[Fediz-95] Moving Spring Security Configuration to central location

Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d16365db
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d16365db
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d16365db

Branch: refs/heads/master
Commit: d16365db1bc03bc7a2d55185949315e4cf2a58d0
Parents: ea8c7c2
Author: Jan Bernhardt <[email protected]>
Authored: Wed Jan 21 12:33:40 2015 +0100
Committer: Jan Bernhardt <[email protected]>
Committed: Thu Jan 29 10:10:01 2015 +0100

----------------------------------------------------------------------
 .gitignore                                      |   1 +
 .../test/resources/fediz_test_config_saml.xml   |   2 +-
 .../cxf/fediz/service/idp/util/WebUtils.java    |   1 +
 services/idp/src/main/resources/restContext.xml |  61 +------
 .../src/main/resources/restContextKerberos.xml  | 169 -------------------
 .../main/webapp/WEB-INF/applicationContext.xml  |  26 +--
 .../main/webapp/WEB-INF/idp-config-realma.xml   |   5 +-
 .../main/webapp/WEB-INF/idp-config-realmb.xml   |   4 +-
 .../idp/src/main/webapp/WEB-INF/idp-servlet.xml |  17 +-
 .../webapp/WEB-INF/security-config-kerberos.xml |  54 +++++-
 .../src/main/webapp/WEB-INF/security-config.xml |  44 ++++-
 services/idp/src/test/resources/idp-config.xml  |  29 +---
 12 files changed, 124 insertions(+), 289 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index f5f8e88..1e8a4b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ target/
 velocity.log
 .externalToolBuilders/
 
+.idea

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/plugins/core/src/test/resources/fediz_test_config_saml.xml
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/resources/fediz_test_config_saml.xml 
b/plugins/core/src/test/resources/fediz_test_config_saml.xml
index 125bccd..81973c3 100644
--- a/plugins/core/src/test/resources/fediz_test_config_saml.xml
+++ b/plugins/core/src/test/resources/fediz_test_config_saml.xml
@@ -200,7 +200,7 @@
                </audienceUris>
                <certificateStores>
                        <trustManager>
-                               <keyStore file="clientonly.jks" 
password="storepass"
+                               <keyStore file="clientonly.jks" 
password="cspass"
                                        type="JKS" />
                        </trustManager>         
                </certificateStores>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
----------------------------------------------------------------------
diff --git 
a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
 
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
index 89543dc..284fd40 100644
--- 
a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
+++ 
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/util/WebUtils.java
@@ -202,6 +202,7 @@ public final class WebUtils {
         Cookie cookie = readCookie(context, cookieName);
         if (cookie != null) {
             cookie.setMaxAge(0);
+            cookie.setValue("");
             httpServletResponse.addCookie(cookie);
         }
     }
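Review bot: Clearing the value on the added line does not by itself make the browser drop the cookie: a Cookie object taken from the request carries no Path or Domain, so the `Max-Age=0` response only replaces the original if the original was issued with the default path — otherwise the browser keeps the old cookie and this removal is a silent no-op. If `readCookie` hands back the request's cookie (it looks that way from the surrounding lines, but the method starts outside the hunk), set the same path the issuing code uses before adding it, e.g. `cookie.setPath(<path used when the cookie was issued>);` next to `cookie.setMaxAge(0);`. A one-line comment stating that Path/Domain must match the issuing code would stop the next person from removing it as redundant.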

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/resources/restContext.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/restContext.xml 
b/services/idp/src/main/resources/restContext.xml
index 24a4f1a..ce58024 100644
--- a/services/idp/src/main/resources/restContext.xml
+++ b/services/idp/src/main/resources/restContext.xml
@@ -18,19 +18,15 @@
   under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans";
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-    xmlns:context="http://www.springframework.org/schema/context";
-    xmlns:jaxrs="http://cxf.apache.org/jaxrs";
-    xmlns:security="http://www.springframework.org/schema/security";
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+       xmlns:context="http://www.springframework.org/schema/context";
+       xmlns:jaxrs="http://cxf.apache.org/jaxrs";
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://cxf.apache.org/jaxrs
-        http://cxf.apache.org/schemas/jaxrs.xsd
-        http://www.springframework.org/schema/security
-        
http://www.springframework.org/schema/security/spring-security-3.1.xsd";>
+        http://cxf.apache.org/schemas/jaxrs.xsd";>
 
 <!-- 
 <context:component-scan 
base-package="org.apache.cxf.fediz.service.idp.protocols" />
@@ -43,8 +39,7 @@
     
     <bean id="jaxbProvider" 
class="org.apache.cxf.jaxrs.provider.JAXBElementProvider">
         <property name="depthProperties">
-            <bean id="depthProperties"
-                class="org.apache.cxf.staxutils.DocumentDepthProperties">
+            <bean class="org.apache.cxf.staxutils.DocumentDepthProperties">
                 <property name="innerElementCountThreshold" value="500" />
             </bean>
         </property>
@@ -102,48 +97,6 @@
 
     <bean id="roleServiceImpl"
         class="org.apache.cxf.fediz.service.idp.rest.RoleServiceImpl" />
-
-
-    <!-- If enabled, you can't access the Service layer within the Spring 
Webflow -->
-    <!-- The user has no role during the login phase of WS-Federation -->
-    <security:global-method-security pre-post-annotations="enabled"/>
-
-    <security:http pattern="/services/rs/**" auto-config="false" 
use-expressions="true">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" 
ref="entitlementsEnricher" />
-        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
-        <security:http-basic />
-    </security:http>
-
-    <bean id="bCryptPasswordEncoder" 
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
-    
-    <bean id="defaultPasswordEncoder" 
class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
-    
-    <security:authentication-manager>
-        <security:authentication-provider>
-          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
-          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
-          <!--  
-          <security:password-encoder hash="sha-256" base64="true">
-            <security:salt-source user-property="username"/>
-          </security:password-encoder>
-          -->
-          <security:user-service properties="classpath:/users.properties" />
-        </security:authentication-provider>
-        <security:authentication-provider ref="stsAuthProvider" />
-    </security:authentication-manager>
-
-    <bean id="entitlementsEnricher" 
class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
 />
-
-    <bean id="stsPortFilter" 
class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
-    
-    <bean id="stsAuthProvider" 
class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
-        <property name="wsdlLocation" 
value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportUT_Port"/>
-        <property name="wsdlService" value="SecurityTokenService"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" 
value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-    </bean>
     
 </beans>
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/resources/restContextKerberos.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/restContextKerberos.xml 
b/services/idp/src/main/resources/restContextKerberos.xml
deleted file mode 100644
index 4fa2060..0000000
--- a/services/idp/src/main/resources/restContextKerberos.xml
+++ /dev/null
@@ -1,169 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements. See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership. The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License. You may obtain a copy of the License at
- 
-  http://www.apache.org/licenses/LICENSE-2.0
- 
-  Unless required by applicable law or agreed to in writing,
-  software distributed under the License is distributed on an
-  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  KIND, either express or implied. See the License for the
-  specific language governing permissions and limitations
-  under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans";
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-    xmlns:context="http://www.springframework.org/schema/context";
-    xmlns:jaxrs="http://cxf.apache.org/jaxrs";
-    xmlns:security="http://www.springframework.org/schema/security";
-    xsi:schemaLocation="
-        http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-        http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
-        http://cxf.apache.org/jaxrs
-        http://cxf.apache.org/schemas/jaxrs.xsd
-        http://www.springframework.org/schema/security
-        
http://www.springframework.org/schema/security/spring-security-3.1.xsd";>
-
-<!-- 
-<context:component-scan 
base-package="org.apache.cxf.fediz.service.idp.protocols" />
-    
-    
-    <bean
-        
class="org.apache.cxf.fediz.service.idp.protocols.TrustedIdpProtocolHandlerImpl"
 />
-      -->   
-    <context:property-placeholder location="classpath:realm.properties"/>
-    
-    <bean id="jaxbProvider" 
class="org.apache.cxf.jaxrs.provider.JAXBElementProvider">
-        <property name="depthProperties">
-            <bean id="depthProperties"
-                class="org.apache.cxf.staxutils.DocumentDepthProperties">
-                <property name="innerElementCountThreshold" value="500" />
-            </bean>
-        </property>
-        <property name="marshallerProperties">
-            <map>
-                <entry key="jaxb.formatted.output">
-                    <value type="java.lang.Boolean">true</value>
-                </entry>
-            </map>
-        </property>
-    </bean>
-
-    <bean id="exceptionMapper"
-        
class="org.apache.cxf.fediz.service.idp.rest.RestServiceExceptionMapper" />
-
-    <bean id="jsonProvider" 
class="org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider" />
-
-    <jaxrs:server id="idpService" address="/rs">
-        <jaxrs:serviceBeans>
-            <ref bean="idpServiceImpl" />
-            <ref bean="claimServiceImpl" />
-            <ref bean="applicationServiceImpl" />
-            <ref bean="trustedIdpServiceImpl" />
-            <ref bean="entitlementServiceImpl" />
-            <ref bean="roleServiceImpl" />
-            <ref bean="rootServiceImpl" />
-        </jaxrs:serviceBeans>
-        <jaxrs:providers>
-            <ref bean="jaxbProvider" />
-            <ref bean="jsonProvider" />
-            <ref bean="exceptionMapper" />
-        </jaxrs:providers>
-        <jaxrs:extensionMappings>
-            <entry key="json" value="application/json;charset=UTF-8" />
-            <entry key="xml" value="application/xml;charset=UTF-8" />
-        </jaxrs:extensionMappings>
-    </jaxrs:server>
-
-    <bean id="rootServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.RootServiceImpl" />
-
-    <bean id="idpServiceImpl" 
class="org.apache.cxf.fediz.service.idp.rest.IdpServiceImpl" />
-
-    <bean id="claimServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.ClaimServiceImpl" />
-
-    <bean id="applicationServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.ApplicationServiceImpl" />
-
-    <bean id="trustedIdpServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.TrustedIdpServiceImpl" />
-
-    <bean id="entitlementServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.EntitlementServiceImpl" />
-
-    <bean id="roleServiceImpl"
-        class="org.apache.cxf.fediz.service.idp.rest.RoleServiceImpl" />
-
-
-    <!-- If enabled, you can't access the Service layer within the Spring 
Webflow -->
-    <!-- The user has no role during the login phase of WS-Federation -->
-    <security:global-method-security pre-post-annotations="enabled"/>
-
-    <security:http pattern="/services/rs/**" auto-config="false" 
use-expressions="true"
-        entry-point-ref="kerberosEntryPoint">
-        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
-        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" 
ref="entitlementsEnricher" />
-        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
-        <!--<security:http-basic />-->
-        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" 
position="BASIC_AUTH_FILTER" />
-    </security:http>
-
-    <bean id="bCryptPasswordEncoder" 
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
-    
-    <bean id="defaultPasswordEncoder" 
class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
-    
-    <bean id="kerberosEntryPoint" 
-          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" 
/>
-    
-    <bean id="spnegoAuthenticationProcessingFilter"
-          
class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
-        <property name="authenticationManager" ref="authenticationManager" />
-    </bean>
-    
-    <security:authentication-manager alias="authenticationManager">
-        <security:authentication-provider>
-          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
-          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
-          <!--  
-          <security:password-encoder hash="sha-256" base64="true">
-            <security:salt-source user-property="username"/>
-          </security:password-encoder>
-          -->
-          <security:user-service properties="classpath:/users.properties" />
-        </security:authentication-provider>
-        <security:authentication-provider ref="stsAuthProvider" />
-    </security:authentication-manager>
-
-    <bean id="entitlementsEnricher" 
class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
 />
-
-    <bean id="stsPortFilter" 
class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
-    <!--
-    <bean id="kerberosTokenValidator" 
class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
-        <property name="contextName" value="bob"/>
-        <property name="serviceName" value="[email protected]"/>
-    </bean>
-    -->
-    
-    <bean id="stsAuthProvider" 
class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
-        <!--<property name="wsdlLocation" 
value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportUT_Port"/>-->
-        <property name="wsdlLocation" 
value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
-        <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
-        <property name="wsdlService" value="SecurityTokenService"/>
-        <property name="appliesTo" value="urn:fediz:idp"/>
-        <property name="tokenType" 
value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
-        <!--<property name="kerberosTokenValidator" 
ref="kerberosTokenValidator"/>
-        <property name="requireDelegation" value="true"/>-->
-    </bean>
-    
-</beans>
-

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/applicationContext.xml 
b/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
index afe5003..a858236 100644
--- a/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/idp/src/main/webapp/WEB-INF/applicationContext.xml
@@ -18,31 +18,21 @@
   under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans";
-    xmlns:cxf="http://cxf.apache.org/core";
-    xmlns:jaxws="http://cxf.apache.org/jaxws";
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-    xmlns:util="http://www.springframework.org/schema/util";
-    xmlns:http="http://cxf.apache.org/transports/http/configuration";
-    xmlns:sec="http://cxf.apache.org/configuration/security";
-    xmlns:context="http://www.springframework.org/schema/context";
-    xmlns:jaxrs="http://cxf.apache.org/jaxrs";
-    xsi:schemaLocation="
-        http://cxf.apache.org/core
+       xmlns:cxf="http://cxf.apache.org/core";
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+       xmlns:http="http://cxf.apache.org/transports/http/configuration";
+       xmlns:sec="http://cxf.apache.org/configuration/security";
+       xmlns:context="http://www.springframework.org/schema/context";
+       xsi:schemaLocation="http://cxf.apache.org/core
         http://cxf.apache.org/schemas/core.xsd
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
-        http://cxf.apache.org/jaxws
-        http://cxf.apache.org/schemas/jaxws.xsd
-        http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://cxf.apache.org/configuration/security
-        http://cxf.apache.org/schemas/configuration/security.xsd
-        http://cxf.apache.org/jaxrs
-        http://cxf.apache.org/schemas/jaxrs.xsd";>
+        http://cxf.apache.org/schemas/configuration/security.xsd";>
 
     <context:component-scan 
base-package="org.apache.cxf.fediz.service.idp.protocols" />
         

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml 
b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
index 883859e..c5e0a4a 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
@@ -25,9 +25,10 @@
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd";>
+        http://www.springframework.org/schema/util/spring-util-3.1.xsd
+        ">
 
     <context:property-placeholder location="classpath:realm.properties" />
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml 
b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
index f5ab043..a8c8a3b 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml
@@ -25,9 +25,9 @@
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd";>
+        http://www.springframework.org/schema/util/spring-util-3.1.xsd";>
 
     <context:property-placeholder location="classpath:realm.properties" />
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml 
b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
index ada6250..ccc2146 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
@@ -18,17 +18,14 @@
   under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans";
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-    xmlns:util="http://www.springframework.org/schema/util"; 
-    xmlns:webflow="http://www.springframework.org/schema/webflow-config";
-    xmlns:p="http://www.springframework.org/schema/p";
-    xmlns:context="http://www.springframework.org/schema/context";
-    xsi:schemaLocation="http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-        http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+       xmlns:webflow="http://www.springframework.org/schema/webflow-config";
+       xmlns:p="http://www.springframework.org/schema/p";
+       xmlns:context="http://www.springframework.org/schema/context";
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/webflow-config
         
http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd";>
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml 
b/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
index 0d17349..49049ab 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config-kerberos.xml
@@ -23,9 +23,9 @@
     xmlns:context="http://www.springframework.org/schema/context";
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/security
         
http://www.springframework.org/schema/security/spring-security-3.1.xsd";>
 
@@ -35,18 +35,54 @@
     <!-- <security:debug /> -->
 
     <!-- Configure Spring Security -->
-    <security:http pattern="/federation/**" auto-config="false" 
use-expressions="true"
-        entry-point-ref="kerberosEntryPoint">
+    <!-- If enabled, you can't access the Service layer within the Spring 
Webflow -->
+    <!-- The user has no role during the login phase of WS-Federation -->
+    <security:global-method-security pre-post-annotations="enabled"/>
+
+    <security:http pattern="/services/rs/**" auto-config="false" 
use-expressions="true" entry-point-ref="kerberosEntryPoint">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" 
ref="entitlementsEnricher" />
-        <security:intercept-url 
pattern="/FederationMetadata/2007-06/FederationMetadata.xml" 
access="isAnonymous() or isAuthenticated()" />
-
-        <!-- MUST be http-basic thus systests run fine -->
+        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
         <!--<security:http-basic />-->
-        <!--<security:form-login />-->
         <security:custom-filter ref="kerberosAuthenticationProcessingFilter" 
position="BASIC_AUTH_FILTER" />
     </security:http>
+
+    <bean id="bCryptPasswordEncoder" 
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+    
+    <bean id="defaultPasswordEncoder" 
class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
+    
+    <bean id="kerberosEntryPoint" 
+          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" 
/>
+    
+    <bean id="spnegoAuthenticationProcessingFilter"
+          
class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+        <property name="authenticationManager" ref="restAuthenticationManager" 
/>
+    </bean>
     
+    <security:authentication-manager id="restAuthenticationManager">
+        <security:authentication-provider>
+          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
+          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+          <!--  
+          <security:password-encoder hash="sha-256" base64="true">
+            <security:salt-source user-property="username"/>
+          </security:password-encoder>
+          -->
+          <security:user-service properties="classpath:/users.properties" />
+        </security:authentication-provider>
+        <security:authentication-provider ref="stsAuthProvider" />
+    </security:authentication-manager>
+      
+    <security:http use-expressions="true" entry-point-ref="kerberosEntryPoint">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" 
ref="entitlementsEnricher" />
+        <security:intercept-url 
pattern="/FederationMetadata/2007-06/FederationMetadata.xml" 
access="isAnonymous() or isAuthenticated()" />
+
+        <security:form-login login-page="/federation/login"/>
+        <security:http-basic />
+        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" 
position="BASIC_AUTH_FILTER" />
+    </security:http>
+
     <bean id="kerberosEntryPoint"
           class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" 
/>
     
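Review bot: The catch-all chain that starts with `<security:http use-expressions="true" entry-point-ref="kerberosEntryPoint">` declares `<security:http-basic />` and, three lines later, a custom filter with `position="BASIC_AUTH_FILTER"`; as far as I recall the 3.1 namespace parser rejects a custom filter placed at the same position as a namespace-created filter at context start-up, which is presumably why the old block kept `<!--<security:http-basic />-->` commented out. Either keep http-basic commented out here as well, or register the Kerberos filter with `after="BASIC_AUTH_FILTER"` instead of `position`. The `kerberosEntryPoint` bean is now defined twice in this file (the added one and the pre-existing one right after the second chain); with spring-beans-3.1 the later definition silently overrides the earlier one, so one of them should go. Unlike its counterpart in security-config.xml, the `/services/rs/**` chain here carries no `authentication-manager-ref="restAuthenticationManager"`, and the added `spnegoAuthenticationProcessingFilter` bean is not referenced by either chain in this hunk, so `restAuthenticationManager` may not be wired to the REST chain at all — worth confirming against the rest of the file.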
@@ -61,6 +97,8 @@
        
     <bean id="stsPortFilter" 
class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
     
+    <bean id="entitlementsEnricher" 
class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
 />
+    
     <!--<bean id="kerberosTokenValidator" 
class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
         <property name="contextName" value="bob"/>
         <property name="serviceName" value="[email protected]"/>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml 
b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index 847b07a..ab0eada 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -23,11 +23,12 @@
     xmlns:context="http://www.springframework.org/schema/context";
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/security
-        
http://www.springframework.org/schema/security/spring-security-3.1.xsd";>
+        http://www.springframework.org/schema/security/spring-security-3.1.xsd
+        ">
 
     <context:property-placeholder location="classpath:realm.properties"/>
     
@@ -35,14 +36,45 @@
     <!-- <security:debug /> -->
 
     <!-- Configure Spring Security -->
-    <security:http pattern="/federation/**" auto-config="false" 
use-expressions="true">
+    
+    <!-- If enabled, you can't access the Service layer within the Spring 
Webflow -->
+    <!-- The user has no role during the login phase of WS-Federation -->
+    <security:global-method-security pre-post-annotations="enabled"/>
+
+    <security:http pattern="/services/rs/**" use-expressions="true" 
authentication-manager-ref="restAuthenticationManager">
+        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" 
ref="entitlementsEnricher" />
+        <security:intercept-url pattern="/services/rs/**" 
access="isAuthenticated()"/>
+        <security:http-basic />
+    </security:http>
+
+    <bean id="bCryptPasswordEncoder" 
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+    
+    <bean id="defaultPasswordEncoder" 
class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
+    
+    <security:authentication-manager id="restAuthenticationManager">
+        <security:authentication-provider>
+          <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
+          <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+          <!--  
+          <security:password-encoder hash="sha-256" base64="true">
+            <security:salt-source user-property="username"/>
+          </security:password-encoder>
+          -->
+          <security:user-service properties="classpath:/users.properties" />
+        </security:authentication-provider>
+        <security:authentication-provider ref="stsAuthProvider" />
+    </security:authentication-manager>
+
+    <security:http use-expressions="true">
         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" 
ref="entitlementsEnricher" />
         <security:intercept-url 
pattern="/FederationMetadata/2007-06/FederationMetadata.xml" 
access="isAnonymous() or isAuthenticated()" />
 
         <!-- MUST be http-basic thus systests run fine -->
-        <security:http-basic />
         <!--<security:form-login />-->
+        <security:http-basic />
+        <security:logout delete-cookies="FEDIZ_HOME_REALM" 
invalidate-session="true" />
     </security:http>
 
     <security:authentication-manager>
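Review bot: The second chain, `<security:http use-expressions="true">`, has lost its `pattern="/federation/**"`, so it now handles every request the `/services/rs/**` chain does not claim, while its only `intercept-url` is the metadata one — every other path passes this chain with no access rule. If that is intended because the webflow enforces authentication itself, say so in a comment and add an explicit `<security:intercept-url pattern="/**" access="permitAll"/>` (or restore the `/federation/**` pattern) so the exposure is visible rather than implicit. The new `<security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />` uses the default `/j_spring_security_logout` endpoint, which in 3.1 is reachable by GET with no CSRF protection available; a comment naming the endpoint and an explicit `logout-url` would at least document that choice. The `bCryptPasswordEncoder` and `defaultPasswordEncoder` beans are declared but nothing references them, since every `<security:password-encoder>` line stays commented out, so `users.properties` is still matched in clear — either wire one of them or drop the dead beans.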
@@ -50,6 +82,8 @@
     </security:authentication-manager>
        
     <bean id="stsPortFilter" 
class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+    
+    <bean id="entitlementsEnricher" 
class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements"
 />
        
     <bean id="stsAuthProvider" 
class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
         <property name="wsdlLocation" 
value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d16365db/services/idp/src/test/resources/idp-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/test/resources/idp-config.xml 
b/services/idp/src/test/resources/idp-config.xml
index 6c8fdb5..ce3f60b 100644
--- a/services/idp/src/test/resources/idp-config.xml
+++ b/services/idp/src/test/resources/idp-config.xml
@@ -18,29 +18,18 @@
   under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans";
-    xmlns:cxf="http://cxf.apache.org/core";
-    xmlns:jaxws="http://cxf.apache.org/jaxws";
-    xmlns:test="http://apache.org/hello_world_soap_http";
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-    xmlns:util="http://www.springframework.org/schema/util";
-    xmlns:http="http://cxf.apache.org/transports/http/configuration";
-    xmlns:sec="http://cxf.apache.org/configuration/security";
-    xmlns:context="http://www.springframework.org/schema/context";
-    xsi:schemaLocation="
-        http://cxf.apache.org/core
-        http://cxf.apache.org/schemas/core.xsd
-        http://www.springframework.org/schema/beans
-        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+       xmlns:util="http://www.springframework.org/schema/util";
+       xmlns:http="http://cxf.apache.org/transports/http/configuration";
+       xmlns:context="http://www.springframework.org/schema/context";
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
-        http://www.springframework.org/schema/context/spring-context-3.0.xsd
-        http://cxf.apache.org/jaxws
-        http://cxf.apache.org/schemas/jaxws.xsd
+        http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/util
-        http://www.springframework.org/schema/util/spring-util-2.0.xsd
+        http://www.springframework.org/schema/util/spring-util-3.1.xsd
         http://cxf.apache.org/transports/http/configuration
-        http://cxf.apache.org/schemas/configuration/http-conf.xsd
-        http://cxf.apache.org/configuration/security
-        http://cxf.apache.org/schemas/configuration/security.xsd";>
+        http://cxf.apache.org/schemas/configuration/http-conf.xsd";>
 
     <context:property-placeholder location="classpath:realm.properties" />
 
