Repository: cxf-fediz Updated Branches: refs/heads/master f1a9c0048 -> e434cfaa7
Fix wsclientWebapp by configuring client auth against STS. Thanks to Andreas Vallen for the patch. This closes #4
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/e434cfaa
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/e434cfaa
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/e434cfaa
Branch: refs/heads/master
Commit: e434cfaa72fc7b618e263a5a8b6a498181895d88
Parents: f1a9c00
Author: Colm O hEigeartaigh <[email protected]>
Authored: Mon Feb 23 21:07:09 2015 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Mon Feb 23 21:07:09 2015 +0000
----------------------------------------------------------------------
 examples/samplekeys/HowToGenerateKeysREADME.html | 16 +++++++++-------
 examples/samplekeys/ststrust.jks | Bin 2561 -> 3241 bytes
 .../webapp/src/main/resources/rp-ssl-key.jks | Bin 0 -> 1124 bytes
 .../main/webapp/WEB-INF/applicationContext.xml | 5 +++++
 services/sts/src/main/resources/ststrust.jks | Bin 2561 -> 3241 bytes
 5 files changed, 14 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e434cfaa/examples/samplekeys/HowToGenerateKeysREADME.html
----------------------------------------------------------------------
diff --git a/examples/samplekeys/HowToGenerateKeysREADME.html b/examples/samplekeys/HowToGenerateKeysREADME.html
index 6eb2957..5b020c9 100644
--- a/examples/samplekeys/HowToGenerateKeysREADME.html
+++ b/examples/samplekeys/HowToGenerateKeysREADME.html
@@ -1,3 +1,4 @@
+
 <html>
 <head/>
 <body>
@@ -14,8 +15,8 @@ is recommended.</p>
 <td><code>keytool -genkeypair -validity 730 -alias mytomidpkey -keystore idp-ssl-server.jks -dname "cn=localhost" -keypass tompass -storepass tompass</code><br/><br/><code>keytool -keystore idp-ssl-server.jks -storepass tompass -export -alias mytomidpkey -file MyTCIDP.cer</code></td>
 <td>Nobody</td><td>Fediz IDP module<br/><br/>wsclientWebapp's webapp module<br/><br/>Browser</td></tr>
 <tr><td>rp-ssl-server.jks (tompass)</td><td>mytomrpkey (tompass)</td><td>base folder of Tomcat instance holding the relying party applications for both samples (simpleWebapp and wsclientWebapp); STS public cert NOT imported anymore - instead use ststrust.jks</td>
- <td><code>keytool -genkeypair -validity 730 -alias mytomrpkey -keystore rp-ssl-server.jks -dname "cn=localhost" -keypass tompass -storepass tompass</code></td>
- <td>Nobody</td><td>Browser</td></tr>
+ <td><code>keytool -genkeypair -validity 730 -alias mytomrpkey -keystore rp-ssl-server.jks -dname "cn=localhost" -keypass tompass -storepass tompass</code><br/><br/><code>keytool -keystore rp-ssl-server.jks -storepass tompass -export -alias mytomrpkey -file MyTCRP.cer</code></td>
+ <td>Nobody</td><td>Browser<br/><br/>IDP STS</td></tr>
 <tr><td>wsp-ssl-server.jks (tompass)</td><td>mytomwspkey (tompass)</td><td>base folder of Tomcat instance holding the web service provider in the second (wsClientWebapp) sample</td>
 <td><code>keytool -genkeypair -validity 730 -alias mytomwspkey -keystore wsp-ssl-server.jks -dname "cn=localhost" -keypass tompass -storepass tompass</code><br/><br/><code>keytool -keystore wsp-ssl-server.jks -storepass tompass -export -alias mytomwspkey -file MyTCWSP.cer</code></td>
 <td>Nobody</td><td>wsclientWebapp's webapp module</td></tr>
@@ -23,24 +24,25 @@ is recommended.</p>
 <tr><td>idp-ssl-trust.jks (ispass)</td><td>myidpkey (ikpass)</td><td>services/idp/src/main/resources/idp-ssl-trust.jks</td>
 <td><code>keytool -import -trustcacerts -keystore idp-ssl-trust.jks -storepass ispass -alias mytomidpkey -file MyTCIDP.cer -noprompt</code></td>
 <td>mytomidpkey (because of SSL call to IDP STS)</td><td>IDP STS</td></tr>
-<tr><td>stsrealm_a.jks (storepass)</td><td>realma (realma)</td><td>services/sts/src/realms/resources/stsrealm_a.jks</td>
+<tr><td>stsrealm_a.jks (storepass)</td><td>realma (realma)</td><td>services/sts/src/main/resources/stsrealm_a.jks</td>
 <td><code>
 keytool -genkeypair -keyalg RSA -validity 3600 -alias realma -keystore stsrealm_a.jks -dname "cn=REALMA" -keypass realma -storepass storepass<br/><br/>
 keytool -export -rfc -keystore stsrealm_a.jks -storepass storepass -alias realma -file realma.cert
 </code>
-</td>
+</td>â
 <td>Nobody</td><td>By Relying Party (ststrust.jks)</td></tr>
-<tr><td>stsrealm_b.jks (storepass)</td><td>realmb (realmb)</td><td>services/sts/src/realms/resources/stsrealm_b.jks</td>
+<tr><td>stsrealm_b.jks (storepass)</td><td>realmb (realmb)</td><td>services/sts/src/main/resources/stsrealm_b.jks</td>
 <td><code>
 keytool -genkeypair -keyalg RSA -validity 3600 -alias realma -keystore stsrealm_b.jks -dname "cn=REALMB" -keypass realmb -storepass storepass<br/><br/>
 keytool -export -rfc -keystore stsrealm_b.jks -storepass storepass -alias realmb -file realmb.cert
 </code>
 </td>
 <td>Nobody</td><td>By Relying Party (ststrust.jks)</td></tr>
-<tr><td>ststrust.jks (storepass)</td><td>N/A (no key, just a truststore)</td><td>examples/samplekeys/ststrust.jks<br/><br/>services/sts/src/realms/resources/ststrust.jks</td>
+<tr><td>ststrust.jks (storepass)</td><td>N/A (no key, just a truststore)</td><td>examples/samplekeys/ststrust.jks<br/><br/>services/sts/src/main/resources/ststrust.jks</td>
 <td><code>
 keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias realma 
-file realma.cert -noprompt<br/><br/>
-keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias realmb -file realmb.cert -noprompt
+keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias realmb -file realmb.cert -noprompt<br/><br/>
+keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias rpcert -file MyTCRP.cer -noprompt
 </code>
 </td>
 <td>Nobody</td><td>By Relying Party (Fediz configuration file)</td></tr>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e434cfaa/examples/samplekeys/ststrust.jks
----------------------------------------------------------------------
diff --git a/examples/samplekeys/ststrust.jks b/examples/samplekeys/ststrust.jks
index 911945c..bad73f4 100644
Binary files a/examples/samplekeys/ststrust.jks and b/examples/samplekeys/ststrust.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e434cfaa/examples/wsclientWebapp/webapp/src/main/resources/rp-ssl-key.jks
----------------------------------------------------------------------
diff --git a/examples/wsclientWebapp/webapp/src/main/resources/rp-ssl-key.jks b/examples/wsclientWebapp/webapp/src/main/resources/rp-ssl-key.jks
new file mode 100644
index 0000000..c37cbbf
Binary files /dev/null and b/examples/wsclientWebapp/webapp/src/main/resources/rp-ssl-key.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e434cfaa/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/applicationContext.xml b/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/applicationContext.xml
index 0268075..284a944 100644
--- a/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/applicationContext.xml
@@ -75,6 +75,11 @@
 <sec:keyStore type="jks" password="waspass" resource="webappKeystore.jks" />
 </sec:trustManagers>
+ <!-- new keyManager is needed for client cert authentication against STS Transport_Port,
+ rp-ssl-key.jks is a copy of the keystore rp-ssl-server.jks that is used for SSL by the webapp. -->
+ <sec:keyManagers keyPassword="tompass">
+ <sec:keyStore type="jks" password="tompass" resource="rp-ssl-key.jks"/>
+ </sec:keyManagers>
 </http:tlsClientParameters>
 </http:conduit>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e434cfaa/services/sts/src/main/resources/ststrust.jks
----------------------------------------------------------------------
diff --git a/services/sts/src/main/resources/ststrust.jks b/services/sts/src/main/resources/ststrust.jks
index 911945c..3a408ae 100644
Binary files a/services/sts/src/main/resources/ststrust.jks and b/services/sts/src/main/resources/ststrust.jks differ
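Review bot: The added `<sec:keyManagers>` loads `rp-ssl-key.jks` from `src/main/resources`, and the new comment says that file is a copy of `rp-ssl-server.jks`, the Tomcat TLS server keystore; the server's private key is therefore now also packaged inside the webapp artifact and reused as the client credential towards the STS, so a compromise of either copy exposes both roles. A dedicated client key pair, with only its certificate imported into `ststrust.jks` (this commit already imports `MyTCRP.cer` there under alias `rpcert`), would keep the server identity and the STS client identity separate. Whichever way it is resolved, the comment should state the coupling explicitly: `<!-- Client-cert identity for the STS Transport_Port: rp-ssl-key.jks is a copy of the Tomcat TLS keystore rp-ssl-server.jks, so the same key serves both roles; its certificate must be present in the STS ststrust.jks (alias rpcert). -->`. The enclosing `<http:conduit>` and `<http:tlsClientParameters>` start outside the hunk, so I could not confirm from here which conduit this block applies to; presumably the STS Transport_Port endpoint named in the comment.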
