knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m...@apache.org
Subject [08/64] [partial] knox git commit: KNOX-998 - Refactoring save 1
Date Fri, 01 Sep 2017 13:17:06 GMT
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkConf.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkConf.java b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkConf.java
new file mode 100644
index 0000000..5b3b6e0
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkConf.java
@@ -0,0 +1,194 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink.deploy;
+
+/**
+ * Provides a serializable configuration file for adding to
+ * the webapp as an XML string for picketlink.xml
+ *
+ */
+public class PicketlinkConf {
+  public static final String INDENT = "    ";
+  public static final String LT_OPEN = "<";
+  public static final String LT_CLOSE = "</";
+  public static final String GT = ">";
+  public static final String GT_CLOSE = "/>";
+  public static final String NL = "\n";
+  public static final String PICKETLINK_XMLNS = "urn:picketlink:identity-federation:config:2.1";
+  public static final String PICKETLINK_SP_XMLNS = "urn:picketlink:identity-federation:config:1.0";
+  public static final String C14N_METHOD = "http://www.w3.org/2001/10/xml-exc-c14n#";
+  public static final String KEYPROVIDER_ELEMENT = "KeyProvider";
+  public static final String KEYPROVIDER_CLASSNAME = "org.picketlink.identity.federation.core.impl.KeyStoreKeyManager";
+  public static final String AUTH_HANDLER_CLASSNAME = "org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler";
+  public static final String ROLE_GEN_HANDLER_CLASSNAME = "org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler";
+  public static final String PICKETLINK_ELEMENT = "PicketLink";
+  public static final String PICKETLINKSP_ELEMENT = "PicketLinkSP";
+  public static final String HANDLERS_ELEMENT = "Handlers";
+  public static final String HANDLER_ELEMENT = "Handler";
+  public static final String OPTION_ELEMENT = "Option";
+  public static final String VAL_ALIAS_ELEMENT = "ValidatingAlias";
+  public static final String AUTH_ELEMENT = "Auth";
+
+  private String serverEnvironment = "jetty";
+  private String bindingType = "POST";
+  private String idpUsesPostingBinding = "true";
+  private String supportsSignatures = "true";
+  private String identityURL = null;
+  private String serviceURL = null;
+  private String keystoreURL = null;
+  private String keystorePass = null;
+  private String signingKeyAlias = null;
+  private String signingKeyPass = null;
+  private String validatingKeyAlias = null;
+  private String validatingKeyValue = null;
+  private String nameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
+  private String clockSkewMilis = null;
+  private String assertionSessionAttributeName = "org.picketlink.sp.assertion";
+  
+  public String getServerEnvironment() {
+    return serverEnvironment;
+  }
+  public void setServerEnvironment(String serverEnvironment) {
+    this.serverEnvironment = serverEnvironment;
+  }
+  public String getBindingType() {
+    return bindingType;
+  }
+  public void setBindingType(String bindingType) {
+    this.bindingType = bindingType;
+  }
+  public String getIdpUsesPostingBinding() {
+    return idpUsesPostingBinding;
+  }
+  public void setIdpUsesPostingBinding(String idpUsesPostingBinding) {
+    this.idpUsesPostingBinding = idpUsesPostingBinding;
+  }
+  public String getSupportsSignatures() {
+    return supportsSignatures;
+  }
+  public void setSupportsSignatures(String supportsSignatures) {
+    this.supportsSignatures = supportsSignatures;
+  }
+  public String getIdentityURL() {
+    return identityURL;
+  }
+  public void setIdentityURL(String identityURL) {
+    this.identityURL = identityURL;
+  }
+  public String getServiceURL() {
+    return serviceURL;
+  }
+  public void setServiceURL(String serviceURL) {
+    this.serviceURL = serviceURL;
+  }
+  public String getKeystoreURL() {
+    return keystoreURL;
+  }
+  public void setKeystoreURL(String keystoreURL) {
+    this.keystoreURL = keystoreURL;
+  }
+  public String getKeystorePass() {
+    return keystorePass;
+  }
+  public void setKeystorePass(String keystorePass) {
+    this.keystorePass = keystorePass;
+  }
+  public String getSigningKeyAlias() {
+    return signingKeyAlias;
+  }
+  public void setSigningKeyAlias(String signingKeyAlias) {
+    this.signingKeyAlias = signingKeyAlias;
+  }
+  public String getSigningKeyPass() {
+    return signingKeyPass;
+  }
+  public void setSigningKeyPass(String signingKeyPass) {
+    this.signingKeyPass = signingKeyPass;
+  }
+  public String getValidatingKeyAlias() {
+    return validatingKeyAlias;
+  }
+  public void setValidatingAliasKey(String validatingKeyAlias) {
+    this.validatingKeyAlias = validatingKeyAlias;
+  }
+  public String getValidatingKeyValue() {
+    return validatingKeyValue;
+  }
+  public void setValidatingAliasValue(String validatingKeyValue) {
+    this.validatingKeyValue = validatingKeyValue;
+  }
+  public String getNameIDFormat() {
+    return nameIDFormat;
+  }
+  public void setNameIDFormat(String nameIDFormat) {
+    this.nameIDFormat = nameIDFormat;
+  }
+  public String getClockSkewMilis() {
+    return clockSkewMilis;
+  }
+  public void setClockSkewMilis(String clockSkewMilis) {
+    this.clockSkewMilis = clockSkewMilis;
+  }
+  public String getAssertionSessionAttributeName() {
+    return assertionSessionAttributeName;
+  }
+  public void setAssertionSessionAttributeName(
+      String assertionSessionAttributeName) {
+    this.assertionSessionAttributeName = assertionSessionAttributeName;
+  }
+  @Override
+  public String toString() {
+    // THIS IS HORRID REPLACE WITH DOM+TRANSFORM
+    StringBuffer xml = new StringBuffer();
+    xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\" ?>").append(NL)
+    .append(LT_OPEN).append(PICKETLINK_ELEMENT).append(" xmlns=\"").append(PICKETLINK_XMLNS).append("\"" + GT).append(NL)
+      .append(INDENT).append(LT_OPEN).append(PICKETLINKSP_ELEMENT).append(" xmlns=\"").append(PICKETLINK_SP_XMLNS + "\"").append(NL)
+      .append(INDENT).append(INDENT).append("ServerEnvironment").append("=\"").append(serverEnvironment).append("\"").append(NL)
+      .append(INDENT).append(INDENT).append("BindingType").append("=\"").append(bindingType).append("\"").append(NL)
+      .append(INDENT).append(INDENT).append("IDPUsesPostBinding").append("=\"").append(idpUsesPostingBinding).append("\"").append(NL)
+      .append(INDENT).append(INDENT).append("SupportsSignatures").append("=\"").append(supportsSignatures).append("\"").append(NL)
+      .append(INDENT).append(INDENT).append("CanonicalizationMethod").append("=\"").append(C14N_METHOD).append("\"").append(GT).append(NL).append(NL)
+      .append(INDENT).append(INDENT).append(LT_OPEN).append("IdentityURL").append(GT).append(identityURL).append(LT_CLOSE).append("IdentityURL").append(GT).append(NL)
+      .append(INDENT).append(INDENT).append(LT_OPEN).append("ServiceURL").append(GT).append(serviceURL).append(LT_CLOSE).append("ServiceURL").append(GT).append(NL)
+      .append(INDENT).append(INDENT).append(LT_OPEN).append(KEYPROVIDER_ELEMENT).append(" ").append("ClassName=\"").append(KEYPROVIDER_CLASSNAME + "\"" + GT).append(NL)
+        .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(AUTH_ELEMENT).append(" Key=\"KeyStoreURL\" Value=\"").append(keystoreURL).append("\"").append(GT_CLOSE).append(NL)
+        .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(AUTH_ELEMENT).append(" Key=\"KeyStorePass\" Value=\"").append(keystorePass).append("\"").append(GT_CLOSE).append(NL)
+        .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(AUTH_ELEMENT).append(" Key=\"SigningKeyAlias\" Value=\"").append(signingKeyAlias).append("\"").append(GT_CLOSE).append(NL)
+        .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(AUTH_ELEMENT).append(" Key=\"SigningKeyPass\" Value=\"").append(signingKeyPass).append("\"").append(GT_CLOSE).append(NL)
+        .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(VAL_ALIAS_ELEMENT).append(" Key=\"").append(validatingKeyAlias).append("\" Value=\"").append(validatingKeyValue).append("\"").append(GT_CLOSE).append(NL)
+      .append(INDENT).append(INDENT).append(LT_CLOSE).append(KEYPROVIDER_ELEMENT).append(GT).append(NL)
+      .append(INDENT).append(LT_CLOSE).append(PICKETLINKSP_ELEMENT).append(GT).append(NL)
+      .append(INDENT).append(LT_OPEN).append(HANDLERS_ELEMENT).append(GT).append(NL)
+        .append(INDENT).append(INDENT).append(LT_OPEN).append(HANDLER_ELEMENT).append(" class=\"").append(AUTH_HANDLER_CLASSNAME).append("\">").append(NL)
+          .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(OPTION_ELEMENT).append(" Key=\"NAMEID_FORMAT\" Value=\"").append(nameIDFormat).append("\"").append(GT_CLOSE).append(NL)
+          .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(OPTION_ELEMENT).append(" Key=\"CLOCK_SKEW_MILIS\" Value=\"").append(clockSkewMilis).append("\"").append(GT_CLOSE).append(NL)
+          .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(OPTION_ELEMENT).append(" Key=\"ASSERTION_SESSION_ATTRIBUTE_NAME\" Value=\"").append(assertionSessionAttributeName).append("\"").append(GT_CLOSE).append(NL)
+        .append(INDENT).append(INDENT).append(LT_CLOSE).append(HANDLER_ELEMENT).append(GT).append(NL)
+        .append(INDENT).append(INDENT).append(LT_OPEN).append(HANDLER_ELEMENT).append(" class=\"").append(ROLE_GEN_HANDLER_CLASSNAME).append("\"/>").append(NL)
+      .append(INDENT).append(LT_CLOSE).append(HANDLERS_ELEMENT).append(GT).append(NL)
+    .append(LT_CLOSE).append(PICKETLINK_ELEMENT).append(GT).append(NL);
+     
+    return xml.toString();
+  }
+  
+  public static void main(String[] args) {
+    PicketlinkConf conf = new PicketlinkConf();
+    System.out.println(conf.toString());
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
new file mode 100644
index 0000000..d13bdaa
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
@@ -0,0 +1,132 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.picketlink.PicketlinkMessages;
+import org.apache.knox.gateway.services.security.AliasService;
+import org.apache.knox.gateway.services.security.AliasServiceException;
+import org.apache.knox.gateway.services.security.MasterService;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.picketlink.identity.federation.web.filters.ServiceProviderContextInitializer;
+
+public class PicketlinkFederationProviderContributor extends
+    ProviderDeploymentContributorBase {
+  private static final String ROLE = "federation";
+  private static final String NAME = "Picketlink";
+  private static final String PICKETLINK_FILTER_CLASSNAME = "org.picketlink.identity.federation.web.filters.SPFilter";
+  private static final String CAPTURE_URL_FILTER_CLASSNAME = "CaptureOriginalURLFilter";
+  private static final String IDENTITY_ADAPTER_CLASSNAME = "PicketlinkIdentityAdapter";
+  private static final String IDENTITY_URL_PARAM = "identity.url";
+  private static final String SERVICE_URL_PARAM = "service.url";
+  private static final String KEYSTORE_URL_PARAM = "keystore.url";
+  private static final String SIGNINGKEY_ALIAS = "gateway-identity";
+  private static final String VALIDATING_ALIAS_KEY = "validating.alias.key";
+  private static final String VALIDATING_ALIAS_VALUE = "validating.alias.value";
+  private static final String CLOCK_SKEW_MILIS = "clock.skew.milis";
+  private static PicketlinkMessages log = MessagesFactory.get( PicketlinkMessages.class );
+
+  private MasterService ms = null;
+  private AliasService as = null;
+
+  @Override
+  public String getRole() {
+    return ROLE;
+  }
+
+  @Override
+  public String getName() {
+    return NAME;
+  }
+  
+  public void setMasterService(MasterService ms) {
+    this.ms = ms;
+  }
+
+  public void setAliasService(AliasService as) {
+    this.as = as;
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeProvider(DeploymentContext context, Provider provider) {
+    // LJM TODO: consider creating a picketlink configuration provider to
+    // handle the keystore secrets without putting them in a config file directly.
+    // Once that is done then we can remove the unneeded gateway services from those
+    // that are available to providers.
+    context.getWebAppDescriptor().createListener().listenerClass( ServiceProviderContextInitializer.class.getName());
+
+    PicketlinkConf config = new PicketlinkConf( );
+    Map<String,String> params = provider.getParams();
+    config.setIdentityURL(params.get(IDENTITY_URL_PARAM));
+    config.setServiceURL(params.get(SERVICE_URL_PARAM));
+    config.setKeystoreURL(params.get(KEYSTORE_URL_PARAM));
+    if (ms != null) {
+      config.setKeystorePass(new String(ms.getMasterSecret()));
+    }
+    config.setSigningKeyAlias(SIGNINGKEY_ALIAS);
+    if (as != null) {
+      char[] passphrase = null;
+      try {
+        passphrase = as.getGatewayIdentityPassphrase();
+        config.setSigningKeyPass(new String(passphrase));
+      } catch (AliasServiceException e) {
+        log.unableToGetGatewayIdentityPassphrase(e);
+      }
+    }
+    config.setValidatingAliasKey(params.get(VALIDATING_ALIAS_KEY));
+    config.setValidatingAliasValue(params.get(VALIDATING_ALIAS_VALUE));
+    config.setClockSkewMilis(params.get(CLOCK_SKEW_MILIS));
+    String configStr = config.toString();
+    if( config != null ) {
+      context.getWebArchive().addAsWebInfResource( new StringAsset( configStr ), "picketlink.xml" );
+    }
+  }
+
+  @Override
+  public void contributeFilter(DeploymentContext context, Provider provider, Service service,
+      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+    // blindly add all the provider params as filter init params
+    if (params == null) {
+      params = new ArrayList<FilterParamDescriptor>();
+    }
+    Map<String, String> providerParams = provider.getParams();
+    for(Entry<String, String> entry : providerParams.entrySet()) {
+      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+    }
+    resource.addFilter().name( getName() ).role( getRole() ).impl( CAPTURE_URL_FILTER_CLASSNAME ).params( params );
+    resource.addFilter().name( getName() ).role( getRole() ).impl( PICKETLINK_FILTER_CLASSNAME ).params( params );
+    resource.addFilter().name( getName() ).role( getRole() ).impl( IDENTITY_ADAPTER_CLASSNAME ).params( params );
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/CaptureOriginalURLFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/CaptureOriginalURLFilter.java b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/CaptureOriginalURLFilter.java
new file mode 100644
index 0000000..b062013
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/CaptureOriginalURLFilter.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.picketlink.PicketlinkMessages;
+
+import java.io.IOException;
+
+public class CaptureOriginalURLFilter implements Filter {
+  private static PicketlinkMessages log = MessagesFactory.get( PicketlinkMessages.class );
+  private static final String COOKIE_PATH = "cookie.path";
+  private static final String COOKIE_SECURE = "cookie.secure";
+  private String cookiePath = null;
+  private String cookieSecure = null;
+
+  @Override
+  public void init( FilterConfig filterConfig ) throws ServletException {
+    cookiePath = filterConfig.getInitParameter(COOKIE_PATH);
+    if (cookiePath == null) {
+      cookiePath = "/gateway/idp/knoxsso/api/v1/websso";
+    }
+    cookieSecure = filterConfig.getInitParameter(COOKIE_SECURE);
+    if (cookieSecure == null) {
+      cookieSecure = "true";
+    }
+  }
+
+  @Override
+  public void doFilter( ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain ) throws IOException, ServletException {
+    String original = null;
+    HttpServletRequest request = (HttpServletRequest)servletRequest;
+    String url = request.getParameter("originalUrl");
+    if (url != null) {
+      log.foundOriginalURLInRequest(url);
+      original = request.getParameter("originalUrl");
+      log.settingCookieForOriginalURL();
+      addCookie(servletResponse, original);
+    }
+    filterChain.doFilter(request, servletResponse);
+  }
+
+  @Override
+  public void destroy() {
+
+  }
+
+  private void addCookie(ServletResponse servletResponse, String original) {
+    Cookie c = new Cookie("original-url", original);
+    c.setPath(cookiePath);
+    c.setHttpOnly(true);
+    boolean secureOnly = true;
+    if (cookieSecure != null) {
+      secureOnly = ("false".equals(cookieSecure) ? false : true);
+      if (!secureOnly) {
+        log.secureFlagFalseForCookie();
+      }
+    }
+    c.setSecure(secureOnly);
+    c.setMaxAge(60);
+    ((HttpServletResponse)servletResponse).addCookie(c);
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/PicketlinkIdentityAdapter.java b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
new file mode 100644
index 0000000..e3811b4
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink.filter;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.knox.gateway.audit.api.Action;
+import org.apache.knox.gateway.audit.api.ActionOutcome;
+import org.apache.knox.gateway.audit.api.AuditService;
+import org.apache.knox.gateway.audit.api.AuditServiceFactory;
+import org.apache.knox.gateway.audit.api.Auditor;
+import org.apache.knox.gateway.audit.api.ResourceType;
+import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.knox.gateway.filter.AbstractGatewayFilter;
+import org.apache.knox.gateway.security.PrimaryPrincipal;
+
+public class PicketlinkIdentityAdapter implements Filter {
+  
+  private static AuditService auditService = AuditServiceFactory.getAuditService();
+  private static Auditor auditor = auditService.getAuditor(
+      AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+      AuditConstants.KNOX_COMPONENT_NAME );
+  
+
+  @Override
+  public void init( FilterConfig filterConfig ) throws ServletException {
+  }
+
+  public void destroy() {
+  }
+
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 
+      throws IOException, ServletException {
+    
+    HttpServletRequest httpRequest = (HttpServletRequest) request;
+    String username = httpRequest.getUserPrincipal().getName();
+    PrimaryPrincipal pp = new PrimaryPrincipal(username);
+    Subject subject = new Subject();
+    subject.getPrincipals().add(pp);
+    
+    Principal principal = (Principal) subject.getPrincipals(PrimaryPrincipal.class);
+    auditService.getContext().setUsername( principal.getName() );
+    String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
+    auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS );
+
+    doAs(request, response, chain, subject);
+  }
+  
+  private void doAs(final ServletRequest request,
+      final ServletResponse response, final FilterChain chain, Subject subject)
+      throws IOException, ServletException {
+    try {
+      Subject.doAs(
+          subject,
+          new PrivilegedExceptionAction<Object>() {
+            public Object run() throws Exception {
+              chain.doFilter(request, response);
+              return null;
+            }
+          }
+          );
+    }
+    catch (PrivilegedActionException e) {
+      Throwable t = e.getCause();
+      if (t instanceof IOException) {
+        throw (IOException) t;
+      }
+      else if (t instanceof ServletException) {
+        throw (ServletException) t;
+      }
+      else {
+        throw new ServletException(t);
+      }
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
deleted file mode 100644
index ec4affc..0000000
--- a/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ /dev/null
@@ -1,19 +0,0 @@
-##########################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-##########################################################################
-
-org.apache.hadoop.gateway.picketlink.deploy.PicketlinkFederationProviderContributor

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..2d6b75c
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.knox.gateway.picketlink.deploy.PicketlinkFederationProviderContributor

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/test/java/org/apache/hadoop/gateway/picketlink/PicketlinkTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/test/java/org/apache/hadoop/gateway/picketlink/PicketlinkTest.java b/gateway-provider-security-picketlink/src/test/java/org/apache/hadoop/gateway/picketlink/PicketlinkTest.java
deleted file mode 100644
index 4ef3088..0000000
--- a/gateway-provider-security-picketlink/src/test/java/org/apache/hadoop/gateway/picketlink/PicketlinkTest.java
+++ /dev/null
@@ -1,31 +0,0 @@
-
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.picketlink;
-
-import junit.framework.TestCase;
-
-import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
-import org.junit.Test;
-
-public class PicketlinkTest extends TestCase {
-  @Test
-  public void testPicketlink() throws Exception {
-    assertTrue(true);
-  }
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/test/java/org/apache/knox/gateway/picketlink/PicketlinkTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/test/java/org/apache/knox/gateway/picketlink/PicketlinkTest.java b/gateway-provider-security-picketlink/src/test/java/org/apache/knox/gateway/picketlink/PicketlinkTest.java
new file mode 100644
index 0000000..92edc98
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/test/java/org/apache/knox/gateway/picketlink/PicketlinkTest.java
@@ -0,0 +1,30 @@
+
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink;
+
+import junit.framework.TestCase;
+
+import org.junit.Test;
+
+public class PicketlinkTest extends TestCase {
+  @Test
+  public void testPicketlink() throws Exception {
+    assertTrue(true);
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java
deleted file mode 100644
index 5b2e991..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth;
-
-import org.apache.hadoop.gateway.i18n.messages.Message;
-import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
-import org.apache.hadoop.gateway.i18n.messages.Messages;
-
-@Messages(logger="org.apache.hadoop.gateway.provider.global.csrf")
-public interface PreAuthMessages {
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java
deleted file mode 100644
index 52d2131..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.deploy;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-public class HeaderPreAuthContributor extends
-    ProviderDeploymentContributorBase {
-  private static final String ROLE = "federation";
-  private static final String NAME = "HeaderPreAuth";
-  private static final String PREAUTH_FILTER_CLASSNAME = "org.apache.hadoop.gateway.preauth.filter.HeaderPreAuthFederationFilter";
-
-  @Override
-  public String getRole() {
-    return ROLE;
-  }
-
-  @Override
-  public String getName() {
-    return NAME;
-  }
-
-  @Override
-  public void initializeContribution(DeploymentContext context) {
-    super.initializeContribution(context);
-  }
-
-  @Override
-  public void contributeFilter(DeploymentContext context, Provider provider, Service service, 
-      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
-    // blindly add all the provider params as filter init params
-    if (params == null) {
-      params = new ArrayList<FilterParamDescriptor>();
-    }
-    Map<String, String> providerParams = provider.getParams();
-    for(Entry<String, String> entry : providerParams.entrySet()) {
-      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
-    }
-    resource.addFilter().name( getName() ).role( getRole() ).impl( PREAUTH_FILTER_CLASSNAME ).params( params );
-  }
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
deleted file mode 100644
index fa4df69..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
+++ /dev/null
@@ -1,144 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import java.io.IOException;
-import java.security.Principal;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.List;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import org.apache.hadoop.gateway.audit.api.Action;
-import org.apache.hadoop.gateway.audit.api.ActionOutcome;
-import org.apache.hadoop.gateway.audit.api.AuditService;
-import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
-import org.apache.hadoop.gateway.audit.api.Auditor;
-import org.apache.hadoop.gateway.audit.api.ResourceType;
-import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
-import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-
-/**
- *
- */
-public abstract class AbstractPreAuthFederationFilter implements Filter {
-
-  private List<PreAuthValidator> validators = null;
-  private FilterConfig filterConfig;
-  private static AuditService auditService = AuditServiceFactory.getAuditService();
-  private static Auditor auditor = auditService.getAuditor(
-      AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
-      AuditConstants.KNOX_COMPONENT_NAME );
-
-  /**
-   * 
-   */
-  public AbstractPreAuthFederationFilter() {
-    super();
-  }
-
-  @Override
-  public void init(FilterConfig filterConfig) throws ServletException {
-    this.filterConfig = filterConfig;
-    validators = PreAuthService.getValidators(filterConfig);
-  }
-
-  @VisibleForTesting
-  public List<PreAuthValidator> getValidators() {
-    return validators;
-  }
-
-  @Override
-  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-      throws IOException, ServletException {
-    HttpServletRequest httpRequest = (HttpServletRequest)request;
-    String principal = getPrimaryPrincipal(httpRequest);
-    if (principal != null) {
-      if (PreAuthService.validate(httpRequest, filterConfig, validators)) {
-        Subject subject = new Subject();
-        subject.getPrincipals().add(new PrimaryPrincipal(principal));
-        addGroupPrincipals(httpRequest, subject.getPrincipals());
-        auditService.getContext().setUsername( principal ); //KM: Audit Fix
-        String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
-        auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS );
-        doAs(httpRequest, response, chain, subject);
-      }
-      else {
-        // TODO: log preauthenticated SSO validation failure
-        ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "SSO Validation Failure.");
-      }
-    } 
-    else {
-      ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "Missing Required Header for PreAuth SSO Federation");
-    }
-  }
-
-  @Override
-  public void destroy() {
-  }
-
-  private void doAs(final ServletRequest request, final ServletResponse response, final FilterChain chain, Subject subject)
-    throws IOException, ServletException {
-    try {
-      Subject.doAs(
-          subject,
-          new PrivilegedExceptionAction<Object>() {
-            public Object run() throws Exception {
-              chain.doFilter(request, response);
-              return null;
-            }
-          }
-          );
-    }
-    catch (PrivilegedActionException e) {
-      Throwable t = e.getCause();
-      if (t instanceof IOException) {
-        throw (IOException) t;
-      }
-      else if (t instanceof ServletException) {
-        throw (ServletException) t;
-      }
-      else {
-        throw new ServletException(t);
-      }
-    }
-  }
-  
-  /**
-   * @param httpRequest
-   */
-  abstract protected String getPrimaryPrincipal(HttpServletRequest httpRequest);
-
-  /**
-   * @param principals
-   */
-  abstract protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals);
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java
deleted file mode 100644
index fe1cec5..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.http.HttpServletRequest;
-
-/**
- * @since 0.12
- * This class implements the default Validator where really no validation is performed.
- * TODO: log the fact that there is no verification going on to validate
- * +  who is asserting the identity with the a header. Without some validation
- * +  we are assuming the network security is the primary protection method.
- */
-public class DefaultValidator implements PreAuthValidator {
-  public static final String DEFAULT_VALIDATION_METHOD_VALUE = "preauth.default.validation";
-
-  public DefaultValidator() {
-  }
-
-  /**
-   * @param httpRequest
-   * @param filterConfig
-   * @return true if validated, otherwise false
-   * @throws PreAuthValidationException
-   */
-  @Override
-  public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig) throws PreAuthValidationException {
-    return true;
-  }
-
-  /**
-   * Return unique validator name
-   *
-   * @return name of validator
-   */
-  @Override
-  public String getName() {
-    return DEFAULT_VALIDATION_METHOD_VALUE;
-  }
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
deleted file mode 100644
index df88849..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import java.security.Principal;
-import java.util.Set;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.hadoop.gateway.security.GroupPrincipal;
-
-
-public class HeaderPreAuthFederationFilter extends AbstractPreAuthFederationFilter {
-  static final String CUSTOM_HEADER_PARAM = "preauth.custom.header";
-  static final String CUSTOM_GROUP_HEADER_PARAM = "preauth.custom.group.header";
-  String headerName = "SM_USER";
-  String groupHeaderName = null;
-  
-  @Override
-  public void init(FilterConfig filterConfig) throws ServletException {
-    super.init(filterConfig);
-    String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
-    if (customHeader != null) {
-      headerName = customHeader;
-    }
-    String customGroupHeader = filterConfig.getInitParameter(CUSTOM_GROUP_HEADER_PARAM);
-    if (customGroupHeader != null) {
-      groupHeaderName = customGroupHeader;
-    }
-  }
-
-  /**
-   * @param httpRequest
-   */
-  @Override
-  protected String getPrimaryPrincipal(HttpServletRequest httpRequest) {
-    return httpRequest.getHeader(headerName);
-  }
-
-  /**
-   * @param principals
-   */
-  @Override
-  protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals) {
-    if (groupHeaderName != null) {
-      String headers = request.getHeader(groupHeaderName);
-      if (headers != null) {
-        String[] groups = headers.split(",");
-        for (int i = 0; i < groups.length; i++) {
-          principals.add(new GroupPrincipal(groups[i]));
-        }
-      }
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
deleted file mode 100644
index 9df23b5..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.hadoop.gateway.util.IpAddressValidator;
-
-/**
- *
- */
-public class IPValidator implements PreAuthValidator {
-  public static final String IP_ADDRESSES_PARAM = "preauth.ip.addresses";
-  public static final String IP_VALIDATION_METHOD_VALUE = "preauth.ip.validation";
-
-  public IPValidator() {
-  }
-
-  /**
-   * @param httpRequest
-   * @param filterConfig
-   * @return true if validated, otherwise false
-   * @throws PreAuthValidationException
-   */
-  @Override
-  public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig)
-      throws PreAuthValidationException {
-    String ipParam = filterConfig.getInitParameter(IP_ADDRESSES_PARAM);
-    IpAddressValidator ipv = new IpAddressValidator(ipParam);
-    return ipv.validateIpAddress(httpRequest.getRemoteAddr());
-  }
-
-  /**
-   * Return unique validator name
-   *
-   * @return name of validator
-   */
-  @Override
-  public String getName() {
-    return IP_VALIDATION_METHOD_VALUE;
-  }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
deleted file mode 100644
index 27ae803..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
+++ /dev/null
@@ -1,142 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import java.io.IOException;
-import java.security.AccessController;
-import java.security.Principal;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.List;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-
-public class PreAuthFederationFilter implements Filter {
-  private static final String CUSTOM_HEADER_PARAM = "preauth.customHeader";
-  private List<PreAuthValidator> validators = null;
-  private FilterConfig filterConfig;
-  private String headerName = "SM_USER";
-
-  @Override
-  public void init(FilterConfig filterConfig) throws ServletException {
-    String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
-    if (customHeader != null) {
-      headerName = customHeader;
-    }
-    this.filterConfig = filterConfig;
-    validators = PreAuthService.getValidators(filterConfig);
-  }
-
-  @Override
-  public void doFilter(ServletRequest request, ServletResponse response,
-                       FilterChain chain) throws IOException, ServletException {
-    HttpServletRequest httpRequest = (HttpServletRequest) request;
-    if (httpRequest.getHeader(headerName) != null) {
-      if (PreAuthService.validate(httpRequest, filterConfig, validators)) {
-        // TODO: continue as subject
-        chain.doFilter(request, response);
-      } else {
-        // TODO: log preauthenticated SSO validation failure
-        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing Required Header for SSO Validation");
-      }
-    } else {
-      ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing Required Header for PreAuth SSO Federation");
-    }
-  }
-
-  /* (non-Javadoc)
-   * @see javax.servlet.Filter#destroy()
-   */
-  @Override
-  public void destroy() {
-    // TODO Auto-generated method stub
-
-  }
-
-  /**
-   * Recreate the current Subject based upon the provided mappedPrincipal
-   * and look for the groups that should be associated with the new Subject.
-   * Upon finding groups mapped to the principal - add them to the new Subject.
-   * @param mappedPrincipalName
-   * @throws ServletException
-   * @throws IOException
-   */
-  protected void continueChainAsPrincipal(final ServletRequest request, final ServletResponse response,
-                                          final FilterChain chain, String principal) throws IOException, ServletException {
-    Subject subject = null;
-    Principal primaryPrincipal = null;
-
-    // do some check to ensure that the extracted identity matches any existing security context
-    // if not, there is may be someone tampering with the request - consult config to determine
-    // how we are to handle it
-
-    // TODO: make sure that this makes sense with existing sessions or lack thereof
-    Subject currentSubject = Subject.getSubject(AccessController.getContext());
-    if (currentSubject != null) {
-      primaryPrincipal = (PrimaryPrincipal) currentSubject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
-      if (primaryPrincipal != null) {
-        if (!primaryPrincipal.getName().equals(principal)) {
-        }
-      }
-    }
-
-    subject = new Subject();
-    subject.getPrincipals().add(primaryPrincipal);
-    doAs(request, response, chain, subject);
-  }
-
-  private void doAs(final ServletRequest request,
-                    final ServletResponse response, final FilterChain chain, Subject subject)
-      throws IOException, ServletException {
-    try {
-      Subject.doAs(
-          subject,
-          new PrivilegedExceptionAction<Object>() {
-            public Object run() throws Exception {
-              doFilterInternal(request, response, chain);
-              return null;
-            }
-          }
-      );
-    } catch (PrivilegedActionException e) {
-      Throwable t = e.getCause();
-      if (t instanceof IOException) {
-        throw (IOException) t;
-      } else if (t instanceof ServletException) {
-        throw (ServletException) t;
-      } else {
-        throw new ServletException(t);
-      }
-    }
-  }
-
-  private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-    chain.doFilter(request, response);
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java
deleted file mode 100644
index e1d9751..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Strings;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import java.util.ArrayList;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Set;
-import java.util.Collections;
-import java.util.ServiceLoader;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-
-/**
- * This class manages few utility methods used across different classes of pre-auth module
- * @since 0.12
- */
-public class PreAuthService {
-
-  public static final String VALIDATION_METHOD_PARAM = "preauth.validation.method";
-  private static ConcurrentHashMap<String, PreAuthValidator> validatorMap;
-
-  static {
-    initializeValidators();
-  }
-
-
-  private static void initializeValidators() {
-    ServiceLoader<PreAuthValidator> servLoader = ServiceLoader.load(PreAuthValidator.class);
-    validatorMap = new ConcurrentHashMap<>();
-    for (Iterator<PreAuthValidator> iterator = servLoader.iterator(); iterator.hasNext(); ) {
-      PreAuthValidator validator = iterator.next();
-      validatorMap.put(validator.getName(), validator);
-    }
-  }
-
-  @VisibleForTesting
-  public static Map<String, PreAuthValidator> getValidatorMap() {
-    return Collections.unmodifiableMap(validatorMap);
-  }
-
-  /**
-   * This method returns appropriate pre-auth Validator as defined in config
-   *
-   * @since 0.12
-   * @param filterConfig
-   * @return List<PreAuthValidator>
-   * @throws ServletException
-   */
-  public static List<PreAuthValidator> getValidators(FilterConfig filterConfig) throws ServletException {
-    String validationMethods = filterConfig.getInitParameter(VALIDATION_METHOD_PARAM);
-    List<PreAuthValidator> vList = new ArrayList<>();
-    if (Strings.isNullOrEmpty(validationMethods)) {
-      validationMethods = DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE;
-    }
-    Set<String> vMethodSet = new LinkedHashSet<>();
-    Collections.addAll(vMethodSet, validationMethods.trim().split("\\s*,\\s*"));
-    for (String vName : vMethodSet) {
-      if (validatorMap.containsKey(vName)) {
-        vList.add(validatorMap.get(vName));
-      } else {
-        throw new ServletException(String.format("Unable to find validator with name '%s'", validationMethods));
-      }
-    }
-    return vList;
-  }
-
-  public static boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig, List<PreAuthValidator>
-      validators) {
-    try {
-      for (PreAuthValidator validator : validators) {
-        //Any one validator fails, it will fail the request. loginal AND behavior
-        if (!validator.validate(httpRequest, filterConfig)) {
-          return false;
-        }
-      }
-    } catch (PreAuthValidationException e) {
-      // TODO log exception
-      return false;
-    }
-    return true;
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java
deleted file mode 100644
index e643033..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-/**
- * @author larry
- *
- */
-public class PreAuthValidationException extends Exception {
-  PreAuthValidationException(String message) {
-    super(message);
-  }
-
-  PreAuthValidationException(String message, Exception e) {
-    super(message, e);
-  }
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
deleted file mode 100644
index 5819801..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.http.HttpServletRequest;
-
-/**
- *
- */
-public interface PreAuthValidator {
-  /**
-   * @param httpRequest
-   * @param filterConfig
-   * @return true if validated, otherwise false
-   * @throws PreAuthValidationException
-   */
-  public abstract boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig) throws
-      PreAuthValidationException;
-
-  /**
-   * Return unique validator name
-   *
-   * @return name of validator
-   */
-  public abstract String getName();
-}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/PreAuthMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/PreAuthMessages.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/PreAuthMessages.java
new file mode 100644
index 0000000..dfe4ca9
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/PreAuthMessages.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth;
+
+import org.apache.knox.gateway.i18n.messages.Messages;
+
+@Messages(logger="org.apache.hadoop.gateway.provider.global.csrf")
+public interface PreAuthMessages {
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/deploy/HeaderPreAuthContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/deploy/HeaderPreAuthContributor.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/deploy/HeaderPreAuthContributor.java
new file mode 100644
index 0000000..2a5cebd
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/deploy/HeaderPreAuthContributor.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+public class HeaderPreAuthContributor extends
+    ProviderDeploymentContributorBase {
+  private static final String ROLE = "federation";
+  private static final String NAME = "HeaderPreAuth";
+  private static final String PREAUTH_FILTER_CLASSNAME = "HeaderPreAuthFederationFilter";
+
+  @Override
+  public String getRole() {
+    return ROLE;
+  }
+
+  @Override
+  public String getName() {
+    return NAME;
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeFilter(DeploymentContext context, Provider provider, Service service,
+      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+    // blindly add all the provider params as filter init params
+    if (params == null) {
+      params = new ArrayList<FilterParamDescriptor>();
+    }
+    Map<String, String> providerParams = provider.getParams();
+    for(Entry<String, String> entry : providerParams.entrySet()) {
+      params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+    }
+    resource.addFilter().name( getName() ).role( getRole() ).impl( PREAUTH_FILTER_CLASSNAME ).params( params );
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/AbstractPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
new file mode 100644
index 0000000..66ee586
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
@@ -0,0 +1,144 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.filter;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.List;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.google.common.annotations.VisibleForTesting;
+
+import org.apache.knox.gateway.audit.api.Action;
+import org.apache.knox.gateway.audit.api.ActionOutcome;
+import org.apache.knox.gateway.audit.api.AuditService;
+import org.apache.knox.gateway.audit.api.AuditServiceFactory;
+import org.apache.knox.gateway.audit.api.Auditor;
+import org.apache.knox.gateway.audit.api.ResourceType;
+import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.knox.gateway.filter.AbstractGatewayFilter;
+import org.apache.knox.gateway.security.PrimaryPrincipal;
+
+/**
+ *
+ */
+public abstract class AbstractPreAuthFederationFilter implements Filter {
+
+  private List<PreAuthValidator> validators = null;
+  private FilterConfig filterConfig;
+  private static AuditService auditService = AuditServiceFactory.getAuditService();
+  private static Auditor auditor = auditService.getAuditor(
+      AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+      AuditConstants.KNOX_COMPONENT_NAME );
+
+  /**
+   * 
+   */
+  public AbstractPreAuthFederationFilter() {
+    super();
+  }
+
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    this.filterConfig = filterConfig;
+    validators = PreAuthService.getValidators(filterConfig);
+  }
+
+  @VisibleForTesting
+  public List<PreAuthValidator> getValidators() {
+    return validators;
+  }
+
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+      throws IOException, ServletException {
+    HttpServletRequest httpRequest = (HttpServletRequest)request;
+    String principal = getPrimaryPrincipal(httpRequest);
+    if (principal != null) {
+      if (PreAuthService.validate(httpRequest, filterConfig, validators)) {
+        Subject subject = new Subject();
+        subject.getPrincipals().add(new PrimaryPrincipal(principal));
+        addGroupPrincipals(httpRequest, subject.getPrincipals());
+        auditService.getContext().setUsername( principal ); //KM: Audit Fix
+        String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
+        auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS );
+        doAs(httpRequest, response, chain, subject);
+      }
+      else {
+        // TODO: log preauthenticated SSO validation failure
+        ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "SSO Validation Failure.");
+      }
+    } 
+    else {
+      ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "Missing Required Header for PreAuth SSO Federation");
+    }
+  }
+
+  @Override
+  public void destroy() {
+  }
+
+  private void doAs(final ServletRequest request, final ServletResponse response, final FilterChain chain, Subject subject)
+    throws IOException, ServletException {
+    try {
+      Subject.doAs(
+          subject,
+          new PrivilegedExceptionAction<Object>() {
+            public Object run() throws Exception {
+              chain.doFilter(request, response);
+              return null;
+            }
+          }
+          );
+    }
+    catch (PrivilegedActionException e) {
+      Throwable t = e.getCause();
+      if (t instanceof IOException) {
+        throw (IOException) t;
+      }
+      else if (t instanceof ServletException) {
+        throw (ServletException) t;
+      }
+      else {
+        throw new ServletException(t);
+      }
+    }
+  }
+  
+  /**
+   * @param httpRequest
+   */
+  abstract protected String getPrimaryPrincipal(HttpServletRequest httpRequest);
+
+  /**
+   * @param principals
+   */
+  abstract protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals);
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/DefaultValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/DefaultValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/DefaultValidator.java
new file mode 100644
index 0000000..a51d540
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/DefaultValidator.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.filter;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @since 0.12
+ * This class implements the default Validator where really no validation is performed.
+ * TODO: log the fact that there is no verification going on to validate
+ * +  who is asserting the identity with the a header. Without some validation
+ * +  we are assuming the network security is the primary protection method.
+ */
+public class DefaultValidator implements PreAuthValidator {
+  public static final String DEFAULT_VALIDATION_METHOD_VALUE = "preauth.default.validation";
+
+  public DefaultValidator() {
+  }
+
+  /**
+   * @param httpRequest
+   * @param filterConfig
+   * @return true if validated, otherwise false
+   * @throws PreAuthValidationException
+   */
+  @Override
+  public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig) throws PreAuthValidationException {
+    return true;
+  }
+
+  /**
+   * Return unique validator name
+   *
+   * @return name of validator
+   */
+  @Override
+  public String getName() {
+    return DEFAULT_VALIDATION_METHOD_VALUE;
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/HeaderPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
new file mode 100644
index 0000000..eb16ab9
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.filter;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.knox.gateway.security.GroupPrincipal;
+
+public class HeaderPreAuthFederationFilter extends AbstractPreAuthFederationFilter {
+  static final String CUSTOM_HEADER_PARAM = "preauth.custom.header";
+  static final String CUSTOM_GROUP_HEADER_PARAM = "preauth.custom.group.header";
+  String headerName = "SM_USER";
+  String groupHeaderName = null;
+  
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    super.init(filterConfig);
+    String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
+    if (customHeader != null) {
+      headerName = customHeader;
+    }
+    String customGroupHeader = filterConfig.getInitParameter(CUSTOM_GROUP_HEADER_PARAM);
+    if (customGroupHeader != null) {
+      groupHeaderName = customGroupHeader;
+    }
+  }
+
+  /**
+   * @param httpRequest
+   */
+  @Override
+  protected String getPrimaryPrincipal(HttpServletRequest httpRequest) {
+    return httpRequest.getHeader(headerName);
+  }
+
+  /**
+   * @param principals
+   */
+  @Override
+  protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals) {
+    if (groupHeaderName != null) {
+      String headers = request.getHeader(groupHeaderName);
+      if (headers != null) {
+        String[] groups = headers.split(",");
+        for (int i = 0; i < groups.length; i++) {
+          principals.add(new GroupPrincipal(groups[i]));
+        }
+      }
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/IPValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/IPValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/IPValidator.java
new file mode 100644
index 0000000..d0c9e5d
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/IPValidator.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.filter;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.knox.gateway.util.IpAddressValidator;
+
+/**
+ *
+ */
+public class IPValidator implements PreAuthValidator {
+  public static final String IP_ADDRESSES_PARAM = "preauth.ip.addresses";
+  public static final String IP_VALIDATION_METHOD_VALUE = "preauth.ip.validation";
+
+  public IPValidator() {
+  }
+
+  /**
+   * @param httpRequest
+   * @param filterConfig
+   * @return true if validated, otherwise false
+   * @throws PreAuthValidationException
+   */
+  @Override
+  public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig)
+      throws PreAuthValidationException {
+    String ipParam = filterConfig.getInitParameter(IP_ADDRESSES_PARAM);
+    IpAddressValidator ipv = new IpAddressValidator(ipParam);
+    return ipv.validateIpAddress(httpRequest.getRemoteAddr());
+  }
+
+  /**
+   * Return unique validator name
+   *
+   * @return name of validator
+   */
+  @Override
+  public String getName() {
+    return IP_VALIDATION_METHOD_VALUE;
+  }
+}
\ No newline at end of file


Mime
View raw message