Repository: cxf-fediz Updated Branches: refs/heads/master c1bbb7cd6 -> 230bce9af
[FEDIZ-23] - Add redirection to UP + Kerberos. Refactored the STSAuthenticationProvider Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/230bce9a Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/230bce9a Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/230bce9a Branch: refs/heads/master Commit: 230bce9af3df47a23b5b1946adb8aa6ac4c58ed1 Parents: c1bbb7c Author: Colm O hEigeartaigh <[email protected]> Authored: Thu Apr 9 11:42:04 2015 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Thu Apr 9 11:42:04 2015 +0100 ---------------------------------------------------------------------- .../fediz/service/idp/FederationEntryPoint.java | 13 +- .../service/idp/STSAuthenticationProvider.java | 334 +------------------ .../idp/STSKrbAuthenticationProvider.java | 254 ++++++++++++++ .../cxf/fediz/service/idp/STSPortFilter.java | 14 +- .../idp/STSPreAuthAuthenticationProvider.java | 131 ++++++++ .../idp/STSUPAuthenticationProvider.java | 118 +++++++ .../idp/src/main/resources/entities-realma.xml | 2 +- .../main/webapp/WEB-INF/idp-config-realma.xml | 2 +- .../idp/src/main/webapp/WEB-INF/idp-servlet.xml | 4 + .../src/main/webapp/WEB-INF/security-config.xml | 76 ++++- services/idp/src/main/webapp/WEB-INF/web.xml | 12 +- 11 files changed, 618 insertions(+), 342 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java index c7265a1..1a39ef2 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java 
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/FederationEntryPoint.java @@ -79,13 +79,14 @@ public class FederationEntryPoint implements AuthenticationEntryPoint, Assert.notNull(this.appContext, "ApplicationContext cannot be null."); Assert.notNull(this.configService, "ConfigService cannot be null."); Assert.notNull(this.realm, "realm cannot be null."); - idpConfig = configService.getIDP(realm); - Assert.notNull(this.idpConfig, "idpConfig cannot be null. Check realm and config service implementation"); } public final void commence(final HttpServletRequest servletRequest, final HttpServletResponse response, final AuthenticationException authenticationException) throws IOException, ServletException { + idpConfig = configService.getIDP(realm); + Assert.notNull(this.idpConfig, "idpConfig cannot be null. Check realm and config service implementation"); + String redirectUrl = null; String wauth = servletRequest.getParameter(FederationConstants.PARAM_AUTH_TYPE); if (wauth == null) { @@ -98,7 +99,7 @@ public class FederationEntryPoint implements AuthenticationEntryPoint, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "wauth value '" + wauth + "' not supported"); } redirectUrl = new StringBuilder(extractFullContextPath(servletRequest)) - .append(realm).append(loginUri).toString(); + .append(loginUri).append("?").append(servletRequest.getQueryString()).toString(); preCommence(servletRequest, response); if (LOG.isInfoEnabled()) { @@ -127,6 +128,7 @@ public class FederationEntryPoint implements AuthenticationEntryPoint, String result = null; String contextPath = request.getContextPath(); String requestUrl = request.getRequestURL().toString(); + String requestPath = new URL(requestUrl).getPath(); // Cut request path of request url and add context path if not ROOT if (requestPath != null && requestPath.length() > 0) { 
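Review bot: The idpConfig lookup moved into commence() now fails through the IllegalArgumentException that `Assert.notNull` throws, which propagates out of commence instead of producing the SC_INTERNAL_SERVER_ERROR response the unsupported-wauth branch a few lines below sends. Handling the null case the same way keeps the error path uniform: `if (idpConfig == null) { response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "IdP configuration not found for realm"); return; }`. Whether resolving the configuration on every request (rather than once at init) is intended so that config changes are picked up is not stated; a one-line comment on that would help the next reader.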
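Review bot: `servletRequest.getQueryString()` returns null when the request carries no query string, so the new redirectUrl then ends in the literal `?null` and the login page receives a bogus parameter. Append the separator and query only when present: `String query = servletRequest.getQueryString(); StringBuilder sb = new StringBuilder(extractFullContextPath(servletRequest)).append(loginUri); if (query != null) { sb.append('?').append(query); } redirectUrl = sb.toString();`. The query string is forwarded verbatim into the redirect, which is fine for encoding (it is still percent-encoded as received), but any parameter the login flow later echoes or redirects to still has to be validated there.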
@@ -137,8 +139,9 @@ public class FederationEntryPoint implements AuthenticationEntryPoint, } if (contextPath != null && contextPath.length() > 0) { // contextPath contains starting slash - result = result + contextPath + "/"; - } else { + result = result + contextPath; + } + if (result.charAt(result.length() - 1) != '/') { result = result + "/"; } return result; http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java index 0a75b63..ab84b11 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSAuthenticationProvider.java 
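Review bot: `new URL(requestUrl).getPath()` throws the checked MalformedURLException and needs `java.net.URL` in scope, yet neither an import change nor the signature of the enclosing method (which starts above the hunk) is part of this diff; confirm the method already declares the exception and the import is present, otherwise the file does not compile. The old context also read `requestPath` without any declaration in the shown lines, so it was presumably declared earlier in the method; check that the new local does not duplicate that declaration.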
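Review bot: `result.charAt(result.length() - 1)` throws StringIndexOutOfBoundsException when result is the empty string, and result is initialised to null in the earlier context line, so whether it can still be null or empty here depends on the lines between the two hunks that are not shown. `if (!result.endsWith("/")) { result = result + "/"; }` expresses the intent directly and handles the empty case; a null result would still need its own guard.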
@@ -19,71 +19,46 @@ package org.apache.cxf.fediz.service.idp; import java.net.URI; -import java.security.Principal; -import java.security.PrivilegedActionException; -import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; -import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.login.LoginException; -import javax.xml.namespace.QName; - -import org.w3c.dom.Document; import org.w3c.dom.Element; + import org.apache.cxf.Bus; import org.apache.cxf.BusFactory; //import org.apache.cxf.endpoint.Client; import org.apache.cxf.fediz.core.Claim; import org.apache.cxf.fediz.core.ClaimTypes; -import org.apache.cxf.fediz.service.idp.kerberos.KerberosServiceRequestToken; -import org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator; -import org.apache.cxf.fediz.service.idp.kerberos.PassThroughKerberosClient; -import org.apache.cxf.helpers.DOMUtils; -//import org.apache.cxf.transport.http.HTTPConduit; -//import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; -import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.wss4j.common.ext.WSSecurityException; -import org.apache.wss4j.common.kerberos.KerberosServiceContext; -import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl; import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.apache.wss4j.dom.WSConstants; -import org.apache.xml.security.exceptions.XMLSecurityException; -import org.apache.xml.security.keys.content.X509Data; -import org.ietf.jgss.GSSContext; -import org.ietf.jgss.GSSCredential; -import org.ietf.jgss.GSSException; -import org.ietf.jgss.GSSManager; -import org.ietf.jgss.GSSName; -import org.ietf.jgss.Oid; import org.opensaml.xml.XMLObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import 
org.springframework.security.authentication.AuthenticationProvider; -import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; -import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; +//import org.apache.cxf.transport.http.HTTPConduit; +//import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; -public class STSAuthenticationProvider implements AuthenticationProvider { +/** + * A base class for authenticating credentials to the STS + */ +public abstract class STSAuthenticationProvider implements AuthenticationProvider { - private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER = + public static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer"; - private static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 = + public static final String HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/"; - private static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST = + public static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST = "http://schemas.xmlsoap.org/ws/2005/02/trust"; - private static final Logger LOG = LoggerFactory - .getLogger(STSAuthenticationProvider.class); + private static final Logger LOG = LoggerFactory.getLogger(STSAuthenticationProvider.class); protected String wsdlLocation; 
@@ -108,190 +83,7 @@ public class STSAuthenticationProvider implements AuthenticationProvider { protected Map<String, Object> properties = new HashMap<String, Object>(); - private KerberosTokenValidator kerberosTokenValidator; - - private CallbackHandler kerberosCallbackHandler; - - private boolean kerberosUsernameServiceNameForm; - - private boolean requireDelegation; - - - @Override - public Authentication authenticate(Authentication authentication) throws AuthenticationException { - - Bus cxfBus = getBus(); - IdpSTSClient sts = new IdpSTSClient(cxfBus); - sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing"); - if (tokenType != null && tokenType.length() > 0) { - sts.setTokenType(tokenType); - } else { - sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); - } - sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER); - sts.setWsdlLocation(wsdlLocation); - sts.setServiceQName(new QName(namespace, wsdlService)); - sts.setEndpointQName(new QName(namespace, wsdlEndpoint)); - - sts.getProperties().putAll(properties); - if (use200502Namespace) { - sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST); - } - - if (lifetime != null) { - sts.setEnableLifetime(true); - sts.setTtl(lifetime.intValue()); - } - - if (authentication instanceof KerberosServiceRequestToken) { - return handleKerberos((KerberosServiceRequestToken)authentication, sts); - } else if (authentication instanceof PreAuthenticatedAuthenticationToken) { - return handlePreAuthenticated((PreAuthenticatedAuthenticationToken)authentication, sts); - } else if (authentication instanceof UsernamePasswordAuthenticationToken) { - return handleUsernamePassword((UsernamePasswordAuthenticationToken)authentication, sts); - } else { - LOG.debug("An unknown authentication token was supplied"); - return null; - } - - } - - private Authentication handleKerberos( - KerberosServiceRequestToken kerberosRequestToken, - IdpSTSClient sts - ) { - Principal kerberosPrincipal = null; - // - // If 
delegation is required then validate the received token + store the - // Delegated Credential so that we can retrieve a new kerberos token for the - // STS with it. If delegation is not required, then we just get the received - // token + pass it to the STS - // - if (requireDelegation) { - kerberosPrincipal = validateKerberosToken(kerberosRequestToken, sts); - if (kerberosPrincipal == null) { - return null; - } - } else { - PassThroughKerberosClient kerberosClient = new PassThroughKerberosClient(); - kerberosClient.setToken(kerberosRequestToken.getToken()); - sts.getProperties().put(SecurityConstants.KERBEROS_CLIENT, kerberosClient); - } - - try { - // Line below may be uncommented for debugging - // setTimeout(sts.getClient(), 3600000L); - - SecurityToken token = sts.requestSecurityToken(this.appliesTo); - - if (kerberosPrincipal == null && token.getToken() != null - && "Assertion".equals(token.getToken().getLocalName())) { - // For the pass-through Kerberos case, we don't know the Principal name... 
- kerberosPrincipal = - new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken())); - } - - List<GrantedAuthority> authorities = createAuthorities(token); - - KerberosServiceRequestToken ksrt = - new KerberosServiceRequestToken(kerberosPrincipal, authorities, kerberosRequestToken.getToken()); - - STSUserDetails details = new STSUserDetails(kerberosPrincipal.getName(), - "", - authorities, - token); - ksrt.setDetails(details); - - LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), kerberosPrincipal.getName()); - return ksrt; - } catch (Exception ex) { - LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName() + "'", ex); - return null; - } - } - - private Authentication handlePreAuthenticated( - PreAuthenticatedAuthenticationToken preauthenticatedToken, - IdpSTSClient sts - ) { - X509Certificate cert = (X509Certificate)preauthenticatedToken.getCredentials(); - if (cert == null) { - return null; - } - - // Convert the received certificate to a DOM Element to write it out "OnBehalfOf" - Document doc = DOMUtils.newDocument(); - X509Data certElem = new X509Data(doc); - try { - certElem.addCertificate(cert); - sts.setOnBehalfOf(certElem.getElement()); - } catch (XMLSecurityException e) { - LOG.debug("Error parsing a client certificate", e); - return null; - } - - try { - // Line below may be uncommented for debugging - // setTimeout(sts.getClient(), 3600000L); - - SecurityToken token = sts.requestSecurityToken(this.appliesTo); - - List<GrantedAuthority> authorities = createAuthorities(token); - - STSUserDetails details = new STSUserDetails(preauthenticatedToken.getName(), - "", - authorities, - token); - - preauthenticatedToken.setDetails(details); - - LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), preauthenticatedToken.getName()); - return preauthenticatedToken; - - } catch (Exception ex) { - LOG.info("Failed to authenticate user '" + preauthenticatedToken.getName() + "'", ex); - return null; - } - } - - 
private Authentication handleUsernamePassword( - UsernamePasswordAuthenticationToken usernamePasswordToken, - IdpSTSClient sts - ) { - sts.getProperties().put(SecurityConstants.USERNAME, usernamePasswordToken.getName()); - sts.getProperties().put(SecurityConstants.PASSWORD, (String)usernamePasswordToken.getCredentials()); - - try { - - // Line below may be uncommented for debugging - // setTimeout(sts.getClient(), 3600000L); - - SecurityToken token = sts.requestSecurityToken(this.appliesTo); - - List<GrantedAuthority> authorities = createAuthorities(token); - - UsernamePasswordAuthenticationToken upat = - new UsernamePasswordAuthenticationToken(usernamePasswordToken.getName(), - usernamePasswordToken.getCredentials(), - authorities); - - STSUserDetails details = new STSUserDetails(usernamePasswordToken.getName(), - (String)usernamePasswordToken.getCredentials(), - authorities, - token); - upat.setDetails(details); - - LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), usernamePasswordToken.getName()); - return upat; - - } catch (Exception ex) { - LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex); - return null; - } - - } - - private List<GrantedAuthority> createAuthorities(SecurityToken token) throws WSSecurityException { + protected List<GrantedAuthority> createAuthorities(SecurityToken token) throws WSSecurityException { List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); //authorities.add(new SimpleGrantedAuthority("ROLE_AUTHENTICATED")); //Not needed because AuthenticatedVoter has been added for SecurityFlowExecutionListener 
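Review bot: With the concrete handlers moved out, the IdpSTSClient setup (addressing namespace, token/key type, WSDL location, service and endpoint QNames, properties, 2005/02 namespace, lifetime) is now repeated verbatim in each subclass's authenticate() instead of living next to the fields it reads here; only `createAuthorities` stays shared. A protected factory in this base class would keep the three copies from drifting, and subclasses would then start with `IdpSTSClient sts = createSTSClient();`. Note that this commit removes the `javax.xml.namespace.QName` and `org.apache.wss4j.dom.WSConstants` imports from this file, so they would have to come back for the helper. The commented-out HTTPConduit/HTTPClientPolicy imports that were moved to the bottom of the import block are dead code and could be dropped together with the commented-out setTimeout.
```java
    /**
     * Builds an IdpSTSClient configured from this provider's properties
     * (token/key type, WSDL location, service/endpoint names, namespace,
     * lifetime). Subclasses call this instead of repeating the setup.
     */
    protected IdpSTSClient createSTSClient() {
        IdpSTSClient sts = new IdpSTSClient(getBus());
        sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
        if (tokenType != null && tokenType.length() > 0) {
            sts.setTokenType(tokenType);
        } else {
            sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
        }
        sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
        sts.setWsdlLocation(wsdlLocation);
        sts.setServiceQName(new QName(namespace, wsdlService));
        sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
        sts.getProperties().putAll(properties);
        if (use200502Namespace) {
            sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
        }
        if (lifetime != null) {
            sts.setEnableLifetime(true);
            sts.setTtl(lifetime.intValue());
        }
        return sts;
    }

    // … unchanged: createAuthorities(SecurityToken) …
```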
@@ -325,76 +117,6 @@ public class STSAuthenticationProvider implements AuthenticationProvider { return authorities; } - private Principal validateKerberosToken( - KerberosServiceRequestToken token, - IdpSTSClient sts - ) { - if (kerberosTokenValidator == null) { - LOG.error("KerberosTokenValidator must be configured to support kerberos " - + "credential delegation"); - return null; - } - KerberosServiceContext kerberosContext; - Principal kerberosPrincipal = null; - try { - kerberosContext = kerberosTokenValidator.validate(token); - if (kerberosContext == null || kerberosContext.getDelegationCredential() == null) { - LOG.info("Kerberos Validation failure"); - return null; - } - GSSCredential delegatedCredential = kerberosContext.getDelegationCredential(); - sts.getProperties().put(SecurityConstants.DELEGATED_CREDENTIAL, - delegatedCredential); - sts.getProperties().put(SecurityConstants.KERBEROS_USE_CREDENTIAL_DELEGATION, "true"); - kerberosPrincipal = kerberosContext.getPrincipal(); - } catch (LoginException ex) { - LOG.info("Failed to authenticate user", ex); - return null; - } catch (PrivilegedActionException ex) { - LOG.info("Failed to authenticate user", ex); - return null; - } - - if (kerberosTokenValidator.getContextName() != null) { - sts.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME, - kerberosTokenValidator.getContextName()); - } - if (kerberosTokenValidator.getServiceName() != null) { - sts.getProperties().put(SecurityConstants.KERBEROS_SPN, - kerberosTokenValidator.getServiceName()); - } - if (kerberosCallbackHandler != null) { - sts.getProperties().put(SecurityConstants.CALLBACK_HANDLER, - kerberosCallbackHandler); - } - if (kerberosUsernameServiceNameForm) { - sts.getProperties().put(SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, - "true"); - } - - return kerberosPrincipal; - } - - protected GSSContext createGSSContext() throws GSSException { - Oid oid = new Oid("1.2.840.113554.1.2.2"); - - GSSManager gssManager = 
GSSManager.getInstance(); - - String spn = "[email protected]"; - GSSName gssService = gssManager.createName(spn, null); - - return gssManager.createContext(gssService.canonicalize(oid), - oid, null, GSSContext.DEFAULT_LIFETIME); - - } - - @Override - public boolean supports(Class<?> authentication) { - return authentication.equals(PreAuthenticatedAuthenticationToken.class) - || authentication.equals(UsernamePasswordAuthenticationToken.class) - || authentication.equals(KerberosServiceRequestToken.class); - } - public String getWsdlLocation() { return wsdlLocation; } 
@@ -563,38 +285,6 @@ public class STSAuthenticationProvider implements AuthenticationProvider { this.use200502Namespace = use200502Namespace; } - public KerberosTokenValidator getKerberosTokenValidator() { - return kerberosTokenValidator; - } - - public void setKerberosTokenValidator(KerberosTokenValidator kerberosTokenValidator) { - this.kerberosTokenValidator = kerberosTokenValidator; - } - - public CallbackHandler getKerberosCallbackHandler() { - return kerberosCallbackHandler; - } - - public void setKerberosCallbackHandler(CallbackHandler kerberosCallbackHandler) { - this.kerberosCallbackHandler = kerberosCallbackHandler; - } - - public boolean isKerberosUsernameServiceNameForm() { - return kerberosUsernameServiceNameForm; - } - - public void setKerberosUsernameServiceNameForm(boolean kerberosUsernameServiceNameForm) { - this.kerberosUsernameServiceNameForm = kerberosUsernameServiceNameForm; - } - - public boolean isRequireDelegation() { - return requireDelegation; - } - - public void setRequireDelegation(boolean requireDelegation) { - this.requireDelegation = requireDelegation; - } - //May be uncommented for debugging // private void setTimeout(Client client, Long timeout) { // HTTPConduit conduit = (HTTPConduit) client.getConduit(); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java new file mode 100644 index 0000000..9a5dae8 --- /dev/null +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSKrbAuthenticationProvider.java 
@@ -0,0 +1,254 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.util.List;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginException;
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.fediz.service.idp.kerberos.KerberosServiceRequestToken;
+import org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator;
+import org.apache.cxf.fediz.service.idp.kerberos.PassThroughKerberosClient;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.common.kerberos.KerberosServiceContext;
+import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * An authentication provider to authenticate a Kerberos token to the STS
+ */
+public class STSKrbAuthenticationProvider extends STSAuthenticationProvider {
+
+ private static final Logger LOG = LoggerFactory.getLogger(STSKrbAuthenticationProvider.class);
+
+ private KerberosTokenValidator kerberosTokenValidator;
+
+ private CallbackHandler kerberosCallbackHandler;
+
+ private boolean kerberosUsernameServiceNameForm;
+
+ private boolean requireDelegation;
+
+
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ // We only handle KerberosServiceRequestTokens
+ if (!(authentication instanceof KerberosServiceRequestToken)) {
+ return null;
+ }
+
+ Bus cxfBus = getBus();
+ IdpSTSClient sts = new IdpSTSClient(cxfBus);
+ sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+ if (tokenType != null && tokenType.length() > 0) {
+ sts.setTokenType(tokenType);
+ } else {
+ sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ }
+ sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+ sts.setWsdlLocation(wsdlLocation);
+ sts.setServiceQName(new QName(namespace, wsdlService));
+ sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+
+ sts.getProperties().putAll(properties);
+ if (use200502Namespace) {
+ sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+ }
+
+ if (lifetime != null) {
+ sts.setEnableLifetime(true);
+ sts.setTtl(lifetime.intValue());
+ }
+
+ return handleKerberos((KerberosServiceRequestToken)authentication, sts);
+ }
+
+ private Authentication handleKerberos(
+ KerberosServiceRequestToken kerberosRequestToken,
+ IdpSTSClient sts
+ ) {
+ Principal kerberosPrincipal = null;
+ //
+ // If delegation is required then validate the received token + store the
+ // 
Delegated Credential so that we can retrieve a new kerberos token for the
+ // STS with it. If delegation is not required, then we just get the received
+ // token + pass it to the STS
+ //
+ if (requireDelegation) {
+ kerberosPrincipal = validateKerberosToken(kerberosRequestToken, sts);
+ if (kerberosPrincipal == null) {
+ return null;
+ }
+ } else {
+ PassThroughKerberosClient kerberosClient = new PassThroughKerberosClient();
+ kerberosClient.setToken(kerberosRequestToken.getToken());
+ sts.getProperties().put(SecurityConstants.KERBEROS_CLIENT, kerberosClient);
+ }
+
+ try {
+ // Line below may be uncommented for debugging
+ // setTimeout(sts.getClient(), 3600000L);
+
+ SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+
+ if (kerberosPrincipal == null && token.getToken() != null
+ && "Assertion".equals(token.getToken().getLocalName())) {
+ // For the pass-through Kerberos case, we don't know the Principal name...
+ kerberosPrincipal =
+ new SAMLTokenPrincipalImpl(new SamlAssertionWrapper(token.getToken()));
+ }
+
+ List<GrantedAuthority> authorities = createAuthorities(token);
+
+ KerberosServiceRequestToken ksrt =
+ new KerberosServiceRequestToken(kerberosPrincipal, authorities, kerberosRequestToken.getToken());
+
+ STSUserDetails details = new STSUserDetails(kerberosPrincipal.getName(),
+ "",
+ authorities,
+ token);
+ ksrt.setDetails(details);
+
+ LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), kerberosPrincipal.getName());
+ return ksrt;
+ } catch (Exception ex) {
+ LOG.info("Failed to authenticate user '" + kerberosRequestToken.getName() + "'", ex);
+ return null;
+ }
+ }
+
+ private Principal validateKerberosToken(
+ KerberosServiceRequestToken token,
+ IdpSTSClient sts
+ ) {
+ if (kerberosTokenValidator == null) {
+ LOG.error("KerberosTokenValidator must be configured to support kerberos "
+ + "credential delegation");
+ return null;
+ }
+ KerberosServiceContext kerberosContext;
+ Principal kerberosPrincipal = null;
+ try {
+ kerberosContext = kerberosTokenValidator.validate(token);
+ if (kerberosContext == null || kerberosContext.getDelegationCredential() == null) {
+ LOG.info("Kerberos Validation failure");
+ return null;
+ }
+ GSSCredential delegatedCredential = kerberosContext.getDelegationCredential();
+ sts.getProperties().put(SecurityConstants.DELEGATED_CREDENTIAL,
+ delegatedCredential);
+ sts.getProperties().put(SecurityConstants.KERBEROS_USE_CREDENTIAL_DELEGATION, "true");
+ kerberosPrincipal = kerberosContext.getPrincipal();
+ } catch (LoginException ex) {
+ LOG.info("Failed to authenticate user", ex);
+ return null;
+ } catch (PrivilegedActionException ex) {
+ LOG.info("Failed to authenticate user", ex);
+ return null;
+ }
+
+ if (kerberosTokenValidator.getContextName() != null) {
+ sts.getProperties().put(SecurityConstants.KERBEROS_JAAS_CONTEXT_NAME,
+ kerberosTokenValidator.getContextName());
+ }
+ if (kerberosTokenValidator.getServiceName() != null) {
+ sts.getProperties().put(SecurityConstants.KERBEROS_SPN,
+ kerberosTokenValidator.getServiceName());
+ }
+ if (kerberosCallbackHandler != null) {
+ sts.getProperties().put(SecurityConstants.CALLBACK_HANDLER,
+ kerberosCallbackHandler);
+ }
+ if (kerberosUsernameServiceNameForm) {
+ sts.getProperties().put(SecurityConstants.KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM,
+ "true");
+ }
+
+ return kerberosPrincipal;
+ }
+
+ protected GSSContext createGSSContext() throws GSSException {
+ Oid oid = new Oid("1.2.840.113554.1.2.2");
+
+ GSSManager gssManager = GSSManager.getInstance();
+
+ String spn = "[email protected]";
+ GSSName gssService = gssManager.createName(spn, null);
+
+ return gssManager.createContext(gssService.canonicalize(oid),
+ oid, null, GSSContext.DEFAULT_LIFETIME);
+
+ }
+
+ @Override
+ public boolean supports(Class<?> authentication) {
+ return authentication.equals(KerberosServiceRequestToken.class);
+ }
+
+ public KerberosTokenValidator getKerberosTokenValidator() {
+ return kerberosTokenValidator;
+ }
+
+ 
public void setKerberosTokenValidator(KerberosTokenValidator kerberosTokenValidator) { + this.kerberosTokenValidator = kerberosTokenValidator; + } + + public CallbackHandler getKerberosCallbackHandler() { + return kerberosCallbackHandler; + } + + public void setKerberosCallbackHandler(CallbackHandler kerberosCallbackHandler) { + this.kerberosCallbackHandler = kerberosCallbackHandler; + } + + public boolean isKerberosUsernameServiceNameForm() { + return kerberosUsernameServiceNameForm; + } + + public void setKerberosUsernameServiceNameForm(boolean kerberosUsernameServiceNameForm) { + this.kerberosUsernameServiceNameForm = kerberosUsernameServiceNameForm; + } + + public boolean isRequireDelegation() { + return requireDelegation; + } + + public void setRequireDelegation(boolean requireDelegation) { + this.requireDelegation = requireDelegation; + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java index 83ea83d..889dadd 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPortFilter.java @@ -40,6 +40,7 @@ public class STSPortFilter extends GenericFilterBean implements ApplicationConte private static final Logger LOG = LoggerFactory.getLogger(STSPortFilter.class); private ApplicationContext applicationContext; + private STSAuthenticationProvider authenticationProvider; private boolean isPortSet; 
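Review bot: In handleKerberos, when requireDelegation is false and the STS returns a token that is not a SAML `Assertion`, `kerberosPrincipal` is still null when it reaches `new KerberosServiceRequestToken(kerberosPrincipal, ...)` and `kerberosPrincipal.getName()`, so that path only fails through a NullPointerException swallowed by `catch (Exception ex)` and logged as a generic authentication failure. Make it explicit after the SAML check: `if (kerberosPrincipal == null) { LOG.info("No principal could be derived for user '{}'", kerberosRequestToken.getName()); return null; }`. `createGSSContext()` is carried over with no caller in this file and a hard-coded SPN literal; either delete it or derive the name from `kerberosTokenValidator.getServiceName()` so the file has one source of truth for the service name. In validateKerberosToken, `Principal kerberosPrincipal = null;` is only assigned once inside the try block, so the local can be declared at that assignment.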
@@ -48,7 +49,10 @@ public class STSPortFilter extends GenericFilterBean implements ApplicationConte throws IOException, ServletException { Assert.isTrue(applicationContext != null, "Application context must not be null"); - STSAuthenticationProvider authProvider = applicationContext.getBean(STSAuthenticationProvider.class); + STSAuthenticationProvider authProvider = authenticationProvider; + if (authProvider == null) { + authProvider = applicationContext.getBean(STSAuthenticationProvider.class); + } Assert.isTrue(authProvider != null, "STSAuthenticationProvider must be configured"); //Only update the port if HTTPS is used, otherwise ignored (like retrieving the WADL over HTTP) @@ -80,4 +84,12 @@ public class STSPortFilter extends GenericFilterBean implements ApplicationConte this.applicationContext = applicationContext; } + public STSAuthenticationProvider getAuthenticationProvider() { + return authenticationProvider; + } + + public void setAuthenticationProvider(STSAuthenticationProvider authenticationProvider) { + this.authenticationProvider = authenticationProvider; + } + } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java new file mode 100644 index 0000000..13c277b --- /dev/null +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSPreAuthAuthenticationProvider.java 
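Review bot: The fallback `applicationContext.getBean(STSAuthenticationProvider.class)` now looks up a type that this commit makes abstract with three concrete subclasses; once more than one of them is registered as a bean (which the new UP/Kerberos/pre-auth split presumably leads to in security-config.xml), Spring throws NoUniqueBeanDefinitionException out of doFilter before the `Assert.isTrue(authProvider != null, ...)` line is reached, which is an opaque failure for the deployer. Either require the injected property with `Assert.notNull(authenticationProvider, "authenticationProvider must be configured")` in an init method, or resolve via `applicationContext.getBeansOfType(STSAuthenticationProvider.class)` and fail with a clear message when the map does not hold exactly one entry. The enclosing doFilter starts and ends outside the hunk.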
@@ -0,0 +1,131 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Document;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.keys.content.X509Data;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+
+/**
+ * An authentication provider to authenticate a preauthenticated token to the STS
+ */
+public class STSPreAuthAuthenticationProvider extends STSAuthenticationProvider {
+
+ private static final Logger LOG = LoggerFactory
+ .getLogger(STSPreAuthAuthenticationProvider.class);
+
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ // We only handle PreAuthenticatedAuthenticationTokens
+ if (!(authentication instanceof PreAuthenticatedAuthenticationToken)) {
+ return null;
+ }
+
+ Bus cxfBus = getBus();
+ IdpSTSClient sts = new IdpSTSClient(cxfBus);
+ sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+ if (tokenType != null && tokenType.length() > 0) {
+ sts.setTokenType(tokenType);
+ } else {
+ sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ }
+ sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+ sts.setWsdlLocation(wsdlLocation);
+ sts.setServiceQName(new QName(namespace, wsdlService));
+ sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+
+ sts.getProperties().putAll(properties);
+ if (use200502Namespace) {
+ sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+ }
+
+ if (lifetime != null) {
+ sts.setEnableLifetime(true);
+ sts.setTtl(lifetime.intValue());
+ }
+
+ return handlePreAuthenticated((PreAuthenticatedAuthenticationToken)authentication, sts);
+ }
+
+ private Authentication handlePreAuthenticated(
+ PreAuthenticatedAuthenticationToken preauthenticatedToken,
+ IdpSTSClient sts
+ ) {
+ X509Certificate cert = (X509Certificate)preauthenticatedToken.getCredentials();
+ if (cert == null) {
+ return null;
+ }
+
+ // Convert the received certificate to a DOM Element to write it out "OnBehalfOf"
+ Document doc = DOMUtils.newDocument();
+ X509Data certElem = new X509Data(doc);
+ try {
+ certElem.addCertificate(cert);
+ sts.setOnBehalfOf(certElem.getElement());
+ } catch (XMLSecurityException e) {
+ LOG.debug("Error parsing a client certificate", e);
+ return null;
+ }
+
+ try {
+ // Line below may be uncommented for debugging
+ // setTimeout(sts.getClient(), 3600000L);
+
+ SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+
+ List<GrantedAuthority> authorities = createAuthorities(token);
+
+ STSUserDetails details = new STSUserDetails(preauthenticatedToken.getName(),
+ "",
+ authorities,
+ token);
+
+ preauthenticatedToken.setDetails(details);
+
+ LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), preauthenticatedToken.getName());
+ return preauthenticatedToken;
+
+ } catch (Exception ex) {
+ LOG.info("Failed to authenticate user '" + preauthenticatedToken.getName() + "'", ex);
+ return null;
+ }
+ }
+
+ @Override
+ public boolean supports(Class<?> authentication) {
+ return authentication.equals(PreAuthenticatedAuthenticationToken.class);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
new file mode 100644
index 0000000..d9be1b4
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/STSUPAuthenticationProvider.java
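Review bot: handlePreAuthenticated returns the incoming `preauthenticatedToken` itself after only calling `setDetails`, so the authorities derived from the STS token live in the details object and not on the Authentication; its `getAuthorities()` and `isAuthenticated()` remain whatever the pre-auth filter constructed. The UP provider in this same commit instead builds a fresh `UsernamePasswordAuthenticationToken(name, credentials, authorities)`, which carries the authorities and is marked authenticated; mirroring that here, `PreAuthenticatedAuthenticationToken result = new PreAuthenticatedAuthenticationToken(preauthenticatedToken.getPrincipal(), cert, authorities); result.setDetails(details); return result;`, keeps the two providers consistent. The STS client setup from `getBus()` through the `lifetime` block is also duplicated verbatim in STSUPAuthenticationProvider (and presumably in the Kerberos provider); a protected `createSTSClient()` on STSAuthenticationProvider would remove the copies. Finally, the unchecked `(X509Certificate)` cast on the credentials throws ClassCastException if a pre-auth filter supplies a different credential type; an `instanceof` check returning null would match the surrounding style.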
@@ -0,0 +1,118 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp;
+
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.dom.WSConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * An authentication provider to authenticate a Username/Password to the STS
+ */
+public class STSUPAuthenticationProvider extends STSAuthenticationProvider {
+
+ private static final Logger LOG = LoggerFactory.getLogger(STSUPAuthenticationProvider.class);
+
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ // We only handle UsernamePasswordAuthenticationTokens
+ if (!(authentication instanceof UsernamePasswordAuthenticationToken)) {
+ return null;
+ }
+
+ Bus cxfBus = getBus();
+ IdpSTSClient sts = new IdpSTSClient(cxfBus);
+ sts.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+ if (tokenType != null && tokenType.length() > 0) {
+ sts.setTokenType(tokenType);
+ } else {
+ sts.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ }
+ sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
+ sts.setWsdlLocation(wsdlLocation);
+ sts.setServiceQName(new QName(namespace, wsdlService));
+ sts.setEndpointQName(new QName(namespace, wsdlEndpoint));
+
+ sts.getProperties().putAll(properties);
+ if (use200502Namespace) {
+ sts.setNamespace(HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_02_TRUST);
+ }
+
+ if (lifetime != null) {
+ sts.setEnableLifetime(true);
+ sts.setTtl(lifetime.intValue());
+ }
+
+ return handleUsernamePassword((UsernamePasswordAuthenticationToken)authentication, sts);
+ }
+
+ private Authentication handleUsernamePassword(
+ UsernamePasswordAuthenticationToken usernamePasswordToken,
+ IdpSTSClient sts
+ ) {
+ sts.getProperties().put(SecurityConstants.USERNAME, usernamePasswordToken.getName());
+ sts.getProperties().put(SecurityConstants.PASSWORD, (String)usernamePasswordToken.getCredentials());
+
+ try {
+
+ // Line below may be uncommented for debugging
+ // setTimeout(sts.getClient(), 3600000L);
+
+ SecurityToken token = sts.requestSecurityToken(this.appliesTo);
+
+ List<GrantedAuthority> authorities = createAuthorities(token);
+
+ UsernamePasswordAuthenticationToken upat =
+ new UsernamePasswordAuthenticationToken(usernamePasswordToken.getName(),
+ usernamePasswordToken.getCredentials(),
+ authorities);
+
+ STSUserDetails details = new STSUserDetails(usernamePasswordToken.getName(),
+ (String)usernamePasswordToken.getCredentials(),
+ authorities,
+ token);
+ upat.setDetails(details);
+
+ LOG.debug("[IDP_TOKEN={}] provided for user '{}'", token.getId(), usernamePasswordToken.getName());
+ return upat;
+
+ } catch (Exception ex) {
+ LOG.info("Failed to authenticate user '" + usernamePasswordToken.getName() + "'", ex);
+ return null;
+ }
+
+ }
+
+ @Override
+ public boolean supports(Class<?> authentication) {
+ return authentication.equals(UsernamePasswordAuthenticationToken.class);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realma.xml b/services/idp/src/main/resources/entities-realma.xml
index 87dc70a..f8e1f5b 100644
--- a/services/idp/src/main/resources/entities-realma.xml
+++ b/services/idp/src/main/resources/entities-realma.xml
@@ -52,7 +52,7 @@
 </property>
 <property name="authenticationURIs">
 <util:map>
- <entry key="default" value="/login/default" />
+ <entry key="default" value="federation/up" />
 </util:map>
 </property>
 <property name="serviceDisplayName" value="REALM A" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
index c5e0a4a..9d61326 100644
--- a/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
+++ b/services/idp/src/main/webapp/WEB-INF/idp-config-realma.xml
@@ -74,7 +74,7 @@
 </property>
 <property name="authenticationURIs">
 <util:map>
- <entry key="default" value="/login/default" />
+ <entry key="default" value="federation/up" />
 </util:map>
 </property>
 <property name="trustedIDPs">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml
index ccc2146..691f7bb 100644
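Review bot: handleUsernamePassword copies the cleartext password into both the returned `upat` credentials and into `STSUserDetails`, so it stays attached to the Authentication that ends up in the security context. ProviderManager's post-authentication credential erasure clears the token's own credentials, but it only reaches the details object if STSUserDetails implements CredentialsContainer (its source is not part of this commit, so confirm); otherwise the password remains in the session for as long as the user is logged in. If downstream code only needs the STS token, passing `""` for the password as the pre-auth provider does, or implementing `eraseCredentials()` on STSUserDetails, would limit that exposure. The `SecurityConstants.PASSWORD` entry written into `sts.getProperties()` is scoped to the per-call IdpSTSClient created in authenticate, which is fine, but a one-line comment saying so would stop a future change from hoisting the client into a field.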
--- a/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml +++ b/services/idp/src/main/webapp/WEB-INF/idp-servlet.xml @@ -75,6 +75,10 @@ flow-builder-services="builder"> <webflow:flow-location path="/WEB-INF/federation-validate-request.xml" id="federation" /> + <webflow:flow-location + path="/WEB-INF/federation-validate-request.xml" id="federation/up" /> + <webflow:flow-location + path="/WEB-INF/federation-validate-request.xml" id="federation/krb" /> <webflow:flow-location path="/WEB-INF/federation-signin-request.xml" id="signinRequest" /> <webflow:flow-location path="/WEB-INF/federation-signin-response.xml" http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/security-config.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml index ab0eada..c70ccfb 100644 --- a/services/idp/src/main/webapp/WEB-INF/security-config.xml +++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml @@ -42,7 +42,7 @@ <security:global-method-security pre-post-annotations="enabled"/> <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" /> + <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" /> <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/> <security:http-basic /> 
@@ -63,34 +63,88 @@ --> <security:user-service properties="classpath:/users.properties" /> </security:authentication-provider> - <security:authentication-provider ref="stsAuthProvider" /> + <security:authentication-provider ref="stsUPAuthProvider" /> </security:authentication-manager> - - <security:http use-expressions="true"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" /> + + <!-- Redirects to a dedicated http config --> + <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint"> + <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" /> + <property name="configService" ref="config" /> + </bean> + + <!-- Main entry point --> + <security:http pattern="/federation" use-expressions="true" entry-point-ref="federationEntryPoint"> + <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" /> + <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> + <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" /> + </security:http> + + <!-- HTTP/BA entry point --> + <security:http pattern="/federation/up" use-expressions="true"> + <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" /> <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" /> - <!-- MUST be http-basic thus systests run fine --> - <!--<security:form-login />--> <security:http-basic /> <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" /> </security:http> + + <!-- Kerberos entry point --> + <bean id="kerberosEntryPoint" + class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" /> + + <bean id="kerberosAuthenticationProcessingFilter" + 
class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter"> + <property name="authenticationManager" ref="authenticationManagers" /> + </bean> + + <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint"> + <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" /> + <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> + <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" /> + + <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" /> + <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" /> + </security:http> - <security:authentication-manager> - <security:authentication-provider ref="stsAuthProvider" /> + <security:authentication-manager alias="authenticationManagers"> + <security:authentication-provider ref="stsUPAuthProvider" /> + <security:authentication-provider ref="stsKrbAuthProvider" /> </security:authentication-manager> - <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" /> + <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter"> + <property name="authenticationProvider" ref="stsUPAuthProvider" /> + </bean> <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" /> - <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSAuthenticationProvider"> + <!-- U/P Authentication Provider --> + <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider"> <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/> <property name="wsdlEndpoint" value="TransportUT_Port"/> <property name="wsdlService" value="SecurityTokenService"/> <property name="appliesTo" 
value="urn:fediz:idp"/> <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> </bean> + + <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter"> + <property name="authenticationProvider" ref="stsKrbAuthProvider" /> + </bean> + + <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator"> + <property name="contextName" value="bob"/> + <property name="serviceName" value="[email protected]"/> + </bean>--> + + <!-- Kerberos authentication provider --> + <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider"> + <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/> + <property name="wsdlEndpoint" value="TransportKerberos_Port"/> + <property name="wsdlService" value="SecurityTokenService"/> + <property name="appliesTo" value="urn:fediz:idp"/> + <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> + <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator"/> + <property name="requireDelegation" value="true"/>--> + </bean> </beans> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/230bce9a/services/idp/src/main/webapp/WEB-INF/web.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/web.xml b/services/idp/src/main/webapp/WEB-INF/web.xml index 2849a6b..21ea9ab 100644 --- a/services/idp/src/main/webapp/WEB-INF/web.xml +++ b/services/idp/src/main/webapp/WEB-INF/web.xml 
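Review bot: The new `/federation` http block declares `entry-point-ref="federationEntryPoint"` but, like the `/federation/up` block below it, its only `intercept-url` covers the metadata document, so nothing in this file requires authentication on `/federation` itself; the redirect to `federation/up` or `federation/krb` presumably depends on a component outside this configuration raising an authentication exception. A comment on the block stating that, e.g. `<!-- No access rule here: FederationEntryPoint redirects unauthenticated requests to the realm's authenticationURI -->`, would keep the next reader from concluding the entry point is dead configuration. The commented-out `kerberosTokenValidator` bean also leaves `stsKrbAuthProvider` without a validator or `requireDelegation`; a comment describing what the provider does when neither is set would help deployers decide whether the shipped defaults are acceptable for them.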
@@ -79,7 +79,17 @@ under the License. <servlet-name>idp</servlet-name> <url-pattern>/federation</url-pattern> </servlet-mapping> - + + <servlet-mapping> + <servlet-name>idp</servlet-name> + <url-pattern>/federation/up</url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name>idp</servlet-name> + <url-pattern>/federation/krb</url-pattern> + </servlet-mapping> + <servlet-mapping> <servlet-name>metadata</servlet-name> <url-pattern>/FederationMetadata/2007-06/FederationMetadata.xml</url-pattern>
