Author: buildbot
Date: Wed Aug 1 14:47:27 2012
New Revision: 827616
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-kerberos.html
websites/production/cxf/content/docs/ws-securitypolicy.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug 1
14:47:27 2012
@@ -124,7 +124,7 @@ Apache CXF -- JAXRS Kerberos
<div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">
JAX-RS Kerberos Support </span></p>
<div>
-<ul><li><a shape="rect"
href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-Kerberos">Kerberos</a></li><li><a shape="rect"
href="#JAXRSKerberos-HTTPNegotiatescheme">HTTP Negotiate scheme</a></li><li><a
shape="rect" href="#JAXRSKerberos-GSSAPI">GSS API</a></li></ul><li><a
shape="rect" href="#JAXRSKerberos-Clientconfiguration">Client
configuration</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a shape="rect"
href="#JAXRSKerberos-Interceptor">Interceptor</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-AuthorizationPolicy">Authorization Policy</a></li><li><a
shape="rect"
href="#JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the
service principal name</a></li><li><a shape="rect"
href="#JAXRSKerberos-UsingJAASConfiguration">Using JAAS
Configuration</a></li></ul></ul><li><a shape="rect"
href="#JAXRSKerberos-Serverconfiguration">Server configuration</a></li><li><a
shape="
rect" href="#JAXRSKerberos-CredentialDelegation">Credential
Delegation</a></li></ul></div>
+<ul><li><a shape="rect"
href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-Kerberos">Kerberos</a></li><li><a shape="rect"
href="#JAXRSKerberos-HTTPNegotiatescheme">HTTP Negotiate scheme</a></li><li><a
shape="rect" href="#JAXRSKerberos-GSSAPI">GSS API</a></li></ul><li><a
shape="rect" href="#JAXRSKerberos-Clientconfiguration">Client
configuration</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a shape="rect"
href="#JAXRSKerberos-Interceptor">Interceptor</a></li><ul><li><a shape="rect"
href="#JAXRSKerberos-AuthorizationPolicy">Authorization Policy</a></li><li><a
shape="rect"
href="#JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the
service principal name</a></li><li><a shape="rect"
href="#JAXRSKerberos-UsingJAASConfiguration">Using JAAS
Configuration</a></li></ul></ul><li><a shape="rect"
href="#JAXRSKerberos-Serverconfiguration">Server
configuration</a></li><ul><li><a sha
pe="rect"
href="#JAXRSKerberos-ServiceprincipalnameandJAASConfiguration">Service
principal name and JAAS Configuration</a></li><li><a shape="rect"
href="#JAXRSKerberos-CallbackHandler">CallbackHandler</a></li></ul><li><a
shape="rect" href="#JAXRSKerberos-CredentialDelegation">Credential
Delegation</a></li></ul></div>
<h1><a shape="rect" name="JAXRSKerberos-Introduction"></a>Introduction</h1>
<h2><a shape="rect" name="JAXRSKerberos-Kerberos"></a>Kerberos</h2>
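Review bot: the two TOC entries added under Server configuration point at `#JAXRSKerberos-ServiceprincipalnameandJAASConfiguration` and `#JAXRSKerberos-CallbackHandler`, and both anchors are defined by the new `<h2>` elements in the next hunk, so the links resolve. Style point: the sublist is emitted as a sibling of its parent `<li>` (`...Server configuration</a></li><ul>...</ul><li>...`) rather than inside it, which is not valid HTML list nesting; it follows the pattern the Confluence export already uses for the Introduction and Client configuration entries, so it is not a regression, but the generated TOC would be cleaner if each nested `<ul>` sat inside the preceding `<li>`.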
@@ -182,7 +182,103 @@ Book b = wc.get(Book.class);
<h1><a shape="rect" name="JAXRSKerberos-Serverconfiguration"></a>Server
configuration</h1>
+<p>org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter can be used to
protected JAX-RS endpoints and enforce that a Negotiate authentication scheme
is used by clients, example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+
+<span class="code-tag"><bean id=<span
class="code-quote">"kerberosFilter"</span> class=<span
class="code-quote">"org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"loginContextName"</span> value=<span
class="code-quote">"KerberosServiceKeyTab"</span>/></span>
+<span class="code-tag"></bean></span>
+
+<span class="code-tag"><jaxrs:server></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><bean class=<span
class="code-quote">"org.mycompany.MyCompanyResource"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+ <span class="code-tag"><jaxrs:providers></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"kerberosFilter"</span>></span>
+ <span class="code-tag"></jaxrs:providers></span>
+<span class="code-tag"></jaxrs:server></span>
+</pre>
+</div></div>
+
+<p>KerberosAuthenticationFilter will set a CXF <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/SecurityContext.java">SecurityContext</a>
on the current message if the authentication has been successful. This
SecurityContext will return an instance of
KerberosAuthenticationFilter$KerberosPrincipal, this Principal will return a
'simple' and 'kerberos' source principal names, example, given
"HTTP/[email protected]", Principal#getName will return "HTTP/localhost",
and KerberosPrincipal#getKerberosName will return
"HTTP/[email protected]".</p>
+
+<h2><a shape="rect"
name="JAXRSKerberos-ServiceprincipalnameandJAASConfiguration"></a>Service
principal name and JAAS Configuration</h2>
+
+<p>Service principal name and JAAS Configuration can be optionally set up the
same way they can be with KerberosAuthOutInterceptor, using
'servicePrincipalName' + 'realm' and "loginConfig" properties. </p>
+
+<h2><a shape="rect"
name="JAXRSKerberos-CallbackHandler"></a>CallbackHandler</h2>
+
+<p>javax.security.auth.callback.CallbackHandler needs to be registered if no
Kerberos key tabs are used, here is an example of setting it up from Java:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-java">
+<span class="code-keyword">public</span> class TestResource {
+ <span class="code-keyword">public</span> <span
class="code-keyword">static</span> void main(<span
class="code-object">String</span>[] args) {
+ JAXRSServerFactoryBean sf = <span class="code-keyword">new</span>
JAXRSServerFactoryBean();
+ sf.setResourceClasses(BookStore.class);
+ KerberosAuthenticationFilter filter = <span class="code-keyword">new</span>
KerberosAuthenticationFilter();
+ filter.setLoginContextName(<span
class="code-quote">"KerberosServer"</span>);
+
+ CallbackHandler handler =
+ <span class="code-keyword">new</span>
org.apache.cxf.interceptor.security.NamePasswordCallbackHandler(<span
class="code-quote">"HTTP/localhost"</span>, <span
class="code-quote">"http"</span>);
+ filter.setCallbackHandler(handler);
+
+ <span class="code-comment">//filter.setLoginContextName(<span
class="code-quote">"KerberosServerKeyTab"</span>);
+</span> <span class="code-comment">//filter.setServicePrincipalName(<span
class="code-quote">"HTTP/ktab"</span>);
+</span> sf.setProvider(filter);
+ sf.setAddress(<span class="code-quote">"http:<span
class="code-comment">//localhost:"</span> + PORT + <span
class="code-quote">"/"</span>);
+</span>
+ sf.create();
+ }
+}
+</pre>
+</div></div>
+
+
<h1><a shape="rect" name="JAXRSKerberos-CredentialDelegation"></a>Credential
Delegation</h1>
+
+<p>Please see this <a shape="rect"
href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-CredentialDelegation">section</a>
on the way client-side credential delegation can be both enabled and
implemented at the HTTP conduit level.</p>
+
+<p>Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the
endpoints, then the filter will have an org.ietf.jgss.GSSContext instance
available in the current CXF SecurityContext, via its
KerberosAuthenticationFilter$KerberosSecurityContext implementation, which can
be used to get to org.ietf.jgss.GSSCredential if the credential delegation is
supported for a given source principal. The current credential if any can be
set as a client property next, for example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-java">
+
+<span class="code-keyword">import</span> org.ietf.jgss.GSSCredential;
+
+<span class="code-keyword">import</span>
org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter;
+<span class="code-keyword">import</span>
org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;
+
+@Path(<span class="code-quote">"service"</span>)
+<span class="code-keyword">public</span> class MyResource {
+
+ @Context
+ <span class="code-keyword">private</span> javax.ws.rs.core.SecurityContext
securityContext;
+
+ @GET
+ <span class="code-keyword">public</span> Book
getBookFromKerberosProtectedStore() {
+ WebClient wc = webClient.create(<span class="code-quote">"http:<span
class="code-comment">//internal.com/store"</span>);
+</span> <span class="code-keyword">if</span> (securityContext <span
class="code-keyword">instanceof</span> KerberosSecurityContext) {
+ KerberosSecurityContext ksc =
(KerberosSecurityContext)securityContext;
+ GSSCredential cred = ksc.getGSSContext().getDelegCred();
+ <span class="code-keyword">if</span> (cred != <span
class="code-keyword">null</span>) {
+
WebClient.getConfig(wc).getRequestContext().put(GSSCredential.class.getName(),
cred);
+ }
+ }
+ <span class="code-keyword">return</span> wc.get(Book.class);
+ }
+
+}
+</pre>
+</div></div>
+
+<p>The HTTPConduit or KerberosAuthOutInterceptor handler will use the
available GSSCredential.</p>
+
+
+<p>Also note that KerberosAuthOutInterceptor can have its "credDelegation"
property set to "true" if it is used instead of HTTPConduit on the client side,
when enabling the delegation initially.</p>
+
</div>
</div>
<!-- Content -->
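Review bot: the credential-delegation sample in `MyResource` does not compile as written: `webClient.create(...)` refers to an undefined `webClient` and should be the static factory `WebClient.create(...)`, and `GSSContext.getDelegCred()` throws the checked `org.ietf.jgss.GSSException`, so `getBookFromKerberosProtectedStore()` must declare or catch it. It is also safer to test `ksc.getGSSContext().getCredDelegState()` before calling `getDelegCred()` rather than relying on a null return, since the text says a delegated credential is only present when delegation is supported for the source principal. Two smaller points in the same hunk: the intro sentence reads "can be used to protected JAX-RS endpoints" (should be "protect"), and the example principal in the SecurityContext paragraph appears as "HTTP/[email protected]", which looks like the page generator's e-mail obfuscation mangling a Kerberos name of the form `HTTP/host@REALM`; the sentence is unreadable until that is restored. On the CallbackHandler example: `NamePasswordCallbackHandler("HTTP/localhost", "http")` embeds the service principal's password as a string literal, and the snippet references `PORT` and `BookStore` that it never defines; please mark the password as a test-only value and point readers to the keytab-based `loginContextName` (the commented-out `KerberosServerKeyTab` line) for deployment, since a service password in source is the weaker option. Finally, the delegation section should say plainly that putting the delegated `GSSCredential` into the request context lets this service act as the caller toward `internal.com`, so `credDelegation` should only be enabled on clients that actually need that downstream hop.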
Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==============================================================================
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Wed Aug 1
14:47:27 2012
@@ -158,10 +158,17 @@ Apache CXF -- WS-SecurityPolicy
</div>
+<h4><a shape="rect"
name="WS-SecurityPolicy-Booleanconfigurationtags%2Ce.g.thevalueshouldbe%22true%22or%22false%22."></a>Boolean
configuration tags, e.g. the value should be "true" or "false".</h4>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.validate.token </td><td colspan="1"
rowspan="1" class="confluenceTd"> Whether to validate the password of a
received UsernameToken or not. The default is true.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.enableRevocation
</td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to enable
Certificate Revocation List (CRL) checking or not when verifying trust in a
certificate. The default value is "false".</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> ws-security.username-token.always.encrypted
</td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to always
encrypt UsernameTokens whenever possible. The default is true.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.is-bsp-compliant
</td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to ensure
compliance with the Basic Securit
y Profile (BSP) 1.1 or not. The default value is "true". </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">
ws-security.self-sign-saml-assertion </td><td colspan="1" rowspan="1"
class="confluenceTd"> Whether to self-sign a SAML Assertion or not. If this is
set to true, then an enveloped signature will be generated when the SAML
Assertion is constructed. The default is false. </td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> ws-security.enable.nonce.cache </td><td
colspan="1" rowspan="1" class="confluenceTd"> Whether to cache UsernameToken
nonces. See <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE">here</a>
for more information.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.enable.timestamp.cache </td><td colspan="1"
rowspan="1" class="confluenceTd"> Whether to cache Timestamp Created Strings.
See <a shape="rect" href="http://cxf.apache.org/
javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE">here</a>
for more information.</td></tr></tbody></table>
+</div>
+
+
<h4><a shape="rect" name="WS-SecurityPolicy-Otherproperties"></a>Other
properties</h4>
<div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.subject.cert.constraints </td><td colspan="1"
rowspan="1" class="confluenceTd"> This configuration tag is a comma separated
String of regular expressions which will be applied to the subject DN of the
certificate used for signature validation, after trust verification of the
certificate chain associated with the certificate. These constraints are not
used when the certificate is contained in the keystore (direct trust).
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
ws-security.is-bsp-compliant </td><td colspan="1" rowspan="1"
class="confluenceTd"> Whether to ensure compliance with the Basic Security
Profile (BSP) 1.1 or not. The default value is "true". </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">
ws-security.timestamp.futureTimeToLive </td><td colspan="1" rowspan="1"
class="confluenceTd"> This configuration tag specifies the time in s
econds in the future within which the Created time of an incoming Timestamp is
valid. WSS4J rejects by default any timestamp which is "Created" in the future,
and so there could potentially be<br clear="none" class="atl-forced-newline">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.subject.cert.constraints </td><td colspan="1"
rowspan="1" class="confluenceTd"> This configuration tag is a comma separated
String of regular expressions which will be applied to the subject DN of the
certificate used for signature validation, after trust verification of the
certificate chain associated with the certificate. These constraints are not
used when the certificate is contained in the keystore (direct trust).
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
ws-security.timestamp.futureTimeToLive </td><td colspan="1" rowspan="1"
class="confluenceTd"> This configuration tag specifies the time in seconds in
the future within which the Created time of an incoming Timestamp is valid.
WSS4J rejects by default any timestamp which is "Created" in the future, and so
there could potentially be<br clear="none" class="atl-forced-newline">
problems in a scenario where a client's clock is slightly askew. The default
value for this parameter is "0", meaning that no future-created Timestamps are
allowed. </td></tr></tbody></table>
</div>
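Review bot: the new "Boolean configuration tags" table lists `ws-security.enableRevocation` with a default of "false" without saying what that means for trust verification: with it off, a signing certificate that chains to a trusted CA is accepted even if it has been revoked, so the row should advise enabling it wherever a CRL is available. The last two rows (`ws-security.enable.nonce.cache`, `ws-security.enable.timestamp.cache`) only link to the javadoc, while every other row states its default inline; please state the defaults here too so the table is self-contained. Moving `ws-security.is-bsp-compliant` out of "Other properties" into the boolean table is correct and the description text is identical in both places, so nothing is lost. Style point: the heading text ("Boolean configuration tags, e.g. the value should be "true" or "false".") becomes the anchor name `WS-SecurityPolicy-Booleanconfigurationtags%2Ce.g.thevalueshouldbe%22true%22or%22false%22.`, which is fragile and inconsistent with the short anchors used elsewhere (`WS-SecurityPolicy-Otherproperties`); a heading such as "Boolean configuration tags" with the "true"/"false" remark in a following sentence would give a clean anchor.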