xAdding interop with new SAML SSO support in Fediz
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d1c0d7e2 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d1c0d7e2 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d1c0d7e2 Branch: refs/heads/master Commit: d1c0d7e236548b28da4b4fbd2dd0d3b8824416af Parents: 6426abb Author: Colm O hEigeartaigh <[email protected]> Authored: Fri Mar 25 13:50:51 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri Mar 25 13:50:51 2016 +0000 ---------------------------------------------------------------------- systests/federation/samlsso/pom.xml | 59 +++ .../integrationtests/SAMLSSOFedizTest.java | 309 ++++++++++++++ .../src/test/resources/entities-realma.xml | 21 + .../test/resources/fediz_config_saml_sso.xml | 30 ++ .../test/resources/realmb/entities-realmb.xml | 423 +++++++++++++++++++ .../src/test/resources/realmb/idp-servlet.xml | 120 ++++++ .../resources/realmb/persistence.properties | 15 + .../src/test/resources/realmb/realm.properties | 6 + .../test/resources/realmb/security-config.xml | 135 ++++++ 9 files changed, 1118 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/pom.xml ----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/pom.xml b/systests/federation/samlsso/pom.xml
index 116527c..9c11b78 100644
--- a/systests/federation/samlsso/pom.xml
+++ b/systests/federation/samlsso/pom.xml
@@ -128,6 +128,7 @@
 <portNames>
 <portName>idp.https.port</portName>
 <portName>idp.samlsso.https.port</portName>
+ <portName>idp.realmb.https.port</portName>
 <portName>rp.https.port</portName>
 </portNames>
 </configuration>
@@ -186,6 +187,22 @@
 <overWrite>true</overWrite>
 <outputDirectory>target/tomcat/rp/webapps/simpleWebapp2</outputDirectory>
 </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idprealmb/webapps/fediz-idp-realmb</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp-sts</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idprealmb/webapps/fediz-idp-sts-realmb</outputDirectory>
+ </artifactItem>
 </artifactItems>
 <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
 <overWriteSnapshots>true</overWriteSnapshots>
@@ -235,6 +252,47 @@
 </resources>
 </configuration>
 </execution>
+ <execution>
+ <id>copy-entities-to-remote-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idprealmb/webapps/fediz-idp-realmb/WEB-INF/classes</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realmb</directory>
+ <includes>
+ <include>entities-realmb.xml</include>
+ <include>realm.properties</include>
+ <include>persistence.properties</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-entities-to-remote-idp2</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idprealmb/webapps/fediz-idp-realmb/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realmb</directory>
+ <includes>
+ <include>idp-servlet.xml</include>
+ <include>security-config.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
 </executions>
 </plugin>
 <plugin>
@@ -253,6 +311,7 @@
 <wt.headless>true</wt.headless>
 <idp.https.port>${idp.https.port}</idp.https.port>
 <idp.samlsso.https.port>${idp.samlsso.https.port}</idp.samlsso.https.port>
+ <idp.realmb.https.port>${idp.realmb.https.port}</idp.realmb.https.port>
 <rp.https.port>${rp.https.port}</rp.https.port>
 </systemPropertyVariables>
 <includes>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOFedizTest.java ----------------------------------------------------------------------
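Review bot: The second new execution in the `@@ -235` hunk is named `copy-entities-to-remote-idp2`, but it copies the Spring wiring (`idp-servlet.xml`, `security-config.xml`) into `WEB-INF` rather than entities, so the id describes neither what it copies nor where; `<id>copy-realmb-webapp-config-to-remote-idp</id>` would keep the two executions distinguishable in build output. Both executions use `<filtering>true</filtering>`, which is what substitutes `${idp.realmb.https.port}` into `entities-realmb.xml`, but it rewrites any `${...}` token in `realm.properties` and `persistence.properties` as well; those files are not visible here, so it is worth confirming they hold no literal placeholders that must survive. The `idp.realmb.https.port` additions in the `@@ -128` and `@@ -253` hunks are consistent with the existing port wiring.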
diff --git a/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOFedizTest.java b/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOFedizTest.java
new file mode 100644
index 0000000..42518f3
--- /dev/null
+++ b/systests/federation/samlsso/src/test/java/org/apache/cxf/fediz/integrationtests/SAMLSSOFedizTest.java
@@ -0,0 +1,309 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + + +import java.io.File; +import java.io.IOException; + +import com.gargoylesoftware.htmlunit.CookieManager; +import com.gargoylesoftware.htmlunit.WebClient; +import com.gargoylesoftware.htmlunit.html.HtmlForm; +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput; + +import org.apache.catalina.Context; +import org.apache.catalina.LifecycleState; +import org.apache.catalina.connector.Connector; +import org.apache.catalina.startup.Tomcat; +import org.apache.cxf.fediz.core.ClaimTypes; +import org.apache.cxf.fediz.tomcat7.FederationAuthenticator; +import org.apache.http.auth.AuthScope; +import org.apache.http.auth.UsernamePasswordCredentials; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; + +/** + * This is a test for federation in the IdP. The RP application is configured to use a home realm of "realm b". The + * client gets redirected to the IdP for "realm a", which in turn redirects to the (Fediz) IdP for "realm b" + * via SAML SSO. 
The user authenticates + is redirected back to the IdP for "realm a" to get a + * SAML token from the STS + then back to the application. + */ +public class SAMLSSOFedizTest { + + static String idpHttpsPort; + static String idpRealmbHttpsPort; + static String rpHttpsPort; + + private static Tomcat idpServer; + private static Tomcat idpRealmbServer; + private static Tomcat rpServer; + + @BeforeClass + public static void init() { + System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); + System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); + System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); + + idpHttpsPort = System.getProperty("idp.https.port"); + Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); + idpRealmbHttpsPort = System.getProperty("idp.realmb.https.port"); + Assert.assertNotNull("Property 'idp.realmb.https.port' null", idpRealmbHttpsPort); + rpHttpsPort = System.getProperty("rp.https.port"); + Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); + + initIdp(); + initRealmbIdp(); + initRp(); + } + + private static void initIdp() { + try { + idpServer = new Tomcat(); + idpServer.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + idpServer.setBaseDir(currentDir + File.separator + "target"); + + idpServer.getHost().setAppBase("tomcat/idp/webapps"); + idpServer.getHost().setAutoDeploy(true); + 
idpServer.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + httpsConnector.setPort(Integer.parseInt(idpHttpsPort)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "want"); + // httpsConnector.setAttribute("clientAuth", "false"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + idpServer.getService().addConnector(httpsConnector); + + idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts"); + idpServer.addWebapp("/fediz-idp", "fediz-idp"); + + idpServer.start(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + private static void initRealmbIdp() { + try { + idpRealmbServer = new Tomcat(); + idpRealmbServer.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + idpRealmbServer.setBaseDir(currentDir + File.separator + "target"); + + idpRealmbServer.getHost().setAppBase("tomcat/idprealmb/webapps"); + idpRealmbServer.getHost().setAutoDeploy(true); + idpRealmbServer.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + httpsConnector.setPort(Integer.parseInt(idpRealmbHttpsPort)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "want"); + // 
httpsConnector.setAttribute("clientAuth", "false"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + idpRealmbServer.getService().addConnector(httpsConnector); + + idpRealmbServer.addWebapp("/fediz-idp-sts-realmb", "fediz-idp-sts-realmb"); + idpRealmbServer.addWebapp("/fediz-idp-realmb", "fediz-idp-realmb"); + + idpRealmbServer.start(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + private static void initRp() { + try { + rpServer = new Tomcat(); + rpServer.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + rpServer.setBaseDir(currentDir + File.separator + "target"); + + rpServer.getHost().setAppBase("tomcat/rp/webapps"); + rpServer.getHost().setAutoDeploy(true); + rpServer.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + httpsConnector.setPort(Integer.parseInt(rpHttpsPort)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + // httpsConnector.setAttribute("clientAuth", "false"); + httpsConnector.setAttribute("clientAuth", "want"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + rpServer.getService().addConnector(httpsConnector); + + //Context ctx = + Context cxt = rpServer.addWebapp("/fedizhelloworld3", "simpleWebapp"); + FederationAuthenticator fa = new FederationAuthenticator(); + fa.setConfigFile(currentDir + File.separator + "target" + File.separator + + "test-classes" + File.separator + "fediz_config_saml_sso.xml"); + cxt.getPipeline().addValve(fa); + + + rpServer.start(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + 
@AfterClass + public static void cleanup() { + try { + if (idpServer.getServer() != null + && idpServer.getServer().getState() != LifecycleState.DESTROYED) { + if (idpServer.getServer().getState() != LifecycleState.STOPPED) { + idpServer.stop(); + } + idpServer.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + + try { + if (rpServer.getServer() != null + && rpServer.getServer().getState() != LifecycleState.DESTROYED) { + if (rpServer.getServer().getState() != LifecycleState.STOPPED) { + rpServer.stop(); + } + rpServer.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + } + + public String getIdpHttpsPort() { + return idpHttpsPort; + } + + public String getIdpRealmbHttpsPort() { + return idpRealmbHttpsPort; + } + + public String getRpHttpsPort() { + return rpHttpsPort; + } + + public String getServletContextName() { + return "fedizhelloworld"; + } + + @org.junit.Test + public void testSAMLSSO() throws Exception { + String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld3/secure/fedservlet"; + // System.out.println(url); + // Thread.sleep(60 * 2 * 1000); + String user = "ALICE"; // realm b credentials + String password = "ECILA"; + + final String bodyTextContent = + login(url, user, password, getIdpRealmbHttpsPort(), getIdpHttpsPort(), true); + + Assert.assertTrue("Principal not alice", + bodyTextContent.contains("userPrincipal=alice")); + Assert.assertTrue("User " + user + " does not have role Admin", + bodyTextContent.contains("role:Admin=false")); + Assert.assertTrue("User " + user + " does not have role Manager", + bodyTextContent.contains("role:Manager=false")); + Assert.assertTrue("User " + user + " must have role User", + bodyTextContent.contains("role:User=true")); + + String claim = ClaimTypes.FIRSTNAME.toString(); + Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'", + bodyTextContent.contains(claim + "=Alice")); + claim = ClaimTypes.LASTNAME.toString(); + Assert.assertTrue("User " 
+ user + " claim " + claim + " is not 'Smith'", + bodyTextContent.contains(claim + "=Smith")); + claim = ClaimTypes.EMAILADDRESS.toString(); + Assert.assertTrue("User " + user + " claim " + claim + " is not '[email protected]'", + bodyTextContent.contains(claim + "[email protected]")); + } + + private static String login(String url, String user, String password, + String idpPort, String rpIdpPort, boolean postBinding) throws IOException { + // + // Access the RP + get redirected to the IdP for "realm a". Then get redirected to the IdP for + // "realm b". + // + final WebClient webClient = new WebClient(); + CookieManager cookieManager = new CookieManager(); + webClient.setCookieManager(cookieManager); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(idpPort)), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + HtmlPage idpPage = webClient.getPage(url); + + if (postBinding) { + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + final HtmlForm form = idpPage.getFormByName("samlsigninresponseform"); + final HtmlSubmitInput button = form.getInputByName("_eventId_submit"); + idpPage = button.click(); + } + + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + // Now redirect back to the RP + final HtmlForm form = idpPage.getFormByName("signinresponseform"); + + final HtmlSubmitInput button = form.getInputByName("_eventId_submit"); + + final HtmlPage rpPage = button.click(); + Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText()); + + webClient.close(); + return rpPage.getBody().getTextContent(); + } + + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/entities-realma.xml ---------------------------------------------------------------------- 
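Review bot: `cleanup()` stops and destroys `idpServer` and `rpServer` but never touches `idpRealmbServer`, so the realm-B Tomcat started in `initRealmbIdp()` keeps listening on `idp.realmb.https.port` after this class finishes and can collide with later test classes in the same JVM. The three shutdown sequences are identical, so a `stopAndDestroy(Tomcat)` helper called once per server removes both the omission and the duplication. Separately, `login()` never reads its `rpIdpPort` parameter, and the `WebClient` it opens is closed only on the success path; a try-with-resources (if the HtmlUnit version in use makes `WebClient` `AutoCloseable`, which the existing `webClient.close()` suggests) would release it when an assertion fails too. `getServletContextName()` returns `"fedizhelloworld"` while the RP is deployed at `/fedizhelloworld3`; the method is unused in this test, but the mismatch is worth aligning before something starts calling it.
```java
    @AfterClass
    public static void cleanup() {
        stopAndDestroy(idpServer);
        stopAndDestroy(idpRealmbServer);
        stopAndDestroy(rpServer);
    }

    // Stops (if still running) and destroys one embedded Tomcat; a null server is ignored.
    private static void stopAndDestroy(Tomcat server) {
        try {
            if (server != null && server.getServer() != null
                && server.getServer().getState() != LifecycleState.DESTROYED) {
                if (server.getServer().getState() != LifecycleState.STOPPED) {
                    server.stop();
                }
                server.destroy();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    // … unchanged: port getters, testSAMLSSO, login …
```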
diff --git a/systests/federation/samlsso/src/test/resources/entities-realma.xml b/systests/federation/samlsso/src/test/resources/entities-realma.xml
index 145d1a8..ec7782b 100644
--- a/systests/federation/samlsso/src/test/resources/entities-realma.xml
+++ b/systests/federation/samlsso/src/test/resources/entities-realma.xml
@@ -72,6 +72,7 @@
 <util:list>
 <ref bean="trusted-idp-realmB" />
 <ref bean="trusted-idp-realmC" />
+ <ref bean="trusted-idp-realmD" />
 </util:list>
 </property>
 <property name="claimTypesOffered">
@@ -121,6 +122,26 @@
 </util:map>
 </property>
 </bean>
+
+ <bean id="trusted-idp-realmD"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-D" />
+ <property name="issuer" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+ <property name="cacheTokens" value="true" />
+ <property name="url" value="https://localhost:${idp.realmb.https.port}/fediz-idp-realmb/saml/up" />
+ <property name="certificate" value="realmb.cert" />
+ <property name="trustType" value="PEER_TRUST" />
+ <property name="protocol" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
+ <property name="federationType" value="FEDERATE_IDENTITY" />
+ <property name="name" value="Realm B" />
+ <property name="description" value="Realm B description" />
+ <property name="parameters">
+ <util:map>
+ <entry key="sign.request" value="true" />
+ <entry key="support.deflate.encoding" value="false" />
+ </util:map>
+ </property>
+ </bean>
 <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
 <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml ----------------------------------------------------------------------
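Review bot: The new `trusted-idp-realmD` bean registers the Fediz realm-B IdP under the realm identifier `urn:org:apache:cxf:fediz:idp:realm-D` while its `issuer`, `name` and `url` all say realm B, and a `trusted-idp-realmB` entity is already referenced two lines above it; nothing in the file explains that split, so the next person editing the trust list cannot tell which entry is which IdP. A short XML comment on the bean, such as `<!-- Fediz IdP of realm B, reached via SAML SSO; registered under realm-D because trusted-idp-realmB is already taken -->`, would capture that. Presumably `realmb.cert` is the certificate the realm-B IdP signs its SAML responses with, given `trustType` is `PEER_TRUST`; saying so in the same comment avoids guessing later.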
diff --git a/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml b/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml
index 89f158b..5109172 100644
--- a/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml
+++ b/systests/federation/samlsso/src/test/resources/fediz_config_saml_sso.xml
@@ -82,5 +82,35 @@
 <logoutURL>/secure/logout</logoutURL>
 <logoutRedirectTo>/index.html</logoutRedirectTo>
 </contextConfig>
+ <contextConfig name="/fedizhelloworld3">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-D</homeRealm>
+ <claimTypesRequested>
+ <claimType type="a particular claim type"
+ optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
 </FedizConfig>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml ----------------------------------------------------------------------
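Review bot: `claimTypesRequested` in the new `/fedizhelloworld3` context requests the literal placeholder `a particular claim type` instead of the claims the test actually asserts on (role, givenname, surname, emailaddress); the assertions pass only because the IdP issues those claims regardless, so the block documents nothing and would mislead anyone reading the config to learn what this RP needs. Either drop the block or list the real URIs, e.g. `<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />` plus the corresponding surname, emailaddress and role entries. `maximumClockSkew` is `1000`; if that value is interpreted in seconds it is a generous window for token validity checks, and a comment stating why the systest needs it would help.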
diff --git a/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
new file mode 100644
index 0000000..9984af1
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
@@ -0,0 +1,423 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <bean id="idp-realmB" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+ <property name="uri" value="realmb" />
+ <property name="provideIdpList" value="false" />
+ <property name="useCurrentIdp" value="true" />
+ <property name="certificate" value="stsKeystoreB.properties" />
+ <property name="certificatePassword" value="realmb" />
+ <property name="stsUrl" value="https://localhost:${idp.realmb.https.port}/fediz-idp-sts-realmb/REALMB" />
+ <property name="idpUrl" value="https://localhost:${idp.realmb.https.port}/fediz-idp-realmb/saml" />
+ <property name="supportedProtocols">
+ <util:list>
+ 
<value>urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
+ </value>
+ <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512
+ </value>
+ </util:list>
+ </property>
+ <property name="tokenTypesOffered">
+ <util:list>
+ <value>urn:oasis:names:tc:SAML:1.0:assertion</value>
+ <value>urn:oasis:names:tc:SAML:2.0:assertion</value>
+ </util:list>
+ </property>
+ <property name="authenticationURIs">
+ <util:map>
+ <entry key="default" value="saml/up" />
+ </util:map>
+ </property>
+ <property name="serviceDisplayName" value="REALM B" />
+ <property name="serviceDescription" value="IDP of Realm B" />
+ <property name="applications">
+ <util:list>
+ <ref bean="idp-realmA" />
+ </util:list>
+ </property>
+ <property name="claimTypesOffered">
+ <util:list>
+ <ref bean="claim_role" />
+ <ref bean="claim_surname" />
+ <ref bean="claim_givenname" />
+ <ref bean="claim_email" />
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Resource IDP Realm A" />
+ <property name="serviceDescription" value="Resource IDP Realm A" />
+ <property name="role" value="SecurityTokenServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="validatingCertificate" value="realma.cert" />
+ </bean>
+
+ <bean id="claim_role"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+ <property name="displayName"
+ value="role" />
+ <property name="description"
+ value="Description for role" />
+ </bean>
+ <bean id="claim_givenname"
+ 
class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+ <property name="displayName"
+ value="firstname" />
+ <property name="description"
+ value="Description for firstname" />
+ </bean>
+ <bean id="claim_surname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+ <property name="displayName"
+ value="lastname" />
+ <property name="description"
+ value="Description for lastname" />
+ </bean>
+ <bean id="claim_email"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+ <property name="displayName"
+ value="email" />
+ <property name="description"
+ value="Description for email" />
+ </bean>
+
+ <bean id="entitlement_claim_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_LIST" />
+ <property name="description"
+ value="Description for CLAIM_LIST" />
+ </bean>
+ <bean id="entitlement_claim_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_CREATE" />
+ <property name="description"
+ value="Description for CLAIM_CREATE" />
+ </bean>
+ <bean id="entitlement_claim_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_READ" />
+ <property name="description"
+ value="Description for CLAIM_READ" />
+ </bean>
+ <bean id="entitlement_claim_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_UPDATE" />
+ <property name="description"
+ value="Description for CLAIM_UPDATE" />
+ </bean>
+ <bean id="entitlement_claim_delete"
+ 
class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_DELETE" />
+ <property name="description"
+ value="Description for CLAIM_DELETE" />
+ </bean>
+
+ <bean id="entitlement_application_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_LIST" />
+ <property name="description"
+ value="Description for APPLICATION_LIST" />
+ </bean>
+ <bean id="entitlement_application_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_CREATE" />
+ <property name="description"
+ value="Description for APPLICATION_CREATE" />
+ </bean>
+ <bean id="entitlement_application_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_READ" />
+ <property name="description"
+ value="Description for APPLICATION_READ" />
+ </bean>
+ <bean id="entitlement_application_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_UPDATE" />
+ <property name="description"
+ value="Description for APPLICATION_UPDATE" />
+ </bean>
+ <bean id="entitlement_application_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_DELETE" />
+ <property name="description"
+ value="Description for APPLICATION_DELETE" />
+ </bean>
+
+ <bean id="entitlement_trustedidp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_LIST" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_LIST" />
+ </bean>
+ <bean id="entitlement_trustedidp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_CREATE" />
+ <property name="description"
+ value="Description for 
TRUSTEDIDP_CREATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_READ" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_READ" />
+ </bean>
+ <bean id="entitlement_trustedidp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_UPDATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_DELETE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_idp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_LIST" />
+ <property name="description"
+ value="Description for IDP_LIST" />
+ </bean>
+ <bean id="entitlement_idp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_CREATE" />
+ <property name="description"
+ value="Description for IDP_CREATE" />
+ </bean>
+ <bean id="entitlement_idp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_READ" />
+ <property name="description"
+ value="Description for IDP_READ" />
+ </bean>
+ <bean id="entitlement_idp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_UPDATE" />
+ <property name="description"
+ value="Description for IDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_idp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_DELETE" />
+ <property name="description"
+ value="Description for IDP_DELETE" />
+ </bean>
+
+ 
<bean id="entitlement_role_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_LIST" />
+ <property name="description"
+ value="Description for ROLE_LIST" />
+ </bean>
+ <bean id="entitlement_role_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_CREATE" />
+ <property name="description"
+ value="Description for ROLE_CREATE" />
+ </bean>
+ <bean id="entitlement_role_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_READ" />
+ <property name="description"
+ value="Description for ROLE_READ" />
+ </bean>
+ <bean id="entitlement_role_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_UPDATE" />
+ <property name="description"
+ value="Description for ROLE_UPDATE" />
+ </bean>
+ <bean id="entitlement_role_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_DELETE" />
+ <property name="description"
+ value="Description for ROLE_DELETE" />
+ </bean>
+
+ <bean id="entitlement_entitlement_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_LIST" />
+ <property name="description"
+ value="Description for ENTITLEMENT_LIST" />
+ </bean>
+ <bean id="entitlement_entitlement_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_CREATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_CREATE" />
+ </bean>
+ <bean id="entitlement_entitlement_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_READ" />
+ <property name="description"
+ value="Description for ENTITLEMENT_READ" />
+ </bean>
+ <bean 
id="entitlement_entitlement_update" + class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity"> + <property name="name" + value="ENTITLEMENT_UPDATE" /> + <property name="description" + value="Description for ENTITLEMENT_UPDATE" /> + </bean> + <bean id="entitlement_entitlement_delete" + class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity"> + <property name="name" + value="ENTITLEMENT_DELETE" /> + <property name="description" + value="Description for ENTITLEMENT_DELETE" /> + </bean> + + <bean id="role_admin" + class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity"> + <property name="name" + value="ADMIN" /> + <property name="description" + value="This is the administrator role with full access" /> + <property name="entitlements"> + <util:list> + <ref bean="entitlement_claim_list" /> + <ref bean="entitlement_claim_create" /> + <ref bean="entitlement_claim_read" /> + <ref bean="entitlement_claim_update" /> + <ref bean="entitlement_claim_delete" /> + <ref bean="entitlement_idp_list" /> + <ref bean="entitlement_idp_create" /> + <ref bean="entitlement_idp_read" /> + <ref bean="entitlement_idp_update" /> + <ref bean="entitlement_idp_delete" /> + <ref bean="entitlement_trustedidp_list" /> + <ref bean="entitlement_trustedidp_create" /> + <ref bean="entitlement_trustedidp_read" /> + <ref bean="entitlement_trustedidp_update" /> + <ref bean="entitlement_trustedidp_delete" /> + <ref bean="entitlement_application_list" /> + <ref bean="entitlement_application_create" /> + <ref bean="entitlement_application_read" /> + <ref bean="entitlement_application_update" /> + <ref bean="entitlement_application_delete" /> + <ref bean="entitlement_role_list" /> + <ref bean="entitlement_role_create" /> + <ref bean="entitlement_role_read" /> + <ref bean="entitlement_role_update" /> + <ref bean="entitlement_role_delete" /> + <ref bean="entitlement_entitlement_list" /> + <ref bean="entitlement_entitlement_create" /> + <ref bean="entitlement_entitlement_read" 
/> + <ref bean="entitlement_entitlement_update" /> + <ref bean="entitlement_entitlement_delete" /> + </util:list> + </property> + </bean> + <bean id="role_user" + class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity"> + <property name="name" + value="USER" /> + <property name="description" + value="This is the user role with read access" /> + <property name="entitlements"> + <util:list> + <ref bean="entitlement_claim_list" /> + <ref bean="entitlement_claim_read" /> + <ref bean="entitlement_idp_list" /> + <ref bean="entitlement_idp_read" /> + <ref bean="entitlement_trustedidp_list" /> + <ref bean="entitlement_trustedidp_read" /> + <ref bean="entitlement_application_list" /> + <ref bean="entitlement_application_read" /> + <ref bean="entitlement_role_list" /> + <ref bean="entitlement_role_read" /> + <ref bean="entitlement_entitlement_list" /> + <ref bean="entitlement_entitlement_read" /> + </util:list> + </property> + </bean> + <bean id="role_idp_login" + class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity"> + <property name="name" + value="IDP_LOGIN" /> + <property name="description" + value="This is the IDP login role which is applied to Users during the IDP SSO" /> + <property name="entitlements"> + <util:list> + <ref bean="entitlement_claim_list" /> + <ref bean="entitlement_claim_read" /> + <ref bean="entitlement_idp_list" /> + <ref bean="entitlement_idp_read" /> + <ref bean="entitlement_trustedidp_list" /> + <ref bean="entitlement_trustedidp_read" /> + <ref bean="entitlement_application_list" /> + <ref bean="entitlement_application_read" /> + </util:list> + </property> + </bean> + +</beans> + http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml ---------------------------------------------------------------------- 
diff --git a/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
new file mode 100644
index 0000000..e557819
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:webflow="http://www.springframework.org/schema/webflow-config"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-3.1.xsd
+ http://www.springframework.org/schema/webflow-config
+ http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.0.xsd">
+
+ <context:property-placeholder location="classpath:realm.properties" />
+
+ <context:component-scan base-package="org.apache.cxf.fediz.service.idp.beans" />
+
+ <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
+ p:flowRegistry-ref="flowRegistry" p:order="2">
+ </bean>
+
+ <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter"
+ p:flowExecutor-ref="flowExecutor" />
+
+ <webflow:flow-executor id="flowExecutor"
+ flow-registry="flowRegistry">
+ <webflow:flow-execution-attributes>
+ <webflow:always-redirect-on-pause
+ value="false" />
+ </webflow:flow-execution-attributes>
+
+ <webflow:flow-execution-listeners>
+ <webflow:listener ref="securityFlowExecutionListener" />
+ </webflow:flow-execution-listeners>
+ </webflow:flow-executor>
+
+ <bean id="securityFlowExecutionListener"
+ class="org.springframework.webflow.security.SecurityFlowExecutionListener">
+ <property name="accessDecisionManager" ref="accessDecisionManager" />
+ </bean>
+
+ <bean id="accessDecisionManager"
+ class="org.springframework.security.access.vote.AffirmativeBased">
+ <property name="decisionVoters">
+ <list>
+ <bean
+ class="org.springframework.security.access.vote.RoleVoter">
+ <property name="rolePrefix" value="ROLE_" />
+ </bean>
+ <bean
+ class="org.springframework.security.access.vote.AuthenticatedVoter" />
+ </list>
+ </property>
+ </bean>
+
+ <webflow:flow-registry id="flowRegistry"
+ flow-builder-services="builder">
+ <webflow:flow-location
+ path="/WEB-INF/flows/federation-validate-request.xml" id="federation" />
+ <webflow:flow-location
+ path="/WEB-INF/flows/federation-validate-request.xml" id="federation/up" />
+ <webflow:flow-location path="/WEB-INF/flows/federation-signin-request.xml"
+ id="signinRequest" />
+ <webflow:flow-location path="/WEB-INF/flows/federation-signin-response.xml"
+ id="signinResponse" />
+
+ <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml" />
+ <webflow:flow-location path="/WEB-INF/flows/saml-validate-request.xml" id="saml/up" />
+ <webflow:flow-location path="/WEB-INF/flows/saml-signin-request.xml" id="signinSAMLRequest" />
+ </webflow:flow-registry>
+
+ <webflow:flow-builder-services id="builder"
+ view-factory-creator="viewFactoryCreator" expression-parser="expressionParser" />
+
+ <bean id="expressionParser"
+ class="org.springframework.webflow.expression.WebFlowOgnlExpressionParser" />
+
+ <bean id="viewFactoryCreator"
+ class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
+ <property name="viewResolvers">
+ <list>
+ <ref local="viewResolver" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="viewResolver"
+ class="org.springframework.web.servlet.view.InternalResourceViewResolver">
+ <property name="prefix" value="/WEB-INF/views/" />
+ <property name="suffix" value=".jsp" />
+ </bean>
+
+ <bean id="stsClientForRpAction"
+ class="org.apache.cxf.fediz.service.idp.beans.STSClientAction">
+ <property name="wsdlLocation"
+ value="https://localhost:0/fediz-idp-sts-realmb/${realm.STS_URI}/STSServiceTransport?wsdl" />
+ <property name="wsdlEndpoint" value="Transport_Port" />
+ <property name="tokenType"
+ value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/persistence.properties
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/persistence.properties b/systests/federation/samlsso/src/test/resources/realmb/persistence.properties
new file mode 100644
index 0000000..2628714
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/persistence.properties
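Review bot: The `stsClientForRpAction` wsdlLocation at the end of the hunk hard-codes `https://localhost:0/fediz-idp-sts-realmb/...`, and nothing in this file explains why port 0 is acceptable, while realm.properties in the same commit exposes `realmB.port=${idp.realmb.https.port}` that looks like the value a reader would expect here. Presumably the port is substituted at request time by the `stsPortFilter` that the realm's security-config.xml registers, but that dependency is invisible from this file and a maintainer may "fix" the 0 to a concrete port and break the dynamic-port systest. Add a comment above the property, e.g. `<!-- port 0 is a placeholder; the actual STS port is filled in at runtime (see stsPortFilter in security-config.xml) -->`, if that is indeed the mechanism. The `stsAuthProvider` wsdlLocation in security-config.xml later in this commit uses the same placeholder and would benefit from the same note.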
@@ -0,0 +1,15 @@
+#jpa.driverClassName=org.apache.derby.jdbc.ClientDriver
+#jpa.url=jdbc:derby://localhost:1527/Fediz
+#jpa.username=admin
+#jpa.password=admin
+#jpa.defaultData=true
+#jpa.platform=DerbyDictionary
+
+
+jpa.driverClassName=org.hsqldb.jdbcDriver
+#jpa.url=jdbc:hsqldb:target/fediz/db/myDB;shutdown=true
+jpa.url=jdbc:hsqldb:target/db/realmb/myDB;shutdown=true
+jpa.username=sa
+jpa.password=
+jpa.defaultData=true
+jpa.platform=HSQLDictionary
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/realm.properties
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/realm.properties b/systests/federation/samlsso/src/test/resources/realmb/realm.properties
new file mode 100644
index 0000000..41d04cd
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/realm.properties
@@ -0,0 +1,6 @@
+realm.STS_URI=REALMB
+realmA.port=${idp.https.port}
+realmB.port=${idp.realmb.https.port}
+idp-config=idp-config-realmb.xml
+db-load-config=entities-realmb.xml
+realm-uri=urn:org:apache:cxf:fediz:idp:realm-B
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d1c0d7e2/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/security-config.xml b/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
new file mode 100644
index 0000000..78e50c8
--- /dev/null
+++ b/systests/federation/samlsso/src/test/resources/realmb/security-config.xml
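Review bot: The commented-out Derby block at the top of persistence.properties (including `#jpa.username=admin` and `#jpa.password=admin`) is dead configuration carried over from a template, and it leaves a reader unsure whether this realm is ever meant to run against a networked Derby with default credentials. Since this is a test-only resource, either drop those six lines or replace them with a one-line header such as `# Test-only HSQLDB file store for realm B under target/; empty sa password is intentional and not for production use`. The active `jpa.password=` is empty for the HSQLDB `sa` account, which is acceptable for a throwaway file database but should be stated rather than left implicit, so that the file is not copied into a deployment as-is.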
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.1.xsd
+ ">
+
+ <context:property-placeholder location="classpath:realm.properties"/>
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <!-- Configure Spring Security -->
+
+ <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
+ <!-- The user has no role during the login phase of WS-Federation -->
+ <security:global-method-security pre-post-annotations="enabled"/>
+
+ <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
+ <security:http-basic />
+ </security:http>
+
+ <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+
+ <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
+
+ <security:authentication-manager id="restAuthenticationManager">
+ <security:authentication-provider>
+ <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
+ <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+ <!--
+ <security:password-encoder hash="sha-256" base64="true">
+ <security:salt-source user-property="username"/>
+ </security:password-encoder>
+ -->
+ <security:user-service properties="classpath:/users.properties" />
+ </security:authentication-provider>
+ <security:authentication-provider ref="stsAuthProvider" />
+ </security:authentication-manager>
+
+ <!-- Redirects to a dedicated http config -->
+ <bean id="fedizEntryPoint" class="org.apache.cxf.fediz.service.idp.FedizEntryPoint">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+ <property name="configService" ref="config" />
+ </bean>
+
+ <!-- Main entry point -->
+ <security:http pattern="/federation" use-expressions="true" entry-point-ref="fedizEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+ </security:http>
+
+ <!-- HTTP/BA entry point -->
+ <security:http pattern="/federation/up" use-expressions="true">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
+
+ <security:http-basic />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <!-- Main entry point -->
+ <security:http pattern="/saml" use-expressions="true" entry-point-ref="fedizEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ </security:http>
+
+ <!-- HTTP/BA entry point -->
+ <security:http pattern="/saml/up/**" use-expressions="true">
+ <security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous() or isAuthenticated()" />
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:http-basic />
+ <!--security:form-login login-page='/federation/up/login'
+ login-processing-url="/federation/up/login.do"
+ authentication-failure-url="/federation/up/login?error"
+ default-target-url="/"
+ username-parameter="username"
+ password-parameter="password"
+ /-->
+ <security:logout logout-url="/saml/up/logout"
+ logout-success-url="/saml/up/login?out"
+ delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
+ invalidate-session="true"
+ />
+ </security:http>
+
+ <security:authentication-manager>
+ <security:authentication-provider ref="stsAuthProvider" />
+ </security:authentication-manager>
+
+ <bean id="stsPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter" />
+
+ <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
+
+ <bean id="stsAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts-realmb/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
+ <property name="wsdlEndpoint" value="TransportUT_Port"/>
+ <property name="wsdlService" value="SecurityTokenService"/>
+ <property name="appliesTo" value="urn:fediz:idp"/>
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
+ </bean>
+
+</beans>
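Review bot: The `/federation/up` http block enables `http-basic` with no `requires-channel="https"` rule, whereas the `/saml/up/**` block in the same file enforces https on `/saml/up/login*`; the `/services/rs/**` block has the same gap. In this systest the container is presumably HTTPS-only, but the file is the kind that gets copied into deployments, and there Basic credentials would be accepted over plain HTTP if an HTTP connector were ever present. Aligning the blocks with `<security:intercept-url requires-channel="https" pattern="/federation/up/**" access="isAnonymous() or isAuthenticated()" />` (and the equivalent for `/services/rs/**`) would make the transport requirement explicit. The existing `/FederationMetadata/2007-06/FederationMetadata.xml` intercept-url inside the `/federation/up` block also appears to be a copy of the one from `/federation` and, as far as I can tell, can never match a request routed to a chain whose pattern is `/federation/up`, so it is worth either removing it or commenting on why it is there.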
