Author: buildbot
Date: Mon Jul  9 09:47:50 2012
New Revision: 825115

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==============================================================================
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jul  9 09:47:50 
2012
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO
 
 
 <div>
-<ul><li><a shape="rect" 
href="#SAMLWebSSO-Introduction">Introduction</a></li><ul><li><a shape="rect" 
href="#SAMLWebSSO-TypicalFlow">Typical Flow</a></li></ul><li><a shape="rect" 
href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity 
Provider</a></li><li><a shape="rect" 
href="#SAMLWebSSO-ServiceProviderSecurityFilter">Service Provider Security 
Filter</a></li><ul><li><a shape="rect" 
href="#SAMLWebSSO-RedirectBindingFilter">Redirect Binding Filter</a></li><li><a 
shape="rect" href="#SAMLWebSSO-POSTBindingFilter">POST Binding 
Filter</a></li><li><a shape="rect" 
href="#SAMLWebSSO-SigningSAMLAuthenticationRequests">Signing SAML 
Authentication Requests</a></li><li><a shape="rect" 
href="#SAMLWebSSO-FiltersandStateManagement">Filters and State 
Management</a></li></ul><li><a shape="rect" 
href="#SAMLWebSSO-RequestAssertionConsumerService">Request Assertion Consumer 
Service</a></li><ul><li><a shape="rect" href="#SAM
 LWebSSO-DealingwithsignedSAMLResponses">Dealing with signed SAML 
Responses</a></li></ul><li><a shape="rect" 
href="#SAMLWebSSO-SSOStateProvider">SSO State Provider</a></li></ul></div>
+<ul><li><a shape="rect" 
href="#SAMLWebSSO-Introduction">Introduction</a></li><ul><li><a shape="rect" 
href="#SAMLWebSSO-TypicalFlow">Typical Flow</a></li></ul><li><a shape="rect" 
href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity 
Provider</a></li><li><a shape="rect" 
href="#SAMLWebSSO-ServiceProviderSecurityFilter">Service Provider Security 
Filter</a></li><ul><li><a shape="rect" 
href="#SAMLWebSSO-RedirectBindingFilter">Redirect Binding Filter</a></li><li><a 
shape="rect" href="#SAMLWebSSO-POSTBindingFilter">POST Binding 
Filter</a></li><li><a shape="rect" 
href="#SAMLWebSSO-SigningSAMLAuthenticationRequests">Signing SAML 
Authentication Requests</a></li><li><a shape="rect" 
href="#SAMLWebSSO-FiltersandStateManagement">Filters and State 
Management</a></li></ul><li><a shape="rect" 
href="#SAMLWebSSO-RequestAssertionConsumerService">Request Assertion Consumer 
Service</a></li><ul><li><a shape="rect" href="#SAM
 LWebSSO-DealingwithsignedSAMLResponses">Dealing with signed SAML 
Responses</a></li></ul><li><a shape="rect" 
href="#SAMLWebSSO-SSOStateProvider">SSO State Provider</a></li><ul><li><a 
shape="rect" href="#SAMLWebSSO-DistributedStateManagement">Distributed State 
Management</a></li></ul></ul></div>
 
 <h1><a shape="rect" name="SAMLWebSSO-Introduction"></a>Introduction</h1>
 
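Review bot: the new "Distributed State Management" entry is added as a `<ul>` that is a direct child of the outer `<ul>`, placed after the `</li>` of "SSO State Provider" instead of inside it; every other sub-list in this table of contents follows the same pattern, so the change is consistent with the Confluence export, but `<ul>` directly inside `<ul>` is not valid HTML nesting and is better fixed in the export template than by hand here. The anchor `#SAMLWebSSO-DistributedStateManagement` does match the `name` attribute on the `<h2>` added later in this patch, so the link target is correct. One thing to confirm: the `href="#SAM` / `LWebSSO-DealingwithsignedSAMLResponses"` split appears in both the old and new lines, so it is almost certainly mail wrapping rather than a broken anchor in the file, but it is worth checking the rendered page once.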
@@ -433,7 +433,92 @@ the current user, persists it and redire
 
 <p>SP Security Filters and RACS depend on the custom <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/SPStateManager.java";>SPStateManager</a>
 implementation for persisting the current request and security context state. 
</p>
 
-<p>CXF ships an <a shape="rect" class="external-link" 
href="http://ehcache.org/"; rel="nofollow">EhCache</a>-based <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java";>implementation</a>.
 Users can register their own custom implementations if required.</p></div>
+<p>CXF ships a basic <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/MemorySPStateManager.java";>MemorySPStateProvider</a>
 and an <a shape="rect" class="external-link" href="http://ehcache.org/"; 
rel="nofollow">EhCache</a>-based <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java";>implementation</a>
 which is memory based with an option to overflow to the disk. Users can 
customize the EhCache provider or register their own custom SPStateProvider 
implementations if required.</p>
+
+<p>For example, by default, the EhCache provider will overflow the data to the 
system temp directory and will not persist the data across restarts. The 
following EhCache configuration can be used to change it:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;ehcache xsi:noNamespaceSchemaLocation=<span 
class="code-quote">"ehcache.xsd"</span> updateCheck=<span 
class="code-quote">"false"</span> monitoring=<span 
class="code-quote">"autodetect"</span> dynamicConfig=<span 
class="code-quote">"true"</span>&gt;</span>
+
+    <span class="code-tag">&lt;diskStore path=<span 
class="code-quote">"/home/username/work/ehcache"</span>/&gt;</span>
+
+    &lt;defaultCache
+            maxEntriesLocalHeap=<span class="code-quote">"5000"</span>
+            timeToIdleSeconds=<span class="code-quote">"3600"</span>
+            timeToLiveSeconds=<span class="code-quote">"3600"</span>
+            overflowToDisk=<span class="code-quote">"true"</span>
+            maxElementsOnDisk=<span class="code-quote">"10000000"</span>
+            diskPersistent=<span class="code-quote">"true"</span>
+            diskExpiryThreadIntervalSeconds=<span 
class="code-quote">"120"</span>
+            memoryStoreEvictionPolicy=<span class="code-quote">"LRU"</span>
+            /&gt;
+<span class="code-tag">&lt;/ehcache&gt;</span>
+
+Assuming this configuration is saved in WEB-INF/ehcache.xml, the EhCache 
provider can be configured as follows:
+
+{code:xml}
+<span class="code-tag">&lt;bean id=<span 
class="code-quote">"stateManager"</span> class=<span 
class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager"</span>&gt;</span>
+    <span class="code-tag">&lt;constructor-arg value=<span 
class="code-quote">"/WEB-INF/ehcache.xml"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+</pre>
+</div></div>
+
+<h2><a shape="rect" 
name="SAMLWebSSO-DistributedStateManagement"></a>Distributed State 
Management</h2>
+
+<p>If you have a complex application supported by a number of wars deployed 
into different containers, one has to decide whether to have a single 
RequestAssertionConsumerService (RACS) endpoint which IDP will redirect to when 
processing the user authentication requests or have a separate RACS endpoint 
per every web application which all form a bigger application.</p>
+
+<p>For example, assume you have server1, server2 and server3 which all support 
a bigger application. One can have a serverRacs web application which will host 
a RACS endpoint. Next, server1, server2 and server3 SSO filters will all point 
to this standalone RACS endpoint when redirecting the user to IDP and IDP will 
eventually redirect the user to RACS which in turn will redirect the user to 
the original targer URI supported by server or server2 or server3.</p>
+
+<p>In this case, one has to decide how the state between SSO security filters 
protecting the individual servers and RACS will be shared.<br clear="none">
+One approach is to setup the Ehcache provider to use <a shape="rect" 
class="external-link" 
href="http://ehcache.org/documentation/configuration/distributed-cache-configuration";
 rel="nofollow">Terracotta or RMI with the multicast</a> or implement the 
alternative approach not involving Ehcache at all.</p>
+
+<p>CXF offers a simple <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/HTTPSPStateManager.java";>HTTPSPStateManager</a>
 provider which can be used to simplify the task of setting up the distributed 
state cache, which can be used for simple distributed web applications or to 
support the more advanced applications at the proof-of-concept stage.</p>
+
+<p>For example, the following jaxrs:endpoint can be deployed alongside the 
RACS endpoint running in its own web application:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
+<pre class="code-xml">
+    <span class="code-tag">&lt;bean id=<span 
class="code-quote">"stateManager"</span> class=<span 
class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.HTTPSPStateManager"</span>/&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span 
class="code-quote">"consumerService"</span> class=<span 
class="code-quote">"org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"stateProvider"</span> ref=<span 
class="code-quote">"stateManager"</span>/&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"signaturePropertiesFile"</span> value=<span 
class="code-quote">"serviceKeystore.properties"</span>/&gt;</span>
+        <span class="code-tag">&lt;property name=<span 
class="code-quote">"callbackHandlerClass"</span> value=<span 
class="code-quote">"oauth2.sso.SSOCallbackHandler"</span>/&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+    
+    <span class="code-tag">&lt;jaxrs:server address=<span 
class="code-quote">"/"</span>&gt;</span> 
+       <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span 
class="code-quote">"consumerService"</span>/&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span 
class="code-quote">"stateManager"</span>/&gt;</span> 
+       <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+    <span class="code-tag">&lt;/jaxrs:server&gt;</span>
+</pre>
+</div></div>
+
+<p>Note that the RACS bean itself directly uses HTTPSPStateManager which is 
also available as an HTTP endpoint for all the SSO security filters to work 
with.<br clear="none">
+Here is an example of how the SPStateManagers at the individual SSO filter end 
can use this HTTP endpoint:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
+<pre class="code-xml">
+
+&lt;jaxrs:client id=<span class="code-quote">"stateManager"</span>
+         address=<span 
class="code-quote">"https://localhost:${racs.port}/racs";</span>
+         serviceClass=<span 
class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.HTTPSPStateManager"</span>/&gt;
+         
+ <span class="code-tag">&lt;bean id=<span 
class="code-quote">"ssoRedirectURI"</span> class=<span 
class="code-quote">"org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter"</span>&gt;</span>
+    <span class="code-tag">&lt;property name=<span 
class="code-quote">"idpServiceAddress"</span> value=<span 
class="code-quote">"${idp.address}"</span>/&gt;</span>
+    &lt;property name=<span 
class="code-quote">"assertionConsumerServiceAddress"</span> 
+               value=<span 
class="code-quote">"https://localhost:${racs.port}/racs/sso";</span>/&gt;
+    <span class="code-tag">&lt;property name=<span 
class="code-quote">"stateProvider"</span> ref=<span 
class="code-quote">"stateManager"</span>/&gt;</span>
+    <span class="code-tag">&lt;property name=<span 
class="code-quote">"addWebAppContext"</span> value=<span 
class="code-quote">"false"</span>/&gt;</span> 
+ <span class="code-tag">&lt;/bean&gt;</span>
+
+</pre>
+</div></div>
+
+
+<p>Note that a JAX-RS Client proxy to the HTTPSPStateManager endpoint is used 
as SPStateManager reference.</p>
+
+<p>The alternative to having a distributed state cache be set up is to simply 
have a RACS endpoint collocated with every individual web application 
constituting the bigger application, see the earlier section describing SSO 
filters on how this can be easily set up. One possible downside of it is that 
there will be no centralized store managing the state required by different 
filters and RACS which in turn can make it more difficult to audit and log all 
the SSO-related activities spanning across all the bigger application.  
</p></div>
            </div>
            <!-- Content -->
          </td>
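Review bot: the first code panel is never closed after `&lt;/ehcache&gt;`; the sentence "Assuming this configuration is saved in WEB-INF/ehcache.xml, the EhCache provider can be configured as follows:" and the unrendered `{code:xml}` macro are emitted inside the same `<pre class="code-xml">`, so the prose renders as monospace and the literal `{code:xml}` appears on the page. Close the panel after the ehcache element, put that sentence in its own `<p>`, and open a second code panel for the `EHCacheSPStateManager` bean. Naming is inconsistent in the same paragraph: the link text reads `MemorySPStateProvider` while the href points at `MemorySPStateManager.java`, and "register their own custom SPStateProvider implementations" uses a different name from the `SPStateManager` interface named in the unchanged context just above; the class names suggest `SPStateManager`. Two points the new text should state explicitly: with `diskPersistent="true"` the EhCache provider keeps the persisted request and security-context state under the `diskStore` path across restarts, so the page should tell readers to restrict that directory to the service account; and `HTTPSPStateManager` is published as a JAX-RS endpoint that the SSO filters reach via `https://localhost:${racs.port}/racs`, yet nothing says how that endpoint is limited to the filters even though it serves the same state the RACS bean uses, so the expected TLS and client-authentication setup should be documented. Minor: "targer URI" should be "target URI", "supported by server or server2 or server3" should read "server1", "setup the Ehcache provider" should be "set up the EhCache provider" (the page otherwise spells it EhCache), and "spanning across all the bigger application" reads better as "spanning the whole application".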