diff --git a/modules/core/distribution/src/assembly/bin.xml b/modules/core/distribution/src/assembly/bin.xml
index 321c76a5..c08ba5cc 100644
--- a/modules/core/distribution/src/assembly/bin.xml
+++ b/modules/core/distribution/src/assembly/bin.xml
@@ -111,6 +111,8 @@
**/org.wso2.carbon.hostobjects.sso_4.4.3.jar**/org.wso2.carbon.hostobjects.sso_4.3.2.jar**/conf/log4j.properties
+ **/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
+ **/repository/components/plugins/httpclient_4.3.2.wso2v1.jar
@@ -529,6 +531,7 @@
base-page/**login/**styles-layout.css
+ **/site/conf/site.json
@@ -587,13 +590,20 @@
${pom.artifactId}-${pom.version}/repository/conf/identity
- **/sso-idp-config.xml**/saml1-assertion-config**/msg-mgt.properties**/entitlement.properties**/EndpointConfig.properties
+
+ src/repository/conf/identity/service-providers
+ ${pom.artifactId}-${pom.version}/repository/conf/identity/service-providers
+
+ */**
+
+
+
../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/identity/identity-providers
@@ -655,6 +665,9 @@
**/*
+
+ **/configs/designer.json
+
@@ -705,6 +718,16 @@
755
+
+
+
+ src/repository/jaggeryapps/api-store/site/conf/site.json
+
+ ${pom.artifactId}-${pom.version}/repository/deployment/server/jaggeryapps/api-store/site/conf
+
+ 755
+
+
src/repository/conf/synapse.properties
@@ -734,6 +757,11 @@
true644
+
+
+ src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
+ ${pom.artifactId}-${pom.version}/repository/conf/security
+ ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/event-broker.xml
@@ -802,15 +830,6 @@
true644
-
-
- ../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/identity/sso-idp-config.xml
-
- ${pom.artifactId}-${pom.version}/repository/conf/identity
-
- true
- 644
- src/repository/conf/application-authenticators.xml
@@ -845,6 +864,12 @@
true644
+
+
+ src/repository/conf/identity/sso-idp-config.xml
+ ${pom.artifactId}-${pom.version}/repository/conf/identity
+ 644
+
@@ -1019,6 +1044,8 @@
${pom.artifactId}-${pom.version}/repository/conf/true
+
+
diff --git a/modules/core/distribution/src/assembly/filter.properties b/modules/core/distribution/src/assembly/filter.properties
index cf2d1eac..b915e955 100644
--- a/modules/core/distribution/src/assembly/filter.properties
+++ b/modules/core/distribution/src/assembly/filter.properties
@@ -25,3 +25,5 @@ carbon.version=4.4.9
default.server.role=IoTServer
cep.server.role=ComplexEventProcessor
das.server.role=DataAnalyticsServer
+emm.analytics.role=EMMAnalytics
+cdmf.analytics.role=CDMFAnalytics
\ No newline at end of file
diff --git a/modules/core/distribution/src/repository/conf/app-manager.xml b/modules/core/distribution/src/repository/conf/app-manager.xml
index 368e777c..53552cfe 100644
--- a/modules/core/distribution/src/repository/conf/app-manager.xml
+++ b/modules/core/distribution/src/repository/conf/app-manager.xml
@@ -307,7 +307,7 @@
false
- https://${carbon.local.ip}:${mgt.transport.https.port}/samlsso
+ https://localhost:${mgt.transport.https.port}/samlssoappm/acs
diff --git a/modules/core/distribution/src/repository/conf/carbon.xml b/modules/core/distribution/src/repository/conf/carbon.xml
index 84ef0927..d87f271e 100644
--- a/modules/core/distribution/src/repository/conf/carbon.xml
+++ b/modules/core/distribution/src/repository/conf/carbon.xml
@@ -79,6 +79,8 @@
${default.server.role}${das.server.role}${cep.server.role}
+ ${emm.analytics.role}
+ ${cdmf.analytics.role}IoTServerCDMFPlatformGeoDashboard
diff --git a/modules/core/distribution/src/repository/conf/identity/identity.xml b/modules/core/distribution/src/repository/conf/identity/identity.xml
index af9e7900..eb099596 100644
--- a/modules/core/distribution/src/repository/conf/identity/identity.xml
+++ b/modules/core/distribution/src/repository/conf/identity/identity.xml
@@ -89,6 +89,7 @@
https://localhost:9443/oauth/request-tokenhttps://localhost:9443/oauth/access-tokenhttps://localhost:9443/oauth/authorize-url
+ https://localhost:${mgt.transport.https.port}/oauth2/token300
diff --git a/modules/core/distribution/src/repository/conf/identity/service-providers/API_STORE.xml b/modules/core/distribution/src/repository/conf/identity/service-providers/API_STORE.xml
new file mode 100644
index 00000000..d77e49a3
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/identity/service-providers/API_STORE.xml
@@ -0,0 +1,60 @@
+
+
+
+ 8
+ API_STORE
+ App Manager - Publisher
+
+
+
+ API_STORE
+ samlsso
+
+
+
+
+
+
+
+
+ 1
+
+
+ BasicAuthenticator
+ basicauth
+ true
+
+
+ true
+ true
+
+
+ true
+ true
+
+
+
+
+
+
+
+
+ true
+
+
+
+
diff --git a/modules/core/distribution/src/repository/conf/identity/service-providers/devicemgt.xml b/modules/core/distribution/src/repository/conf/identity/service-providers/devicemgt.xml
new file mode 100644
index 00000000..2c7c52d9
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/identity/service-providers/devicemgt.xml
@@ -0,0 +1,60 @@
+
+
+
+ 8
+ devicemgt
+ Device Manager
+
+
+
+ devicemgt
+ samlsso
+
+
+
+
+
+
+
+
+ 1
+
+
+ BasicAuthenticator
+ basicauth
+ true
+
+
+ true
+ true
+
+
+ true
+ true
+
+
+
+
+
+
+
+
+ true
+
+
+
+
diff --git a/modules/core/distribution/src/repository/conf/identity/service-providers/portal.xml b/modules/core/distribution/src/repository/conf/identity/service-providers/portal.xml
new file mode 100644
index 00000000..3cd65666
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/identity/service-providers/portal.xml
@@ -0,0 +1,60 @@
+
+
+
+ 9
+ portal
+ Carbon Dashboards Portal
+
+
+
+ portal
+ samlsso
+
+
+
+
+
+
+
+
+ 1
+
+
+ BasicAuthenticator
+ basicauth
+ true
+
+
+ true
+ true
+
+
+ true
+ true
+
+
+
+
+
+
+
+
+ true
+
+
+
+
diff --git a/modules/core/distribution/src/repository/conf/identity/service-providers/publisher.xml b/modules/core/distribution/src/repository/conf/identity/service-providers/publisher.xml
new file mode 100644
index 00000000..33a4736d
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/identity/service-providers/publisher.xml
@@ -0,0 +1,60 @@
+
+
+
+ 2
+ publisher
+ App Manager - Publisher
+
+
+
+ publisher
+ samlsso
+
+
+
+
+
+
+
+
+ 1
+
+
+ BasicAuthenticator
+ basicauth
+ true
+
+
+ true
+ true
+
+
+ true
+ true
+
+
+
+
+
+
+
+
+ true
+
+
+
+
diff --git a/modules/core/distribution/src/repository/conf/identity/service-providers/store.xml b/modules/core/distribution/src/repository/conf/identity/service-providers/store.xml
new file mode 100644
index 00000000..9503a87d
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/identity/service-providers/store.xml
@@ -0,0 +1,60 @@
+
+
+
+ 3
+ store
+ App Manager - Store
+
+
+
+ store
+ samlsso
+
+
+
+
+
+
+
+
+ 1
+
+
+ BasicAuthenticator
+ basicauth
+ true
+
+
+ true
+ true
+
+
+ true
+ true
+
+
+
+
+
+
+
+
+ true
+
+
+
+
diff --git a/modules/core/distribution/src/repository/conf/identity/sso-idp-config.xml b/modules/core/distribution/src/repository/conf/identity/sso-idp-config.xml
new file mode 100755
index 00000000..21adc90b
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/identity/sso-idp-config.xml
@@ -0,0 +1,104 @@
+
+
+ https://stratos-local.wso2.com/carbon/tenant-register/select_domain.jsp
+
+
+ devicemgt
+
+ https://localhost:9443/devicemgt/uuf/sso/acs
+
+ https://localhost:9443/devicemgt/uuf/sso/acs
+ true
+ true
+ false
+ false
+
+ http://wso2.org/claims/role
+ http://wso2.org/claims/emailaddress
+
+ true
+ true
+
+ https://localhost:9443/oauth2/token
+
+
+ https://localhost:9443/oauth2/token
+
+
+
+ store
+
+ https://localhost:9443/store/acs
+
+ https://localhost:9443/store/acs
+ true
+ /store/login.jag
+
+
+ social
+
+ https://localhost:9443/social/acs
+
+ https://localhost:9443/social/acs
+ true
+ /social/login
+
+
+ publisher
+
+ https://localhost:9443/publisher/acs
+
+ https://localhost:9443/publisher/acs
+ true
+ /publisher/controllers/login.jag
+ true
+
+ carbonServer
+
+
+
+ API_STORE
+
+ https://localhost:9443/api-store/jagg/jaggery_acs.jag
+
+ https://localhost:9443/api-store/jagg/jaggery_acs.jag
+ true
+ true
+
+ carbonServer
+
+
+
+ portal
+
+ https://localhost:9443/portal/acs
+
+ https://localhost:9443/portal/acs
+ true
+ true
+ true
+
+ https://localhost:9443/oauth2/token
+
+
+ https://localhost:9443/oauth2/token
+
+
+
+
\ No newline at end of file
diff --git a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
new file mode 100644
index 00000000..4daf5c71
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
@@ -0,0 +1,464 @@
+# The OWASP CSRFGuard Project, BSD License
+# Eric Sheridan (eric@infraredsecurity.com), Copyright (c) 2011
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. Neither the name of OWASP nor the names of its contributors may be used
+# to endorse or promote products derived from this software without specific
+# prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
+
+# Common substitutions
+# %servletContext% is the servlet context (e.g. the configured app prefix or war file name, or blank.
+# e.g. if you deploy a default warfile as someApp.war, then %servletContext% will be /someApp
+# if there isnt a context it will be the empty string. So to use this in the configuration, use e.g. %servletContext%/something.html
+# which will translate to e.g. /someApp/something.html
+
+# Logger
+#
+# The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of
+# the object responsible for processing all log messages produced by CSRFGuard. The default
+# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
+# to System.out which JavaEE application servers redirect to a vendor specific log file.
+# Developers can customize the logging behavior of CSRFGuard by implementing the
+# org.owasp.csrfguard.log.ILogger interface and setting the logger property to the new
+# logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
+# to capture all log messages to the console:
+#
+# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
+org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
+
+# Which configuration provider factory you want to use. The default is org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
+# Another configuration provider has more features including config overlays: org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
+# The default configuration provider is: org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
+# which will look for an overlay file, it is there, and the factory inside that file is set it will use it, otherwise will be PropertiesConfigurationProviderFactory
+# it needs to implement org.owasp.csrfguard.config.ConfigurationProviderFactory
+org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
+
+
+# If csrfguard filter is enabled
+org.owasp.csrfguard.Enabled = true
+
+# If csrf guard filter should check even if there is no session for the user
+# Note: this changed around 2014/04, the default behavior used to be to
+# not check if there is no session. If you want the legacy behavior (if your app
+# is not susceptible to CSRF if the user has no session), set this to false
+org.owasp.csrfguard.ValidateWhenNoSessionExists = false
+
+# New Token Landing Page
+#
+# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) defines where
+# to send a user if the token is being generated for the first time, and the use new token landing
+# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) determines if any redirect happens.
+# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not specified, and to true
+# if it is specified.. If UseNewTokenLandingPage is set true then this request is generated
+# using auto-posting forms and will only contain the CSRF prevention token parameter, if
+# applicable. All query-string or form parameters sent with the original request will be
+# discarded. If this property is not defined, CSRFGuard will instead auto-post the user to the
+# original context and servlet path. The following configuration snippet instructs OWASP CSRFGuard to
+# redirect the user to %servletContext%/index.html when the user visits a protected resource
+# without having a corresponding CSRF token present in the HttpSession object:
+#
+# org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/index.html
+
+
+# Protected Methods
+#
+# The protected methods property (org.owasp.csrfguard.ProtectedMethods) defines a comma
+# separated list of HTTP request methods that should be protected by CSRFGuard. The default
+# list is an empty list which will cause all HTTP methods to be protected, thus preserving
+# legacy behavior. This setting allows the user to inform CSRFGuard that only requests of the
+# given types should be considered for protection. All HTTP methods not in the list will be
+# considered safe (i.e. view only / unable to modify data). This should be used only when the
+# user has concrete knowledge that all requests made via methods not in the list
+# are safe (i.e. do not apply an action to any data) since it can actually introduce new
+# security vulnerabilities. For example: the user thinks that all actionable requests are
+# only available by POST requests when in fact some are available via GET requests. If the
+# user has excluded GET requests from the list then they have introduced a vulnerability.
+# The following configuration snippet instructs OWASP CSRFGuard to protect only the POST,
+# PUT, and DELETE HTTP methods.
+#
+# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
+
+# or you can configure all to be protected, and specify which is unprotected. This is the preferred approach
+
+# WSO2 : Since state-changing operations are not performed via HTTP GET,
+# disabling CSRF validation for GET method.
+org.owasp.csrfguard.UnprotectedMethods=GET
+
+# Unique Per-Page Tokens
+#
+# The unique token per-page property (org.owasp.csrfguard.TokenPerPage) is a boolean value that
+# determines if CSRFGuard should make use of unique per-page (i.e. URI) prevention tokens as
+# opposed to unique per-session prevention tokens. When a user requests a protected resource,
+# CSRFGuard will determine if a page specific token has been previously generated. If a page
+# specific token has not yet been previously generated, CSRFGuard will verify the request was
+# submitted with the per-session token intact. After verifying the presence of the per-session token,
+# CSRFGuard will create a page specific token that is required for all subsequent requests to the
+# associated resource. The per-session CSRF token can only be used when requesting a resource for
+# the first time. All subsequent requests must have the per-page token intact or the request will
+# be treated as a CSRF attack. This behavior can be changed with the org.owasp.csrfguard.TokenPerPagePrecreate
+# property. Enabling this property will make CSRFGuard calculate the per page token prior to a first
+# visit. This option only works with JSTL token injection and is useful for preserving the validity of
+# links if the user pushes the back button. There may be a performance impact when enabling this option
+# if the .jsp has a large number of proctected links that need tokens to be calculated.
+# Use of the unique token per page property is currently experimental
+# but provides a significant amount of improved security. Consider the exposure of a CSRF token using
+# the legacy unique per-session model. Exposure of this token facilitates the attacker's ability to
+# carry out a CSRF attack against the victim's active session for any resource exposed by the web
+# application. Now consider the exposure of a CSRF token using the experimental unique token per-page
+# model. Exposure of this token would only allow the attacker to carry out a CSRF attack against the
+# victim's active session for a small subset of resources exposed by the web application. Use of the
+# unique token per-page property is a strong defense in depth strategy significantly reducing the
+# impact of exposed CSRF prevention tokens. The following configuration snippet instructs OWASP
+# CSRFGuard to utilize the unique token per-page model:
+#
+# org.owasp.csrfguard.TokenPerPage=true
+# org.owasp.csrfguard.TokenPerPagePrecreate=false
+
+# WSO2 : Considering overhead, necessity, as well as current unintended behaviour
+# of library after blocking a CSRF attack, disabling per-page tokens.
+org.owasp.csrfguard.TokenPerPage=false
+org.owasp.csrfguard.TokenPerPagePrecreate=false
+
+# Token Rotation
+#
+# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean value that determines if
+# CSRFGuard should generate and utilize a new token after verifying the previous token. Rotation
+# helps minimize the window of opportunity an attacker has to leverage the victim's stolen token
+# in a targeted CSRF attack. However, this functionality generally causes navigation problems in
+# most applications. Specifically, the 'Back' button in the browser will often cease to function
+# properly. When a user hits the 'Back' button and interacts with the HTML, the browser may submit
+# an old token causing CSRFGuard to incorrectly believe this request is a CSRF attack in progress
+# (i.e. a 'false positive'). Users can prevent this scenario by preventing the caching of HTML pages
+# containing FORM submissions using the cache-control header. However, this may also introduce
+# performance problems as the browser will have to request HTML on a more frequent basis. The following
+# configuration snippet enables token rotation:
+#
+# org.owasp.csrfguard.Rotate=true
+
+# Ajax and XMLHttpRequest Support
+#
+# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that indicates whether or not OWASP
+# CSRFGuard should support the injection and verification of unique per-session prevention tokens for
+# XMLHttpRequests. To leverage Ajax support, the user must not only set this property to true but must
+# also reference the JavaScript DOM Manipulation code using a script element. This dynamic script will
+# override the send method of the XMLHttpRequest object to ensure the submission of an X-Requested-With
+# header name value pair coupled with the submission of a custom header name value pair for each request.
+# The name of the custom header is the value of the token name property and the value of the header is
+# always the unique per-session token value. This custom header is analogous to the HTTP parameter name
+# value pairs submitted via traditional GET and POST requests. If the X-Requested-With header was sent
+# in the HTTP request, then CSRFGuard will look for the presence and ensure the validity of the unique
+# per-session token in the custom header name value pair. Note that verification of these headers takes
+# precedence over verification of the CSRF token supplied as an HTTP parameter. More specifically,
+# CSRFGuard does not verify the presence of the CSRF token if the Ajax support property is enabled and
+# the corresponding X-Requested-With and custom headers are embedded within the request. The following
+# configuration snippet instructs OWASP CSRFGuard to support Ajax requests by verifying the presence and
+# correctness of the X-Requested-With and custom headers:
+#
+# org.owasp.csrfguard.Ajax=true
+org.owasp.csrfguard.Ajax=true
+
+# The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
+# If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
+# All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
+# but you only want to protect a few pages.
+#
+# org.owasp.csrfguard.Protect=true
+
+# Unprotected Pages:
+#
+# The unprotected pages property (org.owasp.csrfguard.unprotected.*) defines a series of pages that
+# should not be protected by CSRFGuard. Such configurations are useful when the CsrfGuardFilter is
+# aggressively mapped (ex: /*). The syntax of the property name is org.owasp.csrfguard.unprotected.[PageName],
+# where PageName is some arbitrary identifier that can be used to reference a resource. The syntax of
+# defining the uri of unprotected pages is the same as the syntax used by the JavaEE container for uri mapping.
+# Specifically, CSRFGuard will identify the first match (if any) between the requested uri and an unprotected
+# page in order of declaration. Match criteria is as follows:
+#
+# Case 1: exact match between request uri and unprotected page
+# Case 2: longest path prefix match, beginning / and ending /*
+# Case 3: extension match, beginning *.
+# Case 4: if the value starts with ^ and ends with $, it will be evaulated as a regex. Note that before the
+# regex is compiled, any common variables will be substituted (e.g. %servletContext%)
+# Default: requested resource must be validated by CSRFGuard
+#
+# The following code snippet illustrates the four use cases over four examples. The first two examples
+# (Tag and JavaScriptServlet) look for direct URI matches. The third example (Html) looks for all resources
+# ending in a .html extension. The next example (Public) looks for all resources prefixed with the URI path /MySite/Public/*.
+# The last example looks for resources that end in Public.do
+#
+# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
+# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
+# org.owasp.csrfguard.unprotected.Html=*.html
+# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
+# regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex
+# org.owasp.csrfguard.unprotected.PublicServlet=^%servletContext%/.*Public\.do$
+
+#org.owasp.csrfguard.unprotected.Default=%servletContext%/
+#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
+#org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
+#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
+#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
+#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
+#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
+#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
+#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
+#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
+#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
+
+# Actions: Responding to Attacks
+#
+# The actions directive (org.owasp.csrfguard.action.*) gives the user the ability to specify one or more
+# actions that should be invoked when a CSRF attack is detected. Every action must implement the
+# org.owasp.csrfguard.action.IAction interface either directly or indirectly through the
+# org.owasp.csrfguard.action.AbstractAction helper class. Many actions accept parameters that can be specified
+# along with the action class declaration. These parameters are consumed at runtime and impact the behavior of
+# the associated action.
+#
+# The syntax for defining and configuring CSRFGuard actions is relatively straight forward. Let us assume we wish
+# to redirect the user to a default page when a CSRF attack is detected. A redirect action already exists within
+# the CSRFGuard bundle and is available via the class name org.owasp.csrfguard.actions.Redirect. In order to enable
+# this action, we capture the following declaration in the Owasp.CsrfGuard.properties file:
+#
+# syntax: org.owasp.csrfguard.action.[actionName]=[className]
+# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
+#
+# The aforementioned directive declares an action called "Redirect" (i.e. [actionName]) referencing the Java class
+# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a CSRF attack is detected, the Redirect action
+# will be executed. You may be asking yourself, "but how do I specify where the user is redirected?"; this is where
+# action parameters come into play. In order to specify the redirect location, we capture the following declaration
+# in the Owasp.CsrfGuard.properties file:
+#
+# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[parameterValue]
+# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%servletContext%/error.html
+#
+# The aforementioned directive declares an action parameter called "ErrorPage" (i.e. [parameterName]) with the value
+# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action "Redirect" (i.e. [actionName]). The
+# Redirect action expects the "ErrorPage" parameter to be defined and will redirect the user to this location when
+# an attack is detected.
+#
+#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
+org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
+org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
+#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
+
+# WSO2 : Disable redirecting user to an error page after blocking a CSRF attack
+#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
+#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
+
+#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
+#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
+
+# WSO2 : Disabling token rotation after blocking a CSRF attack, since this behaviour
+# will break back navigation after blocking an attack.
+#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
+
+#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
+#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
+
+# WSO2 : Enable sending a 403 error after blocking a CSRF attack. Product teams
+# can add error page that handles 403 or “org.owasp.csrfguard.action.Error” to
+# display custom error pages.
+org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
+org.owasp.csrfguard.action.Error.Code=403
+org.owasp.csrfguard.action.Error.Message=Security violation.
+
+# Token Name
+#
+# The token name property (org.owasp.csrfguard.TokenName) defines the name of the HTTP parameter
+# to contain the value of the OWASP CSRFGuard token for each request. The following configuration
+# snippet sets the CSRFGuard token parameter name to the value OWASP_CSRFTOKEN:
+#
+# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
+
+# WSO2 : Since, CSRFGuard will send relevant token name as HTTP header
+# “X-” prefix was added to express that this is a non-standard header.
+org.owasp.csrfguard.TokenName=X-CSRF-Token
+
+# Session Key
+#
+# The session key property (org.owasp.csrfguard.SessionKey) defines the string literal used to save
+# and lookup the CSRFGuard token from the session. This value is used by the filter and the tag
+# libraries to retrieve and set the token value in the session. Developers can use this key to
+# programmatically lookup the token within their own code. The following configuration snippet sets
+# the session key to the value OWASP_CSRFTOKEN:
+#
+# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
+org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
+
+# Token Length
+#
+# The token length property (org.owasp.csrfguard.TokenLength) defines the number of characters that
+# should be found within the CSRFGuard token. Note that characters are delimited by dashes (-) in groups
+# of four. For cosmetic reasons, users are encourage to ensure the token length is divisible by four.
+# The following configuration snippet sets the token length property to 32 characters:
+#
+# org.owasp.csrfguard.TokenLength=32
+org.owasp.csrfguard.TokenLength=32
+
+# Pseudo-random Number Generator
+#
+# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
+# to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
+# pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
+# generator to SHA1PRNG:
+#
+# org.owasp.csrfguard.PRNG=SHA1PRNG
+org.owasp.csrfguard.PRNG=SHA1PRNG
+
+# Pseudo-random Number Generator Provider
+
+# The pseudo-random number generator provider property (org.owasp.csrfguard.PRNG.Provider) defines which
+# provider's implementation of org.owasp.csrfguard.PRNG we should utilize. The following configuration
+# snippet instructs the JVM to leverage SUN's implementation of the algorithm denoted by the
+# org.owasp.csrfguard.PRNG property:
+
+# org.owasp.csrfguard.PRNG.Provider=SUN
+# WSO2 - Pseudo-random number generator provider should be configured based on
+# environment (SUN/IBMJCE)
+org.owasp.csrfguard.PRNG.Provider=SUN
+
+# If not specifying the print config option in the web.xml, you can specify it here, to print the config
+# on startup
+
+# WSO2 : Disable printing configuration during start-up
+org.owasp.csrfguard.Config.Print = false
+
+###########################
+## Javascript servlet settings if not set in web.xml
+## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
+###########################
+
+# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jarfile
+# Denotes the location of the JavaScript template file that should be consumed and dynamically
+# augmented by the JavaScriptServlet class. The default value is WEB-INF/Owasp.CsrfGuard.js.
+# Use of this property and the existence of the specified template file is required.
+org.owasp.csrfguard.JavascriptServlet.sourceFile =
+
+# Boolean value that determines whether or not the dynamic JavaScript code should be strict
+# with regards to what links it should inject the CSRF prevention token. With a value of true,
+# the JavaScript code will only place the token in links that point to the same exact domain
+# from which the HTML originated. With a value of false, the JavaScript code will place the
+# token in links that not only point to the same exact domain from which the HTML originated,
+# but sub-domains as well.
+org.owasp.csrfguard.JavascriptServlet.domainStrict = true
+
+# Allows the developer to specify the value of the Cache-Control header in the HTTP response
+# when serving the dynamic JavaScript file. The default value is private, maxage=28800.
+# Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance.
+# Note that the Cache-Control header is always set to "no-store" when either the "Rotate"
+# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
+org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
+
+# Allows the developer to specify a regular expression describing the required value of the
+# Referer header. Any attempts to access the servlet with a Referer header that does not
+# match the captured expression is discarded. Inclusion of referer header checking is to
+# help minimize the risk of JavaScript Hijacking attacks that attempt to steal tokens from
+# the dynamically generated JavaScript. While the primary defenses against JavaScript
+# Hijacking attacks are implemented within the dynamic JavaScript itself, referer header
+# checking is implemented to achieve defense in depth.
+org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
+
+# Similar to javascript servlet referer pattern, but this will make sure the referer of the
+# javascript servlet matches the domain of the request. If there is no referer (proxy strips it?)
+# then it will not fail. Generally this is a good idea to be true.
+org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
+
+# Boolean value that determines whether or not the dynamic JavaScript code should
+# inject the CSRF prevention token as a hidden field into HTML forms. The default
+# value is true. Developers are strongly discouraged from disabling this property
+# as most server-side state changing actions are triggered via a POST request.
+org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
+
+# if the token should be injected in GET forms (which will be on the URL)
+# if the HTTP method GET is unprotected, then this should likely be false
+
+# WSO2 : Disable JavaScript from injecting token value to HTTP GET based forms.
+# This prevents token leakage that could occur when sending token in URL.
+# State-changing actions should not be performed over HTTP GET
+org.owasp.csrfguard.JavascriptServlet.injectGetForms = false
+
+# if the token should be injected in the action in forms
+# note, if injectIntoForms is true, then this might not need to be true
+
+# WSO2 : Disable JavaScript from injecting token value to form action.
+# This prevents token leakage that could occur when sending token in URL.
+org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = false
+
+
+# Boolean value that determines whether or not the dynamic JavaScript code should
+# inject the CSRF prevention token in the query string of src and href attributes.
+# Injecting the CSRF prevention token in a URL resource increases its general risk
+# of exposure to unauthorized parties. However, most JavaEE web applications respond
+# in the exact same manner to HTTP requests and their associated parameters regardless
+# of the HTTP method. The risk associated with not protecting GET requests in this
+# situation is perceived greater than the risk of exposing the token in protected GET
+# requests. As a result, the default value of this attribute is set to true. Developers
+# that are confident their server-side state changing controllers will only respond to
+# POST requests (i.e. discarding GET requests) are strongly encouraged to disable this property.
+
+# WSO2 : Disable JavaScript from injecting token value to “src” and “href”.
+# This prevents token leakage that could occur when sending token in URL.
+org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = false
+
+
+# WSO2 : Changing X-Request-With header text to avoid unnecessary information disclosure.
+org.owasp.csrfguard.JavascriptServlet.xRequestedWith = WSO2 CSRF Protection
+
+###########################
+## Config overlay settings if you have the provider above set to ConfigurationOverlayProvider
+## This CSRF config provider uses Internet2 Configuration Overlays (documented on Internet2 wiki)
+## By default the configuration is read from the Owasp.CsrfGuard.properties
+## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties overlays
+## the base settings. See the Owasp.CsrfGuard.properties for the possible
+## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
+###########################
+
+# comma separated config files that override each other (files on the right override the left)
+# each should start with file: or classpath:
+# e.g. classpath:Owasp.CsrfGuard.properties, file:c:/temp/myFile.properties
+org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties
+
+# seconds between checking to see if the config files are updated
+org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
+
+
+###########################
+
+
+# please remove the below entry to enable protection for services.
+org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
+org.owasp.csrfguard.unprotected.oauth=%servletContext%/commonauth/*
+org.owasp.csrfguard.unprotected.samlsso=%servletContext%/samlsso/*
+org.owasp.csrfguard.unprotected.authenticationendpoint=%servletContext%/authenticationendpoint/*
+org.owasp.csrfguard.unprotected.wso2=%servletContext%/wso2/*
+org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/*
+org.owasp.csrfguard.unprotected.openid=%servletContext%/openid/*
+org.owasp.csrfguard.unprotected.openidserver=%servletContext%/openidserver/*
+org.owasp.csrfguard.unprotected.passivests=%servletContext%/passivests/*
+org.owasp.csrfguard.unprotected.thrift=%servletContext%/thriftAuthenticator/*
+org.owasp.csrfguard.unprotected.publisher.rest.api=%servletContext%/api/appm/publisher/*
+org.owasp.csrfguard.unprotected.store.rest.api=%servletContext%/api/appm/store/*
+org.owasp.csrfguard.unprotected.certificate.mgt.rest.api=%servletContext%/api/certificate-mgt/*
+org.owasp.csrfguard.unprotected.device.mgt.rest.api=%servletContext%/api/device-mgt/*
+org.owasp.csrfguard.unprotected.dcr.rest.api=%servletContext%/dynamic-client-web/*
\ No newline at end of file
diff --git a/modules/core/distribution/src/repository/conf/security/sso-idp-config.xml b/modules/core/distribution/src/repository/conf/security/sso-idp-config.xml
deleted file mode 100755
index 52899820..00000000
--- a/modules/core/distribution/src/repository/conf/security/sso-idp-config.xml
+++ /dev/null
@@ -1,68 +0,0 @@
-
-
- https://stratos-local.wso2.com/carbon/tenant-register/select_domain.jsp
-
-
-
- cdm
- https://localhost:9443/cdm/acs
- true
- true
- false
- false
-
- http://wso2.org/claims/role
- http://wso2.org/claims/emailaddress
-
- false
-
- true
-
- carbonServer
-
-
-
-
- mdm
- https://localhost:9443/mdm/sso/acs
- true
- true
- false
- false
-
- http://wso2.org/claims/role
- http://wso2.org/claims/emailaddress
-
- false
-
- true
-
- carbonServer
-
-
-
-
-
diff --git a/modules/core/distribution/src/repository/jaggeryapps/api-store/site/conf/site.json b/modules/core/distribution/src/repository/jaggeryapps/api-store/site/conf/site.json
new file mode 100644
index 00000000..2978756e
--- /dev/null
+++ b/modules/core/distribution/src/repository/jaggeryapps/api-store/site/conf/site.json
@@ -0,0 +1,61 @@
+{
+ "theme" : {
+ "base" : "wso2"
+ },
+ "context" : "/api-store",
+ "showPublicStoreURL":true,
+ "showThemesMenu":false,
+ "tagWiseMode" :"false",
+ "tagGroupKey" :"-group",
+ "ssoConfiguration" : {
+ "enabled" : "true",
+ "issuer" : "API_STORE",
+ "identityProviderURL" : "https://localhost:9443/samlsso",
+ "keyStorePassword" : "",
+ "identityAlias" : "",
+ "responseSigningEnabled":"true",
+ "assertionSigningEnabled":"true",
+ "keyStoreName" :"",
+ "passive" : "true",
+ "signRequests" : "true",
+ "assertionEncryptionEnabled" : "false"
+ //"acsURL" : "https://localhost:9443/api-store/jagg/jaggery_acs.jag", //In passive or request signing mode, use only if default Assertion Consumer Service URL needs to be overidden
+ //"nameIdPolicy" : "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", //If not specified, 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' will be used
+ },
+ "oidcConfiguration" : {
+ "enabled" : "false",
+ "issuer" : "API_STORE",
+ "identityProviderURI" : "http://localhost:8080/openid-connect-server-webapp/",
+ "authorizationEndpointURI" : "http://localhost:8080/openid-connect-server-webapp/authorize",
+ "tokenEndpointURI" : "http://localhost:8080/openid-connect-server-webapp/token",
+ "userInfoURI" : "http://localhost:8080/openid-connect-server-webapp/userinfo",
+ "jwksURI" : "http://localhost:8080/openid-connect-server-webapp/jwk",
+ "clientConfiguration" : {
+ "clientId" : "client_am_store",
+ "clientSecret" : "secret",
+ "responseType" : "code",
+ "authorizationType" : "authorization_code",
+ "scope" : "phone email address openid profile",
+ "redirectURI" : "https://localhost:9443/api-store/jagg/jaggery_oidc_acs.jag",
+ "clientAlgorithm" : "RS256"
+ }
+ },
+ "mutualAuthConfiguration" : {
+ "enabled" : "false"
+ },
+ "forum" : {
+ "topicsPerPage" : "5",
+ "repliesPerPage" : "5",
+ "resourceIdentifier" : "common"
+ },
+
+
+ "reverseProxy" : {
+ "enabled" : false, // values true , false , "auto" - will look for X-Forwarded-* headers
+ "host" : "sample.proxydomain.com", // If reverse proxy do not have a domain name use IP
+ "context":""
+ //"regContext":"" // Use only if different path is used for registry
+ },
+ "mapExistingAuthApps" : false
+
+}
diff --git a/modules/core/distribution/src/repository/jaggeryapps/portal/configs/designer.json b/modules/core/distribution/src/repository/jaggeryapps/portal/configs/designer.json
index 9667a236..ba48b0ea 100644
--- a/modules/core/distribution/src/repository/jaggeryapps/portal/configs/designer.json
+++ b/modules/core/distribution/src/repository/jaggeryapps/portal/configs/designer.json
@@ -7,16 +7,21 @@
"ignoreProviders": ["rt"]
},
"authentication": {
- "activeMethod": "basic",
+ "activeMethod": "sso",
"methods": {
"sso": {
"attributes": {
"issuer": "portal",
- "identityProviderURL": "https://localhost:9443/samlsso",
- "responseSigningEnabled": "false",
- "acs": "https://localhost:9444/portal/acs",
+ "identityProviderURL": "%https.host%/samlsso",
+ "responseSigningEnabled": true,
+ "validateAssertionValidityPeriod": true,
+ "validateAudienceRestriction": true,
+ "assertionSigningEnabled": true,
+ "acs": "%https.host%/portal/acs",
"identityAlias": "wso2carbon",
- "useTenantKey": false
+ "defaultNameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+ "useTenantKey": false,
+ "isPassive": false
}
},
"basic": {
@@ -29,15 +34,15 @@
"methods": {
"oauth": {
"attributes": {
- "idPServer": "https://localhost:9443/oauth2/token",
+ "idPServer": "%https.host%/oauth2/token",
"dynamicClientProperties": {
- "callbackUrl": "https://localhost:9443/portal",
+ "callbackUrl": "%https.host%/portal",
"clientName": "portal",
"owner": "admin",
"applicationType": "JaggeryApp",
"grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer",
"saasApp": false,
- "dynamicClientRegistrationEndPoint": "https://localhost:9443/dynamic-client-web/register/",
+ "dynamicClientRegistrationEndPoint": "%https.host%/dynamic-client-web/register/",
"tokenScope": "Production"
}
}
@@ -54,6 +59,15 @@
"cacheSizeBytes": "1073741824",
"defaultDashboardRedirect": false,
"isCreateGadgetEnable": true,
+ "isSecureVaultEnabled" : false,
+ "assets": {
+ "gadget": {
+ "fileSizeLimit": 5
+ },
+ "layout": {
+ "fileSizeLimit": 1
+ }
+ },
"oauth": {
"username": "admin",
"password": "admin"
diff --git a/modules/core/distribution/src/repository/modules/sso/scripts/sso.client.js b/modules/core/distribution/src/repository/modules/sso/scripts/sso.client.js
index 27327a95..33f62fca 100644
--- a/modules/core/distribution/src/repository/modules/sso/scripts/sso.client.js
+++ b/modules/core/distribution/src/repository/modules/sso/scripts/sso.client.js
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005-2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
@@ -16,6 +16,7 @@
* under the License.
*
*/
+
/**
* Following module act as a client to create a saml request and also to
* unwrap and return attributes of a returning saml response
@@ -26,7 +27,7 @@ var client = {};
(function (client) {
- var Util = Packages.org.jaggeryjs.modules.sso.common.util.Util,
+ var Util = Packages.org.wso2.store.sso.common.util.Util,
carbon = require('carbon'),
log = new Log();
@@ -36,8 +37,16 @@ var client = {};
* @return {*}
*/
client.getSamlObject = function (samlResp) {
- var decodedResp = Util.decode(samlResp);
- return Util.unmarshall(decodedResp);
+ var marshalledResponse;
+ try {
+ var decodedResp = Util.decode(samlResp);
+ marshalledResponse = Util.unmarshall(decodedResp);
+ } catch (e) {
+ log.error('Unable to unmarshall SAML response');
+ log.error(e);
+ }
+ return marshalledResponse;
+
};
/**
@@ -72,7 +81,7 @@ var client = {};
client.getEncodedSAMLAuthRequest = function (issuerId) {
return Util.encode(
Util.marshall(
- new Packages.org.jaggeryjs.modules.sso.common.builders.AuthReqBuilder().buildAuthenticationRequest(issuerId)
+ new Packages.org.wso2.store.sso.common.builders.AuthReqBuilder().buildAuthenticationRequest(issuerId)
));
};
@@ -82,8 +91,8 @@ var client = {};
client.getEncodedSAMLLogoutRequest = function (user, sessionIndex, issuerId) {
return Util.encode(
Util.marshall(
- new Packages.org.jaggeryjs.modules.sso.common.builders.LogoutRequestBuilder().buildLogoutRequest(user, sessionIndex,
- Packages.org.jaggeryjs.modules.sso.common.constants.SSOConstants.LOGOUT_USER,
+ new Packages.org.wso2.store.sso.common.builders.LogoutRequestBuilder().buildLogoutRequest(user, sessionIndex,
+ Packages.org.wso2.store.sso.common.constants.SSOConstants.LOGOUT_USER,
issuerId)));
};
@@ -145,4 +154,111 @@ var client = {};
};
+ /**
+ * The method is used to encapsulate all of the validations that
+ * should be performed on a SAML Response
+ */
+ client.validateSamlResponse = function(samlObj, props, keyStoreProps) {
+ props = props || {};
+ var Util = Packages.org.wso2.store.sso.common.util.Util;
+ var propList = createProperties(props);
+ var DEFAULT_TO_TRUE = true;
+ var DEFAULT_TO_FALSE = false;
+ var isValid = true; //Assume all validations will be succeed
+ var isAssertionValidityPeriodChecked = props.validateAssertionValidityPeriod ? props.validateAssertionValidityPeriod : DEFAULT_TO_FALSE;
+ var isAudienceRestrictionChecked = props.validateAudienceRestriction ? props.validateAudienceRestriction : DEFAULT_TO_FALSE;
+ var isAssertionSigningEnabled = props.assertionSigningEnabled ? props.assertionSigningEnabled : DEFAULT_TO_FALSE;
+ var isResponseSigningEnabled = props.responseSigningEnabled ? props.responseSigningEnabled : DEFAULT_TO_FALSE;
+
+ //Step #1: Validate the token validity period
+ if (isAssertionValidityPeriodChecked) {
+ isValid = Util.validateAssertionValidityPeriod(samlObj, propList);
+ }
+
+ //Break processing if the assertion validity period has expired
+ if (!isValid) {
+ return isValid;
+ }
+ //Step #2: Validate the assertion audience
+ if (isAudienceRestrictionChecked) {
+ isValid = Util.validateAudienceRestriction(samlObj, propList);
+ }
+ //Break processing if the audience restriction check fails
+ if (!isValid) {
+ return isValid;
+ }
+
+ //Step #3: Validate the response signature
+ if (isResponseSigningEnabled) {
+ isValid = client.validateSignature(samlObj, keyStoreProps);
+ }
+
+ //Break processing if the signature validation fails
+ if (!isValid) {
+ return isValid;
+ }
+
+ //Step #4: Perform assertion signature verification
+ if (isAssertionSigningEnabled) {
+ isValid = callValidateAssertionSignature(samlObj, keyStoreProps);
+ }
+ return isValid;
+ };
+
+ /**
+ * getting url encoded signed saml authentication request
+ */
+ client.getEncodedSignedSAMLAuthRequest = function (issuerId, destination, acsUrl, isPassive, tenantId, tenantDomain, nameIdPolicy) {
+ return Util.encode(
+ Util.marshall(
+ new Packages.org.jaggeryjs.modules.sso.common.builders.AuthReqBuilder().buildAuthenticationRequest(issuerId, destination, acsUrl,
+ isPassive, tenantId, tenantDomain, nameIdPolicy)
+ ));
+ };
+
+ /**
+ * get url encoded signed saml logout request
+ */
+ client.getEncodedSignedSAMLLogoutRequest = function (user, sessionIndex, issuerId, tenantId, tenantDomain, destination, nameIdFormat) {
+ return Util.encode(
+ Util.marshall(
+ new Packages.org.jaggeryjs.modules.sso.common.builders.LogoutRequestBuilder().buildLogoutRequest(user, sessionIndex,
+ Packages.org.wso2.store.sso.common.constants.SSOConstants.LOGOUT_USER,
+ issuerId)));
+
+ };
+
+ /**
+ * A utility method used to convert a JSON object to
+ * a properties object
+ */
+ function createProperties(props) {
+ var javaPropertyList = new java.util.Properties();
+ Object.keys(props).forEach(function(key) {
+ if (props.hasOwnProperty(key)) {
+ javaPropertyList.setProperty(key, props[key]);
+ }
+ });
+ return javaPropertyList;
+ }
+ /**
+ * Invokes the validateAssertionSignature method by first
+ * resolving tenant details
+ */
+ function callValidateAssertionSignature(samlObj, config) {
+ var Util = Packages.org.wso2.store.sso.common.util.Util;
+ var tDomain, tId;
+ var carbon = require('carbon');
+ if (config.USE_ST_KEY) {
+ tDomain = carbon.server.superTenant.domain;
+ tId = carbon.server.superTenant.tenantId;
+ } else {
+ tDomain = Util.getDomainName(samlObj);
+ tId = carbon.server.tenantId({
+ domain: tDomain
+ });
+ }
+ return Util.validateAssertionSignature(samlObj, config.KEY_STORE_NAME, config.KEY_STORE_PASSWORD, config.IDP_ALIAS, tId, tDomain);
+ }
+
}(client));
\ No newline at end of file
diff --git a/modules/core/p2-profile-gen/pom.xml b/modules/core/p2-profile-gen/pom.xml
index 0e9eb687..5a02f5ef 100644
--- a/modules/core/p2-profile-gen/pom.xml
+++ b/modules/core/p2-profile-gen/pom.xml
@@ -421,6 +421,25 @@
+
+
+ org.wso2.carbon.dashboards:org.wso2.carbon.dashboards.shindig.feature:${carbon.dashboard.version}
+
+
+ org.wso2.carbon.dashboards:org.wso2.carbon.dashboards.portal.feature:${carbon.dashboard.version}
+
+
+ org.wso2.carbon.dashboards:org.wso2.carbon.dashboards.deployment.feature:${carbon.dashboard.version}
+
+
+
+
+ org.wso2.carbon.analytics.cdmf:org.wso2.carbon.analytics.cdmf.feature:${cdmf.analytics.version}
+
+
+ org.wso2.carbon.devicemgt-plugins:org.wso2.carbon.iot.device.statistics.dashboard.feature:${carbon.device.mgt.plugin.version}
+
+
org.wso2.carbon.mediation:org.apache.synapse.wso2.feature:${carbon.mediation.version}
@@ -911,6 +930,25 @@
+
+
+ org.wso2.carbon.dashboards.shindig.feature.group
+ ${carbon.dashboard.version}
+
+
+ org.wso2.carbon.dashboards.portal.feature.group
+ ${carbon.dashboard.version}
+
+
+ org.wso2.carbon.dashboard.deployment.feature.group
+ ${carbon.dashboard.version}
+
+
+ org.wso2.carbon.iot.device.statistics.dashboard.feature.group
+ ${carbon.device.mgt.plugin.version}
+
+
+
org.wso2.carbon.apimgt.core.feature.group
@@ -3309,4 +3347,4 @@
-
+
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 2d377f27..d3561089 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1483,11 +1483,11 @@
1.3
- 0.12.6
- 1.5.2
- 1.5.2
- 1.5.2
- 1.5.2
+ 0.12.8
+ 1.5.5
+ 1.5.5
+ 1.5.5
+ 1.5.54.4.2
@@ -1648,6 +1648,7 @@
2.8.2.wso2v12.0.0.wso2v12.0.4-SNAPSHOT
+ 1.0.0-SNAPSHOT2.1.4[2.6.0,3.0.0)2.3.4-spark
@@ -1689,7 +1690,7 @@
1.0.2
- 1.0.2-SNAPSHOT
+ 1.0.3