Author: buildbot
Date: Tue Sep 12 11:57:14 2017
New Revision: 1018045
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/fediz.html
==============================================================================
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Tue Sep 12 11:57:14 2017
@@ -28,6 +28,15 @@
<meta name="description" content="Apache CXF, Services Framework - Fediz">
+<link type="text/css" rel="stylesheet"
href="/resources/highlighter/styles/shCoreCXF.css">
+<link type="text/css" rel="stylesheet"
href="/resources/highlighter/styles/shThemeCXF.css">
+
+<script src='/resources/highlighter/scripts/shCore.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script>
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+</script>
<title>
@@ -99,7 +108,9 @@ Apache CXF -- Fediz
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1
id="Fediz-ApacheCXFFediz:AnOpen-SourceWebSecurityFramework">Apache CXF Fediz:
An Open-Source Web Security Framework</h1><h2
id="Fediz-Overview">Overview</h2><p>Apache CXF Fediz is a subproject of CXF.
Fediz helps you to secure your web applications and delegates security
enforcement to the underlying application server. With Fediz, authentication is
externalized from your web application to an identity provider installed as a
dedicated server component. The supported standard is <a shape="rect"
class="external-link"
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a
shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims
Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h2
id="Fediz-News">News</h2><p><strong><strong>August 18, 2017 - <strong><st
rong>Apache CXF Fediz 1.4.</strong></strong>1
released</strong></strong></p><p>Apache CXF Fediz 1.4.1 has been
released.</p><p>For more information and to download the new release, please go
<a shape="rect" href="fediz-downloads.html">here</a>.</p><p><strong><strong>May
16, 2017 - Two new security advisories for Apache CXF Fediz are
released</strong></strong></p><p>Two new security advisories have been released
for issues that are fixed in the latest releases (1.4.0, 1.3.2 and
1.2.4):</p><ul><li><a shape="rect"
href="http://cxf.apache.org/security-advisories.data/CVE-2017-7661.txt.asc?version=1&modificationDate=1494949364764&api=v2";>CVE-2017-7661</a>:
The Apache CXF Fediz Jetty and Spring plugins are vulnerable to CSRF
attacks.</li><li><a shape="rect"
href="http://cxf.apache.org/security-advisories.data/CVE-2017-7662.txt.asc?version=1&modificationDate=1494949377300&api=v2";>CVE-2017-7662</a>:
The Apache CXF Fediz OIDC Client Registration Service is vulnerable to CSRF
attacks.</li></ul><p>Please upgrade to the latest releases as soon as
possible.</p><p><strong><strong>April 28, 2017 - Apache CXF Fediz 1.4.0, 1.3.2
and 1.2.4 released<br clear="none"></strong></strong></p><p>Apache CXF Fediz
1.4.0, 1.3.2 and 1.2.4 have been released.</p><p>For more information and to
download the new releases, please go <a shape="rect"
href="fediz-downloads.html">here</a>.</p><h2
id="Fediz-Features">Features</h2><p>The following features are supported by
Fediz 1.2</p><ul><li>WS-Federation 1.0/1.1/1.2</li><li>SAML 1.1/2.0
Tokens</li><li>Support for encrypted SAML Tokens (Release 1.1)</li><li>Support
for Holder-Of-Key SubjectConfirmationMethod (1.1)</li><li>Custom token
Support</li><li>Publish WS-Federation Metadata document</li><li>Role
information encoded as AttributeStatement in SAML 1.1/2.0 tokens</li><li>Claims
information provided by FederationPrincipal Interface</li><li>Support for
Tomcat, Jetty, Websphere, Spring Security and CXF (1.1)</li><li>Fediz IDP suppo
rts "Resource IDP" role as well (1.1)</li><li>A new REST API for the IdP
(1.2)</li><li>Support for logout in both the RP and IdP (1.2)</li><li>Support
for logging on to the IdP via Kerberos and TLS client authentication
(1.2)</li><li>A new container-independent CXF plugin for WS-Federation
(1.2)</li><li>Support to use the IdP as an identity broker with a remote SAML
SSO IdP (1.2)</li></ul><p>The following features are planned for the next
release:</p><ul><li>support for other protocols like OAuth</li></ul><p>You can
get the current status of the enhancements <a shape="rect"
class="external-link" href="https://issues.apache.org/jira/browse/FEDIZ";>here
</a>.</p><h2 id="Fediz-Architecture">Architecture</h2><p>The Fediz architecture
is described in more detail <a shape="rect"
href="fediz-architecture.html">here</a>.</p><h2
id="Fediz-Download">Download</h2><p>See <a shape="rect"
href="fediz-downloads.html">here</a>.</p><h2 id="Fediz-Gettingstarted">Getting
started</h2><p>The WS-Federatio
n specification defines the following parties involved during a web
login:</p><ul><li>Browser</li><li>Identity Provider (IDP)<br clear="none"> The
IDP is a centralized, application independent runtime component which
implements the protocol defined by WS-Federation. You can use any open source
or commercial product that supports WS-Federation 1.1/1.2 as your IDP. It's
recommended to use the Fediz IDP for testing as it allows for testing your web
application in a sandbox without having all infrastructure components
available. The Fediz IDP consists of two WAR components. The Security Token
Service (STS) does most of the work including user authentication, claims/role
data retrieval and creating the SAML token. The IDP WAR translates the response
to an HTML response allowing a browser to process it.</li><li>Relying Party
(RP)<br clear="none"> The RP is a web application that needs to be protected.
The RP must be able to implement the protocol as defined by WS-Federation. This
componen
t is called "Fediz Plugin" in this project which consists of container
agnostic module/jar and a container specific jar. When an authenticated request
is detected by the plugin it redirects to the IDP for authentication. The
browser sends the response from the IDP to the RP after successful
authentication. The RP validates the response and creates the container
security context.</li></ul><p>It's recommended to deploy the IDP and the web
application (RP) into different container instances as in a production
deployment. The container with the IDP can be used during development and
testing for multiple web applications needing security.</p><h3
id="Fediz-SettinguptheIDP">Setting up the IDP</h3><p>The installation and
configuration of the IDP is documented <a shape="rect"
href="fediz-idp-11.html">here</a></p><h3
id="Fediz-SetuptheRelyingPartyContainer">Set up the Relying Party
Container</h3><p>The Fediz plugin needs to be deployed into the Relying Party
(RP) container. The security mecha
nism is not specified by JEE. Even though it is very similar in each servlet
container there are some differences which require a dedicated Fediz plugin for
each servlet container implementation. Most of the configuration goes into a
Servlet container independent configuration file which is described <a
shape="rect" href="fediz-configuration.html">here</a></p><p>The following lists
shows the supported containers and the location of the installation and
configuration page.</p><ul><li><a shape="rect" href="fediz-tomcat.html">Tomcat
7 </a></li><li><a shape="rect" href="fediz-jetty.html">Jetty 7/8
(1.1)</a></li><li><a shape="rect" href="fediz-spring.html">Spring Security 3.1
(1.1)</a></li><li><a shape="rect" href="fediz-websphere.html">Websphere 7/8
(1.1)</a></li><li><a shape="rect" href="fediz-cxf.html">CXF (1.1)
</a></li></ul><h2 id="Fediz-Samples">Samples</h2><p>The examples directory
contains two sample relying party applications. They are independent of each
other, so it is not nec
essary to deploy both at once.</p><p>Each sample is described in a
<code>README.txt</code> file located in the base directory of each
sample.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Sample</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>simpleWebapp</strong></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>a simple web application which
is protected by the Fediz IDP. The FederationServlet illustrates how to get
security information using the standard APIs.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>wsclientWebapp</strong></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>a protected web application
that calls a web service that uses the Fediz STS to validate credentials. Here,
the same STS is used for token issuance (indirectly, by the web applicatio
n through use of the Fediz IDP) and validation. The FederationServlet
illustrates how to securely call a web
service.</p></td></tr></tbody></table></div><p><span
class="confluence-anchor-link" id="Fediz-building"></span></p><h2
id="Fediz-Building">Building</h2><p>Check out the code from
here:</p><ul><li>git clone -v <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf/cxf-fediz.git";>https://git-wip-us.apache.org/repos/asf/cxf-fediz.git</a></li></ul><p>Then
follow the <a shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup";>BUILDING.txt</a>
file in the Fediz download for full build instructions.</p><h5
id="Fediz-SettingupEclipse:">Setting up Eclipse:</h5><p>See <a shape="rect"
href="http://cxf.apache.org/setting-up-eclipse.html";>this page</a> for
information on using the Eclipse IDE with the Fediz source code. This page is
created for CXF but the same commands are applicable for Fediz too.</p></d
iv>
+<div id="ConfluenceContent"><h1
id="Fediz-ApacheCXFFediz:AnOpen-SourceWebSecurityFramework">Apache CXF Fediz:
An Open-Source Web Security Framework</h1><h2
id="Fediz-Overview">Overview</h2><p>Apache CXF Fediz is a subproject of CXF.
Fediz helps you to secure your web applications and delegates security
enforcement to the underlying application server. With Fediz, authentication is
externalized from your web application to an identity provider installed as a
dedicated server component. The supported standard is <a shape="rect"
class="external-link"
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a
shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims
Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h2
id="Fediz-News">News</h2><p><strong><strong>August 18, 2017 - <strong><st
rong>Apache CXF Fediz 1.4.</strong></strong>1
released</strong></strong></p><p>Apache CXF Fediz 1.4.1 has been
released.</p><p>For more information and to download the new release, please go
<a shape="rect" href="fediz-downloads.html">here</a>.</p><p><strong><strong>May
16, 2017 - Two new security advisories for Apache CXF Fediz are
released</strong></strong></p><p>Two new security advisories have been released
for issues that are fixed in the latest releases (1.4.0, 1.3.2 and
1.2.4):</p><ul><li><a shape="rect"
href="http://cxf.apache.org/security-advisories.data/CVE-2017-7661.txt.asc?version=1&modificationDate=1494949364764&api=v2";>CVE-2017-7661</a>:
The Apache CXF Fediz Jetty and Spring plugins are vulnerable to CSRF
attacks.</li><li><a shape="rect"
href="http://cxf.apache.org/security-advisories.data/CVE-2017-7662.txt.asc?version=1&modificationDate=1494949377300&api=v2";>CVE-2017-7662</a>:
The Apache CXF Fediz OIDC Client Registration Service is vulnerable to CSRF
attacks.</li></ul><p>Please upgrade to the latest releases as soon as
possible.</p><p><strong><strong>April 28, 2017 - Apache CXF Fediz 1.4.0, 1.3.2
and 1.2.4 released<br clear="none"></strong></strong></p><p>Apache CXF Fediz
1.4.0, 1.3.2 and 1.2.4 have been released.</p><p>For more information and to
download the new releases, please go <a shape="rect"
href="fediz-downloads.html">here</a>.</p><h2
id="Fediz-Features">Features</h2><p>The following features are supported by
Fediz 1.2</p><ul><li>WS-Federation 1.0/1.1/1.2</li><li>SAML 1.1/2.0
Tokens</li><li>Support for encrypted SAML Tokens (Release 1.1)</li><li>Support
for Holder-Of-Key SubjectConfirmationMethod (1.1)</li><li>Custom token
Support</li><li>Publish WS-Federation Metadata document</li><li>Role
information encoded as AttributeStatement in SAML 1.1/2.0 tokens</li><li>Claims
information provided by FederationPrincipal Interface</li><li>Support for
Tomcat, Jetty, Websphere, Spring Security and CXF (1.1)</li><li>Fediz IDP suppo
rts "Resource IDP" role as well (1.1)</li><li>A new REST API for the IdP
(1.2)</li><li>Support for logout in both the RP and IdP (1.2)</li><li>Support
for logging on to the IdP via Kerberos and TLS client authentication
(1.2)</li><li>A new container-independent CXF plugin for WS-Federation
(1.2)</li><li>Support to use the IdP as an identity broker with a remote SAML
SSO IdP (1.2)</li></ul><p>The following features are planned for the next
release:</p><ul><li>support for other protocols like OAuth</li></ul><p>You can
get the current status of the enhancements <a shape="rect"
class="external-link" href="https://issues.apache.org/jira/browse/FEDIZ";>here
</a>.</p><h2 id="Fediz-Architecture">Architecture</h2><p>The Fediz architecture
is described in more detail <a shape="rect"
href="fediz-architecture.html">here</a>.</p><h2
id="Fediz-Download">Download</h2><p>See <a shape="rect"
href="fediz-downloads.html">here</a>.</p><h2 id="Fediz-Gettingstarted">Getting
started</h2><p>The WS-Federatio
n specification defines the following parties involved during a web
login:</p><ul><li>Browser</li><li>Identity Provider (IDP)<br clear="none"> The
IDP is a centralized, application independent runtime component which
implements the protocol defined by WS-Federation. You can use any open source
or commercial product that supports WS-Federation 1.1/1.2 as your IDP. It's
recommended to use the Fediz IDP for testing as it allows for testing your web
application in a sandbox without having all infrastructure components
available. The Fediz IDP consists of two WAR components. The Security Token
Service (STS) does most of the work including user authentication, claims/role
data retrieval and creating the SAML token. The IDP WAR translates the response
to an HTML response allowing a browser to process it.</li><li>Relying Party
(RP)<br clear="none"> The RP is a web application that needs to be protected.
The RP must be able to implement the protocol as defined by WS-Federation. This
componen
t is called "Fediz Plugin" in this project which consists of container
agnostic module/jar and a container specific jar. When an authenticated request
is detected by the plugin it redirects to the IDP for authentication. The
browser sends the response from the IDP to the RP after successful
authentication. The RP validates the response and creates the container
security context.</li></ul><p>It's recommended to deploy the IDP and the web
application (RP) into different container instances as in a production
deployment. The container with the IDP can be used during development and
testing for multiple web applications needing security.</p><h3
id="Fediz-SettinguptheIDP">Setting up the IDP</h3><p>The installation and
configuration of the IDP is documented <a shape="rect"
href="fediz-idp-11.html">here</a></p><h3
id="Fediz-SetuptheRelyingPartyContainer">Set up the Relying Party
Container</h3><p>The Fediz plugin needs to be deployed into the Relying Party
(RP) container. The security mecha
nism is not specified by JEE. Even though it is very similar in each servlet
container there are some differences which require a dedicated Fediz plugin for
each servlet container implementation. Most of the configuration goes into a
Servlet container independent configuration file which is described <a
shape="rect" href="fediz-configuration.html">here</a></p><p>The following lists
shows the supported containers and the location of the installation and
configuration page.</p><ul><li><a shape="rect" href="fediz-tomcat.html">Tomcat
7 </a></li><li><a shape="rect" href="fediz-jetty.html">Jetty 7/8
(1.1)</a></li><li><a shape="rect" href="fediz-spring.html">Spring Security 3.1
(1.1)</a></li><li><a shape="rect" href="fediz-websphere.html">Websphere 7/8
(1.1)</a></li><li><a shape="rect" href="fediz-cxf.html">CXF (1.1)
</a></li></ul><h2 id="Fediz-Samples">Samples</h2><p>The examples directory
contains two sample relying party applications. They are independent of each
other, so it is not nec
essary to deploy both at once.</p><p>Each sample is described in a
<code>README.txt</code> file located in the base directory of each
sample.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Sample</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>simpleWebapp</strong></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>a simple web application which
is protected by the Fediz IDP. The FederationServlet illustrates how to get
security information using the standard APIs.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>wsclientWebapp</strong></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>a protected web application
that calls a web service that uses the Fediz STS to validate credentials. Here,
the same STS is used for token issuance (indirectly, by the web applicatio
n through use of the Fediz IDP) and validation. The FederationServlet
illustrates how to securely call a web
service.</p></td></tr></tbody></table></div><p><span
class="confluence-anchor-link" id="Fediz-building"></span></p><h2
id="Fediz-Checkout">Checkout</h2><p>The CXF sources are hosted at <a
shape="rect" class="external-link" href="https://gitbox.apache.org/";>Apache
gitbox</a>. This includes a full two way sync with github. As github provides
the nicer user interface we now recommend to directly work on the github cxf
repo.</p><h2 id="Fediz-Webbrowsing">Web browsing</h2><p><a shape="rect"
class="external-link" href="https://github.com/apache/cxf-fediz";
rel="nofollow">https://github.com/apache/cxf-fediz</a></p><h2
id="Fediz-CheckingoutfromGIT">Checking out from GIT</h2><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">git clone g...@github.com:apache/cxf-fediz.git</pre>
+</div></div><h2 id="Fediz-Committing">Committing</h2><p>CXF committers can
directly commit to github after doing the <a shape="rect"
class="external-link"
href="https://gitbox.apache.org/setup/";>Apache gitbox setup</a>. Be aware
that the sync might take half an hour before you are added to the cxf github
group.</p><h2 id="Fediz-Forkingandpullrequests">Forking and pull
requests</h2><p>See <a shape="rect"
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=69407398";>Getting
Involved</a></p><h2 id="Fediz-Building">Building</h2><p>Then follow the <a
shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup";>BUILDING.txt</a>
file in the Fediz download for full build instructions.</p><h2
id="Fediz-SettingupEclipse">Setting up Eclipse</h2><p>See <a shape="rect"
href="http://cxf.apache.org/setting-up-eclipse.html";>this page</a> for
information on using the Eclipse IDE with the Fediz source code. This page
is created for CXF but the same commands are applicable for Fediz
too.</p><p> </p></div>
</div>
<!-- Content -->
</td>
