Author: buildbot
Date: Tue Jun 5 20:48:00 2012
New Revision: 820387
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-configuration.html
websites/production/cxf/content/fediz-idp.html
websites/production/cxf/content/fediz-tomcat.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/fediz-configuration.html
==============================================================================
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Tue Jun 5
20:48:00 2012
@@ -139,10 +139,10 @@ Apache CXF -- Fediz Configuration
<div id="ConfluenceContent"><p><img align="middle" class="emoticon"
src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"
height="16" width="16" alt="" border="0"> Under construction</p>
<h1><a shape="rect"
name="FedizConfiguration-FedizPluginconfiguration"></a>Fediz Plugin
configuration</h1>
-<p>This page describes the Fediz configuration file which is referenced by the
security interceptor (eg. authenticator in Tomcat/Jetty).</p>
+<p>This page describes the Fediz configuration file referenced by the security
interceptor (eg. authenticator in Tomcat/Jetty).</p>
<h3><a shape="rect" name="FedizConfiguration-Example"></a>Example</h3>
-<p>The following example describes the minimum configuration for Fediz.</p>
+<p>The following example shows the minimum configuration for Fediz.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
<span class="code-tag"><?xml version=<span class="code-quote">"1.0"</span>
encoding=<span class="code-quote">"UTF-8"</span> standalone=<span
class="code-quote">"yes"</span>?></span>
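Review bot: both the removed and the added `<p>` keep the abbreviation "eg." in "(eg. authenticator in Tomcat/Jetty)"; since the sentence is being reworded anyway, make it "e.g." so the page is consistent with ordinary usage. The change from "describes the minimum configuration" to "shows the minimum configuration" is fine, but the example is introduced as a minimum without saying what is left out; a short clause pointing at the optional elements in the table further down (maximumClockSkew is marked Optional there) would stop readers treating this example as complete.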
@@ -167,8 +167,9 @@ Apache CXF -- Fediz Configuration
</pre>
</div></div>
-<p>The element protocol defines that you use the WS-Federation protocol. The
issuer says to which URL authenticated requests will be redirected with the
SignIn request.<br clear="none">
-The IDP issues a SAML token which must be validated by the plugin. The
validation requires the certificate store of the Certificate Authority(ies) of
the certificate which signed the SAML token. This is defined in
<tt>certificateStore</tt>. The signing certificate itself is not required
because <tt>certificateValidation</tt> is set to <tt>ChainTrust</tt>. The
<tt>subject</tt> defines the trusted signing certificate using the subject as a
regular expression.<br clear="none">
+<p>The protocol element declares that the WS-Federation protocol is being
used. The issuer element shows the URL to which authenticated requests will be
redirected with a SignIn request. </p>
+
+<p>The IDP issues a SAML token which must be validated by the plugin. The
validation requires the certificate store of the Certificate Authority(ies) of
the certificate which signed the SAML token. This is defined in
<tt>certificateStore</tt>. The signing certificate itself is not required
because <tt>certificateValidation</tt> is set to <tt>ChainTrust</tt>. The
<tt>subject</tt> defines the trusted signing certificate using the subject as a
regular expression.<br clear="none">
Finally, the audience URI is validated against the audience restriction in the
SAML token.</p>
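Review bot: the description of `issuer` in the added paragraph ("the URL to which authenticated requests will be redirected with a SignIn request") has the flow the wrong way round: it is the unauthenticated request that the plugin redirects to the issuer (the IDP) with the SignIn request, and the authenticated request is what comes back carrying the token. The removed line had the same wording, so this is carried over rather than introduced here, but it should be fixed while the paragraph is being split, e.g. "The issuer element gives the IDP URL to which unauthenticated requests are redirected with a SignIn request." Splitting the run-on into two `<p>` elements is the right move. The last sentence, "The `subject` defines the trusted signing certificate using the subject as a regular expression", should say what the pattern is matched against (the full subject DN or a single component) and recommend an anchored pattern, because with ChainTrust any certificate issued by a CA in `certificateStore` whose subject merely contains the substring would otherwise pass this check.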
@@ -176,7 +177,7 @@ Finally, the audience URI is validated a
<div class="table-wrap">
<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">XML element </th><th colspan="1" rowspan="1"
class="confluenceTh">Name </th><th colspan="1" rowspan="1"
class="confluenceTh">Use </th><th colspan="1" rowspan="1"
class="confluenceTh">Description</th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> audienceUris </td><td colspan="1" rowspan="1"
class="confluenceTd"> Audience URI </td><td colspan="1" rowspan="1"
class="confluenceTd"> Required </td><td colspan="1" rowspan="1"
class="confluenceTd"> The values of the list of audience URIs are verified
against the element <tt>AudienceRestriction</tt> in the SAML token
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
certificateStores </td><td colspan="1" rowspan="1" class="confluenceTd">
Trusted certificate store </td><td colspan="1" rowspan="1"
class="confluenceTd"> Required </td><td colspan="1" rowspan="1"
class="confluenceTd"> The list of keystores (JKS, PEM) inclu
des at least the certificate of the Certificate Authorities (CA) which signed
the certificate which is used to sign the SAML token.<br clear="none">
-If the file location is not fully qualified it's relative to the Container
home directory </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
trustedIssuers </td><td colspan="1" rowspan="1" class="confluenceTd"> Trusted
Issuers </td><td colspan="1" rowspan="1" class="confluenceTd"> Required
</td><td colspan="1" rowspan="1" class="confluenceTd"> There are two ways to
configure a trusted issuer (IDP). Either you configure the subject name and the
CA(s) who signed the certificate of the IDP
(<tt>certificateValidation=ChainTrust</tt>) or you configure the certificate of
the IDP and the CA(s) who signed it
(<tt>certificateValidation=PeerTrust</tt>)</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> maximumClockSkew </td><td colspan="1"
rowspan="1" class="confluenceTd"> Maximum Clock Skew </td><td colspan="1"
rowspan="1" class="confluenceTd"> Optional </td><td colspan="1" rowspan="1"
class="confluenceTd"> Maximum allowable time difference between the system
clocks of the IDP and RP.<br clear="none">
+If the file location is not fully qualified it needs to be relative to the
Container home directory </td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> trustedIssuers </td><td colspan="1" rowspan="1"
class="confluenceTd"> Trusted Issuers </td><td colspan="1" rowspan="1"
class="confluenceTd"> Required </td><td colspan="1" rowspan="1"
class="confluenceTd"> There are two ways to configure a trusted issuer (IDP).
Either you configure the subject name and the CA(s) who signed the certificate
of the IDP (<tt>certificateValidation=ChainTrust</tt>) or you configure the
certificate of the IDP and the CA(s) who signed it
(<tt>certificateValidation=PeerTrust</tt>)</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> maximumClockSkew </td><td colspan="1"
rowspan="1" class="confluenceTd"> Maximum Clock Skew </td><td colspan="1"
rowspan="1" class="confluenceTd"> Optional </td><td colspan="1" rowspan="1"
class="confluenceTd"> Maximum allowable time difference between
the system clocks of the IDP and RP.<br clear="none">
Default 5 seconds. </td></tr></tbody></table>
</div>
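Review bot: the reworded sentence at the bottom of the certificateStores cell changes the meaning: the removed line ("If the file location is not fully qualified it's relative to the Container home directory") states how a relative path is resolved, while the added line ("it needs to be relative to the Container home directory") reads as an instruction to the author and drops the resolution rule; suggest "If the file location is not fully qualified, it is resolved relative to the Container home directory". Two smaller gaps in the same table: the trustedIssuers cell explains ChainTrust and PeerTrust but not which one applies when `certificateValidation` is omitted, and the maximumClockSkew cell says "Default 5 seconds" without stating the unit the configured value is expressed in; both are things a reader editing the file has to know.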
@@ -200,13 +201,13 @@ The WS-Federation standard defines a lis
<ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li></ul>
-<p>These configuration elements provides to configure a CallbackHandler which
gets a Callback object where the appropriate value must be set. The
CallbackHandler implementation has access to the HttpServletRequest. The XML
attribute <tt>type</tt> must be set to <tt>Class</tt>.</p>
+<p>These configuration elements allows for configuring a CallbackHandler which
gets a Callback object where the appropriate value must be set. The
CallbackHandler implementation has access to the HttpServletRequest. The XML
attribute <tt>type</tt> must be set to <tt>Class</tt>.</p>
<h3><a shape="rect" name="FedizConfiguration-Advancedexample"></a>Advanced
example</h3>
-<p>The following example defines the required claims and configure custom
callback handler to define some configuration values at runtime.</p>
+<p>The following example defines the required claims and configures a custom
callback handler to define some configuration values at runtime.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
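Review bot: the added paragraph has a subject-verb mismatch, "These configuration elements allows for configuring"; the removed "provides to configure" was wrong as well, so write "These configuration elements allow a CallbackHandler to be configured which receives a Callback object on which the appropriate value must be set." Since the same paragraph says the CallbackHandler has access to the HttpServletRequest and supplies `issuer` and `homeRealm` at runtime, the page should also warn that any value taken from the request (query parameters, headers) must be checked against a fixed list of known issuers and realms before it is set on the Callback, because the issuer value is where the user's browser is sent for sign-in.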
@@ -236,10 +237,7 @@ The WS-Federation standard defines a lis
<span class="code-tag"></contextConfig></span>
<span class="code-tag"></FedizConfig></span>
</pre>
-</div></div>
-
-
-</div>
+</div></div></div>
</div>
<!-- Content -->
</td>
Modified: websites/production/cxf/content/fediz-idp.html
==============================================================================
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Tue Jun 5 20:48:00 2012
@@ -140,16 +140,16 @@ Apache CXF -- Fediz IDP
<h1><a shape="rect" name="FedizIDP-FedizIDP"></a>Fediz IDP</h1>
-<p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the
Security Token Service (STS) component which is responsible to validate
credentials, getting the requested claims data and issues a SAML token. There
is no easy way for Web browsers to issue SOAP requests to the STS directly. The
second component is the IDP WAR which adapts the browser to the STS. The
communication between the browser and the IDP must be performed within the
confines of the base HTTP 1.1 functionality and conform as closely as possible
to the WS-Trust protocols semantic.</p>
+<p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the
Security Token Service (STS) component which is responsible for validating
credentials, getting the requested claims data and issuing a SAML token. There
is no easy way for Web browsers to issue SOAP requests to the STS directly,
necessitating the second component, an IDP WAR which allows browser-based
applications to interact with the STS. The communication between the browser
and the IDP must be performed within the confines of the base HTTP 1.1
functionality and conform as closely as possible to the WS-Trust protocols
semantic.</p>
-<p>The Fediz STS is based on the CXF STS configured to support the use cases
required by the examples.</p>
+<p>The Fediz STS is based on a customized CXF STS configured to support
standard Federation use cases demonstrated by the examples.</p>
<h3><a shape="rect" name="FedizIDP-Installation"></a>Installation</h3>
-<p>The Fediz IDP has been tested with Tomcat 6 and 7 but there are no reasons
why it shouldn't work in any commercial application server.</p>
+<p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to
work with any commercial JEE application server.</p>
-<p>It's recommended to set up a dedicated Tomcat instance for the IDP. The
Fediz examples use the following TCP ports to interact with the IDP/STS:</p>
-<ul><li>HTTP port: 9080 (used for maven deployment, mvn
tomcat:redeploy)</li><li>HTTPS port: 9443 (where IDP and STS are
accessed)</li></ul>
+<p>It's recommended to set up a dedicated (separate) Tomcat instance for the
IDP. The Fediz examples use the following TCP ports to interact with the
IDP/STS:</p>
+<ul><li>HTTP port: 9080 (used for Maven deployment, mvn
tomcat:redeploy)</li><li>HTTPS port: 9443 (where IDP and STS are
accessed)</li></ul>
<p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p>
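Review bot: the port list still presents "HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)" as a normal part of the IDP setup directly after the recommendation to run the IDP in a dedicated Tomcat instance; this is the instance that issues the SAML tokens every relying party trusts, so the page should say the plaintext deployment port is for the examples and development only and should be disabled or bound to localhost in production, in the same way it already insists on CA-signed certificates further down. Also in this hunk: "any commercial JEE application server" narrows the removed "any commercial application server" to commercial products, which excludes Tomcat itself; "any Java EE application server or servlet container" says what is meant. "conform as closely as possible to the WS-Trust protocols semantic" (unchanged between the two versions) should read "to the semantics of the WS-Trust protocol".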
@@ -165,7 +165,7 @@ Apache CXF -- Fediz IDP
</pre>
</div></div>
-<p>The keystoreFile is relative to catalina home. See <a shape="rect"
class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for
Tomcat 7 configuration reference. This page also describes how to create
certificates.</p>
+<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect"
class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the
Tomcat 7 configuration reference. This page also describes how to create
certificates.</p>
<p><b>Production: It's highly recommended to deploy certificates signed by a
Certificate Authority</b></p>
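Review bot: the added line says the keystoreFile "is relative to $CATALINA_HOME", but Tomcat documents a relative keystoreFile as being resolved against $CATALINA_BASE; the two coincide only in a single-instance layout, and the previous hunk recommends a dedicated Tomcat instance for the IDP, which is exactly the setup where $CATALINA_BASE is usually a separate directory. Write "$CATALINA_BASE (the same as $CATALINA_HOME in a single-instance installation)" or use an absolute path in the example. The bold production note is good; it would be stronger if it named the connection the certificate protects, i.e. the HTTPS connector on 9443 where the IDP and STS are accessed.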
@@ -177,7 +177,7 @@ Apache CXF -- Fediz IDP
<h5><a shape="rect" name="FedizIDP-Userandpassword"></a>User and password</h5>
-<p>The users and passwords are configured in a spring configuration file in
<tt>webapps/fediz-idp-sts/WEB-INF/passwords.xml</tt>. The following users are
already configured and can easily be extended.</p>
+<p>The users and passwords are configured in a Spring configuration file in
<tt>webapps/fediz-idp-sts/WEB-INF/passwords.xml</tt>. The following users are
already configured and can easily be extended.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
<span class="code-tag"><util:map id=<span
class="code-quote">"passwords"</span>></span>
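Review bot: the reworded paragraph still presents the `passwords` map in `webapps/fediz-idp-sts/WEB-INF/passwords.xml` as the place where users "are already configured and can easily be extended" without saying that this is a credential store in a plain configuration file inside the deployed WAR; the page should mark these as sample accounts for the examples that have to be removed or replaced before any real deployment, and point to the "Configure LDAP directory" section later on the page as the intended alternative for authenticating real users. The only change in the hunk, "spring" to "Spring", is correct.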
@@ -219,11 +219,10 @@ Apache CXF -- Fediz IDP
</pre>
</div></div>
-<p>The claim id's are configured according to chapter 7.5 in the specification
<a shape="rect" class="external-link"
href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html"
rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims
to a SAML attribute statement are described in chapter 7.2.</p>
+<p>The claim id's are configured according to Section 7.5 in the specification
<a shape="rect" class="external-link"
href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html"
rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims
to a SAML attribute statement are described in Section 7.2.</p>
<h5><a shape="rect" name="FedizIDP-Applicationclaims"></a>Application
claims</h5>
-
<p>The required claims per relying party are configured in the
<tt>webapps/fediz-idp/WEB-INF/RPClaims.xml</tt>. The XML file has the following
structure:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
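Review bot: "Chapter" to "Section" is right for an OASIS specification, but the same sentence keeps two grammar problems that should go in the same pass: "The claim id's" should be "The claim IDs" (no apostrophe in the plural), and "The mapping of claims to a SAML attribute statement are described" should be "is described", since the subject is "mapping". Dropping the stray blank line before the "Application claims" paragraph is fine.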
@@ -242,14 +241,12 @@ Apache CXF -- Fediz IDP
</pre>
</div></div>
-<p>The key of each map entry must match with the <tt>wtrealm</tt> paramater in
the redirect triggered by the relying party. The required claims for the
different type of applications are grouped in beans which are a list of String
as illustrated in <tt>claimsWsfedhelloworld</tt>.</p>
+<p>The key of each map entry must match with the <tt>wtrealm</tt> paramater in
the redirect triggered by the relying party. The required claims for the
different type of applications are grouped in beans which are a list of Strings
as illustrated in <tt>claimsWsfedhelloworld</tt>.</p>
<p>The bean <tt>realm2ClaimsMap</tt> must be named realm2ClaimsMap and maps
the different Relying Parties (applications) to one of the claim lists. This
map is required to manage which claims are required for the applications.</p>
<p>The JIRA issue <a shape="rect" class="external-link"
href="https://issues.apache.org/jira/browse/FEDIZ-1">FEDIZ-1</a> will provide
another option to manage the required claims on the Relying Party side.</p>
-
-
<h3><a shape="rect" name="FedizIDP-ConfigureLDAPdirectory"></a>Configure LDAP
directory</h3>
<p>The Fediz IDP can be configured to attach an LDAP directory to authenticate
users and to retrieve claims information of users.</p>
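Review bot: the added line fixes "list of String" to "list of Strings" but leaves "paramater" (for "parameter") and "must match with the" on the same rewritten line; make it "must match the `wtrealm` parameter" and "the different types of application". The paragraph also never says what happens when the `wtrealm` sent in the redirect matches no key in `realm2ClaimsMap`; because this map decides which claims are released to which relying party, the page should state whether an unknown realm is rejected or falls back to some default list, since that determines what an unregistered relying party can obtain.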
@@ -282,7 +279,7 @@ export JAVA_OPTS
</pre>
</div></div>
-<p>Next, the STS endpoint has to be configured to use the JAAS LoginModule
which is acomplished by the <tt>JAASUsernameTokenValidator</tt>.</p>
+<p>Next, the STS endpoint has to be configured to use the JAAS LoginModule
which is accomplished by the <tt>JAASUsernameTokenValidator</tt>.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
@@ -308,7 +305,7 @@ export JAVA_OPTS
</pre>
</div></div>
-<p>The property <tt>contextName</tt> must match with the context name defined
in the JAAS configuration file which is <tt>myldap</tt> in this example.</p>
+<p>The property <tt>contextName</tt> must match the context name defined in
the JAAS configuration file which is <tt>myldap</tt> in this example.</p>
<h5><a shape="rect" name="FedizIDP-Claimsmanagement"></a>Claims management</h5>
Modified: websites/production/cxf/content/fediz-tomcat.html
==============================================================================
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Tue Jun 5 20:48:00 2012
@@ -156,9 +156,9 @@ add the previously created directory to
<p>The Fediz related configuration is Container independent and described <a
shape="rect" href="fediz-configuration.html" title="Fediz
Configuration">here</a>.</p>
-<p>The Fediz plugin requires to configure the FederationAuthenticator like any
other Valve in Tomcat which is described here <a shape="rect"
class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p>
+<p>The Fediz plugin requires configuring the FederationAuthenticator like any
other Valve in Tomcat which is described here <a shape="rect"
class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p>
-<p>A valve can be configured on different levels like <em>Host</em> or
<em>Context</em>. The Fediz configuration file allows to configure all servlet
contexts in one file or choose one file per Servlet Context. If you choose to
have one Fediz configuration file per Servlet Context then you must configure
the FederationAuthenticator on the <em>Context</em> level otherwise on the
<em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p>
+<p>A valve can be configured on different levels like <em>Host</em> or
<em>Context</em>. The Fediz configuration file allows to configure all servlet
contexts in one file or choosing one file per Servlet Context. If you choose to
have one Fediz configuration file per Servlet Context then you must configure
the FederationAuthenticator on the <em>Context</em> level otherwise on the
<em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p>
<p>You can either configure the context in the server.xml or in
META-INF/context.xml as part of your WAR file.</p>
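Review bot: the rewording of the second paragraph breaks the parallelism the removed line had: "allows to configure all servlet contexts in one file or choosing one file per Servlet Context" pairs an infinitive with a gerund; use "allows you to configure all servlet contexts in one file or to use one file per Servlet Context". In the first paragraph, "described here <a ...>here</a>" keeps the doubled "here" from the removed line; drop the first one. The second paragraph is also missing its full stop after <em>server.xml</em>. The placement rule itself (Context-level valve for a per-context file, Host-level otherwise) is clear, but it would help to add that a FederationAuthenticator configured at Host level runs for every context under that Host, so any application on the same Host that is not meant to be behind Fediz needs to be considered when that option is chosen.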