Repository: cxf-fediz Updated Branches: refs/heads/master 8fc324cb9 -> 9d7cdcde3
[FEDIZ-23] - Added in client cert to the security-config.xml Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9d7cdcde Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9d7cdcde Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9d7cdcde Branch: refs/heads/master Commit: 9d7cdcde31ebde94be0f5fd2bbd848a63231e1e5 Parents: 8fc324c Author: Colm O hEigeartaigh <[email protected]> Authored: Thu Apr 9 15:11:07 2015 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Thu Apr 9 15:11:07 2015 +0100 ---------------------------------------------------------------------- .../idp/src/main/resources/entities-realma.xml | 6 + .../idp/src/main/resources/entities-realmb.xml | 6 + .../main/webapp/WEB-INF/idp-config-realma.xml | 6 + .../main/webapp/WEB-INF/idp-config-realmb.xml | 6 + .../idp/src/main/webapp/WEB-INF/idp-servlet.xml | 2 + .../src/main/webapp/WEB-INF/security-config.xml | 32 +++++ services/idp/src/main/webapp/WEB-INF/web.xml | 5 + .../idp/integrationtests/RestITTest.java | 2 +- .../service/idp/service/jpa/IdpDAOJPATest.java | 2 +- systests/clientcert/pom.xml | 20 --- .../integrationtests/HOKCallbackHandler.java | 48 +++++++ .../src/test/resources/fediz_config.xml | 2 + .../src/test/resources/idp/idp-servlet.xml | 137 ------------------- .../src/test/resources/idp/security-config.xml | 103 -------------- systests/kerberos/pom.xml | 19 --- .../src/test/resources/fediz_config.xml | 1 + .../src/test/resources/idp/security-config.xml | 116 ---------------- 17 files changed, 116 insertions(+), 397 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/resources/entities-realma.xml ---------------------------------------------------------------------- 
diff --git a/services/idp/src/main/resources/entities-realma.xml b/services/idp/src/main/resources/entities-realma.xml index f8e1f5b..e28aa52 100644 --- a/services/idp/src/main/resources/entities-realma.xml +++ b/services/idp/src/main/resources/entities-realma.xml @@ -53,6 +53,12 @@ <property name="authenticationURIs"> <util:map> <entry key="default" value="federation/up" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey" + value="federation/krb" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default" + value="federation/up" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl" + value="federation/clientcert" /> </util:map> </property> <property name="serviceDisplayName" value="REALM A" /> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/resources/entities-realmb.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml index 3f17472..152ff52 100644 --- a/services/idp/src/main/resources/entities-realmb.xml +++ b/services/idp/src/main/resources/entities-realmb.xml @@ -52,6 +52,12 @@ <property name="authenticationURIs"> <util:map> <entry key="default" value="federation/up" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey" + value="federation/krb" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default" + value="federation/up" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl" + value="federation/clientcert" /> </util:map> </property> <property name="serviceDisplayName" value="REALM B" /> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml ---------------------------------------------------------------------- 
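Review bot: The existing `default` key and the new `http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default` key both resolve to `federation/up`, and nothing in the map says which one the IdP consults when a request carries no wauth; the same three-entry block is added verbatim to entities-realmb.xml, idp-config-realma.xml and idp-config-realmb.xml. A one-line comment above the map, `<!-- wauth authentication-type URI -> id of the webflow that handles it (see idp-servlet.xml) -->`, would document the routing in all four copies. Keeping four identical copies in step is now a maintenance hazard; if the Spring wiring can reference a single shared util:map bean instead, that would remove the duplication.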
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml index 9d61326..0faf1fe 100644 --- a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml +++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml @@ -75,6 +75,12 @@ <property name="authenticationURIs"> <util:map> <entry key="default" value="federation/up" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey" + value="federation/krb" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default" + value="federation/up" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl" + value="federation/clientcert" /> </util:map> </property> <property name="trustedIDPs"> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml index 830dc78..00faa08 100644 --- a/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml +++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realmb.xml 
@@ -74,6 +74,12 @@ <property name="authenticationURIs"> <util:map> <entry key="default" value="federation/up" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey" + value="federation/krb" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default" + value="federation/up" /> + <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl" + value="federation/clientcert" /> </util:map> </property> <property name="serviceDisplayName" value="REALM B" /> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml index 691f7bb..a7bc370 100644 --- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml +++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml @@ -79,6 +79,8 @@ path="/WEB-INF/federation-validate-request.xml" id="federation/up" /> <webflow:flow-location path="/WEB-INF/federation-validate-request.xml" id="federation/krb" /> + <webflow:flow-location + path="/WEB-INF/federation-validate-request.xml" id="federation/clientcert" /> <webflow:flow-location path="/WEB-INF/federation-signin-request.xml" id="signinRequest" /> <webflow:flow-location path="/WEB-INF/federation-signin-response.xml" http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/security-config.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml index c70ccfb..a3413bb 100644 --- a/services/idp/src/main/webapp/WEB-INF/security-config.xml +++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml 
@@ -21,6 +21,7 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd @@ -28,6 +29,8 @@ http://www.springframework.org/schema/context/spring-context-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd + http://www.springframework.org/schema/util + http://www.springframework.org/schema/util/spring-util-2.0.xsd "> <context:property-placeholder location="classpath:realm.properties"/> @@ -106,10 +109,21 @@ <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" /> <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" /> </security:http> + + <!-- SSL Client Cert entry point --> + <security:http pattern="/federation/clientcert" use-expressions="true"> + <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" /> + <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> + <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" /> + + <security:x509 /> + <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" /> + </security:http> <security:authentication-manager alias="authenticationManagers"> <security:authentication-provider ref="stsUPAuthProvider" /> <security:authentication-provider ref="stsKrbAuthProvider" /> + <security:authentication-provider ref="stsClientCertAuthProvider" /> </security:authentication-manager> <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter"> 
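Review bot: The added schemaLocation binds the `util` namespace to `spring-util-2.0.xsd` while the beans, context and security entries on the surrounding lines all point at 3.1 schemas; `http://www.springframework.org/schema/util/spring-util-3.1.xsd` keeps the declared versions consistent. Spring resolves these locations from its bundled schema catalog rather than fetching them, so the mismatch is cosmetic at runtime, but the systests copy deleted later in this commit carried the same 2.0 location and the shipped webapp config is the place to align it.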
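Review bot: The new `/federation/clientcert` chain declares `<security:x509 />` but its only `intercept-url` covers the FederationMetadata path, so a request to `/federation/clientcert` that presents no client certificate is not stopped by this filter chain and reaches the idp servlet as an anonymous session; unless the web flow itself enforces an authenticated principal (not visible in this hunk), add `<security:intercept-url pattern="/**" access="isAuthenticated()" />` inside the block, as the removed systests copy did for `/services/rs/**`. The X509 filter can only see a certificate if the HTTPS connector requests client authentication, and that setting lives in the container configuration, not here; a comment on the block noting that dependency, `<!-- requires the HTTPS connector to request client certificates; the filter only pre-authenticates when a cert is present -->`, would save the next deployer a debugging session. `<security:x509 />` also falls back to the default subject-principal-regex, which takes the CN; whether `stsClientCertAuthProvider` relies on that principal or on the certificate itself is not visible from the hunk.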
@@ -147,4 +161,22 @@ <property name="requireDelegation" value="true"/>--> </bean> + <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter"> + <property name="authenticationProvider" ref="stsClientCertAuthProvider" /> + </bean> + + <util:map id="securityProperties"> + <entry key="ws-security.username" value="idp-user" /> + <entry key="ws-security.password" value="idp-pass" /> + </util:map> + + <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider"> + <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/> + <property name="wsdlEndpoint" value="TransportUT_Port"/> + <property name="wsdlService" value="SecurityTokenService"/> + <property name="appliesTo" value="urn:fediz:idp"/> + <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> + <property name="properties" ref="securityProperties"/> + </bean> + </beans> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/main/webapp/WEB-INF/web.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/web.xml b/services/idp/src/main/webapp/WEB-INF/web.xml index 21ea9ab..b22a0db 100644 --- a/services/idp/src/main/webapp/WEB-INF/web.xml +++ b/services/idp/src/main/webapp/WEB-INF/web.xml 
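Review bot: `securityProperties` writes the STS credentials `idp-user`/`idp-pass` as literals into the shipped WEB-INF/security-config.xml; the file already declares `<context:property-placeholder location="classpath:realm.properties"/>`, so `<entry key="ws-security.username" value="${sts.username}" />` and `<entry key="ws-security.password" value="${sts.password}" />` (placeholder names constructed) would keep the secret out of the webapp archive and out of version control. The `wsdlLocation` of `stsClientCertAuthProvider` is `https://localhost:0/...`, a value the deleted systests copy populated through the Maven resource filtering this commit removes from both systests poms; verify the idp webapp build filters this file, otherwise the provider targets port 0 at runtime. Neither new bean carries a comment; `<!-- authentication provider for the /federation/clientcert chain; validates the pre-authenticated principal against the STS TransportUT endpoint -->` above `stsClientCertAuthProvider` would record why a second STSPreAuthAuthenticationProvider exists next to the UP and Kerberos ones.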
@@ -91,6 +91,11 @@ under the License. </servlet-mapping> <servlet-mapping> + <servlet-name>idp</servlet-name> + <url-pattern>/federation/clientcert</url-pattern> + </servlet-mapping> + + <servlet-mapping> <servlet-name>metadata</servlet-name> <url-pattern>/FederationMetadata/2007-06/FederationMetadata.xml</url-pattern> </servlet-mapping> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java ---------------------------------------------------------------------- diff --git a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java index 51c3118..6931633 100644 --- a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java +++ b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/integrationtests/RestITTest.java @@ -108,7 +108,7 @@ public class RestITTest { Assert.assertTrue("ProvideIDPList doesn't match", idp.isProvideIdpList()); Assert.assertTrue("UseCurrentIDP doesn't match", idp.isUseCurrentIdp()); Assert.assertEquals("Number of AuthenticationURIs doesn't match", - 1, idp.getAuthenticationURIs().size()); + 4, idp.getAuthenticationURIs().size()); Assert.assertEquals("Number of SupportedProtocols doesn't match", 2, idp.getSupportedProtocols().size()); Assert.assertEquals("Number of TokenTypesOffered doesn't match", http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java ---------------------------------------------------------------------- diff --git a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java index 1b2d775..a624725 100644 
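Review bot: The assertion on `idp.getAuthenticationURIs().size()` is bumped from 1 to 4 (and likewise in IdpDAOJPATest in the following hunk), which pins a count rather than the mapping this commit introduces and will need another edit every time an entry is added. If `getAuthenticationURIs()` is a Map, `Assert.assertEquals("federation/clientcert", idp.getAuthenticationURIs().get("http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"));` alongside the count would fail for the right reason when the Ssl entry goes missing. The enclosing test method starts and ends outside the hunk.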
--- a/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java +++ b/services/idp/src/test/java/org/apache/cxf/fediz/service/idp/service/jpa/IdpDAOJPATest.java @@ -92,7 +92,7 @@ public class IdpDAOJPATest { "ProvideIDPList doesn't match"); Assert.isTrue(idp.isUseCurrentIdp(), "UseCurrentIDP doesn't match"); - Assert.isTrue(1 == idp.getAuthenticationURIs().size(), + Assert.isTrue(4 == idp.getAuthenticationURIs().size(), "Number of AuthenticationURIs doesn't match"); Assert.isTrue(2 == idp.getSupportedProtocols().size(), "Number of SupportedProtocols doesn't match"); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/pom.xml ---------------------------------------------------------------------- diff --git a/systests/clientcert/pom.xml b/systests/clientcert/pom.xml index b526d9f..48d691d 100644 --- a/systests/clientcert/pom.xml +++ b/systests/clientcert/pom.xml @@ -200,26 +200,6 @@ <version>2.7</version> <executions> <execution> - <id>copy-entities-to-idp</id> - <phase>generate-test-sources</phase> - <goals> - <goal>copy-resources</goal> - </goals> - <configuration> - <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF</outputDirectory> - <resources> - <resource> - <directory>${basedir}/src/test/resources/idp</directory> - <includes> - <include>security-config.xml</include> - <include>idp-servlet.xml</include> - </includes> - <filtering>true</filtering> - </resource> - </resources> - </configuration> - </execution> - <execution> <id>copy-entities-to-sts</id> <phase>generate-test-sources</phase> <goals> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java ---------------------------------------------------------------------- 
diff --git a/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java new file mode 100644 index 0000000..e2f402c --- /dev/null +++ b/systests/clientcert/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java 
@@ -0,0 +1,48 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + +import java.io.IOException; + +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; + +import org.apache.cxf.fediz.core.spi.WReqCallback; + +public class HOKCallbackHandler implements CallbackHandler { + + static final String HOK_WREQ = + "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">" + + "<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</KeyType>" + + "</RequestSecurityToken>"; + + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + for (int i = 0; i < callbacks.length; i++) { + if (callbacks[i] instanceof WReqCallback) { + WReqCallback callback = (WReqCallback) callbacks[i]; + callback.setWreq(HOK_WREQ); + } else { + throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); + } + } + } + +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/resources/fediz_config.xml 
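Review bot: `HOKCallbackHandler` has no class or method documentation, and the file ends without a trailing newline (`\ No newline at end of file`). A class Javadoc such as `/** CallbackHandler for the client-cert system test: answers a WReqCallback with a fixed RequestSecurityToken that asks for the WS-Trust PublicKey key type (holder-of-key). */` records why the constant `HOK_WREQ` exists, and `handle` should state that any callback other than WReqCallback is rejected with UnsupportedCallbackException rather than ignored. As a point of style the index loop can be `for (Callback cb : callbacks)`, and `HOK_WREQ` could be `private` unless another test class reads it.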
---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/fediz_config.xml b/systests/clientcert/src/test/resources/fediz_config.xml index 1f20ab6..5add553 100644 --- a/systests/clientcert/src/test/resources/fediz_config.xml +++ b/systests/clientcert/src/test/resources/fediz_config.xml @@ -35,6 +35,8 @@ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" /> <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" /> </claimTypesRequested> + <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType> + <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request> </protocol> <logoutURL>/secure/logout</logoutURL> <logoutRedirectTo>/index.html</logoutRedirectTo> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/resources/idp/idp-servlet.xml ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/idp/idp-servlet.xml b/systests/clientcert/src/test/resources/idp/idp-servlet.xml deleted file mode 100644 index c09f3e3..0000000 --- a/systests/clientcert/src/test/resources/idp/idp-servlet.xml +++ /dev/null 
@@ -1,137 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xmlns:webflow="http://www.springframework.org/schema/webflow-config" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:context="http://www.springframework.org/schema/context" - xsi:schemaLocation="http://www.springframework.org/schema/beans - http://www.springframework.org/schema/beans/spring-beans-3.1.xsd - http://www.springframework.org/schema/context - http://www.springframework.org/schema/context/spring-context-3.1.xsd - http://www.springframework.org/schema/webflow-config - http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd"> - - <context:property-placeholder location="classpath:realm.properties" /> - - <context:component-scan base-package="org.apache.cxf.fediz.service.idp.beans" /> - - <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" - p:flowRegistry-ref="flowRegistry" p:order="2"> - </bean> - - <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter" - p:flowExecutor-ref="flowExecutor" /> - - <webflow:flow-executor 
id="flowExecutor" - flow-registry="flowRegistry"> - <webflow:flow-execution-attributes> - <webflow:always-redirect-on-pause - value="false" /> - </webflow:flow-execution-attributes> - - <webflow:flow-execution-listeners> - <webflow:listener ref="securityFlowExecutionListener" /> - </webflow:flow-execution-listeners> - </webflow:flow-executor> - - <bean id="securityFlowExecutionListener" - class="org.springframework.webflow.security.SecurityFlowExecutionListener"> - <property name="accessDecisionManager" ref="accessDecisionManager" /> - </bean> - - <bean id="accessDecisionManager" - class="org.springframework.security.access.vote.AffirmativeBased"> - <property name="decisionVoters"> - <list> - <bean - class="org.springframework.security.access.vote.RoleVoter"> - <property name="rolePrefix" value="ROLE_" /> - </bean> - <bean - class="org.springframework.security.access.vote.AuthenticatedVoter" /> - </list> - </property> - </bean> - - <webflow:flow-registry id="flowRegistry" - flow-builder-services="builder"> - <webflow:flow-location - path="/WEB-INF/federation-validate-request.xml" id="federation" /> - <webflow:flow-location - path="/WEB-INF/federation-validate-request.xml" id="federation/up" /> - <webflow:flow-location path="/WEB-INF/federation-signin-request.xml" - id="signinRequest" /> - <webflow:flow-location path="/WEB-INF/federation-signin-response.xml" - id="signinResponse" /> - </webflow:flow-registry> - - <webflow:flow-builder-services id="builder" - view-factory-creator="viewFactoryCreator" expression-parser="expressionParser" /> - - <bean id="expressionParser" - class="org.springframework.webflow.expression.WebFlowOgnlExpressionParser" /> - - <bean id="viewFactoryCreator" - class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator"> - <property name="viewResolvers"> - <list> - <ref local="viewResolver" /> - </list> - </property> - </bean> - - <bean id="viewResolver" - class="org.springframework.web.servlet.view.InternalResourceViewResolver"> - 
<property name="prefix" value="/WEB-INF/" /> - <property name="suffix" value=".jsp" /> - </bean> - - <bean id="stsClientForRpAction" - class="org.apache.cxf.fediz.service.idp.beans.STSClientAction"> - <property name="wsdlLocation" - value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransport?wsdl" /> - <property name="wsdlEndpoint" value="Transport_Port" /> - <property name="tokenType" - value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> - <property name="keyType" - value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey" /> - </bean> - - <bean id="signInParamCacheAction" - class="org.apache.cxf.fediz.service.idp.beans.SigninParametersCacheAction" /> - - <bean id="logoutAction" class="org.apache.cxf.fediz.service.idp.beans.LogoutAction" /> - - <bean id="wfreshParser" class="org.apache.cxf.fediz.service.idp.beans.WfreshParser" /> - - <bean id="cacheTokenForWauthAction" - class="org.apache.cxf.fediz.service.idp.beans.CacheTokenForWauthAction" /> - - <bean id="processHRDSExpressionAction" - class="org.apache.cxf.fediz.service.idp.beans.ProcessHRDSExpressionAction" /> - - <bean id="homeRealmReminder" - class="org.apache.cxf.fediz.service.idp.beans.HomeRealmReminder" /> - - <bean id="trustedIdpProtocolAction" - class="org.apache.cxf.fediz.service.idp.beans.TrustedIdpProtocolAction" /> - -</beans> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/clientcert/src/test/resources/idp/security-config.xml ---------------------------------------------------------------------- diff --git a/systests/clientcert/src/test/resources/idp/security-config.xml b/systests/clientcert/src/test/resources/idp/security-config.xml deleted file mode 100644 index 15767c8..0000000 --- a/systests/clientcert/src/test/resources/idp/security-config.xml +++ /dev/null 
@@ -1,103 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xmlns:security="http://www.springframework.org/schema/security" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xsi:schemaLocation=" - http://www.springframework.org/schema/beans - http://www.springframework.org/schema/beans/spring-beans-3.1.xsd - http://www.springframework.org/schema/context - http://www.springframework.org/schema/context/spring-context-3.1.xsd - http://www.springframework.org/schema/security - http://www.springframework.org/schema/security/spring-security-3.1.xsd - http://www.springframework.org/schema/util - http://www.springframework.org/schema/util/spring-util-2.0.xsd - "> - - <context:property-placeholder location="classpath:realm.properties"/> - - <!-- DISABLE in production as it might log confidential information about the user --> - <!-- <security:debug /> --> - - <!-- Configure Spring Security --> - - <!-- If enabled, you can't access the Service layer within the Spring Webflow --> - <!-- The user has no role during 
the login phase of WS-Federation --> - <security:global-method-security pre-post-annotations="enabled"/> - - <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/> - <security:http-basic /> - </security:http> - - <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" /> - - <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" /> - - <security:authentication-manager id="restAuthenticationManager"> - <security:authentication-provider> - <!-- <security:password-encoder ref="defaultPasswordEncoder"/>--> - <!-- <security:password-encoder hash="sha-256" base64="true" />--> - <!-- - <security:password-encoder hash="sha-256" base64="true"> - <security:salt-source user-property="username"/> - </security:password-encoder> - --> - <security:user-service properties="classpath:/users.properties" /> - </security:authentication-provider> - <security:authentication-provider ref="stsAuthProvider" /> - </security:authentication-manager> - - <security:http use-expressions="true"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" /> - - <security:x509 /> - <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" /> - </security:http> - - <security:authentication-manager> - <security:authentication-provider ref="stsAuthProvider" /> - </security:authentication-manager> - - <bean id="stsPortFilter" 
class="org.apache.cxf.fediz.service.idp.STSPortFilter" /> - - <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" /> - - <util:map id="securityProperties"> - <entry key="ws-security.username" value="idp-user" /> - <entry key="ws-security.password" value="idp-pass" /> - </util:map> - - <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider"> - <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/> - <property name="wsdlEndpoint" value="TransportUT_Port"/> - <property name="wsdlService" value="SecurityTokenService"/> - <property name="appliesTo" value="urn:fediz:idp"/> - <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> - <property name="properties" ref="securityProperties"/> - </bean> - -</beans> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/kerberos/pom.xml ---------------------------------------------------------------------- diff --git a/systests/kerberos/pom.xml b/systests/kerberos/pom.xml index 606a2dc..d7c8ce7 100644 --- a/systests/kerberos/pom.xml +++ b/systests/kerberos/pom.xml 
@@ -289,25 +289,6 @@ <version>2.7</version> <executions> <execution> - <id>copy-entities-to-idp</id> - <phase>generate-test-sources</phase> - <goals> - <goal>copy-resources</goal> - </goals> - <configuration> - <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF</outputDirectory> - <resources> - <resource> - <directory>${basedir}/src/test/resources/idp</directory> - <includes> - <include>security-config.xml</include> - </includes> - <filtering>true</filtering> - </resource> - </resources> - </configuration> - </execution> - <execution> <id>copy-entities-to-sts</id> <phase>generate-test-sources</phase> <goals> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/kerberos/src/test/resources/fediz_config.xml ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/fediz_config.xml b/systests/kerberos/src/test/resources/fediz_config.xml index 1f20ab6..244b5b7 100644 --- a/systests/kerberos/src/test/resources/fediz_config.xml +++ b/systests/kerberos/src/test/resources/fediz_config.xml @@ -35,6 +35,7 @@ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" /> <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" /> </claimTypesRequested> + <authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey</authenticationType> </protocol> <logoutURL>/secure/logout</logoutURL> <logoutRedirectTo>/index.html</logoutRedirectTo> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9d7cdcde/systests/kerberos/src/test/resources/idp/security-config.xml ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/idp/security-config.xml b/systests/kerberos/src/test/resources/idp/security-config.xml deleted file mode 100644 index 4fe3da2..0000000 
--- a/systests/kerberos/src/test/resources/idp/security-config.xml +++ /dev/null 
@@ -1,116 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xmlns:security="http://www.springframework.org/schema/security" - xmlns:context="http://www.springframework.org/schema/context" - xsi:schemaLocation=" - http://www.springframework.org/schema/beans - http://www.springframework.org/schema/beans/spring-beans-3.1.xsd - http://www.springframework.org/schema/context - http://www.springframework.org/schema/context/spring-context-3.1.xsd - http://www.springframework.org/schema/security - http://www.springframework.org/schema/security/spring-security-3.1.xsd"> - - <context:property-placeholder location="classpath:realm.properties"/> - - <!-- DISABLE in production as it might log confidential information about the user --> - <!-- <security:debug /> --> - - <!-- Configure Spring Security --> - <!-- If enabled, you can't access the Service layer within the Spring Webflow --> - <!-- The user has no role during the login phase of WS-Federation --> - <security:global-method-security pre-post-annotations="enabled"/> - - <security:http pattern="/services/rs/**" auto-config="false" 
use-expressions="true" entry-point-ref="kerberosEntryPoint"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - <security:intercept-url pattern="/**" access="isAuthenticated()"/> - <!--<security:http-basic />--> - <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" /> - </security:http> - - <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" /> - - <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" /> - - <bean id="spnegoAuthenticationProcessingFilter" - class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter"> - <property name="authenticationManager" ref="restAuthenticationManager" /> - </bean> - - <security:authentication-manager id="restAuthenticationManager"> - <security:authentication-provider> - <!-- <security:password-encoder ref="defaultPasswordEncoder"/>--> - <!-- <security:password-encoder hash="sha-256" base64="true" />--> - <!-- - <security:password-encoder hash="sha-256" base64="true"> - <security:salt-source user-property="username"/> - </security:password-encoder> - --> - <security:user-service properties="classpath:/users.properties" /> - </security:authentication-provider> - <security:authentication-provider ref="stsAuthProvider" /> - </security:authentication-manager> - - <security:http use-expressions="true" entry-point-ref="kerberosEntryPoint"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" /> - - <!-- <security:form-login login-page="/federation/login"/> - <security:http-basic />--> - 
<security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" /> - </security:http> - - <bean id="kerberosEntryPoint" - class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" /> - - <bean id="kerberosAuthenticationProcessingFilter" - class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter"> - <property name="authenticationManager" ref="authenticationManager" /> - </bean> - - <security:authentication-manager alias="authenticationManager"> - <security:authentication-provider ref="stsAuthProvider" /> - </security:authentication-manager> - - <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" /> - - <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" /> - - <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator"> - <property name="contextName" value="bob"/> - <property name="serviceName" value="[email protected]"/> - </bean>--> - - <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider"> - <!--<property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/> - <property name="wsdlEndpoint" value="TransportUT_Port"/> --> - <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/> - <property name="wsdlEndpoint" value="TransportKerberos_Port"/> - <property name="wsdlService" value="SecurityTokenService"/> - <property name="appliesTo" value="urn:fediz:idp"/> - <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> - <!--<property name="kerberosTokenValidator" ref="kerberosTokenValidator"/> - <property name="requireDelegation" value="true"/>--> - </bean> - -</beans>
