Modified: websites/production/cxf/content/fediz-cxf.html
==============================================================================
--- websites/production/cxf/content/fediz-cxf.html (original)
+++ websites/production/cxf/content/fediz-cxf.html Wed Sep 13 15:05:52 2017
@@ -111,7 +111,7 @@ Apache CXF -- Fediz CXF
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="FedizCXF-CXFPlugin(1.1/1.2)">CXF Plugin
(1.1/1.2)</h1><p>The Fediz plugin for CXF contains two separate pieces of
functionality. The first is a CallbackHandler that allows the SAML Token of the
Web SSO session to be used by the CXF Web Services Stack, i.e. for delegation
(available since 1.1). The second is a full WS-Federation RP plugin based
solely on Apache CXF JAX-RS, which is container independent (available since
1.2.0).</p><h2 id="FedizCXF-CXFPluginsupportforWS-Federation">CXF Plugin
support for WS-Federation</h2><p>The new CXF plugin for WS-Federation available
from Fediz 1.2.0 means that it is now possible to add support for WS-Federation
to your JAX-RS CXF service without having to specify a container-specific
plugin. Here is an example Spring based configuration:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl"
style="border-bottom-width: 1px;"><b>CXF spring configuration</b></div><div cl
ass="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"><bean id="serviceBean"
class="org.apache.cxf.fediz.example.Service">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><bean id="serviceBean"
class="org.apache.cxf.fediz.example.Service">
</bean>
<bean id="fedizFilter"
class="org.apache.cxf.fediz.cxf.plugin.FedizRedirectBindingFilter">
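Review bot: the brush chosen here does not match the block's content. The `<pre>` at `+<pre class="brush: java; gutter: false; theme: Default"` wraps Spring XML (`<bean id="serviceBean" ...>`, `<bean id="fedizFilter" ...>` and the `<jaxrs:server>` element further down), not Java, so `brush: java` will mis-highlight it; `brush: xml` is the matching SyntaxHighlighter brush. Replacing every `bash` with `java` across the file looks like a blanket search-and-replace; please set the brush per block according to what the block contains.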
@@ -137,7 +137,7 @@ Apache CXF -- Fediz CXF
</jaxrs:inInterceptors>
</jaxrs:server></pre>
</div></div><p>Here we have a JAX-RS service which is secured via the
SecureAnnotationsInterceptor. For example:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeHeader panelHeader pdl"
style="border-bottom-width: 1px;"><b>CXF Service Bean</b></div><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">@Path("/secure/")
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">@Path("/secure/")
@Produces("text/html")
public class Service {
@Context
@@ -152,14 +152,14 @@ public class Service {
...
}</pre>
</div></div><p>The FedizRedirectBindingFilter is instantiated with a link to
the Fediz plugin configuration and is added as a JAX-RS provider.</p><h2
id="FedizCXF-DelegationScenario">Delegation Scenario</h2><p>The subproject
Fediz purpose is to provide Single Sign On for Web Applications which is
independent of an underlying Web Services framework like Apache CXF. The Fediz
plugins for Tomcat, Jetty, etc. are independent of Apache CXF, whereas the
Fediz IDP leverages the capabilities of the CXF STS to issue SAML tokens with
Claims information to build applications which use Claims Based Authorization
with all the benefits.</p><p>If the Fediz protected web application integrates
with another application using Web Services you need to bundle a Web Services
framework like Apache CXF with your web application. If it is required to
support impersonation to call the Web Service, the security context of the
application server must be delegated to the Web Services stack thus it can make
the
Web Service call on behalf of the browser user.</p><p>In release 1.1, the
Fediz CXF plugin supports delegating the application server security context
(SAML token) to the STS client of CXF. CXF is then able to request a security
token for the target Web Service from the STS on behalf of the browser user.
Prior to release 1.1, this Java code had to be developed by the application
developer.</p><p>It is required that one of the other Fediz plugins are
deployed to WS-Federation enable the application. After this step, the Fediz
CXF plugin can be installed to integrate the Web SSO layer with the Web
Services stack of Apache CXF.</p><h3
id="FedizCXF-Installation">Installation</h3><p>It's recommended to use Maven to
resolve the dependencies as illustrated in the the example
<code>wsclientWebapp</code>.</p><div class="code panel pdl"
style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style:
solid;"><b>pom.xm
l</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> <dependency>
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> <dependency>
<groupId>org.apache.cxf.fediz</groupId>
<artifactId>fediz-cxf</artifactId>
<version>1.1.0</version>
</dependency>
</pre>
</div></div><p>The example contains a README with instructions for building
and deployment.</p><h3 id="FedizCXF-Configuration">Configuration</h3><p>Two
configurations are required in <code>web.xml</code> to enable the
<code>FederationFilter</code> to cache the security context in the thread local
storage and in the spring configuration file
<code>applicationContext.xml</code> to configure a callback handler to provide
the STS client the security context stored in the thread local storage.</p><div
class="code panel pdl" style="border-style: solid;border-width: 1px;"><div
class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;border-bottom-style: solid;"><b>web.xml</b></div><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> <filter>
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> <filter>
<filter-name>FederationFilter</filter-name>
<filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
</filter>
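Review bot: both `<pre>` blocks in this hunk are XML rather than Java: the pom.xml fragment (`<dependency>` ... `<artifactId>fediz-cxf</artifactId>`) and the web.xml fragment (`<filter>` ... `<filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>`), so `brush: java` should be `brush: xml` for each. While these lines are being touched: the pom pins `<version>1.1.0</version>` although the page itself describes functionality added in 1.2.0, so either say this is the minimum version needed for the delegation scenario or bump it; the context line `as illustrated in the the example` has a doubled "the"; and `It is required that one of the other Fediz plugins are deployed` should read `is deployed`.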
@@ -170,7 +170,7 @@ public class Service {
</filter-mapping>
</pre>
</div></div><p>The <code>FederationFilter</code> is part of the library
<code>fediz-core</code>.</p><div class="code panel pdl" style="border-style:
solid;border-width: 1px;"><div class="codeHeader panelHeader pdl"
style="border-bottom-width: 1px;border-bottom-style:
solid;"><b>applicationContext.xml</b></div><div class="codeContent panelContent
pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> <bean id="delegationCallbackHandler"
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> <bean id="delegationCallbackHandler"
class="org.apache.cxf.fediz.cxf.web.ThreadLocalCallbackHandler" />
<jaxws:client id="HelloServiceClient" serviceName="svc:GreeterService"
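Review bot: `brush: java` is wrong for the applicationContext.xml block; it holds Spring XML (`<bean id="delegationCallbackHandler" class="org.apache.cxf.fediz.cxf.web.ThreadLocalCallbackHandler" />` and `<jaxws:client id="HelloServiceClient" ...>`), so it should be `brush: xml`.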
@@ -190,7 +190,7 @@ public class Service {
</pre>
</div></div><p>The <code>ThreadLocalCallbackHandler</code> is part of the
library <code>fediz-cxf</code>.</p><p>If you have set the property
<code>ws-security.cache.issued.token.in.endpoint</code> to false, CXF will
cache the issued token per security context dependent on the returned lifetime
element of the STS. When the cached token for the target web services is
expired, CXF will request a new token from the STS on-behalf-of the cached
Fediz security context.</p><p>There is no special Java code required to get
this functionality as illustrated in the following code snippet:</p><div
class="code panel pdl" style="border-style: solid;border-width: 1px;"><div
class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> Greeter service =
(Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> Greeter service =
(Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
String reply = service.greetMe();
</pre>
</div></div></div>
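Review bot: `brush: java` does fit this block (it is the Java lookup of `HelloServiceClient` and the `service.greetMe()` call), but the lead-in in the context lines is misleading: `There is no special Java code required to get this functionality as illustrated in the following code snippet` is immediately followed by a Java snippet; say instead that no delegation-specific code is needed beyond the ordinary client lookup and call. The paragraph above it also documents only the `false` case of `ws-security.cache.issued.token.in.endpoint`; since the scenario relies on the token being cached per security context (a token cached in the endpoint would be shared by every browser user of the application), state explicitly that the property must be set to `false` for delegation and what the default behaviour is.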
Modified: websites/production/cxf/content/fediz-downloads.html
==============================================================================
--- websites/production/cxf/content/fediz-downloads.html (original)
+++ websites/production/cxf/content/fediz-downloads.html Wed Sep 13 15:05:52
2017
@@ -110,14 +110,14 @@ Apache CXF -- Fediz Downloads
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="FedizDownloads-Releases">Releases</h1><h2
id="FedizDownloads-1.4.1">1.4.1</h2><p>The 1.4.1 release is our latest release.
For more information please see the <a shape="rect" class="external-link"
href="https://issues.apache.org/jira/projects/FEDIZ/versions/12340452">release
notes</a>.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip">
fediz-1.4.1-source-release.zip</a></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dist/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip.md5">fediz-1.4.1-source-release.zip.md5</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dist/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip.sha1">fediz-1.4.1-source-release.zip.sha1</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dist/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip.asc">fediz-1.4.1-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2
id="FedizDownloads-1.3.2">1.3.2</h2><p>The 1.3.2 release is our latest release
of the 1.3.x branch. For more information please see the <a shape="rect"
class="external-link"
href="https://issues.apache.org/jira/browse/FEDIZ/fixforversion/12338091">rele
ase notes</a>.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><a shape="rect" class="external-link"
href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip">fediz-1.3.2-source-release.zip</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.md5">fediz-1.3.2-source-release.zip.md5</a></p></td><td
colspan="1" rowspan="1" class="conflu
enceTd"><p><a shape="rect" class="external-link"
href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.sha1">fediz-1.3.2-source-release.zip.sha1</a></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect"
class="external-link"
href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.asc">fediz-1.3.2-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2
id="FedizDownloads-VerifyingReleases">Verifying Releases</h2><p>When
downloading from a mirror please check the SHA1/MD5 checksums as well as
verifying the OpenPGP compatible signature available from the main Apache site.
The <a shape="rect" class="external-link"
href="https://www.apache.org/dist/cxf/KEYS">KEYS</a> file contains the public
keys used for signing the release. It is recommended that a web of trust is
used to confirm the identity of these keys.</p><p>You can check the OpenPGP
signature with GnuPG via:</p><p> </p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">gpg --import KEYS
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">gpg --import KEYS
gpg --verify apache-fediz-*.zip.asc
</pre>
</div></div><p>You can check the MD5 checksum with:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">md5sum --check apache-fediz-*.zip.md5
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">md5sum --check apache-fediz-*.zip.md5
</pre>
</div></div><p>You can check the SHA1 checksum with:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">sha1sum --check apache-fediz-*.zip.sha1
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">sha1sum --check apache-fediz-*.zip.sha1
</pre>
</div></div><h1 id="FedizDownloads-Previousreleases">Previous
releases</h1><p>Previous releases are all archived in the apache archive: <a
shape="rect" class="external-link"
href="http://archive.apache.org/dist/cxf/fediz">http://archive.apache.org/dist/cxf/fediz</a></p><h1
id="FedizDownloads-Snapshots">Snapshots</h1><div
class="confluence-information-macro
confluence-information-macro-information"><p class="title">Warning about
snapshots</p><span class="aui-icon aui-icon-small aui-iconfont-info
confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>These are snapshot builds -
untested builds provided for your convenience. They have not been tested, and
are not official releases of the Apache CXF Fediz project or the Apache
Software Foundation.</p></div></div><p>1.4.1 <a shape="rect"
class="external-link"
href="https://repository.apache.org/content/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.4.1-SNAPSHOT/">https://repository.apache.org/co
ntent/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.4.1-SNAPSHOT/</a></p><h1
id="FedizDownloads-Maven2Repositories">Maven 2 Repositories</h1><p>If you use
Maven 2 for building your applications, Apache CXF Fediz artifacts are
available from the following repository URLS:</p><h3
id="FedizDownloads-Releases:">Releases:</h3><p>All supported CXF releases are
synced into the Maven central repository: <a shape="rect" class="external-link"
href="http://repo1.maven.org/maven2/"
rel="nofollow">http://repo1.maven.org/maven2/</a></p><h3
id="FedizDownloads-Snapshots:">Snapshots:</h3><p>Snapshots are available in
Apache's Maven snapshot repository: <a shape="rect" class="external-link"
href="http://repository.apache.org/snapshots">http://repository.apache.org/snapshots</a></p></div>
</div>
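Review bot: the three verification blocks are shell commands (`gpg --import KEYS`, `md5sum --check apache-fediz-*.zip.md5`, `sha1sum --check apache-fediz-*.zip.sha1`), so replacing `brush: bash` with `brush: java` is a regression; keep `bash` here. The commands also do not match the artifacts listed in the tables: the downloads are named `fediz-1.4.1-source-release.zip` and `fediz-1.3.2-source-release.zip` (with `.asc`, `.md5` and `.sha1` companions), not `apache-fediz-*.zip`, so a reader copying the commands gets a glob that matches nothing. Since the page is being edited anyway, consider publishing SHA-256 or SHA-512 sums alongside MD5/SHA1, neither of which is collision-resistant any more; the PGP signature check should be presented as the authoritative verification step.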
Modified: websites/production/cxf/content/fediz-extensions.html
==============================================================================
--- websites/production/cxf/content/fediz-extensions.html (original)
+++ websites/production/cxf/content/fediz-extensions.html Wed Sep 13 15:05:52
2017
@@ -110,7 +110,7 @@ Apache CXF -- Fediz Extensions
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="FedizExtensions-FedizExtensions">Fediz
Extensions</h1><p>This page describes the extension points in Fediz to enrich
its functionality further.</p><h3 id="FedizExtensions-CallbackHandler">Callback
Handler</h3><p>The Sign-In request (Redirect URL) to the IDP contains several
query parameters to customize the sign in process. Some parameters are
configured statically in the <a shape="rect"
href="fediz-configuration.html">Fediz configuration file</a> some others can be
resolved at runtime when the initial request is received by the Fediz
plugin.</p><p>The following table gives an overview of the parameters which can
be resolved at runtime. It contains the XML element name of the Fediz
configuration file, the query parameter name of the sign-in request to the IDP
as well as the Callback class.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>XML element</p></th><th colspan="1" row
span="1" class="confluenceTh"><p>Query parameter</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>Callback class</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>Supported version</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>wauth</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>WAuthCallback</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>whr</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>HomeRealmCallback</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>1.0.0</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>N.A.</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>IDPCallback</
p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>1.0.0</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>wfresh</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>FreshnessCallback</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>1.0.2</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>wtrealm</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>RealmCallback</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>1.1.0</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>N.A.</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>any</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>SignInQueryCallback</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>1.1.0</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">request</
td><td colspan="1" rowspan="1" class="confluenceTd">wreq</td><td colspan="1"
rowspan="1" class="confluenceTd">WReqCallback</td><td colspan="1" rowspan="1"
class="confluenceTd">1.1.1</td></tr></tbody></table></div><p>If you configure a
class which implements the interface
<code>javax.security.auth.callback.CallbackHandler</code> you get the
corresponding Callback object where you must set the value which is then added
to the query parameter. The Callback object provides the
<code>HttpServletRequest</code> object which might give you the required
information to resolve the value.</p><p>Here is a snippet of the configuration
to configure a CallbackHandler:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">...
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">...
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="federationProtocolType" version="1.2">
...
<homeRealm type="Class" value="MyCallbackHandler " />
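Review bot: this block is the Fediz XML configuration (`<protocol xmlns:xsi=... xsi:type="federationProtocolType" version="1.2">`, `<homeRealm type="Class" ... />`), so `brush: java` mis-tags it; use `brush: xml`. Also, the context line `<homeRealm type="Class" value="MyCallbackHandler " />` carries a trailing space inside the class name; readers will copy it verbatim and it can fail class loading unless the plugin trims the value, so drop the space.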
@@ -119,7 +119,7 @@ Apache CXF -- Fediz Extensions
...
</pre>
</div></div><p>And a sample implementation of the CallbackHandler:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">public class MyCallbackHandler implements
CallbackHandler {
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">public class MyCallbackHandler implements
CallbackHandler {
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
Modified: websites/production/cxf/content/fediz-idp-11.html
==============================================================================
--- websites/production/cxf/content/fediz-idp-11.html (original)
+++ websites/production/cxf/content/fediz-idp-11.html Wed Sep 13 15:05:52 2017
@@ -111,15 +111,15 @@ Apache CXF -- Fediz IDP 1.1
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="FedizIDP1.1-FedizIDP">Fediz
IDP</h1><p><em>Note:</em> Fediz IDP 1.0 is described <a shape="rect"
href="fediz-idp.html">here </a>.</p><p>The Release 1.1 introduces the following
new feature:</p><ul><li>Federation Metadata<br clear="none"> The IDP supports
publishing the WS-Federation Metadata document which allows to more easily
integrate the IDP into platforms which support referencing a Metadata document.
Metadata consists of the signing certificate, the provided claims,
etc.</li></ul><ul><li>Spring Web Flow support<br clear="none"> The IDP has been
refactored to use Spring Web Flow to manage the federation flow. This provides
flexibility to be able to customize the IDP to company's specific requirements.
The IDP is secured by Spring Security to get the benefits and flexibility of
Spring Security.</li></ul><ul><li>Resource IDP and Home Realm Discovery<br
clear="none"> This is the major new feature. The IDP is able to figure out from
which securit
y domain/realm the browser request is coming from to redirect the sign-in
request to the requestor IDP which does the authentication and issues a token
which is sent to the Resource IDP. The Resource IDP will then either map the
principal from one security domain to the target security domain and get claims
information of the mapped principal or transform the claims information and
finally issue a new token for the relying party (application).</li></ul><p>The
Fediz Identity Provider (IDP) consists of two WAR files. One is the Security
Token Service (STS) component, fediz-idp-sts.war, which is responsible for
validating credentials, getting the requested claims data and issuing a SAML
token. There is no easy way for Web browsers to issue SOAP requests to the STS
directly, necessitating the second component, an IDP WAR (fediz-idp.war) which
allows browser-based applications to interact with the STS. The communication
between the browser and the IDP must be performed within the confine
s of the base HTTP 1.1 functionality and conform as closely as possible to the
WS-Trust protocols semantic.</p><p>The Fediz STS is based on a customized CXF
STS configured to support standard Federation use cases demonstrated by the
examples. The Fediz STS has been enhanced to support two realms *Realm-A* and
*Realm-B* with the following set of users:</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>User</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Password</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><em>Realm A</em></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p> </p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>alice</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>ecila</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>bob</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>bob</p></td></tr><tr>
<td colspan="1" rowspan="1" class="confluenceTd"><p>ted</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>det</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm B</em></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>ALICE</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>ECILA</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>BOB</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>BOB</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>TED</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>DET</p></td></tr></tbody></table></div><p>The Fediz IDP
doesn't support several realms within one WAR which requires to build a Fediz
IDP WAR for Realm A (default, shipped with Fediz Distribution) and Realm B. See
below how to build a Fediz IDP WAR for a specific realm.</p><h3
id="FedizIDP1.1-Installation">Insta
llation</h3><p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be
able to work with any commercial JEE application server.</p><p>It's recommended
to set up a dedicated (separate) Tomcat instance for the IDP compared to the
one hosting the RP (relying party) applications. Using one deployment of Tomcat
with multiple CATALINA_BASE instances, as described <a shape="rect"
class="external-link"
href="http://www.shaunabram.com/multiple-tomcat-instances/"
rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib
folder will be shared throughout each of the activated CATALINA_BASE instances.
Another probably simpler alternative is to copy your Tomcat folder into a
second location and edit its conf/server.xml file and <a shape="rect"
class="external-link"
href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html"
rel="nofollow">change port values</a> (discussed below) so they don't conflict
with the original Tomcat i
nstallation.</p><p>To start and stop this second Tomcat instance, it is
perhaps easiest to create small startup.sh and shutdown.sh scripts that
temporarily redefine $CATALINA_HOME from the first to the second instance, for
example:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/startup.sh
</pre>
</div></div><p>and</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/shutdown.sh
</pre>
</div></div><p>If you're using the one Tomcat with multiple instance option,
it's $CATALINA_BASE instead that will need to be redefined above.</p><h5
id="FedizIDP1.1-Tomcatserver.xmlconfiguration">Tomcat server.xml
configuration</h5><p>The Fediz examples use the following Tomcat port values
for the IDP/STS, defined in the conf/server.xml file. We use ports different
from the Tomcat defaults so as not to conflict with the Tomcat instance running
the RP applications.</p><ul><li>HTTP port: 9080 (used for Maven deployment, mvn
tomcat:redeploy)</li><li>HTTPS port: 9443 (where IDP and STS are
accessed)</li><li>Server port: 9005 (for shutdown and other
commands)</li></ul><p>Here is a sample snippet for showing the configuration of
the above three values:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"><Server port="9005" shutdown="SHUTDOWN">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><Server port="9005" shutdown="SHUTDOWN">
...
<!-- http configuration -->
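Review bot: none of the three blocks in this hunk is Java. The two start/stop snippets are shell (`CATALINA_HOME=/path/to/second/tomcat` followed by `$CATALINA_HOME/bin/startup.sh` and `.../shutdown.sh`) and the last is Tomcat's server.xml (`<Server port="9005" shutdown="SHUTDOWN">`), so the first two should keep `brush: bash` and the third should get `brush: xml`. There is also a logic point in the shell context lines: the variable is assigned but not exported, so `startup.sh` does not inherit it. That happens to work for `CATALINA_HOME` because the Tomcat scripts derive it from their own location, but for the multi-instance variant the text recommends (`it's $CATALINA_BASE instead that will need to be redefined above`) an unexported `CATALINA_BASE` is silently ignored and the wrong instance starts; the scripts should use `export CATALINA_BASE=/path/to/second/instance`.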
@@ -142,7 +142,7 @@ $CATALINA_HOME/bin/shutdown.sh
</Server>
</pre>
</div></div><p>The keystoreFile is relative to $CATALINA_BASE. See <a
shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the
Tomcat 7 configuration reference. This page also describes how to create
certificates. Sample Tomcat keystores (not for production use, but useful for
demoing Fediz and running the sample applications) are provided in the
examples/samplekeys folder of the Fediz distribution.</p><p>To establish trust,
there are significant keystore/truststore requirements between the Tomcat
instances and the various web applications (IDP, STS, Relying party
applications, third party web services, etc.) See <a shape="rect"
class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&view=co">this
page</a> for more details, it lists the trust requirements as well as sample
scripts for creating your own (self-signed) keys.</p><p><s
trong>Warning: All sample keystores provided with Fediz (including in the WAR
files for its services and examples) are for development/prototyping use only.
They'll need to be replaced for production use, at a minimum with your own
self-signed keys but strongly recommended to use third-party signed
keys.</strong></p><h5 id="FedizIDP1.1-BuildtheIDPWAR">Build the IDP
WAR</h5><p>The Fediz 1.1 distribution ships one Fediz IDP WAR built for Realm-A
by default. The distribution also contains the IDP and STS sources with two
Maven Profiles <em>realm-a</em> and <em>realm-b</em>. More information is
provided in the <code>README.txt</code> <a shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/services/idp/README.txt?view=co">here</a></p><p>Once
you deploy the IDP WAR files to your Tomcat installation
(<catalina.home>/webapps), you should be able to see the Fediz STS from a
browser. Assuming port 9080 as listed above, the STS WSDL is availabl
e at:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh">Version</th><th colspan="1"
rowspan="1" class="confluenceTh"><a shape="rect" class="external-link"
href="http://localhost:9080/fediz-idp-sts/STSService?wsdl"
rel="nofollow">STS</a> WSDL location</th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">Fediz 1.0.x</td><td colspan="1" rowspan="1"
class="confluenceTd"><a shape="rect" class="external-link"
href="http://localhost:9080/fediz-idp-sts/STSService?wsdl"
rel="nofollow">http://localhost:9080/fediz-idp-sts/STSService?wsdl</a></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">Fediz 1.1.x</td><td colspan="1"
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link"
href="http://localhost:9080/fediz-idp-sts/STSService?wsdl"
rel="nofollow">http://localhost:9080/fediz-idp-sts/</a><a shape="rect"
class="external-link"
href="https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransp
ort?wsdl"
rel="nofollow">REALMA/STSServiceTransport?wsdl</a></td></tr></tbody></table></div><h3
id="FedizIDP1.1-Configuration">Configuration</h3><p>You can manage the users,
their claims and the claims per application in the IDP.</p><h5
id="FedizIDP1.1-Userandpassword">User and password</h5><p>The users and
passwords are configured in a Spring configuration file in
<code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following users
are already configured for the <em>Realm A</em> and can easily be
extended.</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> <util:map id="REALMA">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> <util:map id="REALMA">
<entry key="alice" value="ecila" />
<entry key="bob" value="bob" />
<entry key="ted" value="det" />
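Review bot: the passwords.xml block is Spring XML (`<util:map id="REALMA">`, `<entry key="alice" value="ecila" />`), so use `brush: xml` rather than `brush: java`. In the context lines the STS WSDL table row for Fediz 1.1.x is broken: the cell stitches two anchors together, the first with href `http://localhost:9080/fediz-idp-sts/STSService?wsdl` but visible text `http://localhost:9080/fediz-idp-sts/`, the second with href `https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl`, so the displayed URL mixes the HTTP port 9080 with a path that is only served on HTTPS 9443. The paragraph above also says `Assuming port 9080 as listed above` while the page defines 9443 as the port on which the IDP and STS are accessed; make the 1.1.x row a single link to the https://localhost:9443/... URL and fix the port reference.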
@@ -155,7 +155,7 @@ $CATALINA_HOME/bin/shutdown.sh
</util:map>
</pre>
</div></div><h5 id="FedizIDP1.1-UserClaims">User Claims</h5><p>The claims of
each user are configured in a spring configuration file
<code>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</code>. The following claims
are already configured:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> <util:map id="userClaimsREALMA">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> <util:map id="userClaimsREALMA">
<entry key="alice"
value-ref="REALMA_aliceClaims" />
<entry key="bob"
@@ -176,7 +176,7 @@ $CATALINA_HOME/bin/shutdown.sh
</util:map>
</pre>
</div></div><p>The claim id's are configured according to Section 7.5 in the
specification <a shape="rect" class="external-link"
href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html"
rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims
to a SAML attribute statement are described in Section 7.2.</p><h5
id="FedizIDP1.1-IDPconfiguration">IDP configuration</h5><p>The IDP
configuration is done in the new configuration file
<code>idp-config-<realm>.xml</code> which is illustrated below</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> <bean id="idp-realmA"
class="org.apache.cxf.fediz.service.idp.model.IDPConfig">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> <bean id="idp-realmA"
class="org.apache.cxf.fediz.service.idp.model.IDPConfig">
<property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A"
/>
<property name="uri" value="realma" />
<!--<property name="hrds" value="" />--> <!-- TBD, not
defined, provide list if enabled -->
@@ -212,7 +212,7 @@ $CATALINA_HOME/bin/shutdown.sh
</bean>
</pre>
</div></div><h5 id="FedizIDP1.1-RelyingParty/Applicationconfiguration">Relying
Party / Application configuration</h5><p><em>Note: The configuration file</em>
<code><em>RPClaims.xml</em></code> <em>has been replaced</em></p><p>The
application related configuration like required claims are configured in the
new IDP configuration file <code>idp-config-<realm>.xml</code> which has
been enhanced to support other configuration parameters as well:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> <bean id="srv-fedizhelloworld"
class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> <bean id="srv-fedizhelloworld"
class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
<property name="realm"
value="urn:org:apache:cxf:fediz:fedizhelloworld" />
<property name="protocol"
value="http://docs.oasis-open.org/wsfed/federation/200706" />
<property name="serviceDisplayName" value="Fedizhelloworld" />
@@ -243,7 +243,7 @@ $CATALINA_HOME/bin/shutdown.sh
</bean>
</pre>
</div></div><h5 id="FedizIDP1.1-TrustedIDPconfiguration">Trusted IDP
configuration</h5><p>This feature is new in Fediz IDP 1.1 and allows to
redirect a SignIn Request to a trusted IDP. The following configuration is
required:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> <bean id="trusted-idp-realmB"
class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> <bean id="trusted-idp-realmB"
class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig">
<property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B"
/>
<property name="url"
value="https://localhost:12443/fediz-idp-remote/federation" />
<property name="certificate" value="realmb.cert" />
@@ -255,7 +255,7 @@ $CATALINA_HOME/bin/shutdown.sh
</bean>
</pre>
</div></div><h3 id="FedizIDP1.1-ConfigureLDAPdirectory">Configure LDAP
directory</h3><p>The Fediz IDP can be configured to attach an LDAP directory to
authenticate users and to retrieve claims information of users.</p><h5
id="FedizIDP1.1-Usernameandpasswordauthentication">Username and password
authentication</h5><p>WSS4J supports username/password authentication using
JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as
illustrated here in a sample jaas configuration (jaas.config):</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">myldap {
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">myldap {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
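Review bot: the line `userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"` inside this block has a closing quote but no opening one, so the sample `jaas.config` does not parse if copied as-is; since the hunk rewrites the block anyway, quote the value the same way as the `authIdentity="cn={USERNAME},..."` line below it. Two more points on the same lines: the sample binds over plain `ldap://` on port 389, which sends every user's password to the directory in cleartext, so the example should show `useSSL=true` (or an `ldaps://` URL) as the recommended form; and `brush: java` is not right for a JAAS login configuration, `brush: plain` keeps it readable without misleading highlighting.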
@@ -264,12 +264,12 @@ $CATALINA_HOME/bin/shutdown.sh
};
</pre>
</div></div><p>You can get more information about this LoginModule <a
shape="rect" class="external-link"
href="http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html"
rel="nofollow">here</a>.</p><p>In this example, all the users are stored in
the organization unit Users within mycompany.org. The configuration filename
can be chosen, e.g. <code>jaas.config</code>. The filename must be configured
as a JVM argument. JVM related configurations for Tomcat can be done in the
file <code>setenv.sh/bat</code> located in directory <code>tomcat/bin</code>.
This script is called implicitly by <code>catalina.bat/sh</code> and might look
like this for UNIX:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">#!/bin/sh
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">#!/bin/sh
JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
export JAVA_OPTS
</pre>
</div></div><p>Next, the STS endpoint has to be configured to use the JAAS
LoginModule which is accomplished by the
<code>JAASUsernameTokenValidator</code>.</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"><bean
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><bean
class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
id="jaasUTValidator">
<property name="contextName" value="myldap"/>
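Review bot: the first change in this hunk regresses a correct label: the block starting `#!/bin/sh` that sets and exports `JAVA_OPTS` is a shell script, `brush: bash` was right for it, and the switch to `brush: java` should be reverted (change only the theme if that is the intent). For the second change, the `JAASUsernameTokenValidator` bean definition is Spring XML and wants `brush: xml`.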
@@ -290,7 +290,7 @@ export JAVA_OPTS
</jaxws:endpoint>
</pre>
</div></div><p>The property <code>contextName</code> must match the context
name defined in the JAAS configuration file which is <code>myldap</code> in
this example.</p><h5 id="FedizIDP1.1-Claimsmanagement">Claims
management</h5><p>When a STS client (IDP) requests a claim, the ClaimsManager
in the STS checks every registered ClaimsHandler who can provide the data of
the requested claim. The CXF STS provides
<code>org.apache.cxf.sts.claims.LdapClaimsHandler</code> which is a claims
handler implementation to get claims from user attributes in a LDAP
directory.</p><p>You configure which claim URI maps to which LDAP user
attribute. The implementation uses the Spring Ldap Module
(LdapTemplate).</p><p>The following example illustrate the changes to be made
in <code>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</code>:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"><util:list id="claimHandlerList">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><util:list id="claimHandlerList">
<ref bean="ldapClaimsHandler" />
</util:list>
Modified: websites/production/cxf/content/fediz-idp.html
==============================================================================
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Wed Sep 13 15:05:52 2017
@@ -125,7 +125,7 @@ Apache CXF -- Fediz IDP
<p>To start and stop this second Tomcat instance, it is perhaps easiest to
create small startup.sh and shutdown.sh scripts that temporarily redefine
$CATALINA_HOME from the first to the second instance, for example:</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/startup.sh
</pre>
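Review bot: this hunk and the next one (the `shutdown.sh` counterpart at `@@ -134,7`) turn two shell snippets (`CATALINA_HOME=/path/to/second/tomcat` followed by `$CATALINA_HOME/bin/startup.sh` / `shutdown.sh`) from `brush: bash` into `brush: java`; these were correctly labelled before and should keep `bash`, with only the theme changed.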
@@ -134,7 +134,7 @@ $CATALINA_HOME/bin/startup.sh
<p>and</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/shutdown.sh
</pre>
@@ -152,7 +152,7 @@ $CATALINA_HOME/bin/shutdown.sh
<p>Here is a sample snippet for showing the configuration of the above three
values:</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<Server port="9005" shutdown="SHUTDOWN">
...
@@ -194,7 +194,7 @@ $CATALINA_HOME/bin/shutdown.sh
<p>The users and passwords are configured in a Spring configuration file in
<code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following users
are already configured and can easily be extended.</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<util:map id="passwords">
<entry key="alice"
value="ecila" />
@@ -210,7 +210,7 @@ $CATALINA_HOME/bin/shutdown.sh
<p>The claims of each user are configured in a spring configuration file
<code>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</code>. The following claims
are already configured:</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<util:map id="userClaims">
<entry key="alice"
value-ref="aliceClaims" />
@@ -241,7 +241,7 @@ $CATALINA_HOME/bin/shutdown.sh
<p>The required claims per relying party are configured in the
<code>webapps/fediz-idp/WEB-INF/RPClaims.xml</code>. The XML file has the
following structure:</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<util:map id="realm2ClaimsMap">
<entry key="https://localhost:8443/fedizhelloworld/"
value-ref="claimsWsfedhelloworld" />
@@ -271,7 +271,7 @@ $CATALINA_HOME/bin/shutdown.sh
<p>WSS4J supports username/password authentication using JAAS. The JDK
provides a JAAS LoginModule for LDAP which can be configured as illustrated
here in a sample jaas configuration (jaas.config):</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
myldap {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
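Review bot: the same unbalanced quote as in the FedizIDP1.1 page earlier in this commit appears here at `userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"` (closing quote, no opening one), so the sample configuration is not loadable as shown; fix it while the block is being touched, and prefer `brush: plain` over `brush: java` for a JAAS login configuration. As on the other page, the example authenticates over cleartext `ldap://`; show `useSSL=true` in the sample so readers do not copy an insecure bind.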
@@ -287,7 +287,7 @@ myldap {
<p>In this example, all the users are stored in the organization unit Users
within mycompany.org. The configuration filename can be chosen, e.g.
<code>jaas.config</code>. The filename must be configured as a JVM argument.
JVM related configurations for Tomcat can be done in the file
<code>setenv.sh/bat</code> located in directory <code>tomcat/bin</code>. This
script is called implicitly by <code>catalina.bat/sh</code> and might look like
this for UNIX:</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
#!/bin/sh
JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
export JAVA_OPTS
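Review bot: the `#!/bin/sh` / `JAVA_OPTS=...` / `export JAVA_OPTS` block in this hunk is a shell script; `brush: bash` was correct and the switch to `brush: java` should be reverted (keep the `theme: Default` change if that is what is wanted).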
@@ -297,7 +297,7 @@ export JAVA_OPTS
<p>Next, the STS endpoint has to be configured to use the JAAS LoginModule
which is accomplished by the <code>JAASUsernameTokenValidator</code>.</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<bean
class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
id="jaasUTValidator">
@@ -331,7 +331,7 @@ export JAVA_OPTS
<p>The following example illustrate the changes to be made in
<code>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</code>:</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<util:list id="claimHandlerList">
<ref bean="ldapClaimsHandler" />
</util:list>
Modified: websites/production/cxf/content/fediz-jetty.html
==============================================================================
--- websites/production/cxf/content/fediz-jetty.html (original)
+++ websites/production/cxf/content/fediz-jetty.html Wed Sep 13 15:05:52 2017
@@ -122,7 +122,7 @@ Apache CXF -- Fediz Jetty
<ol><li>Create sub-directory <code>fediz</code> in
<code>${jetty.home}/lib/fediz</code></li><li>Update start.ini in
${jetty.home}/start.ini by adding <code>fediz</code> to the OPTIONS
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
OPTIONS=Server,fediz
</pre>
</div></div></li><li>Deploy the libraries to the directory created in
(1)</li></ol>
@@ -168,7 +168,7 @@ OPTIONS=Server,fediz
<p>Hint: file name must be equal to war file name</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<Get name="securityHandler">
<Set name="loginService">
<New class="org.apache.cxf.fediz.jetty.FederationLoginService">
Modified: websites/production/cxf/content/fediz-metadata.html
==============================================================================
--- websites/production/cxf/content/fediz-metadata.html (original)
+++ websites/production/cxf/content/fediz-metadata.html Wed Sep 13 15:05:52 2017
@@ -120,7 +120,7 @@ Apache CXF -- Fediz Metadata
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
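Review bot: the `EntityDescriptor` document in this hunk, and the two further metadata blocks in the hunks at `@@ -141,7` and `@@ -184,7`, are SAML 2.0 metadata XML; `brush: xml` is the appropriate highlighter, neither the old `bash` nor the new `java`.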
@@ -141,7 +141,7 @@ Apache CXF -- Fediz Metadata
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
@@ -184,7 +184,7 @@ Apache CXF -- Fediz Metadata
<p>This is an example metadata document:</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<EntityDescriptor ID="_36BF9BFBF49BA48A2D13395075556522"
entityID="https://localhost:8443/fedizhelloworld/"
xmlns:auth="http://docs.oasis-open.org/wsfed/federation/200706"
xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
Modified: websites/production/cxf/content/fediz-oidc.html
==============================================================================
--- websites/production/cxf/content/fediz-oidc.html (original)
+++ websites/production/cxf/content/fediz-oidc.html Wed Sep 13 15:05:52 2017
@@ -100,11 +100,11 @@ Apache CXF -- Fediz OIDC
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1505243203064 {padding: 0px;}
-div.rbtoc1505243203064 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1505243203064 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1505315088213 {padding: 0px;}
+div.rbtoc1505315088213 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1505315088213 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1505243203064">
+/*]]>*/</style></p><div class="toc-macro rbtoc1505315088213">
<ul class="toc-indentation"><li><a shape="rect"
href="#FedizOIDC-Introduction">Introduction</a></li><li><a shape="rect"
href="#FedizOIDC-UserAuthentication">User Authentication</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#FedizOIDC-TrustedProviders">Trusted Providers</a></li></ul>
</li><li><a shape="rect" href="#FedizOIDC-ClientRegistration">Client
Registration</a></li><li><a shape="rect" href="#FedizOIDC-OIDCServices">OIDC
Services</a></li><li><a shape="rect"
href="#FedizOIDC-IdToken">IdToken</a></li><li><a shape="rect"
href="#FedizOIDC-DataPersistence">Data Persistence</a></li><li><a shape="rect"
href="#FedizOIDC-Deployment">Deployment</a></li></ul>
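Review bot: this hunk changes nothing a reader can see: it only renames the generated Confluence TOC class from `rbtoc1505243203064` to `rbtoc1505315088213` in the three `<style>` rules and the `div.toc-macro`. The timestamp-derived class is regenerated on every export, so each future publish will produce the same churn; normalise or strip it in the export step (or drop the inline TOC styling) so that diffs of this page only show real content changes.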
Modified: websites/production/cxf/content/fediz-spring-2.html
==============================================================================
--- websites/production/cxf/content/fediz-spring-2.html (original)
+++ websites/production/cxf/content/fediz-spring-2.html Wed Sep 13 15:05:52 2017
@@ -139,7 +139,7 @@ Apache CXF -- Fediz Spring 2
<p>The following configuration snippets illustrate the Fediz related
configuration. The complete configuration file can be found in the example
<em>spring2Webapp</em>.</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;border-bottom-style:
solid;"><b>applicationContext-security.xml</b></div><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<sec:http entry-point-ref="federationEntryPoint">
<sec:intercept-url pattern="/secure/fedservlet"
access="IS_AUTHENTICATED_FULLY"/>
<sec:intercept-url pattern="/secure/manager/**"
access="ROLE_MANAGER"/>
@@ -179,7 +179,7 @@ Apache CXF -- Fediz Spring 2
<p>The following code snippet of the FederationServlet example illustrates how
to get access to the Spring Security Context of the current user and to the
Federation releated information like claims and login token.</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
Authentication obj =
SecurityContextHolder.getContext().getAuthentication();
FederationAuthenticationToken fedAuthToken =
(FederationAuthenticationToken)auth;
for (GrantedAuthority item : fedAuthToken.getAuthorities()) {
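Review bot: `brush: java` is right for this block, but the snippet itself does not compile: the first line declares `Authentication obj = SecurityContextHolder.getContext().getAuthentication();` and the next line casts an undeclared variable `auth` (`(FederationAuthenticationToken)auth;`). Rename one of them so the example reads `Authentication auth = ...; FederationAuthenticationToken fedAuthToken = (FederationAuthenticationToken) auth;`, and guard the cast with an `instanceof` check, since `getAuthentication()` can return null or a non-federation token for an unauthenticated request.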
Modified: websites/production/cxf/content/fediz-spring.html
==============================================================================
--- websites/production/cxf/content/fediz-spring.html (original)
+++ websites/production/cxf/content/fediz-spring.html Wed Sep 13 15:05:52 2017
@@ -143,7 +143,7 @@ Apache CXF -- Fediz Spring
<p>The following configuration snippets illustrate the Fediz related
configuration. The complete configuration file can be found in the example
<em>springPreAuthWebapp</em>.</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;border-bottom-style:
solid;"><b>applicationContext-security.xml</b></div><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<bean id="preAuthenticatedUserDetailsService"
class="org.apache.cxf.fediz.spring.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsFederationService"/>
@@ -184,7 +184,7 @@ Apache CXF -- Fediz Spring
<p>The following code snippet of the FederationServlet example illustrates how
to get access to the Spring Security Context of the current user.</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
Authentication obj =
SecurityContextHolder.getContext().getAuthentication();
</pre>
</div></div>
@@ -204,7 +204,7 @@ Apache CXF -- Fediz Spring
<p>The following configuration snippets illustrate the Fediz related
configuration. The complete configuration file can be found in the example
<em>springWebapp</em>.</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;border-bottom-style:
solid;"><b>applicationContext-security.xml</b></div><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<sec:http entry-point-ref="federationEntryPoint"
use-expressions="true">
<sec:intercept-url pattern="/" access="permitAll"/>
<sec:intercept-url pattern="/fediz" access="permitAll"/>
@@ -250,7 +250,7 @@ Apache CXF -- Fediz Spring
<p>The following code snippet of the FederationServlet example illustrates how
to get access to the Spring Security Context of the current user and to the
Federation releated information like claims and login token.</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
Authentication obj =
SecurityContextHolder.getContext().getAuthentication();
FederationAuthenticationToken fedAuthToken =
(FederationAuthenticationToken)auth;
for (GrantedAuthority item : fedAuthToken.getAuthorities()) {
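Review bot: same mismatch as in the Fediz Spring 2 page: `Authentication obj = SecurityContextHolder.getContext().getAuthentication();` is declared, but the cast on the next line uses an undeclared `auth` (`(FederationAuthenticationToken)auth;`), so the sample does not compile. Use one name for both lines and check `instanceof FederationAuthenticationToken` before casting; `brush: java` is correct here and can stay.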
Modified: websites/production/cxf/content/fediz-tomcat.html
==============================================================================
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Wed Sep 13 15:05:52 2017
@@ -109,20 +109,20 @@ Apache CXF -- Fediz Tomcat
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="FedizTomcat-TomcatPlugin">Tomcat
Plugin</h1><p>This page describes how to enable Federation for a Tomcat
instance hosting Relying Party (RP) applications. This configuration is not for
a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for
third-party applications that use Fediz STS-generated SAML assertions for
authentication. After this configuration is done, the Tomcat-RP instance will
validate the incoming SignInResponse created by the IDP server.</p><p>Prior to
doing this configuration, make sure you've first deployed the Fediz IDP and STS
on the separate Tomcat IDP instance as discussed <a shape="rect"
href="fediz-idp.html">here</a>, and can view the STS WSDL at the URL given on
that page. That page also provides some tips for running multiple Tomcat
instances on your machine.</p><h3
id="FedizTomcat-Installation">Installation</h3><p>You can either build the
Fediz plugin on your own or download the package <a shape="r
ect" href="fediz-downloads.html">here</a>. If you have built the plugin on
your own you'll find the required libraries in
<code>plugins/tomcat/target/...zip-with-dependencies.zip</code></p><ol><li>Create
sub-directory <code>fediz</code> in
<code>${catalina.home}/lib</code></li><li>Update calatina.properties in
${catalina.home}/conf<br clear="none"> add the previously created directory to
the common loader:<br clear="none">
<code>common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar</code></li><li>Deploy
the libraries to the directory created in (1)</li></ol><h3
id="FedizTomcat-Configuration">Configuration</h3><h5
id="FedizTomcat-HTTPSconfiguration">HTTPS configuration</h5><p>It's recommended
to set up a dedicated (separate) Tomcat instance for the Relying Party. The
Fediz RP web applications use the following TCP ports:</p><ul><li>HTTP port:
8080 (used for Maven deployment, mvn tomcat:redeploy)<
/li><li>HTTPS port: 8443 (where IDP and STS are accessed)</li><li>Server port
(for shutdown and other commands): 8005</li></ul><p>These are the default ports
for a standard Tomcat installation.</p><p>The Relying Party must be accessed
over HTTPS to protect the security tokens issued by the IDP.</p><p>The Tomcat
HTTP(s) configuration is done in conf/server.xml.</p><p>This is a sample
snippet for an HTTPS configuration:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;"> <Connector port="8443"
protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"> <Connector port="8443"
protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="rp-ssl-key.jks" keyPass="tompass"
keystorePass="tompass" sslProtocol="TLS" />
</pre>
</div></div><p>The keystoreFile is relative to $CATALINA_HOME. See <a
shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the
Tomcat 7 configuration reference. This page also describes how to create
certificates. Sample Tomcat keystores (not for production use, but useful for
demoing Fediz and running the sample applications) are provided in the
examples/samplekeys folder of the Fediz distribution. Note the Tomcat keystore
here is different from the one used to configure the Tomcat-IDP
instance.</p><p>To establish trust, there are significant keystore/truststore
requirements between the Tomcat instances and the various web applications
(IDP, STS, Relying party applications, third party web services, etc.) See <a
shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this
page</a> for more details, it lists the trust requirements as well a
s sample scripts for creating your own (self-signed)
keys.</p><p><strong>Warning: All sample keystores provided with Fediz
(including in the WAR files for its services and examples) are for
development/prototyping use only. They'll need to be replaced for production
use, at a minimum with your own self-signed keys but strongly recommended to
use third-party signed keys.</strong></p><p>If you are currently just trying to
run the Fediz samples, the configuration above is all you need (the below
configuration is already provided within the samples) so you can return now to
the samples' READMEs for the next steps in running them.</p><h5
id="FedizTomcat-FedizPluginconfigurationforYourWebApplication">Fediz Plugin
configuration for Your Web Application</h5><p>The Fediz related configuration
is done in a Servlet Container independent configuration file which is
described <a shape="rect" href="fediz-configuration.html">here</a>.</p><p>The
Fediz plugin requires configuring the FederationAuthe
nticator like any other Valve in Tomcat. Detailed information about the Tomcat
Valve concept is available <a shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p><p>A
Valve can be configured on different levels like <em>Host</em> or
<em>Context</em>. The Fediz configuration file allows to configure all servlet
contexts in one file or choosing one file per Servlet Context. If you choose to
have one Fediz configuration file per Servlet Context then you must configure
the FederationAuthenticator on the <em>Context</em> level otherwise on the
<em>Host</em> level in the Tomcat configuration file
<em>server.xml</em></p><p>You can either configure the context in the
server.xml or in META-INF/context.xml as part of your WAR file.</p><h6
id="FedizTomcat-META-INF/context.xml">META-INF/context.xml</h6><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<Context>
<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/fediz_config.xml" />
</Context>
</pre>
</div></div><h6 id="FedizTomcat-Hostlevelinserver.xml">Host level in
server.xml</h6><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
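Review bot: since this hunk rewrites the whole 20-line block, the factual slips inside it should go with it: the port list says `HTTPS port: 8443 (where IDP and STS are accessed)`, but this page configures the Relying Party instance and the IDP/STS live on the separate Tomcat whose ports the fediz-idp page gives (9080/9443 earlier in this commit), so 8443 is where the RP applications are accessed; and `calatina.properties` should read `catalina.properties`. The `<Connector ...>` and `<Context>` fragments are server.xml / context.xml, so they want `brush: xml` rather than `brush: java`.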
@@ -130,7 +130,7 @@ Apache CXF -- Fediz Tomcat
</Host>
</pre>
</div></div><h6 id="FedizTomcat-Contextlevelinserver.xml">Context level in
server.xml</h6><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<Context path="/fedizhelloworld" docBase="fedizhelloworld">
<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/fediz_config.xml" />
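Review bot: same brush mismatch on the Context-level server.xml block: `<Context path="/fedizhelloworld" docBase="fedizhelloworld">` is XML, not Java, so `brush: xml` would be correct. All three Tomcat configuration snippets on this page show the same `<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" configFile="conf/fediz_config.xml" />` element, so they should carry the same brush so that the page highlights them uniformly.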
Modified: websites/production/cxf/content/fediz-websphere.html
==============================================================================
--- websites/production/cxf/content/fediz-websphere.html (original)
+++ websites/production/cxf/content/fediz-websphere.html Wed Sep 13 15:05:52
2017
@@ -176,7 +176,7 @@ At deployment time, the declared J2EE se
<p>The file defined in <code>groups.mapping.file</code> must have the
following structure:</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;border-bottom-style: solid;"><b>roleGroupMapping.xml</b></div><div
class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<?xml version="1.0" encoding="UTF-8"?>
<mapping>
<samlToJ2EE>
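Review bot: the block header already names this snippet `roleGroupMapping.xml`, and its first line is `<?xml version="1.0" encoding="UTF-8"?>`, so `brush: java` contradicts the block's own label; `brush: xml` is the right choice. With the Java brush the XML declaration and the `<mapping>`/`<samlToJ2EE>` elements will not be tokenised sensibly.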
Modified: websites/production/cxf/content/fediz.html
==============================================================================
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Wed Sep 13 15:05:52 2017
@@ -110,7 +110,7 @@ Apache CXF -- Fediz
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1
id="Fediz-ApacheCXFFediz:AnOpen-SourceWebSecurityFramework">Apache CXF Fediz:
An Open-Source Web Security Framework</h1><h2
id="Fediz-Overview">Overview</h2><p>Apache CXF Fediz is a subproject of CXF.
Fediz helps you to secure your web applications and delegates security
enforcement to the underlying application server. With Fediz, authentication is
externalized from your web application to an identity provider installed as a
dedicated server component. The supported standard is <a shape="rect"
class="external-link"
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002"
rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a
shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Claims-based_identity" rel="nofollow">Claims
Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h2
id="Fediz-News">News</h2><p><strong><strong>August 18, 2017 - <strong><st
rong>Apache CXF Fediz 1.4.</strong></strong>1
released</strong></strong></p><p>Apache CXF Fediz 1.4.1 has been
released.</p><p>For more information and to download the new release, please go
<a shape="rect" href="fediz-downloads.html">here</a>.</p><p><strong><strong>May
16, 2017 - Two new security advisories for Apache CXF Fediz are
released</strong></strong></p><p>Two new security advisories have been released
for issues that are fixed in the latest releases (1.4.0, 1.3.2 and
1.2.4):</p><ul><li><a shape="rect"
href="http://cxf.apache.org/security-advisories.data/CVE-2017-7661.txt.asc?version=1&modificationDate=1494949364764&api=v2">CVE-2017-7661</a>:
The Apache CXF Fediz Jetty and Spring plugins are vulnerable to CSRF
attacks.</li><li><a shape="rect"
href="http://cxf.apache.org/security-advisories.data/CVE-2017-7662.txt.asc?version=1&modificationDate=1494949377300&api=v2">CVE-2017-7662</a>:
The Apache CXF Fediz OIDC Client Registration Service is vulnerable to CSRF
attacks.</li></ul><p>Please upgrade to the latest releases as soon as
possible.</p><p><strong><strong>April 28, 2017 - Apache CXF Fediz 1.4.0, 1.3.2
and 1.2.4 released<br clear="none"></strong></strong></p><p>Apache CXF Fediz
1.4.0, 1.3.2 and 1.2.4 have been released.</p><p>For more information and to
download the new releases, please go <a shape="rect"
href="fediz-downloads.html">here</a>.</p><h2
id="Fediz-Features">Features</h2><p>The following features are supported by
Fediz 1.2</p><ul><li>WS-Federation 1.0/1.1/1.2</li><li>SAML 1.1/2.0
Tokens</li><li>Support for encrypted SAML Tokens (Release 1.1)</li><li>Support
for Holder-Of-Key SubjectConfirmationMethod (1.1)</li><li>Custom token
Support</li><li>Publish WS-Federation Metadata document</li><li>Role
information encoded as AttributeStatement in SAML 1.1/2.0 tokens</li><li>Claims
information provided by FederationPrincipal Interface</li><li>Support for
Tomcat, Jetty, Websphere, Spring Security and CXF (1.1)</li><li>Fediz IDP suppo
rts "Resource IDP" role as well (1.1)</li><li>A new REST API for the IdP
(1.2)</li><li>Support for logout in both the RP and IdP (1.2)</li><li>Support
for logging on to the IdP via Kerberos and TLS client authentication
(1.2)</li><li>A new container-independent CXF plugin for WS-Federation
(1.2)</li><li>Support to use the IdP as an identity broker with a remote SAML
SSO IdP (1.2)</li></ul><p>The following features are planned for the next
release:</p><ul><li>support for other protocols like OAuth</li></ul><p>You can
get the current status of the enhancements <a shape="rect"
class="external-link" href="https://issues.apache.org/jira/browse/FEDIZ">here
</a>.</p><h2 id="Fediz-Architecture">Architecture</h2><p>The Fediz architecture
is described in more detail <a shape="rect"
href="fediz-architecture.html">here</a>.</p><h2
id="Fediz-Download">Download</h2><p>See <a shape="rect"
href="fediz-downloads.html">here</a>.</p><h2 id="Fediz-Gettingstarted">Getting
started</h2><p>The WS-Federatio
n specification defines the following parties involved during a web
login:</p><ul><li>Browser</li><li>Identity Provider (IDP)<br clear="none"> The
IDP is a centralized, application independent runtime component which
implements the protocol defined by WS-Federation. You can use any open source
or commercial product that supports WS-Federation 1.1/1.2 as your IDP. It's
recommended to use the Fediz IDP for testing as it allows for testing your web
application in a sandbox without having all infrastructure components
available. The Fediz IDP consists of two WAR components. The Security Token
Service (STS) does most of the work including user authentication, claims/role
data retrieval and creating the SAML token. The IDP WAR translates the response
to an HTML response allowing a browser to process it.</li><li>Relying Party
(RP)<br clear="none"> The RP is a web application that needs to be protected.
The RP must be able to implement the protocol as defined by WS-Federation. This
componen
t is called "Fediz Plugin" in this project which consists of container
agnostic module/jar and a container specific jar. When an authenticated request
is detected by the plugin it redirects to the IDP for authentication. The
browser sends the response from the IDP to the RP after successful
authentication. The RP validates the response and creates the container
security context.</li></ul><p>It's recommended to deploy the IDP and the web
application (RP) into different container instances as in a production
deployment. The container with the IDP can be used during development and
testing for multiple web applications needing security.</p><h3
id="Fediz-SettinguptheIDP">Setting up the IDP</h3><p>The installation and
configuration of the IDP is documented <a shape="rect"
href="fediz-idp-11.html">here</a></p><h3
id="Fediz-SetuptheRelyingPartyContainer">Set up the Relying Party
Container</h3><p>The Fediz plugin needs to be deployed into the Relying Party
(RP) container. The security mecha
nism is not specified by JEE. Even though it is very similar in each servlet
container there are some differences which require a dedicated Fediz plugin for
each servlet container implementation. Most of the configuration goes into a
Servlet container independent configuration file which is described <a
shape="rect" href="fediz-configuration.html">here</a></p><p>The following lists
shows the supported containers and the location of the installation and
configuration page.</p><ul><li><a shape="rect" href="fediz-tomcat.html">Tomcat
7 </a></li><li><a shape="rect" href="fediz-jetty.html">Jetty 7/8
(1.1)</a></li><li><a shape="rect" href="fediz-spring.html">Spring Security 3.1
(1.1)</a></li><li><a shape="rect" href="fediz-websphere.html">Websphere 7/8
(1.1)</a></li><li><a shape="rect" href="fediz-cxf.html">CXF (1.1)
</a></li></ul><h2 id="Fediz-Samples">Samples</h2><p>The examples directory
contains two sample relying party applications. They are independent of each
other, so it is not nec
essary to deploy both at once.</p><p>Each sample is described in a
<code>README.txt</code> file located in the base directory of each
sample.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Sample</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>simpleWebapp</strong></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>a simple web application which
is protected by the Fediz IDP. The FederationServlet illustrates how to get
security information using the standard APIs.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>wsclientWebapp</strong></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>a protected web application
that calls a web service that uses the Fediz STS to validate credentials. Here,
the same STS is used for token issuance (indirectly, by the web applicatio
n through use of the Fediz IDP) and validation. The FederationServlet
illustrates how to securely call a web
service.</p></td></tr></tbody></table></div><p><span
class="confluence-anchor-link" id="Fediz-building"></span></p><h2
id="Fediz-Checkout">Checkout</h2><p>The CXF sources are hosted at <a
shape="rect" class="external-link" href="https://gitbox.apache.org/">Apache
gitbox</a>. This includes a full two way sync with github. As github provides
the nicer user interface we now recommend to directly work on the github cxf
repo.</p><h2 id="Fediz-Webbrowsing">Web browsing</h2><p><a shape="rect"
class="external-link" href="https://github.com/apache/cxf-fediz"
rel="nofollow">https://github.com/apache/cxf-fediz</a></p><h2
id="Fediz-CheckingoutfromGIT">Checking out from GIT</h2><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">git clone [email protected]:apache/cxf-fediz.git</pre>
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">git clone [email protected]:apache/cxf-fediz.git</pre>
</div></div><h2 id="Fediz-Committing">Committing</h2><p>CXF committers can
directly commit to github after doing the <a shape="rect"
class="external-link"
href="https://gitbox.apache.org/setup/">Apache gitbox setup</a>. Be aware
that the sync might take half an hour before you are added to the cxf github
group.</p><h2 id="Fediz-Forkingandpullrequests">Forking and pull
requests</h2><p>See <a shape="rect"
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=69407398">Getting
Involved</a></p><h2 id="Fediz-Building">Building</h2><p>Then follow the <a
shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup">BUILDING.txt</a>
file in the Fediz download for full build instructions.</p><h2
id="Fediz-SettingupEclipse">Setting up Eclipse</h2><p>See <a shape="rect"
href="http://cxf.apache.org/setting-up-eclipse.html">this page</a> for
information on using the Eclipse IDE with the Fediz source code. This page
is created for CXF but the same commands are applicable for Fediz
too.</p><p> </p></div>
</div>
<!-- Content -->
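Review bot: this change is a regression for the only `<pre>` in the hunk: the block holds a shell command (`git clone [email protected]:apache/cxf-fediz.git`), for which the original `brush: bash` was correct, and `brush: java` is wrong. Only the `theme` part of the edit should be kept for the "Checking out from GIT" block. Nothing else in the surrounding context (the CVE-2017-7661/CVE-2017-7662 advisory list, the feature list) is touched by this hunk, so no documentation impact beyond the highlighter.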
Modified: websites/production/cxf/content/migration-guide-11.html
==============================================================================
--- websites/production/cxf/content/migration-guide-11.html (original)
+++ websites/production/cxf/content/migration-guide-11.html Wed Sep 13 15:05:52
2017
@@ -136,7 +136,7 @@ Apache CXF -- Migration Guide 1.1
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<issuer certificateValidation="PeerTrust" />
</pre>
</div></div></div>
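Review bot: `<issuer certificateValidation="PeerTrust" />` is a fragment of the Fediz XML configuration file, so `brush: xml` fits it; `brush: java` does not. This is the only code block in the migration guide hunk, so the fix is a one-word change on the source page's code macro.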
Modified: websites/production/cxf/content/release-management.html
==============================================================================
--- websites/production/cxf/content/release-management.html (original)
+++ websites/production/cxf/content/release-management.html Wed Sep 13 15:05:52
2017
@@ -110,7 +110,7 @@ Apache CXF -- Release Management
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h2
id="ReleaseManagement-Deployingsnapshots">Deploying snapshots</h2><p>Snapshots
are automatically deployed every night to the Nexus snapshot repository at <a
shape="rect" class="external-link"
href="https://repository.apache.org/content/groups/snapshots-group/">https://repository.apache.org/content/groups/snapshots-group/</a>
. There is no need to manually deploy snapshots anymore.</p><h2
id="ReleaseManagement-Maintainingafixesbranch">Maintaining a fixes
branch</h2><p>dkulp: I'm adding this section to document what worked for ME
when maintaining the 2.7.x-fixes branch for the 2.7.x releases. Each Release
Manager may have their own style or tools or whatever. This is not a "set in
stone" type thing.</p><p>Basically, almost all development and fixes and such
are usually done by the various developers right on master. Thus, the main job
of the fixes branch maintainer is to triage the commits on master and merge
pure fixes to the fixes branches, resolve co
nflicts, run the tests, and periodically deploy snapshots. For the most part,
when things go well, it doesn't take too much time or effort. An hour or two
every couple days is about it.</p><p>To set up, you'll want to:</p><ol><li>use
git branch to make a branch.</li><li>On the branch, create a .gitmergeinfo file
with a single line of "origin/master" to say the branch will be merging from
there.</li></ol><p><span style="background-color: transparent;line-height:
1.4285715;">In trunk/bin, there is a DoMerges.java program that assists in the
merging. If the branch is setup with .gitmergeinfo, if you run it from the root
directory of the checkout, it will prompt for every commit on master to see if
you want to "Merge" it, "Block" it, or "Ignore" it. It displays the commit log
first so you can see what was involved. You can also check the </span> <a
shape="rect" class="external-link"
href="http://www.nabble.com/cxf-commits-f23851.html" rel="nofollow"
style="background-color: transparent;
line-height: 1.4285715;">cxf-commits</a> <span style="background-color:
transparent;line-height: 1.4285715;"> archive to see the full details of the
commit to help decide what action to take. If you select "Merge", it will merge
the change and then prompt before committing. That will allow you to look at
the merge and resolve any conflicts. (or even revert it if you didn't mean to
hit Merge)</span></p><h2 id="ReleaseManagement-Performingarelease">Performing a
release</h2><p>The first step is to update the release_notes.txt in the
distribution/src/main/release. This file's JIRA list of solved Bugs,
Improvements, etc. can be obtained from the <a shape="rect"
class="external-link"
href="https://issues.apache.org/jira/browse/CXF#selectedTab=com.atlassian.jira.plugin.system.project%3Aroadmap-panel">"Road
Map" JIRA tab</a>, selecting the desired version's Release Notes, and then the
Configure Release Notes button (choose Text output).</p><div
class="confluence-information-macro confluence
-information-macro-note"><span class="aui-icon aui-icon-small
aui-iconfont-warning confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>Don't manually update the POM
versions from X.Y.Z-SNAPSHOT to X.Y.Z, the Maven Release Plugin commands below
will automatically take care of that. Also, prior to performing the release
you'll need to have your Apache LDAP information configured in your Maven
settings.xml file:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">...
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">...
<server>
<id>apache.releases.https</id>
<username>apacheID</username>
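Review bot: the settings.xml fragment (`<server>`, `<id>apache.releases.https</id>`, `<username>apacheID</username>`) is XML and should use `brush: xml` rather than `brush: java`. A documentation point on the same block: the surrounding text says this is where the releaser's Apache LDAP information goes, so the snippet is a credentials block; it would be worth a sentence here pointing readers at Maven's encrypted server password support (`mvn --encrypt-password`, with the master key in settings-security.xml) so the LDAP password is not stored in plaintext in settings.xml.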
@@ -123,7 +123,7 @@ Apache CXF -- Release Management
mvn release:perform -Peverything,jaxws22
</pre>
</div></div><div class="confluence-information-macro
confluence-information-macro-warning"><span class="aui-icon aui-icon-small
aui-iconfont-error confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>If you are performing the release
on a Mac, it is advisable to add -DpushChanges=false to the "release:prepare"
step above. The version of git that Apple ships with some versions of OSX has
problems pushing the changes in quick succession from the release plugin and
can become corrupt. Having the release plugin NOT push the changes and then
running "git push -tags origin master" works around that
problem.</p></div></div><div class="confluence-information-macro
confluence-information-macro-warning"><span class="aui-icon aui-icon-small
aui-iconfont-error confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>It is recommended to name the
local maintenance branches the same as the remote ones ("2.7.x-fixes", "3.0.x
-fixes", ...) to avoid issue with the branch names when running the release
plugin.</p></div></div><p> </p><p>The above commands tag the release,
update the poms versions, etc., then build it (off the tag), gpg sign and
deploy everything (including source jars and javadoc jars) to the <a
shape="rect" class="external-link" href="https://repository.apache.org">Nexus
repository location</a>. When the build is done staging, you next need to login
to the Nexus repository and "close" the staging area (click on Staging
Repositories in the left-side menu, select the repo you just uploaded and then
select the close button.) Closing is very important. After the staging area is
closed, note the URL for the staging area as you will need that for the
vote.</p><p>At this point, everything "pre-vote" is done. Call the vote.</p><h2
id="ReleaseManagement-Releasingtheartifacts">Releasing the
artifacts</h2><ul><li>Maven artifacts - After the vote passes, you'll need to
promote that staging reposi
tory to the main location. Login to <a shape="rect" class="external-link"
href="https://repository.apache.org">Nexus repository location</a> to do that
as well, find the staging repository and click the Release
button.</li></ul><ul><li><p>Distributions - You will need to commit the
distributions into the special svn distribution area: <a shape="rect"
class="external-link"
href="https://dist.apache.org/repos/dist/release/cxf">https://dist.apache.org/repos/dist/release/cxf</a>
<br clear="none"> after you commit they will be live on dist.apache.org fairly
quickly, but it will still take time for the mirrors to get copies. It's likely
easier to make the directory via an svn command, check out just that directory,
and then add the files. The dist area is rather large (400MB or so) so checking
out the entire thing may be slow.</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">svn mkdir
https://dist.apache.org/repos/dist/release/cxf/2.6.3
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">svn mkdir
https://dist.apache.org/repos/dist/release/cxf/2.6.3
svn checkout https://dist.apache.org/repos/dist/release/cxf/2.6.3
.... add files to 2.6.3 .....
svn commit
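Review bot: as with the git clone block, this `<pre>` contains shell commands (`svn mkdir https://dist.apache.org/repos/dist/release/cxf/2.6.3`, `svn checkout ...`, `svn commit`), so the original `brush: bash` was the correct brush and switching it to `java` is a regression; keep the theme change only. The placeholder line `.... add files to 2.6.3 .....` is fine as a comment in prose but, with a bash brush, would read more clearly as `# add files to 2.6.3`.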
Modified:
websites/production/cxf/content/scalable-cxf-applications-using-jms-transport.html
==============================================================================
---
websites/production/cxf/content/scalable-cxf-applications-using-jms-transport.html
(original)
+++
websites/production/cxf/content/scalable-cxf-applications-using-jms-transport.html
Wed Sep 13 15:05:52 2017
@@ -121,7 +121,7 @@ b) define jms address in port element.</
<p>WSDL binding and port should look like:</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<wsdl:definitions
xmlns:jms="http://cxf.apache.org/transports/jms"
...
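Review bot: the WSDL snippet (`<wsdl:definitions xmlns:jms="http://cxf.apache.org/transports/jms"`) is XML, so `brush: xml` is the brush that matches; `brush: java` will not highlight the namespace declarations or the `jms:` elements correctly.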
@@ -165,7 +165,7 @@ org.springframework.jms.listener.Default
<p>CachingConnectionFactory provides session pooling, consumers and producers
cache. Bellow is a sample configuration of CachingConnectionFactory:</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<bean id="cachingConnectionFactory"
class="org.springframework.jms.connection.CachingConnectionFactory">
<property name="targetConnectionFactory">
<bean
class="org.apache.activemq.ActiveMQConnectionFactory">
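Review bot: the `CachingConnectionFactory` snippet is Spring bean XML (`<bean id="cachingConnectionFactory" class="org.springframework.jms.connection.CachingConnectionFactory">`, `<property name="targetConnectionFactory">`), so `brush: xml` is the correct brush here too. The same applies to the three remaining blocks in this file (the `DefaultMessageListenerContainer` configuration and the Server/Client configuration blocks, which open with the identical `cachingConnectionFactory` bean), so the fix on the source page is one language setting applied to all five code macros.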
@@ -185,7 +185,7 @@ org.springframework.jms.listener.Default
<p>DefaultMessageListenerContainer enables getting messages from the
destination in parallel, using multiple threads.<br clear="none">
Configuration of DefaultMessageListenerContainer looks like:</p>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<bean id="queueContainerListener"
class="org.springframework.jms.listener.DefaultMessageListenerContainer">
<property name="connectionFactory" ref="connectionFactory"
/>
@@ -215,7 +215,7 @@ CXF allows to configure details of the J
<h3 id="ScalableCXFapplicationsusingJMStransport-Serverconfiguration">Server
configuration</h3>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<bean id="cachingConnectionFactory"
class="org.springframework.jms.connection.CachingConnectionFactory">
<property name="targetConnectionFactory">
<bean
class="org.apache.activemq.ActiveMQConnectionFactory">
@@ -253,7 +253,7 @@ Using this configuration the server appl
<h3 id="ScalableCXFapplicationsusingJMStransport-Clientconfiguration">Client
configuration</h3>
<div class="code panel pdl" style="border-style: solid;border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence"
style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
<bean id="cachingConnectionFactory"
class="org.springframework.jms.connection.CachingConnectionFactory">
<property name="targetConnectionFactory">
<bean
class="org.apache.activemq.ActiveMQConnectionFactory">