Author: buildbot
Date: Mon Jun 25 12:47:59 2012
New Revision: 823109
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/saml-web-sso.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/saml-web-sso.html
==============================================================================
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jun 25 12:47:59
2012
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO
<div>
-<ul><li><a shape="rect"
href="#SAMLWebSSO-Introduction">Introduction</a></li><ul><li><a shape="rect"
href="#SAMLWebSSO-TypicalFlow">Typical Flow</a></li></ul><li><a shape="rect"
href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity
Provider</a></li><li><a shape="rect"
href="#SAMLWebSSO-ApplicationSecurityFilter">Application Security
Filter</a></li><li><a shape="rect"
href="#SAMLWebSSO-RequestAssertionSecurityService">Request Assertion Security
Service</a></li><li><a shape="rect" href="#SAMLWebSSO-SSOStateProvider">SSO
State Provider</a></li></ul></div>
+<ul><li><a shape="rect"
href="#SAMLWebSSO-Introduction">Introduction</a></li><ul><li><a shape="rect"
href="#SAMLWebSSO-TypicalFlow">Typical Flow</a></li></ul><li><a shape="rect"
href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity
Provider</a></li><li><a shape="rect"
href="#SAMLWebSSO-ServiceProviderSecurityFilter">Service Provider Security
Filter</a></li><ul><li><a shape="rect"
href="#SAMLWebSSO-RedirectBindingFilter">Redirect Binding Filter</a></li><li><a
shape="rect" href="#SAMLWebSSO-POSTBindingFilter">POST Binding
Filter</a></li></ul><li><a shape="rect"
href="#SAMLWebSSO-RequestAssertionSecurityService">Request Assertion Security
Service</a></li><li><a shape="rect" href="#SAMLWebSSO-SSOStateProvider">SSO
State Provider</a></li></ul></div>
<h1><a shape="rect" name="SAMLWebSSO-Introduction"></a>Introduction</h1>
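Review bot: the anchor `#SAMLWebSSO-ApplicationSecurityFilter` is dropped from the table of contents here (and its `<h1>` is removed further down) without any alias to the replacement `#SAMLWebSSO-ServiceProviderSecurityFilter`, so existing external links and bookmarks to the old section will silently land at the top of the page; if the rename is intended, keep an empty `<a name="SAMLWebSSO-ApplicationSecurityFilter"></a>` beside the new heading. Minor, and pre-existing generator output rather than part of this change: the nested `<ul>` elements are direct children of the outer `<ul>` instead of being inside the preceding `<li>`, which is not valid HTML.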
@@ -174,9 +174,125 @@ Apache CXF -- SAML Web SSO
<p>CXF does not offer its own IDP SAML Web SSO implementation but might
provide it in the future as part of the <a shape="rect"
href="http://cxf.apache.org/fediz.html">Fediz</a> project.</p>
-<p>However, CXF has been tested against a number of popular IDP
implementations which support SAML SSO and thus should be interoperable with
whatever IDP is being used in the specific production environment. The
interoperability tests have shown that some IDPs may process SAML request and
produce SAML response data the way which may not be exactly
specification-compliant and thus CXF Request Assertion Consumer Service (RACS)
and Service Provider Security Filter implementations have a number of
configuration properties for adjusting the way SAML requests to IDP are
prepared and SAML responsed from IDP are processed.</p>
+<p>However, CXF has been tested against a number of popular IDP
implementations which support SAML SSO and thus should be interoperable with
whatever IDP is being used in the specific production environment. The
interoperability tests have shown that some IDPs may process SAML request and
produce SAML response data the way which may not be exactly
specification-compliant and thus CXF Request Assertion Consumer Service (RACS)
and Service Provider Security Filter implementations have a number of
configuration properties for adjusting the way SAML requests to IDP are
prepared and SAML responses from IDP are processed.</p>
+
+<h1><a shape="rect"
name="SAMLWebSSO-ServiceProviderSecurityFilter"></a>Service Provider Security
Filter</h1>
+
+<p>SP Security Filter protects the application endpoints by checking that a
valid SSO security context is available. If it is then the filter lets the
request to continue, if not then it redirects the current user to IDP.</p>
+
+<p>CXF offers two SP Security filters, one for redirecting the user back to
IDP via GET and another one - via POST.</p>
+
+<h2><a shape="rect" name="SAMLWebSSO-RedirectBindingFilter"></a>Redirect
Binding Filter</h2>
+
+<p>Redirect Binding Filter is implemented by
org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter.</p>
+
+<p>Here is an example of a typical filter protecting a custom JAX-RS
endpoint:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+<span class="code-tag"><bean id=<span
class="code-quote">"serviceBean"</span> class=<span
class="code-quote">"org.apache.cxf.samlp.sso.BookStore"</span>/></span>
+
+<span class="code-tag"><jaxrs:server address=<span
class="code-quote">"/app1"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"serviceBean"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+ <span class="code-tag"><jaxrs:providers></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"redirectGetFilter"</span>/></span>
+ <span class="code-tag"></jaxrs:providers></span>
+<span class="code-tag"></jaxrs:server></span>
+
+<span class="code-tag"><bean id=<span
class="code-quote">"redirectGetFilter"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"idpServiceAddress"</span> value=<span
class="code-quote">"https://localhost:9443/idp"</span>/></span>
+ <span class="code-tag"><span class="code-comment"><!-- both relative
and absolute URIs are supported --></span></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"assertionConsumerServiceAddress"</span> value=<span
class="code-quote">"/racs/sso"</span>/></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"stateProvider"</span> ref=<span
class="code-quote">"stateManager"</span>/></span>
+<span class="code-tag"></bean></span>
+
+
+<span class="code-tag"><bean id=<span
class="code-quote">"stateManager"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager"</span>></span>
+ <span class="code-tag"><constructor-arg ref=<span
class="code-quote">"cxf"</span>/></span>
+<span class="code-tag"></bean></span>
+
+</pre>
+</div></div>
+
+<p>Note that at the very minimum the filter needs to have 3 properties
set-up:<br clear="none">
+1. IDP service address<br clear="none">
+2. RACS address - it can be absolute or relative if RACS is collocated <br
clear="none">
+ (shares the same web application context) with the application endpoint.<br
clear="none">
+3. Reference to SSO State Provider.</p>
+
+<h2><a shape="rect" name="SAMLWebSSO-POSTBindingFilter"></a>POST Binding
Filter</h2>
+
+<p>POST Binding Filter is implemented by
org.apache.cxf.rs.security.saml.sso.SamlPostBindingFilter.</p>
+
+<p>Here is an example of a typical filter protecting a custom JAX-RS
endpoint.</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+<span class="code-tag"><bean id=<span
class="code-quote">"serviceBean"</span> class=<span
class="code-quote">"org.apache.cxf.samlp.sso.BookStore"</span>/></span>
+<span class="code-tag"><jaxrs:server address=<span
class="code-quote">"/app2"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"serviceBean"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+ <span class="code-tag"><jaxrs:providers></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"ssoRedirectPOST"</span>/></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"samlRequestFormCreator"</span>/></span>
+ <span class="code-tag"></jaxrs:providers></span>
+
+<span class="code-tag"></jaxrs:server></span>
+
+<span class="code-tag"><bean id=<span
class="code-quote">"ssoRedirectPOST"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.saml.sso.SamlPostBindingFilter"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"idpServiceAddress"</span> value=<span
class="code-quote">"https://localhost:9443/idp"</span>/></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"assertionConsumerServiceAddress"</span> value=<span
class="code-quote">"/racs/sso"</span>/></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"stateProvider"</span> ref=<span
class="code-quote">"stateManager"</span>/></span>
+
+ <span class="code-tag"><property name=<span
class="code-quote">"useDeflateEncoding"</span> value=<span
class="code-quote">"true"</span>/></span>
+</bean
+
+<span class="code-tag"><bean id=<span
class="code-quote">"samlRequestFormCreator"</span> class=<span
class="code-quote">"org.apache.cxf.jaxrs.provider.RequestDispatcherProvider"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"dispatcherName"</span> value=<span
class="code-quote">"jsp"</span>/></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"useClassNames"</span> value=<span
class="code-quote">"true"</span>/></span>
+<span class="code-tag"></bean></span>
+
+<span class="code-tag"><bean id=<span
class="code-quote">"stateManager"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager"</span>></span>
+ <span class="code-tag"><constructor-arg ref=<span
class="code-quote">"cxf"</span>/></span>
+<span class="code-tag"></bean></span>
+
+
+</pre>
+</div></div>
+
+<p>Note that the POST binding filter has the same base properties as
org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter has but also <br
clear="none">
+sets a "useDeflateEncoding" property for getting a SAML request deflated. Some
IDPs might not be able to process deflated SAML requests with POST binding
redirects thus the compression may be optionally disabled.</p>
+
+<p>What is actually different in this case from the GET-based redirect is that
the filter prepares an instance of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRequestInfo.java">SAMLRequestInfo</a>
which is subsequently bound to an XHTML view via a JSP filter. The view will
typically have a Java Script handler which will actually redirect the user to
IDP when it is loaded into the browser. The data to view binding is facilitated
by org.apache.cxf.jaxrs.provider.RequestDispatcherProvider, please see <a
shape="rect"
href="http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider">this
page</a> for more information.<br clear="none">
+Here is a typical JSP handler for binding
org.apache.cxf.rs.security.saml.sso.SAMLRequestInfo to the view:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+<span class="code-tag"><%@ page import=<span
class="code-quote">"javax.servlet.http.HttpServletRequest,org.apache.cxf.rs.security.saml.sso.SamlRequestInfo"</span>
%></span>
+
+<%
+ SamlRequestInfo data = (SamlRequestInfo)request.getAttribute(<span
class="code-quote">"samlrequestinfo"</span>);
+%>
+<span class="code-tag"><html xmlns=<span
class="code-quote">"http://www.w3.org/1999/xhtml"</span>></span>
+<span class="code-tag"><body onLoad=<span
class="code-quote">"document.forms[0].submit();"</span>></span>
+ <span class="code-tag"><form action=<span class="code-quote">"<%=
data.getIdpServiceAddress() %></span>"</span> method=<span
class="code-quote">"POST"</span>>
+ <span class="code-tag"><div></span>
+ <input type=<span class="code-quote">"hidden"</span> name=<span
class="code-quote">"SAMLRequest"</span>
+ value=<span class="code-quote">"<span class="code-tag"><%=
data.getSamlRequest() %></span>"</span>/>
+ <input type=<span class="code-quote">"hidden"</span> name=<span
class="code-quote">"RelayState"</span>
+ value=<span class="code-quote">"<span class="code-tag"><%=
data.getRelayState() %></span>"</span>/>
+ <span class="code-tag"></div></span>
+ <span class="code-tag"><div></span>
+ <span class="code-tag"><input type=<span
class="code-quote">"submit"</span> value=<span
class="code-quote">"Continue"</span>/></span>
+ <span class="code-tag"></div></span>
+ <span class="code-tag"></form></span>
+
+<span class="code-tag"></body></span>
+<span class="code-tag"></html></span>
+</pre>
+</div></div>
-<h1><a shape="rect"
name="SAMLWebSSO-ApplicationSecurityFilter"></a>Application Security Filter</h1>
<h1><a shape="rect"
name="SAMLWebSSO-RequestAssertionSecurityService"></a>Request Assertion
Security Service</h1>
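Review bot: the POST Binding Filter example is malformed where the `ssoRedirectPOST` bean is closed with `</bean` (no `>`) immediately after the `useDeflateEncoding` property, so anyone copying the snippet into a Spring configuration gets an XML parse error; it should read `</bean>` like the surrounding beans. Second, the JSP template emits `data.getIdpServiceAddress()`, `data.getSamlRequest()` and `data.getRelayState()` into attribute values with bare `<%= %>` and no escaping; the values come from the `SamlRequestInfo` the filter itself prepares, but a documentation example for a security filter should still show attribute-safe output, for instance via `<c:out value="..."/>` or `${fn:escapeXml(...)}`, so that readers do not copy the unescaped pattern into views that bind other data. Third, the class name is inconsistent in the added prose: the link text says `SAMLRequestInfo` and the later sentence says `org.apache.cxf.rs.security.saml.sso.SAMLRequestInfo`, while the linked source file and the JSP import both use `SamlRequestInfo`. Wording nits in the new paragraphs: "lets the request to continue" should be "lets the request continue", "set-up" should be "set up", "Java Script" should be "JavaScript", and the `<br clear="none">` inside the sentence about "useDeflateEncoding" splits it mid-clause.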