Repository: cxf-fediz Updated Branches: refs/heads/master b5e43dc6d -> f9bc1e69a
Adding a new system test to show how to use client authentication with the IdP Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f9bc1e69 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f9bc1e69 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f9bc1e69 Branch: refs/heads/master Commit: f9bc1e69a7f8eff250747bdc80d3ea11df603d9c Parents: b5e43dc Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Mar 11 14:49:42 2015 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Mar 11 14:49:42 2015 +0000 ---------------------------------------------------------------------- systests/clientcert/pom.xml | 308 +++++++++++++++++++ .../integrationtests/ClientCertificateTest.java | 242 +++++++++++++++ .../clientcert/src/test/resources/alice.cer | Bin 0 -> 808 bytes .../src/test/resources/alice_client.jks | Bin 0 -> 1277 bytes .../src/test/resources/fediz_config.xml | 43 +++ .../src/test/resources/idp/idp-servlet.xml | 135 ++++++++ .../src/test/resources/idp/security-config.xml | 96 ++++++ .../clientcert/src/test/resources/server.jks | Bin 0 -> 2701 bytes .../src/test/resources/sts/passwords.xml | 42 +++ .../src/test/resources/sts/ststrust.jks | Bin 0 -> 4079 bytes .../src/test/resources/sts/userClaims.xml | 139 +++++++++ .../clientcert/src/test/resources/ststrust.jks | Bin 0 -> 2561 bytes systests/pom.xml | 1 + 13 files changed, 1006 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/pom.xml ---------------------------------------------------------------------- diff --git a/systests/clientcert/pom.xml b/systests/clientcert/pom.xml new file mode 100644 index 0000000..b526d9f --- /dev/null +++ b/systests/clientcert/pom.xml 
@@ -0,0 +1,308 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.apache.cxf.fediz</groupId> + <artifactId>fediz-systests</artifactId> + <version>1.2.0-SNAPSHOT</version> + <relativePath>../pom.xml</relativePath> + </parent> + <groupId>org.apache.cxf.fediz.systests</groupId> + <artifactId>fediz-systests-clientcert</artifactId> + <name>Apache Fediz Client Certificate Systests using Tomcat 7</name> + <packaging>jar</packaging> + <properties> + <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> + </properties> + <dependencies> + <dependency> + <groupId>org.apache.tomcat.embed</groupId> + <artifactId>tomcat-embed-core</artifactId> + <version>${tomcat.version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.apache.tomcat.embed</groupId> + <artifactId>tomcat-embed-logging-juli</artifactId> + <version>${tomcat.version}</version> + 
<scope>test</scope> + </dependency> + <dependency> + <groupId>org.eclipse.jdt.core.compiler</groupId> + <artifactId>ecj</artifactId> + <version>3.7.1</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.apache.tomcat.embed</groupId> + <artifactId>tomcat-embed-jasper</artifactId> + <version>${tomcat.version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <version>${junit.version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.apache.cxf.fediz</groupId> + <artifactId>fediz-tomcat</artifactId> + <version>${project.version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.apache.cxf.fediz.systests</groupId> + <artifactId>fediz-systests-tests</artifactId> + <version>${project.version}</version> + <type>test-jar</type> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.slf4j</groupId> + <artifactId>slf4j-api</artifactId> + <version>${slf4j.version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.slf4j</groupId> + <artifactId>slf4j-jdk14</artifactId> + <version>${slf4j.version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>hsqldb</groupId> + <artifactId>hsqldb</artifactId> + <version>${hsqldb.version}</version> + <scope>test</scope> + </dependency> + </dependencies> + <build> + <testResources> + <testResource> + <directory>src/test/resources</directory> + <filtering>true</filtering> + <includes> + <include>**/fediz_config*.xml</include> + </includes> + </testResource> + <testResource> + <directory>src/test/resources</directory> + <filtering>false</filtering> + <excludes> + <exclude>**/fediz_config*.xml</exclude> + </excludes> + </testResource> + </testResources> + <plugins> + <plugin> + <groupId>org.codehaus.mojo</groupId> + <artifactId>build-helper-maven-plugin</artifactId> + <executions> + <execution> + <id>reserve-network-port</id> + 
<goals> + <goal>reserve-network-port</goal> + </goals> + <phase>initialize</phase> + <configuration> + <portNames> + <portName>idp.https.port</portName> + <portName>rp.https.port</portName> + </portNames> + </configuration> + </execution> + </executions> + </plugin> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-dependency-plugin</artifactId> + <executions> + <execution> + <id>copy-idp-sts</id> + <phase>generate-resources</phase> + <goals> + <goal>unpack</goal> + </goals> + <configuration> + <artifactItems> + <artifactItem> + <groupId>org.apache.cxf.fediz</groupId> + <artifactId>fediz-idp</artifactId> + <version>${project.version}</version> + <type>war</type> + <overWrite>true</overWrite> + <outputDirectory>target/tomcat/idp/webapps/fediz-idp</outputDirectory> + </artifactItem> + <artifactItem> + <groupId>org.apache.cxf.fediz</groupId> + <artifactId>fediz-idp-sts</artifactId> + <version>${project.version}</version> + <type>war</type> + <overWrite>true</overWrite> + <outputDirectory>target/tomcat/idp/webapps/fediz-idp-sts</outputDirectory> + </artifactItem> + <artifactItem> + <groupId>org.apache.cxf.fediz.systests.webapps</groupId> + <artifactId>fediz-systests-webapps-simple</artifactId> + <version>${project.version}</version> + <type>war</type> + <overWrite>true</overWrite> + <outputDirectory>target/tomcat/rp/webapps/simpleWebapp</outputDirectory> + </artifactItem> + </artifactItems> + <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename> + <overWriteSnapshots>true</overWriteSnapshots> + <overWriteIfNewer>true</overWriteIfNewer> + <stripVersion>true</stripVersion> + </configuration> + </execution> + <execution> + <id>copy-xalan-to-idp</id> + <phase>generate-resources</phase> + <goals> + <goal>copy</goal> + </goals> + <configuration> + <artifactItems> + <artifactItem> + <groupId>xalan</groupId> + <artifactId>xalan</artifactId> + <version>${xalan.version}</version> + 
<outputDirectory>target/tomcat/idp/webapps/fediz-idp/WEB-INF/lib</outputDirectory> + </artifactItem> + </artifactItems> + </configuration> + </execution> + </executions> + </plugin> + <plugin> + <artifactId>maven-resources-plugin</artifactId> + <version>2.7</version> + <executions> + <execution> + <id>copy-entities-to-idp</id> + <phase>generate-test-sources</phase> + <goals> + <goal>copy-resources</goal> + </goals> + <configuration> + <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF</outputDirectory> + <resources> + <resource> + <directory>${basedir}/src/test/resources/idp</directory> + <includes> + <include>security-config.xml</include> + <include>idp-servlet.xml</include> + </includes> + <filtering>true</filtering> + </resource> + </resources> + </configuration> + </execution> + <execution> + <id>copy-entities-to-sts</id> + <phase>generate-test-sources</phase> + <goals> + <goal>copy-resources</goal> + </goals> + <configuration> + <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF</outputDirectory> + <resources> + <resource> + <directory>${basedir}/src/test/resources/sts</directory> + <includes> + <include>passwords.xml</include> + <include>userClaims.xml</include> + </includes> + <filtering>true</filtering> + </resource> + </resources> + </configuration> + </execution> + <execution> + <id>copy-entities-to-sts2</id> + <phase>generate-test-sources</phase> + <goals> + <goal>copy-resources</goal> + </goals> + <configuration> + <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp-sts/WEB-INF/classes</outputDirectory> + <overwrite>true</overwrite> + <resources> + <resource> + <directory>${basedir}/src/test/resources/sts</directory> + <includes> + <include>ststrust.jks</include> + </includes> + </resource> + </resources> + </configuration> + </execution> + </executions> + </plugin> + <plugin> + <artifactId>maven-failsafe-plugin</artifactId> + <inherited>true</inherited> + <executions> + <execution> + 
<id>integration-test</id> + <phase>integration-test</phase> + <goals> + <goal>integration-test</goal> + </goals> + <configuration> + <skip>false</skip> + <systemPropertyVariables> + <wt.headless>true</wt.headless> + <idp.https.port>${idp.https.port}</idp.https.port> + <rp.https.port>${rp.https.port}</rp.https.port> + </systemPropertyVariables> + <includes> + <include>**/integrationtests/**</include> + </includes> + <argLine>-Xms512m -Xmx1024m + -XX:MaxPermSize=256m</argLine> + </configuration> + </execution> + <execution> + <id>verify</id> + <phase>verify</phase> + <goals> + <goal>verify</goal> + </goals> + </execution> + </executions> + </plugin> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-surefire-plugin</artifactId> + <inherited>true</inherited> + <configuration> + <excludes> + <exclude>**/integrationtests/**</exclude> + </excludes> + </configuration> + </plugin> + </plugins> + </build> +</project> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java new file mode 100644 index 0000000..3e60d99 --- /dev/null +++ b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java 
@@ -0,0 +1,242 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + +import java.io.File; + +import com.gargoylesoftware.htmlunit.WebClient; +import com.gargoylesoftware.htmlunit.html.DomElement; +import com.gargoylesoftware.htmlunit.html.DomNodeList; +import com.gargoylesoftware.htmlunit.html.HtmlForm; +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput; + +import org.apache.catalina.Context; +import org.apache.catalina.LifecycleState; +import org.apache.catalina.connector.Connector; +import org.apache.catalina.startup.Tomcat; +import org.apache.cxf.fediz.core.ClaimTypes; +import org.apache.cxf.fediz.tomcat.FederationAuthenticator; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; + +/** + * In this test-case, the IdP is set up to require client authentication, rather than authenticating using a + * username + password, or via Kerberos. 
+ */ +public class ClientCertificateTest { + + static String idpHttpsPort; + static String rpHttpsPort; + + private static Tomcat idpServer; + private static Tomcat rpServer; + + @BeforeClass + public static void init() { + System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); + System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); + System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); + + idpHttpsPort = System.getProperty("idp.https.port"); + Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); + rpHttpsPort = System.getProperty("rp.https.port"); + Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); + + initIdp(); + initRp(); + } + + private static void initIdp() { + try { + idpServer = new Tomcat(); + idpServer.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + idpServer.setBaseDir(currentDir + File.separator + "target"); + + idpServer.getHost().setAppBase("tomcat/idp/webapps"); + idpServer.getHost().setAutoDeploy(true); + idpServer.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + httpsConnector.setPort(Integer.parseInt(idpHttpsPort)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", 
"test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "want"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + idpServer.getService().addConnector(httpsConnector); + + idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts"); + idpServer.addWebapp("/fediz-idp", "fediz-idp"); + + idpServer.start(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + private static void initRp() { + try { + rpServer = new Tomcat(); + rpServer.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + rpServer.setBaseDir(currentDir + File.separator + "target"); + + rpServer.getHost().setAppBase("tomcat/rp/webapps"); + rpServer.getHost().setAutoDeploy(true); + rpServer.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + httpsConnector.setPort(Integer.parseInt(rpHttpsPort)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "want"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + rpServer.getService().addConnector(httpsConnector); + + //Context ctx = + Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp"); + FederationAuthenticator fa = new FederationAuthenticator(); + fa.setConfigFile(currentDir + File.separator + "target" + File.separator + + "test-classes" + File.separator + "fediz_config.xml"); + cxt.getPipeline().addValve(fa); + + + rpServer.start(); + } catch 
(Exception e) { + e.printStackTrace(); + } + } + + @AfterClass + public static void cleanup() { + try { + if (idpServer.getServer() != null + && idpServer.getServer().getState() != LifecycleState.DESTROYED) { + if (idpServer.getServer().getState() != LifecycleState.STOPPED) { + idpServer.stop(); + } + idpServer.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + + try { + if (rpServer.getServer() != null + && rpServer.getServer().getState() != LifecycleState.DESTROYED) { + if (rpServer.getServer().getState() != LifecycleState.STOPPED) { + rpServer.stop(); + } + rpServer.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + } + + public String getIdpHttpsPort() { + return idpHttpsPort; + } + + public String getRpHttpsPort() { + return rpHttpsPort; + } + + public String getServletContextName() { + return "fedizhelloworld"; + } + + @org.junit.Test + public void testClientAuthentication() throws Exception { + String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getOptions().setSSLClientCertificate( + this.getClass().getClassLoader().getResource("alice_client.jks"), "storepass", "jks"); + + webClient.getOptions().setJavaScriptEnabled(false); + final HtmlPage idpPage = webClient.getPage(url); + webClient.getOptions().setJavaScriptEnabled(true); + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + final HtmlForm form = idpPage.getFormByName("signinresponseform"); + final HtmlSubmitInput button = form.getInputByName("_eventId_submit"); + + // Test the Subject Confirmation method here + DomNodeList<DomElement> results = idpPage.getElementsByTagName("input"); + + String wresult = null; + for (DomElement result : results) { + if ("wresult".equals(result.getAttributeNS(null, "name"))) { + wresult = result.getAttributeNS(null, "value"); + break; + } + } + 
Assert.assertTrue(wresult != null + && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key")); + + final HtmlPage rpPage = button.click(); + Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText()); + + final String bodyTextContent = rpPage.getBody().getTextContent(); + String user = "alice"; + Assert.assertTrue("Principal not " + user, + bodyTextContent.contains("userPrincipal=" + user)); + Assert.assertTrue("User " + user + " does not have role Admin", + bodyTextContent.contains("role:Admin=false")); + Assert.assertTrue("User " + user + " does not have role Manager", + bodyTextContent.contains("role:Manager=false")); + Assert.assertTrue("User " + user + " must have role User", + bodyTextContent.contains("role:User=true")); + + String claim = ClaimTypes.FIRSTNAME.toString(); + Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'", + bodyTextContent.contains(claim + "=Alice")); + claim = ClaimTypes.LASTNAME.toString(); + Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'", + bodyTextContent.contains(claim + "=Smith")); + claim = ClaimTypes.EMAILADDRESS.toString(); + Assert.assertTrue("User " + user + " claim " + claim + " is not '[email protected]'", + bodyTextContent.contains(claim + "[email protected]")); + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/alice.cer ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/alice.cer b/systests/clientcert/src/test/resources/alice.cer new file mode 100644 index 0000000..82ab5db Binary files /dev/null and b/systests/clientcert/src/test/resources/alice.cer differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/alice_client.jks ---------------------------------------------------------------------- 
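Review bot: initIdp() and initRp() catch Exception and only call printStackTrace(), so a Tomcat start that fails (keystore not found under test-classes, port already bound) leaves idpServer/rpServer half-initialised while @BeforeClass init() still reports success, and the failure only surfaces later in testClientAuthentication() as an unrelated connection error. Let startup errors propagate instead: declare `private static void initIdp() throws Exception` and `private static void initRp() throws Exception`, drop the try/catch wrapping their bodies, and change the entry point to `public static void init() throws Exception`. The `clientAuth` attribute set to `"want"` rather than `"true"` on the IdP connector deserves a comment, because the test's stated intent is that the IdP require a client certificate; if the enforcement is the `<security:x509 />` filter in security-config.xml, say so next to the attribute, e.g. `// "want": the TLS handshake also succeeds without a cert; the IdP's x509 filter rejects unauthenticated requests`. Likewise `setUseInsecureSSL(true)` turns off server certificate checking in the test client, which is fine for a systest against test-classes/server.jks but should carry a one-line comment so it is not copied into sample code.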
diff --git a/systests/clientcert/src/test/resources/alice_client.jks b/systests/clientcert/src/test/resources/alice_client.jks new file mode 100644 index 0000000..5e1bdd2 Binary files /dev/null and b/systests/clientcert/src/test/resources/alice_client.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/fediz_config.xml ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/fediz_config.xml b/systests/clientcert/src/test/resources/fediz_config.xml new file mode 100644 index 0000000..1f20ab6 --- /dev/null +++ b/systests/clientcert/src/test/resources/fediz_config.xml 
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file.
+ Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL
+ keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead.
+-->
+<FedizConfig>
+ <contextConfig name="/fedizhelloworld">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/ststrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
+ <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
+ </signingKey>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+ <claimTypesRequested>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+</FedizConfig>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/idp/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/idp/idp-servlet.xml b/systests/clientcert/src/test/resources/idp/idp-servlet.xml
new file mode 100644
index 0000000..e1afb92
--- /dev/null
+++ b/systests/clientcert/src/test/resources/idp/idp-servlet.xml
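Review bot: The header comment of fediz_config.xml is stale for this test: it talks about placing the file in the Tomcat conf folder, a webapp/META-INF/context.xml and a `tomcat-rp.jks` keystore, whereas this config points the trust manager at `test-classes/ststrust.jks`, the signing key at `test-classes/server.jks`, and ClientCertificateTest wires the file in through FederationAuthenticator.setConfigFile(). Replace it with a comment that matches, e.g. `<!-- RP config for the client-certificate systest; loaded by ClientCertificateTest via FederationAuthenticator.setConfigFile(). ststrust.jks must hold the IdP STS signing certificate itself, since certificateValidation="PeerTrust" does not walk a chain. -->`. `<maximumClockSkew>1000</maximumClockSkew>` is a wide window for two servers on the same host; a short comment giving the unit (seconds, if this follows the other Fediz configs — confirm) and why that much tolerance is needed would help the next reader. The `standalone="yes"` in the XML declaration adds nothing here and can be dropped.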
@@ -0,0 +1,135 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:webflow="http://www.springframework.org/schema/webflow-config" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:context="http://www.springframework.org/schema/context" + xsi:schemaLocation="http://www.springframework.org/schema/beans + http://www.springframework.org/schema/beans/spring-beans-3.1.xsd + http://www.springframework.org/schema/context + http://www.springframework.org/schema/context/spring-context-3.1.xsd + http://www.springframework.org/schema/webflow-config + http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd"> + + <context:property-placeholder location="classpath:realm.properties" /> + + <context:component-scan base-package="org.apache.cxf.fediz.service.idp.beans" /> + + <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" + p:flowRegistry-ref="flowRegistry" p:order="2"> + </bean> + + <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter" + p:flowExecutor-ref="flowExecutor" /> + + <webflow:flow-executor 
id="flowExecutor" + flow-registry="flowRegistry"> + <webflow:flow-execution-attributes> + <webflow:always-redirect-on-pause + value="false" /> + </webflow:flow-execution-attributes> + + <webflow:flow-execution-listeners> + <webflow:listener ref="securityFlowExecutionListener" /> + </webflow:flow-execution-listeners> + </webflow:flow-executor> + + <bean id="securityFlowExecutionListener" + class="org.springframework.webflow.security.SecurityFlowExecutionListener"> + <property name="accessDecisionManager" ref="accessDecisionManager" /> + </bean> + + <bean id="accessDecisionManager" + class="org.springframework.security.access.vote.AffirmativeBased"> + <property name="decisionVoters"> + <list> + <bean + class="org.springframework.security.access.vote.RoleVoter"> + <property name="rolePrefix" value="ROLE_" /> + </bean> + <bean + class="org.springframework.security.access.vote.AuthenticatedVoter" /> + </list> + </property> + </bean> + + <webflow:flow-registry id="flowRegistry" + flow-builder-services="builder"> + <webflow:flow-location + path="/WEB-INF/federation-validate-request.xml" id="federation" /> + <webflow:flow-location path="/WEB-INF/federation-signin-request.xml" + id="signinRequest" /> + <webflow:flow-location path="/WEB-INF/federation-signin-response.xml" + id="signinResponse" /> + </webflow:flow-registry> + + <webflow:flow-builder-services id="builder" + view-factory-creator="viewFactoryCreator" expression-parser="expressionParser" /> + + <bean id="expressionParser" + class="org.springframework.webflow.expression.WebFlowOgnlExpressionParser" /> + + <bean id="viewFactoryCreator" + class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator"> + <property name="viewResolvers"> + <list> + <ref local="viewResolver" /> + </list> + </property> + </bean> + + <bean id="viewResolver" + class="org.springframework.web.servlet.view.InternalResourceViewResolver"> + <property name="prefix" value="/WEB-INF/" /> + <property name="suffix" value=".jsp" /> + </bean> + 
+ <bean id="stsClientForRpAction" + class="org.apache.cxf.fediz.service.idp.beans.STSClientAction"> + <property name="wsdlLocation" + value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransport?wsdl" /> + <property name="wsdlEndpoint" value="Transport_Port" /> + <property name="tokenType" + value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> + <property name="keyType" + value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey" /> + </bean> + + <bean id="signInParamCacheAction" + class="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" /> + + <bean id="logoutAction" class="org.apache.cxf.fediz.service.idp.beans.LogoutAction" /> + + <bean id="wfreshParser" class="org.apache.cxf.fediz.service.idp.beans.WfreshParser" /> + + <bean id="cacheTokenForWauthAction" + class="org.apache.cxf.fediz.service.idp.beans.CacheTokenForWauthAction" /> + + <bean id="processHRDSExpressionAction" + class="org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction" /> + + <bean id="homeRealmReminder" + class="org.apache.cxf.fediz.service.idp.beans.HomeRealmReminder" /> + + <bean id="trustedIdpProtocolAction" + class="org.apache.cxf.fediz.service.idp.beans.TrustedIdpProtocolAction" /> + +</beans> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/idp/security-config.xml ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/idp/security-config.xml b/systests/clientcert/src/test/resources/idp/security-config.xml new file mode 100644 index 0000000..b9b4a0f --- /dev/null +++ b/systests/clientcert/src/test/resources/idp/security-config.xml 
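Review bot: The `wsdlLocation` of `stsClientForRpAction` uses `https://localhost:0/fediz-idp-sts/...`, and nothing in this file explains the port 0; presumably the IdP's STSClientAction substitutes the port of the incoming request at runtime, but since the pom copies this file with filtering enabled (copy-entities-to-idp) a reader would expect `${idp.https.port}` here. Add a comment on the property, e.g. `<!-- port 0 is a placeholder: STSClientAction is expected to replace it with the port of the current request — confirm -->`, or use the filtered property so the two configs agree. The `keyType` value `http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey` is what asks the STS for a holder-of-key token bound to the client certificate, which ClientCertificateTest asserts via `urn:oasis:names:tc:SAML:2.0:cm:holder-of-key`; a one-line comment naming that dependency would stop a later change to Bearer from silently breaking the test's security property.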
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-3.1.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.1.xsd
+ ">
+
+ <context:property-placeholder location="classpath:realm.properties"/>
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <!-- Configure Spring Security -->
+
+ <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
+ <!-- The user has no role during the login phase of WS-Federation -->
+ <security:global-method-security pre-post-annotations="enabled"/>
+
+ <security:http pattern="/services/rs/**"
use-expressions="true" authentication-manager-ref="restAuthenticationManager">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
+ <security:http-basic />
+ </security:http>
+
+ <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+
+ <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
+
+ <security:authentication-manager id="restAuthenticationManager">
+ <security:authentication-provider>
+ <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
+ <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+ <!--
+ <security:password-encoder hash="sha-256" base64="true">
+ <security:salt-source user-property="username"/>
+ </security:password-encoder>
+ -->
+ <security:user-service properties="classpath:/users.properties" />
+ </security:authentication-provider>
+ <security:authentication-provider ref="stsAuthProvider" />
+ </security:authentication-manager>
+
+ <security:http use-expressions="true">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+
+ <security:x509 />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <security:authentication-manager>
+ <security:authentication-provider ref="stsAuthProvider" />
+ </security:authentication-manager>
+
+ <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+
+ <bean id="entitlementsEnricher"
class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
+
+ <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
+ <property name="wsdlEndpoint" value="TransportUT_Port"/>
+ <property name="wsdlService" value="SecurityTokenService"/>
+ <property name="appliesTo" value="urn:fediz:idp"/>
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+ <property name="technicalUser" value="idp-user"/>
+ <property name="technicalPassword" value="idp-pass"/>
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/server.jks b/systests/clientcert/src/test/resources/server.jks
new file mode 100644
index 0000000..a292ec9
Binary files /dev/null and b/systests/clientcert/src/test/resources/server.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/sts/passwords.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/sts/passwords.xml b/systests/clientcert/src/test/resources/sts/passwords.xml
new file mode 100644
index 0000000..3ad9e7c
--- /dev/null
+++ b/systests/clientcert/src/test/resources/sts/passwords.xml
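Review bot: `<security:x509 />` in the default `<security:http>` chain is declared without a `subject-principal-regex`, so the principal Spring Security extracts comes from its default pattern (the CN alone), while `sts/userClaims.xml` in this same commit keys an entry on the full subject DN; a comment stating which identity string the STS is expected to match on would keep the two from drifting, e.g. `<!-- principal derived from the client cert subject; see the CN=alice,... key in sts/userClaims.xml -->`. The element also presumes the servlet container requests a client certificate on the TLS connector, which nothing in this file configures, so a pointer to where that is set up belongs beside it. Separately, `stsAuthProvider` carries the STS technical credential in cleartext (`idp-user`/`idp-pass`), duplicated in the `REALMA` map of `sts/passwords.xml`; for a system-test fixture that is acceptable, but mark it so it is not copied into a deployment: `<!-- test-only credential; must match the idp-user entry in sts/passwords.xml -->`.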
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <util:map id="REALMA">
+ <entry key="alice" value="ecila" />
+ <entry key="bob" value="bob" />
+ <entry key="ted" value="det" />
+ <entry key="idp-user" value="idp-pass" />
+ </util:map>
+
+ <util:map id="REALMB">
+ <entry key="ALICE" value="ECILA" />
+ <entry key="BOB" value="BOB" />
+ <entry key="TED" value="DET" />
+ </util:map>
+
+</beans>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/sts/ststrust.jks
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/sts/ststrust.jks b/systests/clientcert/src/test/resources/sts/ststrust.jks
new file mode 100644
index 0000000..c4d1c1e
Binary files /dev/null and b/systests/clientcert/src/test/resources/sts/ststrust.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/sts/userClaims.xml
----------------------------------------------------------------------
diff --git a/systests/clientcert/src/test/resources/sts/userClaims.xml b/systests/clientcert/src/test/resources/sts/userClaims.xml
new file mode 100644
index 0000000..1a2b12f
--- /dev/null
+++ b/systests/clientcert/src/test/resources/sts/userClaims.xml
@@ -0,0 +1,139 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <util:map id="userClaimsREALMA">
+ <entry key="alice" value-ref="REALMA_aliceClaims" />
+ <entry key="CN=alice,OU=Unknown,O=Apache,L=Dublin,ST=Unknown,C=IE" value-ref="REALMA_aliceClaims" />
+ <entry key="bob" value-ref="REALMA_bobClaims" />
+ <entry key="ted" value-ref="REALMA_tedClaims" />
+ </util:map>
+
+ <util:map id="REALMA_aliceClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Alice" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Smith" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="[email protected]" />
+ <entry
+
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="User" />
+ </util:map>
+
+ <util:map id="REALMA_bobClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Bob" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Windsor" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="[email protected]" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="User,Manager,Admin" />
+ </util:map>
+
+ <util:map id="REALMA_tedClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Ted" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Cooper" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="[email protected]" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="" />
+ </util:map>
+
+ <util:map id="userClaimsREALMB">
+ <entry key="ALICE" value-ref="REALMB_aliceClaims" />
+ <entry key="BOB" value-ref="REALMB_bobClaims" />
+ <entry key="TED" value-ref="REALMB_tedClaims" />
+ </util:map>
+
+ <util:map id="REALMB_aliceClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Alice" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Smith" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ value="[email protected]" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ value="USER" />
+ </util:map>
+
+ <util:map id="REALMB_bobClaims">
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+ value="Bob" />
+ <entry
+ key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+ value="Windsor" />
+ <entry
+
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" + value="[email protected]" /> + <entry + key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" + value="USER,MANAGER,ADMIN" /> + </util:map> + + <util:map id="REALMB_tedClaims"> + <entry + key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" + value="Ted" /> + <entry + key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" + value="Cooper" /> + <entry + key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" + value="[email protected]" /> + <entry + key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" + value="" /> + </util:map> + + <util:list id="supportedClaims"> + <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</value> + <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</value> + <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</value> + <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value> + </util:list> + +</beans> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/clientcert/src/test/resources/ststrust.jks ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/ststrust.jks b/systests/clientcert/src/test/resources/ststrust.jks new file mode 100644 index 0000000..911945c Binary files /dev/null and b/systests/clientcert/src/test/resources/ststrust.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f9bc1e69/systests/pom.xml ---------------------------------------------------------------------- diff --git a/systests/pom.xml b/systests/pom.xml index 3e8e823..d69f4ad 100644 --- a/systests/pom.xml +++ b/systests/pom.xml @@ -38,6 +38,7 @@ <module>cxf</module> <module>federation</module> <module>kerberos</module> + <module>clientcert</module> </modules> </project>
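Review bot: The `CN=alice,OU=Unknown,O=Apache,L=Dublin,ST=Unknown,C=IE` key in `userClaimsREALMA` is presumably matched by plain string equality against whatever the STS renders as the principal name, and a DN renders differently depending on the serializer (the RFC 2253 form of `X500Principal.getName()` with no spaces, as written here, versus a `toString()` form with spaces, or a subject whose RDNs are ordered differently), so a mismatch would likely show up as a missing-claims result rather than an error. A comment pinning the expected serialization would make that contract explicit: `<!-- key must equal the client certificate subject in RFC 2253 form (X500Principal.getName()) -->`. The DN-keyed entry also exists only for REALMA, which looks intentional for this test but deserves a word so nobody assumes REALMB supports certificate principals.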
