Author: buildbot
Date: Tue Apr 25 11:47:45 2017
New Revision: 1011115

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-downloads.html
    websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-downloads.html
==============================================================================
--- websites/production/cxf/content/fediz-downloads.html (original)
+++ websites/production/cxf/content/fediz-downloads.html Tue Apr 25 11:47:45 
2017
@@ -108,7 +108,7 @@ Apache CXF -- Fediz Downloads
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="FedizDownloads-Releases">Releases</h1><h2 
id="FedizDownloads-1.3.1">1.3.1</h2><p>The 1.3.1 release is our latest 
release.</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.3.1/fediz-1.3.1-source-release.zip";>fediz-1.3.1-source-release.zip</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" href="https://www.apache.org/di
 
st/cxf/fediz/1.3.1/fediz-1.3.1-source-release.zip.md5">fediz-1.3.1-source-release.zip.md5</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.3.1/fediz-1.3.1-source-release.zip.sha1";>fediz-1.3.1-source-release.zip.sha1</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.3.1/fediz-1.3.1-source-release.zip.asc";>fediz-1.3.1-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2
 id="FedizDownloads-1.2.3">1.2.3</h2><p>The 1.2.3 release is our latest release 
of the 1.2.x branch. For more information please see the <a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=blob;f=release_notes.txt;h=e19f9299a676d4d2d12355bdfef016ec248461ea;hb=f579bd61e708a6600f90e2b09dfa1daada5e9160";>release
 notes</a>.</p><div class="table-wrap"><table class="confl
 uenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Binary distribution</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.2.3/apache-fediz-1.2.3.zip";>apache-fediz-1.2.3.zip</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.3/apache-fediz-1.2.3.zip.md5";>apache-fediz-1.2.3.zip.md5</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" href="https://www.apache.org/dist/cxf/fediz/
 1.2.3/apache-fediz-1.2.3.zip.sha1">apache-fediz-1.2.3.zip.sha1</a></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.3/apache-fediz-1.2.3.zip.asc";>apache-fediz-1.2.3.zip.asc</a></p></td></tr><tr><td
 colspan="1" rowspan="1" class="confluenceTd"><p>Source 
distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a 
shape="rect" class="external-link" 
href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.2.3/fediz-1.2.3-source-release.zip";>fediz-1.2.3-source-release.zip</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.3/fediz-1.2.3-source-release.zip.md5";>fediz-1.2.3-source-release.zip.md5</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.3/fediz-1.2.3-source-release.zip.sh
 a1">fediz-1.2.3-source-release.zip.sha1</a></p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.3/fediz-1.2.3-source-release.zip.asc";>fediz-1.2.3-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2
 id="FedizDownloads-VerifyingReleases">Verifying Releases</h2><p>When 
downloading from a mirror please check the SHA1/MD5 checksums as well as 
verifying the OpenPGP compatible signature available from the main Apache site. 
The <a shape="rect" class="external-link" 
href="https://www.apache.org/dist/cxf/KEYS";>KEYS</a> file contains the public 
keys used for signing the release. It is recommended that a web of trust is 
used to confirm the identity of these keys.</p><p>You can check the OpenPGP 
signature with GnuPG via:</p><p>&#160;</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<div id="ConfluenceContent"><h1 id="FedizDownloads-Releases">Releases</h1><h2 
id="FedizDownloads-1.3.2">1.3.2</h2><p>The 1.3.2 release is our latest release. 
For more information please see the <a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/FEDIZ/fixforversion/12338091";>release
 notes</a>.</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zi
 p">fediz-1.3.2-source-release.zip</a></p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.md5";>fediz-1.3.2-source-release.zip.md5</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.sha1";>fediz-1.3.2-source-release.zip.sha1</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.asc";>fediz-1.3.2-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2
 id="FedizDownloads-1.2.4">1.2.4</h2><p>The 1.2.4 release is our latest release 
of the 1.2.x branch. For more information please see the <a shape="rect" 
class="external-link" 
href="https://issues.apache.org/jira/browse/FEDIZ/fixforversion/12338219";>r
 elease notes</a>.</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Binary distribution</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p><a shape="rect" class="external-link" 
href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.2.4/apache-fediz-1.2.4.zip";>apache-fediz-1.2.4.zip</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.4/apache-fediz-1.2.4.zip.md5";>apache-fediz-1.2.4.zip.md5</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" cl
 ass="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.4/apache-fediz-1.2.4.zip.sha1";>apache-fediz-1.2.4.zip.sha1</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.4/apache-fediz-1.2.4.zip.asc";>apache-fediz-1.2.4.zip.asc</a></p></td></tr><tr><td
 colspan="1" rowspan="1" class="confluenceTd"><p>Source 
distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a 
shape="rect" class="external-link" 
href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.2.4/fediz-1.2.4-source-release.zip";>fediz-1.2.4-source-release.zip</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.4/fediz-1.2.4-source-release.zip.md5";>fediz-1.2.4-source-release.zip.md5</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" href="https://www.a
 
pache.org/dist/cxf/fediz/1.2.4/fediz-1.2.4-source-release.zip.sha1">fediz-1.2.4-source-release.zip.sha1</a></p></td><td
 colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" 
class="external-link" 
href="https://www.apache.org/dist/cxf/fediz/1.2.4/fediz-1.2.4-source-release.zip.asc";>fediz-1.2.4-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2
 id="FedizDownloads-VerifyingReleases">Verifying Releases</h2><p>When 
downloading from a mirror please check the SHA1/MD5 checksums as well as 
verifying the OpenPGP compatible signature available from the main Apache site. 
The <a shape="rect" class="external-link" 
href="https://www.apache.org/dist/cxf/KEYS";>KEYS</a> file contains the public 
keys used for signing the release. It is recommended that a web of trust is 
used to confirm the identity of these keys.</p><p>You can check the OpenPGP 
signature with GnuPG via:</p><p>&#160;</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent
  pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">gpg --import KEYS
 gpg --verify apache-fediz-*.zip.asc
 </pre>
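Review bot: the GnuPG example in the trailing context, gpg --verify apache-fediz-*.zip.asc, matches only the binary distribution names, while the 1.3.2 table added in this hunk lists only fediz-1.3.2-source-release.zip with its .md5, .sha1 and .asc files. A reader who follows the page verbatim never checks the signature of the 1.3.x download. Suggest extending the example to cover fediz-*-source-release.zip.asc as well. The "Verifying Releases" paragraph also still presents the SHA1/MD5 checksums first; since neither hash is collision resistant, the text should make clear that the OpenPGP signature, checked against the KEYS file fetched from the main Apache site, is the check that establishes authenticity.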
@@ -118,7 +118,7 @@ gpg --verify apache-fediz-*.zip.asc
 </div></div><p>You can check the SHA1 checksum with:</p><div class="code panel 
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">sha1sum --check apache-fediz-*.zip.sha1
 </pre>
-</div></div><h1 id="FedizDownloads-Previousreleases">Previous 
releases</h1><p>Previous releases are all archived in the apache archive: <a 
shape="rect" class="external-link" 
href="http://archive.apache.org/dist/cxf/fediz";>http://archive.apache.org/dist/cxf/fediz</a></p><h1
 id="FedizDownloads-Snapshots">Snapshots</h1><div 
class="confluence-information-macro 
confluence-information-macro-information"><p class="title">Warning about 
snapshots</p><span class="aui-icon aui-icon-small aui-iconfont-info 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>These are snapshot builds - 
untested builds provided for your convenience. They have not been tested, and 
are not official releases of the Apache CXF Fediz project or the Apache 
Software Foundation.</p></div></div><p>1.3.2 <a shape="rect" 
class="external-link" 
href="https://repository.apache.org/content/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.3.2-SNAPSHOT/";>https://repository.apache.org/co
 
ntent/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.3.2-SNAPSHOT/</a></p><h1
 id="FedizDownloads-Maven2Repositories">Maven 2 Repositories</h1><p>If you use 
Maven 2 for building your applications, Apache CXF Fediz artifacts are 
available from the following repository URLS:</p><h3 
id="FedizDownloads-Releases:">Releases:</h3><p>All supported CXF releases are 
synced into the Maven central repository: <a shape="rect" class="external-link" 
href="http://repo1.maven.org/maven2/"; 
rel="nofollow">http://repo1.maven.org/maven2/</a></p><h3 
id="FedizDownloads-Snapshots:">Snapshots:</h3><p>Snapshots are available in 
Apache's Maven snapshot repository: <a shape="rect" class="external-link" 
href="http://repository.apache.org/snapshots";>http://repository.apache.org/snapshots</a></p></div>
+</div></div><h1 id="FedizDownloads-Previousreleases">Previous 
releases</h1><p>Previous releases are all archived in the apache archive: <a 
shape="rect" class="external-link" 
href="http://archive.apache.org/dist/cxf/fediz";>http://archive.apache.org/dist/cxf/fediz</a></p><h1
 id="FedizDownloads-Snapshots">Snapshots</h1><div 
class="confluence-information-macro 
confluence-information-macro-information"><p class="title">Warning about 
snapshots</p><span class="aui-icon aui-icon-small aui-iconfont-info 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>These are snapshot builds - 
untested builds provided for your convenience. They have not been tested, and 
are not official releases of the Apache CXF Fediz project or the Apache 
Software Foundation.</p></div></div><p>1.4.1 <a shape="rect" 
class="external-link" 
href="https://repository.apache.org/content/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.4.1-SNAPSHOT/";>https://repository.apache.org/co
 
ntent/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.4.1-SNAPSHOT/</a></p><h1
 id="FedizDownloads-Maven2Repositories">Maven 2 Repositories</h1><p>If you use 
Maven 2 for building your applications, Apache CXF Fediz artifacts are 
available from the following repository URLS:</p><h3 
id="FedizDownloads-Releases:">Releases:</h3><p>All supported CXF releases are 
synced into the Maven central repository: <a shape="rect" class="external-link" 
href="http://repo1.maven.org/maven2/"; 
rel="nofollow">http://repo1.maven.org/maven2/</a></p><h3 
id="FedizDownloads-Snapshots:">Snapshots:</h3><p>Snapshots are available in 
Apache's Maven snapshot repository: <a shape="rect" class="external-link" 
href="http://repository.apache.org/snapshots";>http://repository.apache.org/snapshots</a></p></div>
            </div>
            <!-- Content -->
          </td>
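Review bot: the replaced block keeps plain http:// links for archive.apache.org/dist/cxf/fediz, repo1.maven.org/maven2/ and repository.apache.org/snapshots, while the snapshot link in the same block already uses https://repository.apache.org/. Since this block is being regenerated anyway, suggest switching the archive and Maven repository URLs to https so that users who copy them into a build do not fetch artifacts over an unauthenticated channel. The snapshot entry also jumps from 1.3.2-SNAPSHOT to 1.4.1-SNAPSHOT although the releases listed on this page are 1.3.2 and 1.2.4; worth confirming that this is the intended snapshot line and that no 1.3.x snapshot should be listed.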

Modified: websites/production/cxf/content/fediz.html
==============================================================================
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Tue Apr 25 11:47:45 2017
@@ -99,7 +99,7 @@ Apache CXF -- Fediz
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h1 
id="Fediz-ApacheCXFFediz:AnOpen-SourceWebSecurityFramework">Apache CXF Fediz: 
An Open-Source Web Security Framework</h1><h2 
id="Fediz-Overview">Overview</h2><p>Apache CXF Fediz is a subproject of CXF. 
Fediz helps you to secure your web applications and delegates security 
enforcement to the underlying application server. With Fediz, authentication is 
externalized from your web application to an identity provider installed as a 
dedicated server component. The supported standard is <a shape="rect" 
class="external-link" 
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
 rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a 
shape="rect" class="external-link" 
href="http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims 
Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h2 
id="Fediz-News">News</h2><p><strong><strong>September 8, 2016 - Apache CX
 F Fediz 1.3.1 and 1.2.3 released<br 
clear="none"></strong></strong></p><p>Apache CXF Fediz 1.3.1 and 1.2.3 have 
been released.</p><p>For more information and to download the new releases, 
please go <a shape="rect" 
href="fediz-downloads.html">here</a>.</p><p><strong><strong><strong>September 
8, 2016</strong></strong>&#160;- A new security advisory for Apache CXF Fediz 
is released</strong></p><p>A security issue was fixed in the latest Fediz 
releases (1.3.1 + 1.2.3):</p><ul><li><a shape="rect" 
href="http://cxf.apache.org/security-advisories.data/CVE-2016-4464.txt.asc?version=1&amp;modificationDate=1473350153000&amp;api=v2";>CVE-2016-4464</a>:
 Apache CXF Fediz application plugins do not match the SAML AudienceRestriction 
values against the list of configured audience URIs</li></ul><p>Please upgrade 
to the latest releases as soon as possible.</p><h2 
id="Fediz-Features">Features</h2><p>The following features are supported by 
Fediz 1.2</p><ul><li>WS-Federation 1.0/1.1/1.2</li><li>SAML 1.1/
 2.0 Tokens</li><li>Support for encrypted SAML Tokens (Release 
1.1)</li><li>Support for Holder-Of-Key SubjectConfirmationMethod 
(1.1)</li><li>Custom token Support</li><li>Publish WS-Federation Metadata 
document</li><li>Role information encoded as AttributeStatement in SAML 1.1/2.0 
tokens</li><li>Claims information provided by FederationPrincipal 
Interface</li><li>Support for Tomcat, Jetty, Websphere, Spring Security and CXF 
(1.1)</li><li>Fediz IDP supports "Resource IDP" role as well (1.1)</li><li>A 
new REST API for the IdP (1.2)</li><li>Support for logout in both the RP and 
IdP (1.2)</li><li>Support for logging on to the IdP via Kerberos and TLS client 
authentication (1.2)</li><li>A new container-independent CXF plugin for 
WS-Federation (1.2)</li><li>Support to use the IdP as an identity broker with a 
remote SAML SSO IdP (1.2)</li></ul><p>The following features are planned for 
the next release:</p><ul><li>support for other protocols like 
OAuth</li></ul><p>You can get the current sta
 tus of the enhancements <a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/FEDIZ";>here </a>.</p><h2 
id="Fediz-Architecture">Architecture</h2><p>The Fediz architecture is described 
in more detail <a shape="rect" href="fediz-architecture.html">here</a>.</p><h2 
id="Fediz-Download">Download</h2><p>See <a shape="rect" 
href="fediz-downloads.html">here</a>.</p><h2 id="Fediz-Gettingstarted">Getting 
started</h2><p>The WS-Federation specification defines the following parties 
involved during a web login:</p><ul><li>Browser</li><li>Identity Provider 
(IDP)<br clear="none"> The IDP is a centralized, application independent 
runtime component which implements the protocol defined by WS-Federation. You 
can use any open source or commercial product that supports WS-Federation 
1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for testing as it 
allows for testing your web application in a sandbox without having all 
infrastructure components available. The Fediz 
 IDP consists of two WAR components. The Security Token Service (STS) does most 
of the work including user authentication, claims/role data retrieval and 
creating the SAML token. The IDP WAR translates the response to an HTML 
response allowing a browser to process it.</li><li>Relying Party (RP)<br 
clear="none"> The RP is a web application that needs to be protected. The RP 
must be able to implement the protocol as defined by WS-Federation. This 
component is called "Fediz Plugin" in this project which consists of container 
agnostic module/jar and a container specific jar. When an authenticated request 
is detected by the plugin it redirects to the IDP for authentication. The 
browser sends the response from the IDP to the RP after successful 
authentication. The RP validates the response and creates the container 
security context.</li></ul><p>It's recommended to deploy the IDP and the web 
application (RP) into different container instances as in a production 
deployment. The container wit
 h the IDP can be used during development and testing for multiple web 
applications needing security.</p><h3 id="Fediz-SettinguptheIDP">Setting up the 
IDP</h3><p>The installation and configuration of the IDP is documented <a 
shape="rect" href="fediz-idp-11.html">here</a></p><h3 
id="Fediz-SetuptheRelyingPartyContainer">Set up the Relying Party 
Container</h3><p>The Fediz plugin needs to be deployed into the Relying Party 
(RP) container. The security mechanism is not specified by JEE. Even though it 
is very similar in each servlet container there are some differences which 
require a dedicated Fediz plugin for each servlet container implementation. 
Most of the configuration goes into a Servlet container independent 
configuration file which is described <a shape="rect" 
href="fediz-configuration.html">here</a></p><p>The following lists shows the 
supported containers and the location of the installation and configuration 
page.</p><ul><li><a shape="rect" href="fediz-tomcat.html">Tomcat 7 </a
 ></li><li><a shape="rect" href="fediz-jetty.html">Jetty 7/8 
 >(1.1)</a></li><li><a shape="rect" href="fediz-spring.html">Spring Security 
 >3.1 (1.1)</a></li><li><a shape="rect" href="fediz-websphere.html">Websphere 
 >7/8 (1.1)</a></li><li><a shape="rect" href="fediz-cxf.html">CXF (1.1) 
 ></a></li></ul><h2 id="Fediz-Samples">Samples</h2><p>The examples directory 
 >contains two sample relying party applications. They are independent of each 
 >other, so it is not necessary to deploy both at once.</p><p>Each sample is 
 >described in a <code>README.txt</code> file located in the base directory of 
 >each sample.</p><div class="table-wrap"><table 
 >class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>Sample</p></th><th colspan="1" rowspan="1" 
 >class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
 >rowspan="1" class="confluenceTd"><p><strong>simpleWebapp</strong></p></td><td 
 >colspan="1" rowspan="1" class="confluenceTd"><p>a simple web application 
 >which is protec
 ted by the Fediz IDP. The FederationServlet illustrates how to get security 
information using the standard APIs.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><strong>wsclientWebapp</strong></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>a protected web application 
that calls a web service that uses the Fediz STS to validate credentials. Here, 
the same STS is used for token issuance (indirectly, by the web application 
through use of the Fediz IDP) and validation. The FederationServlet illustrates 
how to securely call a web service.</p></td></tr></tbody></table></div><p><span 
class="confluence-anchor-link" id="Fediz-building"></span></p><h2 
id="Fediz-Building">Building</h2><p>Check out the code from 
here:</p><ul><li>git clone -v <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf/cxf-fediz.git";>https://git-wip-us.apache.org/repos/asf/cxf-fediz.git</a></li></ul><p>Then
 follow the <a shape="rect" class="external-link" 
 
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup";>BUILDING.txt</a>
 file in the Fediz download for full build instructions.</p><h5 
id="Fediz-SettingupEclipse:">Setting up Eclipse:</h5><p>See <a shape="rect" 
href="http://cxf.apache.org/setting-up-eclipse.html";>this page</a> for 
information on using the Eclipse IDE with the Fediz source code. This page is 
created for CXF but the same commands are applicable for Fediz too.</p></div>
+<div id="ConfluenceContent"><h1 
id="Fediz-ApacheCXFFediz:AnOpen-SourceWebSecurityFramework">Apache CXF Fediz: 
An Open-Source Web Security Framework</h1><h2 
id="Fediz-Overview">Overview</h2><p>Apache CXF Fediz is a subproject of CXF. 
Fediz helps you to secure your web applications and delegates security 
enforcement to the underlying application server. With Fediz, authentication is 
externalized from your web application to an identity provider installed as a 
dedicated server component. The supported standard is <a shape="rect" 
class="external-link" 
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
 rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a 
shape="rect" class="external-link" 
href="http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims 
Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h2 
id="Fediz-News">News</h2><p><strong><strong>April 25, 2017 - Apache CXF F
 ediz 1.3.2 and 1.2.4 released<br clear="none"></strong></strong></p><p>Apache 
CXF Fediz 1.3.2 and 1.2.4 have been released.</p><p>For more information and to 
download the new releases, please go <a shape="rect" 
href="fediz-downloads.html">here</a>.</p><p><strong><strong><strong>September 
8, 2016</strong></strong>&#160;- A new security advisory for Apache CXF Fediz 
is released</strong></p><p>A security issue was fixed in the latest Fediz 
releases (1.3.1 + 1.2.3):</p><ul><li><a shape="rect" 
href="http://cxf.apache.org/security-advisories.data/CVE-2016-4464.txt.asc?version=1&amp;modificationDate=1473350153000&amp;api=v2";>CVE-2016-4464</a>:
 Apache CXF Fediz application plugins do not match the SAML AudienceRestriction 
values against the list of configured audience URIs</li></ul><p>Please upgrade 
to the latest releases as soon as possible.</p><h2 
id="Fediz-Features">Features</h2><p>The following features are supported by 
Fediz 1.2</p><ul><li>WS-Federation 1.0/1.1/1.2</li><li>SAML 1.1/2.0
  Tokens</li><li>Support for encrypted SAML Tokens (Release 
1.1)</li><li>Support for Holder-Of-Key SubjectConfirmationMethod 
(1.1)</li><li>Custom token Support</li><li>Publish WS-Federation Metadata 
document</li><li>Role information encoded as AttributeStatement in SAML 1.1/2.0 
tokens</li><li>Claims information provided by FederationPrincipal 
Interface</li><li>Support for Tomcat, Jetty, Websphere, Spring Security and CXF 
(1.1)</li><li>Fediz IDP supports "Resource IDP" role as well (1.1)</li><li>A 
new REST API for the IdP (1.2)</li><li>Support for logout in both the RP and 
IdP (1.2)</li><li>Support for logging on to the IdP via Kerberos and TLS client 
authentication (1.2)</li><li>A new container-independent CXF plugin for 
WS-Federation (1.2)</li><li>Support to use the IdP as an identity broker with a 
remote SAML SSO IdP (1.2)</li></ul><p>The following features are planned for 
the next release:</p><ul><li>support for other protocols like 
OAuth</li></ul><p>You can get the current status
  of the enhancements <a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/FEDIZ";>here </a>.</p><h2 
id="Fediz-Architecture">Architecture</h2><p>The Fediz architecture is described 
in more detail <a shape="rect" href="fediz-architecture.html">here</a>.</p><h2 
id="Fediz-Download">Download</h2><p>See <a shape="rect" 
href="fediz-downloads.html">here</a>.</p><h2 id="Fediz-Gettingstarted">Getting 
started</h2><p>The WS-Federation specification defines the following parties 
involved during a web login:</p><ul><li>Browser</li><li>Identity Provider 
(IDP)<br clear="none"> The IDP is a centralized, application independent 
runtime component which implements the protocol defined by WS-Federation. You 
can use any open source or commercial product that supports WS-Federation 
1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for testing as it 
allows for testing your web application in a sandbox without having all 
infrastructure components available. The Fediz IDP
  consists of two WAR components. The Security Token Service (STS) does most of 
the work including user authentication, claims/role data retrieval and creating 
the SAML token. The IDP WAR translates the response to an HTML response 
allowing a browser to process it.</li><li>Relying Party (RP)<br clear="none"> 
The RP is a web application that needs to be protected. The RP must be able to 
implement the protocol as defined by WS-Federation. This component is called 
"Fediz Plugin" in this project which consists of container agnostic module/jar 
and a container specific jar. When an authenticated request is detected by the 
plugin it redirects to the IDP for authentication. The browser sends the 
response from the IDP to the RP after successful authentication. The RP 
validates the response and creates the container security 
context.</li></ul><p>It's recommended to deploy the IDP and the web application 
(RP) into different container instances as in a production deployment. The 
container with t
 he IDP can be used during development and testing for multiple web 
applications needing security.</p><h3 id="Fediz-SettinguptheIDP">Setting up the 
IDP</h3><p>The installation and configuration of the IDP is documented <a 
shape="rect" href="fediz-idp-11.html">here</a></p><h3 
id="Fediz-SetuptheRelyingPartyContainer">Set up the Relying Party 
Container</h3><p>The Fediz plugin needs to be deployed into the Relying Party 
(RP) container. The security mechanism is not specified by JEE. Even though it 
is very similar in each servlet container there are some differences which 
require a dedicated Fediz plugin for each servlet container implementation. 
Most of the configuration goes into a Servlet container independent 
configuration file which is described <a shape="rect" 
href="fediz-configuration.html">here</a></p><p>The following lists shows the 
supported containers and the location of the installation and configuration 
page.</p><ul><li><a shape="rect" href="fediz-tomcat.html">Tomcat 7 </a></
 li><li><a shape="rect" href="fediz-jetty.html">Jetty 7/8 (1.1)</a></li><li><a 
shape="rect" href="fediz-spring.html">Spring Security 3.1 (1.1)</a></li><li><a 
shape="rect" href="fediz-websphere.html">Websphere 7/8 (1.1)</a></li><li><a 
shape="rect" href="fediz-cxf.html">CXF (1.1) </a></li></ul><h2 
id="Fediz-Samples">Samples</h2><p>The examples directory contains two sample 
relying party applications. They are independent of each other, so it is not 
necessary to deploy both at once.</p><p>Each sample is described in a 
<code>README.txt</code> file located in the base directory of each 
sample.</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Sample</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><strong>simpleWebapp</strong></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>a simple web application which 
is protected
  by the Fediz IDP. The FederationServlet illustrates how to get security 
information using the standard APIs.</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p><strong>wsclientWebapp</strong></p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>a protected web application 
that calls a web service that uses the Fediz STS to validate credentials. Here, 
the same STS is used for token issuance (indirectly, by the web application 
through use of the Fediz IDP) and validation. The FederationServlet illustrates 
how to securely call a web service.</p></td></tr></tbody></table></div><p><span 
class="confluence-anchor-link" id="Fediz-building"></span></p><h2 
id="Fediz-Building">Building</h2><p>Check out the code from 
here:</p><ul><li>git clone -v <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf/cxf-fediz.git";>https://git-wip-us.apache.org/repos/asf/cxf-fediz.git</a></li></ul><p>Then
 follow the <a shape="rect" class="external-link" hre
 
f="http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup";>BUILDING.txt</a>
 file in the Fediz download for full build instructions.</p><h5 
id="Fediz-SettingupEclipse:">Setting up Eclipse:</h5><p>See <a shape="rect" 
href="http://cxf.apache.org/setting-up-eclipse.html";>this page</a> for 
information on using the Eclipse IDE with the Fediz source code. This page is 
created for CXF but the same commands are applicable for Fediz too.</p></div>
            </div>
            <!-- Content -->
          </td>
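Review bot: the News entry now announces 1.3.2 and 1.2.4, but the security advisory paragraph directly below it is unchanged and still reads "A security issue was fixed in the latest Fediz releases (1.3.1 + 1.2.3)" followed by "Please upgrade to the latest releases as soon as possible." With this change 1.3.1 and 1.2.3 are no longer the latest, so the wording should say that CVE-2016-4464 was fixed in 1.3.1 and 1.2.3 and that users should upgrade to at least those versions. The September 8, 2016 release announcement is also overwritten rather than kept below the new entry, which drops the record of when the fixed versions shipped. Carried over unchanged in the Relying Party description: "When an authenticated request is detected by the plugin it redirects to the IDP for authentication" most likely means an unauthenticated request and is worth correcting in the wiki source.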

