svn commit: r817210 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-security.html

2012-05-11 Thread buildbot
Author: buildbot
Date: Fri May 11 09:48:28 2012
New Revision: 817210

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-security.html
==
--- websites/production/cxf/content/docs/ws-security.html (original)
+++ websites/production/cxf/content/docs/ws-security.html Fri May 11 09:48:28 
2012
@@ -374,7 +374,12 @@ CryptoCoverageChecker checker = Username Token 
Authentication
 
-WS-Security supports many ways of specifying tokens. One of these is the 
UsernameToken header. It is a standard way to communicate a username and 
password or password digest to another endpoint.  Be sure to review the OASIS 
http://tinyurl.com/65n78j"; 
rel="nofollow">UsernameToken Profile Specification for important security 
considerations when using UsernameTokens.  Note that the nonce support 
necessary for guarding against replay attacks is active by default starting 
with CXF 2.6.0 but unavailable in versions prior to that.
+WS-Security supports many ways of specifying tokens. One of these is the 
UsernameToken header. It is a standard way to communicate a username and 
password or password digest to another endpoint.  Be sure to review the OASIS 
http://tinyurl.com/65n78j"; 
rel="nofollow">UsernameToken Profile Specification for important security 
considerations when using UsernameTokens. 
+
+If a nonce is present in a UsernameToken then it should be cached by the 
message recipient to guard against replay attacks. This behaviour is enabled by 
default starting with CXF 2.6.0. This functionality is also available from 
Apache CXF 2.4.7 and 2.5.3 onwards, but is not enabled by default at all for 
backwards-compatibility reasons. The following properties control nonce 
caching:
+
+"ws-security.enable.nonce.cache" - The default value (for CXF 2.6.0) 
is "true" for message recipients, and "false" for message initiators. Set it to 
true to cache for both cases. The default value for CXF 2.4.x and 2.5.x is 
false."ws-security.nonce.cache.instance" - This holds a reference to a 
ReplayCache instance used to cache UsernameToken nonces. The default instance 
that is used is the EHCacheReplayCache, which uses Ehcache to cache the nonce 
values."ws-security.cache.config.file" - Set this property to point to 
a configuration file for the underlying caching implementation. By default the 
cxf-ehcache.xml file in the CXF rt-ws-security module is used.
+
 
 For the server side, you'll want to set up the following properties on your 
WSS4JInInterceptor (see above for code sample):
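Review bot: the added paragraph says nonce caching "is not enabled by default at all" on 2.4.7 and 2.5.3 but never tells those users what to do about it. State explicitly that on 2.4.x/2.5.x a recipient only gets replay protection after setting "ws-security.enable.nonce.cache" to true. The three property descriptions also run straight into each other ("...is false."ws-security.nonce.cache.instance""), so check that each renders as its own list item, and drop the redundant "at all".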
 




svn commit: r817225 - in /websites/production/cxf/content: cache/main.pageCache fediz.html

2012-05-11 Thread buildbot
Author: buildbot
Date: Fri May 11 12:48:20 2012
New Revision: 817225

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Fri May 11 12:48:20 2012
@@ -196,7 +196,13 @@ The RP is the web application which shou
 
 Building
 
-Check out the code from http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunk
+Check out the code from here:
+svn
+http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunkgit
+git://git.apache.org/cxf-fediz.git
+
+
+
 
 Building with Maven
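Review bot: both checkout URLs in the added list use unauthenticated transports (http:// for svn, git:// for git), so a reader building Fediz from them gets no integrity protection on the source of a security component. Use https://svn.apache.org/repos/asf/cxf/fediz/trunk for the svn entry and an https git URL where one is offered.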
 




svn commit: r817291 - in /websites/production/cxf/content: cache/main.pageCache tomcat.html

2012-05-11 Thread buildbot
Author: buildbot
Date: Fri May 11 20:48:01 2012
New Revision: 817291

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/tomcat.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/tomcat.html
==
--- websites/production/cxf/content/tomcat.html (original)
+++ websites/production/cxf/content/tomcat.html Fri May 11 20:48:01 2012
@@ -140,12 +140,18 @@ Apache CXF -- Tomcat
 This page describes how to enable Federation in Tomcat. This Tomcat 
instance acts as the Relying Party which means it validates the incoming 
SignInResponse which has been created by the Identity Provider (IDP) server.
 
 Installation
-tbd
 
+You can either build the plugin on your own or download the package here 
(tbd). If you have built the plugin on your own you'll find the required 
libraries in plugins/tomcat/target/...zip-with-dependencies.zip
+
+
+Create sub-directory fediz in 
${catalina.home}/libUpdate calatina.properties in 
${catalina.home}/conf
+add the previously created directory to the common loader:
+common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jarDeploy
 the libraries to the directory created in (1)
 
-Configuration
 
 
+Configuration
+
 The current release of the federation plugin requires to configure the 
FederationAuthenticator of Fediz like any other Valve in Tomcat which is 
described here http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here.
 
 A valve can be configured on different levels like Host or 
Context. The Fediz configuration file allows to configure all servlet 
contexts in one file or choose one file per Servlet Context. If you choose to 
have one Fediz configuration file per Servlet Context then you must configure 
the FederationAuthenticator on the Context level otherwise on the 
Host level in the Tomcat configuration file server.xml
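Review bot: the new installation step reads "Update calatina.properties"; the file is catalina.properties, and a reader searching ${catalina.home}/conf for the misspelled name will not find it. In the same added block, "download the package here (tbd)" and "plugins/tomcat/target/...zip-with-dependencies.zip" are still placeholders, and "the directory created in (1)" only makes sense if the steps render as a numbered list, so confirm that they do.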
@@ -154,32 +160,40 @@ Apache CXF -- Tomcat
 You can either configure the context in the server.xml or in 
META-INF/context.xml as part of your WAR file.
 
 META-INF/context.xml
-
-  <Context> 
-<Valve 
className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
-  configFile="conf/Fediz_config.xml" />
-  </Context> 
+
+ 
+  <Context> 
+<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
+  configFile="conf/Fediz_config.xml" />
+  </Context> 
+
+
 
 Host level in 
server.xml
-  ...
-  <Host name="localhost"  appBase="webapps"
-unpackWARs="true" autoDeploy="true"
-xmlValidation="false" xmlNamespaceAware="false">
-<Valve 
className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
-   configFile="conf/Fediz_config.xml" />
-  </Host>
-  ...
-
-Context level 
in server.xml
+
+ 
+  <Host name="localhost"  appBase="webapps"
+unpackWARs="true" autoDeploy="true">
+<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
+   configFile="conf/Fediz_config.xml" 
/>
+  </Host>
+
+ 
+  <Host name="localhost"  appBase="webapps"
 
-  ...
-  <Context path="/fedizhelloworld" docBase="fedizhelloworld">
-<Valve 
className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
-  configFile="conf/Fediz_config.xml" />
-  </Context>
-  ...
+unpackWARs="true" autoDeploy="true">
 
+Context level 
in server.xml
+
+ 
+  <Context path="/fedizhelloworld" docBase="fedizhelloworld">
+<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
+  configFile="conf/Fediz_config.xml" />
+  </Context>
+
+
 
+The Fediz configuration file is container independent and described 
here.
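Review bot: after the Host-level sample closes with "</Host>", the added lines open a second "<Host name="localhost"  appBase="webapps"" followed by "unpackWARs="true" autoDeploy="true">" with no Valve and no closing tag, just before the "Context level in server.xml" heading. That looks like a leftover from editing; remove the stray fragment so the page does not show an unclosed element that readers may paste into server.xml. The samples also drop the "..." markers that showed they are excerpts of a larger file, which is worth restoring or saying in the text.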
 
 





svn commit: r817578 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html

2012-05-14 Thread buildbot
Author: buildbot
Date: Mon May 14 10:48:00 2012
New Revision: 817578

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-advanced-features.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html
==
--- websites/production/cxf/content/docs/jax-rs-advanced-features.html 
(original)
+++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Mon May 
14 10:48:00 2012
@@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Advanced Features
 JAX-RS : Advanced Features
 
 
-JMS 
SupportFIQL search 
queriesIntroductionDependencies and 
ConfigurationConsuming FIQL 
queriesBuilding FIQL 
queriesUsing dates in 
queriesOneway 
invocationsSupport for 
ContinuationsServer-side c
 achingRESTful 
services without annotationsConfiguration
+JMS 
SupportFIQL search 
queriesIntroductionDependencies and 
ConfigurationConsuming FIQL 
queriesSearchBeanBuilding FIQL 
queriesUsing dates in 
queriesOneway 
invocationsSupport for 
Continuations<
 /a>Server-side 
cachingRESTful 
services without annotationsConfiguration
 
 JMS 
Support
 
@@ -222,6 +222,9 @@ An expression such as "name==CXF*" can b
 
 
 
+Note that a searchContext.getCondition(Book.class) call may return an 
arbitrary complex SearchCondition, it can be a simple primitive
+expression or a more complex one. The Book class needs to have a matching 
property per every name found in the FIQL expression, for example, given a 
'name==b;id==123' expression, the Book class would need to have 'name' and 'id' 
properties available.
+
 SearchCondition can also be used to get to all the search requirements 
(originally expressed in FIQL) and do some manual
 comparison against the local data. For example, SearchCondition provides a 
utility toSQL(String tableName, String... columnNames) method which internally 
introspects all the search expressions constituting a current query and 
converts them into an SQL expression:
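Review bot: the added note says the Book class "needs to have a matching property per every name found in the FIQL expression" but does not say what happens when it does not. The expression comes from the request query, so clients control the names; document whether getCondition(Book.class) throws, returns null or ignores the unknown name, and what the service should return in that case. Wording: "arbitrary complex SearchCondition, it can be" should read "arbitrarily complex SearchCondition; it can be", and "per every name" should be "for every name".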
 
@@ -332,11 +335,36 @@ assertEquals("SELECT LEVEL_COLUMN FROM t
 MultivaluedMap<String, String> params = ui.getQueryParameters();
 String fiqlQuery = 
params.getFirst("_s");
 // delegate to your own custom handler 
+
+// note that the original search expression 
can also be retrieved 
+// using a 
SearchContext.getSearchExpression() method
 }
 
 
 
 
+SearchBean
+
+org.apache.cxf.jaxrs.ext.search.SearchBean is a utility bean class which 
can simplify analyzing the captured FIQL expressions and converting them to the 
other language expressions, in cases where having to update the bean class such 
as Book.class with all the properties thatmay need to be supported is not 
practical. For example:
+
+
+
+// ?_s="level=gt=10"
+SearchCondition<SearchBean> sc = 
searchContext.getCondition(SearchBean.class);
+
+Map\<, String\> fieldMap = new HashMap\<String, String\>();
+fieldMap.put("level", "LEVEL_FIELD");
+
+SQLPrinterVisitor<SearchBean> visitor = new SQLPrinterVisitor<SearchBean>(fieldMap, 
"table", "LEVEL_COLUMN");
+sc.visit(visitor);
+assertEquals("SELECT LEVEL_COLUMN FROM table 
+  WHERE LEVEL_COLUMN > '10'",
+  visitor.getResult());
+
+
+
+
+
 Building FIQL queries
 
 CXF 2.4.0 introduces http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/search/client/SearchConditionBuilder.java";>SearchConditionBuilder
 which makes it simpler to build FIQL queries. SearchConditionBuilder is an 
abstract class that returns a FIQL builder by default:
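Review bot: the SearchBean sample does not compile as written: "Map\<, String\> fieldMap = new HashMap\<String, String\>();" has a missing key type and escaped angle brackets that leaked into the output. It is also inconsistent, since fieldMap maps "level" to "LEVEL_FIELD" while the assertion expects "WHERE LEVEL_COLUMN > '10'"; one of the two names is wrong. Since the printed SQL embeds the value from "?_s=" as a literal, add a sentence on how the visitor result is meant to be used safely with client-supplied values. Typo in the prose: "thatmay".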




buildbot failure in ASF Buildbot on cxf-site-production

2012-05-14 Thread buildbot
The Buildbot has detected a new failure on builder cxf-site-production while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/cxf-site-production/builds/1673

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

BUILD FAILED: failed compile

sincerely,
 -The Buildbot





buildbot success in ASF Buildbot on cxf-site-production

2012-05-14 Thread buildbot
The Buildbot has detected a restored build on builder cxf-site-production while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/cxf-site-production/builds/1674

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

Build succeeded!

sincerely,
 -The Buildbot





svn commit: r817603 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html

2012-05-14 Thread buildbot
Author: buildbot
Date: Mon May 14 15:48:10 2012
New Revision: 817603

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache

websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
==
--- 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 (original)
+++ 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 Mon May 14 15:48:10 2012
@@ -595,7 +595,7 @@ Language tags are regulated by the Inter
 Many proxy servers don't understand it, especially older proxy 
servers.   Many proxy servers want the Content-Length up front so they can 
allocate a buffer to store the request before passing it onto the real 
server.Some of the older WebServices stacks also have problems with 
Chunking.  Specifically, older versions of .NET.
 
 
-If you are getting strang errors (generally not soap faults, but other HTTP 
type errors) when trying to interact with a service, try turning off chunking 
to see if that helps.
+If you are getting strange errors (generally not soap faults, but other 
HTTP type errors) when trying to interact with a service, try turning off 
chunking to see if that helps.
 
 





svn commit: r817625 - in /websites/production/cxf/content: cache/main.pageCache fediz.html tomcat.html

2012-05-14 Thread buildbot
Author: buildbot
Date: Mon May 14 19:48:06 2012
New Revision: 817625

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html
websites/production/cxf/content/tomcat.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Mon May 14 19:48:06 2012
@@ -171,16 +171,16 @@ The RP is the web application which shou
 
 It's recommended to deploy the IDP and the web application (RP) into 
different container instances as in a production deployment. The container with 
the IDP can be used during development and testing for any web application.
 
-Setting up the IDP
+Setting up the IDP
 
 The following blog entries describe how to set up the IDP:
 
 http://owulff.blogspot.com/2011/10/configure-and-deploy-cxf-25-sts-part-i.html";
 rel="nofollow">STS WAR
 http://owulff.blogspot.com/2011/10/configure-and-deploy-identity-provider.html";
 rel="nofollow">IDP WAR
 
-Set up the 
Relying Party Container
+Set up the 
Relying Party Container
 
-An individual plugin is deployed in each container. But most of the 
configuration is container independent and described here
+The Fediz plugin is deployed into the Relying Party (RP) container. The 
security mechanism is not specified by JEE. Even it is very similar in each 
Servlet Container there are some differences which requires dedicated Fediz 
plugins for each Servlet Container implementation. Most of the configuration is 
container independent and described here
 
 The following lists shows the supported containers and the location of the 
installation and configuration page.
 Tomcat 7 
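Review bot: the replacement paragraph has two grammar slips that obscure the point: "Even it is very similar in each Servlet Container there are some differences which requires" should read "Even though it is very similar in each Servlet Container, there are some differences which require". The unchanged line after it, "The following lists shows", could be fixed in the same edit.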


Modified: websites/production/cxf/content/tomcat.html
==
--- websites/production/cxf/content/tomcat.html (original)
+++ websites/production/cxf/content/tomcat.html Mon May 14 19:48:06 2012
@@ -154,7 +154,9 @@ add the previously created directory to 
 
 Configuration
 
-The current release of the federation plugin requires to configure the 
FederationAuthenticator of Fediz like any other Valve in Tomcat which is 
described here http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here.
+The Fediz related configuration is Container independent and described here.
+
+The Fediz plugin requires to configure the FederationAuthenticator like any 
other Valve in Tomcat which is described here http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here.
 
 A valve can be configured on different levels like Host or 
Context. The Fediz configuration file allows to configure all servlet 
contexts in one file or choose one file per Servlet Context. If you choose to 
have one Fediz configuration file per Servlet Context then you must configure 
the FederationAuthenticator on the Context level otherwise on the 
Host level in the Tomcat configuration file server.xml
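Review bot: the rewritten sentence keeps the doubled link text from the old one, "which is described here ...>here.", so the rendered page reads "described here here"; keep one. "requires to configure the FederationAuthenticator" should be "requires the FederationAuthenticator to be configured", and "Container independent" should be lower case to match the wording used on fediz.html.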
 




svn commit: r817635 - in /websites/production/cxf/content: cache/main.pageCache configuration.html

2012-05-14 Thread buildbot
Author: buildbot
Date: Mon May 14 20:48:09 2012
New Revision: 817635

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/configuration.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/configuration.html
==
--- websites/production/cxf/content/configuration.html (original)
+++ websites/production/cxf/content/configuration.html Mon May 14 20:48:09 2012
@@ -152,7 +152,9 @@ Apache CXF -- Configuration
 <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
 </audienceUris>
 <certificateStore>
-<keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" 
password="stsspass" type="JKS" />
+<trustManager>
+<keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" 
password="stsspass" type="JKS" />
+</trustManager>
 </certificateStore>
 <trustedIssuers>
 <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
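Review bot: the keyStore element that this change wraps in <trustManager> still shows a clear-text password (password="stsspass") and an absolute developer path (/projects/fediz/tomcat-rp2/conf/stsstore.jks); use a placeholder path and say in the text that this store holds the trusted issuer certificates and how its password should be protected. In the adjacent context line, subject=".*CN=www.sts.com.*" is unanchored with unescaped dots, so it also matches subjects such as CN=www.sts.com.example.org; the sample should show an escaped, anchored pattern.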




svn commit: r818160 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-redirection.html docs/jax-rs-xml-security.html

2012-05-18 Thread buildbot
Author: buildbot
Date: Fri May 18 11:48:39 2012
New Revision: 818160

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-redirection.html
websites/production/cxf/content/docs/jax-rs-xml-security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-redirection.html
==
--- websites/production/cxf/content/docs/jax-rs-redirection.html (original)
+++ websites/production/cxf/content/docs/jax-rs-redirection.html Fri May 18 
11:48:39 2012
@@ -235,6 +235,19 @@ Note that RequestDispatcherProvider can 
 Note that RequestDispatcherProvider has a 'dispatcherName' property - that 
can be handy when redirecting to named servlets (example, MyServlet) 
including
 such ones as "jsp" or "default", especially when CXFServlet handling a given 
invocation has a uri pattern that may also capture the redirection 
requestwell-known servlets such as "default", see the next section for more 
information. 
 
+Starting from CXF 2.6.1 it is possible to configure the provider to check 
if the current class has an associated view handler or not, for example:
+
+
+
+<bean id="viewHandler" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
+ <property name="dispatcherName" value=jsp""/>
+ <property name="useClassNames" value="true"/>
+</bean>
+
+
+
+For example, given a simple class name such as "BookInfo", 
RequestDispatcherProvider will check if a "/WEB-INF/bookInfo.jsp" handler is 
available or not. The provider will likely be extended to check few more 
locations as needed.  
+
 Finally, a 'servletContextPath' property can be used to have some other 
ServletContext (as opposed to the current one) be used for RequestDispatcher 
look-ups. If set then the current ServletContext.getContext(servletContextPath) 
will be used to get the needed ServletContext.
 
 With 
CXFServlet
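Review bot: the added bean sample has a malformed attribute, "<property name="dispatcherName" value=jsp""/>"; it should be value="jsp", otherwise the Spring file fails to parse when copied. The text also gives "/WEB-INF/bookInfo.jsp" for class "BookInfo" without stating the rule (lower-cased first letter, fixed /WEB-INF/ prefix, .jsp suffix), and "check few more locations" should be "check a few more locations".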

Modified: websites/production/cxf/content/docs/jax-rs-xml-security.html
==
--- websites/production/cxf/content/docs/jax-rs-xml-security.html (original)
+++ websites/production/cxf/content/docs/jax-rs-xml-security.html Fri May 18 
11:48:39 2012
@@ -657,9 +657,21 @@ The following properties can be set on i
 <bean id="xmlEncInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncInHandler">
 <property name="encryptionProperties" ref="encProps"/>
 </bean>
+
+<!-- the following 
ensures that the outbound handlers will use the same algorithms that the client 
used -->  
+<bean id="xmlSigOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor">
+<property name="signatureProperties" ref="sigProps"/>
+</bean>
+
+<bean id="xmlEncOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
+<property name="encryptionProperties" ref="encProps"/>
+</bean>
 
 
 
+Getting the same SignatureProperties and EncryptionProperties beans (with 
"sigProps" and "encProps" ids) registered with the outbound
+handlers will ensure that the algorithms used by the current client have not 
only been validated on the inbound side but also used on the outbound side for 
encrypting and signing the data.
+
 Interoperability
 
 The payloads containing the enveloping XML Signatures are structured 
according to the XML Signature specification and as such can be consumed by any 
XML Signature aware consumers capable of handling the enveloping signatures and 
extracting the signed payload. 
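Review bot: the XML comment says the outbound handlers "will use the same algorithms that the client used", while the new paragraph says sharing the "sigProps" and "encProps" beans achieves this. Make clear which it is: the algorithms configured in those beans, or whatever the client sent, and if the latter, that this is only safe because the inbound side rejects anything outside the configured set. The bean ids also end in "HandlerWithProps" while the classes are XmlSigOutInterceptor and XmlEncOutInterceptor; name them consistently.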




svn commit: r818681 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html docs/standalone-http-transport.html

2012-05-22 Thread buildbot
Author: buildbot
Date: Tue May 22 10:47:53 2012
New Revision: 818681

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache

websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
websites/production/cxf/content/docs/standalone-http-transport.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
==
--- 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 (original)
+++ 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 Tue May 22 10:47:53 2012
@@ -301,6 +301,7 @@ http.setClient(httpClientPolicy);
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
+<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
  </sec:cipherSuitesFilter>
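Review bot: adding ".*_WITH_AES_.*" leaves the sample filter still including ".*_EXPORT_.*", ".*_EXPORT1024_.*", ".*_WITH_DES_.*" and ".*_WITH_NULL_.*", that is export-grade, single-DES and no-encryption suites, with ".*_DH_anon_.*" as the only exclude. Readers copy this block into real configurations, so either drop those four includes from the sample or state next to it that it illustrates filter syntax and is not a recommended cipher set.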

Modified: websites/production/cxf/content/docs/standalone-http-transport.html
==
--- websites/production/cxf/content/docs/standalone-http-transport.html 
(original)
+++ websites/production/cxf/content/docs/standalone-http-transport.html Tue May 
22 10:47:53 2012
@@ -168,6 +168,7 @@ Apache CXF -- Standalone HTTP Transport
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
+<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
  </sec:cipherSuitesFilter>
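Review bot: this is the same cipherSuitesFilter block as on the client transport page, here on the server-side page, and it has the same problem: the EXPORT, DES and NULL includes remain beside the new AES line. Apply the same cleanup here, and consider keeping one copy of the sample that both pages include so the two do not drift apart.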




svn commit: r818702 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html

2012-05-22 Thread buildbot
Author: buildbot
Date: Tue May 22 14:47:55 2012
New Revision: 818702

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue May 22 14:47:55 
2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth2
 
 
 
-IntroductionMaven dependenciesDeveloping OAuth2 
ServersAuthorization ServiceAccessTokenServiceWriting 
OAuthDataProviderOAuth Server JAX-RS 
endpointsProtecting resources 
with OAuth filtersHow to get the user login 
nameClient-side supportOAuth2 without 
the Explicit AuthorizationOAuth Without a 
BrowserDesign 
considerationsControlling the 
Access to Resource ServerSharing 
the same access path between end users and clientsProviding
 different access points to end users and clientsSingle Sign 
OnWhat Is 
Next
+IntroductionMaven dependenciesDeveloping OAuth2 
ServersAuthorization ServiceAccessTokenServiceAccessTokenValidationServiceWriting 
OAuthDataProviderOAuth Server JAX-RS 
endpointsProtecting resources 
with OAuth filtersHow to get the user login
  nameClient-side supportOAuth2 
without the Explicit AuthorizationOAuth Without a 
BrowserDesign 
considerationsControlling the 
Access to Resource ServerSharing 
the same access path between end users and clientsProviding
 different access points to end users and clientsSingle Sign 
OnWhat Is Next
 
 Introduction
 
@@ -366,6 +366,9 @@ Headers: 
 
 Note that the access token key is passed as the Bearer scheme value. Other 
token types such as MAC ones, etc, can be represented differently.
 
+AccessTokenValidationService
 
+The  http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java";>AccessTokenValidationService
 is a CXF specific OAuth2 service for accepting the remote access token 
validation requests. Typically, OAuthRequestFilter (see on it below) may choose 
to impersonate itself as a third-party client and will ask 
AccessTokenValidationService to return the information relevant to the current 
access token, before setting up a security context. More on it below.
+
 Writing 
OAuthDataProvider
 
 Using CXF OAuth service implementations will help a lot with setting up an 
OAuth server. As you can see from the above sections, these services rely on a 
custom http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";>OAuthDataProvider
 implementation.
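Review bot: the new AccessTokenValidationService paragraph does not say who is allowed to call the endpoint. "may choose to impersonate itself as a third-party client" suggests the filter authenticates as a registered client, but the text should state that outright and say how the service authenticates callers, since it returns information about an access token. "see on it below" and "More on it below" say the same thing twice; keep one and link it to the section.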
@@ -414,24 +417,48 @@ Most likely, you'd want to deploy Access
 
 AccessTokenService listens on a relative "/token" path. Given that 
jaxrs:server/@adress is "/oauth" and assuming a context name is "/services", 
the absolute address of AccessTokenService would be something like 
"http://localhost:8080/services/oauth/token";. 
 
-AuthorizationCodeGrantService is better to put where the main application 
endpoint is. It can be put alongside AccessTokenService - but the problem is 
that the end user is expected to authenticate itself with the resource server 
after it has been redirected by a third-party client to 
AuthorizationCodeGrantService. That would make it more complex for the OAuth 
server endpoint to manage both OAuth (third-party client) and the regular user 
authentication - that can be done, see more on it below in the Design 
considerations section, but the simpler option is to simply get 
AuthorizationCodeGrantService under the control of the security filter 
enforcing the end user authentication:
+If the remote token validation is supported then have 
AccessTokenValidationService  added too:
 
 
-
-<bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
-  <property name="dataProvider" ref="oauthProvider"/>
-</bean>
-
-<bean id="myApp" class="org.myapp.MyApp">
-  <property name="dataProvider" ref="oauthProvider"/>
-</bean>
-
-<jaxrs:server id="oauthServer" 
address="/myapp">
-   <jaxrs:serviceBeans>
-  <ref bean="myApp"/>
-  <ref bean="authorizationService"/>
-  </jaxrs:serviceBeans>
-</jaxrs:server>
+
+<!-- implements 
OAuthDataProvider -->
+<bean id="oauthProvider" class="oauth

svn commit: r818820 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-data-bindings.html

2012-05-23 Thread buildbot
Author: buildbot
Date: Wed May 23 10:47:52 2012
New Revision: 818820

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-data-bindings.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-data-bindings.html
==
--- websites/production/cxf/content/docs/jax-rs-data-bindings.html (original)
+++ websites/production/cxf/content/docs/jax-rs-data-bindings.html Wed May 23 
10:47:52 2012
@@ -253,7 +253,7 @@ Apache CXF -- JAX-RS Data Bindings
 
 JAXB and 
Moxy
 
-For JAXBElementProvider to support [http://www.eclipse.org/eclipselink/moxy.php] a custom 
Moxy-aware JAX-RS ContextProvider implementation needs to be registered. 
+For JAXBElementProvider to support http://www.eclipse.org/eclipselink/moxy.php"; rel="nofollow">Moxy a 
custom Moxy-aware JAX-RS ContextProvider implementation needs to be registered. 

 If Moxy is used to handle beans without JAXB annotations then setting a 
'skipJaxbChecks' property on JAXBElementProvider to 'true' will be needed. 
 
 JSON support




svn commit: r818922 - in /websites/production/cxf/content: cache/docs.pageCache docs/jetty-configuration.html

2012-05-24 Thread buildbot
Author: buildbot
Date: Thu May 24 07:48:04 2012
New Revision: 818922

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jetty-configuration.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jetty-configuration.html
==
--- websites/production/cxf/content/docs/jetty-configuration.html (original)
+++ websites/production/cxf/content/docs/jetty-configuration.html Thu May 24 
07:48:04 2012
@@ -215,12 +215,12 @@ The threadingParameters has two
   <httpj:threadingParameters minThreads="5"
  maxThreads="15" />
   <httpj:connector>
-<beans:bean class="org.mortbay.jetty.bio.SocketConnector">
+<beans:bean class="org.eclipse.jetty.server.bio.SocketConnector">
<beans:property name = "port" value="9001" 
/>
 </beans:bean>
   </httpj:connector>
   <httpj:handlers>
-<beans:bean class="org.mortbay.jetty.handler.DefaultHandler"/>
 
+<beans:bean class="org.eclipse.jetty.server.handler.DefaultHandler"/>
 
   </httpj:handlers>
   <httpj:sessionSupport>true</httpj:sessionSupport>
 </httpj:engine>
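Review bot: the sample now uses org.eclipse.jetty.server.bio.SocketConnector and org.eclipse.jetty.server.handler.DefaultHandler, which exist only from Jetty 7 on, but the page does not say so. Add a line stating which Jetty and CXF versions the sample applies to and that older Jetty 6 based setups need the org.mortbay.jetty class names, otherwise readers on those versions get a ClassNotFoundException from a copied configuration.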




svn commit: r818925 [4/4] - in /websites/production/cxf/content: ./ cache/ using-ws-policy-in-cxf-projects.data/

2012-05-24 Thread buildbot
Modified: websites/production/cxf/content/dosgi-presentations-and-articles.html
==
--- websites/production/cxf/content/dosgi-presentations-and-articles.html 
(original)
+++ websites/production/cxf/content/dosgi-presentations-and-articles.html Thu 
May 24 08:54:44 2012
@@ -120,7 +120,7 @@ Apache CXF -- DOSGi Presentations and Ar
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF

Modified: websites/production/cxf/content/dosgi-releases.html
==
--- websites/production/cxf/content/dosgi-releases.html (original)
+++ websites/production/cxf/content/dosgi-releases.html Thu May 24 08:54:44 2012
@@ -120,7 +120,7 @@ Apache CXF -- DOSGi Releases
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF

Modified: websites/production/cxf/content/dosgi-spring-dm-demo-page.html
==
--- websites/production/cxf/content/dosgi-spring-dm-demo-page.html (original)
+++ websites/production/cxf/content/dosgi-spring-dm-demo-page.html Thu May 24 
08:54:44 2012
@@ -120,7 +120,7 @@ Apache CXF -- DOSGi Spring-DM Demo page
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF

Modified: websites/production/cxf/content/download.html
==
--- websites/production/cxf/content/download.html (original)
+++ websites/production/cxf/content/download.html Thu May 24 08:54:44 2012
@@ -120,7 +120,7 @@ Apache CXF -- Download
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF

Modified: websites/production/cxf/content/faq.html
==
--- websites/production/cxf/content/faq.html (original)
+++ websites/production/cxf/content/faq.html Thu May 24 08:54:44 2012
@@ -120,7 +120,7 @@ Apache CXF -- FAQ
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF

Modified: websites/production/cxf/content/fediz-configuration.html
==
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Thu May 24 
08:54:44 2012
@@ -120,7 +120,7 @@ Apache CXF -- Fediz Configuration
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF

Modified: websites/production/cxf/content/fediz-downloads.html
==
--- websites/production/cxf/content/fediz-downloads.html (original)
+++ websites/production/cxf/content/fediz-downloads.html Thu May 24 08:54:44 
2012
@@ -120,7 +120,7 @@ Apache CXF -- Fediz Downloads
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Thu May 24 08:54:44 2012
@@ -120,7 +120,7 @@ Apache CXF -- Fediz IDP
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF

Modified: websites/production/cxf/content/fediz-tomcat.html
==
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Thu May 24 08:54:44 2012
@@ -120,7 +120,7 @@ Apache CXF -- Fediz Tomcat
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Thu May 24 08:54:44 2012
@@ -120,7 +120,7 @@ Apache CXF -- Fediz
 
 Subprojects
 
-Distributed 
OSGiXJC 
UtilsBuild Utils
+Distributed 
OSGiXJC 
UtilsBuild UtilsFediz
 
 
 http://www.apache.org";>ASF
@@ -136,9 +136,7 @@ Apache CXF -- Fediz
  


-https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
height="16" width="16" alt="" border="0"> Under construction
-
-Apache CXF 
Fediz: An Open-Source Web

svn commit: r818932 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-ws-dispatch-api.html

2012-05-24 Thread buildbot
Author: buildbot
Date: Thu May 24 09:47:52 2012
New Revision: 818932

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-ws-dispatch-api.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-ws-dispatch-api.html
==
--- websites/production/cxf/content/docs/jax-ws-dispatch-api.html (original)
+++ websites/production/cxf/content/docs/jax-ws-dispatch-api.html Thu May 24 
09:47:52 2012
@@ -194,15 +194,13 @@ Apache CXF -- JAX-WS Dispatch API
 To create a Dispatch object do the following:
 Create a Service object to represent the 
wsdl:service element defining the service on which the 
Dispatch object will make invocations.Create the 
Dispatch object using the Service object's 
createDispatch() method.
 
-
-public Dispatch<T> 
createDispatch(QName portName, java.lang.Class<T> type, Service.Mode mode)
+public 
Dispatch<T> createDispatch(QName portName, java.lang.Class<T> type, Service.Mode mode)
 throws WebServiceException;
 
 
 https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
width="16" height="16" alt="" border="0">If 
you are using JAXB objects the method signature for createDispatch() 
is:
 
-
-public Dispatch<T> 
createDispatch(QName portName, javax.xml.bind.JAXBContext context, Service.Mode 
mode)
+public 
Dispatch<T> createDispatch(QName portName, javax.xml.bind.JAXBContext 
context, Service.Mode mode)
 throws WebServiceException;
 
 
@@ -216,8 +214,7 @@ Apache CXF -- JAX-WS Dispatch API
 
 The code below creates a Dispatch object that works with 
DOMSource objects in payload mode.
 
-
-package com.mycompany.demo;
+package 
com.mycompany.demo;
 
 import javax.xml.namespace.QName;
 import javax.xml.ws.Service;
@@ -253,8 +250,7 @@ Apache CXF -- JAX-WS Dispatch API
 
 For consumers that make synchronous invocations that generate a response, 
you use the Dispatch object's invoke() method shown 
bellow.
 
-
-T invoke(T msg)
+T invoke(T msg)
 throws WebServiceException;
 
 
@@ -262,11 +258,10 @@ T invoke(T msg)
 https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
width="16" height="16" alt="" border="0">When 
using JAXB objects, the response and the request can be of any type the 
provided JAXBContext object can marshal and unmarshal. Also, the 
response and the request can be different JAXB objects.
 The code bellow makes a synchronous invocation on a remote service using a 
DOMSource object.
 
-
-// Creating a DOMSource Object for the 
request
+// Creating a DOMSource 
Object for 
the request
 DocumentBuilder db = DocumentBuilderFactory.newDocumentBuilder();
 Document requestDoc = db.newDocument();
-Element root = requestDoc.createElementNS("http://org.apache.cxf/stockExample", 
+Element root = requestDoc.createElementNS("http://org.apache.cxf/stockExample",
"getStockPrice");
 root.setNodeValue("DOW");
 DOMSource request = new 
DOMSource(requestDoc);
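Review bot: The sample in this hunk does not compile and does not build the request it describes, and the reformatting leaves that untouched. "DocumentBuilderFactory.newDocumentBuilder()" calls an instance method statically; it needs "DocumentBuilderFactory.newInstance().newDocumentBuilder()", with setNamespaceAware(true) on the factory since the next line uses createElementNS. "root.setNodeValue("DOW")" has no effect on an Element node (setTextContent is the call that sets the text), and root is never appended to requestDoc before "new DOMSource(requestDoc)", so the source wraps an empty document. The context text also spells "below" as "bellow" here and in the neighbouring hunks.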
@@ -282,16 +277,14 @@ DOMSource request = 
-
-Response <T> invokeAsync(T msg)
+Response <T> invokeAsync(T msg)
 throws WebServiceException;
 
 
 
 When using the callback approach the invokeAsync() method takes an 
AsyncHandler implementation that processes the response when it is 
returned.
 
-
-Future<?> invokeAsync(T msg, AsyncHandler<T> handler)
+Future<?> invokeAsync(T msg, 
AsyncHandler<T> handler)
 throws WebServiceException;
 
 
@@ -302,8 +295,7 @@ Future<?> invokeAsync(T msg, Async
 
 When a request does not generate a response, you make remote invocations 
using the Dispatch object's invokeOneWay().
 
-
-void invokeOneWay(T msg)
+void invokeOneWay(T msg)
 throws WebServiceException;
 
 
@@ -311,8 +303,7 @@ void invokeOneWay(T msg)
 https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
width="16" height="16" alt="" border="0">When 
using JAXB objects, the response and the request can be of any type the 
provided JAXBContext object can marshal and unmarshal. Also, the 
response and the request can be different JAXB objects.
 The code bellow makes a one way invocation on a remote service using a JAXB 
object.
 
-
-// Creating a JAXBContext and an Unmarshaller for the request
+// Creating a JAXBContext 
and an Unmarshaller for the request
 JAXBContext jbc = JAXBContext.newInstance("com.mycompany.StockExample");
 Unmarshaller u = jbc.createUnmarshaller();
 
@@ -323,7 +314,15 @@ GetStockPrice request = (GetStockPrice)u
 // Dispatch disp created previously

svn commit: r818965 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html

2012-05-24 Thread buildbot
Author: buildbot
Date: Thu May 24 14:47:51 2012
New Revision: 818965

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-configuration.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Thu May 24 
14:47:51 2012
@@ -184,12 +184,16 @@ Finally, the audience URI is validated a
 
 
 XML element Name Use Description issuer  Issuer URL  Required This URL defines the location of the IDP to whom 
unauthenticated requests are redirected  authenticationType  Authentication Type  Optional  The authentication type defines what kind of 
authentication is required. This infor
 mation is provided in the SignInRequest to the IDP (parameter 
wauth)
-The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here.
+The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here. roleURI  Role Claim URI  Optional  Defines the attribute name of the SAML token which 
contains the roles  roleDelimiter  Role Value Delimiter  Optional  There are different ways to encode multi value attributes 
in SAML.
+Single attribute with multiple valuesSeveral attributes with 
the same name but only one valueSingle attribute with single value. 
Roles are delimited by roleDelimiter
+ 
claimTypesRequested  
Requested claims  
Optional  The claims 
required by the Relying Party are listed here. Claims can be optional. If a 
mandatory claim can't be provided by the IDP the issuance of the token should 
fail 
 
 
 
 
 
+
+
 Advanced 
example
 
 The following example defines the required claims and configure custom 
callback handler to define some configuration values at runtime.
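Review bot: The new claimTypesRequested row only says that "the issuance of the token should fail" at the IDP when a mandatory claim cannot be provided; it does not say what the plugin does when a token arrives without that claim. A relying party should not depend on the IDP to enforce its own requirements, so the description should state whether the plugin rejects such a token or whether the application has to check for the claim itself. The roleDelimiter row lists three encodings but gives no default delimiter and does not say which encoding is assumed when the element is omitted. In the context line below, "configure custom callback handler" should read "configures a custom callback handler".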




svn commit: r819001 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html

2012-05-24 Thread buildbot
Author: buildbot
Date: Thu May 24 20:47:51 2012
New Revision: 819001

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-configuration.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Thu May 24 
20:47:51 2012
@@ -153,7 +153,7 @@ Apache CXF -- Fediz Configuration
 </audienceUris>
 <certificateStore>
 <trustManager>
-<keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" 
password="stsspass" type="JKS" />
+<keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" 
/>
 </trustManager>
 </certificateStore>
 <trustedIssuers>
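Review bot: The keyStore line now uses the relative path "conf/stsstore.jks", but the example itself gives no hint what that path is resolved against; the only explanation is in the reference table further down the page. A trust store loaded from an unexpected working directory decides which token signers are accepted, so the base directory should be named directly under the example. The same line keeps password="stsspass" as a literal; suggest marking it as a sample value and noting that the configuration file then needs to be readable only by the container account.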
@@ -175,7 +175,9 @@ Finally, the audience URI is validated a
 Configuration 
reference
 
 
-XML element Name Use Description audienceUris  Audience URI  Required  The values of the list of audience URIs are verified 
against the element AudienceRestriction in the SAML token 
 
certificateStore  Trusted 
certificate store  
Required  The list of 
keystores (JKS, PEM) includ
 es at least the certificate of the Certificate Authorities (CA) which signed 
the certificate which is used to sign the SAML token  trustedIssuers  Trusted Issuers  Required  There are two ways to configure a trusted 
issuer (IDP). Either you configure the subject name and the CA(s) who signed 
the certificate of the IDP (certificateValidation=ChainTrust) or you 
configure the certificate of the IDP and the CA(s) who signed it 
(certificateValidation=PeerTrust)
+XML element Name Use Description audienceUris  Audience URI  Required  The values of the list of audience URIs are verified 
against the element AudienceRestriction in the SAML token 
 
certificateStore  Trusted 
certificate store  
Required  The list of 
keystores (JKS, PEM) includ
 es at least the certificate of the Certificate Authorities (CA) which signed 
the certificate which is used to sign the SAML token.
+If the file location is not fully qualified it's relative to the Container 
home directory  
trustedIssuers  Trusted 
Issuers  Required 
 There are two ways to 
configure a trusted issuer (IDP). Either you configure the subject name and the 
CA(s) who signed the certificate of the IDP 
(certificateValidation=ChainTrust) or you configure the certificate of 
the IDP and the CA(s) who signed it 
(certificateValidation=PeerTrust) maximumClockSkew  Maximum Clock Skew  Optional  Maximum allowable time difference between the system
  clocks of the IDP and RP.
+Default 5 seconds. 
 
 
 
@@ -183,14 +185,22 @@ Finally, the audience URI is validated a
 WS-Federation
 protocol configuration reference 
 
 
-XML element Name Use Description issuer  Issuer URL  Required This URL defines the location of the IDP to whom 
unauthenticated requests are redirected  authenticationType  Authentication Type  Optional  The authentication type defines what kind of 
authentication is required. This infor
 mation is provided in the SignInRequest to the IDP (parameter 
wauth)
+XML element Name Use Description issuer  Issuer URL  Required This URL defines the location of the IDP to whom 
unauthenticated requests are redirected  realm  Realm  Optional  Security realm of the Relying Party / Application. This 
value is part of the SignIn request as the wtrealm
  parameter.
+Default: URL including the Servlet Context  authenticationType  Authentication Type  Optional  The authentication type defines what kind of 
authentication is required. This information is provided in the SignInRequest 
to the IDP (parameter wauth)
 The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here. roleURI  Role Claim URI  Optional  Defines the attribute name of the SAML token which 
contains the roles  roleDelimiter  Role Value Delimiter  Optional  There are different ways to encode multi value attributes 
in SAML.
 Single attribute with multiple valuesSeveral attributes with 
the same name but only one valueSingle attribute with single value. 
Roles are delimited by roleDelimiter
- 
claimTypesRequested  
Requested claims  
Optional  The claims 
required by the Relying Party are listed here. Claims can be optional. If a 
mandatory claim can't be provided by the IDP the issuance of the token should 
fail 
+ 
claimTypesRequested  
Req

svn commit: r819005 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-services-configuration.html

2012-05-24 Thread buildbot
Author: buildbot
Date: Thu May 24 21:47:50 2012
New Revision: 819005

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-services-configuration.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-services-configuration.html
==
--- websites/production/cxf/content/docs/jaxrs-services-configuration.html 
(original)
+++ websites/production/cxf/content/docs/jaxrs-services-configuration.html Thu 
May 24 21:47:50 2012
@@ -637,6 +637,23 @@ By default, the endpoint address is "/".
 
 In the above example, org.apache.cxf.systest.jaxrs.BookApplication is 
expected to have setName and setId setters, with a single primitive or List 
parameter type. 
 
+Note that having the web-app_2_3.dtd DTD referenced from web.xml 
will likely prevent 'param-value' containing spaces and make it difficult to 
specify multiple providers like this:
+
+
+ <init-param>
+  <param-name>jaxrs.providers</param-name>
+  <param-value>
+mypackage.Provider1 
+mypackage.Provider2  
+  </param-value>
+ </init-param>
+ <load-on-startup>1</load-on-startup>
+</servlet>
+
+
+
+In such cases consider moving to the web-app 2.5 schema or extending 
CXFNonSpringJaxrsProviders or introducing an Application.  
+
 Attaching
 JAXRS endpoints to an existing Jetty server
 
 Here is a code fragment showing how it can be done with the help of 
CxfNonSpringJaxrsServlet :
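Review bot: The added snippet is not a well-formed fragment: it opens at "<init-param>" and ends with "</servlet>" with no opening "<servlet>" element, so it cannot be pasted as shown. Either start it at "<servlet>" with the servlet-name and servlet-class, or drop the load-on-startup and "</servlet>" lines. The closing sentence suggests extending "CXFNonSpringJaxrsProviders", while the context line right after the hunk names the class "CxfNonSpringJaxrsServlet"; please confirm the intended class name and casing. "will likely prevent" is also vague: say what actually happens with the 2.3 DTD (validation error, or the value being rejected) so readers can recognise the failure.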




svn commit: r819759 - in /websites/production/cxf/content: cache/main.pageCache dosgi-presentations-and-articles.html

2012-05-31 Thread buildbot
Author: buildbot
Date: Thu May 31 14:47:55 2012
New Revision: 819759

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/dosgi-presentations-and-articles.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/dosgi-presentations-and-articles.html
==
--- websites/production/cxf/content/dosgi-presentations-and-articles.html 
(original)
+++ websites/production/cxf/content/dosgi-presentations-and-articles.html Thu 
May 31 14:47:55 2012
@@ -146,6 +146,9 @@ Apache CXF -- DOSGi Presentations and Ar
 Documents and 
blog articles
 
 Distributed OSGi - a simple example: http://coderthoughts.blogspot.com/2009/02/distributed-osgi-simple-example.html";
 
rel="nofollow">http://coderthoughts.blogspot.com/2009/02/distributed-osgi-simple-example.htmlA
 Distributed OSGi Powered AJAX WebApp: http://coderthoughts.blogspot.com/2009/02/distributed-osgi-powered-ajax-webapp.html";
 
rel="nofollow">http://coderthoughts.blogspot.com/2009/02/distributed-osgi-powered-ajax-webapp.htmlIntroducing
 Dynamic Discovery into OSGi Distributed Applications: http://blog.akquinet.de/2009/09/23/introducing-dynamic-discovery-into-osgi-distributed-applications/";
 
rel="nofollow">http://blog.akquinet.de/2009/09/23/introducing-dynamic-discovery-into-osgi-distributed-applications/Develop
 and Deploy Web Services as OSGi Bundles (IBM dev works): http://www.ibm.com/developerworks/webservices/library/ws-OSGi/index.html"; 
rel="nofollow">http://www.ibm.com/developerworks/webservices/library/ws-OSGi/index.html
+
+
+Eclipse RCP/RAP and Remoting with JAX-RS, Spring Data JPA and CXF 
DOSGi (Angelo Zerr): http://angelozerr.wordpress.com/about/eclipse_spring/eclipse_spring_dosgi/";
 
rel="nofollow">http://angelozerr.wordpress.com/about/eclipse_spring/eclipse_spring_dosgi/
 






svn commit: r820261 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html

2012-06-04 Thread buildbot
Author: buildbot
Date: Mon Jun  4 19:48:17 2012
New Revision: 820261

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-configuration.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Mon Jun  4 
19:48:17 2012
@@ -151,11 +151,11 @@ Apache CXF -- Fediz Configuration
 <audienceUris>
 <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
 </audienceUris>
-<certificateStore>
+<certificateStores>
 <trustManager>
 <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" 
/>
 </trustManager>
-</certificateStore>
+</certificateStores>
 <trustedIssuers>
 <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
 </trustedIssuers>
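Review bot: The issuer context line in this hunk keeps subject=".*CN=www.sts.com.*" together with certificateValidation="ChainTrust", and in that mode the subject pattern is the only thing that distinguishes the IDP's certificate from any other certificate issued by a CA in the store. As written the dots are unescaped and the pattern is open at both ends, so it also matches subjects that merely contain a similar string, for example a longer common name that starts with www.sts.com. Since this is the minimum example people will copy, suggest escaping the dots and anchoring the CN component to its full value. Separately, the rename to certificateStores breaks existing configuration files; the page should say whether the old element name is still accepted.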
@@ -175,7 +175,7 @@ Finally, the audience URI is validated a
 Configuration 
reference
 
 
-XML element Name Use Description audienceUris  Audience URI  Required  The values of the list of audience URIs are verified 
against the element AudienceRestriction in the SAML token 
 
certificateStore  Trusted 
certificate store  
Required  The list of 
keystores (JKS, PEM) includ
 es at least the certificate of the Certificate Authorities (CA) which signed 
the certificate which is used to sign the SAML token.
+XML element Name Use Description audienceUris  Audience URI  Required  The values of the list of audience URIs are verified 
against the element AudienceRestriction in the SAML token 
 
certificateStores  
Trusted certificate store  Required  The list of keystores (JKS, PEM) inclu
 des at least the certificate of the Certificate Authorities (CA) which signed 
the certificate which is used to sign the SAML token.
 If the file location is not fully qualified it's relative to the Container 
home directory  
trustedIssuers  Trusted 
Issuers  Required 
 There are two ways to 
configure a trusted issuer (IDP). Either you configure the subject name and the 
CA(s) who signed the certificate of the IDP 
(certificateValidation=ChainTrust) or you configure the certificate of 
the IDP and the CA(s) who signed it 
(certificateValidation=PeerTrust) maximumClockSkew  Maximum Clock Skew  Optional  Maximum allowable time difference between the system
  clocks of the IDP and RP.
 Default 5 seconds. 
 
@@ -216,9 +216,9 @@ The WS-Federation standard defines a lis
 <audienceUris>
 <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
 </audienceUris>
-<certificateStore>
-<keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" 
password="stsspass" type="file" />
-</certificateStore>
+<certificateStores>
+<keyStore file="conf/stsstore.jks" password="stsspass" type="file" />
+</certificateStores>
 <maximumClockSkew>10</maximumClockSkew>
 <trustedIssuers>
 <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
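Review bot: After this change the advanced example places keyStore directly under certificateStores with type="file", while the minimum example in the first hunk of the same commit wraps keyStore in a trustManager element and uses type="JKS". Only one of these can match the schema, and the reference table speaks of "keystores (JKS, PEM)" without listing "file" as a type. Please align the two examples and list the accepted values of the type attribute in the table, since a trust store that fails to load or is silently ignored changes which signers are trusted.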




svn commit: r820382 - in /websites/production/cxf/content: cache/main.pageCache fediz.html

2012-06-05 Thread buildbot
Author: buildbot
Date: Tue Jun  5 19:48:02 2012
New Revision: 820382

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Tue Jun  5 19:48:02 2012
@@ -140,13 +140,12 @@ Apache CXF -- Fediz
 
 Overview
 
-Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web 
applications and delegates security enforcement to the underlying application 
server. Authentication is externalized from your web application to an identity 
provider which is a dedicated server component. The supported standard is 
WS-Federation 1.2 Passive Requestor Profile. Fediz supports Claims based Access 
control beyond Role Based Access Control (RBAC).
+Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web 
applications and delegates security enforcement to the underlying application 
server. With Fediz, authentication is externalized from your web application to 
an identity provider installed as a dedicated server component. The supported 
standard is http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
 rel="nofollow">WS-Federation 1.2 Passive Requestor Profile. Fediz supports 
http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims 
Based Access Control beyond Role Based Access Control (RBAC).
 
 
 News
 
 
-
 Features
 
 The following features are supported by the Fediz plugin 1.0
@@ -161,13 +160,13 @@ Apache CXF -- Fediz
 
 Getting started
 
-The WS-Federation specification defines the following parties involved 
during the web login:
+The WS-Federation specification defines the following parties involved 
during a web login:
 BrowserIdentity Provider (IDP)
-The IDP is a centralized, application independent runtime component which 
implements the protocol defined by WS-Federation. You can use any open source 
or commercial product as your IDP which supports WS-Federation 1.1/1.2. It's 
recommended to use the Fediz IDP for testing as it allows to test your web 
application in a sandbox without having all infrastructure components 
available. The Fediz IDP consists of two WAR components. The Security Token 
Service (STS) is doing most of the part like authenticating the user, retrieve 
claims/role data and create the SAML token. The IDP WAR translates the response 
to a HTML response thus a browser can process it.Relying Party (RP)
-The RP is the web application which should be protected. The RP must be able 
to implement the protocol as defined by WS-Federation. This component is called 
"Fediz Plugin" in this project which consists of container agnostic module/jar 
and a container specific jar. When an authenticated request is detected by the 
plugin it redirects to the IDP or authentication. The browser sends the 
response from IDP to the RP after successful authentication. The RP validates 
the response and creates the container security context.
+The IDP is a centralized, application independent runtime component which 
implements the protocol defined by WS-Federation. You can use any open source 
or commercial product that supports WS-Federation 1.1/1.2 as your IDP. It's 
recommended to use the Fediz IDP for testing as it allows for testing your web 
application in a sandbox without having all infrastructure components 
available. The Fediz IDP consists of two WAR components. The Security Token 
Service (STS) does most of the work including user authentication, claims/role 
data retrieval and creating the SAML token. The IDP WAR translates the response 
to an HTML response allowing a browser to process it.Relying Party 
(RP)
+The RP is a web application that needs to be protected. The RP must be able to 
implement the protocol as defined by WS-Federation. This component is called 
"Fediz Plugin" in this project which consists of container agnostic module/jar 
and a container specific jar. When an authenticated request is detected by the 
plugin it redirects to the IDP for authentication. The browser sends the 
response from the IDP to the RP after successful authentication. The RP 
validates the response and creates the container security context.
 
 
-It's recommended to deploy the IDP and the web application (RP) into 
different container instances as in a production deployment. The container with 
the IDP can be used during development and testing for any web application.
+It's recommended to deploy the IDP and the web application
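Review bot: In the rewritten Relying Party paragraph, "When an authenticated request is detected by the plugin it redirects to the IDP for authentication" still says the opposite of what is meant. The redirect happens for an unauthenticated request; an authenticated one is passed through to the application. The change already fixes "or authentication" to "for authentication" in this sentence, so "authenticated" should become "unauthenticated" in the same edit.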

svn commit: r820387 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html fediz-idp.html fediz-tomcat.html

2012-06-05 Thread buildbot
Author: buildbot
Date: Tue Jun  5 20:48:00 2012
New Revision: 820387

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-configuration.html
websites/production/cxf/content/fediz-idp.html
websites/production/cxf/content/fediz-tomcat.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Tue Jun  5 
20:48:00 2012
@@ -139,10 +139,10 @@ Apache CXF -- Fediz Configuration
 https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
height="16" width="16" alt="" border="0"> Under construction
 
 Fediz Plugin 
configuration
-This page describes the Fediz configuration file which is referenced by the 
security interceptor (eg. authenticator in Tomcat/Jetty).
+This page describes the Fediz configuration file referenced by the security 
interceptor (eg. authenticator in Tomcat/Jetty).
 
 Example
-The following example describes the minimum configuration for Fediz.
+The following example shows the minimum configuration for Fediz.
 
 
 <?xml version="1.0" 
encoding="UTF-8" standalone="yes"?>
@@ -167,8 +167,9 @@ Apache CXF -- Fediz Configuration
 
 
 
-The element protocol defines that you use the WS-Federation protocol. The 
issuer says to which URL authenticated requests will be redirected with the 
SignIn request.
-The IDP issues a SAML token which must be validated by the plugin. The 
validation requires the certificate store of the Certificate Authority(ies) of 
the certificate which signed the SAML token. This is defined in 
certificateStore. The signing certificate itself is not required 
because certificateValidation is set to ChainTrust. The 
subject defines the trusted signing certificate using the subject as a 
regular expression.
+The protocol element declares that the WS-Federation protocol is being 
used. The issuer element shows the URL to which authenticated requests will be 
redirected with a SignIn request.  
+
+The IDP issues a SAML token which must be validated by the plugin. The 
validation requires the certificate store of the Certificate Authority(ies) of 
the certificate which signed the SAML token. This is defined in 
certificateStore. The signing certificate itself is not required 
because certificateValidation is set to ChainTrust. The 
subject defines the trusted signing certificate using the subject as a 
regular expression.
 Finally, the audience URI is validated against the audience restriction in the 
SAML token.
 
 
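Review bot: The reworded paragraph still says the CA certificate store "is defined in certificateStore", but the element was renamed to certificateStores in r820261 and the reference table in the next hunk already uses the new name. A reader following the prose will write an element the plugin no longer reads. The first added sentence also keeps "the URL to which authenticated requests will be redirected with a SignIn request"; it is unauthenticated requests that are redirected to the issuer.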
@@ -176,7 +177,7 @@ Finally, the audience URI is validated a
 
 
 XML element Name Use Description audienceUris  Audience URI  Required  The values of the list of audience URIs are verified 
against the element AudienceRestriction in the SAML token 
 
certificateStores  
Trusted certificate store  Required  The list of keystores (JKS, PEM) inclu
 des at least the certificate of the Certificate Authorities (CA) which signed 
the certificate which is used to sign the SAML token.
-If the file location is not fully qualified it's relative to the Container 
home directory  
trustedIssuers  Trusted 
Issuers  Required 
 There are two ways to 
configure a trusted issuer (IDP). Either you configure the subject name and the 
CA(s) who signed the certificate of the IDP 
(certificateValidation=ChainTrust) or you configure the certificate of 
the IDP and the CA(s) who signed it 
(certificateValidation=PeerTrust) maximumClockSkew  Maximum Clock Skew  Optional  Maximum allowable time difference between the system
  clocks of the IDP and RP.
+If the file location is not fully qualified it needs to be relative to the 
Container home directory  trustedIssuers  Trusted Issuers  Required  There are two ways to configure a trusted issuer (IDP). 
Either you configure the subject name and the CA(s) who signed the certificate 
of the IDP (certificateValidation=ChainTrust) or you configure the 
certificate of the IDP and the CA(s) who signed it 
(certificateValidation=PeerTrust) maximumClockSkew  Maximum Clock Skew  Optional  Maximum allowable time difference between 
 the system clocks of the IDP and RP.
 Default 5 seconds. 
 
 
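Review bot: In the certificateStores row, the new wording "If the file location is not fully qualified it needs to be relative to the Container home directory" reads as a requirement on the administrator, where the old text described how the path is resolved. Because this path decides which trust store is loaded for SAML signature validation, say it as behaviour, for example "a location that is not fully qualified is resolved relative to the Container home directory".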
@@ -200,13 +201,13 @@ The WS-Federation standard defines a lis
 authenticationTypehomeRealmissuer
 
 
-These configuration elements provides to configure a CallbackHandler which 
gets a Callback object where the appropriate value must be set. The 
CallbackHandler implementation has access to the HttpServletRequest. The XML 
attribute type must be set to Class.
+The

svn commit: r820492 - in /websites/production/cxf/content: cache/main.pageCache fediz.html

2012-06-06 Thread buildbot
Author: buildbot
Date: Wed Jun  6 14:48:05 2012
New Revision: 820492

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Wed Jun  6 14:48:05 2012
@@ -187,12 +187,12 @@ The RP is a web application that needs t
 
 Samples
 
-The examples directory contains two sample projects:
+The examples directory contains two sample relying party applications.  
They are independent of each other, so it is not necessary to deploy both at 
once.
 
 Each sample is described in the README.txt
 
 
- Sample  Description  simpleWebapp  a simple web application which is protected by the Fediz 
IDP. The FederationServlet illustrates how to get security information using 
the standard APIs.  wsclientWebapp  a protected web application which calls a web service 
protected by the Fediz STS. The FederationServlet illustrates how to securely 
call a web service. 
+ Sample  Description  simpleWebapp  a simple web application which is protected by the Fediz 
IDP. The FederationServlet illustrates how to get security information using 
the standard APIs.  wsclientWebapp  a protected web application that calls a web service that 
uses the Fediz STS to validate credentials. Here, the same STS is used for 
token issuance (indirectly, by the web application through use of the Fediz 
IDP) and validation.  The FederationServlet illustrates how to securely call a 
web service. 
 
 
 
@@ -208,7 +208,7 @@ git://git.apache.org/cxf-fediz.git<
 
 Building with Maven
 
-You build the run the tests using the following command:
+To build and run the tests use the following command:
 
 
 mvn clean install




svn commit: r820500 [2/2] - in /websites/production/cxf/content: apache-cxf-2311-release-notes.html cache/main.pageCache cxf-248-release-notes.html cxf-254-release-notes.html cxf-261-release-notes.htm

2012-06-06 Thread buildbot
Modified: websites/production/cxf/content/download.html
==
--- websites/production/cxf/content/download.html (original)
+++ websites/production/cxf/content/download.html Wed Jun  6 15:48:28 2012
@@ -139,40 +139,42 @@ Apache CXF -- Download
 Releases
 
 
-2.6.0
-The 2.6.0 release is our latest release. For more information please see 
the http://cxf.apache.org/docs/26-migration-guide.html";>migration 
guide.
+2.6.1
+The 2.6.1 release is our latest release. For more information please see 
the  release notes and the http://cxf.apache.org/docs/26-migration-guide.html";>migration 
guide.
 
 
-DescriptionFileMD5SHA1PGPSource distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.0/apache-cxf-2.6.0-src.tar.gz";>apache-cxf-2.6.0-src.tar.gzhttp://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.tar.gz.md5";>apache-cxf-2.6.0-src.tar.gz.md5http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.tar.g
 z.sha1">apache-cxf-2.6.0-src.tar.gz.sha1http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.tar.gz.asc";>apache-cxf-2.6.0-src.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.0/apache-cxf-2.6.0-src.zip";>apache-cxf-2.6.0-src.ziphttp://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.zip.md5";>apache-cxf-2.6.0-src.zip.md5http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.zip.sha1";>apache-cxf-2.6.0-src.zip.sha1http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0-src.zip.asc";>apache-cxf-2.6.0-src.zip.ascBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.0/apache-cxf-2.6.0.tar.gz";>apache-cxf-2.6.0.tar.gzhttp://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.tar.gz.md5";>apache-cxf-2.6.0.tar.gz.md5http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.tar.gz.sha1";>apache-cxf-2.6.0.tar.gz.sha1http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.tar.gz.asc";>apache-cxf-2.6.0.tar.gz
 .asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.0/apache-cxf-2.6.0.zip";>apache-cxf-2.6.0.ziphttp://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.zip.md5";>apache-cxf-2.6.0.zip.md5http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.zip.sha1";>apache-cxf-2.6.0.zip.sha1http://www.apache.org/dist/cxf/2.6.0/apache-cxf-2.6.0.zip.asc";>apache-cxf-2.6.0.zip.asc
+DescriptionFileMD5SHA1PGPSource distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.1/apache-cxf-2.6.1-src.tar.gz";>apache-cxf-2.6.1-src.tar.gzhttp://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.tar.gz.md5";>apache-cxf-2.6.1-src.tar.gz.md5http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.tar.g
 z.sha1">apache-cxf-2.6.1-src.tar.gz.sha1http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.tar.gz.asc";>apache-cxf-2.6.1-src.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.1/apache-cxf-2.6.1-src.zip";>apache-cxf-2.6.1-src.ziphttp://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.zip.md5";>apache-cxf-2.6.1-src.zip.md5http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.zip.sha1";>apache-cxf-2.6.1-src.zip.sha1http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1-src.zip.asc";>apache-cxf-2.6.1-src.zip.ascBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.1/apache-cxf-2.6.1.tar.gz";>apache-cxf-2.6.1.tar.gzhttp://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.tar.gz.md5";>apache-cxf-2.6.1.tar.gz.md5http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.tar.gz.sha1";>apache-cxf-2.6.1.tar.gz.sha1http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.tar.gz.asc";>apache-cxf-2.6.1.tar.gz
 .asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.6.1/apache-cxf-2.6.1.zip";>apache-cxf-2.6.1.ziphttp://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.zip.md5";>apache-cxf-2.6.1.zip.md5http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.zip.sha1";>apache-cxf-2.6.1.zip.sha1http://www.apache.org/dist/cxf/2.6.1/apache-cxf-2.6.1.zip.asc";>apache-cxf-2.6.1.zip.asc
 
 
 
 
 
-2.5.3
-The 2.5.3 release is our latest patch release for 2.5.x. For more 
information please see the  release notes and the http://cxf.apache.org/docs/25-migration-guide.html";>migration 
guide.
+2.5.4
+The 2.5.4 release is our latest patch release for 2.5.x. For more 
information please see the  release notes and the http://cxf.apache.org/docs/25-migration-guide.html";>migration 
guide.
 
 
-DescriptionFileMD5SHA1PGPSource distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.5.3/apache-cxf-2.5.3-src.tar.gz";>apache-cxf-2.5.3-src.tar.gzhttp://www.apache.org/dist/cxf/2.5.3/apache-cxf-2.5.3-src.tar.gz.md5";>apache-cxf-2.5.3-src.tar.gz.md5http://www.apache.org/dist/cxf/2.5.3/apache-cxf-2.5.3-src.tar.g
 z.sha1">apache-cxf-2.5.3-src.tar.gz.sha1http://www.apache.org/dist/cxf/2.5.3/apache-cxf-2.5.3-src.tar.gz.asc";>apache-cxf-2.5.3-src.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.5.3/apache-cxf-2.5.3-src.zip";>apache-cxf-2.5.3-src.ziphttp://www.apache.org/dist/cxf/2.5.3/apache-cxf-2.5.3-src.zip.md5";>apache-cxf-2.5.3-src.zip.
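Review bot: The MD5, SHA1 and PGP links in the new 2.6.1 table still point at http://www.apache.org/dist/..., so the checksum and signature files a user fetches to verify the release travel over plain HTTP, while the artifact itself comes through the closer.cgi mirror selector. Link the .md5, .sha1 and .asc files over https so the verification data cannot be altered in transit along with the download.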

svn commit: r820510 - in /websites/production/cxf/content: cache/main.pageCache fediz.html

2012-06-06 Thread buildbot
Author: buildbot
Date: Wed Jun  6 16:48:17 2012
New Revision: 820510

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Wed Jun  6 16:48:17 2012
@@ -200,9 +200,8 @@ The RP is a web application that needs t
 
 Check out the code from here:
 svn
-http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunkgit
-git://git.apache.org/cxf-fediz.git
-
+svn co http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunkgit
+git clone -v git://git.apache.org/cxf-fediz.git
 
 
 
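Review bot: Both checkout commands added here fetch the source over unauthenticated transports: "svn co http://svn.apache.org/repos/asf/cxf/fediz/trunk" and "git clone -v git://git.apache.org/cxf-fediz.git". Neither plain http nor the git:// protocol gives the client an integrity or server-identity check, so prefer an https URL where the host offers one, since this is the code readers are told to check out for a security component.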




svn commit: r820533 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html fediz-tomcat.html fediz.html

2012-06-06 Thread buildbot
Author: buildbot
Date: Wed Jun  6 18:48:42 2012
New Revision: 820533

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html
websites/production/cxf/content/fediz-tomcat.html
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Wed Jun  6 18:48:42 2012
@@ -136,9 +136,7 @@ Apache CXF -- Fediz IDP
  


-https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
height="16" width="16" alt="" border="0"> Under construction
-
-Fediz IDP
+Fediz IDP
 
 The Fediz Identity Provider (IDP) consists of two WAR files. One is the 
Security Token Service (STS) component which is responsible for validating 
credentials, getting the requested claims data and issuing a SAML token. There 
is no easy way for Web browsers to issue SOAP requests to the STS directly, 
necessitating the second component, an IDP WAR which allows browser-based 
applications to interact with the STS. The communication between the browser 
and the IDP must be performed within the confines of the base HTTP 1.1 
functionality and conform as closely as possible to the WS-Trust protocols 
semantic.
 
@@ -171,6 +169,11 @@ Apache CXF -- Fediz IDP
 
 Deploy the WAR files to your Tomcat installation 
(<catalina.home>/webapps) and ensure that Tomcat is started thus the WAR 
files get deployed.
 
+A Relying Party application trusts the IDP/STS component that the IDP 
authenticated the browser user. The trust is established based on the 
certificate/private key used by the STS to sign the SAML token. The signing 
certificate is located in 
webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this 
keystore to a location where the Relying Party can reference it in its Fediz 
Configuration in the element certificateStores.
+
+This keystore contains the private key as well. In a production 
environment, you must not deploy the private key of the STS to the Relying 
Party
+
+
 Configuration
 
 You can manage the users, their claims and the claims per application in 
the IDP.
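Review bot: The two added paragraphs give conflicting instructions: the first says "You must copy this keystore to a location where the Relying Party can reference it", the second says the same keystore contains the private key and must not be deployed to the Relying Party in production. The text never says what to do instead. Add the missing step, which is to export only the STS signing certificate into a separate trust store (for example with keytool) and to point certificateStores at that file, and close the last sentence with a full stop.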

Modified: websites/production/cxf/content/fediz-tomcat.html
==
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Wed Jun  6 18:48:42 2012
@@ -154,9 +154,9 @@ add the previously created directory to 
 
 Configuration
 
-The Fediz related configuration is Container independent and described here.
+The Fediz related configuration is done in a Servlet Container independent 
configuration file which is described here.
 
-The Fediz plugin requires configuring the FederationAuthenticator like any 
other Valve in Tomcat which is described here http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here.
+The Fediz plugin requires configuring the FederationAuthenticator like any 
other Valve in Tomcat. Detailed information about the Tomcat Valve concept is 
available http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html";>here.
 
 A valve can be configured on different levels like Host or 
Context. The Fediz configuration file allows to configure all servlet 
contexts in one file or choosing one file per Servlet Context. If you choose to 
have one Fediz configuration file per Servlet Context then you must configure 
the FederationAuthenticator on the Context level otherwise on the 
Host level in the Tomcat configuration file server.xml
 

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Wed Jun  6 18:48:42 2012
@@ -174,7 +174,7 @@ The RP is a web application that needs t
 
 Set up the 
Relying Party Container
 
-The Fediz plugin needs to be deployed into the Relying Party (RP) 
container. The security mechanism is not specified by JEE. Even though it is 
very similar in each servlet container there are some differences which require 
a dedicated Fediz plugin for each servlet container implementation. Most of the 
configuration is container independent and described here
+The Fediz plugin needs to be deployed into the Relying Party (RP) 
container. The security mechanism is not specified by JEE. Even though it is 
very similar in each servlet container there are some differences which require 
a dedicated Fediz plugin

svn commit: r820540 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html fediz-extensions.html fediz-idp.html fediz-tomcat.html

2012-06-06 Thread buildbot
Author: buildbot
Date: Wed Jun  6 19:48:37 2012
New Revision: 820540

Log:
Production update by buildbot for cxf

Added:
websites/production/cxf/content/fediz-extensions.html
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-configuration.html
websites/production/cxf/content/fediz-idp.html
websites/production/cxf/content/fediz-tomcat.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Wed Jun  6 
19:48:37 2012
@@ -136,9 +136,7 @@ Apache CXF -- Fediz Configuration
  


-https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
height="16" width="16" alt="" border="0"> Under construction
-
-Fediz Plugin 
configuration
+Fediz Plugin 
configuration
 This page describes the Fediz configuration file referenced by the security 
interceptor (eg. authenticator in Tomcat/Jetty).
 
 Example
@@ -188,13 +186,16 @@ Default 5 seconds. 
 XML element Name Use Description issuer  Issuer URL  Required This URL defines the location of the IDP to whom 
unauthenticated requests are redirected  realm  Realm  Optional  Security realm of the Relying Party / Application. This 
value is part of the SignIn request as the wtrealm
  parameter.
 Default: URL including the Servlet Context  authenticationType  Authentication Type  Optional  The authentication type defines what kind of 
authentication is required. This information is provided in the SignInRequest 
to the IDP (parameter wauth)
-The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here. roleURI  Role Claim URI  Optional  Defines the attribute name of the SAML token which 
contains the roles  roleDelimiter  Role Value Delimiter  Optional  There are different ways to encode multi value attributes 
in SAML.
+The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here. roleURI  Role Claim URI  Optional  Defines the attribute name of the SAML token which 
contains the roles.
+Required for Role Based Access Control.  roleDelimiter  Role Value Delimiter  Optional  There are different ways to encode multi value attributes 
in SAML.
 Single attribute with multiple valuesSeveral attributes with 
the same name but only one valueSingle attribute with single value. 
Roles are delimited by roleDelimiter
- 
claimTypesRequested  
Requested claims  
Optional  The claims 
required by the Relying Party are listed here. Claims can be optional. If a 
mandatory claim can't be provided by the IDP the issuance of the token should 
fail  homeRealm 
 Home Realm  Optional  Indicates the Resource IDP the home realm of 
the requestor. This may be an URL or an identifier like urn: or uuid: and 
depends on the Resource IDP implementation. This value is part of the SignIn 
request as the whr parameter 
+ 
claimTypesRequested  
Requested claims  
Optional  The claims 
required by the Relying Party are listed here. Claims can be optional. If a 
mandatory claim can't be provided by the IDP the issuance of the token should 
fail  homeRealm 
 Home Realm  Optional  Indicates the Resource IDP the home realm of 
the requestor. This may be an URL or an identifier like urn: or uuid: and 
depends on the Resource IDP implementation. This value is part of the SignIn 
request as the whr parameter  tokenValidators  TokenValidators  Optional  Custom Token validator classes can be configured here. 
The SAML Token validator is enabled by default.
+See example http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java";>here
 
 
 
 
+
 Attributes resolved 
at runtime
 
 The following attributes can be either configured statically at deployment 
time or dynamically when the initial request is received:
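Review bot: The new tokenValidators row says "Custom Token validator classes can be configured here. The SAML Token validator is enabled by default." but not whether a configured class is added alongside the default SAML validator or replaces it, nor in which order validators are tried. That decides whether a permissive custom class can accept a token the SAML validator would reject, so state it in the Description cell. The same hunk adds "Required for Role Based Access Control." to roleURI while its Use column still reads Optional, and the example link targets a class under src/test, which should be labelled as test code.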
@@ -233,6 +234,9 @@ The WS-Federation standard defines a lis
 </claimTypesRequested>
 <authenticationType type="String" value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard";
 />
 <homeRealm type="Class" value="example.HomeRealmCallbackHandler" />
+<tokenValidators>
+<validator>org.apache.cxf.fediz.core.CustomVa

svn commit: r820545 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html fediz-tomcat.html fediz.html

2012-06-06 Thread buildbot
Author: buildbot
Date: Wed Jun  6 20:48:20 2012
New Revision: 820545

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html
websites/production/cxf/content/fediz-tomcat.html
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Wed Jun  6 20:48:20 2012
@@ -138,7 +138,7 @@ Apache CXF -- Fediz IDP

 Fediz IDP
 
-The Fediz Identity Provider (IDP) consists of two WAR files. One is the 
Security Token Service (STS) component which is responsible for validating 
credentials, getting the requested claims data and issuing a SAML token. There 
is no easy way for Web browsers to issue SOAP requests to the STS directly, 
necessitating the second component, an IDP WAR which allows browser-based 
applications to interact with the STS. The communication between the browser 
and the IDP must be performed within the confines of the base HTTP 1.1 
functionality and conform as closely as possible to the WS-Trust protocols 
semantic.
+The Fediz Identity Provider (IDP) consists of two WAR files. One is the 
Security Token Service (STS) component, fedizidpsts.war, which is responsible 
for validating credentials, getting the requested claims data and issuing a 
SAML token. There is no easy way for Web browsers to issue SOAP requests to the 
STS directly, necessitating the second component, an IDP WAR (fedizidp.war) 
which allows browser-based applications to interact with the STS. The 
communication between the browser and the IDP must be performed within the 
confines of the base HTTP 1.1 functionality and conform as closely as possible 
to the WS-Trust protocols semantic.
 
 The Fediz STS is based on a customized CXF STS configured to support 
standard Federation use cases demonstrated by the examples.
 

Modified: websites/production/cxf/content/fediz-tomcat.html
==
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Wed Jun  6 20:48:20 2012
@@ -178,7 +178,7 @@ add the previously created directory to 
 
 
 
-Fediz 
configuration
+Fediz 
Plugin configuration for Your Web Application
 
 The Fediz related configuration is done in a Servlet Container independent 
configuration file which is described here.
 

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Wed Jun  6 20:48:20 2012
@@ -183,7 +183,7 @@ The RP is a web application that needs t
 
 Distribution
 
-tbd
+For the moment, you'll need to check out the Fediz source and build them 
following the instructions in "Building" below.  Once built, the deployable 
WARs will be located in the fediz-idp and fediz-idp-sts "target" folders 
(fedizidp.war and fedizidpsts.war).
 
 Samples
 




svn commit: r820876 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html

2012-06-08 Thread buildbot
Author: buildbot
Date: Fri Jun  8 20:47:47 2012
New Revision: 820876

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Fri Jun  8 20:47:47 2012
@@ -146,7 +146,7 @@ Apache CXF -- Fediz IDP
 
 The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to 
work with any commercial JEE application server.
 
-Deploy the WAR files to your Tomcat installation 
(<catalina.home>/webapps).
+Deploy the WAR files to your Tomcat installation 
(<catalina.home>/webapps).  Once done, you should be able to see the 
Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdl"; 
rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl, assuming 
you're using port 9080 as listed below.
 
 A Relying Party application trusts the IDP/STS component that the IDP 
authenticated the browser user. The trust is established based on the 
certificate/private key used by the STS to sign the SAML token. The signing 
certificate is located in 
webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this 
keystore to a location where the Relying Party can reference it in its Fediz 
Configuration in the element certificateStores.
 
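Review bot: The added WSDL URL uses the context path fedizidpsts (http://localhost:9080/fedizidpsts/STSService?wsdl), but the unchanged paragraph directly below still locates the keystore in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. Only one of the two can match the deployed directory name, so update the keystore path in the same change; otherwise readers will look for stsstore.jks in a folder that does not exist. "as listed below" should also name the section that lists the ports.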
@@ -159,7 +159,8 @@ Apache CXF -- Fediz IDP
 
 HTTPS 
configuration
 
-It's recommended to set up a dedicated (separate) Tomcat instance for the 
IDP. The Fediz examples use the following TCP ports to interact with the 
IDP/STS:
+It's recommended to set up a dedicated (separate) Tomcat instance for the 
IDP.   Using one deployment of Tomcat with multiple CATALINA_BASE instances, as 
described http://www.shaunabram.com/multiple-tomcat-instances/"; 
rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib 
folder will be shared throughout each of the activated CATALINA_BASE instances. 
 Another probably simpler alternative is to copy your Tomcat folder into a 
second location and edit its conf/server.xml file and change http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html";
 rel="nofollow">these port values so they don't conflict with the original 
Tomcat installation.  The Fediz examples use the following TCP ports to 
interact with the IDP/STS:
+
 HTTP port: 9080 (used for Maven deployment, mvn 
tomcat:redeploy)HTTPS port: 9443 (where IDP and STS are 
accessed)
 
 
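Review bot: "change these port values" leaves the actual instruction in a third-party blog post: the page never says which entries in conf/server.xml have to differ between the two Tomcat copies, and both new links point at external sites that can move or disappear. List the ports to change inline and keep the links as further reading. The remark that libs in $CATALINA_HOME/lib are shared across CATALINA_BASE instances also deserves its own sentence saying what that means for an IDP that the same paragraph recommends running in a dedicated instance.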
@@ -180,6 +181,25 @@ Apache CXF -- Fediz IDP
 
 Production: It's highly recommended to deploy certificates signed by a 
Certificate Authority
 
+To start and stop this second Tomcat instance, it is perhaps easiest to 
create small startup.sh and shutdown.sh scripts that temporarily redefine 
$CATALINA_HOME from the first to the second instance, for example:
+
+
+
+CATALINA_HOME=/path/to/second/tomcat
+$CATALINA_HOME/bin/startup.sh
+
+
+
+and
+
+
+
+CATALINA_HOME=/path/to/second/tomcat
+$CATALINA_HOME/bin/shutdown.sh
+
+
+
+If you're using the one Tomcat with multiple instance option, it's 
$CATALINA_BASE that will need to be redefined.
 
 User and password
 
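Review bot: Both script snippets set the variable with a plain assignment (CATALINA_HOME=/path/to/second/tomcat) and then run $CATALINA_HOME/bin/startup.sh or shutdown.sh as a child process. A plain assignment reaches the child only if the variable is already exported in the calling shell, so the closing advice to redefine $CATALINA_BASE instead has no effect in a shell where CATALINA_BASE was never exported. Use "export CATALINA_HOME=..." in the examples and show the CATALINA_BASE variant explicitly. The paragraph is also inserted directly after the production certificate recommendation, where start and stop scripts are off topic.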




svn commit: r820884 - in /websites/production/cxf/content: cache/main.pageCache fediz.html

2012-06-08 Thread buildbot
Author: buildbot
Date: Fri Jun  8 21:47:46 2012
New Revision: 820884

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Fri Jun  8 21:47:46 2012
@@ -140,7 +140,7 @@ Apache CXF -- Fediz
 
 Overview
 
-Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web 
applications and delegates security enforcement to the underlying application 
server. With Fediz, authentication is externalized from your web application to 
an identity provider installed as a dedicated server component. The supported 
standard is http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
 rel="nofollow">WS-Federation 1.2 Passive Requestor Profile. Fediz supports 
http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims 
Based Access Control beyond Role Based Access Control (RBAC).
+Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web 
applications and delegates security enforcement to the underlying application 
server. With Fediz, authentication is externalized from your web application to 
an identity provider installed as a dedicated server component. The supported 
standard is http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
 rel="nofollow">WS-Federation Passive Requestor Profile. Fediz supports http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims 
Based Access Control beyond Role Based Access Control (RBAC).
 
 
 News
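Review bot: The link text loses its version ("WS-Federation Passive Requestor Profile") while the href still targets the 1.2 specification (ws-federation-1.2-spec-os.html#_Toc223175002). Either keep "1.2" in the link text or state in the sentence which protocol versions are supported, so the reader knows which revision of the profile the link documents.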
@@ -149,7 +149,7 @@ Apache CXF -- Fediz
 Features
 
 The following features are supported by the Fediz plugin 1.0
-WS-Federation 1.1/1.2SAML 1.1/2.0 TokensCustom token 
supportPublish WS-Federation Metadata documentRole 
information encoded as AttributeStatement in SAML 1.1/2.0 tokensClaims 
information provided by FederationPrincipal interface
+WS-Federation 1.0/1.1/1.2SAML 1.1/2.0 TokensCustom 
token supportPublish WS-Federation Metadata documentRole 
information encoded as AttributeStatement in SAML 1.1/2.0 tokensClaims 
information provided by FederationPrincipal interface
 
 
 The following features are planned for the next release:




svn commit: r821227 - in /websites/production/cxf/content: cache/main.pageCache fediz-architecture.html fediz.html

2012-06-11 Thread buildbot
Author: buildbot
Date: Mon Jun 11 07:48:52 2012
New Revision: 821227

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-architecture.html
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-architecture.html
==
--- websites/production/cxf/content/fediz-architecture.html (original)
+++ websites/production/cxf/content/fediz-architecture.html Mon Jun 11 07:48:52 
2012
@@ -142,7 +142,7 @@ The scope of Fediz is illustrated in the
 
 WS-Federation Design
 
-The following picture illustrates the main components of a Web Single Sign 
On (SSO) solution based on WS-Federation (Passive Requestor Profile). The Web 
Application is part of the Relying Party (RP) side whereas the Identity 
Provider (IDP/STS) is the central security server that is responsible to 
authenticate clients and issue security tokens based on the requirements by the 
RP.
+The following picture illustrates the main components of a Web Single Sign 
On (SSO) solution based on http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html";
 rel="nofollow">WS-Federation (http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
 rel="nofollow">Passive Requestor Profile). The Web Application is part of 
the Relying Party (RP) side whereas the Identity Provider (IDP/STS) is the 
central security server that is responsible to authenticate clients and issue 
security tokens based on the requirements by the RP.
 The IDP component leverages the STS capabilities to issue all sorts of 
security tokens.
 An browser first access the Web Application (RP) which redirects the browser 
to the IDP as the requestor is not authenticated. The IDP authenticates the 
user and requests a security token based on the requirements by the RP. The 
security token is "redirected" to the RP which validates the token and creates 
a session in the RP.
 
@@ -172,11 +172,11 @@ Fediz ships examples to illustrate how t
 
 
 
-The browser accesses the web application (1). It is then redirected to 
IDP/STS if no token or cookie is supplied in the request (2). This redirection 
process may require prompting the user (3) to authenticate himself (4). The 
IDP/STS issues a signed SAML 2.0 security token (WS-Federation doesn’t 
mandate SAML). The IDP "redirects" (5/6) the user to the application server 
including the SAML token. The application server verifies the signature of the 
SAML token. There is a trust relationship between the application server and 
the IDP/STS which doesn't require network connectivity between the application 
server and the IDP/STS (Cloud!). After successful validation, a session is 
created and the corresponding cookie is set on the browser (7). Finally, the 
request is dispatched to the application.
+The browser accesses the web application (1). It is then redirected to 
IDP/STS if no token or cookie is supplied in the request (2). This redirection 
process may require prompting the user (3) to authenticate himself (4). The 
IDP/STS issues a signed SAML 2.0 security token (WS-Federation doesn’t 
mandate http://saml.xml.org/saml-specifications"; rel="nofollow">SAML). The 
IDP "redirects" (5/6) the user to the application server including the SAML 
token. The application server verifies the signature of the SAML token. There 
is a trust relationship between the application server and the IDP/STS which 
doesn't require network connectivity between the application server and the 
IDP/STS (Cloud!). After successful validation, a session is created and the 
corresponding cookie is set on the browser (7). Finally, the request is 
dispatched to the application.
 
 As an extension to the description above, step 2 might contain specific 
claims requested by the application such as role, username, full name, email 
address, sales organization, etc. which are gathered by the STS.
 
-Requirements of the Web Application are described in the WS-Federation 
Metadata document.
+Requirements of the Web Application are described in the http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174943";
 rel="nofollow">WS-Federation Metadata document.
 
 
 Components
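Review bot: The replacement paragraph carries the mis-encoded apostrophe over from the old text: "WS-Federation doesn’t mandate" should read "doesn't". Since the paragraph is rewritten anyway, also spell out what "(Cloud!)" is meant to convey: the application server verifies the SAML token signature locally on the basis of the trust relationship, so no network connection from the application server to the IDP/STS is needed.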
@@ -189,14 +189,15 @@ One service provider could require a SAM
 A web service consumer requests tokens from an STS if the service provider 
defines an IssuedToken assertion in its security policy. This policy can 
contain some additional information like the address of the STS, token type, 
claims, etc.
 
 Identity provi

svn commit: r821260 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-client-api.html

2012-06-11 Thread buildbot
Author: buildbot
Date: Mon Jun 11 12:47:57 2012
New Revision: 821260

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-client-api.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-client-api.html
==
--- websites/production/cxf/content/docs/jax-rs-client-api.html (original)
+++ websites/production/cxf/content/docs/jax-rs-client-api.html Mon Jun 11 
12:47:57 2012
@@ -548,7 +548,7 @@ WebClient wc = sf.createWebClient();
 
 In this example, 'http://localhost:8080' is the base service URI.
 
-Please see http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/jaxrs-https.xml";>this
 configuration file for more examples.
+Please see http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/jaxrs-https-client1.xml";>jaxrs-https-client1.xml
 and http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/jaxrs-https-client2.xml";>jaxrs-https-client2.xml
 configuration files for more examples.
 
 Also see this wiki page on how to configure 
HTTPConduits.
 
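Review bot: the replacement sentence now links jaxrs-https-client1.xml and jaxrs-https-client2.xml but does not say how the two differ, so a reader has to open both to find the relevant one. Add a short phrase per file describing what each configuration demonstrates.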




svn commit: r821512 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html fediz-metadata.html fediz-tomcat.html

2012-06-12 Thread buildbot
Author: buildbot
Date: Tue Jun 12 21:47:51 2012
New Revision: 821512

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-configuration.html
websites/production/cxf/content/fediz-metadata.html
websites/production/cxf/content/fediz-tomcat.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Tue Jun 12 
21:47:51 2012
@@ -186,13 +186,13 @@ Default 5 seconds. WS-Federation
 protocol configuration reference 
 
 
-XML element Name Use Description issuer  Issuer URL  Required This URL defines the location of the IDP to whom 
unauthenticated requests are redirected  realm  Realm  Optional  Security realm of the Relying Party / Application. This 
value is part of the SignIn request as the wtrealm
  parameter.
-Default: URL including the Servlet Context  authenticationType  Authentication Type  Optional  The authentication type defines what kind of 
authentication is required. This information is provided in the SignInRequest 
to the IDP (parameter wauth)
-The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here. roleURI  Role Claim URI  Optional  Defines the attribute name of the SAML token which 
contains the roles.
-Required for Role Based Access Control.  roleDelimiter  Role Value Delimiter  Optional  There are different ways to encode multi value attributes 
in SAML.
+XML element Name Use  
Metadata  
Description 
issuer  Issuer URL 
 Required  PassiveRequestorEndpoint This URL defines the location of 
the IDP to whom unauthenticated requests are redirected  realm  Realm  Optional  TargetScope  Security realm of the Relying Party / 
Application. This value is part of the SignIn request as the wtrealm 
parameter.
+Default: URL including the Servlet Context  authenticationType  Authentication Type  Optional  NA  
The authentication type defines what kind of authentication is required. This 
information is provided in the SignInRequest to the IDP (parameter 
wauth)
+The WS-Federation standard defines a list of predefined URIs for wauth http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here. roleURI  Role Claim URI  Optional  NA  
Defines the attribute name of the SAML token which contains the roles.
+Required for Role Based Access Control.  roleDelimiter  Role Value Delimiter  Optional  NA  
There are different ways to encode multi value attributes in SAML.
 Single attribute with multiple valuesSeveral attributes with 
the same name but only one valueSingle attribute with single value. 
Roles are delimited by roleDelimiter
- 
claimTypesRequested  
Requested claims  
Optional  The claims 
required by the Relying Party are listed here. Claims can be optional. If a 
mandatory claim can't be provided by the IDP the issuance of the token should 
fail  homeRealm 
 Home Realm  Optional  Indicates the Resource IDP the home realm of 
the requestor. This may be an URL or an identifier like urn: or uuid: and 
depends on the Resource IDP implementation. This value is part of the SignIn 
request as the whr parameter  tokenValidators  TokenValidators  Optional  Custom Token validator classes can be configured here. 
The SAML Token validator is enabled by default.
-See example http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java";>here
+ 
claimTypesRequested  
Requested claims  
Optional  
ClaimTypesRequested  The 
claims required by the Relying Party are listed here. Claims can be optional. 
If a mandatory claim can't be provided by the IDP the issuance of the token 
should fail  
homeRealm  Home Realm 
 Optional  NA  Indicates the Resource IDP the home realm of 
the requestor. This may be an URL or an identifier like urn: or uuid: and 
depends on the Resource IDP imple
 mentation. This value is part of the SignIn request as the whr 
parameter  
tokenValidators  
TokenValidators  Optional 
 NA  Custom Token validator classes can be 
configured here. The SAML Token validator is enabled by default.
+See example http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java";>here signingKey  Key for Signature  Optional  Metadata signature  If configured, the published WS-Federation Metadata 
document is signed by this key. Otherwise, not 
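Review bot: the new signingKey row is marked Optional and its description, as far as it is visible here, ends with "Otherwise, not", which leaves the reader to infer that the published WS-Federation Metadata document is unsigned unless a key is configured. State that default explicitly in the description. The new Metadata column also fills several rows with "NA" without a legend; a sentence above the table saying what the column maps to would help.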

svn commit: r821731 - in /websites/production/cxf/content: cache/docs.pageCache docs/maven-cxf-codegen-plugin-wsdl-to-java.html

2012-06-14 Thread buildbot
Author: buildbot
Date: Thu Jun 14 14:47:54 2012
New Revision: 821731

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache

websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: 
websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html
==
--- 
websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html 
(original)
+++ 
websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html 
Thu Jun 14 14:47:54 2012
@@ -150,12 +150,14 @@ Apache CXF -- Maven cxf-codegen-plugin (
 
 In this example we're running the wsdl2java goal in the generate-sources 
phase. By running mvn generate-sources, CXF will generate artifacts in 
the <sourceRoot> directory that you specify. Each <wsdlOption> 
element corresponds to a WSDL that you're generated artifacts for. In the above 
example we're generating we're specifying the WSDL location via the 
<wsdl> option.
 
-Other configuration arguments can be included inside the <wsdlOption> 
element. These pass arguments to the tooling and correspond to the options 
outlined on the WSDL to Java page, for example:
+The following example shows some customization options.  By default, the 
codegen plugin follows the Maven convention of "target/generated-sources/cxf" 
for the output folder for the generated classes.  You can override this value 
using <sourceRoot> as shown below, but note this is usually not 
necessary, the default is fine for most people and can make it easier for some 
IDE's to detect the generated source code.  Other configuration arguments can 
be included inside the <wsdlOption> element. These pass arguments to the 
tooling and correspond to the options outlined on the WSDL to Java page.
 
 
 
 ...
-<wsdlOptions>
+<configuration>
+<sourceRoot>${project.build.directory}/generated-code/mywebservice</sourceRoot>
+<wsdlOptions>
<wsdlOption>
<wsdl>${basedir}/src/main/wsdl/myService.wsdl</wsdl>
 <extraargs>
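Review bot: the added paragraph says overriding <sourceRoot> "is usually not necessary", yet the example directly below now adds a <sourceRoot> pointing at ${project.build.directory}/generated-code/mywebservice, so the first snippet a reader copies departs from the recommended default. Consider leaving the override out of the main example or marking it as optional in an XML comment. Wording: "IDE's" should be "IDEs", and "not necessary, the default is fine" is a comma splice.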
@@ -163,15 +165,12 @@ Apache CXF -- Maven cxf-codegen-plugin (
 <extraarg>-verbose</extraarg>
 </extraargs>
</wsdlOption>
-</wsdlOptions>
+</wsdlOptions>
+</configuration>
 ...
 
 
 
-
-For CXF 2.1.4 and latter you don't need anymore to specify the 
<phase>, as generate-sources is the default.
-For CXF 2.2 and latter you don't even need to specify the <sourceRoot> 
to match maven convention for using target/generated-sources/cxf as output 
folder for generated classes.
-
 See http://www.jroller.com/gmazza/entry/web_service_tutorial"; 
rel="nofollow">this blog entry for a full service and client example that 
uses the cxf-codegen-plugin.
 
 Example
 1: Passing in a JAX-WS Binding file
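Review bot: the two removed notes at the end of this hunk were the only place stating that <phase> defaults to generate-sources from CXF 2.1.4 and that the <sourceRoot> default applies from CXF 2.2; the replacement paragraph covers the sourceRoot default but neither version number nor the phase default. Keep one sentence with both versions so users on older releases know the defaults do not apply to them.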
@@ -179,7 +178,6 @@ For CXF 2.2 and latter you don't even ne
 
 
 <configuration>
-  <sourceRoot>${basedir}/target/generated/cxf</sourceRoot>
   <wsdlOptions>
 <wsdlOption>
   <wsdl>${basedir}/src/main/wsdl/myService.wsdl</wsdl>
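Review bot: removing <sourceRoot>${basedir}/target/generated/cxf</sourceRoot> here moves this example's output to the default folder, which the paragraph added earlier in this commit gives as "target/generated-sources/cxf". Builds that copied the old example and reference target/generated/cxf elsewhere will no longer find the generated classes, so a one-line remark that the examples now rely on the default location would help. The same applies to the later examples that lose their <sourceRoot> line.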
@@ -191,6 +189,7 @@ For CXF 2.2 and latter you don't even ne
 </configuration>
 
 
+
 In this example we're specifying that we want CXF to use our JAX-WS binding 
file. Binding files are a way to customize the output of the artifacts that CXF 
generates. For instance, it allows you to change the package name CXF uses.
 
 Example
 2: Specifying a service to generate artifacts for
@@ -198,7 +197,6 @@ For CXF 2.2 and latter you don't even ne
 
 
 <configuration>
-  <sourceRoot>${basedir}/target/generated/src/main/java</sourceRoot>
   <wsdlOptions>
 <wsdlOption>
   <wsdl>${basedir}/src/main/wsdl/myService.wsdl</wsdl>
@@ -217,7 +215,6 @@ For CXF 2.2 and latter you don't even ne
 
 
 <configuration>
-  <sourceRoot>${basedir}/target/generated/cxf</sourceRoot>
   <defaultOptions>
   <bindingFiles>
   <bindingFile>${basedir}/src/main/jaxb/bindings.xml</bindingFile>
@@ -247,7 +244,6 @@ For CXF 2.2 and latter you don't even ne
 
 
 <configuration>
-  <sourceRoot>${basedir}/target/generated/cxf</sourceRoot>
   <defaultOptions>
   <bindingFiles>
   <bindingFile>${basedir}/src/main/jaxb/bindings.xml</bindingFile>
@@ -308,7 +304,6 @@ For CXF 2.2 and latter you don't even ne
 <id>generate-sources</id>
 <phase>generate-sources</phase>
 <configuration>
-  <sourceRoot>${basedir}/target/generated/src/main/java</sourceRoot>
   <wsdlOptions>
 <wsdlOption>
   <wsdl>${basedir}/src/main/wsdl/myService.wsdl</wsdl>
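Review bot: this execution still spells out <phase>generate-sources</phase> while the same commit removes <sourceRoot> to rely on defaults and deletes the note saying the phase is the default. Either drop the explicit phase here as well or keep a sentence explaining that it is optional, so the example is consistent about which settings are defaults.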




svn commit: r822402 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-basics.html

2012-06-19 Thread buildbot
Author: buildbot
Date: Tue Jun 19 18:47:50 2012
New Revision: 822402

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-basics.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-basics.html
==
--- websites/production/cxf/content/docs/jax-rs-basics.html (original)
+++ websites/production/cxf/content/docs/jax-rs-basics.html Tue Jun 19 18:47:50 
2012
@@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Basics
  
JAX-RS : Understanding the Basics 
 
 
-Resource 
class@PathHTTP MethodReturn typesException handlingDealing with 
ParametersParameter beansResource 
lifecyclesOverview of the selection 
algorithm.Selecting between 
multiple resource classesSelec
 ting between multiple resource methodsResource methods and media 
typesCustom selection 
between multiple resourcesContext annotationsCustom 
ContextsAnnotation 
inheritanceSub-resource 
locators.Static resolution of 
subresourcesMessage Body 
ProvidersCustom Message Body 
ProvidersRegistering 
 >custom providershref="#JAX-RSBasics-Customizingmediatypesformessagebodyproviders">Customizing 
 >media types for message body providershref="#JAX-RSBasics-AdvancedHTTP">Advanced HTTP
+Resource 
class@PathHTTP MethodReturn typesException handlingDealing with 
ParametersParameter beansResource 
lifecyclesOverview of the selection 
algorithm.Selecting between 
multiple resource classesSelec
 ting between multiple resource methodsResource methods and media 
typesCustom selection 
between multiple resourcesContext annotationsCustom 
ContextsURI calculation 
using UriInfo and UriBuilderAnnotation 
inheritanceSub-resource 
locators.Static resolution of 
subresourcesMessage Bo
 dy ProvidersCustom Message Body 
ProvidersRegistering custom 
providersCustomizing 
media types for message body providersAdvanced HTTP
 
 Resource class
 
@@ -771,14 +771,13 @@ UriInfo, SecurityContext, HttpHeaders, P
 
 Custom Context implementations may get all the information about the HTTP 
request from the current CXF message.
 
-
-
 
-h1. URI calculation using UriInfo and UriBuilder
+URI calculation 
using UriInfo and UriBuilder
 
-Mapping of a particular URI to a service that returns some resource is 
straightforward using the @Path annotation. However RESTful services are often 
connected: one service returns data that is used as the key in another service. 
Listing entities and accessing a particular entity is a typical example:
+Mapping of a particular URI to a service that returns some resource is 
straightforward using the @Path annotation. However RESTful services are often 
connected: one service returns data that is used as the key in another service. 
Listing entities and accessing a particular entity is a typical example:
 
-{code:java}
+
+
 @Path("/customers")
 public class CustomerService {
 




svn commit: r822790 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-cors.html

2012-06-22 Thread buildbot
Author: buildbot
Date: Fri Jun 22 21:47:49 2012
New Revision: 822790

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-cors.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-cors.html
==
--- websites/production/cxf/content/docs/jax-rs-cors.html (original)
+++ websites/production/cxf/content/docs/jax-rs-cors.html Fri Jun 22 21:47:49 
2012
@@ -131,7 +131,9 @@ Apache CXF -- JAX-RS CORS
 
 CXF 2.5.1 introduces the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/";>initial
 support for the http://www.w3.org/TR/cors/"; rel="nofollow">Cross-Origin Resource 
Sharing specification that "defines a mechanism to enable client-side 
cross-origin requests".
 
-Please see the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/package.html";>package.html
 for a good introduction of CORS and the way it is supported in CXF JAX-RS.
+This https://developer.mozilla.org/en/http_access_control"; 
rel="nofollow">Mozilla.org page provides a very good explanation of 
CORS.
+
+Please see the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/package.html";>package.html
 for a good introduction to CORS and the way it is supported in CXF JAX-RS.
 
 Note that the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java";>CORS
 filter uses the JAX-RS selection algorithm to ensure that the JAX-RS 
resource method capable of handling the  request does exist.
 
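Review bot: the two added sentences both recommend an introduction to CORS ("a very good explanation" on Mozilla.org, then "a good introduction" in package.html) without saying what each source covers. Say that the Mozilla page explains CORS in general and package.html covers how CXF JAX-RS supports it, or merge the two sentences into one.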




svn commit: r823078 - in /websites/production/cxf/content: cache/main.pageCache fediz.html

2012-06-25 Thread buildbot
Author: buildbot
Date: Mon Jun 25 08:47:59 2012
New Revision: 823078

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Mon Jun 25 08:47:59 2012
@@ -161,6 +161,10 @@ Apache CXF -- Fediz
 
 The Fediz architecture is described in more detail here.
 
+Download
+
+See here.
+
 
 Getting started
 
@@ -185,10 +189,6 @@ The RP is a web application that needs t
 
 
 
-Distribution
-
-For the moment, you'll need to check out the Fediz source and build them 
following the instructions in "Building" below.  Once built, the deployable 
WARs will be located in the fediz-idp and fediz-idp-sts "target" folders 
(fedizidp.war and fedizidpsts.war).
-
 Samples
 
 The examples directory contains two sample relying party applications.  
They are independent of each other, so it is not necessary to deploy both at 
once.
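Review bot: the removed Distribution paragraph was the only text in this hunk telling readers where the deployable WARs end up after a source build (the fediz-idp and fediz-idp-sts "target" folders, fedizidp.war and fedizidpsts.war). Check that the "Building" section it referred to, or the new Download page, still carries those names; otherwise keep that sentence. The Download section added in the previous hunk consists only of "See here.", so naming the link target there would also help.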




svn commit: r823082 - in /websites/production/cxf/content: cache/docs.pageCache docs/security.html

2012-06-25 Thread buildbot
Author: buildbot
Date: Mon Jun 25 09:47:50 2012
New Revision: 823082

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/security.html
==
--- websites/production/cxf/content/docs/security.html (original)
+++ websites/production/cxf/content/docs/security.html Mon Jun 25 09:47:50 2012
@@ -124,7 +124,7 @@ Apache CXF -- Security
  
Securing CXF Services 
 
 
-Secure 
transportsHTTPSWS-*
 Security (including UsernameToken and X.509 Token profiles)WS-Trust, STS, 
SSOOAuthAuthenticationAuthorizationControlling Large 
Request PayloadsXMLMultiparts
+Secure 
transportsHTTPSWS-*
 Security (including UsernameToken and X.509 Token profiles)WS-Trust, STSSAML Web SSOOAuthAuthenticationAuthorizationControlling Large Request 
PayloadsXMLMultiparts
 
 Secure transports
 
@@ -136,10 +136,14 @@ Apache CXF -- Security
 
 Please see the http://cxf.apache.org/docs/ws-support.html";>WS-* Support page for 
more information.
 
-WS-Trust, STS, 
SSO
+WS-Trust, STS
 
 Please see the https://cwiki.apache.org/CXF20DOC/ws-trust.html";>WS-Trust page for 
more information.
 
+SAML Web SSO
+
+Please see http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html";
 rel="nofollow">this blog entry announcing the support for SAML Web SSO 
profile and the [SAML Web SSO] page for more 
information.
+
 OAuth
 
 Please check http://cxf.apache.org/docs/jax-rs-oauth2.html";>OAuth2.0 and http://cxf.apache.org/docs/jax-rs-oauth.html";>OAuth1.0 
pages for the information about the support for OAuth 2.0 and OAuth 1.0 in 
CXF.
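Review bot: the added SAML Web SSO paragraph contains "[SAML Web SSO]" as literal bracketed text, which looks like a wiki link that did not resolve when the page was exported. Fix the link target so the section points at the SAML Web SSO page, as the neighbouring WS-Trust and OAuth sections do with working links.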




svn commit: r823098 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html

2012-06-25 Thread buildbot
Author: buildbot
Date: Mon Jun 25 11:47:58 2012
New Revision: 823098

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jun 25 11:47:58 
2012
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO
 
 
 
-IntroductionTypical FlowMaven dependenciesIdentity 
ProviderRequest Assertion Security 
ServiceApplication Security 
FilterSSO 
State Provider
+IntroductionTypical FlowMaven dependenciesIdentity 
ProviderApplication Security 
FilterRequest Assertion Security 
ServiceSSO 
State Provider
 
 Introduction
 
@@ -137,7 +137,7 @@ Apache CXF -- SAML Web SSO
 
 The following components are required to get SSO supported:
 
-Identity Provider (IDP) supporting 
SAML SSORequest Assertion Consumer Service (RACS)Application 
Security FilterSSO State Provider
+Identity Provider (IDP) supporting 
SAML SSORequest Assertion Consumer Service (RACS)Service 
Provider Security FilterSSO State Provider
 
 
 The following sections will describe these components in more details
@@ -147,13 +147,13 @@ Apache CXF -- SAML Web SSO
 Typically, the following flow represents the way SAML SSO is enforced:
 
 1. User accesses a custom application for the first time
-2. Application Security Filter checks if the security context is available 
+2. Service Provider Security Filter checks if the security context is 
available 
and redirects the user to IDP with a SAML SSO request
 3. IDP challenges the user with the authentication dialog and redirects the 
user to
Request Assertion Consumer Service (RACS) after the user has 
authenticated
 4. RACS validates the response from IDP, establishes a security context and 
redirects the user 
to the original application endpoint
-5. Application Security Filter enforces that a valid security context is 
available and lets the user
+5. Service Provider Security Filter enforces that a valid security context is 
available and lets the user
access the custom application.
 
 Maven 
dependencies
@@ -169,8 +169,17 @@ Apache CXF -- SAML Web SSO
 
 
 Identity 
Provider
-Request Assertion 
Security Service
+
+Identity Provider (IDP) is the service which accepts the redirect requests 
from application security filters, authenticates users and redirects them back 
to Request Assertion Security Service.
+
+CXF does not offer its own IDP SAML Web SSO implementation but might 
provide it in the future as part of the http://cxf.apache.org/fediz.html";>Fediz project.
+
+However, CXF has been tested against a number of popular IDP 
implementations which support SAML SSO and thus should be interoperable with 
whatever IDP is being used in the specific production environment. The 
interoperability tests have shown that some IDPs may process SAML request and 
produce SAML response data the way which may not be exactly 
specification-compliant and thus CXF Request Assertion Consumer Service (RACS) 
and Service Provider Security Filter implementations have a number of 
configuration properties for adjusting the way SAML requests to IDP are 
prepared and SAML responsed from IDP are processed.
+
 Application Security Filter
+
+Request Assertion 
Security Service
+
 SSO State 
Provider
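Review bot: the added Identity Provider text uses "application security filters" and "Request Assertion Security Service", while the earlier hunks of this commit rename the filter to "Service Provider Security Filter" and the same paragraph later says "Request Assertion Consumer Service (RACS)"; the heading "Application Security Filter" is also left unchanged. Pick one name per component and use it in headings, the contents list and the body. "SAML responsed from IDP" should be "SAML responses from IDP". Since the paragraph says configuration properties exist to accommodate IDPs that are not exactly specification-compliant, it should point to where those properties are listed and what each one relaxes.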






svn commit: r823109 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html

2012-06-25 Thread buildbot
Author: buildbot
Date: Mon Jun 25 12:47:59 2012
New Revision: 823109

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jun 25 12:47:59 
2012
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO
 
 
 
-IntroductionTypical FlowMaven dependenciesIdentity 
ProviderApplication Security 
FilterRequest Assertion Security 
ServiceSSO 
State Provider
+IntroductionTypical FlowMaven dependenciesIdentity 
ProviderService Provider Security 
FilterRedirect Binding FilterPOST Binding 
FilterRequest Assertion Security 
ServiceSSO 
State Provider
 
 Introduction
 
@@ -174,9 +174,125 @@ Apache CXF -- SAML Web SSO
 
 CXF does not offer its own IDP SAML Web SSO implementation but might 
provide it in the future as part of the http://cxf.apache.org/fediz.html";>Fediz project.
 
-However, CXF has been tested against a number of popular IDP 
implementations which support SAML SSO and thus should be interoperable with 
whatever IDP is being used in the specific production environment. The 
interoperability tests have shown that some IDPs may process SAML request and 
produce SAML response data the way which may not be exactly 
specification-compliant and thus CXF Request Assertion Consumer Service (RACS) 
and Service Provider Security Filter implementations have a number of 
configuration properties for adjusting the way SAML requests to IDP are 
prepared and SAML responsed from IDP are processed.
+However, CXF has been tested against a number of popular IDP 
implementations which support SAML SSO and thus should be interoperable with 
whatever IDP is being used in the specific production environment. The 
interoperability tests have shown that some IDPs may process SAML request and 
produce SAML response data the way which may not be exactly 
specification-compliant and thus CXF Request Assertion Consumer Service (RACS) 
and Service Provider Security Filter implementations have a number of 
configuration properties for adjusting the way SAML requests to IDP are 
prepared and SAML responses from IDP are processed.
+
+Service Provider Security 
Filter
+
+SP Security Filter protects the application endpoints by checking that a 
valid SSO security context is available. If it is then the filter lets the 
request to continue, if not then it redirects the current user to IDP.
+
+CXF offers two SP Security filters, one for redirecting the user back to 
IDP via GET and another one - via POST.
+
+Redirect 
Binding Filter
+
+Redirect Binding Filter is implemented by 
org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter.
+
+Here is an example of a typical filter protecting a custom JAX-RS 
endpoint:
+
+
+<bean id="serviceBean" class="org.apache.cxf.samlp.sso.BookStore"/>
+
+<jaxrs:server address="/app1"> 
+   <jaxrs:serviceBeans>
+  <ref bean="serviceBean"/>
+   </jaxrs:serviceBeans>
+   <jaxrs:providers>
+  <ref bean="redirectGetFilter"/>
+   </jaxrs:providers>
+</jaxrs:server>
+
+<bean id="redirectGetFilter" class="org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter">
+  <property name="idpServiceAddress" value="https://localhost:9443/idp";/>
+  <!-- both relative 
and absolute URIs are supported -->
+  <property name="assertionConsumerServiceAddress" value="/racs/sso"/>
+  <property name="stateProvider" ref="stateManager"/>
+</bean>
+
+
+<bean id="stateManager" class="org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager">
+<constructor-arg ref="cxf"/>
+</bean>
+
+
+
+
+Note that at the very minimum the filter needs to have 3 properties 
set-up:
+1. IDP service address
+2. RACS address - it can be absolute or relative if RACS is collocated 
+  (shares the same web application context) with the application endpoint.
+3. Reference to SSO State Provider.
+
+POST Binding 
Filter
+
+POST Binding Filter is implemented by 
org.apache.cxf.rs.security.saml.sso.SamlPostBindingFilter.
+
+Here is an example of a typical filter protecting a custom JAX-RS 
endpoint.
+
+
+<bean id="serviceBean" class="org.apache.cxf.samlp.sso.BookStore"/>
+<jaxrs:server address="/app2"> 
+<jaxrs:serviceBeans&g
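Review bot: the stateManager bean in the Redirect Binding example is built with <constructor-arg ref="cxf"/>, but nothing in the snippet or the surrounding text defines or explains a bean named "cxf", so a reader pasting the example cannot tell where it comes from. Add a sentence saying what that reference is. The list of the three required settings would also be easier to follow if it used the property names from the example (idpServiceAddress, assertionConsumerServiceAddress, stateProvider). In the prose above, "lets the request to continue" should be "lets the request continue".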

svn commit: r823119 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html

2012-06-25 Thread buildbot
Author: buildbot
Date: Mon Jun 25 13:47:50 2012
New Revision: 823119

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jun 25 13:47:50 
2012
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO
 
 
 
-IntroductionTypical FlowMaven dependenciesIdentity 
ProviderService Provider Security 
FilterRedirect Binding FilterPOST Binding 
FilterRequest Assertion Security 
ServiceSSO 
State Provider
+IntroductionTypical FlowMaven dependenciesIdentity 
ProviderService Provider Security 
FilterRedirect Binding FilterPOST Binding 
FilterSigning SAML 
Authentication RequestsFilters and State 
ManagementRequest Assertion Security 
ServiceDealing with signed SAML 
ResponsesSSO State Provider
 
 Introduction
 
@@ -180,6 +180,10 @@ Apache CXF -- SAML Web SSO
 
 SP Security Filter protects the application endpoints by checking that a 
valid SSO security context is available. If it is then the filter lets the 
request to continue, if not then it redirects the current user to IDP.
 
+When a filter redirects a user to IDP, it creates a SAML Authentication 
Request, see http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile"; 
rel="nofollow">this page for the example and appends it to the IDP Service 
URI or gets it POSTed to IDP.
+Additionally, a RelayState token pointing to the state of the current user 
request is also included which IDP will 
+return to Request Assertion Consumer Service (RACS) after the user has 
authenticated. 
+
 CXF offers two SP Security filters, one for redirecting the user back to 
IDP via GET and another one - via POST.
 
 Redirect 
Binding Filter
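Review bot: in the added paragraph, the sentence "it creates a SAML Authentication Request, see this page for the example and appends it to the IDP Service URI or gets it POSTed to IDP" puts the link in the middle, so "appends it" loses its subject. Split it into one sentence for what the filter does and one for the reference. The RelayState sentence says the token points to "the state of the current user request" and is returned by the IDP to RACS; it would help to say here how RACS treats a RelayState value it does not recognise.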
@@ -221,6 +225,13 @@ Apache CXF -- SAML Web SSO
   (shares the same web application context) with the application endpoint.
 3. Reference to SSO State Provider.
 
+The following optional properties affecting the created SAML request may 
also be set:
+String issuerId - it defaults to the base URI of the application 
endpoint protected by this filter, for example, 
"http://localhost:8080/services/app1";.http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AuthnRequestBuilder.java?view=markup";>AuthnRequestBuilder
 authnRequestBuilder - A builder that constructs the SAML Request. It defaults 
to http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/DefaultAuthnRequestBuilder.java?view=markup";>DefaultAuthnRequestBuilder.
+
+
+The IDP address is where filters will redirect users to and the RACS 
address is where users will be redirected by IDP to.
+RACS will set up a security context and redirect the user back to the original 
application address by using the RelayState token which is included by the 
filters when users are initially redirected to IDP.
+
 POST Binding 
Filter
 
 POST Binding Filter is implemented by 
org.apache.cxf.rs.security.saml.sso.SamlPostBindingFilter.
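Review bot: the added paragraph beginning "The IDP address is where filters will redirect users to" explains the required properties but is placed after the new list of optional ones; move it up next to the required-properties list it belongs to. For issuerId the default is given by example only ("http://localhost:8080/services/app1"), so add a sentence on when a deployment would need to override it.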
@@ -261,11 +272,13 @@ Apache CXF -- SAML Web SSO
 
 
 
-Note that the POST binding filter has the same base properties as 
org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter has but also 
-sets a "useDeflateEncoding" property for getting a SAML request deflated. Some 
IDPs might not be able to process deflated SAML requests with POST binding 
redirects thus the compression may be optionally disabled.
+Note that the POST binding filter has the same 3 required properties as 
org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter has but also sets 
a "useDeflateEncoding" property for getting a SAML request deflated. Some IDPs 
might not be able to process deflated SAML requests with POST binding redirects 
thus the compression may be optionally disabled.
+
+What is actually different in this case from the GET-based redirect is that 
the filter prepares an instance of http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRequestInfo.java";>SAMLRequestInfo
 which is subsequently bound to an XHTML view via a JSP filter. The view will 
typically have a Java Script handler which will actually redirect the user to 
IDP when it is loaded into the browser. The data to view binding is facilitated 
by org.apache.cxf.jaxrs.provider.RequestDispatcherProvider, please see http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider&
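Review bot: "the same 3 required properties" in the rewritten note refers to the properties only by count; name them or link to the redirect filter's list so the sentence survives a later change to that list. The same sentence says the compression "may be optionally disabled" without giving the value to set on "useDeflateEncoding". In the new paragraph, "Java Script" should be "JavaScript".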

buildbot failure in ASF Buildbot on cxf-site-production

2012-06-25 Thread buildbot
The Buildbot has detected a new failure on builder cxf-site-production while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/cxf-site-production/builds/2681

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

BUILD FAILED: failed shell

sincerely,
 -The Buildbot





buildbot success in ASF Buildbot on cxf-site-production

2012-06-25 Thread buildbot
The Buildbot has detected a restored build on builder cxf-site-production while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/cxf-site-production/builds/2682

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

Build succeeded!

sincerely,
 -The Buildbot





svn commit: r823135 - in /websites/production/cxf/content: cache/docs.pageCache docs/security.html

2012-06-25 Thread buildbot
Author: buildbot
Date: Mon Jun 25 16:47:47 2012
New Revision: 823135

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/security.html
==
--- websites/production/cxf/content/docs/security.html (original)
+++ websites/production/cxf/content/docs/security.html Mon Jun 25 16:47:47 2012
@@ -142,7 +142,7 @@ Apache CXF -- Security
 
 SAML Web SSO
 
-Please see http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html";
 rel="nofollow">this blog entry announcing the support for SAML Web SSO 
profile and the [SAML Web SSO] page for more 
information.
+Please see http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html";
 rel="nofollow">this blog entry announcing the support for SAML Web SSO 
profile and the https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO";>SAML 
Web SSO page for more information.
 
 OAuth
 
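Review bot: The replacement for the unresolved "[SAML Web SSO]" macro links to the Confluence source at cwiki.apache.org rather than to a page on the published site, so readers of the production docs are sent to the wiki. An earlier diff in this archive touches a production page titled "Apache CXF -- SAML Web SSO"; link to that published page instead.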




svn commit: r823299 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html

2012-06-26 Thread buildbot
Author: buildbot
Date: Tue Jun 26 14:48:00 2012
New Revision: 823299

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Tue Jun 26 
14:48:00 2012
@@ -139,10 +139,11 @@ Apache CXF -- WS-SecurityPolicy
 
 
 Configuring the 
extra properties
-With CXF 2.2, there are several extra properties that may need to be set to 
provide the additional bits of information to the runtime:
+There are several extra properties that may need to be set to provide the 
additional bits of information to the runtime. Note that you should check that 
a particular property is supported in the version of CXF you are using.
 
 
- ws-security.username  The username used for UsernameToken policy assertions 
 
ws-security.password  The 
password used for UsernameToken policy assertions.   If not specified, the 
callback handler will be called.  ws-security.callback-handler  The WSS4J security CallbackHandler that will 
be used to retrieve passwords for keystores and UsernameTokens. 
 
ws-security.signature.properties  The properties file/object that contains the WSS4J 
properties for configuring the signature keystore and c
 rypto objects  
ws-security.encryption.properties  The properties file/object that contains the WSS4J 
properties for configuring the encryption keystore and crypto objects 
 
ws-security.signature.username  The username or alias for the key in the signature 
keystore that will be used.   If not specified, it uses the the default alias 
set in the properties file.  If that's also not set, and the keystore only 
contains a single key, that key will be used.  ws-security.encryption.username  The username or alias for the key 
in the encryption keystore that will be used.   If not specified, it uses the 
the default alias set in the propertie
 s file.  If that's also not set, and the keystore only contains a single key, 
that key will be used.  For the web service provider, the useReqSigCert keyword 
can be used to accept (encrypt to) any client whose public key is in the 
service's truststore (defined in ws-security.encryption.properties.) 
 
ws-security.signature.crypto  Instead of specifying the signature properties, this can 
point to the full http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html";>WSS4J
 Crypto object.  This can allow easier "programmatic" configuration of the 
Crypto information." ws-security.encryption.crypto  Instead of specifying the encryption 
properties, this can point to the full http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html";>WSS4J
 Crypto object.  This can allow easier "programmatic" configuration of the 
Crypto information." 
+ ws-security.username  The username used for UsernameToken policy assertions 
 
ws-security.password  The 
password used for UsernameToken policy assertions.   If not specified, the 
callback handler will be called.  ws-security.callback-handler  The WSS4J security CallbackHandler that will 
be used to retrieve passwords for keystores and UsernameTokens. 
 
ws-security.signature.properties  The properties file/object that contains the WSS4J 
properties for configuring the signature keystore and c
 rypto objects  
ws-security.encryption.properties  The properties file/object that contains the WSS4J 
properties for configuring the encryption keystore and crypto objects 
 
ws-security.signature.username  The username or alias for the key in the signature 
keystore that will be used.   If not specified, it uses the the default alias 
set in the properties file.  If that's also not set, and the keystore only 
contains a single key, that key will be used.  ws-security.encryption.username  The username or alias for the key 
in the encryption keystore that will be used.   If not specified, it uses the 
the default alias set in the propertie
 s file.  If that's also not set, and the keystore only contains a single key, 
that key will be used.  For the web service provider, the useReqSigCert keyword 
can be used to accept (encrypt to) any client whose public key is in the 
service's truststore (defined in ws-security.encryption.properties.) 
 
ws-security.signature.crypto  Instead of specifying the signature properties, this can 
point to the full http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html";
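Review bot: The new introduction tells readers to check that a property is supported in their CXF version, but the table gives no version for any property, so there is nothing to check against; add a "since" column or state the version in each description. While these rows are being rewritten, "it uses the the default alias" appears in both the ws-security.signature.username and ws-security.encryption.username entries, and the ws-security.password entry could say that leaving it unset and supplying ws-security.callback-handler keeps the password out of the configuration.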

svn commit: r823315 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html docs/jaxrs-services-description.html

2012-06-26 Thread buildbot
Author: buildbot
Date: Tue Jun 26 16:47:51 2012
New Revision: 823315

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-advanced-features.html
websites/production/cxf/content/docs/jaxrs-services-description.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html
==
--- websites/production/cxf/content/docs/jax-rs-advanced-features.html 
(original)
+++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Tue Jun 
26 16:47:51 2012
@@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Advanced Features
 JAX-RS : Advanced Features
 
 
-JMS 
SupportFIQL search 
queriesIntroductionDependencies and 
ConfigurationConsuming FIQL 
queriesSearchBeanBuilding FIQL 
queriesUsing dates in 
queriesOneway 
invocationsSupport for 
Continuations<
 /a>Server-side 
cachingRESTful 
services without annotationsConfiguration
+JMS 
SupportFIQL search 
queriesIntroductionDependencies and 
ConfigurationConsuming FIQL 
queriesConverting FIQL 
queriesSQLJPA 2.0Custom visitorsSearchBeanBuilding FIQL queriesUsing dates in 
queriesOneway 
invocationsSupport for 
ContinuationsServer-side 
cachingRESTful 
services without annotationsConfiguration
 
 JMS 
Support
 
@@ -195,7 +195,7 @@ An expression such as "name==CXF*" can b
 
 Consuming FIQL 
queries
 
-To work with FIQL queries, a http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchContext.java";>SearchContext
 needs be injected into an application code and used to retrieve a http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchCondition.java";>SearchCondition
 representing the current FIQL query. This SearchCondition can be used in a 
number of ways for finding the matching data.
+To work with FIQL queries, a http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchContext.java";>SearchContext
 needs be injected into an application code and used to retrieve a http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchCondition.java";>SearchCondition
 representing the current FIQL query. This SearchCondition can be used in a 
number of ways for finding the matching data.
 
 For example :
 
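Review bot: Both links in this paragraph point into trunk, and this change is needed only because the files moved from rt/frontend/jaxrs to rt/rs/extensions/search; linking to the Javadoc or to a tagged path would stop the page breaking on the next move. "needs be injected into an application code" should read "needs to be injected into the application code".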
@@ -225,25 +225,14 @@ An expression such as "name==CXF*" can b
 Note that a searchContext.getCondition(Book.class) call may return an 
arbitrary complex SearchCondition, it can be a simple primitive
 expression or a more complex one. The Book class needs to have a matching 
property per every name found in the FIQL expression, for example, given a 
'name==b;id==123' expression, the Book class would need to have 'name' and 'id' 
properties available.
 
-SearchCondition can also be used to get to all the search requirements 
(originally expressed in FIQL) and do some manual
-comparison against the local data. For example, SearchCondition provides a 
utility toSQL(String tableName, String... columnNames) method which internally 
introspects all the search expressions constituting a current query and 
converts them into an SQL expression:
+Converting FIQL 
queries
 
-
-
-// find all conditions with names starting from 
'ami' 
-// and levels greater than 10 :
-// ?_s="name==ami*;level=gt=10"
-SearchCondition<Book> sc = searchContext.getCondition(Book.class);
-assertEquals("SELECT * FROM table 
-  WHERE 
-  name LIKE 'ami%' 
-  AND 
-  level > '10'",
-  sq.toSQL("table"));
-
-
+SearchCondition can also be used to convert the search requirements 
(originally expressed in FIQL) into other query languages. 
+A custom http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/SearchConditionVisitor.java";>SearchConditionVisitor
 implementation can be used to convert SearchCondition objects into custom 
expressions or typed objects. CXF ships visitors for converting expressions to 
SQL and JPA 2.0 CriteriaQuery or TypedQuery objects.
 
-The SearchCondition.toSQL() method has become deprecated in CXF 2.3.3 and 
2.4.0. Using an org.apache.cxf.jaxrs.ext.search.sql.SQLPrinterVisitor is 
recommended as it will allow for building more advanced SQL expressions. For 
example: 
+SQL
+
+org.apache.cxf.jaxrs.ext.search.sql.SQLPrinterVisitor can be used for 
creating SQL expressions. For example: 
 
 
 
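Review bot: The rewrite drops the statement that SearchCondition.toSQL() is deprecated as of CXF 2.3.3 and 2.4.0, so anyone still calling it no longer learns from this page that SQLPrinterVisitor is the replacement; keep a one-line deprecation note under the new SQL heading. The removed example showed values from the ?_s= query appearing as literals in the generated statement (name LIKE 'ami%'), so the SQL section should also say how the visitor quotes or escapes those values before the result is run against a database.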
@@ -267,7 +256,7 @@ assertEqu

svn commit: r823358 - in /websites/production/cxf/content: cache/main.pageCache fediz-100-release-notes.html fediz-downloads.html

2012-06-26 Thread buildbot
Author: buildbot
Date: Tue Jun 26 19:47:50 2012
New Revision: 823358

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-100-release-notes.html
websites/production/cxf/content/fediz-downloads.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-100-release-notes.html
==
--- websites/production/cxf/content/fediz-100-release-notes.html (original)
+++ websites/production/cxf/content/fediz-100-release-notes.html Tue Jun 26 
19:47:50 2012
@@ -149,7 +149,7 @@ provides the following features:
 
 Download
 
-DescriptionFileMD5SHA1PGPBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip";>apache-fediz-1.0.0.ziphttp://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.md5";>apache-fediz-1.0.0.zip.md5http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.sha1";
 >apache-fediz-1.0.0.zip.sha1class="confluenceTd">href="http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.asc";>apache-fediz-1.0.0.zip.asc
+DescriptionFileMD5SHA1PGPBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip";>apache-fediz-1.0.0.ziphttp://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.md5";>apache-fediz-1.0.0.zip.md5http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.sha1";
 >apache-fediz-1.0.0.zip.sha1class="confluenceTd">href="http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.asc";>apache-fediz-1.0.0.zip.asc colspan="1" rowspan="1" class="confluenceTd">Source distributioncolspan="1" rowspan="1" class="confluenceTd">class="external-link" 
 >href="http://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip";>fediz-1.0.0-source-release.zip colspan="1" rowspan="1" class="confluenceTd">class="external-link" 
 >href="http://www.apache.org/dist/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip.md5";>fediz-1.0.0-source-release.zip.md5 colspan="1" rowspan="1" class="confluenceTd">class="external-link" 
 >href="http://www.apache.org/dist/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip.sha1";>fediz-1.0.0-source-release.zip.sha1http://www.apache.org/dist/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip.asc";>fediz-1.0.0-source-release.zip.asc
 
 
 
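Review bot: The new source distribution row, like the binary row, offers .md5, .sha1 and .asc files, but the table has no link to the KEYS file needed to check the .asc signature; add it next to the table. The checksum and signature links are plain http://www.apache.org/dist URLs; use https for them so the verification data is not fetched over an unauthenticated channel.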

Modified: websites/production/cxf/content/fediz-downloads.html
==
--- websites/production/cxf/content/fediz-downloads.html (original)
+++ websites/production/cxf/content/fediz-downloads.html Tue Jun 26 19:47:50 
2012
@@ -143,32 +143,31 @@ Apache CXF -- Fediz Downloads
 The 1.0.0 release is our first release. For more information please see the 
release notes.
 
 
-DescriptionFileMD5SHA1PGPBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip";>apache-fediz-1.0.0.ziphttp://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.md5";>apache-fediz-1.0.0.zip.md5http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.sha1";
 >apache-fediz-1.0.0.zip.sha1class="confluenceTd">href="http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.asc";>apache-fediz-1.0.0.zip.asc
+DescriptionFileMD5SHA1PGPBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip";>apache-fediz-1.0.0.ziphttp://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.md5";>apache-fediz-1.0.0.zip.md5http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.sha1";
 >apache-fediz-1.0.0.zip.sha1class="confluenceTd">href="http://www.apache.org/dist/cxf/fediz/1.0.0/apache-fediz-1.0.0.zip.asc";>apache-fediz-1.0.0.zip.asc colspan="1" rowspan="1" class="confluenceTd">Source distributioncolspan="1" rowspan="1" class="confluenceTd">class="external-link" 
 >href="http://www.apache.org/dyn/closer.cgi?path=/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip";>fediz-1.0.0-source-release.zip colspan="1" rowspan="1" class="confluenceTd">class="external-link" 
 >href="http://www.apache.org/dist/cxf/fediz/1.0.0/fediz-1.0.0-source-release.zip.md5";>fediz-1.0.0-source-release.
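Review bot: This table is the same one edited in fediz-100-release-notes.html in this commit, with the identical source distribution row added; keeping the download table in one page and linking to it from the other avoids the two copies drifting apart on the next release.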

svn commit: r823586 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs.html docs/secure-jax-rs-services.html

2012-06-28 Thread buildbot
Author: buildbot
Date: Thu Jun 28 09:48:08 2012
New Revision: 823586

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs.html
websites/production/cxf/content/docs/secure-jax-rs-services.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs.html
==
--- websites/production/cxf/content/docs/jax-rs.html (original)
+++ websites/production/cxf/content/docs/jax-rs.html Thu Jun 28 09:48:08 2012
@@ -459,7 +459,7 @@ by Java HTTPUrlConnection. When needed, 
 
 Please see the Secure JAX-RS Services page for more 
information.
 
-Please also check https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+XML+Security";>JAX-RS
 XML Security, JAX-RS SAML and JAX-RS OAuth pages for more information about the 
advanced security topics.
+Please also check https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+XML+Security";>JAX-RS
 XML Security, JAX-RS SAML and JAX-RS OAuth2 pages for more information about the 
advanced security topics.
 
 Failover and Load 
Distribution Features
 

Modified: websites/production/cxf/content/docs/secure-jax-rs-services.html
==
--- websites/production/cxf/content/docs/secure-jax-rs-services.html (original)
+++ websites/production/cxf/content/docs/secure-jax-rs-services.html Thu Jun 28 
09:48:08 2012
@@ -124,7 +124,7 @@ Apache CXF -- Secure JAX-RS Services
  
JAX-RS: Security 
 
 
-HTTPSConfiguring 
endpointsConfiguring 
clientsAuthenticationAuthorizationWS-Trust 
integrationValidating 
BasicAuth credentials with STSNote about 
SecurityManager
+HTTPSConfiguring 
endpointsConfiguring 
clientsAuthenticationAuthorizationWS-Trust 
integrationValidating 
BasicAuth credentials with STSUsing STS to 
validate SAML assertionsNote about 
SecurityManagerAdvanced SecurityRestricting large 
payloadsCross Origin Resource 
Sharing
 
 HTTPS
 
@@ -231,6 +231,8 @@ WebClient client = WebClient.create(addr
 
 HTTPConduits can also be 'bound' to proxies or WebClients using expanded 
QNames. Please see this http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring";>section
 for more information.
 
+Please see http://aruld.info/programming-ssl-for-jetty-based-cxf-services/"; 
rel="nofollow">this blog entry on how the HTTPConduit TLS properties can be 
set up from the code. In the code, do 
WebClient.getConfig(myClient).getHTTPConduit() and proceed from there.
+
 Authentication
 
 It is often containers like Tomcat or frameworks like Spring Security which 
handle the user authentication. Sometimes you might want to do the custom 
authentication instead. CXF HTTP Transport adds decoded Basic Authentication 
credentials into an instance of AuthorizationPolicy extension and sets it on 
the current message. Thus the easiest way is to register a custom invoker or 
RequestHandler filter which will extract a user name and password like 
this:
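Review bot: The added sentence ends at "proceed from there" and leaves the actual TLS configuration to an external blog; name the next step on the page, for example setting the TLS client parameters and trust store on the conduit returned by WebClient.getConfig(myClient).getHTTPConduit(), so the instruction survives if the blog moves. Because the blog is then the only place a reader learns which settings matter, a sentence on keeping server certificate and host name checks enabled belongs here as well.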
@@ -330,8 +332,6 @@ CXF JAX-RS SimpleAuthorizingFilter can b
 
 One of the requirements for deploying CXF endpoints into secure web service 
environments is to ensure that existing WS-Trust STS services can be used to 
protect the endpoints. JAX-WS endpoints can rely on CXF WS-Security and 
WS-Trust support. Making sure CXF JAX-RS endpoints can be additionally secured 
by STS is strategically important task. CXF provides close integration between 
JAX-WS and JAX-RS frontends thus reusing CXF JAX-WS and WS-Security is the most 
effective way toward achieving this integration.
 
-At the moment what can be done is to have Basic Authentication credentials 
validated with STS. The next step is to provide a more advanced integration 
with STS, stay tuned. 
-
 Validating
 BasicAuth credentials with STS
 
 Validating Basic Authentication credentials with STS is possible starting 
from CXF 2.4.1. JAX-RS and JAX-WS services can rely on this feature. Here is an 
example on how a jaxrs endpoint can be configured:
@@ -403,6 +403,10 @@ CXF JAX-RS SimpleAuthorizingFilter can b
 
 AuthPolicyValidatingInterceptor converts Basic Auth info into WSS4J 
UsernameToken and delegates to STS to validate.
 
+Using STS to 
validate SAML assertions
+
+Please see http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLAssertionValidation";>this
 section for more information on how STSSamlAssertionValidator can be used 
to validate the inbound SAML assertions.
+
 Note about 
SecurityManager
 
 If java.lang.SecurityManager is installed then you'll likely need 
to configure the trusted JAX-RS codebase with a 'suppressAccessChecks' 
permiss

svn commit: r823593 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html

2012-06-28 Thread buildbot
Author: buildbot
Date: Thu Jun 28 10:47:59 2012
New Revision: 823593

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-advanced-features.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html
==
--- websites/production/cxf/content/docs/jax-rs-advanced-features.html 
(original)
+++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Thu Jun 
28 10:47:59 2012
@@ -124,11 +124,16 @@ Apache CXF -- JAX-RS Advanced Features
 JAX-RS : Advanced Features
 
 
-JMS 
SupportFIQL search 
queriesIntroductionDependencies and 
ConfigurationConsuming FIQL 
queriesConverting FIQL 
queriesSQLJPA 2.0Custom visitorsSearchBeanBuilding FIQL queriesUsing dates in 
queriesOneway 
invocationsSupport for 
ContinuationsServer-side 
cachingRESTful 
services without annotationsConfiguration
+JMS 
SupportEndpointsClientFIQL search 
queriesIntroductionDependencies and 
ConfigurationConsuming FIQL 
queriesConverting FIQL 
queriesSQLJPA 2.0Custom visitorshref="#JAX-RSAdvancedFeatures-SearchBean">SearchBeanshape="rect" href="#JAX-RSAdvancedFeatures-BuildingFIQLqueries">Building FIQL 
 >querieshref="#JAX-RSAdvancedFeatures-Usingdatesinqueries">Using dates in 
 >querieshref="#JAX-RSAdvancedFeatures-Onewayinvocations">Oneway 
 >invocationshref="#JAX-RSAdvancedFeatures-SupportforContinuations">Support for 
 >Continuationshref="#JAX-RSAdvancedFeatures-Serversidecaching">Server-side 
 >cachinghref="#JAX-RSAdvancedFeatures-RESTfulserviceswithoutannotations">RESTful 
 >services without annotationshref="#JAX-RSAdvancedFeatures-Configuration">Configuration
 
 JMS 
Support
 
-CXF has been designed such that multiple transports can be supported for a 
given endpoint. If you would like your JAXRS endpoint be capable of serving not 
only HTTP but also JMS requests then you need to specify a JMS transportId, 
example :
+CXF has been designed such that multiple transports can be supported for a 
given endpoint. CXF JAX-RS endpoint and proxies can optionally 
+support the JMS transport. 
+
+Endpoints
+
+If you would like your JAXRS endpoint be capable of serving not only HTTP 
but also JMS requests then you need to specify a JMS transportId, example:
 
 
 
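Review bot: In the reworded introduction, "CXF JAX-RS endpoint and proxies can optionally support" mixes singular and plural; "endpoints and proxies" is meant. Under the new Endpoints heading, "your JAXRS endpoint be capable of" is missing "to", and "JAXRS" should match the "JAX-RS" spelling used in the sentence above it.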
@@ -156,6 +161,29 @@ jaxrs:server/@address is set to "/bar" t
 
 By referencing a bean such as 'org.apache.cxf.systest.jaxrs.JMSBookStore' 
from multiple jaxrs endpoints you can ensure that both HTTP and JMS requests 
are handled by the same service bean. In such cases you may want to use a CXF 
JAXRS specific http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/ProtocolHeaders.java";>ProtocolHeaders
 context which will let you get either HTTP or JMS headers. 
 
+Client
+
+Starting from CXF 2.5.5 and CXF 2.6.2 it is possible to use the client 
proxies to invoke on JMS endpoints. All one needs to do is to provide a JMS 
endpoint address and then continue working with the proxy as usual. For 
example:
+
+
+
+// setup the the client
+String endpointAddressUrlEncoded = 
"jms:jndi:dynamicQueues/test.jmstransport.text"
+ + "?jndiInitialContextFactory=org.apache.activemq.jndi.ActiveMQInitialContextFactory"
+ + "&replyToName=dynamicQueues/test.jmstransport.response"
+ + "&jndiURL=tcp://localhost:" + JMS_PORT
+ + "&jndiConnectionFactoryName=ConnectionFactory";
+   
+JMSBookStore client = JAXRSClientFactory.create(endpointAddressUrlEncoded, 
JMSBookStore.class);
+Book book = client.getBook("123");
+assertEquals("Get a wrong response code.", 
200, WebClient.client(client).getResponse().getStatus());
+assertEquals("Get a wrong book id.", 123, 
book.getId());
+
+
+
+The client runtime will set up the JMS properties described in the previous 
section according to JAX-RS and other annotations (such as 
org.apache.cxf.jaxrs.ext.Oneway) available in JMSBookStore resource class.
+
+
 FIQL 
search queries
 
 Introduction
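Review bot: The variable in the new client example is named endpointAddressUrlEncoded, but the string is assembled from raw "&", "/" and ":" characters and nothing encodes it; rename it (endpointAddress) or show the encoding step. JMS_PORT is not defined in the snippet, the comment reads "setup the the client", and the closing paragraph refers to "the previous section" for the JMS properties without naming it.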




svn commit: r823610 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs.html

2012-06-28 Thread buildbot
Author: buildbot
Date: Thu Jun 28 12:47:51 2012
New Revision: 823610

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs.html
==
--- websites/production/cxf/content/docs/jax-rs.html (original)
+++ websites/production/cxf/content/docs/jax-rs.html Thu Jun 28 12:47:51 2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS
 
 
 
-IntroductionProject setup and 
configurationMigrationMaven dependenciesCXF 2.3.x - CXF 
2.5.xCXF 
2.6.xSetting up the classpathCXF JAX-RS 
bundleWhat is 
NewGetting 
Started with JAX-RSUnderstanding the BasicsSupport for Data BindingsHow Request 
 >URI is MatchedClient 
 >APIhref="#JAX-RS-Filters%2CInterceptorsandInvokers">Filters, Interceptors and 
 >Invokershref="#JAX-RS-ServicelistingsandWADLsupport">Service listings and WADL 
 >supporthref="#JAX-RS-ConfiguringJAXRSservices">Configuring JAX-RS 
 >serviceshref="#JAX-RS-Debugging">Debugginghref="#JAX-RS-Logging">Logginghref="#JAX-RS-AdvancedFeatures">Advanced Featuresshape="rect" href="#JAX-RS-Multiparts">Multipartshref="#JAX-RS-SecureJAXRSservices">Secure JAX-RS servicesshape="rect" href="#JAX-RS-FailoverandLoadDistributionFeatures">Failover and 
 >Load Distribution FeaturesRedirectionXSLT and XPathComplex Search QueriesModel-View-Controller 
supportCombining JAX-WS and 
JAX-RSIntegration with Distributed 
OSGiOther 
Advanced FeaturesMaven PluginsDeploymentRESTful ResourcesHow to contribute
+IntroductionProject setup and 
configurationMigrationMaven dependenciesCXF 2.3.x - CXF 
2.5.xCXF 
2.6.xSetting up the classpathCXF JAX-RS 
bundleWhat is 
NewGetting 
Started with JAX-RSUnderstanding the BasicsSupport for Data BindingsHow Request 
 >URI is MatchedClient 
 >APIhref="#JAX-RS-Filters%2CInterceptorsandInvokers">Filters, Interceptors and 
 >Invokershref="#JAX-RS-ServicelistingsandWADLsupport">Service listings and WADL 
 >supporthref="#JAX-RS-ConfiguringJAXRSservices">Configuring JAX-RS 
 >serviceshref="#JAX-RS-Testing">Testinghref="#JAX-RS-Debugging">Debugginghref="#JAX-RS-Logging">Logginghref="#JAX-RS-AdvancedFeatures">Advanced Featuresshape="rect" href="#JAX-RS-Multiparts">Multipartshref="#JAX-RS-SecureJAXRSservices">Secure JAX-RS servicesshape="rect" href="#JAX-RS-FailoverandLoadDistributionFeatures">Failover and 
 >Load Dis
 tribution FeaturesRedirectionXSLT and XPathComplex Search QueriesModel-View-Controller 
supportCombining JAX-WS and 
JAX-RSIntegration with Distributed 
OSGiOther 
Advanced FeaturesMaven PluginsDeploymentRESTful ResourcesHow to contribute
 
 Introduction
 
@@ -372,6 +372,10 @@ Please see the configuration sections be
 
 Please see the JAXRS Services Configuration page for 
more information.
 
+Testing
+
+JAX-RS services can be easily tested using the embedded Jetty or CXF Local 
Transport.
+Please see the [JAXRS Testing] page for more 
information.
 
 Debugging
 
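Review bot: "[JAXRS Testing]" in the new Testing section is an unresolved wiki link and will show as literal brackets on the published page, the same problem r823135 fixed for "[SAML Web SSO]" in security.html; replace it with a real link. "the embedded Jetty" would also read better as "an embedded Jetty server".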




svn commit: r823758 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-data-bindings.html docs/servlet-transport.html

2012-06-29 Thread buildbot
Author: buildbot
Date: Fri Jun 29 17:47:58 2012
New Revision: 823758

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-data-bindings.html
websites/production/cxf/content/docs/servlet-transport.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-data-bindings.html
==
--- websites/production/cxf/content/docs/jax-rs-data-bindings.html (original)
+++ websites/production/cxf/content/docs/jax-rs-data-bindings.html Fri Jun 29 
17:47:58 2012
@@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Data Bindings
  
JAX-RS : Data Bindings 
 
 
-JAXB 
supportConfiguring JAXB 
providerJAXB and MoxyJSON 
supportJettisonConfiguring JSON 
providerDealing with 
JSON array serialization issuesBadgerFish 
conventionWrapping and 
Unwrapping JSON sequencesTypeConverters<
 /a>JacksonCommon JAXB and JSON 
configurationSingle 
JAXBContext and extra user classesAutomatic
 JAXBElement conversion during serializationHandling
 JAXB beans without XmlRootElement annotationsHandling explicit 
collectionsCustomizing 
JAXB XML and JSON input and outputControlling Large JAXB XML and JSON input 
payloadsJSON With PaddingForm 
payloadsAtomAegis Data BindingXMLBeansCXF 
DataBindings as JAX-RS providersJAXRS DataBindingSchema 
validationOutput 
validationFast Infoset
+JAXB 
supportConfiguring JAXB 
providerJAXB and MoxyJSON 
supportJettisonConfiguring JSON 
providerDealing with 
JSON array serialization issuesBadgerFish 
conventionWrapping and 
Unwrapping JSON sequencesTypeConverters<
 /a>JacksonCommon JAXB and JSON 
configurationSingle 
JAXBContext and extra user classesAutomatic
 JAXBElement conversion during serializationHandling
 JAXB beans without XmlRootElement annotationsHandling explicit 
collectionsCustomizing 
JAXB XML and JSON input and outputControlling Large JAXB XML and JSON input 
payloadsJSON With PaddingForm 
payloadsAtomAegis Data BindingXMLBeansCXF 
DataBindings as JAX-RS providersJAXRS DataBindingSchema 
validationSupport for 
catalogsOutput validationFast 
 >Infoset
 
 JAXB support
 
@@ -983,6 +983,33 @@ individual MessageBodyReader implementat
 
 
 
+Support 
for catalogs
+
+Available starting from CXF 2.5.5, 2.6.2
+
+XML Catalogs can be used for the main schema (which is used to validate the 
data) to get the imported or included schema resources resolved locally.
+By default, a "META-INF/jax-rs-catalog.xml" will be checked however the 
catalog location can be set either on JAXBElementProvider or JSONProvider:
+
+
+
+<bean id="jaxbProvider" class="org.apache.cxf.jaxrs.provider.JAXBElementProvider">
+   <property name="catalogLocation" value="classpath:/schemas/mycatalog.xml"/>
+</bean>
+
+
+
+
+where mycatalog.xml may look like this:
+
+
+
+<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"> prefer="system">
+<system systemId="http://schemas/bookid.xsd"; uri="classpath:WEB-INF/schemas/bookid.xsd"/>
+</catalog>
+
+
+
+
 Output 
validation
 
 By default, after a valid schema has been located, only JAXB Unmarshaller 
will use it to validate the input.
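Review bot: The added mycatalog.xml sample is not well-formed as shown: the start tag reads `<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"> prefer="system">`, which leaves prefer="system" outside the tag, and the <system> line has a stray ";" after the systemId value. A reader who pastes it gets a catalog that fails to parse. Move prefer inside the start tag and drop the ";". The sentence 'By default, a "META-INF/jax-rs-catalog.xml" will be checked however the catalog location can be set ...' should also be split before "however".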

Modified: websites/production/cxf/content/docs/servlet-transport.html
==
--- websites/production/cxf/content/docs/servlet-transport.html (original)
+++ websites/production/cxf/content/docs/servlet-transport.html Fri Jun 29 
17:47:58 2012
@@ -265,6 +265,85 @@ Apache CXF -- Servlet Transport
 
 Finally, DefaultCXFServlet serves a requested book.html.
 
+Serving 
welcome pages
+
+Starting from CXF 2.5.5 and 2.6.2 it is possible to configure CXFServlet to 
serve welcome pages in a number of ways.
+
+For example, lets assume we have a web application called "webapp" which 
has a root resource called "index.html".
+For CXFServlet to support both "/webapp" and "/webapp/index.html" requests 
returning "index.html", while letting all other requests to proceed to the 
actual endpoints, the following can be done.
+
+Option1. Delegating to Default Servlet
+
+
+
+<servlet>
+<servlet-name>CXFServlet</servlet-name>
+<display-name>CXF Servlet</display-name>
+<servlet-class>
+org.apache.cxf.transport.servlet.CXFServlet
+</servlet-class>
+<init-param>
+<param-name>redirects-list</param-name>
+<param-value>
+  /
+  /index.html
+</param-value>
+</init-param>
+&
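Review bot: The added "Serving welcome pages" text needs a wording pass: "lets assume" should be "let's assume", "letting all other requests to proceed" should be "letting all other requests proceed", and the heading "Option1." is missing a space. It would also help to say explicitly, next to the redirects-list value, that only the listed paths ("/" and "/index.html") are affected and everything else still reaches the endpoints.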

buildbot failure in ASF Buildbot on cxf-site-production

2012-07-04 Thread buildbot
The Buildbot has detected a new failure on builder cxf-site-production while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/cxf-site-production/builds/2894

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

BUILD FAILED: failed compile

sincerely,
 -The Buildbot





buildbot success in ASF Buildbot on cxf-site-production

2012-07-04 Thread buildbot
The Buildbot has detected a restored build on builder cxf-site-production while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/cxf-site-production/builds/2895

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

Build succeeded!

sincerely,
 -The Buildbot





buildbot success in ASF Buildbot on cxf-site-production

2012-07-05 Thread buildbot
The Buildbot has detected a restored build on builder cxf-site-production while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/cxf-site-production/builds/2932

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

Build succeeded!

sincerely,
 -The Buildbot





svn commit: r825051 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-saml.html docs/jax-rs.html docs/saml-web-sso.html

2012-07-08 Thread buildbot
Author: buildbot
Date: Sun Jul  8 17:47:50 2012
New Revision: 825051

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-saml.html
websites/production/cxf/content/docs/jax-rs.html
websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-saml.html
==
--- websites/production/cxf/content/docs/jax-rs-saml.html (original)
+++ websites/production/cxf/content/docs/jax-rs-saml.html Sun Jul  8 17:47:50 
2012
@@ -705,7 +705,7 @@ If the assertion signature is verified l
 
 SAML Web SSO 
Profile
 
-Please see https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO";>this 
page for more information
+Please see this page for more information


  

Modified: websites/production/cxf/content/docs/jax-rs.html
==
--- websites/production/cxf/content/docs/jax-rs.html (original)
+++ websites/production/cxf/content/docs/jax-rs.html Sun Jul  8 17:47:50 2012
@@ -375,7 +375,7 @@ Please see the configuration sections be
 Testing
 
 JAX-RS services can be easily tested using the embedded Jetty or CXF Local 
Transport.
-Please see the [JAXRS Testing] page for more 
information.
+Please see the https://cwiki.apache.org/confluence/display/CXF20DOC/JAXRS+Testing";>JAXRS 
Testing page for more information.
 
 Debugging
 
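Review bot: The replacement link for "JAXRS Testing" points at cwiki.apache.org/confluence, while the jax-rs-saml.html hunk in this same revision drops the cwiki.apache.org link for the SAML Web SSO page. The published site should be consistent, so link to the site's own rendered page here as well rather than to the wiki.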

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Sun Jul  8 17:47:50 
2012
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO
 
 
 
-IntroductionTypical FlowMaven dependenciesIdentity 
ProviderService Provider Security 
FilterRedirect Binding FilterPOST Binding 
FilterSigning SAML 
Authentication RequestsFilters and State 
ManagementRequest Assertion Security 
ServiceDealing with signed SAML 
ResponsesSSO State Provider
+IntroductionTypical FlowMaven dependenciesIdentity 
ProviderService Provider Security 
FilterRedirect Binding FilterPOST Binding 
FilterSigning SAML 
Authentication RequestsFilters and State 
ManagementRequest Assertion Consumer 
ServiceDealing with signed SAML 
ResponsesSSO State Provider
 
 Introduction
 
@@ -364,9 +364,9 @@ If the custom SP application is 'spread'
 
 Note that the stateTimeToLive property affects a Cookie 'Expires' property 
but also used by filters and RACS to enforce that the internal state has not 
expired.
 
-Request Assertion 
Security Service
+Request Assertion 
Consumer Service
 
-Request Assertion Security Service receives a SAML Authentication Response 
and RelayState token from IDP, uses the token to validate the response against 
the data available in the original SAML Authentication Request, creates a 
security context if it does not already exists for
+Request Assertion Consumer Service receives a SAML Authentication Response 
and RelayState token from IDP, uses the token to validate the response against 
the data available in the original SAML Authentication Request, creates a 
security context if it does not already exists for
 the current user, persists it and redirect the user back to the original 
endpoint. 
 
 The RACS processes the SAML Response, and validates it in a number of 
ways:
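Review bot: The renamed "Request Assertion Consumer Service" paragraph keeps the grammar slips of the old text, "if it does not already exists" and "persists it and redirect the user". Since the line is being rewritten anyway, fix them ("does not already exist", "redirects"). The context sentence above it, "but also used by filters and RACS", is missing "is".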




svn commit: r825115 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html

2012-07-09 Thread buildbot
Author: buildbot
Date: Mon Jul  9 09:47:50 2012
New Revision: 825115

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jul  9 09:47:50 
2012
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO
 
 
 
-IntroductionTypical FlowMaven dependenciesIdentity 
ProviderService Provider Security 
FilterRedirect Binding FilterPOST Binding 
FilterSigning SAML 
Authentication RequestsFilters and State 
ManagementRequest Assertion Consumer 
ServiceDealing with signed SAML 
ResponsesSSO State Provider
+IntroductionTypical FlowMaven dependenciesIdentity 
ProviderService Provider Security 
FilterRedirect Binding FilterPOST Binding 
FilterSigning SAML 
Authentication RequestsFilters and State 
ManagementRequest Assertion Consumer 
ServiceDealing with signed SAML 
ResponsesSSO State ProviderDistributed State 
Management
 
 Introduction
 
@@ -433,7 +433,92 @@ the current user, persists it and redire
 
 SP Security Filters and RACS depend on the custom http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/SPStateManager.java";>SPStateManager
 implementation for persisting the current request and security context state. 

 
-CXF ships an http://ehcache.org/"; rel="nofollow">EhCache-based http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java";>implementation.
 Users can register their own custom implementations if required.
+CXF ships a basic http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/MemorySPStateManager.java";>MemorySPStateProvider
 and an http://ehcache.org/"; 
rel="nofollow">EhCache-based http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java";>implementation
 which is memory based with an option to overflow to the disk. Users can 
customize the EhCache provider or register their own custom SPStateProvider 
implementations if required.
+
+For example, by default, the EhCache provider will overflow the data to the 
system temp directory and will not persist the data across restarts. The 
following EhCache configuration can be used to change it:
+
+
+<ehcache xsi:noNamespaceSchemaLocation="ehcache.xsd" updateCheck="false" monitoring="autodetect" dynamicConfig="true">
+
+<diskStore path="/home/username/work/ehcache"/>
+
+<defaultCache
+maxEntriesLocalHeap="5000"
+timeToIdleSeconds="3600"
+timeToLiveSeconds="3600"
+overflowToDisk="true"
+maxElementsOnDisk="1000"
+diskPersistent="true"
+diskExpiryThreadIntervalSeconds="120"
+memoryStoreEvictionPolicy="LRU"
+/>
+</ehcache>
+
+Assuming this configuration is saved in WEB-INF/ehcache.xml, the EhCache 
provider can be configured as follows:
+
+{code:xml}
+<bean id="stateManager" class="org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager">
+<constructor-arg value="/WEB-INF/ehcache.xml"/>
+</bean>
+
+
+
+Distributed State 
Management
+
+If you have a complex application supported by a number of wars deployed 
into different containers, one has to decide whether to have a single 
RequestAssertionConsumerService (RACS) endpoint which IDP will redirect to when 
processing the user authentication requests or have a separate RACS endpoint 
per every web application which all form a bigger application.
+
+For example, assume you have server1, server2 and server3 which all support 
a bigger application. One can have a serverRacs web application which will host 
a RACS endpoint. Next, server1, server2 and server3 SSO filters will all point 
to this standalone RACS endpoint when redirecting the user to IDP and IDP will 
eventually redirect the user to RACS which in turn will redirect the user to 
the original targer URI supported by server or server2 or server3.
+
+In this case, one has to decide how the state between SSO security filters 
protecting the individual servers and RACS will be shared.
+One appr
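Review bot: The link text "MemorySPStateProvider" and the phrase "custom SPStateProvider implementations" do not match the linked class MemorySPStateManager.java or the SPStateManager interface named in the context line above; use the Manager names throughout. The literal "{code:xml}" before the stateManager bean is an unrendered wiki macro and should be removed. Because the sample sets diskPersistent="true" with a diskStore path of /home/username/work/ehcache, the text should state that this directory then holds the request and security context state and must be readable only by the container's user. "targer URI" and "supported by server or server2 or server3" also need fixing ("target", "server1").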

svn commit: r825130 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html

2012-07-09 Thread buildbot
Author: buildbot
Date: Mon Jul  9 13:47:48 2012
New Revision: 825130

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Mon Jul  9 13:47:48 2012
@@ -337,7 +337,7 @@ export JAVA_OPTS
 
 When a STS client (IDP) requests a claim, the ClaimsManager in the STS 
checks every registered ClaimsHandler who can provide the data of the requested 
claim.  The CXF STS provides 
org.apache.cxf.sts.claims.LdapClaimsHandler which is a claims handler 
implementation to get claims from user attributes in a LDAP directory.
 
-You configure which claim URI maps to which LDAP user attribute. The 
implementation uses the Spring Ldap Module (LdapTemplate).
+You configure which claim URI maps to which LDAP user attribute. The 
implementation uses the Spring Ldap Module (LdapTemplate). 
 
 The following example illustrate the changes to be made in 
webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml:
 
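Review bot: The only change on the "You configure which claim URI maps to which LDAP user attribute" line is a trailing space after "(LdapTemplate)."; drop it so this hunk disappears. The context line "The following example illustrate the changes" should read "illustrates".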
@@ -384,6 +384,14 @@ value="c"
 
 
+You must deploy the library for the spring ldap module and its 
dependencies. The POM of the spring ldap module is available http://repo1.maven.org/maven2/org/springframework/ldap/spring-ldap/1.2/spring-ldap-1.2.pom";
 rel="nofollow">here.
+
+You can add the dependency to spring ldap module to the Fediz STS POM, add 
the above configuration and rebuild the STS component or do the configuration 
in the deployed STS directly and add the following JAR files:
+
+lang-2.1.0.jarldapbp-1.0.jarspring-ldap-1.2.jar
+
+
+
 Configure CA 
certificates
 
 tbd
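Review bot: The added JAR list "lang-2.1.0.jar", "ldapbp-1.0.jar", "spring-ldap-1.2.jar" gives bare file names with no Maven coordinates, so a reader copying JARs by hand into the deployed STS cannot tell which artifacts are meant or verify them. List groupId:artifactId:version for each entry and recommend the POM-dependency route first. The POM link is also plain http://repo1.maven.org and would be better served over https.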




svn commit: r825144 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-cors.html

2012-07-09 Thread buildbot
Author: buildbot
Date: Mon Jul  9 16:47:47 2012
New Revision: 825144

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-cors.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-cors.html
==
--- websites/production/cxf/content/docs/jax-rs-cors.html (original)
+++ websites/production/cxf/content/docs/jax-rs-cors.html Mon Jul  9 16:47:47 
2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS CORS
 
 
 
-IntroductionExamples
+IntroductionMaven dependenciesExamples
 
 Introduction
 
@@ -137,6 +137,18 @@ Apache CXF -- JAX-RS CORS
 
 Note that the http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java";>CORS
 filter uses the JAX-RS selection algorithm to ensure that the JAX-RS 
resource method capable of handling the  request does exist.
 
+Maven 
dependencies
+
+
+
+<dependency>
+  <groupId>org.apache.cxf</groupId>
+  <artifactId>cxf-rt-rs-security-cors</artifactId>
+  <version>2.6.1</version>
+</dependency>
+
+
+
 Examples
 
 Here is the test code showing how http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java";>CrossOriginResourceSharing
 annotations can be applied at the resource and individual method levels:
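Review bot: The new "Maven dependencies" snippet hard-codes <version>2.6.1</version>, which will go stale and may not match the CXF release the reader runs. State which release first ships cxf-rt-rs-security-cors and use a placeholder such as ${cxf.version} in the sample.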




svn commit: r825149 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-cors.html

2012-07-09 Thread buildbot
Author: buildbot
Date: Mon Jul  9 17:47:49 2012
New Revision: 825149

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-cors.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-cors.html
==
--- websites/production/cxf/content/docs/jax-rs-cors.html (original)
+++ websites/production/cxf/content/docs/jax-rs-cors.html Mon Jul  9 17:47:49 
2012
@@ -248,7 +248,7 @@ Apache CXF -- JAX-RS CORS
 
 
 <beans>
-<bean id="cors-filter" class="org.apache.cxf.jaxrs.cors.CrossOriginResourceSharingFilter"/>
+<bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter"/>
 
<jaxrs:server id="service" address="/rest">
<jaxrs:serviceBeans>
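Review bot: The corrected class name org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter now agrees with the source path linked from the page's Introduction (rt/rs/security/cors/...), but please check the rest of the page for other uses of the old org.apache.cxf.jaxrs.cors package. A stale class name in a Spring sample fails at context start-up, so every occurrence needs the same fix.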




svn commit: r825243 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html

2012-07-10 Thread buildbot
Author: buildbot
Date: Tue Jul 10 12:47:48 2012
New Revision: 825243

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Tue Jul 10 12:47:48 
2012
@@ -467,7 +467,7 @@ Assuming this configuration is saved in 
 
 If you have a complex application supported by a number of wars deployed 
into different containers, one has to decide whether to have a single 
RequestAssertionConsumerService (RACS) endpoint which IDP will redirect to when 
processing the user authentication requests or have a separate RACS endpoint 
per every web application which all form a bigger application.
 
-For example, assume you have server1, server2 and server3 which all support 
a bigger application. One can have a serverRacs web application which will host 
a RACS endpoint. Next, server1, server2 and server3 SSO filters will all point 
to this standalone RACS endpoint when redirecting the user to IDP and IDP will 
eventually redirect the user to RACS which in turn will redirect the user to 
the original targer URI supported by server or server2 or server3.
+For example, assume you have server1, server2 and server3 which all support 
a bigger application. One can have a serverRacs web application which will host 
a RACS endpoint. Next, server1, server2 and server3 SSO filters will all point 
to this standalone RACS endpoint when redirecting the user to IDP and IDP will 
eventually redirect the user to RACS which in turn will redirect the user to 
the original target URI supported by server or server2 or server3.
 
 In this case, one has to decide how the state between SSO security filters 
protecting the individual servers and RACS will be shared.
 One approach is to setup the Ehcache provider to use http://ehcache.org/documentation/configuration/distributed-cache-configuration";
 rel="nofollow">Terracotta or RMI with the multicast or implement the 
alternative approach not involving Ehcache at all.
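Review bot: The sentence that receives the "targer" to "target" fix still ends "supported by server or server2 or server3"; "server" should be "server1" to match the three servers named at its start. In the context line below, "setup the Ehcache provider" should be "set up".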




svn commit: r825563 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html

2012-07-12 Thread buildbot
Author: buildbot
Date: Thu Jul 12 11:47:52 2012
New Revision: 825563

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-advanced-features.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html
==
--- websites/production/cxf/content/docs/jax-rs-advanced-features.html 
(original)
+++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Thu Jul 
12 11:47:52 2012
@@ -124,7 +124,7 @@ Apache CXF -- JAX-RS Advanced Features
 JAX-RS : Advanced Features
 
 
-JMS 
SupportEndpointsClientFIQL search 
queriesIntroductionDependencies and 
ConfigurationConsuming FIQL 
queriesConverting FIQL 
queriesSQLJPA 2.0Custom visitorshref="#JAX-RSAdvancedFeatures-SearchBean">SearchBeanshape="rect" href="#JAX-RSAdvancedFeatures-BuildingFIQLqueries">Building FIQL 
 >querieshref="#JAX-RSAdvancedFeatures-Usingdatesinqueries">Using dates in 
 >querieshref="#JAX-RSAdvancedFeatures-Onewayinvocations">Oneway 
 >invocationshref="#JAX-RSAdvancedFeatures-SupportforContinuations">Support for 
 >Continuationshref="#JAX-RSAdvancedFeatures-Serversidecaching">Server-side 
 >cachinghref="#JAX-RSAdvancedFeatures-RESTfulserviceswithoutannotations">RESTful 
 >services without annotationshref="#JAX-RSAdvancedFeatures-Configuration">Configuration
+JMS 
SupportEndpointsClientFIQL search 
queriesIntroductionDependencies and 
ConfigurationConsuming FIQL 
queriesConverting FIQL 
queriesSQLJPA 2.0Custom visitorshref="#JAX-RSAdvancedFeatures-SearchBean">SearchBeanshape="rect" 
 >href="#JAX-RSAdvancedFeatures-SearchExpressionsinURIPathsegments">Search 
 >Expressions in URI Path segmentshref="#JAX-RSAdvancedFeatures-Queriesinvolvingmultipleentities">Queries 
 >involving multiple entitieshref="#JAX-RSAdvancedFeatures-Basicqueries">Basic queriesshape="rect" href="#JAX-RSAdvancedFeatures-Complexqueries">Complex 
 >querieshref="#JAX-RSAdvancedFeatures-BuildingFIQLqueries">Building FIQL 
 >querieshref="#JAX-RSAdvancedFeatures-Usingdatesinqueries">Using dates in 
 >querieshref="#JAX-RSAdvancedFeatures-Alternativequerylanguages">Alternative query 
 >languageshref="#JAX-RSAdvancedFeatures-Onewayinvocations">Oneway 
 >invocationsSupport for 
ContinuationsServer-side 
cachingRESTful 
services without annotationsConfiguration
 
 JMS 
Support
 
@@ -406,6 +406,173 @@ assertEquals("SELECT LEVEL_COLUMN FROM t
 
 
 
+Search 
Expressions in URI Path segments
+
+By default, a FIQL expression is expected to be available in either '_s' or 
'_search' query.
+For example, "find all the books with an 'id' property value less than 
123":
+
+
+GET /books?_s=id=lt=123
+
+
+
+Starting from CXF 2.6.2, it is possible to work with FIQL expressions 
included in URI path segments, for example, the same query can be expressed
+in a number of ways:
+
+
+
+
+GET /books/id=lt=123
+GET /books[id=lt=123]
+GET /books(id=lt=123)
+GET /books;id=lt=123
+
+//etc, etc
+
+
+
+
+Such expressions can be captured in the code using JAX-RS annotations:
+
+
+@Path("search")
+public class BooksResource {
+   @Context
+   private SearchContext context;
+
+   //GET /books[id=lt=123]
+   @GET
+   @Path("books[{search}]") 
+   public List<Book> 
findSelectedBooks(@PathParam("search") String searchExpression) {
+   return 
doFindSelectedBooks(searchExpression);
+   }
+
+   //GET /books(id=lt=123)
+   @GET
+   @Path("books({search})") 
+   public List<Book> 
findSelectedBooks(@PathParam("search") String searchExpression) {
+   return 
doFindSelectedBooks(searchExpression);
+   }
+
+   //GET /books/id=lt=123
+   @GET
+   @Path("books/{search}") 
+   public List<Book> 
findSelectedBooks(@PathParam("search") String searchExpression) {
+   return 
doFindSelectedBooks(searchExpression);
+   }
+
+   //GET /books;id=lt=123
+   @GET
+   @Path("books;{search}") 
+   public List<Book> 
findSelectedBooks(@PathParam("search") String searchExpression) {
+   return 
doFindSelectedBooks(searchExpression);
+   }
+
+   public List<Book> 
doFindSelectedBooks(String searchExpression) {
+   SearchCondition<Book> sc = context.getCondition(searchExpression, 
Book.class);
+   
+   // JPA2 enity manager is initialized earlier
+   JPATypedQuery<Book> visit
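Review bot: BooksResource as written does not compile, because it declares four methods named findSelectedBooks with the same (String) parameter list. Give each variant a distinct method name or show the four @Path styles as separate snippets. The class is also annotated @Path("search"), so the request comments should read GET /search/books[id=lt=123] and so on, and "enity manager" should be "entity manager".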

svn commit: r825571 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-advanced-features.html

2012-07-12 Thread buildbot
Author: buildbot
Date: Thu Jul 12 12:47:52 2012
New Revision: 825571

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-advanced-features.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-advanced-features.html
==
--- websites/production/cxf/content/docs/jax-rs-advanced-features.html 
(original)
+++ websites/production/cxf/content/docs/jax-rs-advanced-features.html Thu Jul 
12 12:47:52 2012
@@ -572,7 +572,7 @@ such as "find all the chapters with id l
 
  
 
-The above code can be quite functional but not necessarilry optimal. Much 
depends on the actual relationship between the endities, whether the initial 
(JPA2) query eagerly loaded all the chapters for every given book, etc. Perhaps 
a JOIN-like query which will immediately return only the matching chapters will 
be more optimal. Support for capturing the expressions involving multiple 
entities and possibly converting them to JOIN statements will be investigated 
shortly.
+The above code can be quite functional but not be optimal. Much depends on 
the actual relationship between the entities, whether the initial (JPA2) query 
eagerly loaded all the chapters for every given book or not, etc. Perhaps a 
JOIN-like query which will immediately return only the matching chapters will 
be more optimal. Support for capturing the expressions involving multiple 
entities and possibly converting them to JOIN statements will be investigated 
shortly.
 
 
 Building FIQL queries
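Review bot: The rewritten opening, "The above code can be quite functional but not be optimal", is still ungrammatical; "but may not be optimal" reads correctly. "will be more optimal" later in the same paragraph could simply be "will be more efficient".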




svn commit: r825586 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html

2012-07-12 Thread buildbot
Author: buildbot
Date: Thu Jul 12 16:47:48 2012
New Revision: 825586

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache

websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
==
--- 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 (original)
+++ 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 Thu Jul 12 16:47:48 2012
@@ -319,6 +319,8 @@ http.setClient(httpClientPolicy);
 
 The first thing to notice is the "name" attribute on <http:conduit>. 
This allows CXF to associate this HTTP Conduit configuration with a particular 
WSDL Port. The name includes the service's namespace, the WSDL port name (as 
found in the wsdl:service section of the WSDL), and ".http-conduit". It follows 
this template: "{WSDL Namespace}portName.http-conduit".   Note:  it's the PORT 
name, not the service name.   Thus, it's likely something like "MyServicePort", 
not "MyService".   If you are having trouble getting the template to work, 
another (temporary) option for the name value is simply "*.http-conduit". 
 
+If you are creating the Service with wsdl location like "https://xxx?wsdl";, 
you can configure the http conduit to pick up right SSL configuration as we 
just show you. The http conduit name is "{http://cxf.apache.org";>http://cxf.apache.org\}TransportURIResolver.http-conduit".
 
+
 Another option for the name attribute is a reg-ex expression for the 
ORIGINAL URL of the endpoint.   The configuration is matched at conduit 
creation so the address used in the WSDL or used for the JAX-WS 
Service.create(...) call can be used for the name.   For example, you can 
do:
 
 
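Review bot: The conduit name in the added paragraph contains a stray backslash before the closing brace, "...cxf.apache.org\}TransportURIResolver.http-conduit". A reader who copies it verbatim gets a name that will not match, so the SSL configuration is not applied to the WSDL fetch. Remove the backslash, and reword "pick up right SSL configuration as we just show you" to "pick up the SSL configuration shown above". The added line also ends in a trailing space.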
@@ -597,7 +599,6 @@ Language tags are regulated by the Inter
 
 
 If you are getting strange errors (generally not soap faults, but other 
HTTP type errors) when trying to interact with a service, try turning off 
chunking to see if that helps.
-
 






svn commit: r825997 - in /websites/production/cxf/content: cache/main.pageCache fediz.html

2012-07-16 Thread buildbot
Author: buildbot
Date: Mon Jul 16 13:47:49 2012
New Revision: 825997

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz.html
==
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Mon Jul 16 13:47:49 2012
@@ -193,7 +193,7 @@ The RP is a web application that needs t
 
 The examples directory contains two sample relying party applications.  
They are independent of each other, so it is not necessary to deploy both at 
once.
 
-Each sample is described in the README.txt
+Each sample is described in a README.txt file located in the base 
directory of each sample.
 
 
  Sample  Description  simpleWebapp  a simple web application which is protected by the Fediz 
IDP. The FederationServlet illustrates how to get security information using 
the standard APIs.  wsclientWebapp  a protected web application that calls a web service that 
uses the Fediz STS to validate credentials. Here, the same STS is used for 
token issuance (indirectly, by the web application through use of the Fediz 
IDP) and validation.  The FederationServlet illustrates how to securely call a 
web service. 
@@ -204,21 +204,11 @@ The RP is a web application that needs t
 
 Check out the code from here:
 svn
-svn co http://svn.apache.org/repos/asf/cxf/fediz/trunk";>http://svn.apache.org/repos/asf/cxf/fediz/trunkgit
+svn co https://svn.apache.org/repos/asf/cxf/fediz/trunk";>https://svn.apache.org/repos/asf/cxf/fediz/trunkgit
 git clone -v git://git.apache.org/cxf-fediz.git
 
 
-
-Building with Maven
-
-To build and run the tests use the following command:
-
-
-mvn clean install
-
-
-
-Note: you need to use Maven 2.0.9 or newer and have the following 
environment variable set: MAVEN_OPTS=-Xmx512m
+Then follow the http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup";>BUILDING.txt
 file in the Fediz download for full build instructions.
 
 Setting up 
Eclipse:
 
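Review bot: The svn checkout URL moves to https, but the git line in the same block still reads "git clone -v git://git.apache.org/cxf-fediz.git" and the new BUILDING.txt link is http://svn.apache.org/viewvc/...; both are unauthenticated transports for source code and build instructions. Use https for the link and offer an https clone URL if one is available. Since the "Building with Maven" section is removed, confirm that BUILDING.txt carries the Maven 2.0.9 and MAVEN_OPTS=-Xmx512m requirements.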




svn commit: r826005 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html

2012-07-16 Thread buildbot
Author: buildbot
Date: Mon Jul 16 15:47:54 2012
New Revision: 826005

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Mon Jul 16 15:47:54 2012
@@ -146,20 +146,29 @@ Apache CXF -- Fediz IDP
 
 The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to 
work with any commercial JEE application server.
 
-Deploy the WAR files to your Tomcat installation 
(<catalina.home>/webapps).  Once done, you should be able to see the 
Fediz STS from a browser at http://localhost:9080/fedizidpsts/STSService?wsdl"; 
rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl, assuming 
you're using port 9080 as listed below.
+It's recommended to set up a dedicated (separate) Tomcat instance for the 
IDP compared to the one hosting the RP (relying party) applications.   Using 
one deployment of Tomcat with multiple CATALINA_BASE instances, as described http://www.shaunabram.com/multiple-tomcat-instances/"; 
rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib 
folder will be shared throughout each of the activated CATALINA_BASE instances. 
 Another probably simpler alternative is to copy your Tomcat folder into a 
second location and edit its conf/server.xml file and change http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html";
 rel="nofollow">these port values so they don't conflict with the original 
Tomcat installation.  
 
-A Relying Party application trusts the IDP/STS component that the IDP 
authenticated the browser user. The trust is established based on the 
certificate/private key used by the STS to sign the SAML token. The signing 
certificate is located in 
webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks. You must copy this 
keystore to a location where the Relying Party can reference it in its Fediz 
Configuration in the element certificateStores.
-
-This keystore contains the private key as well. In a production 
environment, you must not deploy the private key of the STS to the Relying 
Party
+To start and stop this second Tomcat instance, it is perhaps easiest to 
create small startup.sh and shutdown.sh scripts that temporarily redefine 
$CATALINA_HOME from the first to the second instance, for example:
 
+
+
+CATALINA_HOME=/path/to/second/tomcat
+$CATALINA_HOME/bin/startup.sh
+
+
 
-Configuration
+and
 
-You can manage the users, their claims and the claims per application in 
the IDP.
+
+
+CATALINA_HOME=/path/to/second/tomcat
+$CATALINA_HOME/bin/shutdown.sh
+
+
 
-HTTPS 
configuration
+If you're using the one Tomcat with multiple instance option, it's 
$CATALINA_BASE that will need to be redefined.
 
-It's recommended to set up a dedicated (separate) Tomcat instance for the 
IDP.   Using one deployment of Tomcat with multiple CATALINA_BASE instances, as 
described http://www.shaunabram.com/multiple-tomcat-instances/"; 
rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib 
folder will be shared throughout each of the activated CATALINA_BASE instances. 
 Another probably simpler alternative is to copy your Tomcat folder into a 
second location and edit its conf/server.xml file and change http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html";
 rel="nofollow">these port values so they don't conflict with the original 
Tomcat installation.  The Fediz examples use the following TCP ports to 
interact with the IDP/STS:
+The Fediz examples use the following TCP ports for the IDP/STS:
 
 HTTP port: 9080 (used for Maven deployment, mvn 
tomcat:redeploy)HTTPS port: 9443 (where IDP and STS are 
accessed)
 
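Review bot: The removed paragraphs ("The signing certificate is located in webapps/fediz-idp-sts/WEB-INF/classes/stsstore.jks" and "In a production environment, you must not deploy the private key of the STS to the Relying Party") have no replacement among the added lines of this hunk, so the page no longer tells readers that the sample STS keystore also contains the private key. Keep that caution next to the new setup text, or link to where it now lives. In the startup.sh and shutdown.sh examples, say that /path/to/second/tomcat is a placeholder.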
@@ -172,34 +181,22 @@ Apache CXF -- Fediz IDP
 
 <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
-   keystoreFile="tomcatKeystore.jks"
+   keystoreFile="tomcat-idp.jks"
keystorePass="tompass" 
sslProtocol="TLS" />
 
 
 
 The keystoreFile is relative to $CATALINA_HOME. See http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html";>here for the 
Tomcat 7 configuration reference. This page also describes how to create 
certificates.
 
-Production: It's highly recommended to depl
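Review bot: The context line after the connector still says the keystoreFile is relative to $CATALINA_HOME, while the previous hunk of this commit recommends the multiple-CATALINA_BASE layout as one option. Say which directory tomcat-idp.jks must be placed in for that layout (Tomcat resolves a relative keystoreFile against $CATALINA_BASE). keystorePass="tompass" should also be labelled as a sample value to change.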

svn commit: r826277 - in /websites/production/cxf/content: cache/main.pageCache fediz-tomcat.html

2012-07-18 Thread buildbot
Author: buildbot
Date: Thu Jul 19 03:48:53 2012
New Revision: 826277

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-tomcat.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-tomcat.html
==
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Thu Jul 19 03:48:53 2012
@@ -187,7 +187,7 @@ add the previously created directory to 
 A Valve can be configured on different levels like Host or 
Context. The Fediz configuration file allows to configure all servlet 
contexts in one file or choosing one file per Servlet Context. If you choose to 
have one Fediz configuration file per Servlet Context then you must configure 
the FederationAuthenticator on the Context level otherwise on the 
Host level in the Tomcat configuration file server.xml
 
 
-You can either configure the context in the server.xml or in 
META-INF/context.xml as part of your WAR file.
+You can either configure the context in the server.xml or in 
META-INF/context.xml as part of your WAR file.  (The sample RP applications 
bundled with Fediz already have this configured via the latter option.)
 
 META-INF/context.xml
 




svn commit: r826334 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth.html docs/jax-rs-oauth2.html

2012-07-19 Thread buildbot
Author: buildbot
Date: Thu Jul 19 16:47:50 2012
New Revision: 826334

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth.html
websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth.html
==
--- websites/production/cxf/content/docs/jax-rs-oauth.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth.html Thu Jul 19 16:47:50 
2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth
 
 
 
-IntroductionMaven dependenciesDeveloping OAuth 1.0 
ServersRequestTokenServiceAuthorizationRequestServiceAccessTokenServiceWriting 
OAuthDataProviderOAuth Server JAX-RS 
endpointsProtecting resources 
with OAuth filtersHow to get the user login 
name<
 a shape="rect" href="#JAX-RSOAuth-Clientsidesupport">Client-side 
support2-leg 
OAuth FlowClient requests 
PreAuthorized RequestTokenSignature with Consumer 
Key and SecretOnly Consumer 
Key and Secret in Authorization headerOAuth Without a BrowserDesign 
considerationsControlling the Access 
to Resource ServerSharing 
th
 e same access path between end users and consumersProviding
 different access points to end users and consumersSingle Sign 
OnWhat Is 
Next
+IntroductionMaven dependenciesDeveloping OAuth 1.0 
ServersRequestTokenServiceAuthorizationRequestServiceOOB 
callbacksAccessTokenServiceWriting 
OAuthDataProviderOAuth Server JAX-RS 
endpointsProtecting resources 
with OAuth filtersHow to get the user login 
nameClient-side support2-leg OAuth 
FlowClient requests 
PreAuthorized RequestTokenSignature with Consumer 
Key and SecretOnly Consumer 
Key and Secret in Authorization headerOAuth Without a BrowserReporting the error 
detailsDesign 
considerationsControlling the Access to Resource 
ServerSharing 
the same access path between end users and consumersProviding
 different access points to end users and consumersSingle Sign 
OnWhat Is 
Next
 
 Introduction
 
@@ -354,6 +354,38 @@ Referer=[http:Assuming the decision was "allow", the consumer has now received back the 
request token and its verifier and is ready to exchange this pair for an access 
token.
 
+OOB callbacks
+
+The OAuth 1.0 mentions so called "oob" (out-of-band) callbacks. If the 
third-party client is not running as a web application or if it is known it can 
not receive the redirect response from AuthorizationRequestService for whatever 
reasons, then a callback URI can be set to "oob", when a request token is 
+requested:  
+
+
+
+Address: http://localhost:8080/services/oauth/initiate
+Encoding: ISO-8859-1
+Http-Method: POST
+Content-Type: */*
+Headers: {
+Accept=[application/x-www-form-urlencoded], 
+
+Content-Length=[0],
+
+Authorization=[OAuth oauth_callback="oob", 
+ oauth_nonce="e365fa02-772e-4e33-900d-00a766ccadf8", 
+ oauth_consumer_key="123456789", 
+ oauth_signature_method="HMAC-SHA1", 
+ oauth_timestamp="1320748683", 
+ oauth_version="1.0", 
+ oauth_signature="ztTQuqaJS7L6dNQwn%2Fqi1MdaqQQ%3D"] 
+}
+
+
+
+RequestTokenService will only accept the "oob" value if a client 
callbackURI property has been set to "oob" during the client application 
registration process. Specifically, RequestTokenService will expect that a http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";>Client
 bean will have its callbackURI property being set to "oob".
+
+When a callback URI is set to "oob", it means that a user decision response 
needs to be presented directly to the current user - which will then make the 
request token and verifier info somehow available to the client application. In 
case of "oob", AuthorizationRequestService, instead of redirecting the user 
back to the callback URI as shown earlier on, will simply return an instance of 
http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java";>OOBAuthorizationResponse.
 RequestDispatcherProvider will need to be used for redirecting this data to 
the view handler exactly how it is done when a user is asked to authorize the 
client application, with the view handler formatting the data and actually 
returning it to the user 
+
+
 AccessTokenService 
 
 The role of AccessTokenService is to exchange an authorize
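Review bot: The last added paragraph says the user will make the request token and verifier "somehow available to the client application" and then stops without a full stop after "returning it to the user". Spell out what the view has to display from OOBAuthorizationResponse and what the client does with the values the user hands over. The two sentences about the Client callbackURI property being set to "oob" say the same thing and can be merged.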

svn commit: r826378 - in /websites/production/cxf/content: cache/docs.pageCache docs/maven-cxf-codegen-plugin-wsdl-to-java.html

2012-07-19 Thread buildbot
Author: buildbot
Date: Thu Jul 19 20:47:49 2012
New Revision: 826378

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache

websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: 
websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html
==
--- 
websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html 
(original)
+++ 
websites/production/cxf/content/docs/maven-cxf-codegen-plugin-wsdl-to-java.html 
Thu Jul 19 20:47:49 2012
@@ -328,7 +328,16 @@ Apache CXF -- Maven cxf-codegen-plugin (
 </dependencies>
 </plugin>
 
-
+
+
+Other
 configuration options
+
+The cxf-codegen-plugin has some additional configuration options that may 
be useful:
+
+<fork>false/always/once</fork> Forks a separate JVM for the code 
generation <additionalJvmArgs>  Additional JVM args set on the forked process 
if fork is not false <encoding>UTF-8</encoding> (new in 2.6.1, requires configuring plugin to 
use very latest JAXB 2.2 impl jars)
+
+
+


  
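Review bot: The three options are run together with no separators, and <additionalJvmArgs> is shown without a value or closing tag, unlike <fork> and <encoding>. Put each option in its own list item with a sample value, and replace "very latest JAXB 2.2 impl jars" with the minimum version that is required.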




svn commit: r826509 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html

2012-07-20 Thread buildbot
Author: buildbot
Date: Fri Jul 20 21:47:47 2012
New Revision: 826509

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Fri Jul 20 21:47:47 2012
@@ -188,11 +188,12 @@ $CATALINA_HOME/bin/shutdown.sh
 
 The keystoreFile is relative to $CATALINA_HOME. See http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html";>here for the 
Tomcat 7 configuration reference. This page also describes how to create 
certificates.
 
-Once you deploy the IDP WAR files to your Tomcat installation 
(<catalina.home>/webapps), you should be able to see the Fediz STS from a 
browser at http://localhost:9080/fedizidpsts/STSService?wsdl"; 
rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl, assuming 
you're using port 9080 as listed above.
-
 To establish trust, there are significant keystore/truststore requirements 
between the Tomcat instances and the various web applications (IDP, STS, 
Relying party applications, third party web services, etc.)  See http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co";>this
 page for more details, it lists the trust requirements as well as sample 
scripts for creating your own (self-signed) keys.
 
-Warning:  The sample keystores provided in the WAR files are for 
development/prototyping use ONLY.  They'll need to be replaced for production 
use, at a minimum with your own self-signed keys but strongly recommended to 
use third-party signed keys.
+Warning:  All sample keystores provided with Fediz (including in the WAR 
files for its services and examples) are for development/prototyping use ONLY.  
They'll need to be replaced for production use, at a minimum with your own 
self-signed keys but strongly recommended to use third-party signed 
keys.
+
+Once you deploy the IDP WAR files to your Tomcat installation 
(<catalina.home>/webapps), you should be able to see the Fediz STS from a 
browser at http://localhost:9080/fedizidpsts/STSService?wsdl"; 
rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl, assuming 
you're using port 9080 as listed above.
+
 
 Configuration
 
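Review bot: The reworded warning says the sample keystores are for development/prototyping only, but not why. Add one sentence saying that the private keys in these keystores are distributed with Fediz, so a deployment that keeps them cannot rely on the signatures and TLS identities they back. "but strongly recommended to use third-party signed keys" also needs a subject, for example "but we strongly recommend third-party signed keys".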




buildbot failure in ASF Buildbot on cxf-site-production

2012-07-24 Thread buildbot
The Buildbot has detected a new failure on builder cxf-site-production while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/cxf-site-production/builds/3371

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

BUILD FAILED: failed compile

sincerely,
 -The Buildbot





buildbot success in ASF Buildbot on cxf-site-production

2012-07-24 Thread buildbot
The Buildbot has detected a restored build on builder cxf-site-production while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/cxf-site-production/builds/3372

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

Build succeeded!

sincerely,
 -The Buildbot





svn commit: r827548 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html

2012-07-31 Thread buildbot
Author: buildbot
Date: Tue Jul 31 21:47:52 2012
New Revision: 827548

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/27-migration-guide.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/27-migration-guide.html
==
--- websites/production/cxf/content/docs/27-migration-guide.html (original)
+++ websites/production/cxf/content/docs/27-migration-guide.html Tue Jul 31 
21:47:52 2012
@@ -123,8 +123,6 @@ Apache CXF -- 2.7 Migration Guide

 New Features
 
-
-
 API Changes
 
 The HTTPConduit class has been made abstract with the 
HttpURLConnection related code moving to an URLConnectionHTTPConduit.   Several 
method calls of the HTTPConduit that used to take HttpURLConnection objects 
have been eliminated.  Also, most methods taking a URL object now take a URI 
object instead.   The HTTPConduit.WrappedOutputStream class is also now 
abstract.   If you have custom subclasses of HTTPConduit, changing them to 
subclass URLConnectionHTTPConduit will likely work.
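Review bot: With the two blank lines removed, the "New Features" heading is followed directly by "API Changes" and has no content. Either list the features or drop the heading until there is something to put under it.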




svn commit: r827598 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-deployment.html

2012-08-01 Thread buildbot
Author: buildbot
Date: Wed Aug  1 10:47:24 2012
New Revision: 827598

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-deployment.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-deployment.html
==
--- websites/production/cxf/content/docs/jax-rs-deployment.html (original)
+++ websites/production/cxf/content/docs/jax-rs-deployment.html Wed Aug  1 
10:47:24 2012
@@ -136,8 +136,10 @@ Apache CXF -- JAX-RS Deployment
 1. Make sure a cxf-rt-transport-http-jetty dependency is excluded during 
the war build
 2. If a custom JAX-RS http://jsr311.java.net/nonav/releases/1.1/index.html"; 
rel="nofollow">Application is included then
 use a http://cxf.apache.org/docs/jaxrs-services-configuration.html#JAXRSServicesConfiguration-ConfiguringJAXRSservicesincontainerwithoutSpring";>CXFNonSpringJaxrsServlet
 to reference the Application implementation class and either 
- 2.1 Disable the Jersey scanning the custom web applications (TODO: specify 
how this actually can be done) or 
- 2.2 Remove jersey-gf-server.jar from $GLASSFISH_HOME/glassfish/modules
+ 2.1 Disable the Jersey scanning the custom web applications. Setting the 
following system property may help:
+ 
"-Dcom.sun.enterprise.overrideablejavaxpackages=javax.ws.rs,javax.ws.rs.core,javax.ws.rs.ext"
+
+ 2.2 Remove jersey-gf-server.jar from $GLASSFISH_HOME/glassfish/modules
 
 JBoss
 
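Review bot: The context line ends with "and either", but the new 2.1 text drops the trailing "or" that the old line had, so 2.1 and 2.2 no longer read as alternatives. Restore the "or", say where the system property is set for GlassFish, and show it without the surrounding double quotes unless they are part of the value. "may help" should also say whether the setting has been verified.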




svn commit: r827603 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html docs/index.html docs/jaxrs-kerberos.html docs/security.html

2012-08-01 Thread buildbot
Author: buildbot
Date: Wed Aug  1 12:47:28 2012
New Revision: 827603

Log:
Production update by buildbot for cxf

Added:
websites/production/cxf/content/docs/jaxrs-kerberos.html
Modified:
websites/production/cxf/content/cache/docs.pageCache

websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
websites/production/cxf/content/docs/index.html
websites/production/cxf/content/docs/security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
==
--- 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 (original)
+++ 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 Wed Aug  1 12:47:28 2012
@@ -122,7 +122,7 @@ Apache CXF -- Client HTTP Transport (inc


 
-AuthenticationBasic 
AuthenticationDigest
 AuthenticationSupplying
 dynamic authorizationSpnego
 Authentication (Kerberos)NTLM 
AuthenticationConfiguring
 SSL SupportAdvanced ConfigurationUsing 
ConfigurationNamespaceThe
 conduit elementThe
 client elementExample
 using the Client ElementThe
 tlsClientParameters elementUsing WSDL<
 /a>NamespaceThe
 client elementExampleUsing java 
codeHow
 to configure the HTTPConduit for the SOAP Client?How
 to override the service address ?Client
 Cache Control DirectivesA Note About 
Chunking
+AuthenticationBasic 
AuthenticationDigest
 AuthenticationSupplying
 dynamic authorizationSpnego
 Authentication (Kerberos)Credential
 DelegationNTLM 
AuthenticationConfiguring SSL SupportAdvanced
 ConfigurationUsing 
ConfigurationNamespaceThe
 conduit elementThe
 client elementExample
 using the Client ElementThe
 tlsClie
 ntParameters elementUsing 
WSDLNamespaceThe
 client elementExampleUsing java 
codeHow
 to configure the HTTPConduit for the SOAP Client?How
 to override the service address ?Client Cache Control 
DirectivesA Note 
About Chunking
 
 Authentication
 
@@ -218,6 +218,29 @@ CXFClient {
 
 
 
+Credential
 Delegation
+
+Please set an "auth.spnego.requireCredDelegation" property to "true" if you 
need to enable the credential delegation. Note that setting this property will 
let the receiving service implement the credential delegation.
+
+If the Kerberos credential is already available in the service request 
context then one can make this credential available to Spnego/Kerberos 
authentication handler by setting it on the current CXF message, using an 
'org.ietf.jgss.GSSCredential' key. 
+
+This can be done before a client invocation is made, by setting a client 
request context property, or by extending 
'org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier'. Please see 
this http://cxf.547215.n5.nabble.com/Kerberos-authentication-using-delegation-from-Principal-Ticket-td5711202.html";
 rel="nofollow">thread for more information on the latter option.
+
+Note in the case of reusing the existing credential, the policy 
configuration does not need to reference a login module name:
+
+HTTP conduit configuration 
for spnego with single sign on
+
+ ...
+ <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit";
+   xmlns="http://cxf.apache.org/transports/http/configuration";>
+   <authorization>
+  <AuthorizationType>Negotiate</AuthorizationType>
+   </authorization>
+ </conduit>
+ ...
+
+
+
 
 NTLM 
Authentication
 
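Review bot: The first added paragraph names "auth.spnego.requireCredDelegation" without saying where the property is set, and "will let the receiving service implement the credential delegation" understates the effect. State that the service receives a credential it can use to act as the caller, so the property should only be enabled towards services that are trusted to that degree.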

Modified: websites/production/cxf/content/docs/index.html
==
--- websites/production/cxf/content/docs/index.html (original)
+++ websites/production/cxf/content/docs/index.html Wed Aug  1 12:47:28 2012
@@ -147,7 +147,7 @@ Apache CXF -- Index
 
 
 
-OverviewWhy CXF?How do I integrate my application with 
CXF — A meta guide to integrating your 
application with CXF - including Bindings, Transports, Interceptors, 
etcHow do I develop a service? — 
A meta guide to your options with CXFHow do I develop a client? — A meta 
guide to your options with CXFHow-TosWriting a service with SpringA simple 
JAX-WS serviceRunning a service in Tomcat on zOSJax-WS Java First with jms TransportDefining Contract first webservices with wsdl generation from 
javaMigration GuidesSample Projects<
 /li>FrontendsAnnotationsDynamic 
ClientsJAX-WSDeveloping a 
ConsumerDeveloping a ServiceJAX-WS 
ConfigurationJAX-WS Dispatch APIProvider 
ServicesWebserviceContextSimpleSimple FrontendSimple Frontend ConfigurationDataBindingsAegis (2.1) — For CXF 2.1 or newerAegis 
Databinding (2.0.x) — For CXF up to 
2.0.xJAXBMTOM 
Attachments with JAXBSDOtitle="XMLBeans">X

svn commit: r827609 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html

2012-08-01 Thread buildbot
Author: buildbot
Date: Wed Aug  1 13:47:27 2012
New Revision: 827609

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-kerberos.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug  1 
13:47:27 2012
@@ -124,20 +124,66 @@ Apache CXF -- JAXRS Kerberos
  
JAX-RS Kerberos Support 
 
 
-IntroductionClient 
configurationHTTPConduitInterceptorServer 
configuration
+IntroductionKerberosHTTP Negotiate schemeGSS APIClient 
configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the 
service principal nameUsing JAAS 
ConfigurationServer configurationCredential 
Delegation
 
 Introduction
+Kerberos
+HTTP 
Negotiate scheme 
+GSS API
 
-Client 
configuration
+Client 
configuration
 
-HTTPConduit
+HTTPConduit
 
 Please see http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29";>this
 page for the information about Spnego/Kerberos HTTPConduit client support. 

 
-Interceptor
+Interceptor
 
+org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor can be used as an 
alternative to configuring HTTPConduit.
 
-Server 
configuration
+KerberosAuthOutInterceptor and the HTTPConduit Spnego handler share the 
same base code. Having HTTPConduit configuration can be enough in many cases
+especially when SSL is also being setup at the conduit level. Using the 
interceptor can be handy when testing as well as when setting few extra 
properties which is not easy to set up at the generic HTTP Conduit 
Authorization Policy level. 
+
+The interceptor properties are explained in the following sub-sections
+
+Authorization 
Policy
+
+As explained on http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29";>this
 page, Authorization Policy typically needs to have its type set to 
"Negotiate" and its "authorization" property set to the name of the JAAS 
context. AuthorizationPolicy is set as a "policy" property on the interceptor, 
example:
+
+
+
+WebClient wc = WebClient.create("http://localhost:" + PORT + "/bookstore/books/123");
+
+KerberosAuthOutInterceptor kbInterceptor = new KerberosAuthOutInterceptor();
+
+AuthorizationPolicy policy = new 
AuthorizationPolicy();
+policy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
+policy.setAuthorization("KerberosClientKeyTab");
+
+kbInterceptor.setPolicy(policy);
+WebClient.getConfig(wc).getOutInterceptors().add(kbInterceptor);
+
+Book b = wc.get(Book.class);
+
+
+
+
+Configuring the 
service principal name
+
+By default, the service principal name is calculated by concatenating 
"HTTP", "/" and the name of the target host, example, when invoking on 
"http://localhost:8080/services";, the service principal name is set to 
"HTTP/localhost".
+
+The "servicePrincipalName" and "realm" properties can be used to customize 
it, example, setting "servicePrincipalName" to "HTTP/www.mycompany.com" and 
realm to "services.org" will result in the 
"HTTP/www.mycompany@services.org" service principal name being used. 
+
+Using JAAS 
Configuration
+
+Both HTTPConduit and interceptor handlers need a 
"java.security.auth.login.config" system property set up. This property needs 
to point to the file containing the configuration of the specific Kerberos 
login module.
+
+Instead of setting this system property and maintaining a configuration 
file, one might want to use an implementation of 
javax.security.auth.login.Configuration and set it on the interceptor as a 
"loginConfig" property.
+
+Server 
configuration
+
+Credential 
Delegation
+


  
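Review bot: In the "Configuring the service principal name" paragraph, the stated result "HTTP/www.mycompany@services.org" is not what the two example values combine to. With "servicePrincipalName" set to "HTTP/www.mycompany.com" and realm set to "services.org", the text should presumably show "HTTP/www.mycompany.com@services.org". The "Server configuration" and "Credential Delegation" headings are also added with no content under them.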




svn commit: r827616 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html docs/ws-securitypolicy.html

2012-08-01 Thread buildbot
Author: buildbot
Date: Wed Aug  1 14:47:27 2012
New Revision: 827616

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-kerberos.html
websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug  1 
14:47:27 2012
@@ -124,7 +124,7 @@ Apache CXF -- JAXRS Kerberos
  
JAX-RS Kerberos Support 
 
 
-IntroductionKerberosHTTP Negotiate schemeGSS APIClient 
configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the 
service principal nameUsing JAAS 
ConfigurationServer configurationCredential 
Delegation
+IntroductionKerberosHTTP Negotiate schemeGSS APIClient 
configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the 
service principal nameUsing JAAS 
ConfigurationServer 
configurationService 
principal name and JAAS ConfigurationCallbackHandlerCredential 
Delegation
 
 Introduction
 Kerberos
@@ -182,7 +182,103 @@ Book b = wc.get(Book.class);
 
 Server 
configuration
 
+org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter can be used to 
protected JAX-RS endpoints and enforce that a Negotiate authentication scheme 
is used by clients, example:
+
+
+
+
+<bean id="kerberosFilter" class="org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter">
+   <property name="loginContextName" value="KerberosServiceKeyTab"/>
+</bean>
+
+<jaxrs:server>
+  <jaxrs:serviceBeans>
+<bean class="org.mycompany.MyCompanyResource"/>
+  </jaxrs:serviceBeans>
+  <jaxrs:providers>
+<ref bean="kerberosFilter">
+  </jaxrs:providers>
+</jaxrs:server>
+
+
+
+KerberosAuthenticationFilter will set a CXF http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/SecurityContext.java";>SecurityContext
 on the current message if the authentication has been successful. This 
SecurityContext will return an instance of 
KerberosAuthenticationFilter$KerberosPrincipal, this Principal will return a 
'simple' and 'kerberos' source principal names, example, given 
"HTTP/localh...@myrealm.com", Principal#getName will return "HTTP/localhost", 
and KerberosPrincipal#getKerberosName will return 
"HTTP/localh...@myrealm.com".
+
+Service 
principal name and JAAS Configuration
+
+Service principal name and JAAS Configuration can be optionally set up the 
same way they can be with KerberosAuthOutInterceptor, using 
'servicePrincipalName' + 'realm' and "loginConfig" properties. 
+
+CallbackHandler
+
+javax.security.auth.callback.CallbackHandler needs to be registered if no 
Kerberos key tabs are used, here is an example of setting it up from Java:
+
+
+
+public class TestResource {
+ public static void main(String[] args) {
+   JAXRSServerFactoryBean sf = new 
JAXRSServerFactoryBean();
+   sf.setResourceClasses(BookStore.class);
+   KerberosAuthenticationFilter filter = new 
KerberosAuthenticationFilter();
+   filter.setLoginContextName("KerberosServer");
+   
+   CallbackHandler handler = 
+ new 
org.apache.cxf.interceptor.security.NamePasswordCallbackHandler("HTTP/localhost", "http"); 
+   filter.setCallbackHandler(handler);
+
+   //filter.setLoginContextName("KerberosServerKeyTab");
+   //filter.setServicePrincipalName("HTTP/ktab");
+   sf.setProvider(filter);
+   sf.setAddress("http://localhost:" + PORT + "/");
+  
+   sf.create();
+ }
+}
+
+ 
+
+
 Credential 
Delegation
+
+Please see this http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-CredentialDelegation";>section
 on the way client-side credential delegation can be both enabled and 
implemented at the HTTP conduit level.
+
+Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the 
endpoints, then the filter will have an  org.ietf.jgss.GSSContext instance 
available in the current CXF SecurityContext, via its 
KerberosAuthenticationFilter$KerberosSecurityContext implementation, which can 
be used to get to  org.ietf.jgss.GSSCredential if the credential delegation is 
supported for a given source principal. The current credential if any can be 
set as a client property next, for example:
+
+
+
+
+import org.ietf.jgss.GSSCredential;
+
+import 
org.apache.cxf.jaxrs.security.KerberosAuthentica

svn commit: r827620 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html

2012-08-01 Thread buildbot
Author: buildbot
Date: Wed Aug  1 15:47:27 2012
New Revision: 827620

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-kerberos.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug  1 
15:47:27 2012
@@ -124,13 +124,37 @@ Apache CXF -- JAXRS Kerberos
  
JAX-RS Kerberos Support 
 
 
-IntroductionKerberosHTTP Negotiate schemeGSS APIClient 
configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the 
service principal nameUsing JAAS 
ConfigurationServer 
configurationService 
principal name and JAAS ConfigurationCallbackHandlerCredential 
Delegation
+IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIClient 
configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the 
service principal nameUsing JAAS Configur
 ationServer 
configurationService 
principal name and JAAS ConfigurationCallbackHandlerCredential 
Delegation
 
 Introduction
-Kerberos
+
+Please see http://www.kerberos.org/software/tutorial.html"; rel="nofollow">MIT 
Kerberos Tutorial for a good introduction to Kerberos.
+The http://msdn.microsoft.com/en-us/library/aa378747%28v=vs.85%29"; 
rel="nofollow">Windows guide is also worth checking.
+
+Setup
+
+Unix
+
+TODO
+
+Windows
+
+Please check the relevant Windows configuration guide such as http://technet.microsoft.com/en-us/library/cc753173%28v=ws.10%29"; 
rel="nofollow">this one.
+
 HTTP 
Negotiate scheme 
+
+'Negotiate' authentication scheme is used to pass Kerberos service tickets 
over HTTP.
+Example:
+
+
+Authorization: Negotiate "the encrypted service 
ticket"
+
+ 
+
 GSS API
 
+Please see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html";
 rel="nofollow">this GSS API tutorial as well as check this http://www.javaactivedirectory.com/"; 
rel="nofollow">blog for a number of GSS API examples.
+
 Client 
configuration
 
 HTTPConduit
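Review bot: In the new "HTTP Negotiate scheme" text, the example `Authorization: Negotiate "the encrypted service ticket"` puts the placeholder in double quotes, which reads as though the header value were a quoted string. The scheme carries the GSS-API token base64-encoded and unquoted, so write the placeholder that way and say so in the sentence above it. The "Unix" subsection also goes to the production site containing only "TODO"; hold the heading back until it has content, or point to an external guide as the Windows subsection does.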




svn commit: r827701 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html

2012-08-02 Thread buildbot
Author: buildbot
Date: Thu Aug  2 09:47:27 2012
New Revision: 827701

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-kerberos.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Thu Aug  2 
09:47:27 2012
@@ -124,12 +124,12 @@ Apache CXF -- JAXRS Kerberos
  
JAX-RS Kerberos Support 
 
 
-IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIClient 
configurationHTTPConduitInterceptorAuthorization PolicyConfiguring the 
service principal nameUsing JAAS Configur
 ationServer 
configurationService 
principal name and JAAS ConfigurationCallbackHandlerCredential 
Delegation
+IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIJAAS Kerberos Module 
ConfigurationClient 
configurationHTTPConduitInterceptorAuthorization PolicyConfiguring th
 e service principal nameUsing JAAS 
ConfigurationServer 
configurationService 
principal name and JAAS ConfigurationCallbackHandlerCredential 
Delegation
 
 Introduction
 
 Please see http://www.kerberos.org/software/tutorial.html"; rel="nofollow">MIT 
Kerberos Tutorial for a good introduction to Kerberos.
-The http://msdn.microsoft.com/en-us/library/aa378747%28v=vs.85%29"; 
rel="nofollow">Windows guide is also worth checking.
+The http://msdn.microsoft.com/en-us/library/aa378747%28v=vs.85%29"; 
rel="nofollow">Windows guide as well as http://en.wikipedia.org/wiki/Kerberos_%28protocol%29"; rel="nofollow">this 
Wikipedia page are also worth checking.
 
 Setup
 
@@ -153,7 +153,11 @@ Authorization: Negotiate GSS API
 
-Please see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html";
 rel="nofollow">this GSS API tutorial as well as check this http://www.javaactivedirectory.com/"; 
rel="nofollow">blog for a number of GSS API examples.
+Please see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html";
 rel="nofollow">this GSS API tutorial as well as check this http://www.javaactivedirectory.com/"; 
rel="nofollow">blog for a number of GSS API examples. Understanding GSS API 
may help when the way CXF Kerberos handlers work needs to be customized or when 
the available GSS credentials created outside of CXF need to be made available 
to CXF (for the credential delegation). 
+
+JAAS Kerberos Module 
Configuration
+
+http://docs.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html";
 rel="nofollow">com.sun.security.auth.module.Krb5LoginModule is typically 
used to login to Kerberos servers.
 
 Client 
configuration
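Review bot: The new "JAAS Kerberos Module Configuration" heading promises configuration, but the section body is a single sentence naming com.sun.security.auth.module.Krb5LoginModule, with no login configuration entry and no list of the options a CXF user would set. Add a short sample entry or rename the heading. The Javadoc link targets javase/6 while the GSS API tutorial link touched in the same hunk targets javase/7; pick one Java version. "used to login" should read "used to log in".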
 




svn commit: r827704 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html

2012-08-02 Thread buildbot
Author: buildbot
Date: Thu Aug  2 10:47:27 2012
New Revision: 827704

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-kerberos.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Thu Aug  2 
10:47:27 2012
@@ -135,7 +135,53 @@ The Unix
 
-TODO
+1. Install the packages
+
+> sudo apt-get install krb5-kdc krb5-admin-server
+
+During the installation enter "localhost" as the host name for Kerberos 
servers (unless you have more specific host names to enter) and set a default 
realm, example, "MYCOMPANY.COM". Follow the 1.2 step from this http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html";
 rel="nofollow">blog entry to get this default realm set up properly.
+
+2. Create principals
+
+From the step 1.3 at http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html";
 rel="nofollow">this blog entry:
+
+2.1 Create master key:
+> sudo kdb5_util create -s
+
+2.2 Create user and service principals
+
+> sudo kadmin.local 
+
+followed by
+
+> addprinc alice
+> addprinc HTTP/localhost
+
+where 'HTTP/localhost' is the typical service principal name used in the 
Negotiate scheme, replace 'localhost' if needed.
+Add more user and service principals too as required.
+
+3 Start KDC
+
+> sudo krb5kdc
+
+4. Create an optional ticket cache
+
+> klist
+
+returns an empty response
+
+> kinit alice
+
+> klist
+
+confirms a TGT for 'alice' is in the cache.
+
+2.4 Create keytabs
+
+When keytabs are available, the principal password does not have to be 
specified in the login configuration.
+Please follow the step 1.4 from http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html";
 rel="nofollow">this blog entry.
+
+Note, creating a keytab actually resets an original principal password, 
example, after creating a keytab for 'alice' one would not be able to use the 
original password (TODO: apparently this can be restored - find out how). Thus, 
if you'd like to experiment with keytabs then you may want to have few user and 
service principals created, with only selected principals using keytabs. 
 
 Windows
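Review bot: The keytab paragraph at the end of the new Unix steps ships an unresolved "(TODO: apparently this can be restored - find out how)" next to the statement that creating a keytab resets the principal's password. Readers following the steps against real principals need that verified before it is published, so resolve the TODO or drop the parenthesis and keep only the confirmed behaviour. The step numbering also needs a pass: "3 Start KDC" lacks the period the other steps have, and "2.4 Create keytabs" comes after step 4 with no 2.3 before it.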
 
@@ -195,6 +241,7 @@ Book b = wc.get(Book.class);
 
 
 
+In this example, the http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg";>KerberosClientKeyTab
 policy is used which links to the available keytab; otherwise 
AuthorizationPolicy 'UserName' and 'Password' properties would most likely have 
to be set too (with the possible exceptions on Windows) 
 
 Configuring the 
service principal name
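Review bot: The added sentence hedges twice, "would most likely have to be set too (with the possible exceptions on Windows)", without saying when UserName and Password are required or what the Windows exception is. State the condition or drop the parenthesis, and end the sentence with a period. The KerberosClientKeyTab link points into svn trunk under systests, so it will break or drift if that test file is moved; quoting the relevant login entry inline would be more durable.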
 
@@ -264,6 +311,7 @@ Book b = wc.get(Book.class);
 
  
 
+In this example, the http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/kerberos.cfg";>KerberosServer
 policy is used.
 
 Credential 
Delegation
 




svn commit: r827795 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html

2012-08-03 Thread buildbot
Author: buildbot
Date: Fri Aug  3 09:47:31 2012
New Revision: 827795

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Fri Aug  3 
09:47:31 2012
@@ -158,22 +158,27 @@ Apache CXF -- WS-SecurityPolicy
 
 
 
-Boolean
 configuration tags, e.g. the value should be "true" or "false".
+Note: for Symmetric bindings that specify a protection token, the 
ws-security-encryption properties are used.
+
+Boolean
 WS-Security configuration tags, e.g. the value should be "true" or 
"false".
 
 
  ws-security.validate.token  Whether to validate the password of a 
received UsernameToken or not. The default is true. ws-security.enableRevocation 
 Whether to enable 
Certificate Revocation List (CRL) checking or not when verifying trust in a 
certificate. The default value is "false". ws-security.username-token.always.encrypted 
 Whether to always 
encrypt UsernameTokens whenever possible. The default is true. ws-security.is-bsp-compliant 
 Whether to ensure 
compliance with the Basic Securit
 y Profile (BSP) 1.1 or not. The default value is "true".  
ws-security.self-sign-saml-assertion  Whether to self-sign a SAML Assertion or not. If this is 
set to true, then an enveloped signature will be generated when the SAML 
Assertion is constructed. The default is false.  ws-security.enable.nonce.cache  Whether to cache UsernameToken 
nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here
 for more information. ws-security.enable.timestamp.cache  Whether to cache Timestamp Created Strings. 
See http://cxf.apache.org/
 
javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE">here
 for more information.
 
 
 
-Other 
properties
+Non-boolean
 WS-Security Configuration parameters
 
 
- ws-security.subject.cert.constraints  This configuration tag is a comma separated 
String of regular expressions which will be applied to the subject DN of the 
certificate used for signature validation, after trust verification of the 
certificate chain associated with the  certificate. These constraints are not 
used when the certificate is contained in the keystore (direct trust). 
 
ws-security.timestamp.futureTimeToLive  This configuration tag specifies the time in seconds in 
the future within which the Created time of an incoming Timestamp is valid. 
WSS4J rejects by default any timestamp which is "Created" in the future, and so 
there could potentially be
- problems in a scenario where a client's clock is slightly askew. The default 
value for this parameter is "0", meaning that no future-created Timestamps are 
allowed. 
+ ws-security.timestamp.timeToLive  The time in seconds after Creation that an 
incoming Timestamp is valid for. The default value is 300 seconds (5 
minutes). 
ws-security.timestamp.futureTimeToLive  The time in seconds in the future within which the 
Created time of an incoming Timestamp is valid. The default value is "60". See 
http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#TIMESTAMP_FUTURE_TTL";>here
 for more information. ws-security.saml-role-attributename  The attribute URI of the SAML 
AttributeStatement where the role information is store
 d. The default is 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";. ws-security.kerberos.client 
 A reference to the 
KerberosClient class used to obtain a service ticket. ws-security.spnego.client.action 
 The SpnegoClientAction 
implementation to use for SPNEGO. This allows the user to plug in a different 
implementation to obtain a service ticket. ws-security.kerberos.jaas.context  The JAAS Context name to use for 
Kerberos. This is currently only supported for SPNEGO. ws-security.kerberos.spn  The Kerberos
  Service Provider Name (spn) to use. This is currently only supported for 
SPNEGO. 
ws-security.nonce.cache.instance  This holds a reference to a ReplayCache instance used to 
cache UsernameToken nonces. The default instance that is used is the 
EHCacheReplayCache. ws-security.timestamp.cache.instance  This holds a reference to a ReplayCache 
instance used to cache Timestamp Created Strings. The default instance that is 
used is the EHCacheReplayCache. ws-security.cache.config.file  Set this property to point to a co
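Review bot: The ws-security.timestamp.futureTimeToLive row changes the documented default from "0" to "60" and at the same time drops the explanation that WSS4J rejects future-dated Created values and that a skewed client clock is the reason to allow some tolerance. Keep one sentence of that rationale, and say whether "60" corrects the earlier text or is a default that changed in a particular CXF version. In the ws-security.kerberos.spn row, "Service Provider Name (spn)" should be "Service Principal Name".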

svn commit: r827803 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html

2012-08-03 Thread buildbot
Author: buildbot
Date: Fri Aug  3 10:47:29 2012
New Revision: 827803

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Fri Aug  3 
10:47:29 2012
@@ -181,6 +181,13 @@ Apache CXF -- WS-SecurityPolicy
 
 
 
+STS Client 
Configuration tags
+
+
+ ws-security.sts.client  A reference to the STSClient class used to communicate 
with the STS. 
ws-security.sts.applies-to  The "AppliesTo" address to send to the STS. The default 
is the endpoint address of the service provider. ws-security.sts.token.usecert  Whether to write out an 
X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue 
structure. The default value is "false". ws-security.sts.token.do.cancel  Whether to cancel a token when 
using SecureConversation a
 fter successful invocation. The default is "false". 
ws-security.cache.issued.token.in.endpoint  Set this to "false" to not cache a SecurityToken per 
proxy object in the IssuedTokenInterceptorProvider. This should be done if a 
token is being retrieved from an STS in an intermediary. The default value is 
"true".  
ws-security.sts.disable-wsmex-call-using-epr-address   Whether to avoid STS client trying send 
WS-MetadataExchange call using STS EPR WSA address when the endpoint contract 
contains no WS-MetadataExchange info. The default value is 
"false". 
ws-security.sts.token.crypto  A Crypto object to be used for the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO";>here
 for more information. ws-security.sts.token.properties  The Crypto property configuration to use for 
the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES";>here
 for more information. ws-security.sts.token.username  The alias name in the keystore to get the 
user's public key to send to the STS for the PublicKey KeyType 
case. 
ws-security.sts.token.act-as  The token to be sent to the STS in an "ActAs" field. See 
http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS";>here
 for more information. ws-security.sts.token.on-behalf-of  The token to be sent to the STS in an 
"OnBehalfOf" field. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF";>here
 for more information.
+
+
+
 Configuring via Spring
 
 The properties are easily configured as client or endpoint properties--use 
the former for the SOAP client, the latter for the web service provider.
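Review bot: In the new STS table, the ws-security.sts.token.usecert description, "Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue structure", does not say which of "true" and "false" selects which structure, so the stated default of "false" tells the reader nothing. Spell out the behaviour for each value.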




svn commit: r827806 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html

2012-08-03 Thread buildbot
Author: buildbot
Date: Fri Aug  3 11:47:25 2012
New Revision: 827806

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxrs-kerberos.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Fri Aug  3 
11:47:25 2012
@@ -124,7 +124,7 @@ Apache CXF -- JAXRS Kerberos
  
JAX-RS Kerberos Support 
 
 
-IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIJAAS Kerberos Module 
ConfigurationClient 
configurationHTTPConduitInterceptorAuthorization PolicyConfiguring th
 e service principal nameUsing JAAS 
ConfigurationServer 
configurationService 
principal name and JAAS ConfigurationCallbackHandlerCredential 
Delegation
+IntroductionSetupUnixWindowsHTTP Negotiate schemeGSS APIJAAS Kerberos Module 
ConfigurationClient 
configurationHTTPConduitInterceptorAuthorization PolicyConfiguring th
 e service principal nameUsing JAAS 
ConfigurationHow to 
avoid setting username and password propertiesServer 
configurationService 
principal name and JAAS ConfigurationCallbackHandlerCredential 
Delegation
 
 Introduction
 
@@ -245,6 +245,8 @@ Book b = wc.get(Book.class);
 
 Configuring the 
service principal name
 
+Service principal identifies a target service.
+
 By default, the service principal name is calculated by concatenating 
"HTTP", "/" and the name of the target host, example, when invoking on 
"http://localhost:8080/services";, the service principal name is set to 
"HTTP/localhost".
 
 The "servicePrincipalName" and "realm" properties can be used to customize 
it, example, setting "servicePrincipalName" to "HTTP/www.mycompany.com" and 
realm to "services.org" will result in the 
"HTTP/www.mycompany@services.org" service principal name being used. 
@@ -255,6 +257,14 @@ Book b = wc.get(Book.class);
 
 Instead of setting this system property and maintaining a configuration 
file, one might want to use an implementation of 
javax.security.auth.login.Configuration and set it on the interceptor as a 
"loginConfig" property.
 
+How to 
avoid setting username and password properties
+
+Typically, one may have to set AuthorizationPolicy UserName and Password 
properties for the Kerberos login module to authenticate the user.
+
+The next option is to create a keytab as noted in the Setup section, which 
will let one to avoid specifying a password property.
+Finally, if the user actually owns the Java process which runs the code then 
no username and password properties have to be provided, assuming the Kerberos 
login configuration has 'useTicketCache' and possibly 'renewTGT' properties set 
to "true" 
+
+
 Server 
configuration
 
 org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter can be used to 
protected JAX-RS endpoints and enforce that a Negotiate authentication scheme 
is used by clients, example:
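Review bot: The new "How to avoid setting username and password properties" section gives its alternatives as running prose ("Typically", "The next option", "Finally"), so it is not obvious that there are three distinct cases; a short list would make that clear. The last case names 'useTicketCache' and 'renewTGT' but shows no login configuration entry containing them, and its sentence ends without a period. "will let one to avoid" should be "will let one avoid".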




svn commit: r827840 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html

2012-08-03 Thread buildbot
Author: buildbot
Date: Fri Aug  3 15:47:25 2012
New Revision: 827840

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Fri Aug  3 
15:47:25 2012
@@ -184,7 +184,7 @@ Apache CXF -- WS-SecurityPolicy
 STS Client 
Configuration tags
 
 
- ws-security.sts.client  A reference to the STSClient class used to communicate 
with the STS. 
ws-security.sts.applies-to  The "AppliesTo" address to send to the STS. The default 
is the endpoint address of the service provider. ws-security.sts.token.usecert  Whether to write out an 
X509Certificate structure in UseKey/KeyInfo, or whether to write out a KeyValue 
structure. The default value is "false". ws-security.sts.token.do.cancel  Whether to cancel a token when 
using SecureConversation a
 fter successful invocation. The default is "false". 
ws-security.cache.issued.token.in.endpoint  Set this to "false" to not cache a SecurityToken per 
proxy object in the IssuedTokenInterceptorProvider. This should be done if a 
token is being retrieved from an STS in an intermediary. The default value is 
"true".  
ws-security.sts.disable-wsmex-call-using-epr-address   Whether to avoid STS client trying send 
WS-MetadataExchange call using STS EPR WSA address when the endpoint contract 
contains no WS-MetadataExchange info. The default value is 
"false". 
ws-security.sts.token.crypto  A Crypto object to be used for the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO";>here
 for more information. ws-security.sts.token.properties  The Crypto property configuration to use for 
the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES";>here
 for more information. ws-security.sts.token.username  The alias name in the keystore to get the 
user's public key to send to the STS for the PublicKey KeyType 
case. 
ws-security.sts.token.act-as  The token to be sent to the STS in an "ActAs" field. See 
http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS";>here
 for more information. ws-security.sts.token.on-behalf-of  The token to be sent to the STS in an 
"OnBehalfOf" field. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ON_BEHALF_OF";>here
 for more information.
+ ws-security.sts.client  A reference to the STSClient class used to communicate 
with the STS. 
ws-security.sts.applies-to  The "AppliesTo" address to send to the STS. The default 
is the endpoint address of the service provider. ws-security.sts.token.usecert  If true, writes out an 
X509Certificate structure in UseKey/KeyInfo.  If false (the default), writes 
out a KeyValue structure instead.  ws-security.sts.token.do.cancel  Whether to cancel a token when using 
SecureConversation after succe
 ssful invocation. The default is "false". ws-security.cache.issued.token.in.endpoint 
 Set this to "false" to 
not cache a SecurityToken per proxy object in the 
IssuedTokenInterceptorProvider. This should be done if a token is being 
retrieved from an STS in an intermediary. The default value is "true". 
 
ws-security.sts.disable-wsmex-call-using-epr-address   Whether to avoid STS client trying send 
WS-MetadataExchange call using STS EPR WSA address when the endpoint contract 
contains no WS-MetadataExchange info. The default value is 
"false". 
ws-security.sts.token.crypto  A Crypto object to be used for the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_CRYPTO";>here
 for more information. ws-security.sts.token.properties  The Crypto property configuration to use for 
the STS. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_PROPERTIES";>here
 for more information. ws-security.sts.token.username  The alias name in the keystore to get the 
user's public key to send to the STS for the PublicKey KeyType 
case. 
ws-security.sts.token.act-as  The token to be sent to the STS in an "ActAs" field. See 
http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#STS_TOKEN_ACT_AS";>here
 f
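Review bot: While this row is being rewritten, the ws-security.sts.disable-wsmex-call-using-epr-address description is carried over unchanged as "Whether to avoid STS client trying send WS-MetadataExchange call using STS EPR WSA address", which is missing words and hard to parse. Reword it in the same per-value style now used for ws-security.sts.token.usecert.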

svn commit: r827862 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html

2012-08-03 Thread buildbot
Author: buildbot
Date: Fri Aug  3 17:47:30 2012
New Revision: 827862

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/27-migration-guide.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/27-migration-guide.html
==
--- websites/production/cxf/content/docs/27-migration-guide.html (original)
+++ websites/production/cxf/content/docs/27-migration-guide.html Fri Aug  3 
17:47:30 2012
@@ -123,6 +123,10 @@ Apache CXF -- 2.7 Migration Guide

 New Features
 
+New UDP transport
+
+
+
 API Changes
 
 The HTTPConduit class has been made abstract with the 
HttpURLConnection related code moving to an URLConnectionHTTPConduit.   Several 
method calls of the HTTPConduit that used to take HttpURLConnection objects 
have been eliminated.  Also, most methods taking a URL object now take a URI 
object instead.   The HTTPConduit.WrappedOutputStream class is also now 
abstract.   If you have custom subclasses of HTTPConduit, changing them to 
subclass URLConnectionHTTPConduit will likely work.
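Review bot: The "New UDP transport" entry under New Features is a bare title with nothing beneath it. Add a sentence on what the transport is for, or a link to its documentation page, so the migration guide says more than that the feature exists.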




svn commit: r828231 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html

2012-08-07 Thread buildbot
Author: buildbot
Date: Tue Aug  7 10:47:24 2012
New Revision: 828231

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Tue Aug  7 
10:47:24 2012
@@ -163,14 +163,14 @@ Apache CXF -- WS-SecurityPolicy
 Boolean
 WS-Security configuration tags, e.g. the value should be "true" or 
"false".
 
 
- ws-security.validate.token  Whether to validate the password of a 
received UsernameToken or not. The default is true. ws-security.enableRevocation 
 Whether to enable 
Certificate Revocation List (CRL) checking or not when verifying trust in a 
certificate. The default value is "false". ws-security.username-token.always.encrypted 
 Whether to always 
encrypt UsernameTokens whenever possible. The default is true. ws-security.is-bsp-compliant 
 Whether to ensure 
compliance with the Basic Securit
 y Profile (BSP) 1.1 or not. The default value is "true".  
ws-security.self-sign-saml-assertion  Whether to self-sign a SAML Assertion or not. If this is 
set to true, then an enveloped signature will be generated when the SAML 
Assertion is constructed. The default is false.  ws-security.enable.nonce.cache  Whether to cache UsernameToken 
nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here
 for more information. ws-security.enable.timestamp.cache  Whether to cache Timestamp Created Strings. 
See http://cxf.apache.org/
 
javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE">here
 for more information.
+ ws-security.validate.token  Whether to validate the password of a 
received UsernameToken or not. The default is true. ws-security.enableRevocation 
 Whether to enable 
Certificate Revocation List (CRL) checking or not when verifying trust in a 
certificate. The default value is "false". ws-security.username-token.always.encrypted 
 Whether to always 
encrypt UsernameTokens that are defined as a SupportingToken. The default is 
true. This should not be set to false in a production environment, as it 
exposes the password (or the digest of the password) on the 
wire. ws-security.is-bsp-compliant  Whether to ensure compliance with the Basic 
Security Profile (BSP) 1.1 or not. The default value is "true". 
 
ws-security.self-sign-saml-assertion  Whether to self-sign a SAML Assertion or not. If this is 
set to true, then an enveloped signature will be generated when the SAML 
Assertion is constructed. The default is false.  ws-security.enable.nonce.cache  Whether to cache UsernameToken 
nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here
 for more information. ws-security.enable.timestamp.
 cache  Whether to cache 
Timestamp Created Strings. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE";>here
 for more information.
 
 
 
 Non-boolean
 WS-Security Configuration parameters
 
 
- ws-security.timestamp.timeToLive  The time in seconds after Creation that an 
incoming Timestamp is valid for. The default value is 300 seconds (5 
minutes). 
ws-security.timestamp.futureTimeToLive  The time in seconds in the future within which the 
Created time of an incoming Timestamp is valid. The default value is "60". See 
http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#TIMESTAMP_FUTURE_TTL";>here
 for more information. ws-security.saml-role-attributename  The attribute URI of the SAML 
AttributeStatement where the role information is store
 d. The default is 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";. ws-security.kerberos.client 
 A reference to the 
KerberosClient class used to obtain a service ticket. ws-security.spnego.client.action 
 The SpnegoClientAction 
implementation to use for SPNEGO. This allows the user to plug in a different 
implementation to obtain a service ticket. ws-security.kerberos.jaas.context  The JAAS Context name to use for 
Kerberos. This is currently only supported for SPNEGO. ws-security.kerberos.spn  The Kerberos
  Service Provider Name (spn) to use. This is currently only supported for 
SPNEGO. 
ws-security.nonce.cache.instance  This holds a reference to a ReplayCache instance used to 
cache UsernameToken nonces. The def
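Review bot: The reworded ws-security.username-token.always.encrypted row narrows the scope to UsernameTokens "defined as a SupportingToken" and drops the earlier "whenever possible", but does not say what happens when the policy offers no way to encrypt the token. State whether the token is then sent in the clear or the request fails, so the reader knows what the default of true guarantees.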

svn commit: r828352 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-filters.html

2012-08-08 Thread buildbot
Author: buildbot
Date: Wed Aug  8 07:49:04 2012
New Revision: 828352

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-filters.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-filters.html
==
--- websites/production/cxf/content/docs/jax-rs-filters.html (original)
+++ websites/production/cxf/content/docs/jax-rs-filters.html Wed Aug  8 
07:49:04 2012
@@ -343,7 +343,7 @@ The only option at the moment is to use 
 
 
 
-message.getExchange().put("ignore.response.writers", true);
+message.getExchange().put("ignore.message.writers", true);
 
 
 
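Review bot: The exchange property key changes from "ignore.response.writers" to "ignore.message.writers" with no word on why. Say whether the old key was a documentation error or whether the key was renamed in a particular release, since code copied from the earlier page sets a property that this page no longer documents.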




svn commit: r828398 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-security.html

2012-08-08 Thread buildbot
Author: buildbot
Date: Wed Aug  8 16:47:32 2012
New Revision: 828398

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-security.html
==
--- websites/production/cxf/content/docs/ws-security.html (original)
+++ websites/production/cxf/content/docs/ws-security.html Wed Aug  8 16:47:32 
2012
@@ -127,7 +127,7 @@ Apache CXF -- WS-Security
 Pass authentication tokens between servicesEncrypt messages 
or parts of messagesSign messagesTimestamp messages
 
 
-Currently, CXF implements WS-Security by integrating http://ws.apache.org/wss4j";>WSS4J. To use the 
integration, you'll need to configure these interceptors and add them to your 
service and/or client.
+Currently, CXF implements WS-Security by integrating http://ws.apache.org/wss4j";>WSS4J. To use the 
integration, you'll need to configure these interceptors and add them to your 
service and/or client as detailed in this article. Alternatively, WS-Security 
can be implemented by using http://cxf.apache.org/docs/ws-securitypolicy.html";>WS-SecurityPolicy, 
which provides a more comprehensive and sophisticated validation of the 
security properties of a received message.
 
 Overview of encryption 
and signing
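Review bot: The added sentence says WS-SecurityPolicy "provides a more comprehensive and sophisticated validation of the security properties of a received message" without naming a single check that the interceptor configuration described on this page leaves out. Give one or two concrete differences, or state which approach is recommended, so readers can judge whether the manual configuration is enough for them.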
 
@@ -226,8 +226,6 @@ cxfEndpoint.getOutInterceptors().add(wss
   class="com.mycompany.webservice.ServerPasswordCallback"/>
 
<jaxws:inInterceptors>
-  <!-- SAAJ 
Interceptor needs to be explicitly declared only in CXF 2.0.x 
--> 
-  <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
   <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
  <constructor-arg>
 <map>
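Review bot: Removing the SAAJInInterceptor bean also removes the comment that it "needs to be explicitly declared only in CXF 2.0.x". If the page is still meant to cover 2.0.x, keep that as a sentence outside the sample; if not, state the minimum CXF version the sample applies to.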
@@ -246,7 +244,7 @@ cxfEndpoint.getOutInterceptors().add(wss
 
 
 
-The entry keys and values given in the constructor-arg element above 
(action, signaturePropFile, etc.) map to the text strings in WSS4J's http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html";>WSHandlerConstants
 and http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/WSConstants.html";>WSConstants
 classes for the corresponding WSHandlerConstants.X and WSConstants. 
constants you see in the section below.  So by viewing WSHandlerConstants, for 
example, you can see that the WSHandlerConstants.USERNAME_TOKEN value given 
below would need to be "UsernameToken" instead when doing Spring 
configuration.
+The entry keys and values given in the constructor-arg element above 
(action, signaturePropFile, etc.) map to the text strings in WSS4J's http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html";>WSHandlerConstants
 and http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/WSConstants.html";>WSConstants
 classes for the corresponding WSHandlerConstants.X and WSConstants. 
constants you see in the section below (also see the WSS4J configuration http://ws.apache.org/wss4j/config.html";>page).  So by viewing 
WSHandlerConstants, for example, you can see that the 
WSHandlerConstants.USERNAME_TOKEN value given below would need to be 
"UsernameToken" instead when doing Spring configuration.
 
 If you want to avoid looking up the text keys for the 
WSHandlerConstants.X and WSConstants. constants, you can also use the 
Spring util namespace to reference static constants in your Spring context as 
shown below.
 
@@ -378,7 +376,7 @@ CryptoCoverageChecker checker = If a nonce is present in a UsernameToken then it should be cached by the 
message recipient to guard against replay attacks. This behaviour is enabled by 
default starting with CXF 2.6.0. This functionality is also available from 
Apache CXF 2.4.7 and 2.5.3 onwards, but is not enabled by default at all for 
backwards-compatibility reasons. The following properties control nonce 
caching:
 
-"ws-security.enable.nonce.cache" - The default value (for CXF 2.6.0) 
is "true" for message recipients, and "false" for message initiators. Set it to 
true to cache for both cases. The default value for CXF 2.4.x and 2.5.x is 
false."ws-security.nonce.cache.instance" - This holds a reference to a 
ReplayCache instance used to cache UsernameToken nonces. The default instance 
that is used is the EHCacheReplayCache, which uses Ehcache to cache the nonce 
values."ws-security.cache.config.file" - Set this property to point to 
a configuration file for the underlying caching implementation

svn commit: r828410 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-security.html

2012-08-08 Thread buildbot
Author: buildbot
Date: Wed Aug  8 19:47:49 2012
New Revision: 828410

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-security.html
==
--- websites/production/cxf/content/docs/ws-security.html (original)
+++ websites/production/cxf/content/docs/ws-security.html Wed Aug  8 19:47:49 
2012
@@ -127,7 +127,7 @@ Apache CXF -- WS-Security
 Pass authentication tokens between servicesEncrypt messages 
or parts of messagesSign messagesTimestamp messages
 
 
-Currently, CXF implements WS-Security by integrating http://ws.apache.org/wss4j";>WSS4J. To use the 
integration, you'll need to configure these interceptors and add them to your 
service and/or client as detailed in this article. Alternatively, WS-Security 
can be implemented by using http://cxf.apache.org/docs/ws-securitypolicy.html";>WS-SecurityPolicy, 
which provides a more comprehensive and sophisticated validation of the 
security properties of a received message.
+CXF relies on http://ws.apache.org/wss4j";>WSS4J in large part to implement 
WS-Security.  Within your own services, WS-Security can be activated by using 
http://cxf.apache.org/docs/ws-securitypolicy.html";>WS-SecurityPolicy, 
which provides a comprehensive and sophisticated validation of the security 
properties of a received message.  A non-WS-SecurityPolicy approach is usually 
also possible by way of CXF interceptors added to your service and/or client as 
detailed in this article.
 
 Overview of encryption 
and signing
 
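Review bot: In the added paragraph, "A non-WS-SecurityPolicy approach is usually also possible" leaves the reader guessing when it is not possible; either name the cases where only WS-SecurityPolicy works or drop "usually". The previous wording called the WS-SecurityPolicy validation "more comprehensive" than the interceptor approach. With that comparison gone, one sentence on what the manually configured interceptors do not validate would tell readers why the policy route is now listed first.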




svn commit: r828463 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html

2012-08-09 Thread buildbot
Author: buildbot
Date: Thu Aug  9 14:49:22 2012
New Revision: 828463

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Thu Aug  9 
14:49:22 2012
@@ -163,7 +163,7 @@ Apache CXF -- WS-SecurityPolicy
 Boolean
 WS-Security configuration tags, e.g. the value should be "true" or 
"false".
 
 
- ws-security.validate.token  Whether to validate the password of a 
received UsernameToken or not. The default is true. ws-security.enableRevocation 
 Whether to enable 
Certificate Revocation List (CRL) checking or not when verifying trust in a 
certificate. The default value is "false". ws-security.username-token.always.encrypted 
 Whether to always 
encrypt UsernameTokens that are defined as a SupportingToken. The default is 
true. This should not be set to false in a production environment, as it 
exposes the password (or the digest of the password) on the 
wire. ws-security.is-bsp-compliant  Whether to ensure compliance with the Basic 
Security Profile (BSP) 1.1 or not. The default value is "true". 
 
ws-security.self-sign-saml-assertion  Whether to self-sign a SAML Assertion or not. If this is 
set to true, then an enveloped signature will be generated when the SAML 
Assertion is constructed. The default is false.  ws-security.enable.nonce.cache  Whether to cache UsernameToken 
nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here
 for more information. ws-security.enable.timestamp.
 cache  Whether to cache 
Timestamp Created Strings. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE";>here
 for more information.
+ constant  default  definition ws-security.validate.token  true  Whether to validate the password of a received 
UsernameToken or not. ws-security.enableRevocation  false  Whether to enable Certificate Revocation List (CRL) 
checking or not when verifying trust in a certificate. 
ws-security.username-token.always.encrypted  true  Whether to always encrypt 
UsernameTokens that are defined as a SupportingToken. This should not be set to 
false in a production environment, as it exposes the password (or the digest of 
the password) on the wire. ws-security.is-bsp-compliant  true  Whether to ensure compliance with the Basic Security 
Profile (BSP) 1.1 or not. ws-security.self-sign-saml-assertion  false  Whether to self-sign a SAML Assertion or not. If this is 
set to true, then an enveloped signature will be generated when the SAML 
Assertion is constructed.  ws
 -security.enable.nonce.cache  (varies)  Whether to cache UsernameToken nonces. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE";>here
 for more information. ws-security.enable.timestamp.cache  (varies)   Whether to cache Timestamp Created Strings. See http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE";>here
 for more information.
 
 
 
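Review bot: In the new default column, ws-security.enable.nonce.cache and ws-security.enable.timestamp.cache are both listed as "(varies)", which hides a replay-protection default behind a Javadoc link. The ws-security.html page already spells out the nonce case (true for message recipients and false for message initiators in CXF 2.6.0, false in 2.4.x and 2.5.x); put that in the cell, and state the equivalent for the timestamp cache.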




svn commit: r828499 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html

2012-08-09 Thread buildbot
Author: buildbot
Date: Thu Aug  9 18:47:35 2012
New Revision: 828499

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Thu Aug  9 
18:47:35 2012
@@ -170,7 +170,7 @@ Apache CXF -- WS-SecurityPolicy
 Non-boolean
 WS-Security Configuration parameters
 
 
- ws-security.timestamp.timeToLive  The time in seconds to append to the Creation 
value of an incoming Timestamp to determine whether to accept the Timestamp as 
valid or not. The default value is 300 seconds (5 minutes). 
ws-security.timestamp.futureTimeToLive  The time in seconds in the future within which the 
Created time of an incoming Timestamp is valid. The default value is "60". See 
http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#TIMESTAMP_FUTURE_TTL";>here
 for more information. ws-security.saml-role-attributename  The attribute URI of 
 the SAML AttributeStatement where the role information is stored. The default 
is 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";. ws-security.kerberos.client 
 A reference to the http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java?view=markup";>KerberosClient
 class used to obtain a service ticket. ws-security.spnego.client.action  The http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/spnego/SpnegoClientAction.html";>SpnegoClientAction
 implementation to use for SPNEGO. This allows the user to plug in a different 
implementation to obtain a service ticket.
  
ws-security.kerberos.jaas.context  The JAAS Context name to use for Kerberos. This is 
currently only supported for SPNEGO. ws-security.kerberos.spn  The Kerberos Service Provider Name (spn) to use. This is 
currently only supported for SPNEGO. ws-security.nonce.cache.instance  This holds a reference to a http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/cache/ReplayCache.html";>ReplayCache
 instance used to cache UsernameToken nonces. The default instance that is used 
is the http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/or
 
g/apache/cxf/ws/security/cache/EHCacheReplayCache.java?view=markup">EHCacheReplayCache. 
ws-security.timestamp.cache.instance  This holds a reference to a http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/cache/ReplayCache.html";>ReplayCache
 instance used to cache Timestamp Created Strings. The default instance that is 
used is the http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/cache/EHCacheReplayCache.java?view=markup";>EHCacheReplayCache. ws-security.cache.config.file 
 Set this property to 
point to a configuration file for the underlying caching implementation. The 
default configuration file th
 at is used is http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/resources/cxf-ehcache.xml?view=markup";>cxf-ehcache.xml
 in the cxf-rt-ws-security module. org.apache.cxf.ws.security.tokenstore.TokenStore   The http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStore.java?view=markup";>TokenStore
 instance to use to cache security tokens. By default this uses the http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java?view=markup";>EHCacheTokenStore
 if EhCache is available. Otherwise it uses the http://svn.apache.org/viewvc/cxf/trunk/rt/w
 
s/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java?view=markup">MemoryTokenStore. 
ws-security.subject.cert.constraints  A comma separated String of regular expressions which 
will be applied to the subject DN of the certificate used for signature 
validation, after trust verification of the certificate chain associated with 
the  certificate. These constraints are not used when the certificate is 
contained in the keystore (direct trust). 
+ ws-security.timestamp.timeToLive  The time in seconds to append to the Creation 
value of an incoming Timestamp to determine whether to accept the Timestamp as 
valid or not. The default value is 300 seconds (5 minutes). 
ws-security.timestamp.futureTimeToLive  The time in seconds in the future within which the 
Created time of an incoming Timestamp is valid. The defaul

svn commit: r828578 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxb.html

2012-08-10 Thread buildbot
Author: buildbot
Date: Fri Aug 10 17:47:24 2012
New Revision: 828578

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jaxb.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxb.html
==
--- websites/production/cxf/content/docs/jaxb.html (original)
+++ websites/production/cxf/content/docs/jaxb.html Fri Aug 10 17:47:24 2012
@@ -123,7 +123,7 @@ Apache CXF -- JAXB

 Introduction
 
-JAXB is the default data binding for CXF. If you don't specify one of the 
other data bindings in your Spring configuration or through the API, you will 
get JAXB. CXF 2.0.x branch supplies JAXB 2.0, CXF 2.1.x and CXF 2.2.x use JAXB 
2.1.
+JAXB is the default data binding for CXF. If you don't specify one of the 
other data bindings in your Spring configuration or through the API, you will 
get JAXB. Releases of CXF since 2.3.x have used the JDK7 default of JAXB 2.2, 
however Maven users running on JDK 6 will need to use the http://docs.oracle.com/javase/6/docs/technotes/guides/standards/"; 
rel="nofollow">Java endorsed override mechanism to use JAXB 2.2 instead of 
JAXB 2.1.
 
 JAXB uses Java annotation combined with files found on the classpath to 
build the mapping between XML and Java. JAXB supports both code-first and 
schema-first programming. The schema-first support the ability to create a 
client proxy, dynamically, at runtime. See the CXF DynamicClientFactory 
class.
 
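Review bot: The rewritten sentence drops the JAXB versions for the 2.0.x, 2.1.x and 2.2.x branches and singles out "Maven users running on JDK 6" without saying why only Maven builds are affected. If the endorsed override is needed for any JDK 6 runtime, say so; if it really is Maven-specific, name what in the build requires it. "JAXB 2.2, however Maven users" is also a comma splice and reads better as two sentences.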
@@ -211,8 +211,7 @@ Apache CXF -- JAXB
   </jaxws:server>
 
 
-
-
+


  




svn commit: r828601 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html

2012-08-10 Thread buildbot
Author: buildbot
Date: Fri Aug 10 23:47:24 2012
New Revision: 828601

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Fri Aug 10 23:47:24 2012
@@ -166,23 +166,33 @@ $CATALINA_HOME/bin/shutdown.sh
 
 
 
-If you're using the one Tomcat with multiple instance option, it's 
$CATALINA_BASE that will need to be redefined.
+If you're using the one Tomcat with multiple instance option, it's 
$CATALINA_BASE instead that will need to be redefined above.
 
-The Fediz examples use the following TCP ports for the IDP/STS:
+Tomcat 
server.xml configuration
 
-HTTP port: 9080 (used for Maven deployment, mvn 
tomcat:redeploy)HTTPS port: 9443 (where IDP and STS are 
accessed)
+The Fediz examples use the following Tomcat port values for the IDP/STS, 
defined in the conf/server.xml file.  We use ports different from the Tomcat 
defaults so as not to conflict with the Tomcat instance running the RP 
applications.
 
+HTTP port: 9080 (used for Maven deployment, mvn 
tomcat:redeploy)HTTPS port: 9443 (where IDP and STS are 
accessed)Server port (for shutdown and other commands): 9005
 
-The Tomcat HTTP(s) configuration is done in conf/server.xml.
 
-This is a sample snippet for an HTTPS configuration:
+Here is a sample snippet for showing the configuration of the above three 
values:
 
 
 
+<Server port="9005" 
shutdown="SHUTDOWN">
+
+<!-- http 
configuration -->
+<Connector port="9080" protocol="HTTP/1.1"
+   connectionTimeout="2"
+   redirectPort="9443" />
+...
+<!-- https 
configuration -->
 <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="tomcat-idp.jks"
keystorePass="tompass" 
sslProtocol="TLS" />
+...
+</Server>
 
 
 
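Review bot: In the added HTTP connector, connectionTimeout="2" looks like a typo: Tomcat reads this attribute in milliseconds and its stock server.xml uses 20000, so a reader who copies the snippet gets a 2 ms timeout. The snippet also carries keystorePass="tompass" and the default shutdown="SHUTDOWN" command on port 9005; a sentence saying both are sample values to change outside a demo would match the sample-keystore warning on the Tomcat plugin page.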




svn commit: r828621 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html fediz-tomcat.html

2012-08-10 Thread buildbot
Author: buildbot
Date: Sat Aug 11 06:47:56 2012
New Revision: 828621

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html
websites/production/cxf/content/fediz-tomcat.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Sat Aug 11 06:47:56 2012
@@ -180,18 +180,25 @@ $CATALINA_HOME/bin/shutdown.sh
 
 
 <Server port="9005" 
shutdown="SHUTDOWN">
+...
 
-<!-- http 
configuration -->
-<Connector port="9080" protocol="HTTP/1.1"
-   connectionTimeout="2"
-   redirectPort="9443" />
-...
-<!-- https 
configuration -->
-<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
-   maxThreads="150" scheme="https" secure="true"
-   keystoreFile="tomcat-idp.jks"
-   keystorePass="tompass" 
sslProtocol="TLS" />
-...
+   <!-- http 
configuration -->
+   <Connector port="9080" protocol="HTTP/1.1"
+connectionTimeout="2"
+redirectPort="9443" />
+
+   ...
+
+   <!-- https 
configuration -->
+   <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
+maxThreads="150" scheme="https" secure="true"
+keystoreFile="tomcat-idp.jks"
+keystorePass="tompass" 
sslProtocol="TLS" />
+   ...
+ 
+   <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" />
+
+...
 </Server>
 
 
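Review bot: The added <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" /> is not explained, and the port list introduced in r828601 still names only 9080, 9443 and 9005. An AJP connector trusts whatever connects to it by default, so if the IDP instance is not fronted by a web server the connector should be left out of the sample; if it is needed, the text should say why and show it bound to the loopback address (address="127.0.0.1"). The connectionTimeout="2" value is carried over unchanged in the re-indented HTTP connector.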

Modified: websites/production/cxf/content/fediz-tomcat.html
==
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Sat Aug 11 06:47:56 2012
@@ -137,7 +137,7 @@ Apache CXF -- Fediz Tomcat


 Tomcat Plugin
-This page describes how to enable Federation in Tomcat. This Tomcat 
instance acts as the Relying Party which means it validates the incoming 
SignInResponse which has been created by the Identity Provider (IDP) server.
+This page describes how to enable Federation in Tomcat. The configuration 
below is specifically for Tomcat instances hosting Relying Party (RP) 
applications, not instances just hosting the Fediz Identity Provider (IDP) and 
STS or third-party services authenticating a RP application based on SAML 
tokens provided by the IDP STS.  A Tomcat instance holdign RP webapps will 
validate the incoming SignInResponse created by the IDP server.
 
 Installation
 
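Review bot: Typo in the last added sentence: "holdign RP webapps" should be "holding RP webapps". The sentence before it is also hard to parse ("not instances just hosting ... or third-party services authenticating a RP application ..."); splitting it into what this page covers and what it does not cover would help.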




svn commit: r828830 - in /websites/production/cxf/content: cache/main.pageCache fediz-idp.html

2012-08-13 Thread buildbot
Author: buildbot
Date: Mon Aug 13 20:47:36 2012
New Revision: 828830

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-idp.html
==
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Mon Aug 13 20:47:36 2012
@@ -146,7 +146,7 @@ Apache CXF -- Fediz IDP
 
 The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to 
work with any commercial JEE application server.
 
-It's recommended to set up a dedicated (separate) Tomcat instance for the 
IDP compared to the one hosting the RP (relying party) applications.   Using 
one deployment of Tomcat with multiple CATALINA_BASE instances, as described http://www.shaunabram.com/multiple-tomcat-instances/"; 
rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib 
folder will be shared throughout each of the activated CATALINA_BASE instances. 
 Another probably simpler alternative is to copy your Tomcat folder into a 
second location and edit its conf/server.xml file and change http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html";
 rel="nofollow">these port values so they don't conflict with the original 
Tomcat installation.  
+It's recommended to set up a dedicated (separate) Tomcat instance for the 
IDP compared to the one hosting the RP (relying party) applications.   Using 
one deployment of Tomcat with multiple CATALINA_BASE instances, as described http://www.shaunabram.com/multiple-tomcat-instances/"; 
rel="nofollow">here is one option but note any libs in $CATALINA_HOME/lib 
folder will be shared throughout each of the activated CATALINA_BASE instances. 
 Another probably simpler alternative is to copy your Tomcat folder into a 
second location and edit its conf/server.xml file and http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html";
 rel="nofollow">change port values (discussed below) so they don't conflict 
with the original Tomcat installation.  
 
 To start and stop this second Tomcat instance, it is perhaps easiest to 
create small startup.sh and shutdown.sh scripts that temporarily redefine 
$CATALINA_HOME from the first to the second instance, for example:
 




svn commit: r828833 - in /websites/production/cxf/content: cache/main.pageCache fediz-tomcat.html

2012-08-13 Thread buildbot
Author: buildbot
Date: Mon Aug 13 21:47:23 2012
New Revision: 828833

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-tomcat.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-tomcat.html
==
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Mon Aug 13 21:47:23 2012
@@ -137,7 +137,10 @@ Apache CXF -- Fediz Tomcat


 Tomcat Plugin
-This page describes how to enable Federation in Tomcat. The configuration 
below is specifically for Tomcat instances hosting Relying Party (RP) 
applications, not instances just hosting the Fediz Identity Provider (IDP) and 
STS or third-party services authenticating a RP application based on SAML 
tokens provided by the IDP STS.  A Tomcat instance holdign RP webapps will 
validate the incoming SignInResponse created by the IDP server.
+This page describes how to enable Federation for a Tomcat instance hosting 
Relying Party (RP) applications.  This configuration is not for a separate 
Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for 
third-party applications that use Fediz STS-generated SAML assertions for 
authentication.  After this configuration is done, the Tomcat-RP instance will 
validate the incoming SignInResponse created by the IDP server.
+
+Prior to doing this configuration, make sure you've first deployed the 
Fediz IDP and STS on the separate Tomcat IDP instance as discussed here, and can view the 
STS WSDL at the URL given on that page.  That page also provides some tips for 
running multiple Tomcat instances on your machine.
+
 
 Installation
 
@@ -153,10 +156,12 @@ add the previously created directory to 
 
 HTTPS 
configuration
 
-It's recommended to set up a dedicated (separate) Tomcat instance for the 
Relying Party. The Fediz examples requires configuring the following TCP 
ports:
-HTTP port: 8080 (used for Maven deployment, mvn 
tomcat:redeploy)HTTPS port: 8443 (where IDP and STS are 
accessed)
+It's recommended to set up a dedicated (separate) Tomcat instance for the 
Relying Party. The Fediz RP web applications use the following TCP ports:
+HTTP port: 8080 (used for Maven deployment, mvn 
tomcat:redeploy)HTTPS port: 8443 (where IDP and STS are 
accessed)Server port (for shutdown and other commands): 8005
 
 
+These are the default ports for a standard Tomcat installation.
+
 The Relying Party must be accessed over HTTPS to protect the security 
tokens issued by the IDP.
 
 The Tomcat HTTP(s) configuration is done in conf/server.xml.
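
Review bot: The port list for the Relying Party instance still describes 8443 as "where IDP and STS are accessed". On the IDP page the IDP and STS are on 9443; on this instance 8443 is where the RP applications are reached. Since the paragraph that follows requires HTTPS on the RP to protect the tokens issued by the IDP, the description of 8443 should say that instead.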
@@ -172,12 +177,14 @@ add the previously created directory to 
 
 
 
-The keystoreFile is relative to $CATALINA_HOME. See http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html";>here for the 
Tomcat 7 configuration reference. This page also describes how to create 
certificates.  Sample Tomcat keystores (not for production use, but useful for 
demoing Fediz and running the sample applications) are provided in the 
examples/samplekeys folder of the Fediz distribution.
+The keystoreFile is relative to $CATALINA_HOME. See http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html";>here for the 
Tomcat 7 configuration reference. This page also describes how to create 
certificates.  Sample Tomcat keystores (not for production use, but useful for 
demoing Fediz and running the sample applications) are provided in the 
examples/samplekeys folder of the Fediz distribution.  Note the Tomcat keystore 
here is different from the one used to configure the Tomcat-IDP instance.
 
 To establish trust, there are significant keystore/truststore requirements 
between the Tomcat instances and the various web applications (IDP, STS, 
Relying party applications, third party web services, etc.)  See http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co";>this
 page for more details, it lists the trust requirements as well as sample 
scripts for creating your own (self-signed) keys.
 
 Warning:  All sample keystores provided with Fediz (including in the WAR 
files for its services and examples) are for development/prototyping use only.  
They'll need to be replaced for production use, at a minimum with your own 
self-signed keys but strongly recommended to use third-party signed 
keys.
 
+If you are currently just trying to run the Fediz samples, the 
configuration above is all you need (the below configuration is already 
provided within the samples) so you can return now to the samples' READMEs for 
the next steps in running them.
+
 
 Fediz 
Plugin configuration for Your Web Application
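
Review bot: The added sentence "Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance" does not say which keystore to use. The IDP page names its file (keystoreFile="tomcat-idp.jks"); naming the RP keystore from examples/samplekeys here would stop readers from reusing the IDP one. The new closing paragraph for sample users also lands directly after the warning about sample keystores; placing it before the warning keeps the warning as the last thing read before moving on.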

svn commit: r829119 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html

2012-08-16 Thread buildbot
Author: buildbot
Date: Thu Aug 16 14:47:24 2012
New Revision: 829119

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/27-migration-guide.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/27-migration-guide.html
==
--- websites/production/cxf/content/docs/27-migration-guide.html (original)
+++ websites/production/cxf/content/docs/27-migration-guide.html Thu Aug 16 
14:47:24 2012
@@ -123,7 +123,7 @@ Apache CXF -- 2.7 Migration Guide

 New Features
 
-New UDP transport
+New UDP transportSupport for the http://docs.oasis-open.org/ws-dd/soapoverudp/1.1/wsdd-soapoverudp-1.1-spec.html";
 rel="nofollow">SOAP over UDP specification
 
 
 




svn commit: r829131 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html

2012-08-16 Thread buildbot
Author: buildbot
Date: Thu Aug 16 18:47:28 2012
New Revision: 829131

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/27-migration-guide.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/27-migration-guide.html
==
--- websites/production/cxf/content/docs/27-migration-guide.html (original)
+++ websites/production/cxf/content/docs/27-migration-guide.html Thu Aug 16 
18:47:28 2012
@@ -130,6 +130,10 @@ Apache CXF -- 2.7 Migration Guide
 API Changes
 
 The HTTPConduit class has been made abstract with the 
HttpURLConnection related code moving to an URLConnectionHTTPConduit.   Several 
method calls of the HTTPConduit that used to take HttpURLConnection objects 
have been eliminated.  Also, most methods taking a URL object now take a URI 
object instead.   The HTTPConduit.WrappedOutputStream class is also now 
abstract.   If you have custom subclasses of HTTPConduit, changing them to 
subclass URLConnectionHTTPConduit will likely work.
+
+
+The WS-Addressing related VersionTransformer and MAPCodec classes have 
been changed to not encode the WS-Addressing headers to  DOM elements and 
instead just use the Header list on the SoapMessage directly.  This did change 
the parameters on the encode methods to take the JAXBContext instead of the 
Marshaller.  Any custom VersionTransformers will need to be updated.  (very 
rare)
+
 
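Review bot: The added paragraph says the encode methods now take a JAXBContext instead of a Marshaller but does not give the new signatures, and it ends with a dangling "(very rare)". Listing the changed method signatures on VersionTransformer and MAPCodec, and folding the remark into the sentence ("custom VersionTransformers, which are rare, will need to be updated"), would make the migration step actionable.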






svn commit: r829215 - in /websites/production/cxf/content: cache/docs.pageCache docs/27-migration-guide.html

2012-08-17 Thread buildbot
Author: buildbot
Date: Fri Aug 17 13:47:26 2012
New Revision: 829215

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/27-migration-guide.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/27-migration-guide.html
==
--- websites/production/cxf/content/docs/27-migration-guide.html (original)
+++ websites/production/cxf/content/docs/27-migration-guide.html Fri Aug 17 
13:47:26 2012
@@ -134,6 +134,8 @@ Apache CXF -- 2.7 Migration Guide
 
 The WS-Addressing related VersionTransformer and MAPCodec classes have 
been changed to not encode the WS-Addressing headers to  DOM elements and 
instead just use the Header list on the SoapMessage directly.  This did change 
the parameters on the encode methods to take the JAXBContext instead of the 
Marshaller.  Any custom VersionTransformers will need to be updated.  (very 
rare)
 
+
+All methods that took or returned 
org.apache.cxf.feature.AbstractFeatures have been changed to just use 
org.apache.cxf.feature.Feature.
 






svn commit: r829474 - in /websites/production/cxf/content: cache/main.pageCache download.html

2012-08-20 Thread buildbot
Author: buildbot
Date: Mon Aug 20 14:47:25 2012
New Revision: 829474

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/download.html

Modified: websites/production/cxf/content/cache/main.pageCache
==
Binary files - no diff available.

Modified: websites/production/cxf/content/download.html
==
--- websites/production/cxf/content/download.html (original)
+++ websites/production/cxf/content/download.html Mon Aug 20 14:47:25 2012
@@ -168,17 +168,6 @@ Apache CXF -- Download
 
 
 
-2.3.11
-The 2.3.11 release is our latest patch release for 2.3.x. For more 
information please see the release notes.
-
-https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"; 
width="16" height="16" alt="" border="0">2.3.11 is the last planned release for the 2.3.x series of CXF.  
Users are STRONGLY encouraged to update to a newer and supported version of 
CXF.
-
-
-DescriptionFileMD5SHA1PGPSource distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.3.11/apache-cxf-2.3.11-src.tar.gz";>apache-cxf-2.3.11-src.tar.gzhttp://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.tar.gz.md5";>apache-cxf-2.3.11-src.tar.gz.md5http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-s
 rc.tar.gz.sha1">apache-cxf-2.3.11-src.tar.gz.sha1http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.tar.gz.asc";>apache-cxf-2.3.11-src.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.3.11/apache-cxf-2.3.11-src.zip";>apache-cxf-2.3.11-src.ziphttp://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.zip.md5";>apache-cxf-2.3.11-src.zip.md5http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.zip.sha1";>apache-cxf-2.3.11-src.zip.sha1http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11-src.zip.asc";>apache-cxf-2.3.11-src.zip.ascBinary distributionhttp://www.apache.org/dyn/closer.cgi?path=/cxf/2.3.11/apache-cxf-2.3.11.tar.gz";>apache-cxf-2.3.11.tar.gzhttp://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.tar.gz.md5";>apache-cxf-2.3.11.tar.gz.md5http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.tar.gz.sha1";>apache-cxf-2.3.11.tar.gz.sha1http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.
 tar.gz.asc">apache-cxf-2.3.11.tar.gz.asc http://www.apache.org/dyn/closer.cgi?path=/cxf/2.3.11/apache-cxf-2.3.11.zip";>apache-cxf-2.3.11.ziphttp://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.zip.md5";>apache-cxf-2.3.11.zip.md5http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.zip.sha1";>apache-cxf-2.3.11.zip.sha1http://www.apache.org/dist/cxf/2.3.11/apache-cxf-2.3.11.zip.asc";>apache-cxf-2.3.11.zip.asc
-
-
-
-
 Verifying 
Releases
 When downloading from a mirror please check the MD5 and SHA1 checksums as 
well as verifying the OpenPGP compatible signature available from the main 
Apache site. The http://www.apache.org/dist/cxf/KEYS";>KEYS file contains the public 
keys used for signing release. It is recommended that a web of trust is used to 
confirm the identity of these keys.
 
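Review bot: removing the 2.3.11 block also removes the only statement on this page that 2.3.x is end of life ("2.3.11 is the last planned release for the 2.3.x series", "Users are STRONGLY encouraged to update"). Users still running 2.3.x who land here after this change see no sign that their line is unsupported. Suggest keeping a one-line notice that the 2.3.x series is no longer maintained, even if the download table itself goes away.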
@@ -214,11 +203,11 @@ Incubator releases: Snapshot distributions can be found at: (the latest one is at the 
bottom)
 
-2.4.9 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.4.9-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.4.9-SNAPSHOT/
  
+2.4.10 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.4.10-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.4.10-SNAPSHOT/
  
 
-2.5.5 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.5.5-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.5.5-SNAPSHOT/
  
+2.5.6 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.5.6-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.5.6-SNAPSHOT/
  
 
-2.6.2 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.6.2-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.6.2-SNAPSHOT/
  
+2.6.3 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.6.3-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.6.3-SNAPSHOT/
  
 
 2.7.0 http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.7.0-SNAPSHOT/";>http://repository.apache.org/snapshots/org/apache/cxf/apache-cxf/2.7.0-SNAPSHOT/
  
 
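Review bot: the bumped snapshot entries (2.4.10, 2.5.6, 2.6.3) keep plain http:// links to repository.apache.org, and unlike the release section above, this list gives no checksum or signature to verify what is fetched. Since these lines are being touched anyway, suggest switching the links to https:// so the snapshot artifacts are at least retrieved over an authenticated transport.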



