[jboss-cvs] Picketlink SVN: r1324 - in federation/trunk/picketlink-bindings/src: main/java/org/picketlink/identity/federation/bindings/tomcat/sp and 7 other directories.

Tue Nov 15 08:23:38 EST 2011


Author: pcraveiro
Date: 2011-11-15 08:23:37 -0500 (Tue, 15 Nov 2011)
New Revision: 1324

Added:
   federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-handlers.xml
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-idfed.xml
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/roles.properties
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-handlers.xml
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-idfed.xml
   federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/roles.properties
Modified:
   federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
   federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
Log:
https://issues.jboss.org/browse/PLFED-248

Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java	2011-11-14 15:55:39 UTC (rev 1323)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java	2011-11-15 13:23:37 UTC (rev 1324)
@@ -28,7 +28,9 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.MalformedURLException;
 import java.net.URI;
+import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.Principal;
 import java.security.PublicKey;
@@ -154,6 +156,11 @@
    private Boolean ignoreIncomingSignatures = false;
 
    private Boolean signOutgoingMessages = true;
+   
+   /**
+    * Defines how the token's signature will be validated. If true is used the token's issuer, otherwise the request.getRemoteAddr. Default false. 
+    */
+   private Boolean validatingAliasToTokenIssuer = false;
 
    private transient DelegatedAttributeManager attribManager = new DelegatedAttributeManager();
 
@@ -220,6 +227,20 @@
    }
 
    /**
+    * PLFED-248
+    * Allows to validate the token's signature against the keystore using the token's issuer.
+    */
+   public void setValidatingAliasToTokenIssuer(Boolean validatingAliasToTokenIssuer)
+   {
+      this.validatingAliasToTokenIssuer = validatingAliasToTokenIssuer;
+   }
+   
+   public Boolean getValidatingAliasToTokenIssuer() 
+   {
+	   return validatingAliasToTokenIssuer;
+   }
+
+   /**
     * IDP should not do any attributes such as generation of roles etc
     * @param ignoreAttributes
     */
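Review bot: `setValidatingAliasToTokenIssuer(Boolean)` stores a null argument unchanged, and the field is later unboxed in `if (this.validatingAliasToTokenIssuer)` inside getTokenSignatureValidatingAlias, so a null arriving from a container attribute setter surfaces as a NullPointerException during request processing rather than at configuration time. The neighbouring `ignoreIncomingSignatures` and `signOutgoingMessages` fields use the same boxed pattern, so rather than changing the type a guard in the setter is the smaller fix: `this.validatingAliasToTokenIssuer = Boolean.TRUE.equals(validatingAliasToTokenIssuer);`. The Javadoc line `PLFED-248` should be a sentence, e.g. `Enables validating the message signature against the keystore alias derived from the token's Issuer (PLFED-248).`, and the getter body `return validatingAliasToTokenIssuer;` is indented with a tab where the rest of the file uses spaces.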
@@ -489,8 +510,6 @@
 
       Boolean requestedPostProfile = null;
 
-      //Get the SAML Request Message
-      RequestAbstractType requestAbstractType = null;
       String samlRequestMessage = (String) session.getNote(GeneralConstants.SAML_REQUEST_KEY);
 
       String relayState = (String) session.getNote(GeneralConstants.RELAY_STATE);
@@ -511,15 +530,23 @@
       {
          samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlRequestMessage);
          samlObject = samlDocumentHolder.getSamlObject();
+         
+         if (!(samlObject instanceof RequestAbstractType)) {
+            throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
+         }
 
+         //Get the SAML Request Message
+         RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject;
+         String issuer = requestAbstractType.getIssuer().getValue();
+
          boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
-         boolean isValid = validate(request.getRemoteAddr(), request.getQueryString(), new SessionHolder(
+         String tokenSignatureValidatingAlias = getTokenSignatureValidatingAlias(request, issuer);
+         boolean isValid = validate(tokenSignatureValidatingAlias, request.getQueryString(), new SessionHolder(
                samlRequestMessage, signature, sigAlg), isPost);
 
          if (!isValid)
             throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
 
-         String issuer = null;
          IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
          ProtocolContext protocolContext = new HTTPContext(request, response, context.getServletContext());
          //Create the request/response
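Review bot: `requestAbstractType.getIssuer().getValue()` dereferences getIssuer() without a null check, and because this line now runs before validate(), a request that omits the Issuer element fails with a NullPointerException instead of the GeneralSecurityException path; the same pattern is in the StatusResponseType branch of processSAMLResponseMessage (`statusResponseType.getIssuer().getValue()`). Suggest a guard ahead of it such as `if (requestAbstractType.getIssuer() == null) throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);` or whichever error code the file uses for a missing issuer. Note also that with validatingAliasToTokenIssuer enabled the not-yet-verified Issuer value now chooses the verification key; that is sound only if the keystore lookup fails closed for an unknown alias rather than falling back to a default key, which I cannot confirm from here, so a comment at the validate call stating that assumption would help. The enclosing method starts and ends outside this hunk.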
@@ -545,12 +572,13 @@
 
          if (this.keyManager != null)
          {
-            String remoteHost = request.getRemoteAddr();
             if (trace)
             {
-               log.trace("Remote Host=" + remoteHost);
+               log.trace("Remote Host=" + request.getRemoteAddr());
+               log.trace("Validating Alias=" + tokenSignatureValidatingAlias);
             }
-            PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, remoteHost);
+            
+            PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, tokenSignatureValidatingAlias);
             requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY, validatingKey);
             requestOptions.put(GeneralConstants.DECRYPTING_KEY, keyManager.getSigningKey());
          }
@@ -572,31 +600,24 @@
             log.trace("Handlers are=" + handlers);
          }
 
-         if (samlObject instanceof RequestAbstractType)
+         webRequestUtil.isTrusted(issuer);
+
+         if (handlers != null)
          {
-            requestAbstractType = (RequestAbstractType) samlObject;
-            issuer = requestAbstractType.getIssuer().getValue();
-            webRequestUtil.isTrusted(issuer);
-
-            if (handlers != null)
+            try
             {
-               try
+               chainLock.lock();
+               for (SAML2Handler handler : handlers)
                {
-                  chainLock.lock();
-                  for (SAML2Handler handler : handlers)
-                  {
-                     handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
-                     willSendRequest = saml2HandlerResponse.getSendRequest();
-                  }
+                  handler.handleRequestType(saml2HandlerRequest, saml2HandlerResponse);
+                  willSendRequest = saml2HandlerResponse.getSendRequest();
                }
-               finally
-               {
-                  chainLock.unlock();
-               }
             }
+            finally
+            {
+               chainLock.unlock();
+            }
          }
-         else
-            throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
 
          samlResponse = saml2HandlerResponse.getResultingDocument();
          relayState = saml2HandlerResponse.getRelayState();
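Review bot: `webRequestUtil.isTrusted(issuer);` discards its result; if that method reports an untrusted issuer through its return value rather than by throwing, the trust check is a no-op and the handler chain runs for any issuer (I cannot see its signature from here; if it throws, a short comment `// throws if the issuer is not in the trusted domains` would make that explicit). The same two lines appear again in the processSAMLResponseMessage hunk below. Style: `chainLock.lock()` is called inside the try whose finally unlocks; the conventional form is `chainLock.lock(); try { ... } finally { chainLock.unlock(); }` so a failure in lock() itself does not turn into an IllegalMonitorStateException from unlock(). The enclosing method starts and ends outside this hunk.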
@@ -654,6 +675,34 @@
       return;
    }
 
+   /**
+    * Returns the alias to be used for the token's signature verification.
+    * If <code>validatingAliasToTokenIssuer</code> is true the token issuer will be returned.
+    * 
+    * @param request
+    * @param issuer
+    * @return
+    */
+   private String getTokenSignatureValidatingAlias(Request request, String issuer)
+   {
+      String issuerHost = request.getRemoteAddr();
+      
+      if (this.validatingAliasToTokenIssuer) {
+         try
+         {
+            issuerHost = new URL(issuer).getHost();
+         }
+         catch (MalformedURLException e)
+         {
+            if (trace) {
+               log.trace("Token issuer is not a valid URL: " + issuer + ". Using the requester address instead.", e);
+            }
+         }
+      }
+      
+      return issuerHost;
+   }
+
    protected void processSAMLResponseMessage(IDPWebRequestUtil webRequestUtil, Request request, Response response)
          throws ServletException, IOException
    {
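Review bot: getTokenSignatureValidatingAlias silently falls back to request.getRemoteAddr() when the issuer is not a parseable URL, and that change in which key verifies the signature is only visible at trace level; an operator who enabled validatingAliasToTokenIssuer would expect at least `log.warn("Token issuer is not a valid URL: " + issuer + ". Using the requester address instead.");` or a hard failure. SAML entity IDs are URIs and need not be URLs (urn: forms are common), so `new URL(issuer)` rejects valid issuers; `java.net.URI`, already imported in this file, accepts them, although `getHost()` is null for non-hierarchical URIs and would still need handling. The Javadoc's `@param request`, `@param issuer` and `@return` tags are empty and should state that the return value is the keystore alias passed to the key manager. The local `issuerHost` holds the remote address on the fallback path, so `validatingAlias` would be a more honest name.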
@@ -678,17 +727,22 @@
 
       cleanUpSessionNote(request);
 
-      StatusResponseType statusResponseType = null;
       try
       {
          samlDocumentHolder = webRequestUtil.getSAMLDocumentHolder(samlResponseMessage);
          samlObject = samlDocumentHolder.getSamlObject();
-
+         
+         if (!(samlObject instanceof StatusResponseType))
+         {
+            throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
+         }
+         
          boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
          boolean isValid = false;
-
-         String remoteAddress = request.getRemoteAddr();
-
+         StatusResponseType statusResponseType = (StatusResponseType) samlObject;
+         String issuer = statusResponseType.getIssuer().getValue();
+         String tokenValidatingAlias = getTokenSignatureValidatingAlias(request, issuer);
+         
          if (isPost)
          {
             //Validate
@@ -696,7 +750,7 @@
 
             if (ignoreIncomingSignatures == false && signOutgoingMessages == true)
             {
-               PublicKey publicKey = keyManager.getValidatingKey(remoteAddress);
+               PublicKey publicKey = keyManager.getValidatingKey(tokenValidatingAlias);
                isValid = samlSignature.validate(samlDocumentHolder.getSamlDocument(), publicKey);
             }
             else
@@ -704,14 +758,13 @@
          }
          else
          {
-            isValid = validate(remoteAddress, request.getQueryString(), new SessionHolder(samlResponseMessage,
+            isValid = validate(tokenValidatingAlias, request.getQueryString(), new SessionHolder(samlResponseMessage,
                   signature, sigAlg), isPost);
          }
 
          if (!isValid)
             throw new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
 
-         String issuer = null;
          IssuerInfoHolder idpIssuer = new IssuerInfoHolder(this.identityURL);
          ProtocolContext protocolContext = new HTTPContext(request, response, context.getServletContext());
          //Create the request/response
@@ -723,32 +776,25 @@
 
          Set<SAML2Handler> handlers = chain.handlers();
 
-         if (samlObject instanceof StatusResponseType)
+         webRequestUtil.isTrusted(issuer);
+
+         if (handlers != null)
          {
-            statusResponseType = (StatusResponseType) samlObject;
-            issuer = statusResponseType.getIssuer().getValue();
-            webRequestUtil.isTrusted(issuer);
-
-            if (handlers != null)
+            try
             {
-               try
+               chainLock.lock();
+               for (SAML2Handler handler : handlers)
                {
-                  chainLock.lock();
-                  for (SAML2Handler handler : handlers)
-                  {
-                     handler.reset();
-                     handler.handleStatusResponseType(saml2HandlerRequest, saml2HandlerResponse);
-                     willSendRequest = saml2HandlerResponse.getSendRequest();
-                  }
+                  handler.reset();
+                  handler.handleStatusResponseType(saml2HandlerRequest, saml2HandlerResponse);
+                  willSendRequest = saml2HandlerResponse.getSendRequest();
                }
-               finally
-               {
-                  chainLock.unlock();
-               }
             }
+            finally
+            {
+               chainLock.unlock();
+            }
          }
-         else
-            throw new RuntimeException(ErrorCodes.WRONG_TYPE + samlObject.getClass().getName());
 
          samlResponse = saml2HandlerResponse.getResultingDocument();
          relayState = saml2HandlerResponse.getRelayState();

Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java	2011-11-14 15:55:39 UTC (rev 1323)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java	2011-11-15 13:23:37 UTC (rev 1324)
@@ -84,11 +84,23 @@
    {
       this.idpAddress = idpAddress;
    }
-
+   
    @Override
+   public void testStart() throws LifecycleException
+   {
+      super.testStart();
+      this.init();
+   }
+   
+   @Override
    public void start() throws LifecycleException
    {
       super.start();
+      this.init();
+   }
+
+   private void init() throws LifecycleException
+   {
       Context context = (Context) getContainer();
 
       KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
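Review bot: `testStart()` is a public method on a production authenticator that exists so tests can run init() without the full start() lifecycle, and nothing prevents both being called on the same instance, so init() and the key provider setup it begins would run twice. If the base class allows it, narrowing testStart() to protected, or guarding init() with an `initialized` flag, would limit that; I cannot see the base class from here. The blank lines between the methods carry trailing whitespace. init()'s body continues outside the hunk.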

Added: federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java
===================================================================
--- federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java	                        (rev 0)
+++ federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java	2011-11-15 13:23:37 UTC (rev 1324)
@@ -0,0 +1,259 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2011, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors. 
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.bindings.workflow;
+
+
+import static org.junit.Assert.assertNotNull;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.ServletException;
+
+import junit.framework.Assert;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.junit.Test;
+import org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve;
+import org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator;
+import org.picketlink.identity.federation.web.constants.GeneralConstants;
+import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContext;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContextClassLoader;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaLoginConfig;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRealm;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRequest;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaResponse;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaSession;
+
+/**
+ * <p>
+ *  This {@code TestCase} tests the interaction between the SP and the IDP in a scenario where token signature is used. 
+ * </p>
+ * <p>
+ *  This class also tests the use of the {@code SPRedirectSignatureFormAuthenticator.idpAddress} and the {@code IDPWebBrowserSSOValve.validatingAliasToTokenIssuer} properties.
+ *  <br/>
+ *  The objective is test the following scenarios:
+ *  <br/><br/>
+ *      1) User's machine is the same of the SP and the IDP. (testSAML2RedirectWithSameConsumerAndProvider)
+ *      <br/>
+ *      2) User's machine is different of the SP and the IDP. (testSAML2RedirectWithSifferentConsumerAndProvider)
+ *          192.168.1.1 -> IDP Address (IDP_PROFILE/WEB-INF/picketlink-idfed.xml)
+ *          192.168.1.2 -> SP Address (SP_PROFILE/WEB-INF/picketlink-idfed.xml)
+ *          192.168.1.3 -> End User Address
+ * </p>
+ * 
+ * @author <a href="mailto:psilva at redhat.com">Pedro Igor</a>
+ * @since Nov 14, 2011
+ */
+public class SAML2RedirectSignatureTomcatWorkflowUnitTestCase
+{
+   private static final String profile = "saml2/redirect";
+
+   private static final String IDP_PROFILE = profile + "/idp-sig/";
+
+   private static final String SP_PROFILE = profile + "/sp/employee-sig";
+
+   private final ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+   
+   private String SAML_REQUEST_KEY = "SAMLRequest=";
+
+   private String SAML_RESPONSE_KEY = "SAMLResponse=";
+   
+   /**
+    * Tests the token's signatures validations when the requester and the SP/IDP as on the same host.
+    * The keyprovider is configured with the same ValidatingAlias for all of them.
+    * 
+    * @throws Exception
+    */
+   @Test
+   public void testSAML2RedirectWithSameConsumerAndProvider() throws Exception
+   {
+      testWorkflow("192.168.1.1", "192.168.1.1", false);
+   }
+   
+   /**
+    * Tests the token's signatures validations when the requester is in a differente host than the SP and IDP.
+    * The keyprovider is configured with a ValidatingAlias for specific for the SP (192.168.1.2) that is different from the IDP (localhost) and the user (192.168.1.1).
+    */
+   @Test
+   public void testSAML2RedirectWithSifferentConsumerAndProvider() throws Exception
+   {
+      testWorkflow("192.168.1.3", "192.168.1.1", true);
+   }
+
+   private void testWorkflow(String userAddress, String idpAddress, boolean validatingAliasToTokenIssuer) throws LifecycleException, IOException, ServletException
+   {
+      MockCatalinaRequest request = createRequest(userAddress);
+      
+      // Sends a initial request to the SP. Requesting a resource ...
+      MockCatalinaResponse idpAuthRequest = sendSPRequest(request, false, idpAddress);
+      
+      assertNotNull("Redirect String can not be null.", idpAuthRequest.redirectString);
+      
+      // Sends a auth request to the IDP
+      request = createRequest(userAddress);
+      
+      request.setParameter("SAMLRequest", RedirectBindingUtil.urlDecode(getSAMLRequest(idpAuthRequest)));
+      request.setParameter("SigAlg", RedirectBindingUtil.urlDecode(getSAMLSigAlg(idpAuthRequest)));
+      request.setParameter("Signature", RedirectBindingUtil.urlDecode(getSAMLSignature(idpAuthRequest)));
+      request.setQueryString(SAML_REQUEST_KEY + getSAMLRequest(idpAuthRequest) + "&SigAlg=" + getSAMLSigAlg(idpAuthRequest) + "&Signature=" + getSAMLSignature(idpAuthRequest));
+      
+      request.setUserPrincipal(new GenericPrincipal(createRealm(), "user", "user", getRoles()) );
+      
+      MockCatalinaResponse idpAuthResponse = sendIDPRequest(request, validatingAliasToTokenIssuer); 
+      
+      assertNotNull("Redirect String can not be null.", idpAuthResponse.redirectString);
+      
+      // Sends the IDP response to the SP. Now the user is succesfully authenticated and access for the requested resource is granted...    
+      request = createRequest(userAddress);
+      request.getContext().setRealm(createRealm());
+      
+      request.setParameter("SAMLResponse", RedirectBindingUtil.urlDecode(getSAMLResponse(idpAuthResponse)));
+      request.setParameter("SigAlg", RedirectBindingUtil.urlDecode(getSAMLSigAlg(idpAuthResponse)));
+      request.setParameter("Signature", RedirectBindingUtil.urlDecode(getSAMLSignature(idpAuthResponse)));
+      request.setQueryString(SAML_RESPONSE_KEY + getSAMLResponse(idpAuthResponse) + "&SigAlg=" + getSAMLSigAlg(idpAuthResponse) + "&Signature=" + getSAMLSignature(idpAuthResponse));
+      
+      sendSPRequest(request, true, idpAddress);
+   }
+
+   private MockCatalinaRequest createRequest(String userAddress)
+   {
+      MockCatalinaRequest request = new MockCatalinaRequest();
+      
+      request = new MockCatalinaRequest();
+      request.setMethod("GET");
+      request.setRemoteAddr(userAddress);
+      request.setSession(new MockCatalinaSession());
+      request.setContext(new MockCatalinaContext());
+      
+      return request;
+   }
+
+   private String getSAMLResponse(MockCatalinaResponse response)
+   {
+      return response.redirectString.substring(response.redirectString.indexOf(SAML_RESPONSE_KEY) +
+            SAML_RESPONSE_KEY.length(), response.redirectString.indexOf("&SigAlg="));
+   }
+
+   private String getSAMLSignature(MockCatalinaResponse response)
+   {
+      return response.redirectString.substring(response.redirectString.indexOf("&Signature=") +
+            "&Signature=".length());
+   }
+
+   private String getSAMLSigAlg(MockCatalinaResponse response)
+   {
+      return response.redirectString.substring(response.redirectString.indexOf("&SigAlg=") +
+            "&SigAlg=".length(), response.redirectString.lastIndexOf("&Signature="));
+   }
+
+   private String getSAMLRequest(MockCatalinaResponse response)
+   {
+      return response.redirectString.substring(response.redirectString.indexOf(SAML_REQUEST_KEY) +
+            SAML_REQUEST_KEY.length(), response.redirectString.indexOf("&SigAlg="));
+   }
+
+   private List<String> getRoles()
+   {
+      List<String> roles = new ArrayList<String>();
+      roles.add("manager");
+      roles.add("employee");
+      return roles;
+   }
+
+   private MockCatalinaRealm createRealm()
+   {
+      return new MockCatalinaRealm("user", "user", new Principal()
+      {   
+         public String getName()
+         { 
+            return "user";
+         }
+      });
+   }
+
+   private MockCatalinaResponse sendIDPRequest(MockCatalinaRequest request, boolean validatingAliasToTokenIssuer)
+         throws LifecycleException, IOException, ServletException
+   {
+      MockCatalinaContextClassLoader mclIDP = setupTCL(IDP_PROFILE);
+      Thread.currentThread().setContextClassLoader(mclIDP);
+
+      IDPWebBrowserSSOValve idp = new IDPWebBrowserSSOValve();
+      
+      idp.setSignOutgoingMessages(true);
+      idp.setIgnoreIncomingSignatures(false);
+      idp.setValidatingAliasToTokenIssuer(validatingAliasToTokenIssuer);
+      
+      idp.setContainer(request.getContext());
+      idp.start();
+      
+      MockCatalinaResponse response = new MockCatalinaResponse();
+      
+      idp.invoke(request, response);
+      
+      return response;
+   }
+
+   private MockCatalinaResponse sendSPRequest(MockCatalinaRequest request, boolean validateAuthentication, String idpAddress)
+         throws LifecycleException, IOException
+   {
+      MockCatalinaContextClassLoader mclSPEmp = setupTCL(SP_PROFILE);
+      Thread.currentThread().setContextClassLoader(mclSPEmp); 
+      
+      SPRedirectSignatureFormAuthenticator sp = new SPRedirectSignatureFormAuthenticator();
+      
+      sp.setIdpAddress(idpAddress);
+      
+      request.setParameter(GeneralConstants.RELAY_STATE, null);
+      
+      MockCatalinaLoginConfig loginConfig = new MockCatalinaLoginConfig();
+      
+      sp.setContainer(request.getContext());
+      sp.testStart();
+      
+      MockCatalinaResponse response = new MockCatalinaResponse();
+      
+      if (validateAuthentication) {
+         Assert.assertTrue("Employee app succesfully authenticated.", sp.authenticate(request, response, loginConfig));
+      } else {
+         sp.authenticate(request, response, loginConfig);
+      }
+      
+      return response;
+   }
+   
+   private MockCatalinaContextClassLoader setupTCL(String resource)
+   {
+      URL[] urls = new URL[] {tcl.getResource(resource)};
+      
+      MockCatalinaContextClassLoader mcl = new MockCatalinaContextClassLoader(urls);
+      mcl.setDelegate(tcl);
+      mcl.setProfile(resource);
+      return mcl;
+   }
+   
+}
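Review bot: sendIDPRequest and sendSPRequest replace the thread's context class loader via setupTCL and never restore `tcl`, so the loader of whichever profile ran last leaks into every later test on the same thread; wrap the body of each in try/finally with `Thread.currentThread().setContextClassLoader(tcl);` in the finally. In createRequest the first `new MockCatalinaRequest()` is immediately overwritten by the second one on the next line. `SAML_REQUEST_KEY` and `SAML_RESPONSE_KEY` are mutable instance fields in constant naming and should be `private static final`. The method name and Javadoc spell `Sifferent` for `Different`, and that Javadoc's addresses (IDP at localhost, user at 192.168.1.1) do not match the call `testWorkflow("192.168.1.3", "192.168.1.1", true)`.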

Added: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks
===================================================================
(Binary files differ)


Property changes on: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Added: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-handlers.xml
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-handlers.xml	                        (rev 0)
+++ federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-handlers.xml	2011-11-15 13:23:37 UTC (rev 1324)
@@ -0,0 +1,6 @@
+<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0"> 
+  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/> 
+  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/> 
+  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>     
+   <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
+</Handlers>

Added: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-idfed.xml
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-idfed.xml	                        (rev 0)
+++ federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/WEB-INF/picketlink-idfed.xml	2011-11-15 13:23:37 UTC (rev 1324)
@@ -0,0 +1,26 @@
+<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0">
+	<IdentityURL>${idp-sig.url::http://192.168.1.1:8080/idp-sig/}
+	</IdentityURL>
+	<Trust>
+		<Domains>192.168.1.1, 192.168.1.2</Domains>
+	</Trust>
+	<KeyProvider
+		ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
+		<Auth Key="KeyStoreURL" Value="saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks" />
+		<Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg==" />
+		<Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8=" />
+		<Auth Key="SigningKeyAlias" Value="servercert" />
+		<Auth Key="salt" Value="18273645" />
+		<Auth Key="iterationCount" Value="11" />
+		<ValidatingAlias Key="192.168.1.1" Value="servercert" />
+		<ValidatingAlias Key="192.168.1.2" Value="servercert" />
+	</KeyProvider>
+<!-- 	<KeyProvider -->
+<!-- 		ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager"> -->
+<!-- 		<Auth Key="KeyStoreURL" Value="saml2/redirect/idp-sig/WEB-INF/jbid_test_keystore.jks" /> -->
+<!-- 		<Auth Key="KeyStorePass" Value="servercert" /> -->
+<!-- 		<Auth Key="SigningKeyPass" Value="servercert" /> -->
+<!-- 		<Auth Key="SigningKeyAlias" Value="172.16.2.123" /> -->
+<!-- 		<ValidatingAlias Key="172.16.2.123" Value="172.16.2.123" /> -->
+<!-- 	</KeyProvider> -->
+</PicketLinkIDP>
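Review bot: The commented-out `<KeyProvider>` block at the end of the file is dead configuration carrying a different plaintext KeyStorePass/SigningKeyPass (`servercert`) and alias (`172.16.2.123`) from the active block; it is easy to uncomment by mistake and unmasked passwords in config are a pattern that gets copied, so drop it (the SP profile's picketlink-idfed.xml has the same block). Both `ValidatingAlias` entries map to `servercert`, which fits the test's shared-key setup but is worth a one-line XML comment so the fixture is not mistaken for a realistic per-peer key configuration.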

Added: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/roles.properties
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/roles.properties	                        (rev 0)
+++ federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/idp-sig/roles.properties	2011-11-15 13:23:37 UTC (rev 1324)
@@ -0,0 +1 @@
+manager=manager
\ No newline at end of file

Added: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks
===================================================================
(Binary files differ)


Property changes on: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Added: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-handlers.xml
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-handlers.xml	                        (rev 0)
+++ federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-handlers.xml	2011-11-15 13:23:37 UTC (rev 1324)
@@ -0,0 +1,4 @@
+<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0"> 
+  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/> 
+  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>   
+</Handlers>
\ No newline at end of file

Added: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-idfed.xml
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-idfed.xml	                        (rev 0)
+++ federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/WEB-INF/picketlink-idfed.xml	2011-11-15 13:23:37 UTC (rev 1324)
@@ -0,0 +1,26 @@
+<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
+	ServerEnvironment="jboss">
+	<IdentityURL>${idp-sig.url::http://192.168.1.1:8080/idp/}</IdentityURL>
+	<ServiceURL>${employee-post-sig.url::http://192.168.1.2:8080/employee/}
+	</ServiceURL>
+	<KeyProvider
+		ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
+		<Auth Key="KeyStoreURL" Value="saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks" />
+		<Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg==" />
+		<Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8=" />
+		<Auth Key="SigningKeyAlias" Value="servercert" />
+		<Auth Key="salt" Value="18273645" />
+		<Auth Key="iterationCount" Value="11" />
+		<ValidatingAlias Key="192.168.1.1" Value="servercert" />
+	</KeyProvider>
+<!-- 	<KeyProvider -->
+<!-- 		ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager"> -->
+<!-- 		<Auth Key="KeyStoreURL" -->
+<!-- 			Value="saml2/redirect/sp/employee-sig/WEB-INF/jbid_test_keystore.jks" /> -->
+<!-- 		<Auth Key="KeyStorePass" Value="servercert" /> -->
+<!-- 		<Auth Key="SigningKeyPass" Value="servercert" /> -->
+<!-- 		<Auth Key="SigningKeyAlias" Value="172.16.2.123" /> -->
+<!-- 		<ValidatingAlias Key="172.16.2.123" Value="172.16.2.123" /> -->
+<!-- 	</KeyProvider> -->
+
+</PicketLinkSP>

Added: federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/roles.properties
===================================================================
--- federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/roles.properties	                        (rev 0)
+++ federation/trunk/picketlink-bindings/src/test/resources/saml2/redirect/sp/employee-sig/roles.properties	2011-11-15 13:23:37 UTC (rev 1324)
@@ -0,0 +1 @@
+manager=manager
\ No newline at end of file


