svn commit: r817210 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-security.html
Author: buildbot Date: Fri May 11 09:48:28 2012 New Revision: 817210 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-security.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-security.html == --- websites/production/cxf/content/docs/ws-security.html (original) +++ websites/production/cxf/content/docs/ws-security.html Fri May 11 09:48:28 2012 
@@ -374,7 +374,12 @@ CryptoCoverageChecker checker = Username Token Authentication -WS-Security supports many ways of specifying tokens. One of these is the UsernameToken header. It is a standard way to communicate a username and password or password digest to another endpoint. Be sure to review the OASIS http://tinyurl.com/65n78j"; rel="nofollow">UsernameToken Profile Specification for important security considerations when using UsernameTokens. Note that the nonce support necessary for guarding against replay attacks is active by default starting with CXF 2.6.0 but unavailable in versions prior to that. +WS-Security supports many ways of specifying tokens. One of these is the UsernameToken header. It is a standard way to communicate a username and password or password digest to another endpoint. Be sure to review the OASIS http://tinyurl.com/65n78j"; rel="nofollow">UsernameToken Profile Specification for important security considerations when using UsernameTokens. + +If a nonce is present in a UsernameToken then it should be cached by the message recipient to guard against replay attacks. This behaviour is enabled by default starting with CXF 2.6.0. This functionality is also available from Apache CXF 2.4.7 and 2.5.3 onwards, but is not enabled by default at all for backwards-compatibility reasons. The following properties control nonce caching: + +"ws-security.enable.nonce.cache" - The default value (for CXF 2.6.0) is "true" for message recipients, and "false" for message initiators. Set it to true to cache for both cases. The default value for CXF 2.4.x and 2.5.x is false."ws-security.nonce.cache.instance" - This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The default instance that is used is the EHCacheReplayCache, which uses Ehcache to cache the nonce values."ws-security.cache.config.file" - Set this property to point to a configuration file for the underlying caching implementation. 
By default the cxf-ehcache.xml file in the CXF rt-ws-security module is used. + For the server side, you'll want to set up the following properties on your WSS4JInInterceptor (see above for code sample):
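Review bot: the added text ends with "you'll want to set up the following properties on your WSS4JInInterceptor (see above for code sample):" but no property list follows in the hunk, so the rendered section ends on a colon; either include the properties or drop the sentence. The new nonce-cache paragraph should also say what the cache covers: whether the default EHCacheReplayCache is shared across nodes or is local to one JVM (a nonce seen by one node in a cluster would then be accepted again by another), and how long a nonce is retained, which is governed by the cxf-ehcache.xml settings the "ws-security.cache.config.file" property points at, so operators can align that retention with the Created/timestamp window they enforce on UsernameTokens. Finally, the spec link goes through "http://tinyurl.com/65n78j"; link to the OASIS UsernameToken Profile directly so readers can see where they are being sent before clicking.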
svn commit: r817225 - in /websites/production/cxf/content: cache/main.pageCache fediz.html
Author: buildbot Date: Fri May 11 12:48:20 2012 New Revision: 817225 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Fri May 11 12:48:20 2012 @@ -196,7 +196,13 @@ The RP is the web application which shou Building -Check out the code from http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunk +Check out the code from here: +svn +http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunkgit +git://git.apache.org/cxf-fediz.git + + + Building with Maven
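Review bot: the new checkout URL git://git.apache.org/cxf-fediz.git uses the git:// protocol, which is neither authenticated nor encrypted, so someone building the plugin from it has no assurance the sources were not altered in transit; list an https:// clone URL alongside or instead of it. Also the svn link text and the "git" label run together as "trunkgit" in the rendered markup, so a line break or list item is missing between the two entries.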
svn commit: r817291 - in /websites/production/cxf/content: cache/main.pageCache tomcat.html
Author: buildbot Date: Fri May 11 20:48:01 2012 New Revision: 817291 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/tomcat.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/tomcat.html == --- websites/production/cxf/content/tomcat.html (original) +++ websites/production/cxf/content/tomcat.html Fri May 11 20:48:01 2012 
@@ -140,12 +140,18 @@ Apache CXF -- Tomcat This page describes how to enable Federation in Tomcat. This Tomcat instance acts as the Relying Party which means it validates the incoming SignInResponse which has been created by the Identity Provider (IDP) server. Installation -tbd +You can either build the plugin on your own or download the package here (tbd). If you have built the plugin on your own you'll find the required libraries in plugins/tomcat/target/...zip-with-dependencies.zip + + +Create sub-directory fediz in ${catalina.home}/libUpdate calatina.properties in ${catalina.home}/conf +add the previously created directory to the common loader: +common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jarDeploy the libraries to the directory created in (1) -Configuration +Configuration + The current release of the federation plugin requires to configure the FederationAuthenticator of Fediz like any other Valve in Tomcat which is described here http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here. A valve can be configured on different levels like Host or Context. The Fediz configuration file allows to configure all servlet contexts in one file or choose one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the Context level otherwise on the Host level in the Tomcat configuration file server.xml 
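Review bot: "download the package here (tbd)" leaves a placeholder in the published installation steps, and "calatina.properties" should be "catalina.properties" (the file lives in ${catalina.home}/conf). The common.loader change puts ${catalina.home}/lib/fediz/*.jar, i.e. the plugin plus everything in the zip-with-dependencies archive, on Tomcat's common class loader, which makes those classes visible to every web application on the instance; the page should say this is needed so the Valve configured below can be loaded, and warn that it can clash with a different version of the same libraries bundled inside a deployed WAR.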
@@ -154,32 +160,40 @@ Apache CXF -- Tomcat You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file. META-INF/context.xml - - <Context> -<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" - configFile="conf/Fediz_config.xml" /> - </Context> + + + <Context> +<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" + configFile="conf/Fediz_config.xml" /> + </Context> + + Host level in server.xml - ... - <Host name="localhost" appBase="webapps" -unpackWARs="true" autoDeploy="true" -xmlValidation="false" xmlNamespaceAware="false"> -<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" - configFile="conf/Fediz_config.xml" /> - </Host> - ... - -Context level in server.xml + + + <Host name="localhost" appBase="webapps" +unpackWARs="true" autoDeploy="true"> +<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" + configFile="conf/Fediz_config.xml" /> + </Host> + + + <Host name="localhost" appBase="webapps" - ... - <Context path="/fedizhelloworld" docBase="fedizhelloworld"> -<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" - configFile="conf/Fediz_config.xml" /> - </Context> - ... +unpackWARs="true" autoDeploy="true"> +Context level in server.xml + + + <Context path="/fedizhelloworld" docBase="fedizhelloworld"> +<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" + configFile="conf/Fediz_config.xml" /> + </Context> + + +The Fediz configuration file is container independent and described here.
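Review bot: the rewritten "Host level in server.xml" example leaves a second `<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">` open immediately before the "Context level in server.xml" heading with no matching `</Host>`, and the old `...` markers that showed where each snippet sits inside server.xml were dropped, so the Context-level example no longer shows that its `<Context>` must be nested inside the `<Host>`; close the element and keep the ellipsis lines. The removal of `xmlValidation="false" xmlNamespaceAware="false"` from the Host element is fine.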
svn commit: r817578 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html
Author: buildbot Date: Mon May 14 10:48:00 2012 New Revision: 817578 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-advanced-features.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html == --- websites/production/cxf/content/docs/jax-rs-advanced-features.html (original) +++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Mon May 14 10:48:00 2012 @@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Advanced Features JAX-RS : Advanced Features -JMS SupportFIQL search queriesIntroductionDependencies and ConfigurationConsuming FIQL queriesBuilding FIQL queriesUsing dates in queriesOneway invocationsSupport for ContinuationsServer-side c achingRESTful services without annotationsConfiguration +JMS SupportFIQL search queriesIntroductionDependencies and ConfigurationConsuming FIQL queriesSearchBeanBuilding FIQL queriesUsing dates in queriesOneway invocationsSupport for Continuations< /a>Server-side cachingRESTful services without annotationsConfiguration JMS Support 
@@ -222,6 +222,9 @@ An expression such as "name==CXF*" can b +Note that a searchContext.getCondition(Book.class) call may return an arbitrary complex SearchCondition, it can be a simple primitive +expression or a more complex one. The Book class needs to have a matching property per every name found in the FIQL expression, for example, given a 'name==b;id==123' expression, the Book class would need to have 'name' and 'id' properties available. + SearchCondition can also be used to get to all the search requirements (originally expressed in FIQL) and do some manual comparison against the local data. For example, SearchCondition provides a utility toSQL(String tableName, String... columnNames) method which internally introspects all the search expressions constituting a current query and converts them into an SQL expression: 
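Review bot: "an arbitrary complex SearchCondition" should read "an arbitrarily complex SearchCondition", and the sentence does not say what happens when the bean lacks a property named in the FIQL expression (given 'name==b;id==123' and a Book without an 'id' property): whether getCondition throws, ignores that term, or returns null. Document the failure mode, since a silently dropped term changes which records a query matches.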
@@ -332,11 +335,36 @@ assertEquals("SELECT LEVEL_COLUMN FROM t MultivaluedMap<String, String> params = ui.getQueryParameters(); String fiqlQuery = params.getFirst("_s"); // delegate to your own custom handler + +// note that the original search expression can also be retrieved +// using a SearchContext.getSearchExpression() method } +SearchBean + +org.apache.cxf.jaxrs.ext.search.SearchBean is a utility bean class which can simplify analyzing the captured FIQL expressions and converting them to the other language expressions, in cases where having to update the bean class such as Book.class with all the properties thatmay need to be supported is not practical. For example: + + + +// ?_s="level=gt=10" +SearchCondition<SearchBean> sc = searchContext.getCondition(SearchBean.class); + +Map\<, String\> fieldMap = new HashMap\<String, String\>(); +fieldMap.put("level", "LEVEL_FIELD"); + +SQLPrinterVisitor<SearchBean> visitor = new SQLPrinterVisitor<SearchBean>(fieldMap, "table", "LEVEL_COLUMN"); +sc.visit(visitor); +assertEquals("SELECT LEVEL_COLUMN FROM table + WHERE LEVEL_COLUMN > '10'", + visitor.getResult()); + + + + + Building FIQL queries CXF 2.4.0 introduces http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/search/client/SearchConditionBuilder.java";>SearchConditionBuilder which makes it simpler to build FIQL queries. SearchConditionBuilder is an abstract class that returns a FIQL builder by default:
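Review bot: in the SearchBean example `Map\<, String\> fieldMap = new HashMap\<String, String\>();` is missing the key type and the backslash-escaped angle brackets will render literally; it should read `Map<String, String> fieldMap = new HashMap<String, String>();`. The example also shows the value from the query string `?_s="level=gt=10"` landing verbatim inside an SQL literal (`WHERE LEVEL_COLUMN > '10'`); since SQLPrinterVisitor.getResult() yields a plain String rather than a parameterised statement, the page should warn not to execute that output against a database without escaping or binding the values, because the FIQL value is caller-controlled input. Also "thatmay" should be "that may".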
buildbot failure in ASF Buildbot on cxf-site-production
The Buildbot has detected a new failure on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/1673 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: BUILD FAILED: failed compile sincerely, -The Buildbot
buildbot success in ASF Buildbot on cxf-site-production
The Buildbot has detected a restored build on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/1674 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: Build succeeded! sincerely, -The Buildbot
svn commit: r817603 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html
Author: buildbot Date: Mon May 14 15:48:10 2012 New Revision: 817603 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html == --- websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html (original) +++ websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html Mon May 14 15:48:10 2012 @@ -595,7 +595,7 @@ Language tags are regulated by the Inter Many proxy servers don't understand it, especially older proxy servers. Many proxy servers want the Content-Length up front so they can allocate a buffer to store the request before passing it onto the real server.Some of the older WebServices stacks also have problems with Chunking. Specifically, older versions of .NET. -If you are getting strang errors (generally not soap faults, but other HTTP type errors) when trying to interact with a service, try turning off chunking to see if that helps. +If you are getting strange errors (generally not soap faults, but other HTTP type errors) when trying to interact with a service, try turning off chunking to see if that helps.
svn commit: r817625 - in /websites/production/cxf/content: cache/main.pageCache fediz.html tomcat.html
Author: buildbot Date: Mon May 14 19:48:06 2012 New Revision: 817625 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz.html websites/production/cxf/content/tomcat.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Mon May 14 19:48:06 2012 @@ -171,16 +171,16 @@ The RP is the web application which shou It's recommended to deploy the IDP and the web application (RP) into different container instances as in a production deployment. The container with the IDP can be used during development and testing for any web application. -Setting up the IDP +Setting up the IDP The following blog entries describe how to set up the IDP: http://owulff.blogspot.com/2011/10/configure-and-deploy-cxf-25-sts-part-i.html"; rel="nofollow">STS WAR http://owulff.blogspot.com/2011/10/configure-and-deploy-identity-provider.html"; rel="nofollow">IDP WAR -Set up the Relying Party Container +Set up the Relying Party Container -An individual plugin is deployed in each container. But most of the configuration is container independent and described here +The Fediz plugin is deployed into the Relying Party (RP) container. The security mechanism is not specified by JEE. Even it is very similar in each Servlet Container there are some differences which requires dedicated Fediz plugins for each Servlet Container implementation. Most of the configuration is container independent and described here The following lists shows the supported containers and the location of the installation and configuration page. Tomcat 7 Modified: websites/production/cxf/content/tomcat.html == --- websites/production/cxf/content/tomcat.html (original) +++ websites/production/cxf/content/tomcat.html Mon May 14 19:48:06 2012 
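Review bot: "Even it is very similar in each Servlet Container there are some differences which requires dedicated Fediz plugins" should read "Even though it is very similar in each Servlet Container, there are some differences which require dedicated Fediz plugins", and "The security mechanism is not specified by JEE" needs a word on which mechanism is meant (the container-specific authenticator hook the plugin plugs into), since the sentence as written reads as if JEE had no security model at all.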
@@ -154,7 +154,9 @@ add the previously created directory to Configuration -The current release of the federation plugin requires to configure the FederationAuthenticator of Fediz like any other Valve in Tomcat which is described here http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here. +The Fediz related configuration is Container independent and described here. + +The Fediz plugin requires to configure the FederationAuthenticator like any other Valve in Tomcat which is described here http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here. A valve can be configured on different levels like Host or Context. The Fediz configuration file allows to configure all servlet contexts in one file or choose one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the Context level otherwise on the Host level in the Tomcat configuration file server.xml
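Review bot: "The Fediz plugin requires to configure the FederationAuthenticator" should read "The Fediz plugin requires the FederationAuthenticator to be configured", and "described here ... here" repeats the word around the link. The new opening sentence "The Fediz related configuration is Container independent and described here." says the same thing as the closing sentence added to this page in r817291 ("The Fediz configuration file is container independent and described here."); keep one of them.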
svn commit: r817635 - in /websites/production/cxf/content: cache/main.pageCache configuration.html
Author: buildbot Date: Mon May 14 20:48:09 2012 New Revision: 817635 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/configuration.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/configuration.html == --- websites/production/cxf/content/configuration.html (original) +++ websites/production/cxf/content/configuration.html Mon May 14 20:48:09 2012 @@ -152,7 +152,9 @@ Apache CXF -- Configuration <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem> </audienceUris> <certificateStore> -<keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="JKS" /> +<trustManager> +<keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="JKS" /> +</trustManager> </certificateStore> <trustedIssuers> <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
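Review bot: wrapping the keyStore in `<trustManager>` changes its role to a trust store, so the text around this snippet should say which certificates it must hold (the trusted issuer certificates, or their CA chain for ChainTrust validation) and that the RP's own signing key does not belong there. Two other things in the sample that readers will copy: the keystore password sits in clear text in the configuration file (`password="stsspass"`), so say how the file should be protected, and the issuer match `subject=".*CN=www.sts.com.*"` is a regular expression with unescaped dots and open-ended `.*` on both sides, so it also matches subjects such as CN=www.sts.com.example.net or CN=wwwXsts.com; anchor the pattern and escape the dots.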
svn commit: r818160 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-redirection.html docs/jax-rs-xml-security.html
Author: buildbot Date: Fri May 18 11:48:39 2012 New Revision: 818160 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-redirection.html websites/production/cxf/content/docs/jax-rs-xml-security.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-redirection.html == --- websites/production/cxf/content/docs/jax-rs-redirection.html (original) +++ websites/production/cxf/content/docs/jax-rs-redirection.html Fri May 18 11:48:39 2012 
@@ -235,6 +235,19 @@ Note that RequestDispatcherProvider can Note that RequestDispatcherProvider has a 'dispatcherName' property - that can be handy when redirecting to named servlets (example, MyServlet) including such ones as "jsp" or "default", especially when CXFServlet handling a given invocation has a uri pattern that may also capture the redirection requestwell-known servlets such as "default", see the next section for more information. +Starting from CXF 2.6.1 it is possible to configure the provider to check if the current class has an associated view handler or not, for example: + + + +<bean id="viewHandler" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider"> + <property name="dispatcherName" value=jsp""/> + <property name="useClassNames" value="true"/> +</bean> + + + +For example, given a simple class name such as "BookInfo", RequestDispatcherProvider will check if a "/WEB-INF/bookInfo.jsp" handler is available or not. The provider will likely be extended to check few more locations as needed. + Finally, a 'servletContextPath' property can be used to have some other ServletContext (as opposed to the current one) be used for RequestDispatcher look-ups. If set then the current ServletContext.getContext(servletContextPath) will be used to get the needed ServletContext. With CXFServlet Modified: websites/production/cxf/content/docs/jax-rs-xml-security.html == --- websites/production/cxf/content/docs/jax-rs-xml-security.html (original) +++ websites/production/cxf/content/docs/jax-rs-xml-security.html Fri May 18 11:48:39 2012 
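Review bot: `<property name="dispatcherName" value=jsp""/>` is malformed XML (the opening quote is missing; it should be `value="jsp"`), so the example fails to parse when copied. "check few more locations" should read "check a few more locations", and since the lookup currently resolves to "/WEB-INF/bookInfo.jsp", the page should state that any further locations added later will also stay under /WEB-INF, so the view files remain unreachable by direct client request.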
@@ -657,9 +657,21 @@ The following properties can be set on i <bean id="xmlEncInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"> <property name="encryptionProperties" ref="encProps"/> </bean> + +<!-- the following ensures that the outbound handlers will use the same algorithms that the client used --> +<bean id="xmlSigOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"> +<property name="signatureProperties" ref="sigProps"/> +</bean> + +<bean id="xmlEncOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor"> +<property name="encryptionProperties" ref="encProps"/> +</bean> +Getting the same SignatureProperties and EncryptionProperties beans (with "sigProps" and "encProps" ids) registered with the outbound +handlers will ensure that the algorithms used by the current client have not only been validated on the inbound side but also used on the outbound side for encrypting and signing the data. + Interoperability The payloads containing the enveloping XML Signatures are structured according to the XML Signature specification and as such can be consumed by any XML Signature aware consumers capable of handling the enveloping signatures and extracting the signed payload.
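Review bot: the comment "the following ensures that the outbound handlers will use the same algorithms that the client used" overstates what sharing the sigProps/encProps beans does: the outbound interceptors sign and encrypt with whatever algorithms those beans configure regardless of what the client sent; it is the inbound handlers that check the client's choice against the same beans. Reword to say that registering the same beans on both sides keeps the accepted and the emitted algorithms consistent. Also the new bean ids say "Handler" (xmlSigOutHandlerWithProps, xmlEncOutHandlerWithProps) while the classes are XmlSigOutInterceptor and XmlEncOutInterceptor; align the ids with the classes, or the classes with the inbound XmlEncInHandler naming, whichever matches the code.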
svn commit: r818681 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html docs/standalone-http-transport.html
Author: buildbot Date: Tue May 22 10:47:53 2012 New Revision: 818681 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html websites/production/cxf/content/docs/standalone-http-transport.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html == --- websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html (original) +++ websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html Tue May 22 10:47:53 2012 @@ -301,6 +301,7 @@ http.setClient(httpClientPolicy); <sec:include>.*_EXPORT_.*</sec:include> <sec:include>.*_EXPORT1024_.*</sec:include> <sec:include>.*_WITH_DES_.*</sec:include> +<sec:include>.*_WITH_AES_.*</sec:include> <sec:include>.*_WITH_NULL_.*</sec:include> <sec:exclude>.*_DH_anon_.*</sec:exclude> </sec:cipherSuitesFilter> Modified: websites/production/cxf/content/docs/standalone-http-transport.html == --- websites/production/cxf/content/docs/standalone-http-transport.html (original) +++ websites/production/cxf/content/docs/standalone-http-transport.html Tue May 22 10:47:53 2012 @@ -168,6 +168,7 @@ Apache CXF -- Standalone HTTP Transport <sec:include>.*_EXPORT_.*</sec:include> <sec:include>.*_EXPORT1024_.*</sec:include> <sec:include>.*_WITH_DES_.*</sec:include> +<sec:include>.*_WITH_AES_.*</sec:include> <sec:include>.*_WITH_NULL_.*</sec:include> <sec:exclude>.*_DH_anon_.*</sec:exclude> </sec:cipherSuitesFilter>
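Review bot: `.*_WITH_AES_.*` is the only strong entry in this include list; the surrounding sample still whitelists `.*_EXPORT_.*`, `.*_EXPORT1024_.*`, `.*_WITH_DES_.*` and `.*_WITH_NULL_.*`, that is export-grade, single-DES and unencrypted suites, and only excludes anonymous DH. Because readers copy these filters into production configurations, either remove the weak includes on both pages (client-http-transport-including-ssl-support.html and standalone-http-transport.html) or add a sentence saying the list only illustrates the filter syntax and that EXPORT, DES and NULL suites must not be enabled.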
svn commit: r818702 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html
Author: buildbot Date: Tue May 22 14:47:55 2012 New Revision: 818702 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-oauth2.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html == --- websites/production/cxf/content/docs/jax-rs-oauth2.html (original) +++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue May 22 14:47:55 2012 @@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth2 -IntroductionMaven dependenciesDeveloping OAuth2 ServersAuthorization ServiceAccessTokenServiceWriting OAuthDataProviderOAuth Server JAX-RS endpointsProtecting resources with OAuth filtersHow to get the user login nameClient-side supportOAuth2 without the Explicit AuthorizationOAuth Without a BrowserDesign considerationsControlling the Access to Resource ServerSharing the same access path between end users and clientsProviding different access points to end users and clientsSingle Sign OnWhat Is Next +IntroductionMaven dependenciesDeveloping OAuth2 ServersAuthorization ServiceAccessTokenServiceAccessTokenValidationServiceWriting OAuthDataProviderOAuth Server JAX-RS endpointsProtecting resources with OAuth filtersHow to get the user login nameClient-side supportOAuth2 without the Explicit AuthorizationOAuth Without a BrowserDesign considerationsControlling the Access to Resource ServerSharing the same access path between end users and clientsProviding different access points to end users and clientsSingle Sign OnWhat Is Next Introduction 
@@ -366,6 +366,9 @@ Headers: Note that the access token key is passed as the Bearer scheme value. Other token types such as MAC ones, etc, can be represented differently. +AccessTokenValidationService +The http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java";>AccessTokenValidationService is a CXF specific OAuth2 service for accepting the remote access token validation requests. Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party client and will ask AccessTokenValidationService to return the information relevant to the current access token, before setting up a security context. More on it below. + Writing OAuthDataProvider Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";>OAuthDataProvider implementation. 
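Review bot: "OAuthRequestFilter may choose to impersonate itself as a third-party client" is confusing; say that the filter presents itself to the validation service as a registered client rather than "impersonate". The paragraph also does not say how AccessTokenValidationService authenticates its callers: an endpoint that returns the information behind an access token must only be reachable by trusted resource servers, so state what credentials the filter presents and how the service checks them, rather than leaving it to the "More on it below" forward reference.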
@@ -414,24 +417,48 @@ Most likely, you'd want to deploy Access AccessTokenService listens on a relative "/token" path. Given that jaxrs:server/@adress is "/oauth" and assuming a context name is "/services", the absolute address of AccessTokenService would be something like "http://localhost:8080/services/oauth/token";. -AuthorizationCodeGrantService is better to put where the main application endpoint is. It can be put alongside AccessTokenService - but the problem is that the end user is expected to authenticate itself with the resource server after it has been redirected by a third-party client to AuthorizationCodeGrantService. That would make it more complex for the OAuth server endpoint to manage both OAuth (third-party client) and the regular user authentication - that can be done, see more on it below in the Design considerations section, but the simpler option is to simply get AuthorizationCodeGrantService under the control of the security filter enforcing the end user authentication: +If the remote token validation is supported then have AccessTokenValidationService added too: - -<bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"> - <property name="dataProvider" ref="oauthProvider"/> -</bean> - -<bean id="myApp" class="org.myapp.MyApp"> - <property name="dataProvider" ref="oauthProvider"/> -</bean> - -<jaxrs:server id="oauthServer" address="/myapp"> - <jaxrs:serviceBeans> - <ref bean="myApp"/> - <ref bean="authorizationService"/> - </jaxrs:serviceBeans> -</jaxrs:server> + +<!-- implements OAuthDataProvider --> +<bean id="oauthProvider" class="oauth
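Review bot: this hunk deletes the paragraph explaining that AuthorizationCodeGrantService should be placed under the security filter that enforces end-user authentication, together with the jaxrs:server example that put it next to the application endpoint, and the replacement block is cut off here after `<bean id="oauthProvider" class="oauth`, so it cannot be checked that the relocated text keeps that requirement. Make sure the end-user authentication requirement for the authorization endpoint survives the rewrite, since that is what prevents a third-party client from obtaining a code without a logged-in user, and confirm the snippet is complete in the committed page.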
svn commit: r818820 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-data-bindings.html
Author: buildbot Date: Wed May 23 10:47:52 2012 New Revision: 818820 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-data-bindings.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-data-bindings.html == --- websites/production/cxf/content/docs/jax-rs-data-bindings.html (original) +++ websites/production/cxf/content/docs/jax-rs-data-bindings.html Wed May 23 10:47:52 2012 @@ -253,7 +253,7 @@ Apache CXF -- JAX-RS Data Bindings JAXB and Moxy -For JAXBElementProvider to support [http://www.eclipse.org/eclipselink/moxy.php] a custom Moxy-aware JAX-RS ContextProvider implementation needs to be registered. +For JAXBElementProvider to support http://www.eclipse.org/eclipselink/moxy.php"; rel="nofollow">Moxy a custom Moxy-aware JAX-RS ContextProvider implementation needs to be registered. If Moxy is used to handle beans without JAXB annotations then setting a 'skipJaxbChecks' property on JAXBElementProvider to 'true' will be needed. JSON support
svn commit: r818922 - in /websites/production/cxf/content: cache/docs.pageCache docs/jetty-configuration.html
Author: buildbot Date: Thu May 24 07:48:04 2012 New Revision: 818922 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jetty-configuration.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jetty-configuration.html == --- websites/production/cxf/content/docs/jetty-configuration.html (original) +++ websites/production/cxf/content/docs/jetty-configuration.html Thu May 24 07:48:04 2012 @@ -215,12 +215,12 @@ The threadingParameters has two <httpj:threadingParameters minThreads="5" maxThreads="15" /> <httpj:connector> -<beans:bean class="org.mortbay.jetty.bio.SocketConnector"> +<beans:bean class="org.eclipse.jetty.server.bio.SocketConnector"> <beans:property name = "port" value="9001" /> </beans:bean> </httpj:connector> <httpj:handlers> -<beans:bean class="org.mortbay.jetty.handler.DefaultHandler"/> +<beans:bean class="org.eclipse.jetty.server.handler.DefaultHandler"/> </httpj:handlers> <httpj:sessionSupport>true</httpj:sessionSupport> </httpj:engine>
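Review bot: switching the connector and handler class names from org.mortbay.jetty.* to org.eclipse.jetty.server.* ties the example to Jetty 7 or later; the page should state which CXF releases the new names apply to, since users on a release still bundling the org.mortbay Jetty line will get a ClassNotFoundException when they copy the updated configuration.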
svn commit: r818925 [4/4] - in /websites/production/cxf/content: ./ cache/ using-ws-policy-in-cxf-projects.data/
Modified: websites/production/cxf/content/dosgi-presentations-and-articles.html == --- websites/production/cxf/content/dosgi-presentations-and-articles.html (original) +++ websites/production/cxf/content/dosgi-presentations-and-articles.html Thu May 24 08:54:44 2012 @@ -120,7 +120,7 @@ Apache CXF -- DOSGi Presentations and Ar Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF Modified: websites/production/cxf/content/dosgi-releases.html == --- websites/production/cxf/content/dosgi-releases.html (original) +++ websites/production/cxf/content/dosgi-releases.html Thu May 24 08:54:44 2012 @@ -120,7 +120,7 @@ Apache CXF -- DOSGi Releases Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF Modified: websites/production/cxf/content/dosgi-spring-dm-demo-page.html == --- websites/production/cxf/content/dosgi-spring-dm-demo-page.html (original) +++ websites/production/cxf/content/dosgi-spring-dm-demo-page.html Thu May 24 08:54:44 2012 @@ -120,7 +120,7 @@ Apache CXF -- DOSGi Spring-DM Demo page Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF Modified: websites/production/cxf/content/download.html == --- websites/production/cxf/content/download.html (original) +++ websites/production/cxf/content/download.html Thu May 24 08:54:44 2012 @@ -120,7 +120,7 @@ Apache CXF -- Download Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF Modified: websites/production/cxf/content/faq.html == --- websites/production/cxf/content/faq.html (original) +++ websites/production/cxf/content/faq.html Thu May 24 08:54:44 2012 
@@ -120,7 +120,7 @@ Apache CXF -- FAQ Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF Modified: websites/production/cxf/content/fediz-configuration.html == --- websites/production/cxf/content/fediz-configuration.html (original) +++ websites/production/cxf/content/fediz-configuration.html Thu May 24 08:54:44 2012 @@ -120,7 +120,7 @@ Apache CXF -- Fediz Configuration Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF Modified: websites/production/cxf/content/fediz-downloads.html == --- websites/production/cxf/content/fediz-downloads.html (original) +++ websites/production/cxf/content/fediz-downloads.html Thu May 24 08:54:44 2012 @@ -120,7 +120,7 @@ Apache CXF -- Fediz Downloads Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Thu May 24 08:54:44 2012 @@ -120,7 +120,7 @@ Apache CXF -- Fediz IDP Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF Modified: websites/production/cxf/content/fediz-tomcat.html == --- websites/production/cxf/content/fediz-tomcat.html (original) +++ websites/production/cxf/content/fediz-tomcat.html Thu May 24 08:54:44 2012 @@ -120,7 +120,7 @@ Apache CXF -- Fediz Tomcat Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Thu May 24 08:54:44 2012 
@@ -120,7 +120,7 @@ Apache CXF -- Fediz Subprojects -Distributed OSGiXJC UtilsBuild Utils +Distributed OSGiXJC UtilsBuild UtilsFediz http://www.apache.org";>ASF @@ -136,9 +136,7 @@ Apache CXF -- Fediz -https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; height="16" width="16" alt="" border="0"> Under construction - -Apache CXF Fediz: An Open-Source Web
svn commit: r818932 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-ws-dispatch-api.html
Author: buildbot Date: Thu May 24 09:47:52 2012 New Revision: 818932 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-ws-dispatch-api.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-ws-dispatch-api.html == --- websites/production/cxf/content/docs/jax-ws-dispatch-api.html (original) +++ websites/production/cxf/content/docs/jax-ws-dispatch-api.html Thu May 24 09:47:52 2012 @@ -194,15 +194,13 @@ Apache CXF -- JAX-WS Dispatch API To create a Dispatch object do the following: Create a Service object to represent the wsdl:service element defining the service on which the Dispatch object will make invocations.Create the Dispatch object using the Service object's createDispatch() method. - -public Dispatch<T> createDispatch(QName portName, java.lang.Class<T> type, Service.Mode mode) +public Dispatch<T> createDispatch(QName portName, java.lang.Class<T> type, Service.Mode mode) throws WebServiceException; https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; width="16" height="16" alt="" border="0">If you are using JAXB objects the method signature for createDispatch() is: - -public Dispatch<T> createDispatch(QName portName, javax.xml.bind.JAXBContext context, Service.Mode mode) +public Dispatch<T> createDispatch(QName portName, javax.xml.bind.JAXBContext context, Service.Mode mode) throws WebServiceException; @@ -216,8 +214,7 @@ Apache CXF -- JAX-WS Dispatch API The code below creates a Dispatch object that works with DOMSource objects in payload mode. - -package com.mycompany.demo; +package com.mycompany.demo; import javax.xml.namespace.QName; import javax.xml.ws.Service; 
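Review bot: the createDispatch signatures in the first hunk are still not the JAX-WS ones after adding throws WebServiceException. The Class-based variant declares its type parameter on the method, public <T> Dispatch<T> createDispatch(QName portName, Class<T> type, Service.Mode mode), and the JAXBContext variant returns Dispatch<Object> rather than Dispatch<T>, since there is no T for it to bind. Suggest quoting both declarations from javax.xml.ws.Service verbatim so readers can match them against what their IDE shows.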
@@ -253,8 +250,7 @@ Apache CXF -- JAX-WS Dispatch API For consumers that make synchronous invocations that generate a response, you use the Dispatch object's invoke() method shown bellow. - -T invoke(T msg) +T invoke(T msg) throws WebServiceException; @@ -262,11 +258,10 @@ T invoke(T msg) https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; width="16" height="16" alt="" border="0">When using JAXB objects, the response and the request can be of any type the provided JAXBContext object can marshal and unmarshal. Also, the response and the request can be different JAXB objects. The code bellow makes a synchronous invocation on a remote service using a DOMSource object. - -// Creating a DOMSource Object for the request +// Creating a DOMSource Object for the request DocumentBuilder db = DocumentBuilderFactory.newDocumentBuilder(); Document requestDoc = db.newDocument(); -Element root = requestDoc.createElementNS("http://org.apache.cxf/stockExample", +Element root = requestDoc.createElementNS("http://org.apache.cxf/stockExample", "getStockPrice"); root.setNodeValue("DOW"); DOMSource request = new DOMSource(requestDoc); @@ -282,16 +277,14 @@ DOMSource request = - -Response <T> invokeAsync(T msg) +Response <T> invokeAsync(T msg) throws WebServiceException; When using the callback approach the invokeAsync() method takes an AsyncHandler implementation that processes the response when it is returned. - -Future<?> invokeAsync(T msg, AsyncHandler<T> handler) +Future<?> invokeAsync(T msg, AsyncHandler<T> handler) throws WebServiceException; @@ -302,8 +295,7 @@ Future<?> invokeAsync(T msg, Async When a request does not generate a response, you make remote invocations using the Dispatch object's invokeOneWay(). - -void invokeOneWay(T msg) +void invokeOneWay(T msg) throws WebServiceException; 
@@ -311,8 +303,7 @@ void invokeOneWay(T msg) https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; width="16" height="16" alt="" border="0">When using JAXB objects, the response and the request can be of any type the provided JAXBContext object can marshal and unmarshal. Also, the response and the request can be different JAXB objects. The code bellow makes a one way invocation on a remote service using a JAXB object. - -// Creating a JAXBContext and an Unmarshaller for the request +// Creating a JAXBContext and an Unmarshaller for the request JAXBContext jbc = JAXBContext.newInstance("com.mycompany.StockExample"); Unmarshaller u = jbc.createUnmarshaller(); @@ -323,7 +314,15 @@ GetStockPrice request = (GetStockPrice)u // Dispatch disp created previously
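Review bot: the JAXB note in the @@ -311 hunk ("the response and the request can be of any type the provided JAXBContext object can marshal and unmarshal") was carried over from the synchronous section and does not fit here, because the sentence just above it says a one-way invocation generates no response; trim it to the request type. "one way invocation" should be hyphenated as "one-way invocation", and "The code bellow" carries the same typo as the earlier hunks.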
svn commit: r818965 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html
Author: buildbot Date: Thu May 24 14:47:51 2012 New Revision: 818965 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-configuration.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-configuration.html == --- websites/production/cxf/content/fediz-configuration.html (original) +++ websites/production/cxf/content/fediz-configuration.html Thu May 24 14:47:51 2012 
@@ -184,12 +184,16 @@ Finally, the audience URI is validated a XML element Name Use Description issuer Issuer URL Required This URL defines the location of the IDP to whom unauthenticated requests are redirected authenticationType Authentication Type Optional The authentication type defines what kind of authentication is required. This infor mation is provided in the SignInRequest to the IDP (parameter wauth) -The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"; rel="nofollow">here. +The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"; rel="nofollow">here. roleURI Role Claim URI Optional Defines the attribute name of the SAML token which contains the roles roleDelimiter Role Value Delimiter Optional There are different ways to encode multi value attributes in SAML. +Single attribute with multiple valuesSeveral attributes with the same name but only one valueSingle attribute with single value. Roles are delimited by roleDelimiter + claimTypesRequested Requested claims Optional The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail + + Advanced example The following example defines the required claims and configure custom callback handler to define some configuration values at runtime.
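Review bot: the new claimTypesRequested row describes only the IDP side ("the issuance of the token should fail" when a mandatory claim is unavailable); it should also say what the plugin does when a token arrives without a claim marked mandatory, since the relying party cannot assume the IDP enforced that rule. The roleDelimiter row would read better with one sentence stating that the delimiter applies only to the third encoding (a single attribute with a single value), as the text implies, plus an example value, so readers do not set it for the multi-valued attribute case.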
svn commit: r819001 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html
Author: buildbot Date: Thu May 24 20:47:51 2012 New Revision: 819001 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-configuration.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-configuration.html == --- websites/production/cxf/content/fediz-configuration.html (original) +++ websites/production/cxf/content/fediz-configuration.html Thu May 24 20:47:51 2012 @@ -153,7 +153,7 @@ Apache CXF -- Fediz Configuration </audienceUris> <certificateStore> <trustManager> -<keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="JKS" /> +<keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" /> </trustManager> </certificateStore> <trustedIssuers> 
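Review bot: the keyStore line now uses the relative path conf/stsstore.jks, but nothing near the example says what it is relative to, so a reader who starts the container from another working directory gets a file-not-found at startup; the reference table edit in this same commit adds "relative to the Container home directory", and that sentence belongs beside the example as well. The password="stsspass" attribute also means this file carries a truststore secret in clear text, which deserves a sentence recommending restrictive file permissions on the Fediz configuration file.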
@@ -175,7 +175,9 @@ Finally, the audience URI is validated a Configuration reference -XML element Name Use Description audienceUris Audience URI Required The values of the list of audience URIs are verified against the element AudienceRestriction in the SAML token certificateStore Trusted certificate store Required The list of keystores (JKS, PEM) includ es at least the certificate of the Certificate Authorities (CA) which signed the certificate which is used to sign the SAML token trustedIssuers Trusted Issuers Required There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (certificateValidation=ChainTrust) or you configure the certificate of the IDP and the CA(s) who signed it (certificateValidation=PeerTrust) +XML element Name Use Description audienceUris Audience URI Required The values of the list of audience URIs are verified against the element AudienceRestriction in the SAML token certificateStore Trusted certificate store Required The list of keystores (JKS, PEM) includ es at least the certificate of the Certificate Authorities (CA) which signed the certificate which is used to sign the SAML token. +If the file location is not fully qualified it's relative to the Container home directory trustedIssuers Trusted Issuers Required There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (certificateValidation=ChainTrust) or you configure the certificate of the IDP and the CA(s) who signed it (certificateValidation=PeerTrust) maximumClockSkew Maximum Clock Skew Optional Maximum allowable time difference between the system clocks of the IDP and RP. +Default 5 seconds. 
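Review bot: the new maximumClockSkew row gives "Default 5 seconds." but never says that the element value itself is expressed in seconds, so a configured value of 10 is ambiguous; suggest "Maximum allowable time difference, in seconds, between the system clocks of the IDP and RP." The added sentence "If the file location is not fully qualified it's relative to the Container home directory" should say which directory that is for each supported container, since "Container home directory" is not a defined term.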
@@ -183,14 +185,22 @@ Finally, the audience URI is validated a WS-Federation protocol configuration reference -XML element Name Use Description issuer Issuer URL Required This URL defines the location of the IDP to whom unauthenticated requests are redirected authenticationType Authentication Type Optional The authentication type defines what kind of authentication is required. This infor mation is provided in the SignInRequest to the IDP (parameter wauth) +XML element Name Use Description issuer Issuer URL Required This URL defines the location of the IDP to whom unauthenticated requests are redirected realm Realm Optional Security realm of the Relying Party / Application. This value is part of the SignIn request as the wtrealm parameter. +Default: URL including the Servlet Context authenticationType Authentication Type Optional The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth) The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"; rel="nofollow">here. roleURI Role Claim URI Optional Defines the attribute name of the SAML token which contains the roles roleDelimiter Role Value Delimiter Optional There are different ways to encode multi value attributes in SAML. Single attribute with multiple valuesSeveral attributes with the same name but only one valueSingle attribute with single value. Roles are delimited by roleDelimiter - claimTypesRequested Requested claims Optional The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail + claimTypesRequested Req
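Review bot: the new realm row says the default is "URL including the Servlet Context" without saying how that URL is computed. If it is derived from the incoming request (scheme, host and port), the row should state that, because the value then depends on the request's Host header and on any reverse proxy in front of the container; the text should recommend setting realm explicitly in production rather than relying on the computed default.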
svn commit: r819005 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-services-configuration.html
Author: buildbot Date: Thu May 24 21:47:50 2012 New Revision: 819005 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jaxrs-services-configuration.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jaxrs-services-configuration.html == --- websites/production/cxf/content/docs/jaxrs-services-configuration.html (original) +++ websites/production/cxf/content/docs/jaxrs-services-configuration.html Thu May 24 21:47:50 2012 @@ -637,6 +637,23 @@ By default, the endpoint address is "/". In the above example, org.apache.cxf.systest.jaxrs.BookApplication is expected to have setName and setId setters, with a single primitive or List parameter type. +Note that having the web-app_2_3.dtd DTD referenced from web.xml will likely prevent 'param-value' containing spaces and make it difficult to specify multiple providers like this: + + + <init-param> + <param-name>jaxrs.providers</param-name> + <param-value> +mypackage.Provider1 +mypackage.Provider2 + </param-value> + </init-param> + <load-on-startup>1</load-on-startup> +</servlet> + + + +In such cases consider moving to the web-app 2.5 schema or extending CXFNonSpringJaxrsProviders or introducing an Application. + Attaching JAXRS endpoints to an existing Jetty server Here is a code fragment showing how it can be done with the help of CxfNonSpringJaxrsServlet :
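Review bot: the web.xml fragment in this hunk is unbalanced: it closes </servlet> but the opening <servlet>, <servlet-name> and <servlet-class> elements are not shown, so it cannot be pasted into a deployment descriptor as-is; either show the whole servlet element or end the snippet at </init-param>. The lead sentence should also state what actually happens under web-app_2_3.dtd (whether the container rejects the descriptor or the whitespace-separated provider list is read as a single class name), and "moving to the web-app 2.5 schema" would be more actionable with the corresponding <web-app> root element and its schemaLocation shown.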
svn commit: r819759 - in /websites/production/cxf/content: cache/main.pageCache dosgi-presentations-and-articles.html
Author: buildbot Date: Thu May 31 14:47:55 2012 New Revision: 819759 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/dosgi-presentations-and-articles.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/dosgi-presentations-and-articles.html == --- websites/production/cxf/content/dosgi-presentations-and-articles.html (original) +++ websites/production/cxf/content/dosgi-presentations-and-articles.html Thu May 31 14:47:55 2012 @@ -146,6 +146,9 @@ Apache CXF -- DOSGi Presentations and Ar Documents and blog articles Distributed OSGi - a simple example: http://coderthoughts.blogspot.com/2009/02/distributed-osgi-simple-example.html"; rel="nofollow">http://coderthoughts.blogspot.com/2009/02/distributed-osgi-simple-example.htmlA Distributed OSGi Powered AJAX WebApp: http://coderthoughts.blogspot.com/2009/02/distributed-osgi-powered-ajax-webapp.html"; rel="nofollow">http://coderthoughts.blogspot.com/2009/02/distributed-osgi-powered-ajax-webapp.htmlIntroducing Dynamic Discovery into OSGi Distributed Applications: http://blog.akquinet.de/2009/09/23/introducing-dynamic-discovery-into-osgi-distributed-applications/"; rel="nofollow">http://blog.akquinet.de/2009/09/23/introducing-dynamic-discovery-into-osgi-distributed-applications/Develop and Deploy Web Services as OSGi Bundles (IBM dev works): http://www.ibm.com/developerworks/webservices/library/ws-OSGi/index.html"; rel="nofollow">http://www.ibm.com/developerworks/webservices/library/ws-OSGi/index.html + + +Eclipse RCP/RAP and Remoting with JAX-RS, Spring Data JPA and CXF DOSGi (Angelo Zerr): http://angelozerr.wordpress.com/about/eclipse_spring/eclipse_spring_dosgi/"; rel="nofollow">http://angelozerr.wordpress.com/about/eclipse_spring/eclipse_spring_dosgi/
svn commit: r820261 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html
Author: buildbot Date: Mon Jun 4 19:48:17 2012 New Revision: 820261 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-configuration.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-configuration.html == --- websites/production/cxf/content/fediz-configuration.html (original) +++ websites/production/cxf/content/fediz-configuration.html Mon Jun 4 19:48:17 2012 @@ -151,11 +151,11 @@ Apache CXF -- Fediz Configuration <audienceUris> <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem> </audienceUris> -<certificateStore> +<certificateStores> <trustManager> <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" /> </trustManager> -</certificateStore> +</certificateStores> <trustedIssuers> <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" /> </trustedIssuers> 
@@ -175,7 +175,7 @@ Finally, the audience URI is validated a Configuration reference -XML element Name Use Description audienceUris Audience URI Required The values of the list of audience URIs are verified against the element AudienceRestriction in the SAML token certificateStore Trusted certificate store Required The list of keystores (JKS, PEM) includ es at least the certificate of the Certificate Authorities (CA) which signed the certificate which is used to sign the SAML token. +XML element Name Use Description audienceUris Audience URI Required The values of the list of audience URIs are verified against the element AudienceRestriction in the SAML token certificateStores Trusted certificate store Required The list of keystores (JKS, PEM) inclu des at least the certificate of the Certificate Authorities (CA) which signed the certificate which is used to sign the SAML token. If the file location is not fully qualified it's relative to the Container home directory trustedIssuers Trusted Issuers Required There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (certificateValidation=ChainTrust) or you configure the certificate of the IDP and the CA(s) who signed it (certificateValidation=PeerTrust) maximumClockSkew Maximum Clock Skew Optional Maximum allowable time difference between the system clocks of the IDP and RP. Default 5 seconds. 
@@ -216,9 +216,9 @@ The WS-Federation standard defines a lis <audienceUris> <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem> </audienceUris> -<certificateStore> -<keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" /> -</certificateStore> +<certificateStores> +<keyStore file="conf/stsstore.jks" password="stsspass" type="file" /> +</certificateStores> <maximumClockSkew>10</maximumClockSkew> <trustedIssuers> <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
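Review bot: renaming certificateStore to certificateStores is a breaking change for existing Fediz configuration files, and neither hunk in this commit says so; the page should state from which Fediz version the plural form is required and what error an unchanged file produces. The two examples also disagree on the structure under <certificateStores>: the minimum example wraps <keyStore> in <trustManager> with type="JKS", while the advanced example here places <keyStore> directly under <certificateStores> with type="file". If both forms are valid the reference table should document them; if not, one of the examples is wrong.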
svn commit: r820382 - in /websites/production/cxf/content: cache/main.pageCache fediz.html
Author: buildbot Date: Tue Jun 5 19:48:02 2012 New Revision: 820382 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Tue Jun 5 19:48:02 2012 @@ -140,13 +140,12 @@ Apache CXF -- Fediz Overview -Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. Authentication is externalized from your web application to an identity provider which is a dedicated server component. The supported standard is WS-Federation 1.2 Passive Requestor Profile. Fediz supports Claims based Access control beyond Role Based Access Control (RBAC). +Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002"; rel="nofollow">WS-Federation 1.2 Passive Requestor Profile. Fediz supports http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims Based Access Control beyond Role Based Access Control (RBAC). News - Features The following features are supported by the Fediz plugin 1.0 
@@ -161,13 +160,13 @@ Apache CXF -- Fediz Getting started -The WS-Federation specification defines the following parties involved during the web login: +The WS-Federation specification defines the following parties involved during a web login: BrowserIdentity Provider (IDP) -The IDP is a centralized, application independent runtime component which implements the protocol defined by WS-Federation. You can use any open source or commercial product as your IDP which supports WS-Federation 1.1/1.2. It's recommended to use the Fediz IDP for testing as it allows to test your web application in a sandbox without having all infrastructure components available. The Fediz IDP consists of two WAR components. The Security Token Service (STS) is doing most of the part like authenticating the user, retrieve claims/role data and create the SAML token. The IDP WAR translates the response to a HTML response thus a browser can process it.Relying Party (RP) -The RP is the web application which should be protected. The RP must be able to implement the protocol as defined by WS-Federation. This component is called "Fediz Plugin" in this project which consists of container agnostic module/jar and a container specific jar. When an authenticated request is detected by the plugin it redirects to the IDP or authentication. The browser sends the response from IDP to the RP after successful authentication. The RP validates the response and creates the container security context. +The IDP is a centralized, application independent runtime component which implements the protocol defined by WS-Federation. You can use any open source or commercial product that supports WS-Federation 1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for testing as it allows for testing your web application in a sandbox without having all infrastructure components available. The Fediz IDP consists of two WAR components. 
The Security Token Service (STS) does most of the work including user authentication, claims/role data retrieval and creating the SAML token. The IDP WAR translates the response to an HTML response allowing a browser to process it.Relying Party (RP) +The RP is a web application that needs to be protected. The RP must be able to implement the protocol as defined by WS-Federation. This component is called "Fediz Plugin" in this project which consists of container agnostic module/jar and a container specific jar. When an authenticated request is detected by the plugin it redirects to the IDP for authentication. The browser sends the response from the IDP to the RP after successful authentication. The RP validates the response and creates the container security context. -It's recommended to deploy the IDP and the web application (RP) into different container instances as in a production deployment. The container with the IDP can be used during development and testing for any web application. +It's recommended to deploy the IDP and the web application
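Review bot: the rewritten Relying Party paragraph says "When an authenticated request is detected by the plugin it redirects to the IDP for authentication"; that should read "unauthenticated", since redirecting already-authenticated requests would loop, and the configuration reference describes the issuer as the IDP "to whom unauthenticated requests are redirected". While here, "container agnostic module/jar" and "container specific jar" read better hyphenated (container-agnostic, container-specific).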
svn commit: r820387 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html fediz-idp.html fediz-tomcat.html
Author: buildbot Date: Tue Jun 5 20:48:00 2012 New Revision: 820387 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-configuration.html websites/production/cxf/content/fediz-idp.html websites/production/cxf/content/fediz-tomcat.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-configuration.html == --- websites/production/cxf/content/fediz-configuration.html (original) +++ websites/production/cxf/content/fediz-configuration.html Tue Jun 5 20:48:00 2012 @@ -139,10 +139,10 @@ Apache CXF -- Fediz Configuration https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; height="16" width="16" alt="" border="0"> Under construction Fediz Plugin configuration -This page describes the Fediz configuration file which is referenced by the security interceptor (eg. authenticator in Tomcat/Jetty). +This page describes the Fediz configuration file referenced by the security interceptor (eg. authenticator in Tomcat/Jetty). Example -The following example describes the minimum configuration for Fediz. +The following example shows the minimum configuration for Fediz. <?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
@@ -167,8 +167,9 @@ Apache CXF -- Fediz Configuration -The element protocol defines that you use the WS-Federation protocol. The issuer says to which URL authenticated requests will be redirected with the SignIn request. -The IDP issues a SAML token which must be validated by the plugin. The validation requires the certificate store of the Certificate Authority(ies) of the certificate which signed the SAML token. This is defined in certificateStore. The signing certificate itself is not required because certificateValidation is set to ChainTrust. The subject defines the trusted signing certificate using the subject as a regular expression. +The protocol element declares that the WS-Federation protocol is being used. The issuer element shows the URL to which authenticated requests will be redirected with a SignIn request. + +The IDP issues a SAML token which must be validated by the plugin. The validation requires the certificate store of the Certificate Authority(ies) of the certificate which signed the SAML token. This is defined in certificateStore. The signing certificate itself is not required because certificateValidation is set to ChainTrust. The subject defines the trusted signing certificate using the subject as a regular expression. Finally, the audience URI is validated against the audience restriction in the SAML token. 
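Review bot: the rewritten issuer sentence has the meaning inverted: "the URL to which authenticated requests will be redirected with a SignIn request" should say unauthenticated requests, as the reference table on this page does. The second added paragraph also still says "This is defined in certificateStore" although the element is certificateStores in the reference table this same commit touches. Both are one-word fixes on lines the hunk already rewrites.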
@@ -176,7 +177,7 @@ Finally, the audience URI is validated a XML element Name Use Description audienceUris Audience URI Required The values of the list of audience URIs are verified against the element AudienceRestriction in the SAML token certificateStores Trusted certificate store Required The list of keystores (JKS, PEM) inclu des at least the certificate of the Certificate Authorities (CA) which signed the certificate which is used to sign the SAML token. -If the file location is not fully qualified it's relative to the Container home directory trustedIssuers Trusted Issuers Required There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (certificateValidation=ChainTrust) or you configure the certificate of the IDP and the CA(s) who signed it (certificateValidation=PeerTrust) maximumClockSkew Maximum Clock Skew Optional Maximum allowable time difference between the system clocks of the IDP and RP. +If the file location is not fully qualified it needs to be relative to the Container home directory trustedIssuers Trusted Issuers Required There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (certificateValidation=ChainTrust) or you configure the certificate of the IDP and the CA(s) who signed it (certificateValidation=PeerTrust) maximumClockSkew Maximum Clock Skew Optional Maximum allowable time difference between the system clocks of the IDP and RP. Default 5 seconds. @@ -200,13 +201,13 @@ The WS-Federation standard defines a lis authenticationTypehomeRealmissuer -These configuration elements provides to configure a CallbackHandler which gets a Callback object where the appropriate value must be set. The CallbackHandler implementation has access to the HttpServletRequest. The XML attribute type must be set to Class. +The
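Review bot: changing "it's relative to the Container home directory" to "it needs to be relative to the Container home directory" turns a description of how the plugin resolves the path into a requirement on the config author, which is not what the original meant; "it is resolved relative to the container home directory" keeps the original meaning with cleaner grammar.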
svn commit: r820492 - in /websites/production/cxf/content: cache/main.pageCache fediz.html
Author: buildbot Date: Wed Jun 6 14:48:05 2012 New Revision: 820492 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Wed Jun 6 14:48:05 2012 @@ -187,12 +187,12 @@ The RP is a web application that needs t Samples -The examples directory contains two sample projects: +The examples directory contains two sample relying party applications. They are independent of each other, so it is not necessary to deploy both at once. Each sample is described in the README.txt - Sample Description simpleWebapp a simple web application which is protected by the Fediz IDP. The FederationServlet illustrates how to get security information using the standard APIs. wsclientWebapp a protected web application which calls a web service protected by the Fediz STS. The FederationServlet illustrates how to securely call a web service. + Sample Description simpleWebapp a simple web application which is protected by the Fediz IDP. The FederationServlet illustrates how to get security information using the standard APIs. wsclientWebapp a protected web application that calls a web service that uses the Fediz STS to validate credentials. Here, the same STS is used for token issuance (indirectly, by the web application through use of the Fediz IDP) and validation. The FederationServlet illustrates how to securely call a web service. @@ -208,7 +208,7 @@ git://git.apache.org/cxf-fediz.git< Building with Maven -You build the run the tests using the following command: +To build and run the tests use the following command: mvn clean install
svn commit: r820500 [2/2] - in /websites/production/cxf/content: apache-cxf-2311-release-notes.html cache/main.pageCache cxf-248-release-notes.html cxf-254-release-notes.html cxf-261-release-notes.htm
Modified: websites/production/cxf/content/download.html == --- websites/production/cxf/content/download.html (original) +++ websites/production/cxf/content/download.html Wed Jun 6 15:48:28 2012 
@@ -139,40 +139,42 @@ Apache CXF -- Download Releases -2.6.0 -The 2.6.0 release is our latest release. For more information please see the http://cxf.apache.org/docs/26-migration-guide.html";>migration guide. +2.6.1 +The 2.6.1 release is our latest release. For more information please see the release notes and the http://cxf.apache.org/docs/26-migration-guide.html";>migration guide. -DescriptionFileMD5SHA1PGPSource distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.0/apache-cxf-2.6.0-src.tar.gz";>apache-cxf-2.6.0-src.tar.gzhttp://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.tar.gz.md5";>apache-cxf-2.6.0-src.tar.gz.md5http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.tar.g z.sha1">apache-cxf-2.6.0-src.tar.gz.sha1http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.tar.gz.asc";>apache-cxf-2.6.0-src.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.0/apache-cxf-2.6.0-src.zip";>apache-cxf-2.6.0-src.ziphttp://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.zip.md5";>apache-cxf-2.6.0-src.zip.md5http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.zip.sha1";>apache-cxf-2.6.0-src.zip.sha1http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.zip.asc";>apache-cxf-2.6.0-src.zip.ascBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.0/apache-cxf-2.6.0.tar.gz";>apache-cxf-2.6.0.tar.gzhttp://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.tar.gz.md5";>apache-cxf-2.6.0.tar.gz.md5http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.tar.gz.sha1";>apache-cxf-2.6.0.tar.gz.sha1http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.tar.gz.asc";>apache-cxf-2.6.0.tar.gz .asc 
http://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.0/apache-cxf-2.6.0.zip";>apache-cxf-2.6.0.ziphttp://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.zip.md5";>apache-cxf-2.6.0.zip.md5http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.zip.sha1";>apache-cxf-2.6.0.zip.sha1http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.zip.asc";>apache-cxf-2.6.0.zip.asc +DescriptionFileMD5SHA1PGPSource distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.1/apache-cxf-2.6.1-src.tar.gz";>apache-cxf-2.6.1-src.tar.gzhttp://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.tar.gz.md5";>apache-cxf-2.6.1-src.tar.gz.md5http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.tar.g z.sha1">apache-cxf-2.6.1-src.tar.gz.sha1http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.tar.gz.asc";>apache-cxf-2.6.1-src.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.1/apache-cxf-2.6.1-src.zip";>apache-cxf-2.6.1-src.ziphttp://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.zip.md5";>apache-cxf-2.6.1-src.zip.md5http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.zip.sha1";>apache-cxf-2.6.1-src.zip.sha1http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.zip.asc";>apache-cxf-2.6.1-src.zip.ascBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.1/apache-cxf-2.6.1.tar.gz";>apache-cxf-2.6.1.tar.gzhttp://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.tar.gz.md5";>apache-cxf-2.6.1.tar.gz.md5http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.tar.gz.sha1";>apache-cxf-2.6.1.tar.gz.sha1http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.tar.gz.asc";>apache-cxf-2.6.1.tar.gz .asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.1/apache-cxf-2.6.1.zip";>apache-cxf-2.6.1.ziphttp://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.zip.md5";>apache-cxf-2.6.1.zip.md5http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.zip.sha1";>apache-cxf-2.6.1.zip.sha1http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.zip.asc";>apache-cxf-2.6.1.zip.asc -2.5.3 
-The 2.5.3 release is our latest patch release for 2.5.x. For more information please see the release notes and the http://cxf.apache.org/docs/25-migration-guide.html";>migration guide. +2.5.4 +The 2.5.4 release is our latest patch release for 2.5.x. For more information please see the release notes and the http://cxf.apache.org/docs/25-migration-guide.html";>migration guide. -DescriptionFileMD5SHA1PGPSource distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.5.3/apache-cxf-2.5.3-src.tar.gz";>apache-cxf-2.5.3-src.tar.gzhttp://www.apache.org/dist/cxf/2.5.3/apache-cxf-2.5.3-src.tar.gz.md5";>apache-cxf-2.5.3-src.tar.gz.md5http://www.apache.org/dist/cxf/2.5.3/apache-cxf-2.5.3-src.tar.g z.sha1">apache-cxf-2.5.3-src.tar.gz.sha1http://www.apache.org/dist/cxf/2.5.3/apache-cxf-2.5.3-src.tar.gz.asc";>apache-cxf-2.5.3-src.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.5.3/apache-cxf-2.5.3-src.zip";>apache-cxf-2.5.3-src.ziphttp://www.apache.org/dist/cxf/2.5.3/apache-cxf-2.5.3-src.zip.md5";>apache-cxf-2.5.3-src.zip.
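Review bot: The release table in the @@ -139 hunk links .md5, .sha1 and .asc files beside every artifact but the surrounding text gives no verification guidance. The checksum files are served from www.apache.org/dist next to the signatures, so they only catch a corrupted mirror download; authenticity of what closer.cgi hands out comes from checking the .asc PGP signature against the project's published signing keys. A one-line "how to verify" sentence, or a link to one, next to the table would close that gap, and it should be added once for the 2.6.1 and 2.5.4 tables rather than repeated per row.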
svn commit: r820510 - in /websites/production/cxf/content: cache/main.pageCache fediz.html
Author: buildbot Date: Wed Jun 6 16:48:17 2012 New Revision: 820510 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Wed Jun 6 16:48:17 2012 @@ -200,9 +200,8 @@ The RP is a web application that needs t Check out the code from here: svn -http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunkgit -git://git.apache.org/cxf-fediz.git - +svn co http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunkgit +git clone -v git://git.apache.org/cxf-fediz.git
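Review bot: The @@ -200 hunk now shows runnable commands ("svn co http://svn.apache.org/repos/asf/cxf/fediz/trunk" and "git clone -v git://git.apache.org/cxf-fediz.git"), but both use unauthenticated transports: plain http for Subversion and the git:// protocol, so the reader gets neither server authentication nor integrity for source they are about to build and deploy as an identity provider. If https endpoints exist for these repositories, list them first; otherwise add a sentence pointing readers at a signed release as the preferred source. Nit: the "-v" on git clone only adds verbosity and can be dropped from a documentation example.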
svn commit: r820533 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html fediz-tomcat.html fediz.html
Author: buildbot Date: Wed Jun 6 18:48:42 2012 New Revision: 820533 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-idp.html websites/production/cxf/content/fediz-tomcat.html websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Wed Jun 6 18:48:42 2012 @@ -136,9 +136,7 @@ Apache CXF -- Fediz IDP -https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; height="16" width="16" alt="" border="0"> Under construction - -Fediz IDP +Fediz IDP The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component which is responsible for validating credentials, getting the requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR which allows browser-based applications to interact with the STS. The communication between the browser and the IDP must be performed within the confines of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic. 
@@ -171,6 +169,11 @@ Apache CXF -- Fediz IDP Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps) and ensure that Tomcat is started thus the WAR files get deployed. +A Relying Party application trusts the IDP/STS component that the IDP authenticated the browser user. The trust is established based on the certificate/private key used by the STS to sign the SAML token. The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this keystore to a location where the Relying Party can reference it in its Fediz Configuration in the element certificateStores. + +This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party + + Configuration You can manage the users, their claims and the claims per application in the IDP. Modified: websites/production/cxf/content/fediz-tomcat.html == --- websites/production/cxf/content/fediz-tomcat.html (original) +++ websites/production/cxf/content/fediz-tomcat.html Wed Jun 6 18:48:42 2012 
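Review bot: The @@ -171 hunk tells the reader to copy webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks to the Relying Party and then warns "This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party" (the sentence also lacks a period). Instruction and warning contradict each other for anything beyond a demo: the RP only needs the STS signing certificate to verify SAML signatures, so the text should show how to export just that certificate from stsstore.jks (keytool -exportcert, then -importcert into a separate truststore) and reference the truststore in certificateStores, leaving the private key on the STS. Putting the demo-only shortcut after the correct procedure, rather than before the warning, would also read more safely.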
@@ -154,9 +154,9 @@ add the previously created directory to Configuration -The Fediz related configuration is Container independent and described here. +The Fediz related configuration is done in a Servlet Container independent configuration file which is described here. -The Fediz plugin requires configuring the FederationAuthenticator like any other Valve in Tomcat which is described here http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here. +The Fediz plugin requires configuring the FederationAuthenticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here. A valve can be configured on different levels like Host or Context. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the Context level otherwise on the Host level in the Tomcat configuration file server.xml Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Wed Jun 6 18:48:42 2012 @@ -174,7 +174,7 @@ The RP is a web application that needs t Set up the Relying Party Container -The Fediz plugin needs to be deployed into the Relying Party (RP) container. The security mechanism is not specified by JEE. Even though it is very similar in each servlet container there are some differences which require a dedicated Fediz plugin for each servlet container implementation. Most of the configuration is container independent and described here +The Fediz plugin needs to be deployed into the Relying Party (RP) container. The security mechanism is not specified by JEE. Even though it is very similar in each servlet container there are some differences which require a dedicated Fediz plugin
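Review bot: In the @@ -154 hunk of fediz-tomcat.html, "The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context" mixes "allows to configure" with "choosing"; rewrite as "The Fediz configuration file can cover all servlet contexts, or you can use one file per Servlet Context." The next sentence runs both cases together without punctuation and ends without a period: "If you choose one file per Servlet Context, configure the FederationAuthenticator at the Context level; otherwise configure it at the Host level in server.xml."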
svn commit: r820540 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html fediz-extensions.html fediz-idp.html fediz-tomcat.html
Author: buildbot Date: Wed Jun 6 19:48:37 2012 New Revision: 820540 Log: Production update by buildbot for cxf Added: websites/production/cxf/content/fediz-extensions.html Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-configuration.html websites/production/cxf/content/fediz-idp.html websites/production/cxf/content/fediz-tomcat.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-configuration.html == --- websites/production/cxf/content/fediz-configuration.html (original) +++ websites/production/cxf/content/fediz-configuration.html Wed Jun 6 19:48:37 2012 @@ -136,9 +136,7 @@ Apache CXF -- Fediz Configuration -https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; height="16" width="16" alt="" border="0"> Under construction - -Fediz Plugin configuration +Fediz Plugin configuration This page describes the Fediz configuration file referenced by the security interceptor (eg. authenticator in Tomcat/Jetty). Example 
@@ -188,13 +186,16 @@ Default 5 seconds. XML element Name Use Description issuer Issuer URL Required This URL defines the location of the IDP to whom unauthenticated requests are redirected realm Realm Optional Security realm of the Relying Party / Application. This value is part of the SignIn request as the wtrealm parameter. Default: URL including the Servlet Context authenticationType Authentication Type Optional The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth) -The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"; rel="nofollow">here. roleURI Role Claim URI Optional Defines the attribute name of the SAML token which contains the roles roleDelimiter Role Value Delimiter Optional There are different ways to encode multi value attributes in SAML. +The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"; rel="nofollow">here. roleURI Role Claim URI Optional Defines the attribute name of the SAML token which contains the roles. +Required for Role Based Access Control. roleDelimiter Role Value Delimiter Optional There are different ways to encode multi value attributes in SAML. Single attribute with multiple valuesSeveral attributes with the same name but only one valueSingle attribute with single value. Roles are delimited by roleDelimiter - claimTypesRequested Requested claims Optional The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail homeRealm Home Realm Optional Indicates the Resource IDP the home realm of the requestor. 
This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the whr parameter + claimTypesRequested Requested claims Optional The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail homeRealm Home Realm Optional Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the whr parameter tokenValidators TokenValidators Optional Custom Token validator classes can be configured here. The SAML Token validator is enabled by default. +See example http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java";>here + Attributes resolved at runtime The following attributes can be either configured statically at deployment time or dynamically when the initial request is received: @@ -233,6 +234,9 @@ The WS-Federation standard defines a lis </claimTypesRequested> <authenticationType type="String" value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard"; /> <homeRealm type="Class" value="example.HomeRealmCallbackHandler" /> +<tokenValidators> +<validator>org.apache.cxf.fediz.core.CustomVa
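Review bot: In the @@ -188 hunk the roleURI row keeps "Optional" in the Use column while the added description says "Required for Role Based Access Control."; state the condition in one place, for example "Optional (required when roles are used for access control)", so the table does not contradict itself. The new tokenValidators row points at plugins/core/src/test/java/.../CustomValidator.java as the example; since that class lives in the test tree, say explicitly that it is a test fixture illustrating the validator interface and not something to deploy as-is, and end "See example here" with a period. The @@ -233 hunk adds a <tokenValidators> block to the example configuration referencing the same class, so the same caveat belongs there.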
svn commit: r820545 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html fediz-tomcat.html fediz.html
Author: buildbot Date: Wed Jun 6 20:48:20 2012 New Revision: 820545 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-idp.html websites/production/cxf/content/fediz-tomcat.html websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Wed Jun 6 20:48:20 2012 
@@ -138,7 +138,7 @@ Apache CXF -- Fediz IDP Fediz IDP -The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component which is responsible for validating credentials, getting the requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR which allows browser-based applications to interact with the STS. The communication between the browser and the IDP must be performed within the confines of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic. +The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component, fedizidpsts.war, which is responsible for validating credentials, getting the requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR (fedizidp.war) which allows browser-based applications to interact with the STS. The communication between the browser and the IDP must be performed within the confines of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic. The Fediz STS is based on a customized CXF STS configured to support standard Federation use cases demonstrated by the examples. Modified: websites/production/cxf/content/fediz-tomcat.html == --- websites/production/cxf/content/fediz-tomcat.html (original) +++ websites/production/cxf/content/fediz-tomcat.html Wed Jun 6 20:48:20 2012 
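Review bot: The @@ -138 hunk usefully names the two WARs (fedizidpsts.war and fedizidp.war), but the retained phrase "conform as closely as possible to the WS-Trust protocols semantic" should read "to the semantics of the WS-Trust protocol". While touching this paragraph, "an IDP WAR (fedizidp.war) which allows browser-based applications" reads better as "that allows", or with a comma before "which".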
@@ -178,7 +178,7 @@ add the previously created directory to -Fediz configuration +Fediz Plugin configuration for Your Web Application The Fediz related configuration is done in a Servlet Container independent configuration file which is described here. Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Wed Jun 6 20:48:20 2012 @@ -183,7 +183,7 @@ The RP is a web application that needs t Distribution -tbd +For the moment, you'll need to check out the Fediz source and build them following the instructions in "Building" below. Once built, the deployable WARs will be located in the fediz-idp and fediz-idp-sts "target" folders (fedizidp.war and fedizidpsts.war). Samples
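Review bot: In the @@ -183 hunk, "check out the Fediz source and build them" has a number mismatch ("build it"), and "following the instructions in "Building" below" should match the section heading exactly as it appears on the page. The sentence pairs the module directories fediz-idp and fediz-idp-sts with WAR names that drop the hyphens (fedizidp.war, fedizidpsts.war); a short parenthetical noting that the names differ on purpose would stop readers from reading it as a typo.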
svn commit: r820876 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html
Author: buildbot Date: Fri Jun 8 20:47:47 2012 New Revision: 820876 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-idp.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Fri Jun 8 20:47:47 2012 @@ -146,7 +146,7 @@ Apache CXF -- Fediz IDP The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server. -Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps). +Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps). Once done, you should be able to see the Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdl"; rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl, assuming you're using port 9080 as listed below. A Relying Party application trusts the IDP/STS component that the IDP authenticated the browser user. The trust is established based on the certificate/private key used by the STS to sign the SAML token. The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this keystore to a location where the Relying Party can reference it in its Fediz Configuration in the element certificateStores. 
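Review bot: The @@ -146 hunk points readers at http://localhost:9080/fedizidpsts/STSService?wsdl to confirm the deployment, but the "HTTPS configuration" section of the same page says port 9080 is used for Maven deployment and that the IDP and STS are accessed on HTTPS port 9443. Say that this plain-HTTP URL is a deployment smoke test only and give the https form on 9443 as the endpoint clients actually use, so nobody configures a Relying Party or web service client against the unencrypted port.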
@@ -159,7 +159,8 @@ Apache CXF -- Fediz IDP HTTPS configuration -It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. The Fediz examples use the following TCP ports to interact with the IDP/STS: +It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described http://www.shaunabram.com/multiple-tomcat-instances/"; rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and change http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html"; rel="nofollow">these port values so they don't conflict with the original Tomcat installation. The Fediz examples use the following TCP ports to interact with the IDP/STS: + HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)HTTPS port: 9443 (where IDP and STS are accessed) @@ -180,6 +181,25 @@ Apache CXF -- Fediz IDP Production: It's highly recommended to deploy certificates signed by a Certificate Authority +To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example: + + + +CATALINA_HOME=/path/to/second/tomcat +$CATALINA_HOME/bin/startup.sh + + + +and + + + +CATALINA_HOME=/path/to/second/tomcat +$CATALINA_HOME/bin/shutdown.sh + + + +If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE that will need to be redefined. User and password
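Review bot: In the @@ -180 hunk the two-line scripts assign CATALINA_HOME without exporting it ("CATALINA_HOME=/path/to/second/tomcat" followed by "$CATALINA_HOME/bin/startup.sh"). A plain assignment is visible only to the script's own expansion on the next line; the Tomcat scripts it launches do not inherit it, so if the intent is to redefine the environment that startup.sh and shutdown.sh see, as "temporarily redefine $CATALINA_HOME" suggests, write "export CATALINA_HOME=/path/to/second/tomcat". The same applies to the CATALINA_BASE variant in the closing sentence. In the @@ -159 hunk, "as described here is one option but note any libs" needs a comma after "here" and "note that".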
svn commit: r820884 - in /websites/production/cxf/content: cache/main.pageCache fediz.html
Author: buildbot Date: Fri Jun 8 21:47:46 2012 New Revision: 820884 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Fri Jun 8 21:47:46 2012 @@ -140,7 +140,7 @@ Apache CXF -- Fediz Overview -Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002"; rel="nofollow">WS-Federation 1.2 Passive Requestor Profile. Fediz supports http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims Based Access Control beyond Role Based Access Control (RBAC). +Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002"; rel="nofollow">WS-Federation Passive Requestor Profile. Fediz supports http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims Based Access Control beyond Role Based Access Control (RBAC). News 
@@ -149,7 +149,7 @@ Apache CXF -- Fediz Features The following features are supported by the Fediz plugin 1.0 -WS-Federation 1.1/1.2SAML 1.1/2.0 TokensCustom token supportPublish WS-Federation Metadata documentRole information encoded as AttributeStatement in SAML 1.1/2.0 tokensClaims information provided by FederationPrincipal interface +WS-Federation 1.0/1.1/1.2SAML 1.1/2.0 TokensCustom token supportPublish WS-Federation Metadata documentRole information encoded as AttributeStatement in SAML 1.1/2.0 tokensClaims information provided by FederationPrincipal interface The following features are planned for the next release:
svn commit: r821227 - in /websites/production/cxf/content: cache/main.pageCache fediz-architecture.html fediz.html
Author: buildbot Date: Mon Jun 11 07:48:52 2012 New Revision: 821227 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-architecture.html websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-architecture.html == --- websites/production/cxf/content/fediz-architecture.html (original) +++ websites/production/cxf/content/fediz-architecture.html Mon Jun 11 07:48:52 2012 
@@ -142,7 +142,7 @@ The scope of Fediz is illustrated in the WS-Federation Design -The following picture illustrates the main components of a Web Single Sign On (SSO) solution based on WS-Federation (Passive Requestor Profile). The Web Application is part of the Relying Party (RP) side whereas the Identity Provider (IDP/STS) is the central security server that is responsible to authenticate clients and issue security tokens based on the requirements by the RP. +The following picture illustrates the main components of a Web Single Sign On (SSO) solution based on http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html"; rel="nofollow">WS-Federation (http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002"; rel="nofollow">Passive Requestor Profile). The Web Application is part of the Relying Party (RP) side whereas the Identity Provider (IDP/STS) is the central security server that is responsible to authenticate clients and issue security tokens based on the requirements by the RP. The IDP component leverages the STS capabilities to issue all sorts of security tokens. An browser first access the Web Application (RP) which redirects the browser to the IDP as the requestor is not authenticated. The IDP authenticates the user and requests a security token based on the requirements by the RP. The security token is "redirected" to the RP which validates the token and creates a session in the RP. 
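Review bot: The @@ -142 hunk only adds spec links, but the unchanged context it carries has two grammar slips worth fixing in the same edit: "responsible to authenticate clients" should be "responsible for authenticating clients", and "An browser first access the Web Application (RP)" should be "A browser first accesses the Web Application (RP)".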
@@ -172,11 +172,11 @@ Fediz ships examples to illustrate how t -The browser accesses the web application (1). It is then redirected to IDP/STS if no token or cookie is supplied in the request (2). This redirection process may require prompting the user (3) to authenticate himself (4). The IDP/STS issues a signed SAML 2.0 security token (WS-Federation doesn’t mandate SAML). The IDP "redirects" (5/6) the user to the application server including the SAML token. The application server verifies the signature of the SAML token. There is a trust relationship between the application server and the IDP/STS which doesn't require network connectivity between the application server and the IDP/STS (Cloud!). After successful validation, a session is created and the corresponding cookie is set on the browser (7). Finally, the request is dispatched to the application. +The browser accesses the web application (1). It is then redirected to IDP/STS if no token or cookie is supplied in the request (2). This redirection process may require prompting the user (3) to authenticate himself (4). The IDP/STS issues a signed SAML 2.0 security token (WS-Federation doesn’t mandate http://saml.xml.org/saml-specifications"; rel="nofollow">SAML). The IDP "redirects" (5/6) the user to the application server including the SAML token. The application server verifies the signature of the SAML token. There is a trust relationship between the application server and the IDP/STS which doesn't require network connectivity between the application server and the IDP/STS (Cloud!). After successful validation, a session is created and the corresponding cookie is set on the browser (7). Finally, the request is dispatched to the application. As an extension to the description above, step 2 might contain specific claims requested by the application such as role, username, full name, email address, sales organization, etc. which are gathered by the STS. 
-Requirements of the Web Application are described in the WS-Federation Metadata document. +Requirements of the Web Application are described in the http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174943"; rel="nofollow">WS-Federation Metadata document. Components @@ -189,14 +189,15 @@ One service provider could require a SAM A web service consumer requests tokens from an STS if the service provider defines an IssuedToken assertion in its security policy. This policy can contain some additional information like the address of the STS, token type, claims, etc. Identity provi
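Review bot: The @@ -172 hunk adds a SAML link but leaves the validation step as "The application server verifies the signature of the SAML token". For an architecture page that is an understatement of what the RP checks before it creates a session; the hunk should also mention validating the token's validity period and its intended audience against the realm the RP configured (the wtrealm value from the configuration reference), otherwise readers may take a signature check alone as sufficient. Wording nits: "to authenticate himself" reads better as "to authenticate", and "(Cloud!)" could be "which matters for cloud deployments".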
svn commit: r821260 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-client-api.html
Author: buildbot Date: Mon Jun 11 12:47:57 2012 New Revision: 821260 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-client-api.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-client-api.html == --- websites/production/cxf/content/docs/jax-rs-client-api.html (original) +++ websites/production/cxf/content/docs/jax-rs-client-api.html Mon Jun 11 12:47:57 2012 @@ -548,7 +548,7 @@ WebClient wc = sf.createWebClient(); In this example, 'http://localhost:8080' is the base service URI. -Please see http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/jaxrs-https.xml";>this configuration file for more examples. +Please see http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/jaxrs-https-client1.xml";>jaxrs-https-client1.xml and http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/jaxrs-https-client2.xml";>jaxrs-https-client2.xml configuration files for more examples. Also see this wiki page on how to configure HTTPConduits.
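Review bot: The @@ -548 hunk replaces one link with two (jaxrs-https-client1.xml and jaxrs-https-client2.xml) without saying how the two files differ; a clause such as "the first configures ..., the second ..." would save readers from opening both test configurations to find out. Also "see ... configuration files" should become "see the ... configuration files".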
svn commit: r821512 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html fediz-metadata.html fediz-tomcat.html
Author: buildbot Date: Tue Jun 12 21:47:51 2012 New Revision: 821512 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-configuration.html websites/production/cxf/content/fediz-metadata.html websites/production/cxf/content/fediz-tomcat.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-configuration.html == --- websites/production/cxf/content/fediz-configuration.html (original) +++ websites/production/cxf/content/fediz-configuration.html Tue Jun 12 21:47:51 2012 
@@ -186,13 +186,13 @@ Default 5 seconds. WS-Federation protocol configuration reference -XML element Name Use Description issuer Issuer URL Required This URL defines the location of the IDP to whom unauthenticated requests are redirected realm Realm Optional Security realm of the Relying Party / Application. This value is part of the SignIn request as the wtrealm parameter. -Default: URL including the Servlet Context authenticationType Authentication Type Optional The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth) -The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"; rel="nofollow">here. roleURI Role Claim URI Optional Defines the attribute name of the SAML token which contains the roles. -Required for Role Based Access Control. roleDelimiter Role Value Delimiter Optional There are different ways to encode multi value attributes in SAML. +XML element Name Use Metadata Description issuer Issuer URL Required PassiveRequestorEndpoint This URL defines the location of the IDP to whom unauthenticated requests are redirected realm Realm Optional TargetScope Security realm of the Relying Party / Application. This value is part of the SignIn request as the wtrealm parameter. +Default: URL including the Servlet Context authenticationType Authentication Type Optional NA The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth) +The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"; rel="nofollow">here. roleURI Role Claim URI Optional NA Defines the attribute name of the SAML token which contains the roles. +Required for Role Based Access Control. 
roleDelimiter Role Value Delimiter Optional NA There are different ways to encode multi value attributes in SAML. Single attribute with multiple valuesSeveral attributes with the same name but only one valueSingle attribute with single value. Roles are delimited by roleDelimiter - claimTypesRequested Requested claims Optional The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail homeRealm Home Realm Optional Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the whr parameter tokenValidators TokenValidators Optional Custom Token validator classes can be configured here. The SAML Token validator is enabled by default. -See example http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java";>here + claimTypesRequested Requested claims Optional ClaimTypesRequested The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail homeRealm Home Realm Optional NA Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP imple mentation. This value is part of the SignIn request as the whr parameter tokenValidators TokenValidators Optional NA Custom Token validator classes can be configured here. The SAML Token validator is enabled by default. +See example http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java";>here signingKey Key for Signature Optional Metadata signature If configured, the published WS-Federation Metadata document is signed by this key. Otherwise, not
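Review bot: the `signingKey` row's visible text stops at `If configured, the published WS-Federation Metadata document is signed by this key. Otherwise, not`, which leaves signing as a bare option; since the new Metadata column maps `issuer` and `realm` onto `PassiveRequestorEndpoint` and `TargetScope`, a relying party that consumes unsigned Metadata has no way to verify exactly those values, so the row should recommend configuring the key rather than merely permit it. The `+` line for `homeRealm` carries a split word, `depends on the Resource IDP imple mentation`, which should read `implementation`. Also, `roleURI` is marked `Optional` in the Use column while its description says `Required for Role Based Access Control`; write `Optional (required for RBAC)` so the two columns do not contradict each other.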
svn commit: r821731 - in /websites/production/cxf/content: cache/docs.pageCache docs/maven-cxf-codegen-plugin-wsdl-to-java.html
Author: buildbot Date: Thu Jun 14 14:47:54 2012 New Revision: 821731 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html == --- websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html (original) +++ websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html Thu Jun 14 14:47:54 2012 
@@ -150,12 +150,14 @@ Apache CXF -- Maven cxf-codegen-plugin ( In this example we're running the wsdl2java goal in the generate-sources phase. By running mvn generate-sources, CXF will generate artifacts in the <sourceRoot> directory that you specify. Each <wsdlOption> element corresponds to a WSDL that you're generated artifacts for. In the above example we're generating we're specifying the WSDL location via the <wsdl> option. -Other configuration arguments can be included inside the <wsdlOption> element. These pass arguments to the tooling and correspond to the options outlined on the WSDL to Java page, for example: +The following example shows some customization options. By default, the codegen plugin follows the Maven convention of "target/generated-sources/cxf" for the output folder for the generated classes. You can override this value using <sourceRoot> as shown below, but note this is usually not necessary, the default is fine for most people and can make it easier for some IDE's to detect the generated source code. Other configuration arguments can be included inside the <wsdlOption> element. These pass arguments to the tooling and correspond to the options outlined on the WSDL to Java page. ... -<wsdlOptions> +<configuration> +<sourceRoot>${project.build.directory}/generated-code/mywebservice</sourceRoot> +<wsdlOptions> <wsdlOption> <wsdl>${basedir}/src/main/wsdl/myService.wsdl</wsdl> <extraargs> 
@@ -163,15 +165,12 @@ Apache CXF -- Maven cxf-codegen-plugin ( <extraarg>-verbose</extraarg> </extraargs> </wsdlOption> -</wsdlOptions> +</wsdlOptions> +</configuration> ... - -For CXF 2.1.4 and latter you don't need anymore to specify the <phase>, as generate-sources is the default. -For CXF 2.2 and latter you don't even need to specify the <sourceRoot> to match maven convention for using target/generated-sources/cxf as output folder for generated classes. - See http://www.jroller.com/gmazza/entry/web_service_tutorial"; rel="nofollow">this blog entry for a full service and client example that uses the cxf-codegen-plugin. Example 1: Passing in a JAX-WS Binding file @@ -179,7 +178,6 @@ For CXF 2.2 and latter you don't even ne <configuration> - <sourceRoot>${basedir}/target/generated/cxf</sourceRoot> <wsdlOptions> <wsdlOption> <wsdl>${basedir}/src/main/wsdl/myService.wsdl</wsdl> @@ -191,6 +189,7 @@ For CXF 2.2 and latter you don't even ne </configuration> + In this example we're specifying that we want CXF to use our JAX-WS binding file. Binding files are a way to customize the output of the artifacts that CXF generates. For instance, it allows you to change the package name CXF uses. Example 2: Specifying a service to generate artifacts for @@ -198,7 +197,6 @@ For CXF 2.2 and latter you don't even ne <configuration> - <sourceRoot>${basedir}/target/generated/src/main/java</sourceRoot> <wsdlOptions> <wsdlOption> <wsdl>${basedir}/src/main/wsdl/myService.wsdl</wsdl> @@ -217,7 +215,6 @@ For CXF 2.2 and latter you don't even ne <configuration> - <sourceRoot>${basedir}/target/generated/cxf</sourceRoot> <defaultOptions> <bindingFiles> <bindingFile>${basedir}/src/main/jaxb/bindings.xml</bindingFile> @@ -247,7 +244,6 @@ For CXF 2.2 and latter you don't even ne <configuration> - <sourceRoot>${basedir}/target/generated/cxf</sourceRoot> <defaultOptions> <bindingFiles> <bindingFile>${basedir}/src/main/jaxb/bindings.xml</bindingFile> 
@@ -308,7 +304,6 @@ For CXF 2.2 and latter you don't even ne <id>generate-sources</id> <phase>generate-sources</phase> <configuration> - <sourceRoot>${basedir}/target/generated/src/main/java</sourceRoot> <wsdlOptions> <wsdlOption> <wsdl>${basedir}/src/main/wsdl/myService.wsdl</wsdl>
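Review bot: the removed lines `For CXF 2.1.4 and latter you don't need anymore to specify the <phase>` and `For CXF 2.2 and latter you don't even need to specify the <sourceRoot>` carried the version thresholds at which the defaults apply, and the replacement sentence `By default, the codegen plugin follows the Maven convention of "target/generated-sources/cxf"` keeps the default but drops the version, so a reader on an older release will not know the default does not apply to them; keep a short `since CXF 2.2` qualifier. The later hunks delete `<sourceRoot>` from every example but the last hunk (`@@ -308,7 +304,6`) still shows `<phase>generate-sources</phase>`, so the examples no longer match the advice that neither element is needed. The unchanged context sentence `In the above example we're generating we're specifying the WSDL location` has a duplicated clause that could be fixed in the same edit.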
svn commit: r822402 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-basics.html
Author: buildbot Date: Tue Jun 19 18:47:50 2012 New Revision: 822402 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-basics.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-basics.html == --- websites/production/cxf/content/docs/jax-rs-basics.html (original) +++ websites/production/cxf/content/docs/jax-rs-basics.html Tue Jun 19 18:47:50 2012 @@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Basics JAX-RS : Understanding the Basics -Resource class@PathHTTP MethodReturn typesException handlingDealing with ParametersParameter beansResource lifecyclesOverview of the selection algorithm.Selecting between multiple resource classesSelec ting between multiple resource methodsResource methods and media typesCustom selection between multiple resourcesContext annotationsCustom ContextsAnnotation inheritanceSub-resource locators.Static resolution of subresourcesMessage Body ProvidersCustom Message Body ProvidersRegistering >custom providershref="#JAX-RSBasics-Customizingmediatypesformessagebodyproviders">Customizing >media types for message body providershref="#JAX-RSBasics-AdvancedHTTP">Advanced HTTP +Resource class@PathHTTP MethodReturn typesException handlingDealing with ParametersParameter beansResource lifecyclesOverview of the selection algorithm.Selecting between multiple resource classesSelec ting between multiple resource methodsResource methods and media typesCustom selection between multiple resourcesContext annotationsCustom ContextsURI calculation using UriInfo and UriBuilderAnnotation inheritanceSub-resource locators.Static resolution of subresourcesMessage Bo dy ProvidersCustom Message Body ProvidersRegistering custom providersCustomizing media types for message body providersAdvanced HTTP Resource class 
@@ -771,14 +771,13 @@ UriInfo, SecurityContext, HttpHeaders, P Custom Context implementations may get all the information about the HTTP request from the current CXF message. - - -h1. URI calculation using UriInfo and UriBuilder +URI calculation using UriInfo and UriBuilder -Mapping of a particular URI to a service that returns some resource is straightforward using the @Path annotation. However RESTful services are often connected: one service returns data that is used as the key in another service. Listing entities and accessing a particular entity is a typical example: +Mapping of a particular URI to a service that returns some resource is straightforward using the @Path annotation. However RESTful services are often connected: one service returns data that is used as the key in another service. Listing entities and accessing a particular entity is a typical example: -{code:java} + + @Path("/customers") public class CustomerService {
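Review bot: only the opening `{code:java}` macro is visible as replaced in this hunk, alongside the stray `h1. URI calculation using UriInfo and UriBuilder` heading; check that the matching closing `{code}` after the `CustomerService` listing was converted as well, otherwise the literal macro text will render inside the page. In the TOC hunk the broken anchors (`>custom providershref="#JAX-RSBasics-Customizingmediatypesformessagebodyproviders"`) are repaired, which is good; make sure the new `URI calculation using UriInfo and UriBuilder` entry links to the id the new heading actually receives.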
svn commit: r822790 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-cors.html
Author: buildbot Date: Fri Jun 22 21:47:49 2012 New Revision: 822790 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-cors.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-cors.html == --- websites/production/cxf/content/docs/jax-rs-cors.html (original) +++ websites/production/cxf/content/docs/jax-rs-cors.html Fri Jun 22 21:47:49 2012 @@ -131,7 +131,9 @@ Apache CXF -- JAX-RS CORS CXF 2.5.1 introduces the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/";>initial support for the http://www.w3.org/TR/cors/"; rel="nofollow">Cross-Origin Resource Sharing specification that "defines a mechanism to enable client-side cross-origin requests". -Please see the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/package.html";>package.html for a good introduction of CORS and the way it is supported in CXF JAX-RS. +This https://developer.mozilla.org/en/http_access_control"; rel="nofollow">Mozilla.org page provides a very good explanation of CORS. + +Please see the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/package.html";>package.html for a good introduction to CORS and the way it is supported in CXF JAX-RS. Note that the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java";>CORS filter uses the JAX-RS selection algorithm to ensure that the JAX-RS resource method capable of handling the request does exist.
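Review bot: the new sentence links to `https://developer.mozilla.org/en/http_access_control`, while the neighbouring `package.html` and `CrossOriginResourceSharingFilter.java` links point at `svn.apache.org/repos/asf/cxf/trunk`, so a page describing a feature introduced in `CXF 2.5.1` documents whatever trunk currently contains; link the filter and package description to the 2.5.x branch or tag. Since this paragraph is the reader's only introduction to CORS on the page, it should also say in one sentence that the filter only emits the allow-origin decision and that enforcement happens in the browser, which is the point most often misread when CORS is mistaken for server-side access control.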
svn commit: r823078 - in /websites/production/cxf/content: cache/main.pageCache fediz.html
Author: buildbot Date: Mon Jun 25 08:47:59 2012 New Revision: 823078 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Mon Jun 25 08:47:59 2012 @@ -161,6 +161,10 @@ Apache CXF -- Fediz The Fediz architecture is described in more detail here. +Download + +See here. + Getting started @@ -185,10 +189,6 @@ The RP is a web application that needs t -Distribution - -For the moment, you'll need to check out the Fediz source and build them following the instructions in "Building" below. Once built, the deployable WARs will be located in the fediz-idp and fediz-idp-sts "target" folders (fedizidp.war and fedizidpsts.war). - Samples The examples directory contains two sample relying party applications. They are independent of each other, so it is not necessary to deploy both at once.
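Review bot: the removed `Distribution` paragraph told readers where the built artifacts land (`fedizidp.war` and `fedizidpsts.war` under the `fediz-idp` and `fediz-idp-sts` target folders); the replacement `Download` section is just `See here.` with no link target visible in the hunk, so confirm the anchor resolves and that the `Building` section still states the WAR locations, or that information is lost for anyone building from source. The download page it points at should also carry the usual ASF checksums and signatures for the WARs rather than bare links.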
svn commit: r823082 - in /websites/production/cxf/content: cache/docs.pageCache docs/security.html
Author: buildbot Date: Mon Jun 25 09:47:50 2012 New Revision: 823082 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/security.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/security.html == --- websites/production/cxf/content/docs/security.html (original) +++ websites/production/cxf/content/docs/security.html Mon Jun 25 09:47:50 2012 @@ -124,7 +124,7 @@ Apache CXF -- Security Securing CXF Services -Secure transportsHTTPSWS-* Security (including UsernameToken and X.509 Token profiles)WS-Trust, STS, SSOOAuthAuthenticationAuthorizationControlling Large Request PayloadsXMLMultiparts +Secure transportsHTTPSWS-* Security (including UsernameToken and X.509 Token profiles)WS-Trust, STSSAML Web SSOOAuthAuthenticationAuthorizationControlling Large Request PayloadsXMLMultiparts Secure transports @@ -136,10 +136,14 @@ Apache CXF -- Security Please see the http://cxf.apache.org/docs/ws-support.html";>WS-* Support page for more information. -WS-Trust, STS, SSO +WS-Trust, STS Please see the https://cwiki.apache.org/CXF20DOC/ws-trust.html";>WS-Trust page for more information. +SAML Web SSO + +Please see http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html"; rel="nofollow">this blog entry announcing the support for SAML Web SSO profile and the [SAML Web SSO] page for more information. + OAuth Please check http://cxf.apache.org/docs/jax-rs-oauth2.html";>OAuth2.0 and http://cxf.apache.org/docs/jax-rs-oauth.html";>OAuth1.0 pages for the information about the support for OAuth 2.0 and OAuth 1.0 in CXF.
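Review bot: `the [SAML Web SSO] page for more information` is an unresolved wiki-link literal that will render as bracketed text rather than a hyperlink; replace it with an `<a href>` like the adjacent `WS-Trust` and `OAuth2.0` links. The TOC line changes `WS-Trust, STS, SSO` to `WS-Trust, STSSAML Web SSO`, which reads as run together; confirm the two entries are separate list items in the rendered TOC.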
svn commit: r823098 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html
Author: buildbot Date: Mon Jun 25 11:47:58 2012 New Revision: 823098 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/saml-web-sso.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/saml-web-sso.html == --- websites/production/cxf/content/docs/saml-web-sso.html (original) +++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jun 25 11:47:58 2012 @@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO -IntroductionTypical FlowMaven dependenciesIdentity ProviderRequest Assertion Security ServiceApplication Security FilterSSO State Provider +IntroductionTypical FlowMaven dependenciesIdentity ProviderApplication Security FilterRequest Assertion Security ServiceSSO State Provider Introduction @@ -137,7 +137,7 @@ Apache CXF -- SAML Web SSO The following components are required to get SSO supported: -Identity Provider (IDP) supporting SAML SSORequest Assertion Consumer Service (RACS)Application Security FilterSSO State Provider +Identity Provider (IDP) supporting SAML SSORequest Assertion Consumer Service (RACS)Service Provider Security FilterSSO State Provider The following sections will describe these components in more details 
@@ -147,13 +147,13 @@ Apache CXF -- SAML Web SSO Typically, the following flow represents the way SAML SSO is enforced: 1. User accesses a custom application for the first time -2. Application Security Filter checks if the security context is available +2. Service Provider Security Filter checks if the security context is available and redirects the user to IDP with a SAML SSO request 3. IDP challenges the user with the authentication dialog and redirects the user to Request Assertion Consumer Service (RACS) after the user has authenticated 4. RACS validates the response from IDP, establishes a security context and redirects the user to the original application endpoint -5. Application Security Filter enforces that a valid security context is available and lets the user +5. Service Provider Security Filter enforces that a valid security context is available and lets the user access the custom application. Maven dependencies 
@@ -169,8 +169,17 @@ Apache CXF -- SAML Web SSO Identity Provider -Request Assertion Security Service + +Identity Provider (IDP) is the service which accepts the redirect requests from application security filters, authenticates users and redirects them back to Request Assertion Security Service. + +CXF does not offer its own IDP SAML Web SSO implementation but might provide it in the future as part of the http://cxf.apache.org/fediz.html";>Fediz project. + +However, CXF has been tested against a number of popular IDP implementations which support SAML SSO and thus should be interoperable with whatever IDP is being used in the specific production environment. The interoperability tests have shown that some IDPs may process SAML request and produce SAML response data the way which may not be exactly specification-compliant and thus CXF Request Assertion Consumer Service (RACS) and Service Provider Security Filter implementations have a number of configuration properties for adjusting the way SAML requests to IDP are prepared and SAML responsed from IDP are processed. + Application Security Filter + +Request Assertion Security Service + SSO State Provider
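Review bot: the new heading `Request Assertion Security Service` and the IDP paragraph's `redirects them back to Request Assertion Security Service` disagree with the rest of the page, which calls the component `Request Assertion Consumer Service (RACS)`; use one name, and RACS is the one that matches the SAML term Assertion Consumer Service. `SAML responsed from IDP` should be `SAML responses from IDP`. The paragraph also says there are `configuration properties for adjusting the way SAML requests to IDP are prepared and SAML responsed from IDP are processed` to cope with IDPs that are `not exactly specification-compliant`; document which checks those properties relax, for example whether signature, audience or validity-period handling is affected, so that an operator tuning for interoperability knows what assurance is being traded away.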
svn commit: r823109 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html
Author: buildbot Date: Mon Jun 25 12:47:59 2012 New Revision: 823109 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/saml-web-sso.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/saml-web-sso.html == --- websites/production/cxf/content/docs/saml-web-sso.html (original) +++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jun 25 12:47:59 2012 @@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO -IntroductionTypical FlowMaven dependenciesIdentity ProviderApplication Security FilterRequest Assertion Security ServiceSSO State Provider +IntroductionTypical FlowMaven dependenciesIdentity ProviderService Provider Security FilterRedirect Binding FilterPOST Binding FilterRequest Assertion Security ServiceSSO State Provider Introduction 
@@ -174,9 +174,125 @@ Apache CXF -- SAML Web SSO CXF does not offer its own IDP SAML Web SSO implementation but might provide it in the future as part of the http://cxf.apache.org/fediz.html";>Fediz project. -However, CXF has been tested against a number of popular IDP implementations which support SAML SSO and thus should be interoperable with whatever IDP is being used in the specific production environment. The interoperability tests have shown that some IDPs may process SAML request and produce SAML response data the way which may not be exactly specification-compliant and thus CXF Request Assertion Consumer Service (RACS) and Service Provider Security Filter implementations have a number of configuration properties for adjusting the way SAML requests to IDP are prepared and SAML responsed from IDP are processed. +However, CXF has been tested against a number of popular IDP implementations which support SAML SSO and thus should be interoperable with whatever IDP is being used in the specific production environment. The interoperability tests have shown that some IDPs may process SAML request and produce SAML response data the way which may not be exactly specification-compliant and thus CXF Request Assertion Consumer Service (RACS) and Service Provider Security Filter implementations have a number of configuration properties for adjusting the way SAML requests to IDP are prepared and SAML responses from IDP are processed. + +Service Provider Security Filter + +SP Security Filter protects the application endpoints by checking that a valid SSO security context is available. If it is then the filter lets the request to continue, if not then it redirects the current user to IDP. + +CXF offers two SP Security filters, one for redirecting the user back to IDP via GET and another one - via POST. + +Redirect Binding Filter + +Redirect Binding Filter is implemented by org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter. 
+ +Here is an example of a typical filter protecting a custom JAX-RS endpoint: + + +<bean id="serviceBean" class="org.apache.cxf.samlp.sso.BookStore"/> + +<jaxrs:server address="/app1"> + <jaxrs:serviceBeans> + <ref bean="serviceBean"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <ref bean="redirectGetFilter"/> + </jaxrs:providers> +</jaxrs:server> + +<bean id="redirectGetFilter" class="org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter"> + <property name="idpServiceAddress" value="https://localhost:9443/idp";/> + <!-- both relative and absolute URIs are supported --> + <property name="assertionConsumerServiceAddress" value="/racs/sso"/> + <property name="stateProvider" ref="stateManager"/> +</bean> + + +<bean id="stateManager" class="org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager"> +<constructor-arg ref="cxf"/> +</bean> + + + + +Note that at the very minimum the filter needs to have 3 properties set-up: +1. IDP service address +2. RACS address - it can be absolute or relative if RACS is collocated + (shares the same web application context) with the application endpoint. +3. Reference to SSO State Provider. + +POST Binding Filter + +POST Binding Filter is implemented by org.apache.cxf.rs.security.saml.sso.SamlPostBindingFilter. + +Here is an example of a typical filter protecting a custom JAX-RS endpoint. + + +<bean id="serviceBean" class="org.apache.cxf.samlp.sso.BookStore"/> +<jaxrs:server address="/app2"> +<jaxrs:serviceBeans&g
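Review bot: the text says `at the very minimum the filter needs to have 3 properties set-up` and the example sets exactly `idpServiceAddress`, `assertionConsumerServiceAddress` and `stateProvider`, so this is what readers will deploy; state next to the example which signature checks RACS applies to the IDP response and assertion by default and which keystore or truststore properties they need, otherwise the minimal setup reads as though an unsigned response were acceptable. Two smaller points: `lets the request to continue` should be `lets the request continue`, and the comment `both relative and absolute URIs are supported` on `assertionConsumerServiceAddress` should add the condition the numbered list already gives, that the relative form only works when RACS shares the web application context.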
svn commit: r823119 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html
Author: buildbot Date: Mon Jun 25 13:47:50 2012 New Revision: 823119 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/saml-web-sso.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/saml-web-sso.html == --- websites/production/cxf/content/docs/saml-web-sso.html (original) +++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jun 25 13:47:50 2012 @@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO -IntroductionTypical FlowMaven dependenciesIdentity ProviderService Provider Security FilterRedirect Binding FilterPOST Binding FilterRequest Assertion Security ServiceSSO State Provider +IntroductionTypical FlowMaven dependenciesIdentity ProviderService Provider Security FilterRedirect Binding FilterPOST Binding FilterSigning SAML Authentication RequestsFilters and State ManagementRequest Assertion Security ServiceDealing with signed SAML ResponsesSSO State Provider Introduction @@ -180,6 +180,10 @@ Apache CXF -- SAML Web SSO SP Security Filter protects the application endpoints by checking that a valid SSO security context is available. If it is then the filter lets the request to continue, if not then it redirects the current user to IDP. +When a filter redirects a user to IDP, it creates a SAML Authentication Request, see http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile"; rel="nofollow">this page for the example and appends it to the IDP Service URI or gets it POSTed to IDP. +Additionally, a RelayState token pointing to the state of the current user request is also included which IDP will +return to Request Assertion Consumer Service (RACS) after the user has authenticated. + CXF offers two SP Security filters, one for redirecting the user back to IDP via GET and another one - via POST. Redirect Binding Filter 
@@ -221,6 +225,13 @@ Apache CXF -- SAML Web SSO (shares the same web application context) with the application endpoint. 3. Reference to SSO State Provider. +The following optional properties affecting the created SAML request may also be set: +String issuerId - it defaults to the base URI of the application endpoint protected by this filter, for example, "http://localhost:8080/services/app1";.http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilder.java?view=markup";>AuthnRequestBuilder authnRequestBuilder - A builder that constructs the SAML Request. It defaults to http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/DefaultAuthnRequestBuilder.java?view=markup";>DefaultAuthnRequestBuilder. + + +The IDP address is where filters will redirect users to and the RACS address is where users will be redirected by IDP to. +RACS will set up a security context and redirect the user back to the original application address by using the RelayState token which is included by the filters when users are initially redirected to IDP. + POST Binding Filter POST Binding Filter is implemented by org.apache.cxf.rs.security.saml.sso.SamlPostBindingFilter. 
@@ -261,11 +272,13 @@ Apache CXF -- SAML Web SSO -Note that the POST binding filter has the same base properties as org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter has but also -sets a "useDeflateEncoding" property for getting a SAML request deflated. Some IDPs might not be able to process deflated SAML requests with POST binding redirects thus the compression may be optionally disabled. +Note that the POST binding filter has the same 3 required properties as org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter has but also sets a "useDeflateEncoding" property for getting a SAML request deflated. Some IDPs might not be able to process deflated SAML requests with POST binding redirects thus the compression may be optionally disabled. + +What is actually different in this case from the GET-based redirect is that the filter prepares an instance of http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRequestInfo.java";>SAMLRequestInfo which is subsequently bound to an XHTML view via a JSP filter. The view will typically have a Java Script handler which will actually redirect the user to IDP when it is loaded into the browser. The data to view binding is facilitated by org.apache.cxf.jaxrs.provider.RequestDispatcherProvider, please see http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider&
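Review bot: the RelayState sentence describes `a RelayState token pointing to the state of the current user request`; say explicitly that the token is an opaque key into the SSO State Provider and not the target URL itself, because a RelayState that carries a URL and is trusted by RACS for the final redirect becomes an open redirector. In the POST binding description the `SAMLRequestInfo` values are `bound to an XHTML view via a JSP filter` whose `Java Script handler` submits them to the IDP; the doc should note that the view must encode the SAMLRequest and RelayState values it writes into the form rather than echo them raw. The `issuerId` default example `http://localhost:8080/services/app1` is plain http while the earlier `idpServiceAddress` example is https; use https in both so the page does not suggest an SP issuer over cleartext.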
buildbot failure in ASF Buildbot on cxf-site-production
The Buildbot has detected a new failure on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/2681 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: BUILD FAILED: failed shell sincerely, -The Buildbot
buildbot success in ASF Buildbot on cxf-site-production
The Buildbot has detected a restored build on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/2682 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: Build succeeded! sincerely, -The Buildbot
svn commit: r823135 - in /websites/production/cxf/content: cache/docs.pageCache docs/security.html
Author: buildbot Date: Mon Jun 25 16:47:47 2012 New Revision: 823135 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/security.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/security.html == --- websites/production/cxf/content/docs/security.html (original) +++ websites/production/cxf/content/docs/security.html Mon Jun 25 16:47:47 2012 @@ -142,7 +142,7 @@ Apache CXF -- Security SAML Web SSO -Please see http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html"; rel="nofollow">this blog entry announcing the support for SAML Web SSO profile and the [SAML Web SSO] page for more information. +Please see http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html"; rel="nofollow">this blog entry announcing the support for SAML Web SSO profile and the https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO";>SAML Web SSO page for more information. OAuth
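Review bot: the corrected link targets `https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO`, whereas r823098 in this same series published `docs/saml-web-sso.html` on the production site and the `OAuth` links beside it use the `http://cxf.apache.org/docs/...` form; pointing at `docs/saml-web-sso.html` keeps the section consistent and avoids depending on the wiki rendering.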
svn commit: r823299 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html
Author: buildbot Date: Tue Jun 26 14:48:00 2012 New Revision: 823299 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-securitypolicy.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-securitypolicy.html == --- websites/production/cxf/content/docs/ws-securitypolicy.html (original) +++ websites/production/cxf/content/docs/ws-securitypolicy.html Tue Jun 26 14:48:00 2012 
@@ -139,10 +139,11 @@ Apache CXF -- WS-SecurityPolicy Configuring the extra properties -With CXF 2.2, there are several extra properties that may need to be set to provide the additional bits of information to the runtime: +There are several extra properties that may need to be set to provide the additional bits of information to the runtime. Note that you should check that a particular property is supported in the version of CXF you are using. - ws-security.username The username used for UsernameToken policy assertions ws-security.password The password used for UsernameToken policy assertions. If not specified, the callback handler will be called. ws-security.callback-handler The WSS4J security CallbackHandler that will be used to retrieve passwords for keystores and UsernameTokens. ws-security.signature.properties The properties file/object that contains the WSS4J properties for configuring the signature keystore and c rypto objects ws-security.encryption.properties The properties file/object that contains the WSS4J properties for configuring the encryption keystore and crypto objects ws-security.signature.username The username or alias for the key in the signature keystore that will be used. If not specified, it uses the the default alias set in the properties file. If that's also not set, and the keystore only contains a single key, that key will be used. ws-security.encryption.username The username or alias for the key in the encryption keystore that will be used. If not specified, it uses the the default alias set in the propertie s file. If that's also not set, and the keystore only contains a single key, that key will be used. For the web service provider, the useReqSigCert keyword can be used to accept (encrypt to) any client whose public key is in the service's truststore (defined in ws-security.encryption.properties.) 
ws-security.signature.crypto Instead of specifying the signature properties, this can point to the full http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html";>WSS4J Crypto object. This can allow easier "programmatic" configuration of the Crypto information." ws-security.encryption.crypto Instead of specifying the encryption properties, this can point to the full http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html";>WSS4J Crypto object. This can allow easier "programmatic" configuration of the Crypto information." + ws-security.username The username used for UsernameToken policy assertions ws-security.password The password used for UsernameToken policy assertions. If not specified, the callback handler will be called. ws-security.callback-handler The WSS4J security CallbackHandler that will be used to retrieve passwords for keystores and UsernameTokens. ws-security.signature.properties The properties file/object that contains the WSS4J properties for configuring the signature keystore and c rypto objects ws-security.encryption.properties The properties file/object that contains the WSS4J properties for configuring the encryption keystore and crypto objects ws-security.signature.username The username or alias for the key in the signature keystore that will be used. If not specified, it uses the the default alias set in the properties file. If that's also not set, and the keystore only contains a single key, that key will be used. ws-security.encryption.username The username or alias for the key in the encryption keystore that will be used. If not specified, it uses the the default alias set in the propertie s file. If that's also not set, and the keystore only contains a single key, that key will be used. 
For the web service provider, the useReqSigCert keyword can be used to accept (encrypt to) any client whose public key is in the service's truststore (defined in ws-security.encryption.properties.) ws-security.signature.crypto Instead of specifying the signature properties, this can point to the full http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html";
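Review bot: the rewritten intro swaps the concrete "With CXF 2.2" marker for "check that a particular property is supported in the version of CXF you are using", which gives the reader nothing to check against; keep a "since" version next to each property instead of the blanket caveat. The re-added property rows also carry over the "the the default alias" typo (twice) and the stray closing quote after `Crypto information."` in both the ws-security.signature.crypto and ws-security.encryption.crypto entries. On the useReqSigCert row it is worth stating explicitly that encrypting to the certificate carried in the request signature only makes sense after that signature has been verified against the truststore named in ws-security.encryption.properties; as written, "accept (encrypt to) any client" reads as if the certificate in the request is trusted on its own.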
svn commit: r823315 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html docs/jaxrs-services-description.html
Author: buildbot Date: Tue Jun 26 16:47:51 2012 New Revision: 823315 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-advanced-features.html websites/production/cxf/content/docs/jaxrs-services-description.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html == --- websites/production/cxf/content/docs/jax-rs-advanced-features.html (original) +++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Tue Jun 26 16:47:51 2012 @@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Advanced Features JAX-RS : Advanced Features -JMS SupportFIQL search queriesIntroductionDependencies and ConfigurationConsuming FIQL queriesSearchBeanBuilding FIQL queriesUsing dates in queriesOneway invocationsSupport for Continuations< /a>Server-side cachingRESTful services without annotationsConfiguration +JMS SupportFIQL search queriesIntroductionDependencies and ConfigurationConsuming FIQL queriesConverting FIQL queriesSQLJPA 2.0Custom visitorsSearchBeanBuilding FIQL queriesUsing dates in queriesOneway invocationsSupport for ContinuationsServer-side cachingRESTful services without annotationsConfiguration JMS Support 
@@ -195,7 +195,7 @@ An expression such as "name==CXF*" can b Consuming FIQL queries -To work with FIQL queries, a http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchContext.java";>SearchContext needs be injected into an application code and used to retrieve a http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchCondition.java";>SearchCondition representing the current FIQL query. This SearchCondition can be used in a number of ways for finding the matching data. +To work with FIQL queries, a http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchContext.java";>SearchContext needs be injected into an application code and used to retrieve a http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchCondition.java";>SearchCondition representing the current FIQL query. This SearchCondition can be used in a number of ways for finding the matching data. For example : 
@@ -225,25 +225,14 @@ An expression such as "name==CXF*" can b Note that a searchContext.getCondition(Book.class) call may return an arbitrary complex SearchCondition, it can be a simple primitive expression or a more complex one. The Book class needs to have a matching property per every name found in the FIQL expression, for example, given a 'name==b;id==123' expression, the Book class would need to have 'name' and 'id' properties available. -SearchCondition can also be used to get to all the search requirements (originally expressed in FIQL) and do some manual -comparison against the local data. For example, SearchCondition provides a utility toSQL(String tableName, String... columnNames) method which internally introspects all the search expressions constituting a current query and converts them into an SQL expression: +Converting FIQL queries - - -// find all conditions with names starting from 'ami' -// and levels greater than 10 : -// ?_s="name==ami*;level=gt=10" -SearchCondition<Book> sc = searchContext.getCondition(Book.class); -assertEquals("SELECT * FROM table - WHERE - name LIKE 'ami%' - AND - level > '10'", - sq.toSQL("table")); - - +SearchCondition can also be used to convert the search requirements (originally expressed in FIQL) into other query languages. +A custom http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchConditionVisitor.java";>SearchConditionVisitor implementation can be used to convert SearchCondition objects into custom expressions or typed objects. CXF ships visitors for converting expressions to SQL and JPA 2.0 CriteriaQuery or TypedQuery objects. -The SearchCondition.toSQL() method has become deprecated in CXF 2.3.3 and 2.4.0. Using an org.apache.cxf.jaxrs.ext.search.sql.SQLPrinterVisitor is recommended as it will allow for building more advanced SQL expressions. 
For example: +SQL + +org.apache.cxf.jaxrs.ext.search.sql.SQLPrinterVisitor can be used for creating SQL expressions. For example: @@ -267,7 +256,7 @@ assertEqu
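Review bot: the new "Converting FIQL queries" / "SQL" text should say how SQLPrinterVisitor treats the values taken from the FIQL expression, because the removed toSQL() example shows them spliced into the statement as literals (`name LIKE 'ami%' AND level > '10'`) and the FIQL string arrives straight from the request URI (`?_s=...`); either document that the visitor escapes or parameterizes values, or point readers at the JPA 2.0 CriteriaQuery/TypedQuery visitors named in the same paragraph for anything that reaches a database. Minor: the removed snippet declared `sc` but called `sq.toSQL("table")`; make sure the replacement example under "SQL" (cut off here at `@@ -267,7 +256,7 @@`) uses one consistent variable name.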
svn commit: r823358 - in /websites/production/cxf/content: cache/main.pageCache fediz-100-release-notes.html fediz-downloads.html
Author: buildbot Date: Tue Jun 26 19:47:50 2012 New Revision: 823358 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-100-release-notes.html websites/production/cxf/content/fediz-downloads.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-100-release-notes.html == --- websites/production/cxf/content/fediz-100-release-notes.html (original) +++ websites/production/cxf/content/fediz-100-release-notes.html Tue Jun 26 19:47:50 2012 
@@ -149,7 +149,7 @@ provides the following features: Download -DescriptionFileMD5SHA1PGPBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip";>apache-fediz-1.0.0.ziphttp://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.md5";>apache-fediz-1.0.0.zip.md5http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.sha1"; >apache-fediz-1.0.0.zip.sha1class="confluenceTd">href="http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.asc";>apache-fediz-1.0.0.zip.asc +DescriptionFileMD5SHA1PGPBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip";>apache-fediz-1.0.0.ziphttp://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.md5";>apache-fediz-1.0.0.zip.md5http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.sha1"; >apache-fediz-1.0.0.zip.sha1class="confluenceTd">href="http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.asc";>apache-fediz-1.0.0.zip.asc colspan="1" rowspan="1" class="confluenceTd">Source distributioncolspan="1" rowspan="1" class="confluenceTd">class="external-link" >href="http://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip";>fediz-1.0.0-source-release.zip colspan="1" rowspan="1" class="confluenceTd">class="external-link" >href="http://www.apache.org/dist/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip.md5";>fediz-1.0.0-source-release.zip.md5 colspan="1" rowspan="1" class="confluenceTd">class="external-link" >href="http://www.apache.org/dist/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip.sha1";>fediz-1.0.0-source-release.zip.sha1http://www.apache.org/dist/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip.asc";>fediz-1.0.0-source-release.zip.asc Modified: websites/production/cxf/content/fediz-downloads.html == --- websites/production/cxf/content/fediz-downloads.html (original) +++ websites/production/cxf/content/fediz-downloads.html Tue Jun 26 19:47:50 2012 
@@ -143,32 +143,31 @@ Apache CXF -- Fediz Downloads The 1.0.0 release is our first release. For more information please see the release notes. -DescriptionFileMD5SHA1PGPBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip";>apache-fediz-1.0.0.ziphttp://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.md5";>apache-fediz-1.0.0.zip.md5http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.sha1"; >apache-fediz-1.0.0.zip.sha1class="confluenceTd">href="http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.asc";>apache-fediz-1.0.0.zip.asc +DescriptionFileMD5SHA1PGPBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip";>apache-fediz-1.0.0.ziphttp://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.md5";>apache-fediz-1.0.0.zip.md5http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.sha1"; >apache-fediz-1.0.0.zip.sha1class="confluenceTd">href="http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.asc";>apache-fediz-1.0.0.zip.asc colspan="1" rowspan="1" class="confluenceTd">Source distributioncolspan="1" rowspan="1" class="confluenceTd">class="external-link" >href="http://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip";>fediz-1.0.0-source-release.zip colspan="1" rowspan="1" class="confluenceTd">class="external-link" >href="http://www.apache.org/dist/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip.md5";>fediz-1.0.0-source-release.
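Review bot: both tables now list MD5, SHA1 and PGP links for the binary and source distributions but neither page says how to use them; add a line telling readers to fetch the .asc from www.apache.org/dist (not from the closer.cgi mirror that serves the zip) and verify the download with it, since the mirror link is the only one of the four that a third party could tamper with. The `class="confluenceTd">href=...` and `colspan="1" rowspan="1"` fragments visible in the + lines mean the Confluence table export is leaking attributes into the rendered text; the source-distribution row needs re-exporting.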
svn commit: r823586 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs.html docs/secure-jax-rs-services.html
Author: buildbot Date: Thu Jun 28 09:48:08 2012 New Revision: 823586 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs.html websites/production/cxf/content/docs/secure-jax-rs-services.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs.html == --- websites/production/cxf/content/docs/jax-rs.html (original) +++ websites/production/cxf/content/docs/jax-rs.html Thu Jun 28 09:48:08 2012 @@ -459,7 +459,7 @@ by Java HTTPUrlConnection. When needed, Please see the Secure JAX-RS Services page for more information. -Please also check https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+XML+Security";>JAX-RS XML Security, JAX-RS SAML and JAX-RS OAuth pages for more information about the advanced security topics. +Please also check https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+XML+Security";>JAX-RS XML Security, JAX-RS SAML and JAX-RS OAuth2 pages for more information about the advanced security topics. Failover and Load Distribution Features Modified: websites/production/cxf/content/docs/secure-jax-rs-services.html == --- websites/production/cxf/content/docs/secure-jax-rs-services.html (original) +++ websites/production/cxf/content/docs/secure-jax-rs-services.html Thu Jun 28 09:48:08 2012 @@ -124,7 +124,7 @@ Apache CXF -- Secure JAX-RS Services JAX-RS: Security -HTTPSConfiguring endpointsConfiguring clientsAuthenticationAuthorizationWS-Trust integrationValidating BasicAuth credentials with STSNote about SecurityManager +HTTPSConfiguring endpointsConfiguring clientsAuthenticationAuthorizationWS-Trust integrationValidating BasicAuth credentials with STSUsing STS to validate SAML assertionsNote about SecurityManagerAdvanced SecurityRestricting large payloadsCross Origin Resource Sharing HTTPS 
@@ -231,6 +231,8 @@ WebClient client = WebClient.create(addr HTTPConduits can also be 'bound' to proxies or WebClients using expanded QNames. Please see this http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring";>section for more information. +Please see http://aruld.info/programming-ssl-for-jetty-based-cxf-services/"; rel="nofollow">this blog entry on how the HTTPConduit TLS properties can be set up from the code. In the code, do WebClient.getConfig(myClient).getHTTPConduit() and proceed from there. + Authentication It is often containers like Tomcat or frameworks like Spring Security which handle the user authentication. Sometimes you might want to do the custom authentication instead. CXF HTTP Transport adds decoded Basic Authentication credentials into an instance of AuthorizationPolicy extension and sets it on the current message. Thus the easiest way is to register a custom invoker or RequestHandler filter which will extract a user name and password like this: 
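Review bot: the added paragraph sends readers to an external blog (marked rel="nofollow") for programmatic TLS setup and then says "proceed from there"; because the conduit's TLS parameters decide whether the server certificate and hostname are checked at all, this is the one place the page should not depend on an off-site link. Suggest an inline snippet that sets the trust material on `WebClient.getConfig(myClient).getHTTPConduit()` and states plainly that hostname verification and certificate checking must stay enabled.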
@@ -330,8 +332,6 @@ CXF JAX-RS SimpleAuthorizingFilter can b One of the requirements for deploying CXF endpoints into secure web service environments is to ensure that existing WS-Trust STS services can be used to protect the endpoints. JAX-WS endpoints can rely on CXF WS-Security and WS-Trust support. Making sure CXF JAX-RS endpoints can be additionally secured by STS is strategically important task. CXF provides close integration between JAX-WS and JAX-RS frontends thus reusing CXF JAX-WS and WS-Security is the most effective way toward achieving this integration. -At the moment what can be done is to have Basic Authentication credentials validated with STS. The next step is to provide a more advanced integration with STS, stay tuned. - Validating BasicAuth credentials with STS Validating Basic Authentication credentials with STS is possible starting from CXF 2.4.1. JAX-RS and JAX-WS services can rely on this feature. Here is an example on how a jaxrs endpoint can be configured: @@ -403,6 +403,10 @@ CXF JAX-RS SimpleAuthorizingFilter can b AuthPolicyValidatingInterceptor converts Basic Auth info into WSS4J UsernameToken and delegates to STS to validate. +Using STS to validate SAML assertions + +Please see http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLAssertionValidation";>this section for more information on how STSSamlAssertionValidator can be used to validate the inbound SAML assertions. + Note about SecurityManager If java.lang.SecurityManager is installed then you'll likely need to configure the trusted JAX-RS codebase with a 'suppressAccessChecks' permiss
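Review bot: the sentence "AuthPolicyValidatingInterceptor converts Basic Auth info into WSS4J UsernameToken and delegates to STS to validate" is where the page should state that the user's password leaves the endpoint a second time, inside the WS-Trust request to the STS, so the STS connection must itself be TLS-protected (or the UsernameToken protected by the STS's WS-SecurityPolicy). The new "Using STS to validate SAML assertions" section is only a link; one sentence on what STSSamlAssertionValidator delegates to the STS versus checks locally would help readers decide whether they need it.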
svn commit: r823593 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html
Author: buildbot Date: Thu Jun 28 10:47:59 2012 New Revision: 823593 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-advanced-features.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html == --- websites/production/cxf/content/docs/jax-rs-advanced-features.html (original) +++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Thu Jun 28 10:47:59 2012 
@@ -124,11 +124,16 @@ Apache CXF -- JAX-RS Advanced Features JAX-RS : Advanced Features -JMS SupportFIQL search queriesIntroductionDependencies and ConfigurationConsuming FIQL queriesConverting FIQL queriesSQLJPA 2.0Custom visitorsSearchBeanBuilding FIQL queriesUsing dates in queriesOneway invocationsSupport for ContinuationsServer-side cachingRESTful services without annotationsConfiguration +JMS SupportEndpointsClientFIQL search queriesIntroductionDependencies and ConfigurationConsuming FIQL queriesConverting FIQL queriesSQLJPA 2.0Custom visitorshref="#JAX-RSAdvancedFeatures-SearchBean">SearchBeanshape="rect" href="#JAX-RSAdvancedFeatures-BuildingFIQLqueries">Building FIQL >querieshref="#JAX-RSAdvancedFeatures-Usingdatesinqueries">Using dates in >querieshref="#JAX-RSAdvancedFeatures-Onewayinvocations">Oneway >invocationshref="#JAX-RSAdvancedFeatures-SupportforContinuations">Support for >Continuationshref="#JAX-RSAdvancedFeatures-Serversidecaching">Server-side >cachinghref="#JAX-RSAdvancedFeatures-RESTfulserviceswithoutannotations">RESTful >services without annotationshref="#JAX-RSAdvancedFeatures-Configuration">Configuration JMS Support -CXF has been designed such that multiple transports can be supported for a given endpoint. If you would like your JAXRS endpoint be capable of serving not only HTTP but also JMS requests then you need to specify a JMS transportId, example : +CXF has been designed such that multiple transports can be supported for a given endpoint. CXF JAX-RS endpoint and proxies can optionally +support the JMS transport. + +Endpoints + +If you would like your JAXRS endpoint be capable of serving not only HTTP but also JMS requests then you need to specify a JMS transportId, example: 
@@ -156,6 +161,29 @@ jaxrs:server/@address is set to "/bar" t By referencing a bean such as 'org.apache.cxf.systest.jaxrs.JMSBookStore' from multiple jaxrs endpoints you can ensure that both HTTP and JMS requests are handled by the same service bean. In such cases you may want to use a CXF JAXRS specific http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/ProtocolHeaders.java";>ProtocolHeaders context which will let you get either HTTP or JMS headers. +Client + +Starting from CXF 2.5.5 and CXF 2.6.2 it is possible to use the client proxies to invoke on JMS endpoints. All one needs to do is to provide a JMS endpoint address and then continue working with the proxy as usual. For example: + + + +// setup the the client +String endpointAddressUrlEncoded = "jms:jndi:dynamicQueues/test.jmstransport.text" + + "?jndiInitialContextFactory=org.apache.activemq.jndi.ActiveMQInitialContextFactory" + + "&replyToName=dynamicQueues/test.jmstransport.response" + + "&jndiURL=tcp://localhost:" + JMS_PORT + + "&jndiConnectionFactoryName=ConnectionFactory"; + +JMSBookStore client = JAXRSClientFactory.create(endpointAddressUrlEncoded, JMSBookStore.class); +Book book = client.getBook("123"); +assertEquals("Get a wrong response code.", 200, WebClient.client(client).getResponse().getStatus()); +assertEquals("Get a wrong book id.", 123, book.getId()); + + + +The client runtime will set up the JMS properties described in the previous section according to JAX-RS and other annotations (such as org.apache.cxf.jaxrs.ext.Oneway) available in JMSBookStore resource class. + + FIQL search queries Introduction
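Review bot: the new client snippet depends on identifiers that only exist in the CXF system tests: `JMS_PORT`, `assertEquals` and the `JMSBookStore` interface are never introduced, and the variable is called `endpointAddressUrlEncoded` although the address is not URL-encoded (it contains raw `?`, `&` and `/`). Either say the snippet is lifted from the systests or give it a plain port literal and drop the assertEquals lines. Minor: "setup the the client" in the comment.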
svn commit: r823610 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs.html
Author: buildbot Date: Thu Jun 28 12:47:51 2012 New Revision: 823610 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs.html == --- websites/production/cxf/content/docs/jax-rs.html (original) +++ websites/production/cxf/content/docs/jax-rs.html Thu Jun 28 12:47:51 2012 
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS -IntroductionProject setup and configurationMigrationMaven dependenciesCXF 2.3.x - CXF 2.5.xCXF 2.6.xSetting up the classpathCXF JAX-RS bundleWhat is NewGetting Started with JAX-RSUnderstanding the BasicsSupport for Data BindingsHow Request >URI is MatchedClient >APIhref="#JAX-RS-Filters%2CInterceptorsandInvokers">Filters, Interceptors and >Invokershref="#JAX-RS-ServicelistingsandWADLsupport">Service listings and WADL >supporthref="#JAX-RS-ConfiguringJAXRSservices">Configuring JAX-RS >serviceshref="#JAX-RS-Debugging">Debugginghref="#JAX-RS-Logging">Logginghref="#JAX-RS-AdvancedFeatures">Advanced Featuresshape="rect" href="#JAX-RS-Multiparts">Multipartshref="#JAX-RS-SecureJAXRSservices">Secure JAX-RS servicesshape="rect" href="#JAX-RS-FailoverandLoadDistributionFeatures">Failover and >Load Distribution FeaturesRedirectionXSLT and XPathComplex Search QueriesModel-View-Controller supportCombining JAX-WS and JAX-RSIntegration with Distributed OSGiOther Advanced FeaturesMaven PluginsDeploymentRESTful ResourcesHow to contribute +IntroductionProject setup and configurationMigrationMaven dependenciesCXF 2.3.x - CXF 2.5.xCXF 2.6.xSetting up the classpathCXF JAX-RS bundleWhat is NewGetting Started with JAX-RSUnderstanding the BasicsSupport for Data BindingsHow Request >URI is MatchedClient >APIhref="#JAX-RS-Filters%2CInterceptorsandInvokers">Filters, Interceptors and >Invokershref="#JAX-RS-ServicelistingsandWADLsupport">Service listings and WADL >supporthref="#JAX-RS-ConfiguringJAXRSservices">Configuring JAX-RS >serviceshref="#JAX-RS-Testing">Testinghref="#JAX-RS-Debugging">Debugginghref="#JAX-RS-Logging">Logginghref="#JAX-RS-AdvancedFeatures">Advanced Featuresshape="rect" href="#JAX-RS-Multiparts">Multipartshref="#JAX-RS-SecureJAXRSservices">Secure JAX-RS servicesshape="rect" href="#JAX-RS-FailoverandLoadDistributionFeatures">Failover and >Load Dis tribution FeaturesRedirectionXSLT and XPathComplex Search QueriesModel-View-Controller 
supportCombining JAX-WS and JAX-RSIntegration with Distributed OSGiOther Advanced FeaturesMaven PluginsDeploymentRESTful ResourcesHow to contribute Introduction @@ -372,6 +372,10 @@ Please see the configuration sections be Please see the JAXRS Services Configuration page for more information. +Testing + +JAX-RS services can be easily tested using the embedded Jetty or CXF Local Transport. +Please see the [JAXRS Testing] page for more information. Debugging
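Review bot: the new Testing section links to "[JAXRS Testing]" with literal square brackets, i.e. an unresolved Confluence link that renders as plain text; r825051 later in this digest corrects it to https://cwiki.apache.org/confluence/display/CXF20DOC/JAXRS+Testing, so the two commits should have been one.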
svn commit: r823758 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-data-bindings.html docs/servlet-transport.html
Author: buildbot Date: Fri Jun 29 17:47:58 2012 New Revision: 823758 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-data-bindings.html websites/production/cxf/content/docs/servlet-transport.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-data-bindings.html == --- websites/production/cxf/content/docs/jax-rs-data-bindings.html (original) +++ websites/production/cxf/content/docs/jax-rs-data-bindings.html Fri Jun 29 17:47:58 2012 
@@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Data Bindings JAX-RS : Data Bindings -JAXB supportConfiguring JAXB providerJAXB and MoxyJSON supportJettisonConfiguring JSON providerDealing with JSON array serialization issuesBadgerFish conventionWrapping and Unwrapping JSON sequencesTypeConverters< /a>JacksonCommon JAXB and JSON configurationSingle JAXBContext and extra user classesAutomatic JAXBElement conversion during serializationHandling JAXB beans without XmlRootElement annotationsHandling explicit collectionsCustomizing JAXB XML and JSON input and outputControlling Large JAXB XML and JSON input payloadsJSON With PaddingForm payloadsAtomAegis Data BindingXMLBeansCXF DataBindings as JAX-RS providersJAXRS DataBindingSchema validationOutput validationFast Infoset +JAXB supportConfiguring JAXB providerJAXB and MoxyJSON supportJettisonConfiguring JSON providerDealing with JSON array serialization issuesBadgerFish conventionWrapping and Unwrapping JSON sequencesTypeConverters< /a>JacksonCommon JAXB and JSON configurationSingle JAXBContext and extra user classesAutomatic JAXBElement conversion during serializationHandling JAXB beans without XmlRootElement annotationsHandling explicit collectionsCustomizing JAXB XML and JSON input and outputControlling Large JAXB XML and JSON input payloadsJSON With PaddingForm payloadsAtomAegis Data BindingXMLBeansCXF DataBindings as JAX-RS providersJAXRS DataBindingSchema validationSupport for catalogsOutput validationFast >Infoset JAXB support 
@@ -983,6 +983,33 @@ individual MessageBodyReader implementat +Support for catalogs + +Available starting from CXF 2.5.5, 2.6.2 + +XML Catalogs can be used for the main schema (which is used to validate the data) to get the imported or included schema resources resolved locally. +By default, a "META-INF/jax-rs-catalog.xml" will be checked however the catalog location can be set either on JAXBElementProvider or JSONProvider: + + + +<bean id="jaxbProvider" class="org.apache.cxf.jaxrs.provider.JAXBElementProvider"> + <property name="catalogLocation" value="classpath:/schemas/mycatalog.xml"/> +</bean> + + + + +where mycatalog.xml may look like this: + + + +<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"> prefer="system"> +<system systemId="http://schemas/bookid.xsd"; uri="classpath:WEB-INF/schemas/bookid.xsd"/> +</catalog> + + + + Output validation By default, after a valid schema has been located, only JAXB Unmarshaller will use it to validate the input. Modified: websites/production/cxf/content/docs/servlet-transport.html == --- websites/production/cxf/content/docs/servlet-transport.html (original) +++ websites/production/cxf/content/docs/servlet-transport.html Fri Jun 29 17:47:58 2012 
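Review bot: the catalog example is not well-formed XML: `<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"> prefer="system">` closes the start tag before the prefer attribute; it should read `<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" prefer="system">`. Worth one sentence on why the feature matters beyond convenience: with the catalog in place the imported/included schemas are resolved from the classpath, so validation no longer depends on fetching http://schemas/bookid.xsd (or whatever the import points at) over the network at runtime. The two snippets also use different classpath forms (`classpath:/schemas/mycatalog.xml` vs `classpath:WEB-INF/schemas/bookid.xsd`); pick one.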
@@ -265,6 +265,85 @@ Apache CXF -- Servlet Transport Finally, DefaultCXFServlet serves a requested book.html. +Serving welcome pages + +Starting from CXF 2.5.5 and 2.6.2 it is possible to configure CXFServlet to serve welcome pages in a number of ways. + +For example, lets assume we have a web application called "webapp" which has a root resource called "index.html". +For CXFServlet to support both "/webapp" and "/webapp/index.html" requests returning "index.html", while letting all other requests to proceed to the actual endpoints, the following can be done. + +Option1. Delegating to Default Servlet + + + +<servlet> +<servlet-name>CXFServlet</servlet-name> +<display-name>CXF Servlet</display-name> +<servlet-class> +org.apache.cxf.transport.servlet.CXFServlet +</servlet-class> +<init-param> +<param-name>redirects-list</param-name> +<param-value> + / + /index.html +</param-value> +</init-param> +&
buildbot failure in ASF Buildbot on cxf-site-production
The Buildbot has detected a new failure on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/2894 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: BUILD FAILED: failed compile sincerely, -The Buildbot
buildbot success in ASF Buildbot on cxf-site-production
The Buildbot has detected a restored build on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/2895 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: Build succeeded! sincerely, -The Buildbot
buildbot success in ASF Buildbot on cxf-site-production
The Buildbot has detected a restored build on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/2932 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: Build succeeded! sincerely, -The Buildbot
svn commit: r825051 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-saml.html docs/jax-rs.html docs/saml-web-sso.html
Author: buildbot Date: Sun Jul 8 17:47:50 2012 New Revision: 825051 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-saml.html websites/production/cxf/content/docs/jax-rs.html websites/production/cxf/content/docs/saml-web-sso.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-saml.html == --- websites/production/cxf/content/docs/jax-rs-saml.html (original) +++ websites/production/cxf/content/docs/jax-rs-saml.html Sun Jul 8 17:47:50 2012 @@ -705,7 +705,7 @@ If the assertion signature is verified l SAML Web SSO Profile -Please see https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO";>this page for more information +Please see this page for more information Modified: websites/production/cxf/content/docs/jax-rs.html == --- websites/production/cxf/content/docs/jax-rs.html (original) +++ websites/production/cxf/content/docs/jax-rs.html Sun Jul 8 17:47:50 2012 @@ -375,7 +375,7 @@ Please see the configuration sections be Testing JAX-RS services can be easily tested using the embedded Jetty or CXF Local Transport. -Please see the [JAXRS Testing] page for more information. +Please see the https://cwiki.apache.org/confluence/display/CXF20DOC/JAXRS+Testing";>JAXRS Testing page for more information. Debugging Modified: websites/production/cxf/content/docs/saml-web-sso.html == --- websites/production/cxf/content/docs/saml-web-sso.html (original) +++ websites/production/cxf/content/docs/saml-web-sso.html Sun Jul 8 17:47:50 2012 
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO -IntroductionTypical FlowMaven dependenciesIdentity ProviderService Provider Security FilterRedirect Binding FilterPOST Binding FilterSigning SAML Authentication RequestsFilters and State ManagementRequest Assertion Security ServiceDealing with signed SAML ResponsesSSO State Provider +IntroductionTypical FlowMaven dependenciesIdentity ProviderService Provider Security FilterRedirect Binding FilterPOST Binding FilterSigning SAML Authentication RequestsFilters and State ManagementRequest Assertion Consumer ServiceDealing with signed SAML ResponsesSSO State Provider Introduction @@ -364,9 +364,9 @@ If the custom SP application is 'spread' Note that the stateTimeToLive property affects a Cookie 'Expires' property but also used by filters and RACS to enforce that the internal state has not expired. -Request Assertion Security Service +Request Assertion Consumer Service -Request Assertion Security Service receives a SAML Authentication Response and RelayState token from IDP, uses the token to validate the response against the data available in the original SAML Authentication Request, creates a security context if it does not already exists for +Request Assertion Consumer Service receives a SAML Authentication Response and RelayState token from IDP, uses the token to validate the response against the data available in the original SAML Authentication Request, creates a security context if it does not already exists for the current user, persists it and redirect the user back to the original endpoint. The RACS processes the SAML Response, and validates it in a number of ways:
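Review bot: renaming "Request Assertion Security Service" to "Request Assertion Consumer Service" matches the SAML term and the RACS abbreviation already used on the page; while touching that sentence, fix "if it does not already exists" to "if it does not already exist" and "redirect the user back" to "redirects the user back".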
svn commit: r825115 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html
Author: buildbot Date: Mon Jul 9 09:47:50 2012 New Revision: 825115 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/saml-web-sso.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/saml-web-sso.html == --- websites/production/cxf/content/docs/saml-web-sso.html (original) +++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jul 9 09:47:50 2012 @@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO -IntroductionTypical FlowMaven dependenciesIdentity ProviderService Provider Security FilterRedirect Binding FilterPOST Binding FilterSigning SAML Authentication RequestsFilters and State ManagementRequest Assertion Consumer ServiceDealing with signed SAML ResponsesSSO State Provider +IntroductionTypical FlowMaven dependenciesIdentity ProviderService Provider Security FilterRedirect Binding FilterPOST Binding FilterSigning SAML Authentication RequestsFilters and State ManagementRequest Assertion Consumer ServiceDealing with signed SAML ResponsesSSO State ProviderDistributed State Management Introduction 
@@ -433,7 +433,92 @@ the current user, persists it and redire SP Security Filters and RACS depend on the custom http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/SPStateManager.java";>SPStateManager implementation for persisting the current request and security context state. -CXF ships an http://ehcache.org/"; rel="nofollow">EhCache-based http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java";>implementation. Users can register their own custom implementations if required. +CXF ships a basic http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/MemorySPStateManager.java";>MemorySPStateProvider and an http://ehcache.org/"; rel="nofollow">EhCache-based http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java";>implementation which is memory based with an option to overflow to the disk. Users can customize the EhCache provider or register their own custom SPStateProvider implementations if required. + +For example, by default, the EhCache provider will overflow the data to the system temp directory and will not persist the data across restarts. 
The following EhCache configuration can be used to change it: + + +<ehcache xsi:noNamespaceSchemaLocation="ehcache.xsd" updateCheck="false" monitoring="autodetect" dynamicConfig="true"> + +<diskStore path="/home/username/work/ehcache"/> + +<defaultCache +maxEntriesLocalHeap="5000" +timeToIdleSeconds="3600" +timeToLiveSeconds="3600" +overflowToDisk="true" +maxElementsOnDisk="1000" +diskPersistent="true" +diskExpiryThreadIntervalSeconds="120" +memoryStoreEvictionPolicy="LRU" +/> +</ehcache> + +Assuming this configuration is saved in WEB-INF/ehcache.xml, the EhCache provider can be configured as follows: + +{code:xml} +<bean id="stateManager" class="org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager"> +<constructor-arg value="/WEB-INF/ehcache.xml"/> +</bean> + + + +Distributed State Management + +If you have a complex application supported by a number of wars deployed into different containers, one has to decide whether to have a single RequestAssertionConsumerService (RACS) endpoint which IDP will redirect to when processing the user authentication requests or have a separate RACS endpoint per every web application which all form a bigger application. + +For example, assume you have server1, server2 and server3 which all support a bigger application. One can have a serverRacs web application which will host a RACS endpoint. Next, server1, server2 and server3 SSO filters will all point to this standalone RACS endpoint when redirecting the user to IDP and IDP will eventually redirect the user to RACS which in turn will redirect the user to the original targer URI supported by server or server2 or server3. + +In this case, one has to decide how the state between SSO security filters protecting the individual servers and RACS will be shared. +One appr
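Review bot: the new state-manager paragraph in hunk @@ -433 introduces the names "MemorySPStateProvider" and "SPStateProvider" while the preceding context line and the linked file (MemorySPStateManager.java) use SPStateManager; use SPStateManager throughout so readers look for the right class. In the same hunk, the sample ehcache.xml sets diskPersistent="true" and overflowToDisk="true" with a fixed diskStore path "/home/username/work/ehcache": because this store persists the current request and security context state, say that the path is a placeholder and that the directory must be readable and writable only by the container user. The "{code:xml}" marker is rendered literally before the stateManager bean, so that Spring snippet is not being formatted as code, and "original targer URI" should read "original target URI".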
svn commit: r825130 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html
Author: buildbot Date: Mon Jul 9 13:47:48 2012 New Revision: 825130 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-idp.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Mon Jul 9 13:47:48 2012 @@ -337,7 +337,7 @@ export JAVA_OPTS When a STS client (IDP) requests a claim, the ClaimsManager in the STS checks every registered ClaimsHandler who can provide the data of the requested claim. The CXF STS provides org.apache.cxf.sts.claims.LdapClaimsHandler which is a claims handler implementation to get claims from user attributes in a LDAP directory. -You configure which claim URI maps to which LDAP user attribute. The implementation uses the Spring Ldap Module (LdapTemplate). +You configure which claim URI maps to which LDAP user attribute. The implementation uses the Spring Ldap Module (LdapTemplate). The following example illustrate the changes to be made in webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml: @@ -384,6 +384,14 @@ value="c" +You must deploy the library for the spring ldap module and its dependencies. The POM of the spring ldap module is available http://repo1.maven.org/maven2/org/springframework/ldap/spring-ldap/1.2/spring-ldap-1.2.pom"; rel="nofollow">here. + +You can add the dependency to spring ldap module to the Fediz STS POM, add the above configuration and rebuild the STS component or do the configuration in the deployed STS directly and add the following JAR files: + +lang-2.1.0.jarldapbp-1.0.jarspring-ldap-1.2.jar + + + Configure CA certificates tbd
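Review bot: in hunk @@ -337, "The following example illustrate the changes" should read "illustrates", and since the sentence now points at webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml, say whether the configuration that follows replaces or is added alongside the existing claims handler configuration in that file.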
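Review bot: in hunk @@ -384, the JAR list "lang-2.1.0.jarldapbp-1.0.jarspring-ldap-1.2.jar" has collapsed into one token and should be one file per line; more importantly "lang-2.1.0.jar" carries no group or artifact id, so a reader cannot tell which library to fetch, whereas the linked spring-ldap-1.2.pom lets you give exact Maven coordinates for all three. "add the dependency to spring ldap module to the Fediz STS POM" reads better as "add the spring-ldap dependency to the Fediz STS POM".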
svn commit: r825144 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-cors.html
Author: buildbot Date: Mon Jul 9 16:47:47 2012 New Revision: 825144 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-cors.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-cors.html == --- websites/production/cxf/content/docs/jax-rs-cors.html (original) +++ websites/production/cxf/content/docs/jax-rs-cors.html Mon Jul 9 16:47:47 2012 @@ -125,7 +125,7 @@ Apache CXF -- JAX-RS CORS -IntroductionExamples +IntroductionMaven dependenciesExamples Introduction @@ -137,6 +137,18 @@ Apache CXF -- JAX-RS CORS Note that the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java";>CORS filter uses the JAX-RS selection algorithm to ensure that the JAX-RS resource method capable of handling the request does exist. +Maven dependencies + + + +<dependency> + <groupId>org.apache.cxf</groupId> + <artifactId>cxf-rt-rs-security-cors</artifactId> + <version>2.6.1</version> +</dependency> + + + Examples Here is the test code showing how http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java";>CrossOriginResourceSharing annotations can be applied at the resource and individual method levels:
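Review bot: the new Maven dependencies block in hunk @@ -137 pins <version>2.6.1</version> without an introductory sentence; add one line saying the version must match the CXF version already used by the project, otherwise readers copying the snippet will mix cxf-rt-rs-security-cors with a different CXF release.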
svn commit: r825149 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-cors.html
Author: buildbot Date: Mon Jul 9 17:47:49 2012 New Revision: 825149 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-cors.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-cors.html == --- websites/production/cxf/content/docs/jax-rs-cors.html (original) +++ websites/production/cxf/content/docs/jax-rs-cors.html Mon Jul 9 17:47:49 2012 @@ -248,7 +248,7 @@ Apache CXF -- JAX-RS CORS <beans> -<bean id="cors-filter" class="org.apache.cxf.jaxrs.cors.CrossOriginResourceSharingFilter"/> +<bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter"/> <jaxrs:server id="service" address="/rest"> <jaxrs:serviceBeans>
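Review bot: the corrected class name org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter agrees with the source path linked earlier on this page (rt/rs/security/cors/.../org/apache/cxf/rs/security/cors/); check the rest of the page for remaining references to the old org.apache.cxf.jaxrs.cors package, since a bean with a wrong class name fails at context startup and the CORS filter would then not be applied at all.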
svn commit: r825243 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html
Author: buildbot Date: Tue Jul 10 12:47:48 2012 New Revision: 825243 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/saml-web-sso.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/saml-web-sso.html == --- websites/production/cxf/content/docs/saml-web-sso.html (original) +++ websites/production/cxf/content/docs/saml-web-sso.html Tue Jul 10 12:47:48 2012 
@@ -467,7 +467,7 @@ Assuming this configuration is saved in If you have a complex application supported by a number of wars deployed into different containers, one has to decide whether to have a single RequestAssertionConsumerService (RACS) endpoint which IDP will redirect to when processing the user authentication requests or have a separate RACS endpoint per every web application which all form a bigger application. -For example, assume you have server1, server2 and server3 which all support a bigger application. One can have a serverRacs web application which will host a RACS endpoint. Next, server1, server2 and server3 SSO filters will all point to this standalone RACS endpoint when redirecting the user to IDP and IDP will eventually redirect the user to RACS which in turn will redirect the user to the original targer URI supported by server or server2 or server3. +For example, assume you have server1, server2 and server3 which all support a bigger application. One can have a serverRacs web application which will host a RACS endpoint. Next, server1, server2 and server3 SSO filters will all point to this standalone RACS endpoint when redirecting the user to IDP and IDP will eventually redirect the user to RACS which in turn will redirect the user to the original target URI supported by server or server2 or server3. In this case, one has to decide how the state between SSO security filters protecting the individual servers and RACS will be shared. One approach is to setup the Ehcache provider to use http://ehcache.org/documentation/configuration/distributed-cache-configuration"; rel="nofollow">Terracotta or RMI with the multicast or implement the alternative approach not involving Ehcache at all.
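Review bot: besides the "targer" fix, the next context line has "setup the Ehcache provider" (the verb is "set up") and "RMI with the multicast" ("RMI with multicast"). Since this paragraph is about sharing state between the SSO security filters and the RACS across several servers, it should also point readers to how the Terracotta or RMI replication channel is protected, because the replicated data is exactly the state those filters and the RACS rely on.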
svn commit: r825563 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html
Author: buildbot Date: Thu Jul 12 11:47:52 2012 New Revision: 825563 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-advanced-features.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html == --- websites/production/cxf/content/docs/jax-rs-advanced-features.html (original) +++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Thu Jul 12 11:47:52 2012 
@@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Advanced Features JAX-RS : Advanced Features -JMS SupportEndpointsClientFIQL search queriesIntroductionDependencies and ConfigurationConsuming FIQL queriesConverting FIQL queriesSQLJPA 2.0Custom visitorshref="#JAX-RSAdvancedFeatures-SearchBean">SearchBeanshape="rect" href="#JAX-RSAdvancedFeatures-BuildingFIQLqueries">Building FIQL >querieshref="#JAX-RSAdvancedFeatures-Usingdatesinqueries">Using dates in >querieshref="#JAX-RSAdvancedFeatures-Onewayinvocations">Oneway >invocationshref="#JAX-RSAdvancedFeatures-SupportforContinuations">Support for >Continuationshref="#JAX-RSAdvancedFeatures-Serversidecaching">Server-side >cachinghref="#JAX-RSAdvancedFeatures-RESTfulserviceswithoutannotations">RESTful >services without annotationshref="#JAX-RSAdvancedFeatures-Configuration">Configuration +JMS SupportEndpointsClientFIQL search queriesIntroductionDependencies and ConfigurationConsuming FIQL queriesConverting FIQL queriesSQLJPA 2.0Custom visitorshref="#JAX-RSAdvancedFeatures-SearchBean">SearchBeanshape="rect" >href="#JAX-RSAdvancedFeatures-SearchExpressionsinURIPathsegments">Search >Expressions in URI Path segmentshref="#JAX-RSAdvancedFeatures-Queriesinvolvingmultipleentities">Queries >involving multiple entitieshref="#JAX-RSAdvancedFeatures-Basicqueries">Basic queriesshape="rect" href="#JAX-RSAdvancedFeatures-Complexqueries">Complex >querieshref="#JAX-RSAdvancedFeatures-BuildingFIQLqueries">Building FIQL >querieshref="#JAX-RSAdvancedFeatures-Usingdatesinqueries">Using dates in >querieshref="#JAX-RSAdvancedFeatures-Alternativequerylanguages">Alternative query >languageshref="#JAX-RSAdvancedFeatures-Onewayinvocations">Oneway >invocationsSupport for ContinuationsServer-side cachingRESTful services without annotationsConfiguration JMS Support 
@@ -406,6 +406,173 @@ assertEquals("SELECT LEVEL_COLUMN FROM t +Search Expressions in URI Path segments + +By default, a FIQL expression is expected to be available in either '_s' or '_search' query. +For example, "find all the books with an 'id' property value less than 123": + + +GET /books?_s=id=lt=123 + + + +Starting from CXF 2.6.2, it is possible to work with FIQL expressions included in URI path segments, for example, the same query can be expressed +in a number of ways: + + + + +GET /books/id=lt=123 +GET /books[id=lt=123] +GET /books(id=lt=123) +GET /books;id=lt=123 + +//etc, etc + + + + +Such expressions can be captured in the code using JAX-RS annotations: + + +@Path("search") +public class BooksResource { + @Context + private SearchContext context; + + //GET /books[id=lt=123] + @GET + @Path("books[{search}]") + public List<Book> findSelectedBooks(@PathParam("search") String searchExpression) { + return doFindSelectedBooks(searchExpression); + } + + //GET /books(id=lt=123) + @GET + @Path("books({search})") + public List<Book> findSelectedBooks(@PathParam("search") String searchExpression) { + return doFindSelectedBooks(searchExpression); + } + + //GET /books/id=lt=123 + @GET + @Path("books/{search}") + public List<Book> findSelectedBooks(@PathParam("search") String searchExpression) { + return doFindSelectedBooks(searchExpression); + } + + //GET /books;id=lt=123 + @GET + @Path("books;{search}") + public List<Book> findSelectedBooks(@PathParam("search") String searchExpression) { + return doFindSelectedBooks(searchExpression); + } + + public List<Book> doFindSelectedBooks(String searchExpression) { + SearchCondition<Book> sc = context.getCondition(searchExpression, Book.class); + + // JPA2 enity manager is initialized earlier + JPATypedQuery<Book> visit
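Review bot: the BooksResource example declares four methods named findSelectedBooks with the identical signature (@PathParam("search") String searchExpression), which does not compile in Java; give them distinct names (for example findBooksBracket, findBooksParen, findBooksPath, findBooksMatrix) or show a single method with one @Path. The class is annotated @Path("search") while the comments say GET /books[id=lt=123]; either drop the class-level @Path or change the comments to /search/books[...]. Also "available in either '_s' or '_search' query" should read "query parameter", and "JPA2 enity manager" should read "entity manager".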
svn commit: r825571 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html
Author: buildbot Date: Thu Jul 12 12:47:52 2012 New Revision: 825571 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-advanced-features.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html == --- websites/production/cxf/content/docs/jax-rs-advanced-features.html (original) +++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Thu Jul 12 12:47:52 2012 @@ -572,7 +572,7 @@ such as "find all the chapters with id l -The above code can be quite functional but not necessarilry optimal. Much depends on the actual relationship between the endities, whether the initial (JPA2) query eagerly loaded all the chapters for every given book, etc. Perhaps a JOIN-like query which will immediately return only the matching chapters will be more optimal. Support for capturing the expressions involving multiple entities and possibly converting them to JOIN statements will be investigated shortly. +The above code can be quite functional but not be optimal. Much depends on the actual relationship between the entities, whether the initial (JPA2) query eagerly loaded all the chapters for every given book or not, etc. Perhaps a JOIN-like query which will immediately return only the matching chapters will be more optimal. Support for capturing the expressions involving multiple entities and possibly converting them to JOIN statements will be investigated shortly. Building FIQL queries
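Review bot: "can be quite functional but not be optimal" is still awkward; "can be quite functional but not necessarily optimal" keeps the intended meaning, and "whether the initial (JPA2) query eagerly loaded all the chapters for every given book or not, etc." can drop the trailing "or not".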
svn commit: r825586 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html
Author: buildbot Date: Thu Jul 12 16:47:48 2012 New Revision: 825586 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html == --- websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html (original) +++ websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html Thu Jul 12 16:47:48 2012 @@ -319,6 +319,8 @@ http.setClient(httpClientPolicy); The first thing to notice is the "name" attribute on <http:conduit>. This allows CXF to associate this HTTP Conduit configuration with a particular WSDL Port. The name includes the service's namespace, the WSDL port name (as found in the wsdl:service section of the WSDL), and ".http-conduit". It follows this template: "{WSDL Namespace}portName.http-conduit". Note: it's the PORT name, not the service name. Thus, it's likely something like "MyServicePort", not "MyService". If you are having trouble getting the template to work, another (temporary) option for the name value is simply "*.http-conduit". +If you are creating the Service with wsdl location like "https://xxx?wsdl";, you can configure the http conduit to pick up right SSL configuration as we just show you. The http conduit name is "{http://cxf.apache.org";>http://cxf.apache.org\}TransportURIResolver.http-conduit". + Another option for the name attribute is a reg-ex expression for the ORIGINAL URL of the endpoint. The configuration is matched at conduit creation so the address used in the WSDL or used for the JAX-WS Service.create(...) call can be used for the name. For example, you can do: 
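Review bot: in hunk @@ -319, the added sentence should read "pick up the right SSL configuration as just shown", and the conduit name carries anchor residue and a stray backslash ("{http://cxf.apache.org\}TransportURIResolver.http-conduit") that a reader would paste verbatim; it should be the plain "{http://cxf.apache.org}TransportURIResolver.http-conduit". It is also worth stating explicitly that this conduit governs the TLS settings used when the WSDL itself is fetched over https, so the same trust configuration must be applied there as for the service port.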
@@ -597,7 +599,6 @@ Language tags are regulated by the Inter If you are getting strange errors (generally not soap faults, but other HTTP type errors) when trying to interact with a service, try turning off chunking to see if that helps. -
svn commit: r825997 - in /websites/production/cxf/content: cache/main.pageCache fediz.html
Author: buildbot Date: Mon Jul 16 13:47:49 2012 New Revision: 825997 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz.html == --- websites/production/cxf/content/fediz.html (original) +++ websites/production/cxf/content/fediz.html Mon Jul 16 13:47:49 2012 @@ -193,7 +193,7 @@ The RP is a web application that needs t The examples directory contains two sample relying party applications. They are independent of each other, so it is not necessary to deploy both at once. -Each sample is described in the README.txt +Each sample is described in a README.txt file located in the base directory of each sample. Sample Description simpleWebapp a simple web application which is protected by the Fediz IDP. The FederationServlet illustrates how to get security information using the standard APIs. wsclientWebapp a protected web application that calls a web service that uses the Fediz STS to validate credentials. Here, the same STS is used for token issuance (indirectly, by the web application through use of the Fediz IDP) and validation. The FederationServlet illustrates how to securely call a web service. 
@@ -204,21 +204,11 @@ The RP is a web application that needs t Check out the code from here: svn -svn co http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunkgit +svn co https://svn.apache.org/repos/asf/cxf/fediz/trunk";>https://svn.apache.org/repos/asf/cxf/fediz/trunkgit git clone -v git://git.apache.org/cxf-fediz.git - -Building with Maven - -To build and run the tests use the following command: - - -mvn clean install - - - -Note: you need to use Maven 2.0.9 or newer and have the following environment variable set: MAVEN_OPTS=-Xmx512m +Then follow the http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup";>BUILDING.txt file in the Fediz download for full build instructions. Setting up Eclipse:
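Review bot: the svn checkout URL is moved to https, but the git clone on the next line still uses git://git.apache.org/cxf-fediz.git; the git:// transport is unauthenticated and unencrypted, so it should move to an https URL as well. The removed Maven note (Maven 2.0.9 or newer, MAVEN_OPTS=-Xmx512m) is now delegated to BUILDING.txt; confirm that file states both requirements before they are dropped here.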
svn commit: r826005 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html
Author: buildbot Date: Mon Jul 16 15:47:54 2012 New Revision: 826005 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-idp.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Mon Jul 16 15:47:54 2012 
@@ -146,20 +146,29 @@ Apache CXF -- Fediz IDP The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server. -Deploy the WAR files to your Tomcat installation (<catalina.home>/webapps). Once done, you should be able to see the Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdl"; rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl, assuming you're using port 9080 as listed below. +It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described http://www.shaunabram.com/multiple-tomcat-instances/"; rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and change http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html"; rel="nofollow">these port values so they don't conflict with the original Tomcat installation. -A Relying Party application trusts the IDP/STS component that the IDP authenticated the browser user. The trust is established based on the certificate/private key used by the STS to sign the SAML token. The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this keystore to a location where the Relying Party can reference it in its Fediz Configuration in the element certificateStores. - -This keystore contains the private key as well. 
In a production environment, you must not deploy the private key of the STS to the Relying Party +To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example: + + +CATALINA_HOME=/path/to/second/tomcat +$CATALINA_HOME/bin/startup.sh + + -Configuration +and -You can manage the users, their claims and the claims per application in the IDP. + + +CATALINA_HOME=/path/to/second/tomcat +$CATALINA_HOME/bin/shutdown.sh + + -HTTPS configuration +If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE that will need to be redefined. -It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described http://www.shaunabram.com/multiple-tomcat-instances/"; rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and change http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html"; rel="nofollow">these port values so they don't conflict with the original Tomcat installation. The Fediz examples use the following TCP ports to interact with the IDP/STS: +The Fediz examples use the following TCP ports for the IDP/STS: HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)HTTPS port: 9443 (where IDP and STS are accessed) 
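Review bot: hunk @@ -146 deletes "This keystore contains the private key as well. In a production environment, you must not deploy the private key of the STS to the Relying Party" together with the instructions for copying stsstore.jks, and nothing in the added lines restates it; the relying party only needs the STS signing certificate to establish trust, so keep that warning or move it to where the truststore setup is now described. Minor: "compared to the one hosting the RP" reads better as "separate from the one hosting the RP".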
@@ -172,34 +181,22 @@ Apache CXF -- Fediz IDP <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" - keystoreFile="tomcatKeystore.jks" + keystoreFile="tomcat-idp.jks" keystorePass="tompass" sslProtocol="TLS" /> The keystoreFile is relative to $CATALINA_HOME. See http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html";>here for the Tomcat 7 configuration reference. This page also describes how to create certificates. -Production: It's highly recommended to depl
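Review bot: the connector snippet still shows keystorePass="tompass" next to the renamed tomcat-idp.jks; mark both as sample values that must be replaced, since the surrounding text is about the keys that establish trust between the IDP/STS and relying parties and a reader copying the block would otherwise ship the sample password.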
svn commit: r826277 - in /websites/production/cxf/content: cache/main.pageCache fediz-tomcat.html
Author: buildbot Date: Thu Jul 19 03:48:53 2012 New Revision: 826277 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-tomcat.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-tomcat.html == --- websites/production/cxf/content/fediz-tomcat.html (original) +++ websites/production/cxf/content/fediz-tomcat.html Thu Jul 19 03:48:53 2012 @@ -187,7 +187,7 @@ add the previously created directory to A Valve can be configured on different levels like Host or Context. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the Context level otherwise on the Host level in the Tomcat configuration file server.xml -You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file. +You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file. (The sample RP applications bundled with Fediz already have this configured via the latter option.) META-INF/context.xml
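Review bot: "The Fediz configuration file allows to configure all servlet contexts" should read "allows you to configure", and the sentence ending "in the Tomcat configuration file server.xml" needs a full stop. The new parenthetical would be clearer naming the file ("via META-INF/context.xml in each sample WAR") rather than "the latter option".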
svn commit: r826334 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth.html docs/jax-rs-oauth2.html
Author: buildbot Date: Thu Jul 19 16:47:50 2012 New Revision: 826334 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-oauth.html websites/production/cxf/content/docs/jax-rs-oauth2.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-oauth.html == --- websites/production/cxf/content/docs/jax-rs-oauth.html (original) +++ websites/production/cxf/content/docs/jax-rs-oauth.html Thu Jul 19 16:47:50 2012 
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth -IntroductionMaven dependenciesDeveloping OAuth 1.0 ServersRequestTokenServiceAuthorizationRequestServiceAccessTokenServiceWriting OAuthDataProviderOAuth Server JAX-RS endpointsProtecting resources with OAuth filtersHow to get the user login name< a shape="rect" href="#JAX-RSOAuth-Clientsidesupport">Client-side support2-leg OAuth FlowClient requests PreAuthorized RequestTokenSignature with Consumer Key and SecretOnly Consumer Key and Secret in Authorization headerOAuth Without a BrowserDesign considerationsControlling the Access to Resource ServerSharing th e same access path between end users and consumersProviding different access points to end users and consumersSingle Sign OnWhat Is Next +IntroductionMaven dependenciesDeveloping OAuth 1.0 ServersRequestTokenServiceAuthorizationRequestServiceOOB callbacksAccessTokenServiceWriting OAuthDataProviderOAuth Server JAX-RS endpointsProtecting resources with OAuth filtersHow to get the user login nameClient-side support2-leg OAuth FlowClient requests PreAuthorized RequestTokenSignature with Consumer Key and SecretOnly Consumer Key and Secret in Authorization headerOAuth Without a BrowserReporting the error detailsDesign considerationsControlling the Access to Resource ServerSharing the same access path between end users and consumersProviding different access points to end users and consumersSingle Sign OnWhat Is Next Introduction 
@@ -354,6 +354,38 @@ Referer=[http:Assuming the decision was "allow", the consumer has now received back the request token and its verifier and is ready to exchange this pair for an access token. +OOB callbacks + +The OAuth 1.0 mentions so called "oob" (out-of-band) callbacks. If the third-party client is not running as a web application or if it is known it can not receive the redirect response from AuthorizationRequestService for whatever reasons, then a callback URI can be set to "oob", when a request token is +requested: + + + +Address: http://localhost:8080/services/oauth/initiate +Encoding: ISO-8859-1 +Http-Method: POST +Content-Type: */* +Headers: { +Accept=[application/x-www-form-urlencoded], + +Content-Length=[0], + +Authorization=[OAuth oauth_callback="oob", + oauth_nonce="e365fa02-772e-4e33-900d-00a766ccadf8", + oauth_consumer_key="123456789", + oauth_signature_method="HMAC-SHA1", + oauth_timestamp="1320748683", + oauth_version="1.0", + oauth_signature="ztTQuqaJS7L6dNQwn%2Fqi1MdaqQQ%3D"] +} + + + +RequestTokenService will only accept the "oob" value if a client callbackURI property has been set to "oob" during the client application registration process. Specifically, RequestTokenService will expect that a http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";>Client bean will have its callbackURI property being set to "oob". + +When a callback URI is set to "oob", it means that a user decision response needs to be presented directly to the current user - which will then make the request token and verifier info somehow available to the client application. 
In case of "oob", AuthorizationRequestService, instead of redirecting the user back to the callback URI as shown earlier on, will simply return an instance of http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java";>OOBAuthorizationResponse. RequestDispatcherProvider will need to be used for redirecting this data to the view handler exactly how it is done when a user is asked to authorize the client application, with the view handler formatting the data and actually returning it to the user + + AccessTokenService The role of AccessTokenService is to exchange an authorize
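Review bot: in the OOB callbacks hunk, "The OAuth 1.0 mentions" should read "The OAuth 1.0 specification mentions", and "if it is known it can not receive" should read "if it is known that it cannot receive". The text says RequestTokenService will only accept oauth_callback="oob" when the registered Client callbackURI is "oob"; state explicitly that the request is rejected otherwise, because this check is what prevents a client registered with a real callback from switching to an out-of-band flow on its own. The final paragraph also needs a full stop after "returning it to the user".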
svn commit: r826378 - in /websites/production/cxf/content: cache/docs.pageCache docs/maven-cxf-codegen-plugin-wsdl-to-java.html
Author: buildbot Date: Thu Jul 19 20:47:49 2012 New Revision: 826378 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html == --- websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html (original) +++ websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html Thu Jul 19 20:47:49 2012 @@ -328,7 +328,16 @@ Apache CXF -- Maven cxf-codegen-plugin ( </dependencies> </plugin> - + + +Other configuration options + +The cxf-codegen-plugin has some additional configuration options that may be useful: + +<fork>false/always/once</fork> Forks a separate JVM for the code generation <additionalJvmArgs> Additional JVM args set on the forked process if fork is not false <encoding>UTF-8</encoding> (new in 2.6.1, requires configuring plugin to use very latest JAXB 2.2 impl jars) + + +
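Review bot: the three options are run together into one paragraph; list them one per line (or as a table) with the option, its allowed values and its default, e.g. `<fork>false/always/once</fork>` on its own line. "requires configuring plugin to use very latest JAXB 2.2 impl jars" should name the minimum JAXB implementation version that <encoding> needs rather than "very latest", which stops being accurate as soon as newer releases appear.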
svn commit: r826509 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html
Author: buildbot Date: Fri Jul 20 21:47:47 2012 New Revision: 826509 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-idp.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Fri Jul 20 21:47:47 2012 
@@ -188,11 +188,12 @@ $CATALINA_HOME/bin/shutdown.sh The keystoreFile is relative to $CATALINA_HOME. See http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html";>here for the Tomcat 7 configuration reference. This page also describes how to create certificates. -Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdl"; rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl, assuming you're using port 9080 as listed above. - To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co";>this page for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys. -Warning: The sample keystores provided in the WAR files are for development/prototyping use ONLY. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys. +Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use ONLY. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys. + +Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdl"; rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl, assuming you're using port 9080 as listed above. + Configuration
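Review bot: the broadened warning is the right change; its last clause reads better as "at a minimum replaced with your own self-signed keys, though third-party signed keys are strongly recommended". The relocated WSDL check still points at http://localhost:9080/... right after the paragraph on TLS trust; add that 9080 is the plain-HTTP deployment port and that the IDP and STS are accessed over the HTTPS port (9443, as listed above) in normal operation.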
buildbot failure in ASF Buildbot on cxf-site-production
The Buildbot has detected a new failure on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/3371 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: BUILD FAILED: failed compile sincerely, -The Buildbot
buildbot success in ASF Buildbot on cxf-site-production
The Buildbot has detected a restored build on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/3372 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: Build succeeded! sincerely, -The Buildbot
svn commit: r827548 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html
Author: buildbot Date: Tue Jul 31 21:47:52 2012 New Revision: 827548 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/27-migration-guide.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/27-migration-guide.html == --- websites/production/cxf/content/docs/27-migration-guide.html (original) +++ websites/production/cxf/content/docs/27-migration-guide.html Tue Jul 31 21:47:52 2012 @@ -123,8 +123,6 @@ Apache CXF -- 2.7 Migration Guide New Features - - API Changes The HTTPConduit class has been made abstract with the HttpURLConnection related code moving to an URLConnectionHTTPConduit. Several method calls of the HTTPConduit that used to take HttpURLConnection objects have been eliminated. Also, most methods taking a URL object now take a URI object instead. The HTTPConduit.WrappedOutputStream class is also now abstract. If you have custom subclasses of HTTPConduit, changing them to subclass URLConnectionHTTPConduit will likely work.
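Review bot: Removing the two blank lines leaves the "New Features" heading with no body before "API Changes"; either add the 2.7 feature list or drop the heading until there is content. In the "API Changes" paragraph, give the package of the new URLConnectionHTTPConduit class (subclass authors need the import) and say whether the HTTPConduit methods that now take URI instead of URL are source-incompatible for existing subclasses, since "will likely work" is all the guidance offered.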
svn commit: r827598 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-deployment.html
Author: buildbot Date: Wed Aug 1 10:47:24 2012 New Revision: 827598 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-deployment.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-deployment.html == --- websites/production/cxf/content/docs/jax-rs-deployment.html (original) +++ websites/production/cxf/content/docs/jax-rs-deployment.html Wed Aug 1 10:47:24 2012 @@ -136,8 +136,10 @@ Apache CXF -- JAX-RS Deployment 1. Make sure a cxf-rt-transport-http-jetty dependency is excluded during the war build 2. If a custom JAX-RS http://jsr311.java.net/nonav/releases/1.1/index.html"; rel="nofollow">Application is included then use a http://cxf.apache.org/docs/jaxrs-services-configuration.html#JAXRSServicesConfiguration-ConfiguringJAXRSservicesincontainerwithoutSpring";>CXFNonSpringJaxrsServlet to reference the Application implementation class and either - 2.1 Disable the Jersey scanning the custom web applications (TODO: specify how this actually can be done) or - 2.2 Remove jersey-gf-server.jar from $GLASSFISH_HOME/glassfish/modules + 2.1 Disable the Jersey scanning the custom web applications. Setting the following system property may help: + "-Dcom.sun.enterprise.overrideablejavaxpackages=javax.ws.rs,javax.ws.rs.core,javax.ws.rs.ext" + + 2.2 Remove jersey-gf-server.jar from $GLASSFISH_HOME/glassfish/modules JBoss
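Review bot: The "or" that joined 2.1 and 2.2 was dropped when the TODO was replaced, so the "and either" before 2.1 now dangles; restore "or" at the end of 2.1. The replacement also hedges ("may help") without saying where the -Dcom.sun.enterprise.overrideablejavaxpackages=... property is to be set (the GlassFish JVM options) or how to confirm that Jersey has stopped scanning the application; state that, or keep a TODO marker so readers know the step is unverified.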
svn commit: r827603 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html docs/index.html docs/jaxrs-kerberos.html docs/security.html
Author: buildbot Date: Wed Aug 1 12:47:28 2012 New Revision: 827603 Log: Production update by buildbot for cxf Added: websites/production/cxf/content/docs/jaxrs-kerberos.html Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html websites/production/cxf/content/docs/index.html websites/production/cxf/content/docs/security.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html == --- websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html (original) +++ websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html Wed Aug 1 12:47:28 2012 @@ -122,7 +122,7 @@ Apache CXF -- Client HTTP Transport (inc -AuthenticationBasic AuthenticationDigest AuthenticationSupplying dynamic authorizationSpnego Authentication (Kerberos)NTLM AuthenticationConfiguring SSL SupportAdvanced ConfigurationUsing ConfigurationNamespaceThe conduit elementThe client elementExample using the Client ElementThe tlsClientParameters elementUsing WSDL< /a>NamespaceThe client elementExampleUsing java codeHow to configure the HTTPConduit for the SOAP Client?How to override the service address ?Client Cache Control DirectivesA Note About Chunking +AuthenticationBasic AuthenticationDigest AuthenticationSupplying dynamic authorizationSpnego Authentication (Kerberos)Credential DelegationNTLM AuthenticationConfiguring SSL SupportAdvanced ConfigurationUsing ConfigurationNamespaceThe conduit elementThe client elementExample using the Client ElementThe tlsClie ntParameters elementUsing WSDLNamespaceThe client elementExampleUsing java codeHow to configure the HTTPConduit for the SOAP Client?How to override the service address ?Client Cache Control DirectivesA Note About Chunking Authentication 
@@ -218,6 +218,29 @@ CXFClient { +Credential Delegation + +Please set an "auth.spnego.requireCredDelegation" property to "true" if you need to enable the credential delegation. Note that setting this property will let the receiving service implement the credential delegation. + +If the Kerberos credential is already available in the service request context then one can make this credential available to Spnego/Kerberos authentication handler by setting it on the current CXF message, using an 'org.ietf.jgss.GSSCredential' key. + +This can be done before a client invocation is made, by setting a client request context property, or by extending 'org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier'. Please see this http://cxf.547215.n5.nabble.com/Kerberos-authentication-using-delegation-from-Principal-Ticket-td5711202.html"; rel="nofollow">thread for more information on the latter option. + +Note in the case of reusing the existing credential, the policy configuration does not need to reference a login module name: + +HTTP conduit configuration for spnego with single sign on + + ... + <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"; + xmlns="http://cxf.apache.org/transports/http/configuration";> + <authorization> + <AuthorizationType>Negotiate</AuthorizationType> + </authorization> + </conduit> + ... + + + NTLM Authentication Modified: websites/production/cxf/content/docs/index.html == --- websites/production/cxf/content/docs/index.html (original) +++ websites/production/cxf/content/docs/index.html Wed Aug 1 12:47:28 2012 
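Review bot: The new Credential Delegation section says setting "auth.spnego.requireCredDelegation" to "true" "will let the receiving service implement the credential delegation" but does not spell out the consequence: the service ends up holding a credential it can use to act as the caller toward other services, so the property should be enabled only on conduits that point at services trusted to do that, and the doc should say so. "Please set an ... property" also needs to say where it is set (client request context or conduit property) for the conduit configuration that follows to be reproducible, and "Note in the case of reusing the existing credential, the policy configuration does not need to reference a login module name" should say that this is why the conduit snippet has only <AuthorizationType>Negotiate</AuthorizationType> and no <Authorization> element.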
@@ -147,7 +147,7 @@ Apache CXF -- Index -OverviewWhy CXF?How do I integrate my application with CXF — A meta guide to integrating your application with CXF - including Bindings, Transports, Interceptors, etcHow do I develop a service? — A meta guide to your options with CXFHow do I develop a client? — A meta guide to your options with CXFHow-TosWriting a service with SpringA simple JAX-WS serviceRunning a service in Tomcat on zOSJax-WS Java First with jms TransportDefining Contract first webservices with wsdl generation from javaMigration GuidesSample Projects< /li>FrontendsAnnotationsDynamic ClientsJAX-WSDeveloping a ConsumerDeveloping a ServiceJAX-WS ConfigurationJAX-WS Dispatch APIProvider ServicesWebserviceContextSimpleSimple FrontendSimple Frontend ConfigurationDataBindingsAegis (2.1) — For CXF 2.1 or newerAegis Databinding (2.0.x) — For CXF up to 2.0.xJAXBMTOM Attachments with JAXBSDOtitle="XMLBeans">X
svn commit: r827609 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html
Author: buildbot Date: Wed Aug 1 13:47:27 2012 New Revision: 827609 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jaxrs-kerberos.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html == --- websites/production/cxf/content/docs/jaxrs-kerberos.html (original) +++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug 1 13:47:27 2012 
@@ -124,20 +124,66 @@ Apache CXF -- JAXRS Kerberos JAX-RS Kerberos Support -IntroductionClient configurationHTTPConduitInterceptorServer configuration +IntroductionKerberosHTTP Negotiate schemeGSS APIClient configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the service principal nameUsing JAAS ConfigurationServer configurationCredential Delegation Introduction +Kerberos +HTTP Negotiate scheme +GSS API -Client configuration +Client configuration -HTTPConduit +HTTPConduit Please see http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29";>this page for the information about Spnego/Kerberos HTTPConduit client support. -Interceptor +Interceptor +org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor can be used as an alternative to configuring HTTPConduit. -Server configuration +KerberosAuthOutInterceptor and the HTTPConduit Spnego handler share the same base code. Having HTTPConduit configuration can be enough in many cases +especially when SSL is also being setup at the conduit level. Using the interceptor can be handy when testing as well as when setting few extra properties which is not easy to set up at the generic HTTP Conduit Authorization Policy level. + +The interceptor properties are explained in the following sub-sections + +Authorization Policy + +As explained on http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29";>this page, Authorization Policy typically needs to have its type set to "Negotiate" and its "authorization" property set to the name of the JAAS context. 
AuthorizationPolicy is set as a "policy" property on the interceptor, example: + + + +WebClient wc = WebClient.create("http://localhost:" + PORT + "/bookstore/books/123"); + +KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor(); + +AuthorizationPolicy policy = new AuthorizationPolicy(); +policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE); +policy.setAuthorization("KerberosClientKeyTab"); + +kbInterceptor.setPolicy(policy); +WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor); + +Book b = wc.get(Book.class); + + + + +Configuring the service principal name + +By default, the service principal name is calculated by concatenating "HTTP", "/" and the name of the target host, example, when invoking on "http://localhost:8080/services";, the service principal name is set to "HTTP/localhost". + +The "servicePrincipalName" and "realm" properties can be used to customize it, example, setting "servicePrincipalName" to "HTTP/www.mycompany.com" and realm to "services.org" will result in the "HTTP/www.mycompany@services.org" service principal name being used. + +Using JAAS Configuration + +Both HTTPConduit and interceptor handlers need a "java.security.auth.login.config" system property set up. This property needs to point to the file containing the configuration of the specific Kerberos login module. + +Instead of setting this system property and maintaining a configuration file, one might want to use an implementation of javax.security.auth.login.Configuration and set it on the interceptor as a "loginConfig" property. + +Server configuration + +Credential Delegation +
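Review bot: The example in "Configuring the service principal name" is inconsistent: setting "servicePrincipalName" to "HTTP/www.mycompany.com" with realm "services.org" is said to produce "HTTP/www.mycompany@services.org", which drops ".com"; the result should read "HTTP/www.mycompany.com@services.org" or the input should change. The WebClient snippet references an undeclared PORT and passes "KerberosClientKeyTab" to setAuthorization without saying it is the name of a JAAS login entry from the file named by java.security.auth.login.config; tie it to the "Using JAAS Configuration" subsection below. Several headings (Kerberos, HTTP Negotiate scheme, GSS API, Server configuration, Credential Delegation) are added with empty bodies, which will look finished on the published page; mark them as pending or leave them out until filled. Grammar: "setting few extra properties which is not easy to set up" should read "setting a few extra properties that are not easy to set up".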
svn commit: r827616 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html docs/ws-securitypolicy.html
Author: buildbot Date: Wed Aug 1 14:47:27 2012 New Revision: 827616 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jaxrs-kerberos.html websites/production/cxf/content/docs/ws-securitypolicy.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html == --- websites/production/cxf/content/docs/jaxrs-kerberos.html (original) +++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug 1 14:47:27 2012 @@ -124,7 +124,7 @@ Apache CXF -- JAXRS Kerberos JAX-RS Kerberos Support -IntroductionKerberosHTTP Negotiate schemeGSS APIClient configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the service principal nameUsing JAAS ConfigurationServer configurationCredential Delegation +IntroductionKerberosHTTP Negotiate schemeGSS APIClient configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the service principal nameUsing JAAS ConfigurationServer configurationService principal name and JAAS ConfigurationCallbackHandlerCredential Delegation Introduction Kerberos 
@@ -182,7 +182,103 @@ Book b = wc.get(Book.class); Server configuration +org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter can be used to protected JAX-RS endpoints and enforce that a Negotiate authentication scheme is used by clients, example: + + + + +<bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter"> + <property name="loginContextName" value="KerberosServiceKeyTab"/> +</bean> + +<jaxrs:server> + <jaxrs:serviceBeans> +<bean class="org.mycompany.MyCompanyResource"/> + </jaxrs:serviceBeans> + <jaxrs:providers> +<ref bean="kerberosFilter"> + </jaxrs:providers> +</jaxrs:server> + + + +KerberosAuthenticationFilter will set a CXF http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/SecurityContext.java";>SecurityContext on the current message if the authentication has been successful. This SecurityContext will return an instance of KerberosAuthenticationFilter$KerberosPrincipal, this Principal will return a 'simple' and 'kerberos' source principal names, example, given "HTTP/localh...@myrealm.com", Principal#getName will return "HTTP/localhost", and KerberosPrincipal#getKerberosName will return "HTTP/localh...@myrealm.com". + +Service principal name and JAAS Configuration + +Service principal name and JAAS Configuration can be optionally set up the same way they can be with KerberosAuthOutInterceptor, using 'servicePrincipalName' + 'realm' and "loginConfig" properties. 
+ +CallbackHandler + +javax.security.auth.callback.CallbackHandler needs to be registered if no Kerberos key tabs are used, here is an example of setting it up from Java: + + + +public class TestResource { + public static void main(String[] args) { + JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean(); + sf.setResourceClasses(BookStore.class); + KerberosAuthenticationFilter filter = new KerberosAuthenticationFilter(); + filter.setLoginContextName("KerberosServer"); + + CallbackHandler handler = + new org.apache.cxf.interceptor.security.NamePasswordCallbackHandler("HTTP/localhost", "http"); + filter.setCallbackHandler(handler); + + //filter.setLoginContextName("KerberosServerKeyTab"); + //filter.setServicePrincipalName("HTTP/ktab"); + sf.setProvider(filter); + sf.setAddress("http://localhost:" + PORT + "/"); + + sf.create(); + } +} + + + + Credential Delegation + +Please see this http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-CredentialDelegation";>section on the way client-side credential delegation can be both enabled and implemented at the HTTP conduit level. + +Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the endpoints, then the filter will have an org.ietf.jgss.GSSContext instance available in the current CXF SecurityContext, via its KerberosAuthenticationFilter$KerberosSecurityContext implementation, which can be used to get to org.ietf.jgss.GSSCredential if the credential delegation is supported for a given source principal. The current credential if any can be set as a client property next, for example: + + + + +import org.ietf.jgss.GSSCredential; + +import org.apache.cxf.jaxrs.security.KerberosAuthentica
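Review bot: The Spring sample in "Server configuration" has <ref bean="kerberosFilter"> without a closing "/>" inside <jaxrs:providers>, so the XML will not parse if copied; it should be <ref bean="kerberosFilter"/>. The TestResource Java sample hard-codes the service principal's password ("http") in a NamePasswordCallbackHandler; the text should say this is for a test KDC only and point at the commented-out keytab lines (setLoginContextName("KerberosServerKeyTab"), setServicePrincipalName) as the form to use outside tests, matching the preceding sentence that the callback handler is only needed when no keytab is used. PORT is undeclared in that sample, and "can be used to protected JAX-RS endpoints" should read "to protect".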
svn commit: r827620 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html
Author: buildbot Date: Wed Aug 1 15:47:27 2012 New Revision: 827620 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jaxrs-kerberos.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html == --- websites/production/cxf/content/docs/jaxrs-kerberos.html (original) +++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug 1 15:47:27 2012 
@@ -124,13 +124,37 @@ Apache CXF -- JAXRS Kerberos JAX-RS Kerberos Support -IntroductionKerberosHTTP Negotiate schemeGSS APIClient configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the service principal nameUsing JAAS ConfigurationServer configurationService principal name and JAAS ConfigurationCallbackHandlerCredential Delegation +IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIClient configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the service principal nameUsing JAAS Configur ationServer configurationService principal name and JAAS ConfigurationCallbackHandlerCredential Delegation Introduction -Kerberos + +Please see http://www.kerberos.org/software/tutorial.html"; rel="nofollow">MIT Kerberos Tutorial for a good introduction to Kerberos. +The http://msdn.microsoft.com/en-us/library/aa378747%28v=vs.85%29"; rel="nofollow">Windows guide is also worth checking. + +Setup + +Unix + +TODO + +Windows + +Please check the relevant Windows configuration guide such as http://technet.microsoft.com/en-us/library/cc753173%28v=ws.10%29"; rel="nofollow">this one. + HTTP Negotiate scheme + +'Negotiate' authentication scheme is used to pass Kerberos service tickets over HTTP. +Example: + + +Authorization: Negotiate "the encrypted service ticket" + + + GSS API +Please see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html"; rel="nofollow">this GSS API tutorial as well as check this http://www.javaactivedirectory.com/"; rel="nofollow">blog for a number of GSS API examples. + Client configuration HTTPConduit
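Review bot: The HTTP Negotiate example 'Authorization: Negotiate "the encrypted service ticket"' shows a quoted string, but the header value is a base64-encoded SPNEGO/GSS-API token, not a quoted literal and not the bare ticket; write it as "Authorization: Negotiate <base64 token>" and say that the token carries the service ticket and authenticator, so readers do not expect to see a ticket in the clear. The Unix setup subsection is committed as "TODO", which is now visible on the production site; the link texts "this one" and "this GSS API tutorial" should name their targets.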
svn commit: r827701 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html
Author: buildbot Date: Thu Aug 2 09:47:27 2012 New Revision: 827701 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jaxrs-kerberos.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html == --- websites/production/cxf/content/docs/jaxrs-kerberos.html (original) +++ websites/production/cxf/content/docs/jaxrs-kerberos.html Thu Aug 2 09:47:27 2012 @@ -124,12 +124,12 @@ Apache CXF -- JAXRS Kerberos JAX-RS Kerberos Support -IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIClient configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the service principal nameUsing JAAS Configur ationServer configurationService principal name and JAAS ConfigurationCallbackHandlerCredential Delegation +IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIJAAS Kerberos Module ConfigurationClient configurationHTTPConduitInterceptorAuthorization PolicyConfiguring th e service principal nameUsing JAAS ConfigurationServer configurationService principal name and JAAS ConfigurationCallbackHandlerCredential Delegation Introduction Please see http://www.kerberos.org/software/tutorial.html"; rel="nofollow">MIT Kerberos Tutorial for a good introduction to Kerberos. -The http://msdn.microsoft.com/en-us/library/aa378747%28v=vs.85%29"; rel="nofollow">Windows guide is also worth checking. +The http://msdn.microsoft.com/en-us/library/aa378747%28v=vs.85%29"; rel="nofollow">Windows guide as well as http://en.wikipedia.org/wiki/Kerberos_%28protocol%29"; rel="nofollow">this Wikipedia page are also worth checking. Setup 
@@ -153,7 +153,11 @@ Authorization: Negotiate GSS API -Please see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html"; rel="nofollow">this GSS API tutorial as well as check this http://www.javaactivedirectory.com/"; rel="nofollow">blog for a number of GSS API examples. +Please see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html"; rel="nofollow">this GSS API tutorial as well as check this http://www.javaactivedirectory.com/"; rel="nofollow">blog for a number of GSS API examples. Understanding GSS API may help when the way CXF Kerberos handlers work needs to be customized or when the available GSS credentials created outside of CXF need to be made available to CXF (for the credential delegation). + +JAAS Kerberos Module Configuration + +http://docs.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html"; rel="nofollow">com.sun.security.auth.module.Krb5LoginModule is typically used to login to Kerberos servers. Client configuration
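Review bot: The new "JAAS Kerberos Module Configuration" section names com.sun.security.auth.module.Krb5LoginModule but gives no sample login entry, while the TOC added in this same commit lists "Using JAAS Configuration" and the client/server sections rely on named entries; add one entry showing the module's useKeyTab, keyTab and principal options so the names used later resolve to something concrete. The Krb5LoginModule link points at the Java 6 javadoc while the GSS API tutorial link just above points at Java 7; align the versions.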
svn commit: r827704 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html
Author: buildbot Date: Thu Aug 2 10:47:27 2012 New Revision: 827704 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jaxrs-kerberos.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html == --- websites/production/cxf/content/docs/jaxrs-kerberos.html (original) +++ websites/production/cxf/content/docs/jaxrs-kerberos.html Thu Aug 2 10:47:27 2012 
@@ -135,7 +135,53 @@ The Unix -TODO +1. Install the packages + +> sudo apt-get install krb5-kdc krb5-admin-server + +During the installation enter "localhost" as the host name for Kerberos servers (unless you have more specific host names to enter) and set a default realm, example, "MYCOMPANY.COM". Follow the 1.2 step from this http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html"; rel="nofollow">blog entry to get this default realm set up properly. + +2. Create principals + +From the step 1.3 at http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html"; rel="nofollow">this blog entry: + +2.1 Create master key: +> sudo kdb5_util create -s + +2.2 Create user and service principals + +> sudo kadmin.local + +followed by + +> addprinc alice +> addprinc HTTP/localhost + +where 'HTTP/localhost' is the typical service principal name used in the Negotiate scheme, replace 'localhost' if needed. +Add more user and service principals too as required. + +3 Start KDC + +> sudo krb5kdc + +4. Create an optional ticket cache + +> klist + +returns an empty response + +> kinit alice + +> klist + +confirms a TGT for 'alice' is in the cache. + +2.4 Create keytabs + +When keytabs are available, the principal password does not have to be specified in the login configuration. +Please follow the step 1.4 from http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html"; rel="nofollow">this blog entry. + +Note, creating a keytab actually resets an original principal password, example, after creating a keytab for 'alice' one would not be able to use the original password (TODO: apparently this can be restored - find out how). Thus, if you'd like to experiment with keytabs then you may want to have few user and service principals created, with only selected principals using keytabs. Windows 
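Review bot: Step numbering in the Unix setup is inconsistent: after "3 Start KDC" and "4. Create an optional ticket cache", the keytab step is labelled "2.4 Create keytabs"; renumber it "5." and add the period after "3". The note that creating a keytab "actually resets an original principal password" is published with a TODO attached; for MIT kadmin.local, ktadd's -norandkey option keeps the existing key, which is what the TODO asks for, so either document that or drop the parenthetical. "you may want to have few user and service principals created" should read "a few".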
@@ -195,6 +241,7 @@ Book b = wc.get(Book.class); +In this example, the http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg";>KerberosClientKeyTab policy is used which links to the available keytab; otherwise AuthorizationPolicy 'UserName' and 'Password' properties would most likely have to be set too (with the possible exceptions on Windows) Configuring the service principal name @@ -264,6 +311,7 @@ Book b = wc.get(Book.class); +In this example, the http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg";>KerberosServer policy is used. Credential Delegation
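Review bot: Both added sentences call "KerberosClientKeyTab" and "KerberosServer" a "policy", but they are JAAS login-context names (the value given to AuthorizationPolicy.setAuthorization and to setLoginContextName), not policies; say "JAAS login entry" so they are not confused with the AuthorizationPolicy object in the same example. The first sentence lacks a terminating period, and "(with the possible exceptions on Windows)" should say what the exception is or be dropped.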
svn commit: r827795 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html
Author: buildbot Date: Fri Aug 3 09:47:31 2012 New Revision: 827795 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-securitypolicy.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-securitypolicy.html == --- websites/production/cxf/content/docs/ws-securitypolicy.html (original) +++ websites/production/cxf/content/docs/ws-securitypolicy.html Fri Aug 3 09:47:31 2012 
@@ -158,22 +158,27 @@ Apache CXF -- WS-SecurityPolicy -Boolean configuration tags, e.g. the value should be "true" or "false". +Note: for Symmetric bindings that specify a protection token, the ws-security-encryption properties are used. + +Boolean WS-Security configuration tags, e.g. the value should be "true" or "false". ws-security.validate.token Whether to validate the password of a received UsernameToken or not. The default is true. ws-security.enableRevocation Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false". ws-security.username-token.always.encrypted Whether to always encrypt UsernameTokens whenever possible. The default is true. ws-security.is-bsp-compliant Whether to ensure compliance with the Basic Securit y Profile (BSP) 1.1 or not. The default value is "true". ws-security.self-sign-saml-assertion Whether to self-sign a SAML Assertion or not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion is constructed. The default is false. ws-security.enable.nonce.cache Whether to cache UsernameToken nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here for more information. ws-security.enable.timestamp.cache Whether to cache Timestamp Created Strings. See http://cxf.apache.org/ javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE">here for more information. -Other properties +Non-boolean WS-Security Configuration parameters - ws-security.subject.cert.constraints This configuration tag is a comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate. These constraints are not used when the certificate is contained in the keystore (direct trust). 
ws-security.timestamp.futureTimeToLive This configuration tag specifies the time in seconds in the future within which the Created time of an incoming Timestamp is valid. WSS4J rejects by default any timestamp which is "Created" in the future, and so there could potentially be - problems in a scenario where a client's clock is slightly askew. The default value for this parameter is "0", meaning that no future-created Timestamps are allowed. + ws-security.timestamp.timeToLive The time in seconds after Creation that an incoming Timestamp is valid for. The default value is 300 seconds (5 minutes). ws-security.timestamp.futureTimeToLive The time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default value is "60". See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#TIMESTAMP_FUTURE_TTL";>here for more information. ws-security.saml-role-attributename The attribute URI of the SAML AttributeStatement where the role information is store d. The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";. ws-security.kerberos.client A reference to the KerberosClient class used to obtain a service ticket. ws-security.spnego.client.action The SpnegoClientAction implementation to use for SPNEGO. This allows the user to plug in a different implementation to obtain a service ticket. ws-security.kerberos.jaas.context The JAAS Context name to use for Kerberos. This is currently only supported for SPNEGO. ws-security.kerberos.spn The Kerberos Service Provider Name (spn) to use. This is currently only supported for SPNEGO. ws-security.nonce.cache.instance This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The default instance that is used is the EHCacheReplayCache. ws-security.timestamp.cache.instance This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The default instance that is used is the EHCacheReplayCache. 
ws-security.cache.config.file Set this property to point to a co
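Review bot: This hunk changes the documented default of ws-security.timestamp.futureTimeToLive from "0" (no future-dated Timestamps accepted) to "60" seconds without saying so; that widens the window in which an incoming Timestamp is accepted and should be called out as a behaviour change, with the CXF version it applies to, rather than only re-described. The new ws-security.timestamp.timeToLive entry (default 300 seconds) is correctly placed under the non-boolean list, but "Boolean WS-Security configuration tags, e.g. the value should be" should read "i.e.". The inserted "Note: for Symmetric bindings that specify a protection token, the ws-security-encryption properties are used" sits above the boolean list with nothing saying which properties it qualifies; attach it to the signature/encryption property entries it refers to.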
svn commit: r827803 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html
Author: buildbot Date: Fri Aug 3 10:47:29 2012 New Revision: 827803 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-securitypolicy.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-securitypolicy.html == --- websites/production/cxf/content/docs/ws-securitypolicy.html (original) +++ websites/production/cxf/content/docs/ws-securitypolicy.html Fri Aug 3 10:47:29 2012 
@@ -181,6 +181,13 @@ Apache CXF -- WS-SecurityPolicy +STS Client Configuration tags + + + ws-security.sts.client A reference to the STSClient class used to communicate with the STS. ws-security.sts.applies-to The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider. ws-security.sts.token.usecert Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure. The default value is "false". ws-security.sts.token.do.cancel Whether to cancel a token when using SecureConversation a fter successful invocation. The default is "false". ws-security.cache.issued.token.in.endpoint Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true". ws-security.sts.disable-wsmex-call-using-epr-address Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. The default value is "false". ws-security.sts.token.crypto A Crypto object to be used for the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO";>here for more information. ws-security.sts.token.properties The Crypto property configuration to use for the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES";>here for more information. ws-security.sts.token.username The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case. ws-security.sts.token.act-as The token to be sent to the STS in an "ActAs" field. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS";>here for more information. 
ws-security.sts.token.on-behalf-of The token to be sent to the STS in an "OnBehalfOf" field. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF";>here for more information. + + + Configuring via Spring The properties are easily configured as client or endpoint properties--use the former for the SOAP client, the latter for the web service provider.
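Review bot: the ws-security.sts.token.usecert row in the new STS table is ambiguous: it reads 'Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure. The default value is "false"' and never says which of the two structures "false" selects; state it explicitly, for example 'If true, writes out an X509Certificate structure; if false (the default), writes out a KeyValue structure.' Two smaller points in the same table: the ws-security.sts.disable-wsmex-call-using-epr-address description ('Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address ...') needs rewording to something like 'Whether to stop the STS client from sending a WS-MetadataExchange request to the STS EPR address when the endpoint contract carries no WS-MetadataExchange information', and the ws-security.cache.issued.token.in.endpoint row tells readers to disable per-proxy token caching in an intermediary without saying why; add the reason so readers can judge the risk of leaving the default "true" in that deployment.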
svn commit: r827806 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html
Author: buildbot Date: Fri Aug 3 11:47:25 2012 New Revision: 827806 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jaxrs-kerberos.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html == --- websites/production/cxf/content/docs/jaxrs-kerberos.html (original) +++ websites/production/cxf/content/docs/jaxrs-kerberos.html Fri Aug 3 11:47:25 2012 @@ -124,7 +124,7 @@ Apache CXF -- JAXRS Kerberos JAX-RS Kerberos Support -IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIJAAS Kerberos Module ConfigurationClient configurationHTTPConduitInterceptorAuthorization PolicyConfiguring th e service principal nameUsing JAAS ConfigurationServer configurationService principal name and JAAS ConfigurationCallbackHandlerCredential Delegation +IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIJAAS Kerberos Module ConfigurationClient configurationHTTPConduitInterceptorAuthorization PolicyConfiguring th e service principal nameUsing JAAS ConfigurationHow to avoid setting username and password propertiesServer configurationService principal name and JAAS ConfigurationCallbackHandlerCredential Delegation Introduction @@ -245,6 +245,8 @@ Book b = wc.get(Book.class); Configuring the service principal name +Service principal identifies a target service. + By default, the service principal name is calculated by concatenating "HTTP", "/" and the name of the target host, example, when invoking on "http://localhost:8080/services";, the service principal name is set to "HTTP/localhost". The "servicePrincipalName" and "realm" properties can be used to customize it, example, setting "servicePrincipalName" to "HTTP/www.mycompany.com" and realm to "services.org" will result in the "HTTP/www.mycompany@services.org" service principal name being used. 
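Review bot: the added sentence 'Service principal identifies a target service.' in the 'Configuring the service principal name' hunk is missing an article and stands alone from the rule that follows it; 'A service principal name identifies the target service the client authenticates to, and it must match the name under which that service is registered' would connect the two. While this section is open, the unchanged example in the same hunk is inconsistent: setting "servicePrincipalName" to "HTTP/www.mycompany.com" and realm to "services.org" is said to yield "HTTP/www.mycompany@services.org", which drops ".com"; one of the two values is a typo and should be corrected.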
@@ -255,6 +257,14 @@ Book b = wc.get(Book.class); Instead of setting this system property and maintaining a configuration file, one might want to use an implementation of javax.security.auth.login.Configuration and set it on the interceptor as a "loginConfig" property. +How to avoid setting username and password properties + +Typically, one may have to set AuthorizationPolicy UserName and Password properties for the Kerberos login module to authenticate the user. + +The next option is to create a keytab as noted in the Setup section, which will let one to avoid specifying a password property. +Finally, if the user actually owns the Java process which runs the code then no username and password properties have to be provided, assuming the Kerberos login configuration has 'useTicketCache' and possibly 'renewTGT' properties set to "true" + + Server configuration org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter can be used to protected JAX-RS endpoints and enforce that a Negotiate authentication scheme is used by clients, example:
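Review bot: the new 'How to avoid setting username and password properties' section presents three options but labels only the second ('The next option'), so the opening sentence about AuthorizationPolicy UserName and Password reads as background rather than option one; number the three, change 'which will let one to avoid' to 'which lets one avoid', and end the final sentence (after 'set to "true"') with a period. The keytab option also deserves one more sentence: the keytab stands in for the password, so the file needs the same protection as the password it replaces (restrictive file permissions, kept out of source control). For the third option, name the login-module settings exactly as they appear in the JAAS configuration (useTicketCache=true and, where wanted, renewTGT=true) and say that it relies on the user already holding a valid ticket in the ticket cache.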
svn commit: r827840 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html
Author: buildbot Date: Fri Aug 3 15:47:25 2012 New Revision: 827840 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-securitypolicy.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-securitypolicy.html == --- websites/production/cxf/content/docs/ws-securitypolicy.html (original) +++ websites/production/cxf/content/docs/ws-securitypolicy.html Fri Aug 3 15:47:25 2012 
@@ -184,7 +184,7 @@ Apache CXF -- WS-SecurityPolicy STS Client Configuration tags - ws-security.sts.client A reference to the STSClient class used to communicate with the STS. ws-security.sts.applies-to The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider. ws-security.sts.token.usecert Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure. The default value is "false". ws-security.sts.token.do.cancel Whether to cancel a token when using SecureConversation a fter successful invocation. The default is "false". ws-security.cache.issued.token.in.endpoint Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true". ws-security.sts.disable-wsmex-call-using-epr-address Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. The default value is "false". ws-security.sts.token.crypto A Crypto object to be used for the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO";>here for more information. ws-security.sts.token.properties The Crypto property configuration to use for the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES";>here for more information. ws-security.sts.token.username The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case. ws-security.sts.token.act-as The token to be sent to the STS in an "ActAs" field. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS";>here for more information. 
ws-security.sts.token.on-behalf-of The token to be sent to the STS in an "OnBehalfOf" field. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF";>here for more information. + ws-security.sts.client A reference to the STSClient class used to communicate with the STS. ws-security.sts.applies-to The "AppliesTo" address to send to the STS. The default is the endpoint address of the service provider. ws-security.sts.token.usecert If true, writes out an X509Certificate structure in UseKey/KeyInfo. If false (the default), writes out a KeyValue structure instead. ws-security.sts.token.do.cancel Whether to cancel a token when using SecureConversation after succe ssful invocation. The default is "false". ws-security.cache.issued.token.in.endpoint Set this to "false" to not cache a SecurityToken per proxy object in the IssuedTokenInterceptorProvider. This should be done if a token is being retrieved from an STS in an intermediary. The default value is "true". ws-security.sts.disable-wsmex-call-using-epr-address Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info. The default value is "false". ws-security.sts.token.crypto A Crypto object to be used for the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO";>here for more information. ws-security.sts.token.properties The Crypto property configuration to use for the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES";>here for more information. ws-security.sts.token.username The alias name in the keystore to get the user's public key to send to the STS for the PublicKey KeyType case. ws-security.sts.token.act-as The token to be sent to the STS in an "ActAs" field. 
See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS";>here f
svn commit: r827862 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html
Author: buildbot Date: Fri Aug 3 17:47:30 2012 New Revision: 827862 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/27-migration-guide.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/27-migration-guide.html == --- websites/production/cxf/content/docs/27-migration-guide.html (original) +++ websites/production/cxf/content/docs/27-migration-guide.html Fri Aug 3 17:47:30 2012 @@ -123,6 +123,10 @@ Apache CXF -- 2.7 Migration Guide New Features +New UDP transport + + + API Changes The HTTPConduit class has been made abstract with the HttpURLConnection related code moving to an URLConnectionHTTPConduit. Several method calls of the HTTPConduit that used to take HttpURLConnection objects have been eliminated. Also, most methods taking a URL object now take a URI object instead. The HTTPConduit.WrappedOutputStream class is also now abstract. If you have custom subclasses of HTTPConduit, changing them to subclass URLConnectionHTTPConduit will likely work.
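Review bot: the '+New UDP transport' heading under New Features is added with nothing beneath it; an empty heading tells the reader neither what the transport is, nor how it is enabled, nor which page documents it. Either add at least one sentence and a link to the transport's documentation, or hold the heading back until the description is written, since a migration guide with a bare heading looks like an unfinished edit.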
svn commit: r828231 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html
Author: buildbot Date: Tue Aug 7 10:47:24 2012 New Revision: 828231 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-securitypolicy.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-securitypolicy.html == --- websites/production/cxf/content/docs/ws-securitypolicy.html (original) +++ websites/production/cxf/content/docs/ws-securitypolicy.html Tue Aug 7 10:47:24 2012 
@@ -163,14 +163,14 @@ Apache CXF -- WS-SecurityPolicy Boolean WS-Security configuration tags, e.g. the value should be "true" or "false". - ws-security.validate.token Whether to validate the password of a received UsernameToken or not. The default is true. ws-security.enableRevocation Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false". ws-security.username-token.always.encrypted Whether to always encrypt UsernameTokens whenever possible. The default is true. ws-security.is-bsp-compliant Whether to ensure compliance with the Basic Securit y Profile (BSP) 1.1 or not. The default value is "true". ws-security.self-sign-saml-assertion Whether to self-sign a SAML Assertion or not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion is constructed. The default is false. ws-security.enable.nonce.cache Whether to cache UsernameToken nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here for more information. ws-security.enable.timestamp.cache Whether to cache Timestamp Created Strings. See http://cxf.apache.org/ javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE">here for more information. + ws-security.validate.token Whether to validate the password of a received UsernameToken or not. The default is true. ws-security.enableRevocation Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false". ws-security.username-token.always.encrypted Whether to always encrypt UsernameTokens that are defined as a SupportingToken. The default is true. This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire. 
ws-security.is-bsp-compliant Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true". ws-security.self-sign-saml-assertion Whether to self-sign a SAML Assertion or not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion is constructed. The default is false. ws-security.enable.nonce.cache Whether to cache UsernameToken nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here for more information. ws-security.enable.timestamp. cache Whether to cache Timestamp Created Strings. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE";>here for more information. Non-boolean WS-Security Configuration parameters - ws-security.timestamp.timeToLive The time in seconds after Creation that an incoming Timestamp is valid for. The default value is 300 seconds (5 minutes). ws-security.timestamp.futureTimeToLive The time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default value is "60". See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#TIMESTAMP_FUTURE_TTL";>here for more information. ws-security.saml-role-attributename The attribute URI of the SAML AttributeStatement where the role information is store d. The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";. ws-security.kerberos.client A reference to the KerberosClient class used to obtain a service ticket. ws-security.spnego.client.action The SpnegoClientAction implementation to use for SPNEGO. This allows the user to plug in a different implementation to obtain a service ticket. ws-security.kerberos.jaas.context The JAAS Context name to use for Kerberos. This is currently only supported for SPNEGO. ws-security.kerberos.spn The Kerberos Service Provider Name (spn) to use. 
This is currently only supported for SPNEGO. ws-security.nonce.cache.instance This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The def
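Review bot: the new warning on ws-security.username-token.always.encrypted ('This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire') is the right caveat for a table of defaults, and it is worth saying that this exposure is the reason the default is true. The rows next to it are inconsistent, though: every other boolean row states its default inline, while ws-security.enable.nonce.cache and ws-security.enable.timestamp.cache only say 'See here for more information'. Put the default in the row itself, or state what it depends on, because a reader scanning the table for replay-protection settings will not follow the link.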
svn commit: r828352 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-filters.html
Author: buildbot Date: Wed Aug 8 07:49:04 2012 New Revision: 828352 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-filters.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jax-rs-filters.html == --- websites/production/cxf/content/docs/jax-rs-filters.html (original) +++ websites/production/cxf/content/docs/jax-rs-filters.html Wed Aug 8 07:49:04 2012 @@ -343,7 +343,7 @@ The only option at the moment is to use -message.getExchange().put("ignore.response.writers", true); +message.getExchange().put("ignore.message.writers", true);
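Review bot: the property key in the sample changes from "ignore.response.writers" to "ignore.message.writers" with no accompanying text, so readers cannot tell whether this corrects a typo in the documentation or tracks a rename in CXF, and the lead-in 'The only option at the moment is to use' still does not say which releases honour the new key. Add one sentence stating which it is and, if the key was renamed in code, the version in which it changed; otherwise a reader on an older release has no way to know which key applies.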
svn commit: r828398 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-security.html
Author: buildbot Date: Wed Aug 8 16:47:32 2012 New Revision: 828398 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-security.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-security.html == --- websites/production/cxf/content/docs/ws-security.html (original) +++ websites/production/cxf/content/docs/ws-security.html Wed Aug 8 16:47:32 2012 @@ -127,7 +127,7 @@ Apache CXF -- WS-Security Pass authentication tokens between servicesEncrypt messages or parts of messagesSign messagesTimestamp messages -Currently, CXF implements WS-Security by integrating http://ws.apache.org/wss4j";>WSS4J. To use the integration, you'll need to configure these interceptors and add them to your service and/or client. +Currently, CXF implements WS-Security by integrating http://ws.apache.org/wss4j";>WSS4J. To use the integration, you'll need to configure these interceptors and add them to your service and/or client as detailed in this article. Alternatively, WS-Security can be implemented by using http://cxf.apache.org/docs/ws-securitypolicy.html";>WS-SecurityPolicy, which provides a more comprehensive and sophisticated validation of the security properties of a received message. Overview of encryption and signing @@ -226,8 +226,6 @@ cxfEndpoint.getOutInterceptors().add(wss class="com.mycompany.webservice.ServerPasswordCallback"/> <jaxws:inInterceptors> - <!-- SAAJ Interceptor needs to be explicitly declared only in CXF 2.0.x --> - <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"> <constructor-arg> <map> 
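Review bot: in the @@ -226 hunk, removing the SAAJInInterceptor bean and its comment from the Spring sample is fine for current releases, but that comment ('SAAJ Interceptor needs to be explicitly declared only in CXF 2.0.x') was the only place the page recorded the 2.0.x requirement; keep one sentence after the sample saying that CXF 2.0.x users must still declare org.apache.cxf.binding.soap.saaj.SAAJInInterceptor. In the @@ -127 hunk, the new sentence recommending WS-SecurityPolicy says it 'provides a more comprehensive and sophisticated validation of the security properties of a received message' without saying what it validates that the interceptor configuration does not; one concrete clause would make the recommendation actionable.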
@@ -246,7 +244,7 @@ cxfEndpoint.getOutInterceptors().add(wss -The entry keys and values given in the constructor-arg element above (action, signaturePropFile, etc.) map to the text strings in WSS4J's http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html";>WSHandlerConstants and http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/WSConstants.html";>WSConstants classes for the corresponding WSHandlerConstants.X and WSConstants. constants you see in the section below. So by viewing WSHandlerConstants, for example, you can see that the WSHandlerConstants.USERNAME_TOKEN value given below would need to be "UsernameToken" instead when doing Spring configuration. +The entry keys and values given in the constructor-arg element above (action, signaturePropFile, etc.) map to the text strings in WSS4J's http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html";>WSHandlerConstants and http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/WSConstants.html";>WSConstants classes for the corresponding WSHandlerConstants.X and WSConstants. constants you see in the section below (also see the WSS4J configuration http://ws.apache.org/wss4j/config.html";>page). So by viewing WSHandlerConstants, for example, you can see that the WSHandlerConstants.USERNAME_TOKEN value given below would need to be "UsernameToken" instead when doing Spring configuration. If you want to avoid looking up the text keys for the WSHandlerConstants.X and WSConstants. constants, you can also use the Spring util namespace to reference static constants in your Spring context as shown below. 
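Review bot: both the old and new versions of this paragraph contain 'WSConstants. constants' (a trailing period followed by a space) alongside 'WSHandlerConstants.X', which reads as a dropped 'X'; fix it to 'WSConstants.X constants' while the paragraph is being edited. The new closing sentence promises a Spring util namespace sample 'as shown below'; make sure that sample uses util:constant with the fully qualified static-field name (for example org.apache.ws.security.handler.WSHandlerConstants.USERNAME_TOKEN) so the reader sees how it resolves to the "UsernameToken" string the paragraph mentions.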
@@ -378,7 +376,7 @@ CryptoCoverageChecker checker = If a nonce is present in a UsernameToken then it should be cached by the message recipient to guard against replay attacks. This behaviour is enabled by default starting with CXF 2.6.0. This functionality is also available from Apache CXF 2.4.7 and 2.5.3 onwards, but is not enabled by default at all for backwards-compatibility reasons. The following properties control nonce caching: -"ws-security.enable.nonce.cache" - The default value (for CXF 2.6.0) is "true" for message recipients, and "false" for message initiators. Set it to true to cache for both cases. The default value for CXF 2.4.x and 2.5.x is false."ws-security.nonce.cache.instance" - This holds a reference to a ReplayCache instance used to cache UsernameToken nonces. The default instance that is used is the EHCacheReplayCache, which uses Ehcache to cache the nonce values."ws-security.cache.config.file" - Set this property to point to a configuration file for the underlying caching implementation
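Review bot: the removed text in the @@ -378 hunk ran the three nonce-cache properties ("ws-security.enable.nonce.cache", "ws-security.nonce.cache.instance" and "ws-security.cache.config.file") together into one paragraph with no separators, so whatever replaces it should present them as separate list items with the default of each stated first. The nonce-cache default in the removed text differs between message recipients and initiators and between release lines (2.6.0 versus 2.4.x and 2.5.x); the replacement should keep both distinctions visible, as they decide whether replay protection is on at all.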
svn commit: r828410 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-security.html
Author: buildbot Date: Wed Aug 8 19:47:49 2012 New Revision: 828410 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-security.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-security.html == --- websites/production/cxf/content/docs/ws-security.html (original) +++ websites/production/cxf/content/docs/ws-security.html Wed Aug 8 19:47:49 2012 @@ -127,7 +127,7 @@ Apache CXF -- WS-Security Pass authentication tokens between servicesEncrypt messages or parts of messagesSign messagesTimestamp messages -Currently, CXF implements WS-Security by integrating http://ws.apache.org/wss4j";>WSS4J. To use the integration, you'll need to configure these interceptors and add them to your service and/or client as detailed in this article. Alternatively, WS-Security can be implemented by using http://cxf.apache.org/docs/ws-securitypolicy.html";>WS-SecurityPolicy, which provides a more comprehensive and sophisticated validation of the security properties of a received message. +CXF relies on http://ws.apache.org/wss4j";>WSS4J in large part to implement WS-Security. Within your own services, WS-Security can be activated by using http://cxf.apache.org/docs/ws-securitypolicy.html";>WS-SecurityPolicy, which provides a comprehensive and sophisticated validation of the security properties of a received message. A non-WS-SecurityPolicy approach is usually also possible by way of CXF interceptors added to your service and/or client as detailed in this article. Overview of encryption and signing
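Review bot: the rewritten intro says 'A non-WS-SecurityPolicy approach is usually also possible by way of CXF interceptors' without saying when it is not; either drop 'usually' or name the cases in which the interceptor approach does not apply, since this sentence is what a reader uses to choose between the two approaches. 'CXF relies on WSS4J in large part to implement WS-Security' also reads awkwardly; 'CXF relies largely on WSS4J to implement WS-Security' says the same thing.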
svn commit: r828463 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html
Author: buildbot Date: Thu Aug 9 14:49:22 2012 New Revision: 828463 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-securitypolicy.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-securitypolicy.html == --- websites/production/cxf/content/docs/ws-securitypolicy.html (original) +++ websites/production/cxf/content/docs/ws-securitypolicy.html Thu Aug 9 14:49:22 2012 
@@ -163,7 +163,7 @@ Apache CXF -- WS-SecurityPolicy Boolean WS-Security configuration tags, e.g. the value should be "true" or "false". - ws-security.validate.token Whether to validate the password of a received UsernameToken or not. The default is true. ws-security.enableRevocation Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false". ws-security.username-token.always.encrypted Whether to always encrypt UsernameTokens that are defined as a SupportingToken. The default is true. This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire. ws-security.is-bsp-compliant Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true". ws-security.self-sign-saml-assertion Whether to self-sign a SAML Assertion or not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion is constructed. The default is false. ws-security.enable.nonce.cache Whether to cache UsernameToken nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here for more information. ws-security.enable.timestamp. cache Whether to cache Timestamp Created Strings. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE";>here for more information. + constant default definition ws-security.validate.token true Whether to validate the password of a received UsernameToken or not. ws-security.enableRevocation false Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. ws-security.username-token.always.encrypted true Whether to always encrypt UsernameTokens that are defined as a SupportingToken. 
This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire. ws-security.is-bsp-compliant true Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. ws-security.self-sign-saml-assertion false Whether to self-sign a SAML Assertion or not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion is constructed. ws -security.enable.nonce.cache (varies) Whether to cache UsernameToken nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here for more information. ws-security.enable.timestamp.cache (varies) Whether to cache Timestamp Created Strings. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE";>here for more information.
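Review bot: the '(varies)' default cells for ws-security.enable.nonce.cache and ws-security.enable.timestamp.cache in the new constant/default/definition table tell the reader nothing about what the default varies with; put the rule in the cell itself rather than only behind the 'here' link, because these two switches are the replay-protection settings a reviewer of a configuration looks for first. Also check the rendering of 'ws -security.enable.nonce.cache' in the constant column: the stray space inside the name would break a copy-and-paste of the property key.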
svn commit: r828499 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html
Author: buildbot Date: Thu Aug 9 18:47:35 2012 New Revision: 828499 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-securitypolicy.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-securitypolicy.html == --- websites/production/cxf/content/docs/ws-securitypolicy.html (original) +++ websites/production/cxf/content/docs/ws-securitypolicy.html Thu Aug 9 18:47:35 2012 
@@ -170,7 +170,7 @@ Apache CXF -- WS-SecurityPolicy Non-boolean WS-Security Configuration parameters - ws-security.timestamp.timeToLive The time in seconds to append to the Creation value of an incoming Timestamp to determine whether to accept the Timestamp as valid or not. The default value is 300 seconds (5 minutes). ws-security.timestamp.futureTimeToLive The time in seconds in the future within which the Created time of an incoming Timestamp is valid. The default value is "60". See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#TIMESTAMP_FUTURE_TTL";>here for more information. ws-security.saml-role-attributename The attribute URI of the SAML AttributeStatement where the role information is stored. The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";. ws-security.kerberos.client A reference to the http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java?view=markup";>KerberosClient class used to obtain a service ticket. ws-security.spnego.client.action The http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/spnego/SpnegoClientAction.html";>SpnegoClientAction implementation to use for SPNEGO. This allows the user to plug in a different implementation to obtain a service ticket. ws-security.kerberos.jaas.context The JAAS Context name to use for Kerberos. This is currently only supported for SPNEGO. ws-security.kerberos.spn The Kerberos Service Provider Name (spn) to use. This is currently only supported for SPNEGO. ws-security.nonce.cache.instance This holds a reference to a http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/cache/ReplayCache.html";>ReplayCache instance used to cache UsernameToken nonces. The default instance that is used is the http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/or g/apache/cxf/ws/security/cache/EHCacheReplayCache.java?view=markup">EHCacheReplayCache. 
ws-security.timestamp.cache.instance This holds a reference to a http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/cache/ReplayCache.html";>ReplayCache instance used to cache Timestamp Created Strings. The default instance that is used is the http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/cache/EHCacheReplayCache.java?view=markup";>EHCacheReplayCache. ws-security.cache.config.file Set this property to point to a configuration file for the underlying caching implementation. The default configuration file th at is used is http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/resources/cxf-ehcache.xml?view=markup";>cxf-ehcache.xml in the cxf-rt-ws-security module. org.apache.cxf.ws.security.tokenstore.TokenStore The http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java?view=markup";>TokenStore instance to use to cache security tokens. By default this uses the http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java?view=markup";>EHCacheTokenStore if EhCache is available. Otherwise it uses the http://svn.apache.org/viewvc/cxf/trunk/rt/w s/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java?view=markup">MemoryTokenStore. ws-security.subject.cert.constraints A comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the certificate. These constraints are not used when the certificate is contained in the keystore (direct trust). + ws-security.timestamp.timeToLive The time in seconds to append to the Creation value of an incoming Timestamp to determine whether to accept the Timestamp as valid or not. The default value is 300 seconds (5 minutes). 
ws-security.timestamp.futureTimeToLive The time in seconds in the future within which the Created time of an incoming Timestamp is valid. The defaul
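Review bot: the new ws-security.subject.cert.constraints row says the comma-separated regular expressions 'will be applied to the subject DN of the certificate used for signature validation' but not how: whether each pattern must match the whole DN or only a substring of it, and whether one matching pattern suffices or all must match. Without that rule a reader cannot tell if a DN carrying extra RDNs passes a given constraint; document the matching rule and show one DN with a pattern that accepts it and one that does not. The clause that the constraints 'are not used when the certificate is contained in the keystore (direct trust)' is the other thing readers must not miss and would be better placed at the start of the row.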
svn commit: r828578 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxb.html
Author: buildbot Date: Fri Aug 10 17:47:24 2012 New Revision: 828578 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jaxb.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/jaxb.html == --- websites/production/cxf/content/docs/jaxb.html (original) +++ websites/production/cxf/content/docs/jaxb.html Fri Aug 10 17:47:24 2012 @@ -123,7 +123,7 @@ Apache CXF -- JAXB Introduction -JAXB is the default data binding for CXF. If you don't specify one of the other data bindings in your Spring configuration or through the API, you will get JAXB. CXF 2.0.x branch supplies JAXB 2.0, CXF 2.1.x and CXF 2.2.x use JAXB 2.1. +JAXB is the default data binding for CXF. If you don't specify one of the other data bindings in your Spring configuration or through the API, you will get JAXB. Releases of CXF since 2.3.x have used the JDK7 default of JAXB 2.2, however Maven users running on JDK 6 will need to use the http://docs.oracle.com/javase/6/docs/technotes/guides/standards/"; rel="nofollow">Java endorsed override mechanism to use JAXB 2.2 instead of JAXB 2.1. JAXB uses Java annotation combined with files found on the classpath to build the mapping between XML and Java. JAXB supports both code-first and schema-first programming. The schema-first support the ability to create a client proxy, dynamically, at runtime. See the CXF DynamicClientFactory class. @@ -211,8 +211,7 @@ Apache CXF -- JAXB </jaxws:server> - - +
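Review bot: the new sentence 'Releases of CXF since 2.3.x have used the JDK7 default of JAXB 2.2, however Maven users running on JDK 6 will need to use the Java endorsed override mechanism to use JAXB 2.2 instead of JAXB 2.1' is a comma splice that mixes two points; split it: 'Releases of CXF since 2.3.x use JAXB 2.2, the default in JDK 7. On JDK 6, which supplies JAXB 2.1, Maven users need the Java endorsed standards override mechanism to make JAXB 2.2 available.' The unchanged context line 'The schema-first support the ability to create a client proxy' also needs 'supports'.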
svn commit: r828601 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html
Author: buildbot Date: Fri Aug 10 23:47:24 2012 New Revision: 828601 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-idp.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Fri Aug 10 23:47:24 2012 
@@ -166,23 +166,33 @@ $CATALINA_HOME/bin/shutdown.sh -If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE that will need to be redefined. +If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE instead that will need to be redefined above. -The Fediz examples use the following TCP ports for the IDP/STS: +Tomcat server.xml configuration -HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)HTTPS port: 9443 (where IDP and STS are accessed) +The Fediz examples use the following Tomcat port values for the IDP/STS, defined in the conf/server.xml file. We use ports different from the Tomcat defaults so as not to conflict with the Tomcat instance running the RP applications. +HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)HTTPS port: 9443 (where IDP and STS are accessed)Server port (for shutdown and other commands): 9005 -The Tomcat HTTP(s) configuration is done in conf/server.xml. -This is a sample snippet for an HTTPS configuration: +Here is a sample snippet for showing the configuration of the above three values: +<Server port="9005" shutdown="SHUTDOWN"> + +<!-- http configuration --> +<Connector port="9080" protocol="HTTP/1.1" + connectionTimeout="2" + redirectPort="9443" /> +... +<!-- https configuration --> <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="tomcat-idp.jks" keystorePass="tompass" sslProtocol="TLS" /> +... +</Server>
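Review bot: in the server.xml sample, connectionTimeout="2" on the HTTP connector is a value in milliseconds, so as written it would close idle connections almost immediately; check whether 20000, the value Tomcat ships in its default server.xml, was intended. The HTTPS connector embeds keystoreFile="tomcat-idp.jks" and keystorePass="tompass"; say in the text that these are the example keystore and password for the sample IDP and that a real deployment must use its own, because a snippet like this gets copied verbatim into conf/server.xml. Finally, 'Here is a sample snippet for showing the configuration of the above three values' should read 'Here is a sample snippet showing the configuration of the three values above'.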
svn commit: r828621 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html fediz-tomcat.html
Author: buildbot Date: Sat Aug 11 06:47:56 2012 New Revision: 828621 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-idp.html websites/production/cxf/content/fediz-tomcat.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Sat Aug 11 06:47:56 2012 @@ -180,18 +180,25 @@ $CATALINA_HOME/bin/shutdown.sh <Server port="9005" shutdown="SHUTDOWN"> +... -<!-- http configuration --> -<Connector port="9080" protocol="HTTP/1.1" - connectionTimeout="2" - redirectPort="9443" /> -... -<!-- https configuration --> -<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" - maxThreads="150" scheme="https" secure="true" - keystoreFile="tomcat-idp.jks" - keystorePass="tompass" sslProtocol="TLS" /> -... + <!-- http configuration --> + <Connector port="9080" protocol="HTTP/1.1" +connectionTimeout="2" +redirectPort="9443" /> + + ... + + <!-- https configuration --> + <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" +maxThreads="150" scheme="https" secure="true" +keystoreFile="tomcat-idp.jks" +keystorePass="tompass" sslProtocol="TLS" /> + ... + + <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" /> + +... </Server> Modified: websites/production/cxf/content/fediz-tomcat.html == --- websites/production/cxf/content/fediz-tomcat.html (original) +++ websites/production/cxf/content/fediz-tomcat.html Sat Aug 11 06:47:56 2012 
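Review bot: the new `<Connector port="9009" protocol="AJP/1.3" redirectPort="9443" />` line is added without explanation, while the prose introducing this snippet still says it shows "the above three values" (9005, 9080, 9443). Either document the AJP port alongside the others or drop it from the sample: an AJP listener the IDP does not use is extra exposed surface, and if it is kept the sample should bind it to the loopback interface with `address="127.0.0.1"`. Also the attribute continuation lines (`connectionTimeout`, `redirectPort`, `maxThreads`, `keystoreFile`, `keystorePass`) lost their indentation relative to the `<Connector` they belong to, which makes the snippet harder to read than the version it replaces.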
@@ -137,7 +137,7 @@ Apache CXF -- Fediz Tomcat Tomcat Plugin -This page describes how to enable Federation in Tomcat. This Tomcat instance acts as the Relying Party which means it validates the incoming SignInResponse which has been created by the Identity Provider (IDP) server. +This page describes how to enable Federation in Tomcat. The configuration below is specifically for Tomcat instances hosting Relying Party (RP) applications, not instances just hosting the Fediz Identity Provider (IDP) and STS or third-party services authenticating a RP application based on SAML tokens provided by the IDP STS. A Tomcat instance holdign RP webapps will validate the incoming SignInResponse created by the IDP server. Installation
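Review bot: typo in the added paragraph: "holdign" should be "holding", and "a RP application" reads better as "an RP application". The middle sentence also packs two exclusions into one clause ("not instances just hosting ... or third-party services authenticating ..."); splitting it into one sentence for the IDP/STS instance and one for third-party SAML consumers would make the scope of the page clearer.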
svn commit: r828830 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html
Author: buildbot Date: Mon Aug 13 20:47:36 2012 New Revision: 828830 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-idp.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-idp.html == --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Mon Aug 13 20:47:36 2012 
@@ -146,7 +146,7 @@ Apache CXF -- Fediz IDP The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server. -It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described http://www.shaunabram.com/multiple-tomcat-instances/"; rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and change http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html"; rel="nofollow">these port values so they don't conflict with the original Tomcat installation. +It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described http://www.shaunabram.com/multiple-tomcat-instances/"; rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html"; rel="nofollow">change port values (discussed below) so they don't conflict with the original Tomcat installation. To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:
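Review bot: for the "copy your Tomcat folder into a second location" option, the paragraph should also tell readers what to strip from the copy: a full copy carries over conf/tomcat-users.xml and the stock webapps directory, neither of which the dedicated IDP instance needs. Minor wording: "a dedicated (separate) Tomcat instance for the IDP compared to the one hosting" reads better as "separate from the one hosting", and the new sentence should say "startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME" only if that matches the $CATALINA_BASE note that follows for the multiple-instance option.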
svn commit: r828833 - in /websites/production/cxf/content: cache/main.pageCache fediz-tomcat.html
Author: buildbot Date: Mon Aug 13 21:47:23 2012 New Revision: 828833 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/fediz-tomcat.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/fediz-tomcat.html == --- websites/production/cxf/content/fediz-tomcat.html (original) +++ websites/production/cxf/content/fediz-tomcat.html Mon Aug 13 21:47:23 2012 @@ -137,7 +137,10 @@ Apache CXF -- Fediz Tomcat Tomcat Plugin -This page describes how to enable Federation in Tomcat. The configuration below is specifically for Tomcat instances hosting Relying Party (RP) applications, not instances just hosting the Fediz Identity Provider (IDP) and STS or third-party services authenticating a RP application based on SAML tokens provided by the IDP STS. A Tomcat instance holdign RP webapps will validate the incoming SignInResponse created by the IDP server. +This page describes how to enable Federation for a Tomcat instance hosting Relying Party (RP) applications. This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for third-party applications that use Fediz STS-generated SAML assertions for authentication. After this configuration is done, the Tomcat-RP instance will validate the incoming SignInResponse created by the IDP server. + +Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the separate Tomcat IDP instance as discussed here, and can view the STS WSDL at the URL given on that page. That page also provides some tips for running multiple Tomcat instances on your machine. + Installation 
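Review bot: "as discussed here" in the new second paragraph shows no URL in this hunk, unlike the other "here" links on these pages; if the link is relative that is fine, just confirm it resolves to fediz-idp.html. Wording: "or hosts for third-party applications" does not parallel "a separate Tomcat instance hosting", so "or for hosts of third-party applications" reads more cleanly, and "Tomcat-RP instance" is used here without having been introduced.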
@@ -153,10 +156,12 @@ add the previously created directory to HTTPS configuration -It's recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz examples requires configuring the following TCP ports: -HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)HTTPS port: 8443 (where IDP and STS are accessed) +It's recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz RP web applications use the following TCP ports: +HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)HTTPS port: 8443 (where IDP and STS are accessed)Server port (for shutdown and other commands): 8005 +These are the default ports for a standard Tomcat installation. + The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP. The Tomcat HTTP(s) configuration is done in conf/server.xml. 
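Review bot: the port list carried over from the IDP page keeps the IDP description for the HTTPS port: on the RP instance 8443 is where the Relying Party applications are accessed, not "where IDP and STS are accessed" (those are on 9443 per fediz-idp.html in r828601). Suggest "HTTPS port: 8443 (where the RP applications are accessed)". The added sentence "These are the default ports for a standard Tomcat installation." is a useful reminder that it is the IDP instance, not this one, that has to move off the defaults.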
@@ -172,12 +177,14 @@ add the previously created directory to -The keystoreFile is relative to $CATALINA_HOME. See http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html";>here for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. +The keystoreFile is relative to $CATALINA_HOME. See http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html";>here for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance. To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co";>this page for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys. Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys. +If you are currently just trying to run the Fediz samples, the configuration above is all you need (the below configuration is already provided within the samples) so you can return now to the samples' READMEs for the next steps in running them. 
+ Fediz Plugin configuration for Your Web Application
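Review bot: "The keystoreFile is relative to $CATALINA_HOME" now sits beside a paragraph stressing that the RP and IDP keystores are different, while the companion page recommends running the IDP as a second instance via $CATALINA_BASE; say which base directory a relative keystoreFile resolves against in that setup, or recommend an absolute path, so readers running two instances know where to place each keystore. Grammar: "See this page for more details, it lists the trust requirements" is a comma splice (use a semicolon or a full stop), and "(the below configuration is already provided within the samples)" should be "the configuration below".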
svn commit: r829119 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html
Author: buildbot Date: Thu Aug 16 14:47:24 2012 New Revision: 829119 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/27-migration-guide.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/27-migration-guide.html == --- websites/production/cxf/content/docs/27-migration-guide.html (original) +++ websites/production/cxf/content/docs/27-migration-guide.html Thu Aug 16 14:47:24 2012 @@ -123,7 +123,7 @@ Apache CXF -- 2.7 Migration Guide New Features -New UDP transport +New UDP transportSupport for the http://docs.oasis-open.org/ws-dd/soapoverudp/1.1/wsdd-soapoverudp-1.1-spec.html"; rel="nofollow">SOAP over UDP specification
svn commit: r829131 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html
Author: buildbot Date: Thu Aug 16 18:47:28 2012 New Revision: 829131 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/27-migration-guide.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/27-migration-guide.html == --- websites/production/cxf/content/docs/27-migration-guide.html (original) +++ websites/production/cxf/content/docs/27-migration-guide.html Thu Aug 16 18:47:28 2012 @@ -130,6 +130,10 @@ Apache CXF -- 2.7 Migration Guide API Changes The HTTPConduit class has been made abstract with the HttpURLConnection related code moving to an URLConnectionHTTPConduit. Several method calls of the HTTPConduit that used to take HttpURLConnection objects have been eliminated. Also, most methods taking a URL object now take a URI object instead. The HTTPConduit.WrappedOutputStream class is also now abstract. If you have custom subclasses of HTTPConduit, changing them to subclass URLConnectionHTTPConduit will likely work. + + +The WS-Addressing related VersionTransformer and MAPCodec classes have been changed to not encode the WS-Addressing headers to DOM elements and instead just use the Header list on the SoapMessage directly. This did change the parameters on the encode methods to take the JAXBContext instead of the Marshaller. Any custom VersionTransformers will need to be updated. (very rare) +
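Review bot: the parenthetical "(very rare)" dangles after the final sentence; fold it in, for example "Any custom VersionTransformers (rare) will need to be updated." It would also help migrating users to name the encode methods whose parameters changed from Marshaller to JAXBContext, since that is the compile-time breakage they will hit. The two blank `+` lines ahead of the paragraph add extra vertical space in the rendered page.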
svn commit: r829215 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html
Author: buildbot Date: Fri Aug 17 13:47:26 2012 New Revision: 829215 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/27-migration-guide.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/27-migration-guide.html == --- websites/production/cxf/content/docs/27-migration-guide.html (original) +++ websites/production/cxf/content/docs/27-migration-guide.html Fri Aug 17 13:47:26 2012 @@ -134,6 +134,8 @@ Apache CXF -- 2.7 Migration Guide The WS-Addressing related VersionTransformer and MAPCodec classes have been changed to not encode the WS-Addressing headers to DOM elements and instead just use the Header list on the SoapMessage directly. This did change the parameters on the encode methods to take the JAXBContext instead of the Marshaller. Any custom VersionTransformers will need to be updated. (very rare) + +All methods that took or returned org.apache.cxf.feature.AbstractFeatures have been changed to just use org.apache.cxf.feature.Feature.
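Review bot: "org.apache.cxf.feature.AbstractFeatures" pluralizes the class name; the class is org.apache.cxf.feature.AbstractFeature, so write "took or returned org.apache.cxf.feature.AbstractFeature" to keep the identifier searchable. Worth adding that callers assigning a returned value to an AbstractFeature variable will need to change it to Feature, since a widened return type is the part of this change that breaks existing source.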
svn commit: r829474 - in /websites/production/cxf/content: cache/main.pageCache download.html
Author: buildbot Date: Mon Aug 20 14:47:25 2012 New Revision: 829474 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/download.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/download.html == --- websites/production/cxf/content/download.html (original) +++ websites/production/cxf/content/download.html Mon Aug 20 14:47:25 2012 
@@ -168,17 +168,6 @@ Apache CXF -- Download -2.3.11 -The 2.3.11 release is our latest patch release for 2.3.x. For more information please see the release notes. - -https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; width="16" height="16" alt="" border="0">2.3.11 is the last planned release for the 2.3.x series of CXF. Users are STRONGLY encouraged to update to a newer and supported version of CXF. - - -DescriptionFileMD5SHA1PGPSource distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.3.11/apache-cxf-2.3.11-src.tar.gz";>apache-cxf-2.3.11-src.tar.gzhttp://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.tar.gz.md5";>apache-cxf-2.3.11-src.tar.gz.md5http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-s rc.tar.gz.sha1">apache-cxf-2.3.11-src.tar.gz.sha1http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.tar.gz.asc";>apache-cxf-2.3.11-src.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.3.11/apache-cxf-2.3.11-src.zip";>apache-cxf-2.3.11-src.ziphttp://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.zip.md5";>apache-cxf-2.3.11-src.zip.md5http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.zip.sha1";>apache-cxf-2.3.11-src.zip.sha1http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.zip.asc";>apache-cxf-2.3.11-src.zip.ascBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.3.11/apache-cxf-2.3.11.tar.gz";>apache-cxf-2.3.11.tar.gzhttp://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.tar.gz.md5";>apache-cxf-2.3.11.tar.gz.md5http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.tar.gz.sha1";>apache-cxf-2.3.11.tar.gz.sha1http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11. 
tar.gz.asc">apache-cxf-2.3.11.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.3.11/apache-cxf-2.3.11.zip";>apache-cxf-2.3.11.ziphttp://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.zip.md5";>apache-cxf-2.3.11.zip.md5http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.zip.sha1";>apache-cxf-2.3.11.zip.sha1http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.zip.asc";>apache-cxf-2.3.11.zip.asc - - - - Verifying Releases When downloading from a mirror please check the MD5 and SHA1 checksums as well as verifying the OpenPGP compatible signature available from the main Apache site. The http://www.apache.org/dist/cxf/KEYS";>KEYS file contains the public keys used for signing release. It is recommended that a web of trust is used to confirm the identity of these keys. 
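Review bot: removing the 2.3.11 block also removes the only notice that 2.3.x is end-of-life ("2.3.11 is the last planned release for the 2.3.x series ... Users are STRONGLY encouraged to update"). Suggest keeping a one-line note under the remaining releases stating that 2.3.x is no longer supported, so users still on that series find the upgrade advice instead of a silently missing table. The Verifying Releases context below is unaffected and still directs readers to the checksums on the main site and the OpenPGP signature.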
@@ -214,11 +203,11 @@ Incubator releases: Snapshot distributions can be found at: (the latest one is at the bottom) -2.4.9 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.4.9-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.4.9-SNAPSHOT/ +2.4.10 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.4.10-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.4.10-SNAPSHOT/ -2.5.5 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.5.5-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.5.5-SNAPSHOT/ +2.5.6 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.5.6-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.5.6-SNAPSHOT/ -2.6.2 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.6.2-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.6.2-SNAPSHOT/ +2.6.3 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.6.3-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.6.3-SNAPSHOT/ 2.7.0 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.7.0-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.7.0-SNAPSHOT/