Author: lmccay
Date: Fri Dec 11 00:35:38 2015
New Revision: 1719241
URL: http://svn.apache.org/viewvc?rev=1719241&view=rev
Log:
cleaned up knoxsso cookie domain description
Modified:
knox/site/books/knox-0-7-0/user-guide.html
knox/trunk/books/0.7.0/config_knox_sso.md
Modified: knox/site/books/knox-0-7-0/user-guide.html
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/user-guide.html?rev=1719241&r1=1719240&r2=1719241&view=diff
==============================================================================
--- knox/site/books/knox-0-7-0/user-guide.html (original)
+++ knox/site/books/knox-0-7-0/user-guide.html Fri Dec 11 00:35:38 2015
@@ -2126,7 +2126,7 @@ APACHE_HOME/bin/apachectl -k stop
<tr>
<td>knoxsso.cookie.domain.suffix </td>
<td>optional: This indicates the portion of the request hostname that
represents the domain to be used for the cookie domain. For single host
development scenarios the default behavior should be fine. For production
deployments, the expected domain should be set and all configured URLs that are
related to SSO should use this domain. Otherwise, the cookie will not be
presented by the browser to mismatched URLs. </td>
- <td>Default cookie domain or a domain derived from a hostname that
includes of more than 2 dots.</td>
+ <td>Default cookie domain or a domain derived from a hostname that
includes more than 2 dots.</td>
</tr>
<tr>
<td>knoxsso.token.ttl </td>
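Review bot: the `+` line fixes the stray "of", but the Default cell is still underspecified: "a domain derived from a hostname that includes more than 2 dots" does not say which labels are kept, so an operator cannot predict the cookie's Domain attribute for a given host. Suggest stating the derivation rule and adding one example hostname with the resulting cookie domain. The same cell text is changed identically in config_knox_sso.md in this commit, so keep both copies in sync if an example is added.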
Modified: knox/trunk/books/0.7.0/config_knox_sso.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/0.7.0/config_knox_sso.md?rev=1719241&r1=1719240&r2=1719241&view=diff
==============================================================================
--- knox/trunk/books/0.7.0/config_knox_sso.md (original)
+++ knox/trunk/books/0.7.0/config_knox_sso.md Fri Dec 11 00:35:38 2015
@@ -107,7 +107,7 @@ Parameter | Description | Default
--------- |----------- |-----------
knoxsso.cookie.secure.only | This determines whether the browser is allowed to
send the cookie over unsecured channels. This should always be set to true in
production systems. If during development a relying party is not running ssl
then you can turn this off. Running with it off exposes the cookie and
underlying token for capture and replay by others. | true
knoxsso.cookie.max.age | optional: This indicates that a cookie can only live
for a specified amount of time - in seconds. This should probably be left to
the default which makes it a session cookie. Session cookies are discarded once
the browser session is closed. | session
-knoxsso.cookie.domain.suffix | optional: This indicates the portion of the
request hostname that represents the domain to be used for the cookie domain.
For single host development scenarios the default behavior should be fine. For
production deployments, the expected domain should be set and all configured
URLs that are related to SSO should use this domain. Otherwise, the cookie will
not be presented by the browser to mismatched URLs. | Default cookie domain or
a domain derived from a hostname that includes of more than 2 dots.
+knoxsso.cookie.domain.suffix | optional: This indicates the portion of the
request hostname that represents the domain to be used for the cookie domain.
For single host development scenarios the default behavior should be fine. For
production deployments, the expected domain should be set and all configured
URLs that are related to SSO should use this domain. Otherwise, the cookie will
not be presented by the browser to mismatched URLs. | Default cookie domain or
a domain derived from a hostname that includes more than 2 dots.
knoxsso.token.ttl | This indicates the lifespan of the token within the
cookie. Once it expires a new cookie must be acquired from KnoxSSO. This is in
milliseconds. The 36000000 in the topology above gives you 10 hrs. | 30000 That
is 30 seconds.
knoxsso.token.audiences | This is a comma separated list of audiences to add
to the JWT token. This is used to ensure that a token received by a
participating application knows that the token was intended for use with that
application. It is optional. In the event that an application has expected
audiences and they are not present the token must be rejected. In the event
where the token has audiences and the application has none expected then the
token is accepted. OPEN ISSUE - not currently being populated in
WebSSOResource. | empty
knoxsso.redirect.whitelist.regex | A semicolon separated list of regex
expressions. The incoming originalUrl must match one of the expressions in
order for KnoxSSO to redirect to it after authentication. Defaults to only
relative paths and localhost with or without SSL for development usecases. This
needs to be opened up for production use and actual participating applications.
Note that cookie use is still constrained to redirect destinations in the same
domain as the KnoxSSO service - regardless of the expressions specified here. |
^/.\*$;^https?://localhost:\\d{0,9}/.\*$
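Review bot: the `+` line corrects the typo but the description still omits the point an operator most needs for `knoxsso.cookie.domain.suffix`: the suffix decides which hosts the browser will present the SSO cookie (and the JWT inside it) to, so a suffix wider than the set of participating applications delivers the token to every host under that domain. Suggest adding a sentence that the suffix should be the narrowest domain covering the SSO participants and never a domain shared with hosts outside the deployment, plus one example of the derivation rule, since "includes more than 2 dots" does not say which labels are kept. Two unchanged context rows in this hunk also need a follow-up: the Default cell for `knoxsso.token.ttl` runs "30000 That is 30 seconds." into the cell without separation, and `knoxsso.token.audiences` still ships "OPEN ISSUE - not currently being populated in WebSSOResource" in the user guide, which belongs in a tracked issue rather than the published table.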