Changeset 6788 for TI12-security/trunk/NDGSecurity

Timestamp:

30/03/10 13:22:59 (11 years ago)

Author:

pjkersha

Message:

Contains important fix for OpenIDProviderMiddleware - moved OpenIDResponse object from class member to session key to preserve separation between user sessions in sign in process. This bug was manifest in users being incorrectly redirected following login.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_common/ndg/security/common/authz/xacml (added)
• ndg_security_common/ndg/security/common/authz/xacml/parsers (added)
• ndg_security_common/ndg/security/common/soap/client.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/utils/factory.py (modified) (1 diff)
• ndg_security_common/setup.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/attributeauthority.py (modified) (6 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz/__init__.py (modified) (7 diffs)
• ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (4 diffs)
• ndg_security_server/ndg/security/server/wsgi/session.py (modified) (6 diffs)
• ndg_security_test/ndg/security/test/integration/__init__.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/policy.xml (modified) (2 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini (modified) (3 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini (modified) (9 diffs)
• ndg_security_test/ndg/security/test/unit/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/authz/xacml (added)
• ndg_security_test/ndg/security/test/unit/soap-attribute-query.xml (added)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/README (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/ndg-policy.xml (deleted)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/ndg-test.ini (deleted)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py (modified) (9 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/soap/client.py

@@ -25 +25 @@
 class SOAPClientBase(object):
     """Handle client request to a SOAP Service
-    @cvar RESPONSE_CONTENT_TYPES: expected content type to be returned in a response
-    from a service
+    @cvar RESPONSE_CONTENT_TYPES: expected content type to be returned in a 
+    response from a service
     @type RESPONSE_CONTENT_TYPES: string
     """

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/utils/factory.py

@@ -34 +34 @@
                 objectName = objectName.split('.')
         else: 
-            _moduleName, objectName = moduleName.rsplit('.', 1)
+            try:
+                _moduleName, objectName = moduleName.rsplit('.', 1)
+            except ValueError:
+                raise ValueError('Invalid module name %r set for import: %s' %
+                                 (moduleName, traceback.format_exc()))
+                
             objectName = [objectName]
     else:

TI12-security/trunk/NDGSecurity/python/ndg_security_common/setup.py

@@ -24 +24 @@
 # TODO: subdivide these into server and client specific and comon dependencies
 _pkgDependencies = [
-    'PyXML', # include as a separate dependency to force correct download link
     'ZSI',
     '4Suite-XML',
     'M2Crypto',
-    'ndg_security_saml'
+    'ndg_saml'
     ]
-
-# TODO: configure an option so that database support can be set for the 
-# Credential Repository.  MySQL package may need to be in its own option
-# eventually
-credentialRepositoryDbSupport = False
-if credentialRepositoryDbSupport:
-    _pkgDependencies += [
-    'SQLObject',
-    'MySQL-python', # TODO: fix gcc error: unrecognized option `-restrict'
-]
 
 # Python 2.5 includes ElementTree by default

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/attributeauthority.py

@@ -38 +38 @@
 from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
 from ndg.security.common.X509 import X500DN
-from ndg.security.common.utils import TypedList, RestrictedKeyNamesDict
+from ndg.security.common.utils import TypedList
 from ndg.security.common.utils.classfactory import instantiateClass
 from ndg.security.common.utils.configfileparsers import (
@@ -63 +63 @@
     interface for Earth System Grid
     
-    @type propertyDefaults: dict
-    @cvar propertyDefaults: valid configuration property keywords
+    @type PROPERTY_DEFAULTS: dict
+    @cvar PROPERTY_DEFAULTS: valid configuration property keywords
     
     @type ATTRIBUTE_INTERFACE_PROPERTY_DEFAULTS: dict
@@ -109 +109 @@
     # Values set to not NotImplemented here denote keys which must be specified
     # in the config
-    propertyDefaults = { 
+    PROPERTY_DEFAULTS = { 
         ISSUER_NAME_OPTNAME:            '',
         ASSERTION_LIFETIME_OPTNAME:     -1,
@@ -135 +135 @@
         self.__propPrefix = ''
         
-        self.__attributeInterfaceCfg = RestrictedKeyNamesDict(
-                    AttributeAuthority.ATTRIBUTE_INTERFACE_PROPERTY_DEFAULTS)
+        self.__attributeInterfaceCfg = \
+                AttributeAuthority.ATTRIBUTE_INTERFACE_PROPERTY_DEFAULTS.copy()
         
     def __getstate__(self):
@@ -390 +390 @@
                 continue
             
-            if name not in AttributeAuthority.propertyDefaults:
+            if name not in AttributeAuthority.PROPERTY_DEFAULTS:
                 raise AttributeError('Invalid attribute name "%s"' % name)
             
@@ -396 +396 @@
                 val = os.path.expandvars(val)
             
-            if isinstance(AttributeAuthority.propertyDefaults[name], list):
+            if isinstance(AttributeAuthority.PROPERTY_DEFAULTS[name], list):
                 val = AttributeAuthority.CONFIG_LIST_SEP_PAT.split(val)
                 

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py

@@ -26 +26 @@
                                                 AttributeQuerySslSOAPBinding
 
-from ndg.security.common.credentialwallet import (NDGCredentialWallet,
-                                                  SAMLCredentialWallet)
+from ndg.security.common.credentialwallet import SAMLCredentialWallet
 from ndg.security.server.wsgi import (NDGSecurityMiddlewareBase, 
                                       NDGSecurityMiddlewareConfigError)
@@ -43 +42 @@
                                            PIPAttributeResponse)
 
-# The NDG Interface Subject type includes support for Session Manager related
-# keywords which are not needed by the newer SamlPIPMiddleware
-from ndg.security.common.authz.pip.ndginterface import PIP, Subject
-from ndg.security.common.authz.msi import (Policy, PDP, Request, 
-                                           Response, Resource)
+from ndg.security.common.authz import Subject
+from ndg.security.common.authz.msi import (Policy, PDP, Request, Response, 
+                                           Resource)
 
 
@@ -56 +53 @@
 class PEPFilterConfigError(PEPFilterError):
     """Configuration related error for PEPFilter"""
+
 
 class PEPFilter(SessionMiddlewareBase):
@@ -154 +152 @@
                   "user authorisation ...")
         
-        # Make a request object to pass to the PDP.  Set an NDG type Subject
-        # which has the extra keyword support for Session Manager and 
-        # Session ID needed by NdgPIPMiddleware.  This can be deprecated in a 
-        # future release when the SOAP/WSL attribute interface is withdrawn
-        # and completely replaced by the SAML one
-        request = Request(subject=Subject())
+        # Make a request object to pass to the PDP.  
+        request = Request()
         request.subject[Subject.USERID_NS] = session['username']
-        
-        # IdP Session Manager specific settings:
-        #
-        # The following won't be set if the IdP running the OpenID Provider
-        # hasn't also deployed a Session Manager.  In this case, the
-        # Attribute Authority will be queried directly from here without a
-        # remote Session Manager intermediary to cache credentials
-        request.subject[Subject.SESSIONID_NS] = session.get('sessionId')
-        request.subject[Subject.SESSIONMANAGERURI_NS] = session.get(
-                                                        'sessionManagerURI')
         request.resource[Resource.URI_NS] = resourceURI
 
@@ -304 +288 @@
 
    
-class NdgPIPMiddlewareError(Exception):
-    """Base class for Policy Information Point WSGI middleware exception types
-    """
-    
-class NdgPIPMiddlewareConfigError(NdgPIPMiddlewareError):
-    """Configuration related error for Policy Information Point WSGI middleware
-    """    
-    
-class NdgPIPMiddleware(PIP, NDGSecurityMiddlewareBase):
-    '''Extend Policy Information Point to enable caching of credentials in
-    a NDGCredentialWallet object held in beaker.session
-    '''
-    ENVIRON_KEYNAME = 'ndg.security.server.wsgi.authz.NdgPIPMiddleware'
-       
-    propertyDefaults = {
-        'sessionKey': 'beaker.session.ndg.security',
-    }
-    propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults)
-  
-    def __init__(self, app, global_conf, prefix='', **local_conf):
-        '''
-        @type app: callable following WSGI interface
-        @param app: next middleware application in the chain      
-        @type global_conf: dict        
-        @param global_conf: PasteDeploy global configuration dictionary
-        @type prefix: basestring
-        @param prefix: prefix for configuration items
-        @type local_conf: dict        
-        @param local_conf: PasteDeploy application specific configuration 
-        dictionary
-        '''
-        
-        # Pre-process list items splitting as needed
-        if isinstance(local_conf.get('caCertFilePathList'), basestring):
-            local_conf[
-                'caCertFilePathList'] = NDGSecurityMiddlewareBase.parseListItem(
-                                            local_conf['caCertFilePathList'])
-            
-        if isinstance(local_conf.get('sslCACertFilePathList'), basestring):
-            local_conf[
-                'sslCACertFilePathList'
-                ] = NDGSecurityMiddlewareBase.parseListItem(
-                                        local_conf['sslCACertFilePathList'])
-            
-        PIP.__init__(self, prefix=prefix, **local_conf)
-        
-        for k in local_conf.keys():
-            if k.startswith(prefix):
-                del local_conf[k]
-                
-        NDGSecurityMiddlewareBase.__init__(self,
-                                           app,
-                                           global_conf,
-                                           prefix=prefix,
-                                           **local_conf)
-        
-    def __call__(self, environ, start_response):
-        """Take a copy of the session object so that it is in scope for
-        _getAttributeCertificate call and add this instance to the environ
-        so that the PEPFilter can retrieve it and pass on to the PDP
-        
-        @type environ: dict
-        @param environ: WSGI environment variables dictionary
-        @type start_response: function
-        @param start_response: standard WSGI start response function
-        @rtype: iterable
-        @return: response
-        """
-        self.session = environ.get(self.sessionKey)
-        if self.session is None:
-            raise NdgPIPMiddlewareConfigError('No beaker session key "%s" found '
-                                           'in environ' % self.sessionKey)
-        environ[NdgPIPMiddleware.ENVIRON_KEYNAME] = self
-        
-        return self._app(environ, start_response)
-               
-    def _getAttributeCertificate(self, attributeAuthorityURI, **kw):
-        '''Extend base class implementation to make use of the 
-        NDGCredentialWallet Attribute Certificate cache held in the beaker 
-        session.  If no suitable certificate is present invoke default behaviour 
-        and retrieve an Attribute Certificate from the Attribute Authority or 
-        Session Manager specified
-
-        @type attributeAuthorityURI: basestring
-        @param attributeAuthorityURI: URI to Attribute Authority service
-        @type username: basestring
-        @param username: subject user identifier - could be an OpenID        
-        @type sessionId: basestring
-        @param sessionId: Session Manager session handle
-        @type sessionManagerURI: basestring
-        @param sessionManagerURI: URI to remote session manager service
-        @rtype: ndg.security.common.AttCert.AttCert
-        @return: Attribute Certificate containing user roles
-        '''
-        # Check for a wallet in the current session - if not present, create
-        # one.  See ndg.security.server.wsgi.authn.SessionHandlerMiddleware
-        # for session keys.  The 'credentialWallet' key is deleted along with
-        # any other security keys when the user logs out
-        if not 'credentialWallet' in self.session:
-            log.debug("NdgPIPMiddleware._getAttributeCertificate: adding a "
-                      "Credential Wallet to user session [%s] ...",
-                      self.session['username'])
-            
-            self.session['credentialWallet'] = NDGCredentialWallet(
-                                            userId=self.session['username'])
-            self.session.save()
-            
-        # Take reference to wallet for efficiency
-        credentialWallet = self.session['credentialWallet']    
-        
-        # Check for existing credentials cached in wallet            
-        credentialItem = credentialWallet.credentialsKeyedByURI.get(
-                                                        attributeAuthorityURI)        
-        if credentialItem is not None:
-            log.debug("NdgPIPMiddleware._getAttributeCertificate: retrieved "
-                      "existing Attribute Certificate cached in Credential "
-                      "Wallet for user session [%s]",
-                      self.session['username'])
-
-            # Existing cached credential found - skip call to remote Session
-            # Manager / Attribute Authority and return this certificate instead
-            return credentialItem.credential
-        else:   
-            attrCert = PIP._getAttributeCertificate(self,
-                                                    attributeAuthorityURI,
-                                                    **kw)
-            
-            log.debug("NdgPIPMiddleware._getAttributeCertificate: updating "
-                      "Credential Wallet with retrieved Attribute "
-                      "Certificate for user session [%s]",
-                      self.session['username'])
-        
-            # Update the wallet with this Attribute Certificate so that it's 
-            # cached for future calls
-            credentialWallet.addCredential(attrCert,
-                                attributeAuthorityURI=attributeAuthorityURI)
-            
-            return attrCert
-
-   
 class SamlPIPMiddlewareError(Exception):
     """Base class for SAML based Policy Information Point WSGI middleware 
@@ -450 +294 @@
 
   
-class SamlPIPMiddlewareConfigError(NdgPIPMiddlewareError):
-    """Configuration related error for Policy Information Point WSGI middleware
+class SamlPIPMiddlewareConfigError(SamlPIPMiddlewareError):
+    """Configuration related error for SAML Policy Information Point WSGI 
+    middleware
     """
     
@@ -730 +575 @@
 
         super(AuthorizationMiddlewareBase, self).__init__(app, {})
- 
-
-class NDGAuthorizationMiddleware(AuthorizationMiddlewareBase):
-    """Implementation of AuthorizationMiddlewareBase using the NDG Policy
-    Information Point interface.  This retrieves attributes over the SOAP/WSDL
-    Attribute Authority interface 
-    (ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware)
-    and caches NDG Attribute Certificates in an 
-    ndg.security.common.credentialWallet.NDGCredentialWallet
-    """      
-    PIP_MIDDLEWARE_CLASS = NdgPIPMiddleware   
-
-
-class AuthorizationMiddleware(NDGAuthorizationMiddleware):
-    """Include this class for backwards compatibility - see warning message
-    in FUTURE_DEPRECATION_WARNING_MSG class variable"""
-    FUTURE_DEPRECATION_WARNING_MSG = (
-        "AuthorizationMiddleware will be deprecated in future releases.  "
-        "NDGAuthorizationMiddleware is a drop in replacement but should be "
-        "replaced with SAMLAuthorizationMiddleware instead")
-    
-    def __init__(self, *arg, **kw):
-        warnings.warn(AuthorizationMiddleware.FUTURE_DEPRECATION_WARNING_MSG,
-                      PendingDeprecationWarning)
-        log.warning(AuthorizationMiddleware.FUTURE_DEPRECATION_WARNING_MSG) 
-        super(AuthorizationMiddleware, self).__init__(*arg, **kw)
 
 

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py

@@ -180 +180 @@
     APPROVED_FLAG_SESSION_KEYNAME = 'approved'
     LAST_CHECKID_REQUEST_SESSION_KEYNAME = 'lastCheckIDRequest'
+    OID_RESPONSE_SESSION_KEYNAME = 'oidResponse'
+    
     PARAM_PREFIX = 'openid.provider.'
     
@@ -217 +219 @@
         self.__trustedRelyingParties = ()
         self.__axResponse = None
-        
-        # See _createResponse method
-        self.__oidResponse = None
 
         opt = OpenIDProviderMiddleware.defOpt.copy()
@@ -1450 +1449 @@
 
     def getOidResponse(self):
-        return self.__oidResponse
+        return self.__session.get(
+                        OpenIDProviderMiddleware.OID_RESPONSE_SESSION_KEYNAME)
 
     def getSregResponse(self):
@@ -1472 +1472 @@
                             '"oidResponse" attribute; got %r' %
                             type(value))
-        self.__oidResponse = value
+        self.__session[OpenIDProviderMiddleware.OID_RESPONSE_SESSION_KEYNAME
+                       ] = value
 
     def setSregResponse(self, value):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py

@@ -86 +86 @@
     SIGNOUT_PATH_PARAMNAME = 'signoutPath'
     SESSION_KEY_PARAMNAME = 'sessionKey'
+    DEFAULT_LOGOUT_RETURN2URI_PARAMNAME = 'defaultLogoutReturnToURI'
+    
     propertyDefaults = {
         SIGNOUT_PATH_PARAMNAME: None,
-        SESSION_KEY_PARAMNAME: 'beaker.session.ndg.security'
+        SESSION_KEY_PARAMNAME: 'beaker.session.ndg.security',
+        DEFAULT_LOGOUT_RETURN2URI_PARAMNAME: '/'
     }
     
@@ -94 +97 @@
     
     LOGOUT_RETURN2URI_ARGNAME = 'ndg.security.logout.r'
+    LOGOUT_REDIRECT_STATUS_CODE = 302
     
     PARAM_PREFIX = 'sessionHandler.'
@@ -109 +113 @@
         dictionary
         '''
-        signoutPathParamName = prefix + \
-                                SessionHandlerMiddleware.SIGNOUT_PATH_PARAMNAME
+        cls = SessionHandlerMiddleware
+        signoutPathParamName = prefix + cls.SIGNOUT_PATH_PARAMNAME
         
         if signoutPathParamName not in app_conf:
             authKitSignOutPath = app_conf.get(
-                    SessionHandlerMiddleware.AUTHKIT_COOKIE_SIGNOUT_PARAMNAME)
+                                        cls.AUTHKIT_COOKIE_SIGNOUT_PARAMNAME)
             
             if authKitSignOutPath:
@@ -120 +124 @@
                 
                 log.info('Set signoutPath=%s from "%s" setting', 
-                     authKitSignOutPath,
-                     SessionHandlerMiddleware.AUTHKIT_COOKIE_SIGNOUT_PARAMNAME)
+                         authKitSignOutPath,
+                         cls.AUTHKIT_COOKIE_SIGNOUT_PARAMNAME)
             else:
                 raise SessionHandlerMiddlewareConfigError(
                                         '"signoutPath" parameter is not set')
-            
+                
+        defaultLogoutReturnToURIParamName = prefix + \
+                                        cls.DEFAULT_LOGOUT_RETURN2URI_PARAMNAME
+        
+        self.__defaultLogoutReturnToURI = app_conf.get(
+                defaultLogoutReturnToURIParamName,
+                cls.propertyDefaults[cls.DEFAULT_LOGOUT_RETURN2URI_PARAMNAME])
+        
         super(SessionHandlerMiddleware, self).__init__(app,
                                                        global_conf,
@@ -184 +195 @@
         session.save()
         
+        
         if self.__class__.LOGOUT_RETURN2URI_ARGNAME in environ['QUERY_STRING']:
             params = dict(parse_querystring(environ))
@@ -191 +203 @@
                                 self.__class__.LOGOUT_RETURN2URI_ARGNAME, '')
             referrer = urllib.unquote(quotedReferrer)
+            
+            log.debug('Set redirect URI following logout based on %r URI query '
+                      'string = %r', 
+                      self.__class__.LOGOUT_RETURN2URI_ARGNAME,
+                      referrer)
         else:
             referrer = environ.get('HTTP_REFERER')
-        
-        if referrer is not None:
-            def _start_response(status, header, exc_info=None):
-                """Alter the header to send a redirect to the logout
-                referrer address"""
-                filteredHeader = [(field, val) for field, val in header 
-                                  if field.lower() != 'location']        
-                filteredHeader.extend([('Location', referrer)])
-                return start_response(self.getStatusMessage(302), 
-                                      filteredHeader,
-                                      exc_info)
-                
-            return _start_response
-        else:
-            log.error('No referrer set for redirect following logout')
-            return start_response
+            if referrer is None:
+                log.warning('No HTTP return to URI set for redirect following '
+                            'logout, either via the return to query string %r '
+                            'or the "HTTP_REFERER" environment variable: '
+                            'redirecting based on the %r config file option = '
+                            '%r', 
+                            self.__class__.LOGOUT_RETURN2URI_ARGNAME,
+                            self.__class__.DEFAULT_LOGOUT_RETURN2URI_PARAMNAME,
+                            self.__defaultLogoutReturnToURI)
+                
+                referrer = self.__defaultLogoutReturnToURI
+            else:
+                log.debug('Set redirect URI following logout based on '
+                          '"HTTP_REFERER" environment variable = %r',
+                          referrer)
+                
+        def _start_response(status, header, exc_info=None):
+            """Alter the header to send a redirect to the logout referrer 
+            address"""
+            
+            # Filter out any existing location field setting
+            filteredHeader = [(field, val) for field, val in header 
+                              if field.lower() != 'location']  
+            
+            # Add redirect destination to new location field setting      
+            filteredHeader.extend([('Location', referrer)])
+            
+            statusMsg = self.getStatusMessage(
+                                    self.__class__.LOGOUT_REDIRECT_STATUS_CODE)
+            
+            return start_response(statusMsg, filteredHeader, exc_info)
+                
+        return _start_response
         
     def _setSession(self, environ, session):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py

@@ -20 +20 @@
 "/test_403": "test_403",
 "/test_securedURI": "test_securedURI",
-"/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI"
+"/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI",
+"/logout?ndg.security.logout.r=/test_logoutWithReturn2QueryArg": 
+    "test_logoutWithReturn2QueryArg",
+"/test_logoutWithReturn2QueryArg": "test_logoutWithReturn2QueryArg"
     }
     header = """        <h1>Authorisation Integration Tests:</h1>
@@ -196 +199 @@
                         ('Content-length', str(len(response)))])
         return response
-   
+
+    def test_logoutWithReturn2QueryArg(self, environ, start_response):
+        """Test logout setting a return to argument to explicitly set the
+        URI to return to following the logout action
+        """
+        response = """<html>
+    <head/>
+    <body>
+        <h1>Logged Out</h1>
+        <p>Successfully redirected to specified return to UIR query argument 
+        ndg.security.logout.r=%s following logout.  
+        <a href="/">Return to tests</a></p>
+    </body>
+</html>
+""" % environ['PATH_INFO']
+
+        start_response('200 OK', 
+                       [('Content-type', 'text/html'),
+                        ('Content-length', str(len(response)))])
+        return response
+    
     @classmethod
     def app_factory(cls, globalConfig, **localConfig):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/policy.xml

@@ -8 +8 @@
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
-                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>
@@ -17 +17 @@
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
-                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
-                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini

@@ -49 +49 @@
 beaker.session.data_dir = %(here)s/authn/beaker/sessions
 
-beaker.session.cookie_domain = .localhost
+#beaker.session.cookie_domain = .localhost
 
 [filter:AuthenticationFilter]
@@ -57 +57 @@
 # Set redirect for OpenID Relying Party in the Security Services app instance
 authN.redirectURI = https://localhost:7443/verify
-# Test with an SSL endpoint
-#authN.redirectURI = https://localhost/verify
+
+# Default URI to return to if middleware wasn't able to set via HTTP_REFERER or
+# passed return to query argument
+authN.sessionHandler.defaultLogoutReturnToURI = https://localhost:7443/
 
 # AuthKit Set-up
@@ -74 +76 @@
 
 #authkit.cookie.params.expires = 2
-authkit.cookie.params.domain = .localhost
+#authkit.cookie.params.domain = .localhost
 
 # environ key name for beaker session

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini

@@ -25 +25 @@
 
 # Global Attribute Authority Settings
-attributeAuthorityEnvironKeyName = ndg.security.server.attributeauthority.AttributeAuthority
 attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface
 
@@ -56 +55 @@
 # Ordering of filters and app is critical
 [pipeline:main]
-pipeline = wsseSignatureVerificationFilter 
-                   AttributeAuthorityFilter 
-                   AttributeAuthorityWsdlSoapBindingFilter
-           wsseSignatureFilter 
+pipeline = AttributeAuthorityFilter 
            AttributeAuthoritySamlSoapBindingFilter
                    SessionMiddlewareFilter
@@ -82 +78 @@
 beaker.session.cookie_expires = True
 
-beaker.session.cookie_domain = .localhost
+#beaker.session.cookie_domain = .localhost
 
 # Key name for keying into environ dictionary
@@ -104 +100 @@
 cookie.includeip = False
 
-cookie.params.domain = .localhost
+#cookie.params.domain = .localhost
 
 # SSL Client Certificate based authentication is invoked if the client passed
@@ -164 +160 @@
 authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
 authkit.cookie.signoutpath = /logout
-authkit.cookie.params.domain = .localhost
+#authkit.cookie.params.domain = .localhost
 
 # Disable inclusion of client IP address from cookie signature due to 
@@ -334 +330 @@
 prefix = attributeAuthority.
 
-# Key name by which the WSDL SOAP based interface may reference this
-# service
-attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s
-
-# Key name for the SAML SOAP binding based interface to reference this
-# service's attribute query method
-attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s
-
-# Attribute Authority settings
-# 'name' setting MUST agree with map config file 'thisHost' name attribute
-attributeAuthority.name: Site A
-
 # Lifetime is measured in seconds
-attributeAuthority.attCertLifetime: 28800 
-
-# Allow an offset for clock skew between servers running 
-# security services. NB, measured in seconds - use a minus sign for time in the
-# past
-attributeAuthority.attCertNotBeforeOff: 0
-
-# All Attribute Certificates issued are recorded in this dir
-attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
-
-# Files in attCertDir are stored using a rotating file handler
-# attCertFileLogCnt sets the max number of files created before the first is 
-# overwritten
-attributeAuthority.attCertFileName: ac.xml
-attributeAuthority.attCertFileLogCnt: 16
-attributeAuthority.dnSeparator:/
-
-# Location of role mapping file
-attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
+attributeAuthority.assertionLifetime: 28800 
 
 # Settings for custom AttributeInterface derived class to get user roles for given 
@@ -373 +339 @@
 #attributeAuthority.attributeInterface.className: TestUserRoles
 
+# Key name for the SAML SOAP binding based interface to reference this
+# service's attribute query method
+attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s
+
 # SQLAlchemy Attribute Interface
 attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s
-attributeAuthority.attributeInterface.modName: ndg.security.server.attributeauthority
-attributeAuthority.attributeInterface.className: SQLAlchemyAttributeInterface
-attributeAuthority.attributeInterface.issuerName = /O=Site A/CN=Attribute Authority
+attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
 attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
 attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
@@ -387 +355 @@
                                                            /CN=test/O=NDG/OU=BADC
 
-# Config for XML signature of Attribute Certificate
-attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
-attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
-attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
-
-
-# SOAP WSDL Based Binding to the Attribute Authority
-[filter:AttributeAuthorityWsdlSoapBindingFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthoritySOAPBindingMiddleware.filter_app_factory
-prefix = service.soap.binding.
-attributeAuthoritySOAPBindingPrefix = attributeauthority.service.soap.binding.
-
-service.soap.binding.referencedFilters = filter:wsseSignatureVerificationFilter
-service.soap.binding.path = /AttributeAuthority
-service.soap.binding.enableWSDLQuery = True
-service.soap.binding.charset = utf-8
-service.soap.binding.serviceSOAPBindingEnvironKeyName = ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware
-
-attributeauthority.service.soap.binding.attributeAuthorityEnvironKeyName = %(attributeAuthorityEnvironKeyName)s
-attributeauthority.service.soap.binding.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
-
-
 # SAML SOAP Binding to the Attribute Authority
 [filter:AttributeAuthoritySamlSoapBindingFilter]
@@ -419 +365 @@
 saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
 
-saml.soapbinding.pathMatchList = /AttributeAuthority/saml
+saml.soapbinding.pathMatchList = /AttributeAuthority
 saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
 
-
-#______________________________________________________________________________
-# WS-Security Signature Verification
-[filter:wsseSignatureVerificationFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter.filter_app_factory
-filterID = %(__name__)s
-
-# Settings for WS-Security SignatureHandler class used by this filter
-wsseCfgFilePrefix = wssecurity
-
-# Verify against known CAs - Provide a space separated list of file paths
-wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
-
-
-#______________________________________________________________________________
-# Apply WS-Security Signature 
-[filter:wsseSignatureFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter.filter_app_factory
-
-# Reference the verification filter in order to be able to apply signature
-# confirmation
-referencedFilters = filter:wsseSignatureVerificationFilter
-wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
-
-# Last filter in chain of SOAP handlers writes the response
-writeResponse = True
-
-# Settings for WS-Security SignatureHandler class used by this filter
-wsseCfgFilePrefix = wssecurity
-
-# Certificate associated with private key used to sign a message.  The sign 
-# method will add this to the BinarySecurityToken element of the WSSE header.  
-wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt
-
-# PEM encoded private key file
-wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key
-
-# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
-# signed message.  See __setReqBinSecTokValType method and binSecTokValType 
-# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or 
-# give full namespace to alternative - see 
-# ZSI.wstools.Namespaces.OASIS.X509TOKEN
-#
-# binSecTokValType determines whether signingCert or signingCertChain 
-# attributes will be used.
-wssecurity.reqBinSecTokValType=X509v3
-
-# Add a timestamp element to an outbound message
-wssecurity.addTimestamp=True
-
-# For WSSE 1.1 - service returns signature confirmation containing signature 
-# value sent by client
-wssecurity.applySignatureConfirmation=True
+# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
+# tolerance for query issueInstant parameter. Set here to 3 minutes
+saml.soapbinding.clockSkewTolerance: 180.0
+
+saml.soapbinding.issuer: /O=Site A/CN=Attribute Authority
+
 
 # Logging configuration

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py

@@ -68 +68 @@
     SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM = 5443
     SITEA_SSL_ATTRIBUTEAUTHORITY_SAML_URI = \
-        'https://localhost:%d/AttributeAuthority/saml' % \
+        'https://localhost:%d/AttributeAuthority' % \
                                     SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM
     SSL_CERT_DN = "/C=UK/ST=Oxfordshire/O=BADC/OU=Security/CN=localhost"

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/README

@@ -2 +2 @@
 ========================================
 These tests call ndg.security.server.wsgi.authz.SAMLAuthorizationMiddleware 
-and ndg.security.server.wsgi.authz.NDGAuthorizationMiddleware via
-paste.fixture.  An attribute authority service needs to be running in order
-for the middleware to check user attributes,  In a separate terminal start
-this service:
+via paste.fixture.  An attribute authority service is also started as a separate
+thread.
 
-$ python ../../../config/attributeauthority/sitea/siteAServerApp.py
-
-Then, to run the tests:
+To run the tests:
 
 $ python test_authz.py
 
-P J Kershaw 22/05/09
+P J Kershaw 22/03/10

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini

@@ -32 +32 @@
 # If omitted, DN of SSL Cert is used
 pip.attributeQuery.issuerName = 
-pip.attributeQuery.clockSkew = 0.
+pip.attributeQuery.clockSkewTolerance = 0.
 pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
 pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml

@@ -9 +9 @@
                 <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
                 <!-- Endpoint is for SOAP/SAML based ESG Interface -->
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>
@@ -18 +18 @@
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>
@@ -35 +35 @@
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:admin</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini

@@ -31 +31 @@
 # If omitted, DN of SSL Cert is used
 pip.attributeQuery.issuerName = 
-pip.attributeQuery.clockSkew = 0.
+pip.attributeQuery.clockSkewTolerance = 0.
 pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
 pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

@@ -32 +32 @@
 from ndg.security.server.wsgi.authz.result_handler.redirect import \
     HTTPRedirectPEPResultHandlerMiddleware
-from ndg.security.server.wsgi.authz import (NdgPIPMiddlewareConfigError,
-                                            SamlPIPMiddlewareConfigError)
+from ndg.security.server.wsgi.authz import SamlPIPMiddlewareConfigError
 from ndg.security.common.authz.msi import Response
 
@@ -98 +97 @@
     def save(self):
         pass
+
+        
+class TestAuthZMiddleware(object):
+    '''Test Application for the Authentication handler to protect'''
+    response = "Test Authorization application"
+       
+    def __init__(self, app_conf, **local_conf):
+        pass
+    
+    def __call__(self, environ, start_response):
+        
+        if environ['PATH_INFO'] == '/test_401':
+            status = "401 Unauthorized"
+            
+        elif environ['PATH_INFO'] == '/test_403':
+            status = "403 Forbidden"
+            
+        elif environ['PATH_INFO'] == '/test_200':
+            status = "200 OK"
+            
+        elif environ['PATH_INFO'] == '/test_accessDeniedToSecuredURI':
+            # Nb. AuthZ middleware should intercept the request and bypass this
+            # response
+            status = "200 OK"
+            
+        elif environ['PATH_INFO'] == '/test_accessGrantedToSecuredURI':
+            status = "200 OK"
+        else:
+            status = "404 Not found"
+                
+        start_response(status,
+                       [('Content-length', 
+                         str(len(TestAuthZMiddleware.response))),
+                        ('Content-type', 'text/plain')])
+        return [TestAuthZMiddleware.response]
+
+
+class BeakerSessionStub(dict):
+    """Emulate beaker.session session object for purposes of the unit tests
+    """
+    def save(self):
+        pass
  
     
-class NdgWSGIAuthZTestCase(BaseTestCase):
-    INI_FILE = 'ndg-test.ini'
+class SamlWSGIAuthZTestCase(BaseTestCase):
+    INI_FILE = 'saml-test.ini'
     THIS_DIR = os.path.dirname(os.path.abspath(__file__))
-    def __init__(self, *args, **kwargs):
+    def __init__(self, *args, **kwargs):       
         BaseTestCase.__init__(self, *args, **kwargs)
-        
-        
-        wsgiapp = loadapp('config:'+NdgWSGIAuthZTestCase.INI_FILE, 
-                          relative_to=NdgWSGIAuthZTestCase.THIS_DIR)
+
+        
+        wsgiapp = loadapp('config:'+SamlWSGIAuthZTestCase.INI_FILE, 
+                          relative_to=SamlWSGIAuthZTestCase.THIS_DIR)
         self.app = paste.fixture.TestApp(wsgiapp)
         
-        self.startSiteAAttributeAuthority()
-        
+        self.startSiteAAttributeAuthority(withSSL=True,
+            port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
+        
+
     def test01CatchNoBeakerSessionFound(self):
         
@@ -119 +162 @@
         try:
             response = self.app.get('/test_200')
-        except NdgPIPMiddlewareConfigError, e:
+        except SamlPIPMiddlewareConfigError, e:
             print("ok - expected: %s exception: %s" % (e.__class__, e))
        
@@ -138 +181 @@
         # even though a user is set in the session
         
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         response = self.app.get('/test_401', 
                                 extra_environ=extra_environ,
@@ -150 +195 @@
         # even though a user is set in the session
         
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         response = self.app.get('/test_403', 
                                 extra_environ=extra_environ,
@@ -172 +219 @@
         # User is logged in but doesn't have the required credentials for 
         # access
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         
         response = self.app.get('/test_accessDeniedToSecuredURI',
                                 extra_environ=extra_environ,
                                 status=403)
+        print response
         self.assert_("Insufficient privileges to access the "
                      "resource" in response)
-        print response
 
     def test07AccessGrantedForSecuredURI(self):
@@ -186 +235 @@
         # User is logged in and has credentials for access to a URI secured
         # by the policy file
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         
         response = self.app.get('/test_accessGrantedToSecuredURI',
@@ -199 +250 @@
         # User is logged in but doesn't have the required credentials for 
         # access
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         
         # Try this URI with the query arg admin=1.  This will be picked up
@@ -219 +272 @@
         print response
 
-        
-class TestAuthZMiddleware(object):
-    '''Test Application for the Authentication handler to protect'''
-    response = "Test Authorization application"
-       
-    def __init__(self, app_conf, **local_conf):
-        pass
-    
-    def __call__(self, environ, start_response):
-        
-        if environ['PATH_INFO'] == '/test_401':
-            status = "401 Unauthorized"
-            
-        elif environ['PATH_INFO'] == '/test_403':
-            status = "403 Forbidden"
-            
-        elif environ['PATH_INFO'] == '/test_200':
-            status = "200 OK"
-            
-        elif environ['PATH_INFO'] == '/test_accessDeniedToSecuredURI':
-            # Nb. AuthZ middleware should intercept the request and bypass this
-            # response
-            status = "200 OK"
-            
-        elif environ['PATH_INFO'] == '/test_accessGrantedToSecuredURI':
-            status = "200 OK"
-        else:
-            status = "404 Not found"
-                
-        start_response(status,
-                       [('Content-length', 
-                         str(len(TestAuthZMiddleware.response))),
-                        ('Content-type', 'text/plain')])
-        return [TestAuthZMiddleware.response]
-
-
-class BeakerSessionStub(dict):
-    """Emulate beaker.session session object for purposes of the unit tests
-    """
-    def save(self):
-        pass
- 
-    
-class SamlWSGIAuthZTestCase(BaseTestCase):
-    INI_FILE = 'saml-test.ini'
-    THIS_DIR = os.path.dirname(os.path.abspath(__file__))
-    def __init__(self, *args, **kwargs):       
-        BaseTestCase.__init__(self, *args, **kwargs)
-
-        
-        wsgiapp = loadapp('config:'+SamlWSGIAuthZTestCase.INI_FILE, 
-                          relative_to=SamlWSGIAuthZTestCase.THIS_DIR)
-        self.app = paste.fixture.TestApp(wsgiapp)
-        
-        self.startSiteAAttributeAuthority(withSSL=True,
-            port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
-        
-
-    def test01CatchNoBeakerSessionFound(self):
-        
-        # PEPFilterConfigError is raised if no beaker.session is set in 
-        # environ
-        try:
-            response = self.app.get('/test_200')
-        except SamlPIPMiddlewareConfigError, e:
-            print("ok - expected: %s exception: %s" % (e.__class__, e))
-       
-    def test02Ensure200WithNotLoggedInAndUnsecuredURI(self):
-        
-        # Check the authZ middleware leaves the response alone if the URI 
-        # is not matched in the policy
-        
-        # Simulate a beaker.session in the environ
-        extra_environ={'beaker.session.ndg.security':BeakerSessionStub()}
-        response = self.app.get('/test_200',
-                                extra_environ=extra_environ)
-
-    def test03Catch401WithLoggedIn(self):
-        
-        # Check that the application being secured can raise a HTTP 401
-        # response and that this respected by the Authorization middleware
-        # even though a user is set in the session
-        
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
-        }
-        response = self.app.get('/test_401', 
-                                extra_environ=extra_environ,
-                                status=401)
-
-    def test04Catch403WithLoggedIn(self):
-        
-        # Check that the application being secured can raise a HTTP 403
-        # response and that this respected by the Authorization middleware
-        # even though a user is set in the session
-        
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
-        }
-        response = self.app.get('/test_403', 
-                                extra_environ=extra_environ,
-                                status=403)
-
-    def test05Catch401WithNotLoggedInAndSecuredURI(self):
-        
-        # AuthZ middleware grants access because the URI requested is not 
-        # targeted in the policy
-        
-        # AuthZ middleware checks for username key in session set by AuthN
-        # handler
-        extra_environ={'beaker.session.ndg.security':BeakerSessionStub()}        
-        response = self.app.get('/test_accessDeniedToSecuredURI',
-                                extra_environ=extra_environ,
-                                status=401)
-        
-    def test06AccessDeniedForSecuredURI(self):
-        
-        # User is logged in but doesn't have the required credentials for 
-        # access
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
-        }
-        
-        response = self.app.get('/test_accessDeniedToSecuredURI',
-                                extra_environ=extra_environ,
-                                status=403)
-        self.assert_("Insufficient privileges to access the "
-                     "resource" in response)
-        print response
-
-    def test07AccessGrantedForSecuredURI(self):
-        
-        # User is logged in and has credentials for access to a URI secured
-        # by the policy file
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
-        }
-        
-        response = self.app.get('/test_accessGrantedToSecuredURI',
-                                extra_environ=extra_environ,
-                                status=200)
-        self.assert_(TestAuthZMiddleware.response in response)
-        print response
-
-    def test08AccessDeniedForAdminQueryArg(self):
-        
-        # User is logged in but doesn't have the required credentials for 
-        # access
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
-        }
-        
-        # Try this URI with the query arg admin=1.  This will be picked up
-        # by the policy as a request requiring admin rights.  The request is
-        # denied as the user doesn't have these rights but this then calls
-        # into play the PEP result handler defined in this module,
-        # RedirectFollowingAccessDenied.  This class reinvokes the request
-        # but without the admin query argument.  Access is then granted for
-        # the redirected request
-        response = self.app.get('/test_accessGrantedToSecuredURI',
-                                params={'admin': 1},
-                                extra_environ=extra_environ,
-                                status=302)
-        try:
-            redirectResponse = response.follow(extra_environ=extra_environ)
-        except paste.fixture.AppError, e:
-            self.failIf(TestAuthZMiddleware.response not in response)
-        print response
-
 
 class PEPResultHandlerTestCase(BaseTestCase):