Temporarily adding SAML SSO -> WSFed system test.
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ebb06de7 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ebb06de7 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ebb06de7 Branch: refs/heads/master Commit: ebb06de7f91642904b54fd83729e5aa73399cbc5 Parents: ccf669b Author: Colm O hEigeartaigh <[email protected]> Authored: Fri Oct 28 16:24:38 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri Oct 28 16:24:38 2016 +0100 ---------------------------------------------------------------------- systests/federation/temp/pom.xml | 302 +++++++++++ .../apache/cxf/fediz/systests/idp/IdpTest.java | 459 ++++++++++++++++ .../temp/src/test/resources/alice_client.jks | Bin 0 -> 2225 bytes .../temp/src/test/resources/client.jks | Bin 0 -> 2061 bytes .../temp/src/test/resources/clienttrust.jks | Bin 0 -> 1512 bytes .../temp/src/test/resources/logging.properties | 54 ++ .../temp/src/test/resources/realma.cert | 15 + .../test/resources/realma/entities-realma.xml | 525 +++++++++++++++++++ .../src/test/resources/realma/realm.properties | 5 + .../test/resources/realmb/entities-realmb.xml | 422 +++++++++++++++ .../src/test/resources/realmb/idp-servlet.xml | 116 ++++ .../resources/realmb/persistence.properties | 15 + .../src/test/resources/realmb/realm.properties | 6 + .../test/resources/realmb/security-config.xml | 108 ++++ .../temp/src/test/resources/server.jks | Bin 0 -> 3859 bytes .../src/test/resources/stsKeystoreA.properties | 6 + .../temp/src/test/resources/stsrealm_a.jks | Bin 0 -> 2061 bytes 17 files changed, 2033 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/pom.xml ---------------------------------------------------------------------- 
diff --git a/systests/federation/temp/pom.xml b/systests/federation/temp/pom.xml
new file mode 100644
index 0000000..e26e650
--- /dev/null
+++ b/systests/federation/temp/pom.xml
@@ -0,0 +1,302 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-systests</artifactId>
+ <version>1.3.2-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+ <groupId>org.apache.cxf.fediz.systests.federation</groupId>
+ <artifactId>fediz-systests-federation-temp</artifactId>
+ <name>Apache Fediz Federation Systests Tomcat 7 WS-Federation temp</name>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-logging-juli</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jdt.core.compiler</groupId>
+ <artifactId>ecj</artifactId>
+ <version>${ecj.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-jasper</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-tomcat7</artifactId>
+ <version>${project.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-tests</artifactId>
+ <version>${project.version}</version>
+ <type>test-jar</type>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.hsqldb</groupId>
+ <artifactId>hsqldb</artifactId>
+ <version>${hsqldb.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-rs-security-sso-saml</artifactId>
+ <version>${cxf.version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ </dependencies>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>build-helper-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>reserve-network-port</id>
+ <goals>
+ <goal>reserve-network-port</goal>
+ </goals>
+ <phase>initialize</phase>
+ <configuration>
+ <portNames>
+ <portName>idp.https.port</portName>
+ <portName>idp.realmb.https.port</portName>
+ <portName>rp.https.port</portName>
+ </portNames>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-dependency-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>copy-idp-sts</id>
+ <phase>generate-resources</phase>
+ <goals>
+ <goal>unpack</goal>
+ </goals>
+ <configuration>
+ <artifactItems>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp-sts</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp-sts</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz.systests.webapps</groupId>
+ <artifactId>fediz-systests-webapps-simple</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/rp/webapps/simpleWebapp</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idprealmb/webapps/fediz-idp-realmb</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp-sts</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idprealmb/webapps/fediz-idp-sts-realmb</outputDirectory>
+ </artifactItem>
+ </artifactItems>
+ <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
+ <overWriteSnapshots>true</overWriteSnapshots>
+ <overWriteIfNewer>true</overWriteIfNewer>
+ <stripVersion>true</stripVersion>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <version>2.7</version>
+ <executions>
+ <execution>
+ <id>copy-entities-to-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF/classes</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realma</directory>
+ <includes>
+ <include>entities-realma.xml</include>
+ <include>realm.properties</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-entities-to-remote-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idprealmb/webapps/fediz-idp-realmb/WEB-INF/classes</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realmb</directory>
+ <includes>
+ <include>entities-realmb.xml</include>
+ <include>realm.properties</include>
+ <include>persistence.properties</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-entities-to-remote-idp2</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idprealmb/webapps/fediz-idp-realmb/WEB-INF</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realmb</directory>
+ <includes>
+ <include>idp-servlet.xml</include>
+ <include>security-config.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-failsafe-plugin</artifactId>
+ <inherited>true</inherited>
+ <executions>
+ <execution>
+ <id>integration-test</id>
+ <phase>integration-test</phase>
+ <goals>
+ <goal>integration-test</goal>
+ </goals>
+ <configuration>
+ <skip>${skipTests}</skip>
+ <systemPropertyVariables>
+ <wt.headless>true</wt.headless>
+ <idp.https.port>${idp.https.port}</idp.https.port>
+ <idp.realmb.https.port>${idp.realmb.https.port}</idp.realmb.https.port>
+ <rp.https.port>${rp.https.port}</rp.https.port>
+ </systemPropertyVariables>
+ <includes>
+ <include>**/idp/**</include>
+ </includes>
+ <argLine>-Xms512m -Xmx1024m -XX:MaxPermSize=256m </argLine>
+ <!--argLine>-Xms512m -Xmx1024m -XX:MaxPermSize=256m -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=y</argLine-->
+ </configuration>
+ </execution>
+ <execution>
+ <id>verify</id>
+ <phase>verify</phase>
+ <goals>
+ <goal>verify</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <inherited>true</inherited>
+ <configuration>
+ <excludes>
+ <exclude>**/idp/**</exclude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/federation/temp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/federation/temp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
new file mode 100644
index 0000000..11ff13c
--- /dev/null
+++ b/systests/federation/temp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
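Review bot: The diffstat lists only files under systests/federation/temp, so nothing in this commit registers the new `fediz-systests-federation-temp` artifact in a parent `<modules>` list; unless the parent already picks it up, the module and its failsafe run will never be built. If the module is meant to run in CI, add it to the parent; if it is meant to stay a manual harness (the commit title says temporary), a one-line comment at the top of `<project>` saying so would save the next reader from wiring it in. Separately, `maven-resources-plugin` pins `<version>2.7</version>` while every other plugin in the file inherits its version from the parent; dropping the pin keeps plugin versions managed in one place.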
@@ -0,0 +1,459 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.systests.idp; + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.net.URLEncoder; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.util.UUID; + +import javax.servlet.ServletException; + +import org.apache.catalina.Context; +import org.apache.catalina.LifecycleException; +import org.apache.catalina.LifecycleState; +import org.apache.catalina.connector.Connector; +import org.apache.catalina.startup.Tomcat; +import org.apache.cxf.common.util.Base64Utility; +import org.apache.cxf.fediz.core.util.DOMUtils; +import org.apache.cxf.fediz.tomcat7.FederationAuthenticator; +import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder; +import org.apache.cxf.rs.security.saml.sso.DefaultAuthnRequestBuilder; +import org.apache.cxf.rs.security.saml.sso.SSOConstants; +import org.apache.cxf.staxutils.StaxUtils; +import org.apache.wss4j.common.crypto.Crypto; +import org.apache.wss4j.common.crypto.CryptoFactory; +import org.apache.wss4j.common.crypto.CryptoType; +import 
org.apache.wss4j.common.saml.OpenSAMLUtil; +import org.apache.wss4j.common.util.DOM2Writer; +import org.apache.wss4j.dom.engine.WSSConfig; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; +import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.common.SignableSAMLObject; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.security.x509.BasicX509Credential; +import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; +import org.opensaml.xmlsec.signature.support.SignatureConstants; +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import com.gargoylesoftware.htmlunit.html.DomElement; +import com.gargoylesoftware.htmlunit.html.DomNodeList; +import com.gargoylesoftware.htmlunit.html.HtmlPage; + +/** + * Some tests invoking directly on the IdP for SAML SSO + */ +public class IdpTest { + + static String idpHttpsPort; + static String rpHttpsPort; + static String idpRealmbHttpsPort; + + private static Tomcat idpServer; + private static Tomcat idpRealmbServer; + private static Tomcat rpServer; + + @BeforeClass + public static void init() throws Exception { + System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); + System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); + System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); + 
System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); + + idpHttpsPort = System.getProperty("idp.https.port"); + Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); + idpRealmbHttpsPort = System.getProperty("idp.realmb.https.port"); + Assert.assertNotNull("Property 'idp.realmb.https.port' null", idpRealmbHttpsPort); + rpHttpsPort = System.getProperty("rp.https.port"); + Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); + + idpServer = startServer(true, false, idpHttpsPort); + idpRealmbServer = startServer(false, true, idpRealmbHttpsPort); + // rpServer = startServer(false, false, rpHttpsPort); + + WSSConfig.init(); + } + + private static Tomcat startServer(boolean idp, boolean realmb, String port) + throws ServletException, LifecycleException, IOException { + Tomcat server = new Tomcat(); + server.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + String baseDir = currentDir + File.separator + "target"; + server.setBaseDir(baseDir); + + if (idp) { + server.getHost().setAppBase("tomcat/idp/webapps"); + } else if (realmb) { + server.getHost().setAppBase("tomcat/idprealmb/webapps"); + } else { + server.getHost().setAppBase("tomcat/rp/webapps"); + } + server.getHost().setAutoDeploy(true); + server.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + httpsConnector.setPort(Integer.parseInt(port)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "want"); + // httpsConnector.setAttribute("clientAuth", "false"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + 
httpsConnector.setAttribute("SSLEnabled", true); + + server.getService().addConnector(httpsConnector); + + if (idp) { + File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts"); + server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath()); + + File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp"); + server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath()); + } else if (realmb) { + File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts-realmb"); + server.addWebapp("/fediz-idp-sts-realmb", stsWebapp.getAbsolutePath()); + + File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-realmb"); + server.addWebapp("/fediz-idp-realmb", idpWebapp.getAbsolutePath()); + } else { + File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "simpleWebapp"); + Context cxt = server.addWebapp("/fedizhelloworld", rpWebapp.getAbsolutePath()); + + FederationAuthenticator fa = new FederationAuthenticator(); + fa.setConfigFile(currentDir + File.separator + "target" + File.separator + + "test-classes" + File.separator + "fediz_config_wsfed.xml"); + cxt.getPipeline().addValve(fa); + } + + server.start(); + + return server; + } + + @AfterClass + public static void cleanup() { + shutdownServer(idpServer); + shutdownServer(idpRealmbServer); + shutdownServer(rpServer); + } + + private static void shutdownServer(Tomcat server) { + try { + if (server != null && server.getServer() != null + && server.getServer().getState() != LifecycleState.DESTROYED) { + if (server.getServer().getState() != LifecycleState.STOPPED) { + server.stop(); + } + server.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + } + + public String getIdpHttpsPort() { + return idpHttpsPort; + } + + public String getRpHttpsPort() { + return rpHttpsPort; + } + + public String getServletContextName() { + return 
"fedizhelloworld"; + } + + // + // Successful tests + // + + @org.junit.Test + public void testBrowser() throws Exception { + OpenSAMLUtil.initSamlEngine(); + + // Create SAML AuthnRequest + Document doc = DOMUtils.createDocument(); + doc.appendChild(doc.createElement("root")); + // Create the AuthnRequest + String consumerURL = "https://localhost:" + getRpHttpsPort() + "/" + + getServletContextName() + "/secure/fedservlet"; + AuthnRequest authnRequest = + new DefaultAuthnRequestBuilder().createAuthnRequest( + null, "urn:org:apache:cxf:fediz:fedizhelloworld", consumerURL + ); + authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml"); + signAuthnRequest(authnRequest); + + Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc); + String authnRequestEncoded = encodeAuthnRequest(authnRequestElement); + + String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8"); + + String relayState = UUID.randomUUID().toString(); + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?"; + url += SSOConstants.RELAY_STATE + "=" + relayState; + url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest; + + System.out.println("URL: " + url); + + Thread.sleep(60 * 1000); + + } + /* + @org.junit.Test + public void testSuccessfulInvokeOnIdP() throws Exception { + OpenSAMLUtil.initSamlEngine(); + + // Create SAML AuthnRequest + Document doc = DOMUtils.createDocument(); + doc.appendChild(doc.createElement("root")); + // Create the AuthnRequest + String consumerURL = "https://localhost:" + getRpHttpsPort() + "/" + + getServletContextName() + "/secure/fedservlet"; + AuthnRequest authnRequest = + new DefaultAuthnRequestBuilder().createAuthnRequest( + null, "urn:org:apache:cxf:fediz:fedizhelloworld", consumerURL + ); + authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml"); + signAuthnRequest(authnRequest); + + Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, 
doc); + String authnRequestEncoded = encodeAuthnRequest(authnRequestElement); + + String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8"); + + String relayState = UUID.randomUUID().toString(); + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?"; + url += SSOConstants.RELAY_STATE + "=" + relayState; + url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + final HtmlPage idpPage = webClient.getPage(url); + webClient.getOptions().setJavaScriptEnabled(true); + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + org.opensaml.saml.saml2.core.Response samlResponse = + parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID()); + String expected = "urn:oasis:names:tc:SAML:2.0:status:Success"; + Assert.assertEquals(expected, samlResponse.getStatus().getStatusCode().getValue()); + + // Check claims + String parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument()); + String claim = ClaimTypes.FIRSTNAME.toString(); + Assert.assertTrue(parsedResponse.contains(claim)); + claim = ClaimTypes.LASTNAME.toString(); + Assert.assertTrue(parsedResponse.contains(claim)); + claim = ClaimTypes.EMAILADDRESS.toString(); + Assert.assertTrue(parsedResponse.contains(claim)); + + webClient.close(); + } + + @org.junit.Test + public void testSuccessfulInvokeOnIdPUsingPOST() throws Exception { + OpenSAMLUtil.initSamlEngine(); + + // Create SAML AuthnRequest + Document doc = DOMUtils.createDocument(); + doc.appendChild(doc.createElement("root")); + // Create the AuthnRequest + String consumerURL = 
"https://localhost:" + getRpHttpsPort() + "/" + + getServletContextName() + "/secure/fedservlet"; + AuthnRequest authnRequest = + new DefaultAuthnRequestBuilder().createAuthnRequest( + null, "urn:org:apache:cxf:fediz:fedizhelloworld", consumerURL + ); + authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up"); + signAuthnRequest(authnRequest); + + Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc); + + // Don't inflate the token... + String requestMessage = DOM2Writer.nodeToString(authnRequestElement); + String authnRequestEncoded = Base64Utility.encode(requestMessage.getBytes("UTF-8")); + + String relayState = UUID.randomUUID().toString(); + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up"; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + + WebRequest request = new WebRequest(new URL(url), HttpMethod.POST); + + request.setRequestParameters(new ArrayList<NameValuePair>()); + request.getRequestParameters().add(new NameValuePair(SSOConstants.RELAY_STATE, relayState)); + request.getRequestParameters().add(new NameValuePair(SSOConstants.SAML_REQUEST, authnRequestEncoded)); + + webClient.getOptions().setJavaScriptEnabled(false); + final HtmlPage idpPage = webClient.getPage(request); + + webClient.getOptions().setJavaScriptEnabled(true); + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + org.opensaml.saml.saml2.core.Response samlResponse = + parseSAMLResponse(idpPage, relayState, consumerURL, authnRequest.getID()); + String expected = "urn:oasis:names:tc:SAML:2.0:status:Success"; + Assert.assertEquals(expected, 
samlResponse.getStatus().getStatusCode().getValue()); + + // Check claims + String parsedResponse = DOM2Writer.nodeToString(samlResponse.getDOM().getOwnerDocument()); + String claim = ClaimTypes.FIRSTNAME.toString(); + Assert.assertTrue(parsedResponse.contains(claim)); + claim = ClaimTypes.LASTNAME.toString(); + Assert.assertTrue(parsedResponse.contains(claim)); + claim = ClaimTypes.EMAILADDRESS.toString(); + Assert.assertTrue(parsedResponse.contains(claim)); + + webClient.close(); + } + */ + + private String encodeAuthnRequest(Element authnRequest) throws IOException { + String requestMessage = DOM2Writer.nodeToString(authnRequest); + + DeflateEncoderDecoder encoder = new DeflateEncoderDecoder(); + byte[] deflatedBytes = encoder.deflateToken(requestMessage.getBytes("UTF-8")); + + return Base64Utility.encode(deflatedBytes); + } + + private void signAuthnRequest(AuthnRequest authnRequest) throws Exception { + Crypto crypto = CryptoFactory.getInstance("stsKeystoreA.properties"); + + CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); + cryptoType.setAlias("realma"); + X509Certificate[] issuerCerts = crypto.getX509Certificates(cryptoType); + + String sigAlgo = SSOConstants.RSA_SHA1; + + // Get the private key + PrivateKey privateKey = crypto.getPrivateKey("realma", "realma"); + + // Create the signature + Signature signature = OpenSAMLUtil.buildSignature(); + signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + signature.setSignatureAlgorithm(sigAlgo); + + BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey); + + signature.setSigningCredential(signingCredential); + + X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory(); + kiFactory.setEmitEntityCertificate(true); + + try { + KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential); + signature.setKeyInfo(keyInfo); + } catch (org.opensaml.security.SecurityException ex) { + throw new Exception( + 
"Error generating KeyInfo from signing credential", ex); + } + + SignableSAMLObject signableObject = (SignableSAMLObject) authnRequest; + signableObject.setSignature(signature); + signableObject.releaseDOM(); + signableObject.releaseChildrenDOM(true); + + } + + private org.opensaml.saml.saml2.core.Response parseSAMLResponse(HtmlPage idpPage, + String relayState, + String consumerURL, + String authnRequestId + ) throws Exception { + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + // Parse the form to get the token (SAMLResponse) + DomNodeList<DomElement> results = idpPage.getElementsByTagName("input"); + + String samlResponse = null; + boolean foundRelayState = false; + for (DomElement result : results) { + if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))) { + samlResponse = result.getAttributeNS(null, "value"); + } else if ("RelayState".equals(result.getAttributeNS(null, "name"))) { + foundRelayState = true; + Assert.assertEquals(result.getAttributeNS(null, "value"), relayState); + } + } + + Assert.assertNotNull(samlResponse); + Assert.assertTrue(foundRelayState); + + // Check the "action" + DomNodeList<DomElement> formResults = idpPage.getElementsByTagName("form"); + Assert.assertFalse(formResults.isEmpty()); + + DomElement formResult = formResults.get(0); + String action = formResult.getAttributeNS(null, "action"); + Assert.assertTrue(action.equals(consumerURL)); + + // Decode + verify response + byte[] deflatedToken = Base64Utility.decode(samlResponse); + InputStream inputStream = new ByteArrayInputStream(deflatedToken); + + Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8")); + + XMLObject responseObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement()); + Assert.assertTrue(responseObject instanceof org.opensaml.saml.saml2.core.Response); + + org.opensaml.saml.saml2.core.Response samlResponseObject = + (org.opensaml.saml.saml2.core.Response)responseObject; + 
Assert.assertTrue(authnRequestId.equals(samlResponseObject.getInResponseTo())); + + return samlResponseObject; + } +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/src/test/resources/alice_client.jks ---------------------------------------------------------------------- diff --git a/systests/federation/temp/src/test/resources/alice_client.jks b/systests/federation/temp/src/test/resources/alice_client.jks new file mode 100644 index 0000000..879df98 Binary files /dev/null and b/systests/federation/temp/src/test/resources/alice_client.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/src/test/resources/client.jks ---------------------------------------------------------------------- diff --git a/systests/federation/temp/src/test/resources/client.jks b/systests/federation/temp/src/test/resources/client.jks new file mode 100644 index 0000000..62d221e Binary files /dev/null and b/systests/federation/temp/src/test/resources/client.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/src/test/resources/clienttrust.jks ---------------------------------------------------------------------- diff --git a/systests/federation/temp/src/test/resources/clienttrust.jks b/systests/federation/temp/src/test/resources/clienttrust.jks new file mode 100644 index 0000000..c3ad459 Binary files /dev/null and b/systests/federation/temp/src/test/resources/clienttrust.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/src/test/resources/logging.properties ---------------------------------------------------------------------- diff --git a/systests/federation/temp/src/test/resources/logging.properties b/systests/federation/temp/src/test/resources/logging.properties new file mode 100644 index 0000000..040b210 --- /dev/null +++ b/systests/federation/temp/src/test/resources/logging.properties 
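Review bot: `testBrowser` is the only active test in IdpTest and it ends in `Thread.sleep(60 * 1000)` after printing the URL, with no assertion; because the pom's failsafe execution includes `**/idp/**`, every build of this module would block for a minute and then pass vacuously. Mark it `@org.junit.Ignore("manual browser test")` above the `@org.junit.Test`, or drop the sleep and reinstate one of the commented-out `parseSAMLResponse` assertions, so the interactive stub is not run as an integration test. Note also that `consumerURL` is built from `getRpHttpsPort()` while the `rpServer = startServer(...)` call in `init()` is commented out, and the RP branch of `startServer` points `FederationAuthenticator` at `fediz_config_wsfed.xml`, which is not among the 17 files in this commit, so re-enabling the RP server as-is would fail at startup. Lastly, `signAuthnRequest` hard-codes `SSOConstants.RSA_SHA1` for the AuthnRequest signature; if the IdP under test accepts an RSA-SHA256 signature algorithm, prefer it so the test does not exercise a deprecated algorithm by default.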
@@ -0,0 +1,54 @@
+############################################################
+# Default Logging Configuration File
+#
+# You can use a different file by specifying a filename
+# with the java.util.logging.config.file system property.
+# For example java -Djava.util.logging.config.file=myfile
+############################################################
+
+############################################################
+# Global properties
+############################################################
+
+# "handlers" specifies a comma separated list of log Handler
+# classes. These handlers will be installed during VM startup.
+# Note that these classes must be on the system classpath.
+# By default we only configure a ConsoleHandler, which will only
+# show messages at the WARNING and above levels.
+handlers= java.util.logging.ConsoleHandler
+#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler
+
+# Default global logging level.
+# This specifies which kinds of events are logged across
+# all loggers. For any given facility this global level
+# can be overridden by a facility specific level
+# Note that the ConsoleHandler also has a separate level
+# setting to limit messages printed to the console.
+.level= INFO
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+# default file output is in user's home directory.
+java.util.logging.FileHandler.pattern = %h/java%u.log
+java.util.logging.FileHandler.limit = 50000
+java.util.logging.FileHandler.count = 1
+java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
+
+# Limit the message that are printed on the console to WARNING and above.
+java.util.logging.ConsoleHandler.level = WARNING
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#com.xyz.foo.level = SEVERE
+org.apache.ws.security.level = FINEST
+org.apache.cxf.fediz.level = FINEST
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/src/test/resources/realma.cert
----------------------------------------------------------------------
diff --git a/systests/federation/temp/src/test/resources/realma.cert b/systests/federation/temp/src/test/resources/realma.cert
new file mode 100644
index 0000000..ff97f79
--- /dev/null
+++ b/systests/federation/temp/src/test/resources/realma.cert
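Review bot: The two FINEST logger levels at the bottom (`org.apache.ws.security.level`, `org.apache.cxf.fediz.level`) have no observable effect as configured, because the only installed handler is the ConsoleHandler, which is capped at WARNING a few lines above, while the FileHandler entry is commented out. Whoever uncomments the FileHandler to get that output should know it lands in `%h/java%u.log` under the user's home directory and, at FINEST, is likely to include full SAML/WS-Federation token material from this test; a comment such as `# FINEST on the security stack logs token contents; only route it to a handler you control` would prevent the surprise. Also `org.apache.ws.security` is the WSS4J 1.x package name; if this module builds against WSS4J 2.x the logger to raise is `org.apache.wss4j`, so one of the two lines is probably dead.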
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAamgAwIBAgIEINqJ9TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZSRUFMTUEwHhcN
+MTUwNjEwMTU0NDE3WhcNMjUwNDE4MTU0NDE3WjARMQ8wDQYDVQQDEwZSRUFMTUEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCJDSXn2lDR+JM+AsJarFG3/XGH7K+9AfAbQIz2IgB9MCpO
+KVWTUPCvuo1I+Fp5nEGreuHYLEwgIiam3o+C9tvpLgtDDaDkmXjDzkWpk8z6+im72HZ/ODF93Rqw
+jIiY5ZCzgDumFyPzdKiGwChThamidy+rd6oheSoi6qRVSMMcnwiEUmvkfFvV3izXRqeT5nGQwsin
+y9mCEiGx8jkfxP++H0RQjVjhOwzfQ7epsR7dTQNf2ZhkBR3o6wKV9QnF2IBWHZpA9EK58rWU9H6j
+G7b631rYvwsbOUF9HcZ8DI2BFh+4p18jDN/fnjNGSLr9rYOExpsIiF1cHBK7Tr7WwCmDAgMBAAGj
+ITAfMB0GA1UdDgQWBBRHy0qYoLm9jx/1L6r61NznHKun2jANBgkqhkiG9w0BAQsFAAOCAQEAR9rU
+5Sp1FsOErdvKNFqeaKl0oq6Fuz7BWcGm2kK6+1ZbWE8IOv6Vh+BlLuOe5hF7aLUbm8UIjhKsmg0M
+Ey5MBwkBZktT1qhQteMuiKgYR7CxayCxO0f125RYvvwntJa5rI7bUrzOqX29VQD1qQ/Tb+08fULT
+L7oURP+g88Ff99dn3IpO4VZxZdsbl4+KZRtqQvPAdXNYjOajJtPzS489+/DtfWJ6wPm/7YZ4did4
+1fYcrdwyEZ15L0/5i931z7sztNickm5WhO40qEVDKN6KrlV2Eyea0+933v2Pwe4resTlko9G2T5h
+dEaSbvht2Q/JOMMmT91daeto2oS8HTKhTA==
+-----END CERTIFICATE-----
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/src/test/resources/realma/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/federation/temp/src/test/resources/realma/entities-realma.xml b/systests/federation/temp/src/test/resources/realma/entities-realma.xml
new file mode 100644
index 0000000..74dd5d1
--- /dev/null
+++ b/systests/federation/temp/src/test/resources/realma/entities-realma.xml
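Review bot: This is a fixed-lifetime test fixture: the DER validity fields in the first two base64 lines appear to decode to notBefore 2015-06-10 and notAfter 2025-04-18 (UTC), so every test that validates a token against `validatingCertificate=realma.cert` will start failing on that date with nothing in the build pointing at the cause. Subject and issuer both appear to read CN=REALMA, i.e. it looks self-signed, so regenerating it is cheap. Record the expiry and the keytool command that produced it (and the matching keystore entry) in the module README or pom rather than leaving the next maintainer to decode the PEM; `openssl x509 -in realma.cert -noout -dates -subject -issuer` confirms the values.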
@@ -0,0 +1,525 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+ <property name="uri" value="realma" />
+ <property name="provideIdpList" value="true" />
+ <property name="useCurrentIdp" value="true" />
+ <property name="certificate" value="stsKeystoreA.properties" />
+ <property name="certificatePassword" value="realma" />
+ <property name="stsUrl" value="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA" />
+ <property name="idpUrl" value="https://localhost:${idp.https.port}/fediz-idp/federation" />
+ <property name="rpSingleSignOutConfirmation" value="true"/>
+ <property name="supportedProtocols">
+ <util:list>
+ <value>http://docs.oasis-open.org/wsfed/federation/200706
+ </value>
+ <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512
+ </value>
+ </util:list>
+ </property>
+ <property name="tokenTypesOffered">
+ <util:list>
+ <value>urn:oasis:names:tc:SAML:1.0:assertion</value>
+ <value>urn:oasis:names:tc:SAML:2.0:assertion</value>
+ </util:list>
+ </property>
+ <property name="authenticationURIs">
+ <util:map>
+ <entry key="default" value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"
+ value="federation/krb" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+ value="federation/clientcert" />
+ </util:map>
+ </property>
+ <property name="serviceDisplayName" value="REALM A" />
+ <property name="serviceDescription" value="IDP of Realm A" />
+ <property name="applications">
+ <util:list>
+ <ref bean="srv-fedizhelloworld" />
+ </util:list>
+ </property>
+ <property name="trustedIdps">
+ <util:list>
+ <ref bean="trusted-idp-realmB" />
+ </util:list>
+ </property>
+ <property name="claimTypesOffered">
+ <util:list>
+ <ref bean="claim_role" />
+ <ref bean="claim_surname" />
+ <ref bean="claim_givenname" />
+ <ref bean="claim_email" />
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="idp-saml-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:saml:realm-A" />
+ <property name="uri" value="realma" />
+ <property name="provideIdpList" value="true" />
+ <property name="useCurrentIdp" value="true" />
+ <property name="certificate" value="stsKeystoreA.properties" />
+ <property name="certificatePassword" value="realma" />
+ <property name="stsUrl" value="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA" />
+ <property name="idpUrl" value="https://localhost:${idp.https.port}/fediz-idp/saml" />
+ <property name="rpSingleSignOutConfirmation" value="true"/>
+ <property name="supportedProtocols">
+ <util:list>
+ <value>urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
+ </value>
+ <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512
+ </value>
+ </util:list>
+ </property>
+ <property name="tokenTypesOffered">
+ <util:list>
+ <value>urn:oasis:names:tc:SAML:1.0:assertion</value>
+ <value>urn:oasis:names:tc:SAML:2.0:assertion</value>
+ </util:list>
+ </property>
+ <property name="authenticationURIs">
+ <util:map>
+ <entry key="default" value="saml/up" />
+ </util:map>
+ </property>
+ <property name="serviceDisplayName" value="REALM A" />
+ <property name="serviceDescription" value="IDP of Realm A" />
+ <property name="applications">
+ <util:list>
+ <ref bean="srv-fedizhelloworld" />
+ </util:list>
+ </property>
+ <property name="trustedIdps">
+ <util:list>
+ <ref bean="trusted-idp-realmB" />
+ </util:list>
+ </property>
+ <property name="claimTypesOffered">
+ <util:list>
+ <ref bean="claim_role" />
+ <ref bean="claim_surname" />
+ <ref bean="claim_givenname" />
+ <ref bean="claim_email" />
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="trusted-idp-realmB"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+ <property name="cacheTokens" value="true" />
+ <property name="url" value="https://localhost:${idp.realmb.https.port}/fediz-idp-realmb/federation" />
+ <property name="certificate" value="realmb.cert" />
+ <property name="trustType" value="PEER_TRUST" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="federationType" value="FEDERATE_IDENTITY" />
+ <property name="name" value="Realm B" />
+ <property name="description" value="Realm B description" />
+ </bean>
+
+ <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Fedizhelloworld" />
+ <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint"
+ value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
+ <property name="validatingCertificate" value="realma.cert" />
+ </bean>
+
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_role" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_givenname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_surname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_email" />
+ <property name="optional" value="false" />
+ </bean>
+
+ <bean id="claim_role"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+ <property name="displayName"
+ value="role" />
+ <property name="description"
+ value="Description for role" />
+ </bean>
+ <bean id="claim_givenname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+ <property name="displayName"
+ value="firstname" />
+ <property name="description"
+ value="Description for firstname" />
+ </bean>
+ <bean id="claim_surname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+ <property name="displayName"
+ value="lastname" />
+ <property name="description"
+ value="Description for lastname" />
+ </bean>
+ <bean id="claim_email"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+ <property name="displayName"
+ value="email" />
+ <property name="description"
+ value="Description for email" />
+ </bean>
+
+
+ <bean id="entitlement_claim_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_LIST" />
+ <property name="description"
+ value="Description for CLAIM_LIST" />
+ </bean>
+ <bean id="entitlement_claim_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_CREATE" />
+ <property name="description"
+ value="Description for CLAIM_CREATE" />
+ </bean>
+ <bean id="entitlement_claim_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_READ" />
+ <property name="description"
+ value="Description for CLAIM_READ" />
+ </bean>
+ <bean id="entitlement_claim_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_UPDATE" />
+ <property name="description"
+ value="Description for CLAIM_UPDATE" />
+ </bean>
+ <bean id="entitlement_claim_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_DELETE" />
+ <property name="description"
+ value="Description for CLAIM_DELETE" />
+ </bean>
+
+ <bean id="entitlement_application_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_LIST" />
+ <property name="description"
+ value="Description for APPLICATION_LIST" />
+ </bean>
+ <bean id="entitlement_application_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_CREATE" />
+ <property name="description"
+ value="Description for APPLICATION_CREATE" />
+ </bean>
+ <bean id="entitlement_application_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_READ" />
+ <property name="description"
+ value="Description for APPLICATION_READ" />
+ </bean>
+ <bean id="entitlement_application_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_UPDATE" />
+ <property name="description"
+ value="Description for APPLICATION_UPDATE" />
+ </bean>
+ <bean id="entitlement_application_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_DELETE" />
+ <property name="description"
+ value="Description for APPLICATION_DELETE" />
+ </bean>
+
+ <bean id="entitlement_trustedidp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_LIST" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_LIST" />
+ </bean>
+ <bean id="entitlement_trustedidp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_CREATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_CREATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_READ" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_READ" />
+ </bean>
+ <bean id="entitlement_trustedidp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_UPDATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_DELETE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_idp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_LIST" />
+ <property name="description"
+ value="Description for IDP_LIST" />
+ </bean>
+ <bean id="entitlement_idp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_CREATE" />
+ <property name="description"
+ value="Description for IDP_CREATE" />
+ </bean>
+ <bean id="entitlement_idp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_READ" />
+ <property name="description"
+ value="Description for IDP_READ" />
+ </bean>
+ <bean id="entitlement_idp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_UPDATE" />
+ <property name="description"
+ value="Description for IDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_idp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_DELETE" />
+ <property name="description"
+ value="Description for IDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_role_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_LIST" />
+ <property name="description"
+ value="Description for ROLE_LIST" />
+ </bean>
+ <bean id="entitlement_role_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_CREATE" />
+ <property name="description"
+ value="Description for ROLE_CREATE" />
+ </bean>
+ <bean id="entitlement_role_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_READ" />
+ <property name="description"
+ value="Description for ROLE_READ" />
+ </bean>
+ <bean id="entitlement_role_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_UPDATE" />
+ <property name="description"
+ value="Description for ROLE_UPDATE" />
+ </bean>
+ <bean id="entitlement_role_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_DELETE" />
+ <property name="description"
+ value="Description for ROLE_DELETE" />
+ </bean>
+
+ <bean id="entitlement_entitlement_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_LIST" />
+ <property name="description"
+ value="Description for ENTITLEMENT_LIST" />
+ </bean>
+ <bean id="entitlement_entitlement_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_CREATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_CREATE" />
+ </bean>
+ <bean id="entitlement_entitlement_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_READ" />
+ <property name="description"
+ value="Description for ENTITLEMENT_READ" />
+ </bean>
+ <bean id="entitlement_entitlement_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_UPDATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_UPDATE" />
+ </bean>
+ <bean id="entitlement_entitlement_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_DELETE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_DELETE" />
+ </bean>
+
+ <bean id="role_admin"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="ADMIN" />
+ <property name="description"
+ value="This is the administrator role with full access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_create" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_claim_update" />
+ <ref bean="entitlement_claim_delete" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_create" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_idp_update" />
+ <ref bean="entitlement_idp_delete" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_create" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_trustedidp_update" />
+ <ref bean="entitlement_trustedidp_delete" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_create" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_application_update" />
+ <ref bean="entitlement_application_delete" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_create" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_role_update" />
+ <ref bean="entitlement_role_delete" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_create" />
+ <ref bean="entitlement_entitlement_read" />
+ <ref bean="entitlement_entitlement_update" />
+ <ref bean="entitlement_entitlement_delete" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_user"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="USER" />
+ <property name="description"
+ value="This is the user role with read access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_read" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_idp_login"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="IDP_LOGIN" />
+ <property name="description"
+ value="This is the IDP login role which is applied to Users during the IDP SSO" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ </util:list>
+ </property>
+ </bean>
+
+
+
+</beans>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/src/test/resources/realma/realm.properties
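Review bot: Both IdpEntity beans, `idp-realmA` and `idp-saml-realmA`, declare `<property name="uri" value="realma" />`, so the two IdP definitions loaded into the same database differ only by realm; if `uri` is meant to be unique per IdP, one of them should get its own value, e.g. `<property name="uri" value="realma-saml" />`, and otherwise a comment should say why the duplicate is intended for this temporary test. Separately, the wreply constraint on `srv-fedizhelloworld`, `https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*`, uses `(\d)*`, which also matches an empty port; `\d+` is presumably what is meant, and for a pattern that gates where tokens are posted it is worth being exact. The capturing groups serve no purpose either; `https://localhost:\d+/\w*helloworld\w*/secure/.*` expresses the same intent without them.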
----------------------------------------------------------------------
diff --git a/systests/federation/temp/src/test/resources/realma/realm.properties b/systests/federation/temp/src/test/resources/realma/realm.properties
new file mode 100644
index 0000000..1df51d7
--- /dev/null
+++ b/systests/federation/temp/src/test/resources/realma/realm.properties
@@ -0,0 +1,5 @@
+realm.STS_URI=REALMA
+realm-uri=urn:org:apache:cxf:fediz:idp:saml:realm-A
+realmA.port=9443
+realmB.port=12443
+db-load-config=entities-realma.xml
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ebb06de7/systests/federation/temp/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/temp/src/test/resources/realmb/entities-realmb.xml b/systests/federation/temp/src/test/resources/realmb/entities-realmb.xml
new file mode 100644
index 0000000..a87894b
--- /dev/null
+++ b/systests/federation/temp/src/test/resources/realmb/entities-realmb.xml
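Review bot: `realmA.port=9443` and `realmB.port=12443` are fixed here, while every URL in `entities-realma.xml` is built from the `${idp.https.port}` and `${idp.realmb.https.port}` placeholders; if the harness reserves those ports dynamically, as the placeholders suggest, these two values will silently disagree with the listeners actually started and anything that reads them will point at the wrong port. Either derive them from the same properties or comment that they are unused in this test. `realm-uri` deliberately selects the SAML2 entity (`urn:org:apache:cxf:fediz:idp:saml:realm-A`) rather than the WS-Federation entity defined alongside it, which is the point of this test but is not obvious from the file; a comment such as `# realm-uri selects the SAML SSO IdpEntity from entities-realma.xml; the WS-Fed entity there is inactive in this test` would make that explicit.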
@@ -0,0 +1,422 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <bean id="idp-realmB" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+ <property name="uri" value="realmb" />
+ <property name="provideIdpList" value="false" />
+ <property name="useCurrentIdp" value="true" />
+ <property name="certificate" value="stsKeystoreB.properties" />
+ <property name="certificatePassword" value="realmb" />
+ <property name="stsUrl" value="https://localhost:${idp.realmb.https.port}/fediz-idp-sts-realmb/REALMB" />
+ <property name="idpUrl" value="https://localhost:${idp.realmb.https.port}/fediz-idp-realmb/federation" />
+ <property name="supportedProtocols">
+ <util:list>
+ <value>http://docs.oasis-open.org/wsfed/federation/200706
+ </value>
+ <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512
+ </value>
+ </util:list>
+ </property>
+ <property name="tokenTypesOffered">
+ <util:list>
+ <value>urn:oasis:names:tc:SAML:1.0:assertion</value>
+ <value>urn:oasis:names:tc:SAML:2.0:assertion</value>
+ </util:list>
+ </property>
+ <property name="authenticationURIs">
+ <util:map>
+ <entry key="default" value="federation/up" />
+ </util:map>
+ </property>
+ <property name="serviceDisplayName" value="REALM B" />
+ <property name="serviceDescription" value="IDP of Realm B" />
+ <property name="applications">
+ <util:list>
+ <ref bean="idp-realmA" />
+ </util:list>
+ </property>
+ <property name="claimTypesOffered">
+ <util:list>
+ <ref bean="claim_role" />
+ <ref bean="claim_surname" />
+ <ref bean="claim_givenname" />
+ <ref bean="claim_email" />
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:saml:realm-A" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Resource IDP Realm A" />
+ <property name="serviceDescription" value="Resource IDP Realm A" />
+ <property name="role" value="SecurityTokenServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ </bean>
+
+ <bean id="claim_role"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+ <property name="displayName"
+ value="role" />
+ <property name="description"
+ value="Description for role" />
+ </bean>
+ <bean id="claim_givenname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+ <property name="displayName"
+ value="firstname" />
+ <property name="description"
+ value="Description for firstname" />
+ </bean>
+ <bean id="claim_surname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+ <property name="displayName"
+ value="lastname" />
+ <property name="description"
+ value="Description for lastname" />
+ </bean>
+ <bean id="claim_email"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+ <property name="displayName"
+ value="email" />
+ <property name="description"
+ value="Description for email" />
+ </bean>
+
+ <bean id="entitlement_claim_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_LIST" />
+ <property name="description"
+ value="Description for CLAIM_LIST" />
+ </bean>
+ <bean id="entitlement_claim_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_CREATE" />
+ <property name="description"
+ value="Description for CLAIM_CREATE" />
+ </bean>
+ <bean id="entitlement_claim_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_READ" />
+ <property name="description"
+ value="Description for CLAIM_READ" />
+ </bean>
+ <bean id="entitlement_claim_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_UPDATE" />
+ <property name="description"
+ value="Description for CLAIM_UPDATE" />
+ </bean>
+ <bean id="entitlement_claim_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_DELETE" />
+ <property name="description"
+ value="Description for CLAIM_DELETE" />
+ </bean>
+
+ <bean id="entitlement_application_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_LIST" />
+ <property name="description"
+ value="Description for APPLICATION_LIST" />
+ </bean>
+ <bean id="entitlement_application_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_CREATE" />
+ <property name="description"
+ value="Description for APPLICATION_CREATE" />
+ </bean>
+ <bean id="entitlement_application_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_READ" />
+ <property name="description"
+ value="Description for APPLICATION_READ" />
+ </bean>
+ <bean id="entitlement_application_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_UPDATE" />
+ <property name="description"
+ value="Description for APPLICATION_UPDATE" />
+ </bean>
+ <bean id="entitlement_application_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_DELETE" />
+ <property name="description"
+ value="Description for APPLICATION_DELETE" />
+ </bean>
+
+ <bean id="entitlement_trustedidp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_LIST" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_LIST" />
+ </bean>
+ <bean id="entitlement_trustedidp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_CREATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_CREATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_READ" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_READ" />
+ </bean>
+ <bean id="entitlement_trustedidp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_UPDATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_DELETE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_idp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_LIST" />
+ <property name="description"
+ value="Description for IDP_LIST" />
+ </bean>
+ <bean id="entitlement_idp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_CREATE" />
+ <property name="description"
+ value="Description for IDP_CREATE" />
+ </bean>
+ <bean id="entitlement_idp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_READ" />
+ <property name="description"
+ value="Description for IDP_READ" />
+ </bean>
+ <bean id="entitlement_idp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_UPDATE" />
+ <property name="description"
+ value="Description for IDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_idp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_DELETE" />
+ <property name="description"
+ value="Description for IDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_role_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_LIST" />
+ <property name="description"
+ value="Description for ROLE_LIST" />
+ </bean>
+ <bean id="entitlement_role_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_CREATE" />
+ <property name="description"
+ value="Description for ROLE_CREATE" />
+ </bean>
+ <bean id="entitlement_role_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_READ" />
+ <property name="description"
+ value="Description for ROLE_READ" />
+ </bean>
+ <bean id="entitlement_role_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_UPDATE" />
+ <property name="description"
+ value="Description for ROLE_UPDATE" />
+ </bean>
+ <bean id="entitlement_role_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_DELETE" />
+ <property name="description"
+ value="Description for ROLE_DELETE" />
+ </bean>
+
+ <bean id="entitlement_entitlement_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_LIST" />
+ <property name="description"
+ value="Description for ENTITLEMENT_LIST" />
+ </bean>
+ <bean id="entitlement_entitlement_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_CREATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_CREATE" />
+ </bean>
+ <bean id="entitlement_entitlement_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_READ" />
+ <property name="description"
+ value="Description for ENTITLEMENT_READ" />
+ </bean>
+ <bean id="entitlement_entitlement_update"
+
class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity"> + <property name="name" + value="ENTITLEMENT_UPDATE" /> + <property name="description" + value="Description for ENTITLEMENT_UPDATE" /> + </bean> + <bean id="entitlement_entitlement_delete" + class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity"> + <property name="name" + value="ENTITLEMENT_DELETE" /> + <property name="description" + value="Description for ENTITLEMENT_DELETE" /> + </bean> + + <bean id="role_admin" + class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity"> + <property name="name" + value="ADMIN" /> + <property name="description" + value="This is the administrator role with full access" /> + <property name="entitlements"> + <util:list> + <ref bean="entitlement_claim_list" /> + <ref bean="entitlement_claim_create" /> + <ref bean="entitlement_claim_read" /> + <ref bean="entitlement_claim_update" /> + <ref bean="entitlement_claim_delete" /> + <ref bean="entitlement_idp_list" /> + <ref bean="entitlement_idp_create" /> + <ref bean="entitlement_idp_read" /> + <ref bean="entitlement_idp_update" /> + <ref bean="entitlement_idp_delete" /> + <ref bean="entitlement_trustedidp_list" /> + <ref bean="entitlement_trustedidp_create" /> + <ref bean="entitlement_trustedidp_read" /> + <ref bean="entitlement_trustedidp_update" /> + <ref bean="entitlement_trustedidp_delete" /> + <ref bean="entitlement_application_list" /> + <ref bean="entitlement_application_create" /> + <ref bean="entitlement_application_read" /> + <ref bean="entitlement_application_update" /> + <ref bean="entitlement_application_delete" /> + <ref bean="entitlement_role_list" /> + <ref bean="entitlement_role_create" /> + <ref bean="entitlement_role_read" /> + <ref bean="entitlement_role_update" /> + <ref bean="entitlement_role_delete" /> + <ref bean="entitlement_entitlement_list" /> + <ref bean="entitlement_entitlement_create" /> + <ref bean="entitlement_entitlement_read" /> + <ref 
bean="entitlement_entitlement_update" /> + <ref bean="entitlement_entitlement_delete" /> + </util:list> + </property> + </bean> + <bean id="role_user" + class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity"> + <property name="name" + value="USER" /> + <property name="description" + value="This is the user role with read access" /> + <property name="entitlements"> + <util:list> + <ref bean="entitlement_claim_list" /> + <ref bean="entitlement_claim_read" /> + <ref bean="entitlement_idp_list" /> + <ref bean="entitlement_idp_read" /> + <ref bean="entitlement_trustedidp_list" /> + <ref bean="entitlement_trustedidp_read" /> + <ref bean="entitlement_application_list" /> + <ref bean="entitlement_application_read" /> + <ref bean="entitlement_role_list" /> + <ref bean="entitlement_role_read" /> + <ref bean="entitlement_entitlement_list" /> + <ref bean="entitlement_entitlement_read" /> + </util:list> + </property> + </bean> + <bean id="role_idp_login" + class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity"> + <property name="name" + value="IDP_LOGIN" /> + <property name="description" + value="This is the IDP login role which is applied to Users during the IDP SSO" /> + <property name="entitlements"> + <util:list> + <ref bean="entitlement_claim_list" /> + <ref bean="entitlement_claim_read" /> + <ref bean="entitlement_idp_list" /> + <ref bean="entitlement_idp_read" /> + <ref bean="entitlement_trustedidp_list" /> + <ref bean="entitlement_trustedidp_read" /> + <ref bean="entitlement_application_list" /> + <ref bean="entitlement_application_read" /> + </util:list> + </property> + </bean> + +</beans> +
