Author: pcraveiro
Date: 2011-11-15 08:23:37 -0500 (Tue, 15 Nov 2011)
New Revision: 1324
Added:
federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-handlers.xml
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-idfed.xml
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/roles.properties
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-handlers.xml
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-idfed.xml
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/roles.properties
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
Log:
https://issues.jboss.org/browse/PLFED-248
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-11-14
15:55:39 UTC (rev 1323)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2011-11-15
13:23:37 UTC (rev 1324)
@@ -28,7 +28,9 @@
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
+import java.net.MalformedURLException;
import java.net.URI;
+import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PublicKey;
@@ -154,6 +156,11 @@
private Boolean ignoreIncomingSignatures = false;
private Boolean signOutgoingMessages = true;
+
+ /**
+ * Defines how the token's signature will be validated. If true is used the
token's issuer, otherwise the request.getRemoteAddr. Default false.
+ */
+ private Boolean validatingAliasToTokenIssuer = false;
private transient DelegatedAttributeManager attribManager = new
DelegatedAttributeManager();
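Review bot: The Javadoc on the new `validatingAliasToTokenIssuer` field does not say what the flag selects, and "If true is used the token's issuer, otherwise the request.getRemoteAddr" reads as garbled. I would replace it with `Selects the keystore alias used to look up the validating key: when true, the host of the token's Issuer; when false, request.getRemoteAddr(). Default false.` It is worth stating in the same comment that the alias only decides which configured key is tried, and that the signature still has to verify against that key, since that is what makes the issuer-based lookup acceptable for an unauthenticated value.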
@@ -220,6 +227,20 @@
}
/**
+ * PLFED-248
+ * Allows to validate the token's signature against the keystore using the
token's issuer.
+ */
+ public void setValidatingAliasToTokenIssuer(Boolean validatingAliasToTokenIssuer)
+ {
+ this.validatingAliasToTokenIssuer = validatingAliasToTokenIssuer;
+ }
+
+ public Boolean getValidatingAliasToTokenIssuer()
+ {
+ return validatingAliasToTokenIssuer;
+ }
+
+ /**
* IDP should not do any attributes such as generation of roles etc
* @param ignoreAttributes
*/
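Review bot: `setValidatingAliasToTokenIssuer` stores a boxed `Boolean` unchecked, and the field is later unboxed in `if (this.validatingAliasToTokenIssuer)` inside getTokenSignatureValidatingAlias, so a null coming from a configuration source surfaces as a NullPointerException on the first SAML message rather than as a configuration error at startup. A guard in the setter, `if (validatingAliasToTokenIssuer == null) throw new IllegalArgumentException("validatingAliasToTokenIssuer must not be null");`, keeps the failure where it is caused. The Javadoc above the setter would also read better as a sentence than the bare `PLFED-248` line, e.g. `Enables validation of the token's signature with the key registered for the token's Issuer (PLFED-248).`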
@@ -489,8 +510,6 @@
Boolean requestedPostProfile = null;
- //Get the SAML Request Message
- RequestAbstractType requestAbstractType = null;
String samlRequestMessage = (String)
session.getNote(GeneralConstants.SAML_REQUEST_KEY);
String relayState = (String) session.getNote(GeneralConstants.RELAY_STATE);
@@ -511,15 +530,23 @@
{
samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage);
samlObject = samlDocumentHolder.getSamlObject();
+
+ if (!(samlObject instanceof RequestAbstractType)) {
+ throw new RuntimeException(ErrorCodes.WRONG_TYPE +
samlObject.getClass().getName());
+ }
+ //Get the SAML Request Message
+ RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject;
+ String issuer = requestAbstractType.getIssuer().getValue();
+
boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
- boolean isValid = validate(request.getRemoteAddr(), request.getQueryString(),
new SessionHolder(
+ String tokenSignatureValidatingAlias = getTokenSignatureValidatingAlias(request,
issuer);
+ boolean isValid = validate(tokenSignatureValidatingAlias,
request.getQueryString(), new SessionHolder(
samlRequestMessage, signature, sigAlg), isPost);
if (!isValid)
throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
- String issuer = null;
IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
ProtocolContext protocolContext = new HTTPContext(request, response,
context.getServletContext());
//Create the request/response
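Review bot: `requestAbstractType.getIssuer().getValue()` is now evaluated before the signature is validated, so if `getIssuer()` can return null for a request without an Issuer element (the element is optional in the SAML 2.0 protocol schema) an unauthenticated message now fails with a NullPointerException ahead of the `validate(...)` call instead of the `GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED)` path; previously the dereference only happened after validation had passed. A guard such as `if (requestAbstractType.getIssuer() == null) throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);` keeps the failure inside the authentication path. The same dereference appears in processSAMLResponseMessage at `statusResponseType.getIssuer().getValue()`. The enclosing method begins outside this hunk.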
@@ -545,12 +572,13 @@
if (this.keyManager != null)
{
- String remoteHost = request.getRemoteAddr();
if (trace)
{
- log.trace("Remote Host=" + remoteHost);
+ log.trace("Remote Host=" + request.getRemoteAddr());
+ log.trace("Validating Alias=" + tokenSignatureValidatingAlias);
}
- PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager,
remoteHost);
+
+ PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager,
tokenSignatureValidatingAlias);
requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY, validatingKey);
requestOptions.put(GeneralConstants.DECRYPTING_KEY,
keyManager.getSigningKey());
}
@@ -572,31 +600,24 @@
log.trace("Handlers are=" + handlers);
}
- if (samlObject instanceof RequestAbstractType)
+ webRequestUtil.isTrusted(issuer);
+
+ if (handlers != null)
{
- requestAbstractType = (RequestAbstractType) samlObject;
- issuer = requestAbstractType.getIssuer().getValue();
- webRequestUtil.isTrusted(issuer);
-
- if (handlers != null)
+ try
{
- try
+ chainLock.lock();
+ for (SAML2Handler handler : handlers)
{
- chainLock.lock();
- for (SAML2Handler handler : handlers)
- {
- handler.handleRequestType(saml2HandlerRequest,
saml2HandlerResponse);
- willSendRequest = saml2HandlerResponse.getSendRequest();
- }
+ handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
+ willSendRequest = saml2HandlerResponse.getSendRequest();
}
- finally
- {
- chainLock.unlock();
- }
}
+ finally
+ {
+ chainLock.unlock();
+ }
}
- else
- throw new RuntimeException(ErrorCodes.WRONG_TYPE +
samlObject.getClass().getName());
samlResponse = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
@@ -654,6 +675,34 @@
return;
}
+ /**
+ * Returns the alias to be used for the token's signature verification.
+ * If <code>validatingAliasToTokenIssuer</code> is true the token issuer
will be returned.
+ *
+ * @param request
+ * @param issuer
+ * @return
+ */
+ private String getTokenSignatureValidatingAlias(Request request, String issuer)
+ {
+ String issuerHost = request.getRemoteAddr();
+
+ if (this.validatingAliasToTokenIssuer) {
+ try
+ {
+ issuerHost = new URL(issuer).getHost();
+ }
+ catch (MalformedURLException e)
+ {
+ if (trace) {
+ log.trace("Token issuer is not a valid URL: " + issuer + ".
Using the requester address instead.", e);
+ }
+ }
+ }
+
+ return issuerHost;
+ }
+
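Review bot: getTokenSignatureValidatingAlias silently falls back to `request.getRemoteAddr()` when the issuer is not a URL, and the only record of that is a trace-level message, so an operator who enabled `validatingAliasToTokenIssuer` cannot see from normal logs that key selection reverted to the remote address for a given message. I would emit that message at the logger's warning level (or at least info) regardless of `trace`, keeping the exception as the cause. The Javadoc also leaves `@param request`, `@param issuer` and `@return` empty: document them as the incoming request whose remote address is the default alias, the SAML Issuer value (not yet authenticated when this runs), and the keystore alias with which the caller resolves the validating key, and state that this method only picks the alias and that the signature is verified against that key by the caller.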
protected void processSAMLResponseMessage(IDPWebRequestUtil webRequestUtil, Request
request, Response response)
throws ServletException, IOException
{
@@ -678,17 +727,22 @@
cleanUpSessionNote(request);
- StatusResponseType statusResponseType = null;
try
{
samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlResponseMessage);
samlObject = samlDocumentHolder.getSamlObject();
-
+
+ if (!(samlObject instanceof StatusResponseType))
+ {
+ throw new RuntimeException(ErrorCodes.WRONG_TYPE +
samlObject.getClass().getName());
+ }
+
boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
boolean isValid = false;
-
- String remoteAddress = request.getRemoteAddr();
-
+ StatusResponseType statusResponseType = (StatusResponseType) samlObject;
+ String issuer = statusResponseType.getIssuer().getValue();
+ String tokenValidatingAlias = getTokenSignatureValidatingAlias(request,
issuer);
+
if (isPost)
{
//Validate
@@ -696,7 +750,7 @@
if (ignoreIncomingSignatures == false && signOutgoingMessages ==
true)
{
- PublicKey publicKey = keyManager.getValidatingKey(remoteAddress);
+ PublicKey publicKey = keyManager.getValidatingKey(tokenValidatingAlias);
isValid = samlSignature.validate(samlDocumentHolder.getSamlDocument(),
publicKey);
}
else
@@ -704,14 +758,13 @@
}
else
{
- isValid = validate(remoteAddress, request.getQueryString(), new
SessionHolder(samlResponseMessage,
+ isValid = validate(tokenValidatingAlias, request.getQueryString(), new
SessionHolder(samlResponseMessage,
signature, sigAlg), isPost);
}
if (!isValid)
throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
- String issuer = null;
IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
ProtocolContext protocolContext = new HTTPContext(request, response,
context.getServletContext());
//Create the request/response
@@ -723,32 +776,25 @@
Set<SAML2Handler> handlers = chain.handlers();
- if (samlObject instanceof StatusResponseType)
+ webRequestUtil.isTrusted(issuer);
+
+ if (handlers != null)
{
- statusResponseType = (StatusResponseType) samlObject;
- issuer = statusResponseType.getIssuer().getValue();
- webRequestUtil.isTrusted(issuer);
-
- if (handlers != null)
+ try
{
- try
+ chainLock.lock();
+ for (SAML2Handler handler : handlers)
{
- chainLock.lock();
- for (SAML2Handler handler : handlers)
- {
- handler.reset();
- handler.handleStatusResponseType(saml2HandlerRequest,
saml2HandlerResponse);
- willSendRequest = saml2HandlerResponse.getSendRequest();
- }
+ handler.reset();
+ handler.handleStatusResponseType(saml2HandlerRequest,
saml2HandlerResponse);
+ willSendRequest = saml2HandlerResponse.getSendRequest();
}
- finally
- {
- chainLock.unlock();
- }
}
+ finally
+ {
+ chainLock.unlock();
+ }
}
- else
- throw new RuntimeException(ErrorCodes.WRONG_TYPE +
samlObject.getClass().getName());
samlResponse = saml2HandlerResponse.getResultingDocument();
relayState = saml2HandlerResponse.getRelayState();
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2011-11-14
15:55:39 UTC (rev 1323)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2011-11-15
13:23:37 UTC (rev 1324)
@@ -84,11 +84,23 @@
{
this.idpAddress = idpAddress;
}
-
+
@Override
+ public void testStart() throws LifecycleException
+ {
+ super.testStart();
+ this.init();
+ }
+
+ @Override
public void start() throws LifecycleException
{
super.start();
+ this.init();
+ }
+
+ private void init() throws LifecycleException
+ {
Context context = (Context) getContainer();
KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
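Review bot: `init()` has no Javadoc even though it is now the one place shared by `start()` and the public `testStart()`, so a reader cannot tell from this hunk why the authenticator needs a second start entry point. I would add `/** Initialisation shared by start() and testStart(): resolves the SP key provider from spConfiguration. */` above `init()`, and a one-line comment on `testStart()` saying whether it exists only as a test seam, if that is the case. The body of `init()` continues outside the hunk.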
Added:
federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java
===================================================================
---
federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java
(rev 0)
+++
federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java 2011-11-15
13:23:37 UTC (rev 1324)
@@ -0,0 +1,259 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2011, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.bindings.workflow;
+
+
+import static org.junit.Assert.assertNotNull;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.ServletException;
+
+import junit.framework.Assert;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.junit.Test;
+import org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve;
+import
org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator;
+import org.picketlink.identity.federation.web.constants.GeneralConstants;
+import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContext;
+import
org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContextClassLoader;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaLoginConfig;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRealm;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRequest;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaResponse;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaSession;
+
+/**
+ * <p>
+ * This {@code TestCase} tests the interaction between the SP and the IDP in a scenario
where token signature is used.
+ * </p>
+ * <p>
+ * This class also tests the use of the {@code
SPRedirectSignatureFormAuthenticator.idpAddress} and the {@code
IDPWebBrowserSSOValve.validatingAliasToTokenIssuer} properties.
+ * <br/>
+ * The objective is test the following scenarios:
+ * <br/><br/>
+ * 1) User's machine is the same of the SP and the IDP.
(testSAML2RedirectWithSameConsumerAndProvider)
+ * <br/>
+ * 2) User's machine is different of the SP and the IDP.
(testSAML2RedirectWithSifferentConsumerAndProvider)
+ * 192.168.1.1 -> IDP Address (IDP_PROFILE/WEB-INF/picketlink-idfed.xml)
+ * 192.168.1.2 -> SP Address (SP_PROFILE/WEB-INF/picketlink-idfed.xml)
+ * 192.168.1.3 -> End User Address
+ * </p>
+ *
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ * @since Nov 14, 2011
+ */
+public class SAML2RedirectSignatureTomcatWorkflowUnitTestCase
+{
+ private static final String profile = "saml2/redirect";
+
+ private static final String IDP_PROFILE = profile + "/idp-sig/";
+
+ private static final String SP_PROFILE = profile + "/sp/employee-sig";
+
+ private final ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+
+ private String SAML_REQUEST_KEY = "SAMLRequest=";
+
+ private String SAML_RESPONSE_KEY = "SAMLResponse=";
+
+ /**
+ * Tests the token's signatures validations when the requester and the SP/IDP as
on the same host.
+ * The keyprovider is configured with the same ValidatingAlias for all of them.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testSAML2RedirectWithSameConsumerAndProvider() throws Exception
+ {
+ testWorkflow("192.168.1.1", "192.168.1.1", false);
+ }
+
+ /**
+ * Tests the token's signatures validations when the requester is in a differente
host than the SP and IDP.
+ * The keyprovider is configured with a ValidatingAlias for specific for the SP
(192.168.1.2) that is different from the IDP (localhost) and the user (192.168.1.1).
+ */
+ @Test
+ public void testSAML2RedirectWithSifferentConsumerAndProvider() throws Exception
+ {
+ testWorkflow("192.168.1.3", "192.168.1.1", true);
+ }
+
+ private void testWorkflow(String userAddress, String idpAddress, boolean
validatingAliasToTokenIssuer) throws LifecycleException, IOException, ServletException
+ {
+ MockCatalinaRequest request = createRequest(userAddress);
+
+ // Sends a initial request to the SP. Requesting a resource ...
+ MockCatalinaResponse idpAuthRequest = sendSPRequest(request, false, idpAddress);
+
+ assertNotNull("Redirect String can not be null.",
idpAuthRequest.redirectString);
+
+ // Sends a auth request to the IDP
+ request = createRequest(userAddress);
+
+ request.setParameter("SAMLRequest",
RedirectBindingUtil.urlDecode(getSAMLRequest(idpAuthRequest)));
+ request.setParameter("SigAlg",
RedirectBindingUtil.urlDecode(getSAMLSigAlg(idpAuthRequest)));
+ request.setParameter("Signature",
RedirectBindingUtil.urlDecode(getSAMLSignature(idpAuthRequest)));
+ request.setQueryString(SAML_REQUEST_KEY + getSAMLRequest(idpAuthRequest) +
"&SigAlg=" + getSAMLSigAlg(idpAuthRequest) + "&Signature=" +
getSAMLSignature(idpAuthRequest));
+
+ request.setUserPrincipal(new GenericPrincipal(createRealm(), "user",
"user", getRoles()) );
+
+ MockCatalinaResponse idpAuthResponse = sendIDPRequest(request,
validatingAliasToTokenIssuer);
+
+ assertNotNull("Redirect String can not be null.",
idpAuthResponse.redirectString);
+
+ // Sends the IDP response to the SP. Now the user is succesfully authenticated and
access for the requested resource is granted...
+ request = createRequest(userAddress);
+ request.getContext().setRealm(createRealm());
+
+ request.setParameter("SAMLResponse",
RedirectBindingUtil.urlDecode(getSAMLResponse(idpAuthResponse)));
+ request.setParameter("SigAlg",
RedirectBindingUtil.urlDecode(getSAMLSigAlg(idpAuthResponse)));
+ request.setParameter("Signature",
RedirectBindingUtil.urlDecode(getSAMLSignature(idpAuthResponse)));
+ request.setQueryString(SAML_RESPONSE_KEY + getSAMLResponse(idpAuthResponse) +
"&SigAlg=" + getSAMLSigAlg(idpAuthResponse) + "&Signature=" +
getSAMLSignature(idpAuthResponse));
+
+ sendSPRequest(request, true, idpAddress);
+ }
+
+ private MockCatalinaRequest createRequest(String userAddress)
+ {
+ MockCatalinaRequest request = new MockCatalinaRequest();
+
+ request = new MockCatalinaRequest();
+ request.setMethod("GET");
+ request.setRemoteAddr(userAddress);
+ request.setSession(new MockCatalinaSession());
+ request.setContext(new MockCatalinaContext());
+
+ return request;
+ }
+
+ private String getSAMLResponse(MockCatalinaResponse response)
+ {
+ return
response.redirectString.substring(response.redirectString.indexOf(SAML_RESPONSE_KEY) +
+ SAML_RESPONSE_KEY.length(),
response.redirectString.indexOf("&SigAlg="));
+ }
+
+ private String getSAMLSignature(MockCatalinaResponse response)
+ {
+ return
response.redirectString.substring(response.redirectString.indexOf("&Signature=")
+
+ "&Signature=".length());
+ }
+
+ private String getSAMLSigAlg(MockCatalinaResponse response)
+ {
+ return
response.redirectString.substring(response.redirectString.indexOf("&SigAlg=")
+
+ "&SigAlg=".length(),
response.redirectString.lastIndexOf("&Signature="));
+ }
+
+ private String getSAMLRequest(MockCatalinaResponse response)
+ {
+ return
response.redirectString.substring(response.redirectString.indexOf(SAML_REQUEST_KEY) +
+ SAML_REQUEST_KEY.length(),
response.redirectString.indexOf("&SigAlg="));
+ }
+
+ private List<String> getRoles()
+ {
+ List<String> roles = new ArrayList<String>();
+ roles.add("manager");
+ roles.add("employee");
+ return roles;
+ }
+
+ private MockCatalinaRealm createRealm()
+ {
+ return new MockCatalinaRealm("user", "user", new Principal()
+ {
+ public String getName()
+ {
+ return "user";
+ }
+ });
+ }
+
+ private MockCatalinaResponse sendIDPRequest(MockCatalinaRequest request, boolean
validatingAliasToTokenIssuer)
+ throws LifecycleException, IOException, ServletException
+ {
+ MockCatalinaContextClassLoader mclIDP = setupTCL(IDP_PROFILE);
+ Thread.currentThread().setContextClassLoader(mclIDP);
+
+ IDPWebBrowserSSOValve idp = new IDPWebBrowserSSOValve();
+
+ idp.setSignOutgoingMessages(true);
+ idp.setIgnoreIncomingSignatures(false);
+ idp.setValidatingAliasToTokenIssuer(validatingAliasToTokenIssuer);
+
+ idp.setContainer(request.getContext());
+ idp.start();
+
+ MockCatalinaResponse response = new MockCatalinaResponse();
+
+ idp.invoke(request, response);
+
+ return response;
+ }
+
+ private MockCatalinaResponse sendSPRequest(MockCatalinaRequest request, boolean
validateAuthentication, String idpAddress)
+ throws LifecycleException, IOException
+ {
+ MockCatalinaContextClassLoader mclSPEmp = setupTCL(SP_PROFILE);
+ Thread.currentThread().setContextClassLoader(mclSPEmp);
+
+ SPRedirectSignatureFormAuthenticator sp = new
SPRedirectSignatureFormAuthenticator();
+
+ sp.setIdpAddress(idpAddress);
+
+ request.setParameter(GeneralConstants.RELAY_STATE, null);
+
+ MockCatalinaLoginConfig loginConfig = new MockCatalinaLoginConfig();
+
+ sp.setContainer(request.getContext());
+ sp.testStart();
+
+ MockCatalinaResponse response = new MockCatalinaResponse();
+
+ if (validateAuthentication) {
+ Assert.assertTrue("Employee app succesfully authenticated.",
sp.authenticate(request, response, loginConfig));
+ } else {
+ sp.authenticate(request, response, loginConfig);
+ }
+
+ return response;
+ }
+
+ private MockCatalinaContextClassLoader setupTCL(String resource)
+ {
+ URL[] urls = new URL[] {tcl.getResource(resource)};
+
+ MockCatalinaContextClassLoader mcl = new MockCatalinaContextClassLoader(urls);
+ mcl.setDelegate(tcl);
+ mcl.setProfile(resource);
+ return mcl;
+ }
+
+}
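Review bot: `sendIDPRequest` and `sendSPRequest` replace the thread's context class loader through `setupTCL` and never restore it, so the loader of whichever profile ran last leaks into every test executed afterwards on the same thread; wrap the `idp.invoke(...)` and `sp.authenticate(...)` calls in `try { ... } finally { Thread.currentThread().setContextClassLoader(tcl); }`. `createRequest` constructs `MockCatalinaRequest` twice, the first instance being discarded on the next line. The Javadoc of testSAML2RedirectWithSifferentConsumerAndProvider describes the user as 192.168.1.1 and the IDP as localhost while the call passes 192.168.1.3 as the user address and 192.168.1.1 as the IDP, and the method name carries a typo (`Sifferent`). `SAML_REQUEST_KEY` and `SAML_RESPONSE_KEY` are named as constants but declared as mutable instance fields; `private static final` would match `IDP_PROFILE` and `SP_PROFILE`.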
Added:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks
===================================================================
(Binary files differ)
Property changes on:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Added:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-handlers.xml
===================================================================
---
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-handlers.xml
(rev 0)
+++
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-handlers.xml 2011-11-15
13:23:37 UTC (rev 1324)
@@ -0,0 +1,6 @@
+<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
+ <Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
+ <Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
+ <Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
+ <Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
+</Handlers>
Added:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-idfed.xml
===================================================================
---
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-idfed.xml
(rev 0)
+++
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-idfed.xml 2011-11-15
13:23:37 UTC (rev 1324)
@@ -0,0 +1,26 @@
+<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0">
+ <IdentityURL>${idp-sig.url::http://192.168.1.1:8080/idp-sig/}
+ </IdentityURL>
+ <Trust>
+ <Domains>192.168.1.1, 192.168.1.2</Domains>
+ </Trust>
+ <KeyProvider
+ ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
+ <Auth Key="KeyStoreURL"
Value="saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks" />
+ <Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg=="
/>
+ <Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8=" />
+ <Auth Key="SigningKeyAlias" Value="servercert" />
+ <Auth Key="salt" Value="18273645" />
+ <Auth Key="iterationCount" Value="11" />
+ <ValidatingAlias Key="192.168.1.1" Value="servercert" />
+ <ValidatingAlias Key="192.168.1.2" Value="servercert" />
+ </KeyProvider>
+<!-- <KeyProvider -->
+<!--
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
-->
+<!-- <Auth Key="KeyStoreURL"
Value="saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks" /> -->
+<!-- <Auth Key="KeyStorePass" Value="servercert" />
-->
+<!-- <Auth Key="SigningKeyPass" Value="servercert" />
-->
+<!-- <Auth Key="SigningKeyAlias" Value="172.16.2.123" />
-->
+<!-- <ValidatingAlias Key="172.16.2.123" Value="172.16.2.123"
/> -->
+<!-- </KeyProvider> -->
+</PicketLinkIDP>
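Review bot: The commented-out `KeyProvider` block at the end of the file carries a second set of keystore credentials in clear (`servercert` as KeyStorePass and SigningKeyPass, alias `172.16.2.123`) that nothing in the test uses; dead configuration embedding credentials should be deleted rather than commented out, otherwise it travels with every copy of the profile. The same block is repeated in the SP profile's picketlink-idfed.xml. The active block maps both 192.168.1.1 and 192.168.1.2 to the same `servercert` alias, which suits the first test scenario but is not the "ValidatingAlias specific for the SP" that the test class's Javadoc describes; a one-line XML comment stating that both peers intentionally share the test key would prevent that confusion.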
Added:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/roles.properties
===================================================================
---
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/roles.properties
(rev 0)
+++
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/roles.properties 2011-11-15
13:23:37 UTC (rev 1324)
@@ -0,0 +1 @@
+manager=manager
\ No newline at end of file
Added:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks
===================================================================
(Binary files differ)
Property changes on:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks
___________________________________________________________________
Added: svn:mime-type
+ application/octet-stream
Added:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-handlers.xml
===================================================================
---
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-handlers.xml
(rev 0)
+++
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-handlers.xml 2011-11-15
13:23:37 UTC (rev 1324)
@@ -0,0 +1,4 @@
+<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
+ <Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
+ <Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
+</Handlers>
\ No newline at end of file
Added:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-idfed.xml
===================================================================
---
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-idfed.xml
(rev 0)
+++
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-idfed.xml 2011-11-15
13:23:37 UTC (rev 1324)
@@ -0,0 +1,26 @@
+<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
+ ServerEnvironment="jboss">
+ <IdentityURL>${idp-sig.url::http://192.168.1.1:8080/idp/}</IdentityURL>
+ <ServiceURL>${employee-post-sig.url::http://192.168.1.2:8080/employee/}
+ </ServiceURL>
+ <KeyProvider
+ ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
+ <Auth Key="KeyStoreURL"
Value="saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks" />
+ <Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg=="
/>
+ <Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8=" />
+ <Auth Key="SigningKeyAlias" Value="servercert" />
+ <Auth Key="salt" Value="18273645" />
+ <Auth Key="iterationCount" Value="11" />
+ <ValidatingAlias Key="192.168.1.1" Value="servercert" />
+ </KeyProvider>
+<!-- <KeyProvider -->
+<!--
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
-->
+<!-- <Auth Key="KeyStoreURL" -->
+<!--
Value="saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks" />
-->
+<!-- <Auth Key="KeyStorePass" Value="servercert" />
-->
+<!-- <Auth Key="SigningKeyPass" Value="servercert" />
-->
+<!-- <Auth Key="SigningKeyAlias" Value="172.16.2.123" />
-->
+<!-- <ValidatingAlias Key="172.16.2.123" Value="172.16.2.123"
/> -->
+<!-- </KeyProvider> -->
+
+</PicketLinkSP>
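Review bot: The SP profile's `IdentityURL` points at `http://192.168.1.1:8080/idp/` while the matching IDP profile declares `http://192.168.1.1:8080/idp-sig/`; the unit test appears to pass only because it extracts the query string from the redirect and never follows the URL, so anyone reusing this profile against a running IDP would presumably be sent to the wrong path. Aligning the two values, or adding an XML comment that the path is deliberately unused here, would keep the fixture honest. The `ServiceURL` placeholder is also named `employee-post-sig.url` in a redirect-binding profile, which is worth a comment if intentional.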
Added:
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/roles.properties
===================================================================
---
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/roles.properties
(rev 0)
+++
federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/roles.properties 2011-11-15
13:23:37 UTC (rev 1324)
@@ -0,0 +1 @@
+manager=manager
\ No newline at end of file