+
+        <property name="authenticationFailureHandler">
+            <bean class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFailureHandler"
p:federationConfig-ref="fedizConfig" />
+        </property>
+    </bean>
+    
+    <bean id="federationAuthProvider" class="org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider"
+        p:federationConfig-ref="fedizConfig">
+        <property name="authenticationUserDetailsService">
+            <bean class="org.apache.cxf.fediz.spring.authentication.GrantedAuthoritiesUserDetailsFederationService"/>
+        </property>
+    </bean>
+
+    <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"
/>
+
+    <bean id="logoutFilter" class="org.apache.cxf.fediz.spring.web.FederationLogoutFilter">
+        <constructor-arg  name="logoutSuccessHandler" ref="federationLogoutSuccessHandler"/>
+        <constructor-arg  name="handlers">
+            <list>
+                <ref bean="securityContextLogoutHandler"/>
+            </list>
+        </constructor-arg>
+        <property name="federationConfig" ref="fedizConfig"/>
+    </bean>
+
+    <bean id="federationLogoutSuccessHandler" class="org.apache.cxf.fediz.spring.web.FederationLogoutSuccessHandler">
+        <property name="federationConfig" ref="fedizConfig"/>
+    </bean>
+
+    <bean id="securityContextLogoutHandler" name="securityContextLogoutHandler"
+          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
+    </bean>
+
+    <bean id="federationSignOutCleanupFilter" class="org.apache.cxf.fediz.spring.web.FederationSignOutCleanupFilter"/>
+    
+    <!-- Supports OIDC Authorization Code flow -->
+    <util:list id="scopesRequiringNoConsent">
+        <value>openid</value>
+        <value>roles</value>
+    </util:list>
+    <bean id="oidcAuthorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService">
+         <property name="dataProvider" ref="oauthProvider"/>
+         <property name="subjectCreator" ref="subjectCreator"/>
+         <property name="scopesRequiringNoConsent" ref="scopesRequiringNoConsent"/>
+         <!--
+         <property name="useAllClientScopes" value="true"/>
+         -->
+         <property name="canSupportPublicClients" value="true"/>
+    </bean>
+    <!-- Supports OIDC Implicit and Hybrid flows -->
+    <bean id="oidcHybridService" class="org.apache.cxf.rs.security.oidc.idp.OidcHybridService">
+         <property name="dataProvider" ref="oauthProvider"/>
+         <property name="subjectCreator" ref="subjectCreator"/>
+         <property name="scopesRequiringNoConsent" ref="scopesRequiringNoConsent"/>
+         <property name="responseFilter" ref="idTokenFilter"/>
+         <property name="codeService" ref="oidcAuthorizationService"/>
+    </bean>
+    
+    <util:list id="oidcServices">
+        <ref bean="oidcAuthorizationService"/>
+        <ref bean="oidcHybridService"/>
+    </util:list>
+    
+    <!-- Service which makes Code, Implicit and Hybrid flow available 
+         at the same relative "/authorize" address -->
+    <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationService">
+         <property name="services" ref="oidcServices"/>
+    </bean>
+    
+    <bean id="tokenCleanupHandler" class="org.apache.cxf.fediz.service.oidc.logout.TokenCleanupHandler">
+         <property name="dataProvider" ref="oauthProvider"/>
+    </bean>
+    
+    <bean id="logoutService" class="org.apache.cxf.fediz.service.oidc.logout.LogoutService">
+         <property name="dataProvider" ref="oauthProvider"/>
+         <property name="relativeIdpLogoutUri" value="../../secure/logout"/>
+         <property name="logoutHandlers" ref="tokenCleanupHandler"/>
+    </bean>
+    
+    <!-- Service supporting all OIDC Core flows -->
+    <jaxrs:server address="/idp">
+        <jaxrs:serviceBeans>
+           <ref bean="authorizationService"/>
+           <ref bean="logoutService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="viewProvider"/>
+            <ref bean="oauthJsonProvider"/>
+        </jaxrs:providers>
+        <jaxrs:properties>
+            <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+            <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
+    <!-- 
+         Public JWK Key Service: Disable it if the client secret is used or if 
+         pre-installing public OIDC keys to clients is preferred
+    --> 
+    <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
+    <jaxrs:server address="/jwk">
+        <jaxrs:serviceBeans>
+           <ref bean="oidcKeysService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="corsFilter"/>
+            <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/>
+        </jaxrs:providers>
+        <jaxrs:properties>
+            <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+            <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
+    
+    <bean id="oauth2TokenValidationFilter" class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
+         <property name="dataProvider" ref="oauthProvider"/>
+         <property name="audienceIsEndpointAddress" value="false"/>
+    </bean>
+     
+    <!-- User Info Service --> 
+    <bean id="userInfoService" class="org.apache.cxf.rs.security.oidc.idp.UserInfoService">
+        <property name="oauthDataProvider" ref="oauthProvider"/>
+        <property name="jwsRequired" value="false"/>
+    </bean>
+    <jaxrs:server address="/users">
+        <jaxrs:serviceBeans>
+           <ref bean="userInfoService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="corsFilter"/>
+            <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/>
+            <ref bean="oauth2TokenValidationFilter"/>
+        </jaxrs:providers>
+    </jaxrs:server>
+    
+    <bean id="keyPasswordProvider" class="org.apache.cxf.fediz.service.oidc.PrivateKeyPasswordProviderImpl"/>
+    
+    <!-- Client Registration Service -->
+    <bean id="clientRegService" init-method="init" 
+       class="org.apache.cxf.fediz.service.oidc.clients.ClientRegistrationService">
+       <property name="dataProvider" ref="oauthProvider"/>
+       <property name="clientProvider" ref="oauthProvider"/>
+       <!-- 
+           <property name="clientScopes" ref="supportedScopes"/>
+       -->
+       <property name="homeRealms">
+          <map>
+            <entry key="urn:org:apache:cxf:fediz:idp:realm-A" value="IDP of Realm A" />
+            <entry key="urn:org:apache:cxf:fediz:idp:realm-B" value="IDP of Realm B" />
+          </map>
+       </property>
+       <property name="additionalTLDs">
+           <list>
+               <value>domain123</value>
+               <value>corp</value>
+               <value>domain456</value>
+           </list>
+       </property>
+    </bean>
+    
+    <!-- Console linking to the client registration service -->
+    <bean id="consoleService" class="org.apache.cxf.fediz.service.oidc.console.UserConsoleService">
+        <property name="clientRegService" ref="clientRegService"/>
+    </bean>
+    <jaxrs:server address="/console">
+        <jaxrs:serviceBeans>
+            <ref bean="consoleService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="viewProvider"/>
+        </jaxrs:providers> 
+    </jaxrs:server>
+    
+    <bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
+       <property name="useClassNames" value="true"/>
+       <property name="locationPrefix" value="/WEB-INF/views/"/>
+       <property name="beanName" value="data"/>
+       <property name="dispatcherName" value="jsp"/>
+       <property name="resourcePaths">
+            <map>
+              <entry key="/remove" value="/WEB-INF/views/registeredClients.jsp"/>
+            </map>
+       </property>
+       <property name="classResources">
+            <map>
+              <entry key="org.apache.cxf.fediz.service.oidc.clients.InvalidRegistration"
value="/WEB-INF/views/invalidRegistration.jsp"/>
+            </map>
+       </property>
+    </bean>
+    
+    <!-- AccessTokenService response filter which adds IdTokens to client responses -->
+    <bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter">
+      <!--
+        <property name="signWithClientSecret" value="true"/>
+      -->
+    </bean>
+    <!-- Cors filter for endpoints used by implicit flow (by js clients) -->
+    <util:list id="implicitFlowAllowHeaders">
+        <value>Authorization</value>
+    </util:list>
+    <bean id="corsFilter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
+        <property name="allowHeaders" ref="implicitFlowAllowHeaders"/>
+    </bean>
+    <bean id="refreshTokenHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler">
+        <property name="dataProvider" ref="oauthProvider"/>
+    </bean>
+    
+    <bean id="clientCredsHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
+        <property name="dataProvider" ref="oauthProvider"/>
+    </bean>
+        
+    <util:list id="grantHandlers">
+        <ref bean="refreshTokenHandler"/>
+        <!-- Add more custom grant handlers as needed -->
+        <ref bean="clientCredsHandler"/>
+    </util:list>
+    <!-- Access Token service -->
+    <bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+        <property name="dataProvider" ref="oauthProvider"/>
+        <property name="responseFilter" ref="idTokenFilter"/>
+        <property name="grantHandlers" ref="grantHandlers"/>
+        <property name="canSupportPublicClients" value="true"/>
+    </bean>
+    <!-- Access Token Revocation service -->
+    <bean id="accessTokenRevocationService" class="org.apache.cxf.rs.security.oauth2.services.TokenRevocationService">
+        <property name="dataProvider" ref="oauthProvider"/>
+    </bean>
+    <!-- Access Token Introspection service -->
+    <bean id="accessTokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
+        <property name="dataProvider" ref="oauthProvider"/>
+        <property name="blockUnauthorizedRequests" value="false"/> 
+    </bean>
+    <bean id="oauthJsonProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
+    <jaxrs:server address="/oauth2">
+        <jaxrs:serviceBeans>
+            <ref bean="accessTokenService"/>
+            <ref bean="accessTokenIntrospectionService"/>
+            <ref bean="accessTokenRevocationService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+           <ref bean="oauthJsonProvider"/>
+        </jaxrs:providers>
+        <jaxrs:properties>
+            <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+            <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+        </jaxrs:properties>
+     </jaxrs:server>
+    
+     <!-- .well-known OIDC Configuration Service --> 
+     <bean id="oidcConfigService" class="org.apache.cxf.rs.security.oidc.idp.OidcConfigurationService"/>
+     <jaxrs:server address="/.well-known">
+        <jaxrs:serviceBeans>
+            <ref bean="oidcConfigService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:properties>
+            <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+        </jaxrs:properties>
+     </jaxrs:server>
+     <http:conduit name="*.http-conduit">
+        <http:tlsClientParameters
+            disableCNCheck="true">
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="tompass" resource="server.jks" />
+            </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
+     
+</beans>
+
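Review bot: The comment above `<springsec:debug />` is misspelled (`DIABLE`) and, more importantly, neither it nor the other relaxations in this context — `<springsec:csrf disabled="true"/>` on the `/**` chain and `disableCNCheck="true"` on the `*.http-conduit` — say that they are acceptable only because this file is a systest fixture. Since the file also serves as the worked example of wiring the OIDC service behind the Fediz Spring plugin, each of those lines deserves a note such as `<!-- Test-only: CSRF protection is disabled for this fixture; confirm what the federation POST to /j_spring_fediz_security_check needs before reusing this outside the systests -->` — that the POST-back is the reason is my assumption, confirm against the plugin. The file also mixes tabs and spaces for indentation (the root `xmlns:cxf` attribute, the spring-beans schemaLocation entry and `<cxf:bus>` are tab-indented, everything else uses spaces), which is worth normalising while the file is new.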
diff --git a/systests/oidc/src/test/resources/oidc/spring/web.xml b/systests/oidc/src/test/resources/oidc/spring/web.xml
new file mode 100644
index 0000000..fd75a9e
--- /dev/null
+++ b/systests/oidc/src/test/resources/oidc/spring/web.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0" metadata-complete="true">
+
+    <description>Apache CXF Fediz OIDC service</description>
+    <display-name>Apache CXF Fediz OIDC service</display-name>
+	
+	<session-config>
+	    <cookie-config>
+            <http-only>true</http-only>
+            <secure>true</secure>
+        </cookie-config>
+		<tracking-mode>COOKIE</tracking-mode>
+	</session-config>
+	
+    <!-- Optional: Cache the security token in Thread Local Storage -->
+    <filter>
+        <filter-name>FederationFilter</filter-name>
+        <filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>FederationFilter</filter-name>
+        <url-pattern>/idp/*</url-pattern>
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>FederationFilter</filter-name>
+        <url-pattern>/console/*</url-pattern>
+    </filter-mapping>
+
+    <context-param>
+        <param-name>contextConfigLocation</param-name>
+        <param-value>/WEB-INF/applicationContext.xml</param-value>
+    </context-param>
+    
+    <filter>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+    
+    <filter-mapping>
+      <filter-name>springSecurityFilterChain</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <listener>
+        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+    </listener>
+
+    <servlet>
+        <servlet-name>FederationServlet</servlet-name>
+        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>FederationServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+    
+</web-app>
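Review bot: The two `<filter-mapping>` entries for FederationFilter precede the one for springSecurityFilterChain, and the container builds the chain in web.xml mapping order, so on /idp/* and /console/* the Fediz core FederationFilter runs before Spring Security has processed the request. Its comment says it caches the security token in thread-local storage; if it obtains that token from the request principal, as it would under the container plugins, it runs one filter too early here — verify, and if so move the springSecurityFilterChain `<filter-mapping>` above the FederationFilter ones. A comment on the FederationFilter block stating where it expects the token to come from under the Spring plugin would settle this for the next reader.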

