Repository: cxf-fediz Updated Branches: refs/heads/master 901ef3844 -> a2f78efd1
Splitting IdP security config up to make it easier to reuse Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a2f78efd Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a2f78efd Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a2f78efd Branch: refs/heads/master Commit: a2f78efd150580cf67262860a2d316753d12bfb9 Parents: 901ef38 Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Oct 19 14:01:20 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Oct 19 14:01:20 2016 +0100 ---------------------------------------------------------------------- .../config/security-clientcert-config.xml | 75 ++++++++ .../WEB-INF/config/security-krb-config.xml | 84 +++++++++ .../WEB-INF/config/security-rs-config.xml | 64 +++++++ .../WEB-INF/config/security-up-config.xml | 94 ++++++++++ .../src/main/webapp/WEB-INF/security-config.xml | 177 ++----------------- 5 files changed, 328 insertions(+), 166 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml ---------------------------------------------------------------------- diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml new file mode 100644 index 0000000..bc23084 --- /dev/null +++ b/services/idp/src/main/webapp/WEB-INF/config/security-clientcert-config.xml 
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util.xsd
+ ">
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <!-- SSL Client Cert entry point for WS-Federation -->
+ <security:http pattern="/federation/clientcert" use-expressions="true">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:x509 />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <!-- SSL Client Cert entry point for SAML SSO -->
+ <security:http pattern="/saml/clientcert" use-expressions="true">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:x509 />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsClientCertAuthProvider" />
+ </bean>
+
+ <util:map id="securityProperties">
+ <entry key="ws-security.username" value="idp-user" />
+ <entry key="ws-security.password" value="idp-pass" />
+ </util:map>
+
+ <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl" />
+ <property name="wsdlEndpoint" value="TransportUT_Port" />
+ <property name="wsdlService" value="SecurityTokenService" />
+ <property name="appliesTo" value="urn:fediz:idp" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="properties" ref="securityProperties" />
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml
new file mode 100644
index 0000000..d654bcd
--- /dev/null
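Review bot: The `securityProperties` map near the end of this file carries the STS credentials in clear text (`ws-security.username` / `ws-security.password` with `idp-user` / `idp-pass`) in a file that is committed and packaged into the WAR, and splitting it out as a reusable unit makes it more likely to be copied verbatim into other deployments. The same placeholder mechanism that `wsdlLocation` already uses (`${realm.STS_URI}`, resolved by the `context:property-placeholder` in security-config.xml) could carry the credentials instead, e.g. `<entry key="ws-security.password" value="${sts.password}" />` (property name constructed), so the real value lives outside the repository. These values were moved rather than introduced here, so this is a follow-up rather than a regression; how `STSPreAuthAuthenticationProvider` consumes the map is not visible in this diff.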
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-krb-config.xml 
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util.xsd
+ ">
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <!-- Kerberos entry point -->
+ <bean id="kerberosEntryPoint"
+ class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
+
+ <bean id="kerberosAuthenticationProcessingFilter"
+ class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
+ <property name="authenticationManager" ref="authenticationManagers" />
+ </bean>
+
+ <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <security:http pattern="/saml/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
+ <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
+ </security:http>
+
+ <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsKrbAuthProvider" />
+ </bean>
+
+ <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
+ <property name="contextName" value="bob" />
+ <property name="serviceName" value="[email protected]" />
+ </bean>-->
+
+ <!-- Kerberos authentication provider -->
+ <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl" />
+ <property name="wsdlEndpoint" value="TransportKerberos_Port" />
+ <property name="wsdlService" value="SecurityTokenService" />
+ <property name="appliesTo" value="urn:fediz:idp" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator" />
+ <property name="requireDelegation" value="true" />-->
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
new file mode 100644
index 0000000..72dcd6a
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-rs-config.xml
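Review bot: This file cannot be loaded on its own, although the commit message presents the split as making the config easier to reuse: `kerberosAuthenticationProcessingFilter` refers to the `authenticationManagers` alias and both `security:http` blocks refer to `entitlementsEnricher`, and both of those stay in security-config.xml. None of the new files states what it expects from the importing context, so a header comment right after the `<beans>` opening tag would make the contract visible, e.g. `<!-- Requires beans from the importing context: authenticationManagers (alias), entitlementsEnricher -->`. The same applies to security-rs-config.xml, which additionally uses `stsUPPortFilter` and `stsUPAuthProvider` from security-up-config.xml, and to security-up-config.xml and security-clientcert-config.xml, which use `entitlementsEnricher`. Spring resolves the references after all imports are merged, so startup is unaffected; the gap is documentation only.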
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util.xsd
+ ">
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+ <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()" />
+ <security:http-basic />
+ </security:http>
+
+ <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+
+ <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
+
+ <security:authentication-manager id="restAuthenticationManager">
+ <security:authentication-provider>
+ <!-- <security:password-encoder ref="defaultPasswordEncoder" />-->
+ <!-- <security:password-encoder hash="sha-256" base64="true" />-->
+ <!--
+ <security:password-encoder hash="sha-256" base64="true">
+ <security:salt-source user-property="username" />
+ </security:password-encoder>
+ -->
+ <security:user-service properties="classpath:/users.properties" />
+ </security:authentication-provider>
+ <security:authentication-provider ref="stsUPAuthProvider" />
+ </security:authentication-manager>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
new file mode 100644
index 0000000..1fd77ed
--- /dev/null
+++ b/services/idp/src/main/webapp/WEB-INF/config/security-up-config.xml
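Review bot: The `/services/rs/**` chain accepts HTTP Basic credentials without a `requires-channel="https"` constraint, whereas the user/password chains in security-up-config.xml put `requires-channel="https"` on their login URLs; unless TLS is enforced by the container or a front proxy, REST credentials can be presented over plain HTTP. Changing the rule to `<security:intercept-url pattern="/services/rs/**" access="isAuthenticated()" requires-channel="https" />` brings it in line with the U/P configuration. Separately, `bCryptPasswordEncoder` and `defaultPasswordEncoder` are defined but never referenced (every `password-encoder` element is commented out), so the `user-service` backed by `users.properties` appears to compare passwords as stored; either wire one of the encoders or drop both beans so a reader does not assume hashing is in effect. Both points predate this commit and were carried over from security-config.xml.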
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/security
+ http://www.springframework.org/schema/security/spring-security-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util.xsd
+ ">
+
+ <!-- DISABLE in production as it might log confidential information about the user -->
+ <!-- <security:debug /> -->
+
+ <!-- HTTP/BA entry point for WS-Federation -->
+ <security:http pattern="/federation/up/**" use-expressions="true">
+ <security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous() or isAuthenticated()" />
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:http-basic />
+ <!--security:form-login login-page='/federation/up/login'
+ login-processing-url="/federation/up/login.do"
+ authentication-failure-url="/federation/up/login?error"
+ default-target-url="/"
+ username-parameter="username"
+ password-parameter="password"
+ /-->
+ <security:logout logout-url="/federation/up/logout"
+ logout-success-url="/federation/up/login?out"
+ delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
+ invalidate-session="true"
+ />
+ </security:http>
+
+ <!-- HTTP/BA entry point for SAML SSO -->
+ <security:http pattern="/saml/up/**" use-expressions="true">
+ <security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous() or isAuthenticated()" />
+ <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
+ <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
+
+ <security:http-basic />
+ <!--security:form-login login-page='/federation/up/login'
+ login-processing-url="/federation/up/login.do"
+ authentication-failure-url="/federation/up/login?error"
+ default-target-url="/"
+ username-parameter="username"
+ password-parameter="password"
+ /-->
+ <security:logout logout-url="/saml/up/logout"
+ logout-success-url="/saml/up/login?out"
+ delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
+ invalidate-session="true"
+ />
+ </security:http>
+
+ <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
+ <property name="authenticationProvider" ref="stsUPAuthProvider" />
+ </bean>
+
+ <!-- U/P Authentication Provider -->
+ <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
+ <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl" />
+ <property name="wsdlEndpoint" value="TransportUT_Port" />
+ <property name="wsdlService" value="SecurityTokenService" />
+ <property name="appliesTo" value="urn:fediz:idp" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ </bean>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a2f78efd/services/idp/src/main/webapp/WEB-INF/security-config.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/security-config.xml b/services/idp/src/main/webapp/WEB-INF/security-config.xml
index d8891e5..373edaf 100644
--- a/services/idp/src/main/webapp/WEB-INF/security-config.xml
+++ b/services/idp/src/main/webapp/WEB-INF/security-config.xml
@@ -33,7 +33,12 @@
 http://www.springframework.org/schema/util/spring-util.xsd
 ">
- <context:property-placeholder location="classpath:realm.properties"/>
+ <context:property-placeholder location="classpath:realm.properties" />
+
+ <import resource="config/security-krb-config.xml" />
+ <import resource="config/security-clientcert-config.xml" />
+ <import resource="config/security-up-config.xml" />
+ <import resource="config/security-rs-config.xml" />
 <!-- DISABLE in production as it might log confidential information about the user -->
 <!-- <security:debug /> -->
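Review bot: The commented-out `form-login` block inside the `/saml/up/**` chain still points at the `/federation/up/login` URLs, so enabling it there as written would send SAML SSO users to the WS-Federation login page; if the comment is kept as a template it should read `login-page='/saml/up/login'`, `login-processing-url="/saml/up/login.do"` and `authentication-failure-url="/saml/up/login?error"`. In both chains `requires-channel="https"` is attached only to `login*`, while `http-basic` applies to every request under the pattern; which other URLs exist under `/federation/up/**` and `/saml/up/**` is not visible here, but if there are any, credentials sent to them are not channel-protected by this file. `delete-cookies` also lists `JSESSIONID` here but only `FEDIZ_HOME_REALM` in the Kerberos and client-cert chains; with `invalidate-session="true"` that may be deliberate, and a one-line comment saying so would stop the next reader from "fixing" it either way.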
@@ -42,193 +47,33 @@ <!-- If enabled, you can't access the Service layer within the Spring Webflow --> <!-- The user has no role during the login phase of WS-Federation --> - <security:global-method-security pre-post-annotations="enabled"/> + <security:global-method-security pre-post-annotations="enabled" /> - <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/> - <security:http-basic /> - </security:http> - - <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" /> - - <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" /> - - <security:authentication-manager id="restAuthenticationManager"> - <security:authentication-provider> - <!-- <security:password-encoder ref="defaultPasswordEncoder"/>--> - <!-- <security:password-encoder hash="sha-256" base64="true" />--> - <!-- - <security:password-encoder hash="sha-256" base64="true"> - <security:salt-source user-property="username"/> - </security:password-encoder> - --> - <security:user-service properties="classpath:/users.properties" /> - </security:authentication-provider> - <security:authentication-provider ref="stsUPAuthProvider" /> - </security:authentication-manager> - <!-- Redirects to a dedicated http config --> <bean id="fedizEntryPoint" class="org.apache.cxf.fediz.service.idp.FedizEntryPoint"> <property name="realm" value="${realm-uri}" /> <property name="configService" ref="config" /> </bean> - <!-- Kerberos entry point --> - <bean id="kerberosEntryPoint" - class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" /> - - <bean id="kerberosAuthenticationProcessingFilter" - 
class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter"> - <property name="authenticationManager" ref="authenticationManagers" /> - </bean> - - <!-- Main entry point --> + <!-- Main entry point for WS-Federation --> <security:http pattern="/federation" use-expressions="true" entry-point-ref="fedizEntryPoint"> <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" /> <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> </security:http> - <!-- HTTP/BA entry point --> - <security:http pattern="/federation/up/**" use-expressions="true"> - <security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous() or isAuthenticated()" /> - <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - - <security:http-basic /> - <!--security:form-login login-page='/federation/up/login' - login-processing-url="/federation/up/login.do" - authentication-failure-url="/federation/up/login?error" - default-target-url="/" - username-parameter="username" - password-parameter="password" - /--> - <security:logout logout-url="/federation/up/logout" - logout-success-url="/federation/up/login?out" - delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" - invalidate-session="true" - /> - </security:http> - - <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - - <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" /> - <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" /> - </security:http> - - <!-- SSL Client Cert entry point --> - <security:http pattern="/federation/clientcert" 
use-expressions="true"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - - <security:x509 /> - <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" /> - </security:http> - - <!-- Main entry point --> + <!-- Main entry point for SAML SSO --> <security:http pattern="/saml" use-expressions="true" entry-point-ref="fedizEntryPoint"> <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" /> <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> </security:http> - <!-- HTTP/BA entry point --> - <security:http pattern="/saml/up/**" use-expressions="true"> - <security:intercept-url requires-channel="https" pattern="/saml/up/login*" access="isAnonymous() or isAuthenticated()" /> - <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - - <security:http-basic /> - <!--security:form-login login-page='/federation/up/login' - login-processing-url="/federation/up/login.do" - authentication-failure-url="/federation/up/login?error" - default-target-url="/" - username-parameter="username" - password-parameter="password" - /--> - <security:logout logout-url="/saml/up/logout" - logout-success-url="/saml/up/login?out" - delete-cookies="FEDIZ_HOME_REALM,JSESSIONID" - invalidate-session="true" - /> - </security:http> - - <security:http pattern="/saml/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - - <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" /> - <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" /> - </security:http> - - 
<!-- SSL Client Cert entry point --> - <security:http pattern="/saml/clientcert" use-expressions="true"> - <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" /> - <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" /> - - <security:x509 /> - <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" /> - </security:http> - <security:authentication-manager alias="authenticationManagers"> <security:authentication-provider ref="stsUPAuthProvider" /> <security:authentication-provider ref="stsKrbAuthProvider" /> <security:authentication-provider ref="stsClientCertAuthProvider" /> </security:authentication-manager> - <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter"> - <property name="authenticationProvider" ref="stsUPAuthProvider" /> - </bean> - - <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" /> - - <!-- U/P Authentication Provider --> - <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider"> - <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/> - <property name="wsdlEndpoint" value="TransportUT_Port"/> - <property name="wsdlService" value="SecurityTokenService"/> - <property name="appliesTo" value="urn:fediz:idp"/> - <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> - </bean> - - <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter"> - <property name="authenticationProvider" ref="stsKrbAuthProvider" /> - </bean> - - <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator"> - <property name="contextName" value="bob"/> - <property name="serviceName" value="[email protected]"/> - </bean>--> + <bean id="entitlementsEnricher" + 
class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" /> - <!-- Kerberos authentication provider --> - <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider"> - <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/> - <property name="wsdlEndpoint" value="TransportKerberos_Port"/> - <property name="wsdlService" value="SecurityTokenService"/> - <property name="appliesTo" value="urn:fediz:idp"/> - <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> - <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator"/> - <property name="requireDelegation" value="true"/>--> - </bean> - - <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter"> - <property name="authenticationProvider" ref="stsClientCertAuthProvider" /> - </bean> - - <util:map id="securityProperties"> - <entry key="ws-security.username" value="idp-user" /> - <entry key="ws-security.password" value="idp-pass" /> - </util:map> - - <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider"> - <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/> - <property name="wsdlEndpoint" value="TransportUT_Port"/> - <property name="wsdlService" value="SecurityTokenService"/> - <property name="appliesTo" value="urn:fediz:idp"/> - <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> - <property name="properties" ref="securityProperties"/> - </bean> - </beans>
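Review bot: `authenticationManagers` still lists `stsUPAuthProvider`, `stsKrbAuthProvider` and `stsClientCertAuthProvider` by `ref`, so removing any of the `<import>` lines added in the first hunk of this file (for example to turn off Kerberos) fails context startup on an unresolved reference instead of simply dropping that mechanism. If the split is meant to let deployers choose mechanisms, that coupling deserves a comment on the alias, e.g. `<!-- One provider per imported config file: remove the matching ref when an import is removed -->`, or each imported file could contribute its own provider. The `<!-- DISABLE in production ... --> <!-- <security:debug /> -->` stanza is also copied into all four new files, although one `security:debug` presumably applies to the whole context; keeping it only here leaves a single place to check before a production build.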
