Author: buildbot
Date: Fri Apr 24 14:46:55 2015
New Revision: 949042

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/docs/security-configuration.html
Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/31-migration-guide.html
    websites/production/cxf/content/docs/index.html
    websites/production/cxf/content/docs/jax-rs-saml.html
    websites/production/cxf/content/docs/jax-rs-xml-security.html
    websites/production/cxf/content/docs/security.html
    websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/31-migration-guide.html
==============================================================================
--- websites/production/cxf/content/docs/31-migration-guide.html (original)
+++ websites/production/cxf/content/docs/31-migration-guide.html Fri Apr 24 
14:46:55 2015
@@ -116,7 +116,7 @@ Apache CXF -- 3.1 Migration Guide
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h3 id="id-3.1MigrationGuide-MajorNotes">Major 
Notes</h3><ul><li>CXF 3.1 no longer supports Java 6. &#160; You must use Java 7 
or Java 8.</li><li>The JAX-WS/Simple frontend ServerFactoryBean will 
automatically call reset at the end of the create() call. &#160; This allows 
resources to be cleaned up and garbage collected sooner. &#160;However, it also 
prevents multiple calls to create() from sharing the same 
ServerInfo/EndpointInfo/etc... objects like they would we 3.0.x. &#160; That 
sharing has caused many problems in the past due to sharing of properties (like 
token caches) that are stored on those objects so the new behavior is more 
"correct", but it is different than previous versions so care must be taken 
while upgrading.</li><li>The Karaf features.xml file for CXF 3.1 no longer will 
install spring or spring-dm when installing the "cxf" feature. &#160;If you 
require spring/spring-dm, you will need to install those features prior to 
installing the CXF 
 feature.</li></ul><h3 id="id-3.1MigrationGuide-Securitychanges">Security 
changes</h3><ul><li>The STS (Security Token Service) now issues tokens using 
the RSA-SHA256 signature algorithm by default (previously RSA-SHA1), and the 
SHA-256 digest algorithm (previously SHA-1).</li><li>Some security 
configuration tags have been renamed from "ws-security.*" to "security.*", as 
they are now shared with (some of) the JAX-RS stack. The old tags will continue 
to work as before however without any change.</li><li>The SAML/XACML 
functionality previously available in the cxf-rt-security module is now in the 
cxf-rt-security-saml module.</li><li>If you are explicitly specifying the SAML 
version in a SAML CallbackHandler, then this is changed in CXF 3.1 due to the 
migration to use OpenSAML 3.1. The version is now set on the SAMLCallback using 
a org.apache.wss4j.common.saml.bean.Version class. Previously there was a 
dependency on OpenSAML's SAMLVersion class.</li></ul><h3 
id="id-3.1MigrationGuide-NewF
 eatures">New Features</h3><ul><li>The CXF JAX-WS code generator has a new 
option "seiSuper" that can be used to specify additional super interfaces for 
the SEI. &#160;This makes the code nonportable to other JAX-WS containers. 
&#160; The primary use would be to add AutoCloseable to the interface to allow 
use of the clients in Java7 try with resource blocks.</li><li>New Metrics 
feature for collecting metrics about a CXF services. &#160; Codahale/DropWizard 
based collector included.</li><li>New Throttling feature for easily throttling 
CXF services. &#160;Sample included that uses the Metrics component to help 
make the throttling decisions.</li><li>New Logging feature for more advanced 
logging than the logging available in cxf-core</li><li>New Metadata service for 
SAML SSO to allow you to publish SAML SSO metadata for your service 
provider.</li><li><p>The "cxf" frontend to the JAX-WS code generator (-fe cxf) 
now generates code that is a bit more "Java7" friendly as the return type of t
 he getPort(...) calls is a sub-interface of the SEI that also implements 
AutoCloseable, BindingProvider, and Client. &#160; Code that used to look 
like:</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
+<div id="ConfluenceContent"><h3 id="id-3.1MigrationGuide-MajorNotes">Major 
Notes</h3><ul><li>CXF 3.1 no longer supports Java 6. &#160; You must use Java 7 
or Java 8.</li><li>The JAX-WS/Simple frontend ServerFactoryBean will 
automatically call reset at the end of the create() call. &#160; This allows 
resources to be cleaned up and garbage collected sooner. &#160;However, it also 
prevents multiple calls to create() from sharing the same 
ServerInfo/EndpointInfo/etc... objects like they would we 3.0.x. &#160; That 
sharing has caused many problems in the past due to sharing of properties (like 
token caches) that are stored on those objects so the new behavior is more 
"correct", but it is different than previous versions so care must be taken 
while upgrading.</li><li>The Karaf features.xml file for CXF 3.1 no longer will 
install spring or spring-dm when installing the "cxf" feature. &#160;If you 
require spring/spring-dm, you will need to install those features prior to 
installing the CXF 
 feature.</li></ul><h3 id="id-3.1MigrationGuide-Securitychanges">Security 
changes</h3><ul><li>The STS (Security Token Service) now issues tokens using 
the RSA-SHA256 signature algorithm by default (previously RSA-SHA1), and the 
SHA-256 digest algorithm (previously SHA-1).</li><li>Some security 
configuration tags have been renamed from "ws-security.*" to "security.*", as 
they are now shared with (some of) the JAX-RS stack. The old tags will continue 
to work as before however without any change. See the <a shape="rect" 
href="security-configuration.html">Security Configuration </a>page for more 
information.</li><li>The SAML/XACML functionality previously available in the 
cxf-rt-security module is now in the cxf-rt-security-saml module.</li><li>If 
you are explicitly specifying the SAML version in a SAML CallbackHandler, then 
this is changed in CXF 3.1 due to the migration to use OpenSAML 3.1. The 
version is now set on the SAMLCallback using a 
org.apache.wss4j.common.saml.bean.Version cla
 ss. Previously there was a dependency on OpenSAML's SAMLVersion 
class.</li></ul><h3 id="id-3.1MigrationGuide-NewFeatures">New 
Features</h3><ul><li>The CXF JAX-WS code generator has a new option "seiSuper" 
that can be used to specify additional super interfaces for the SEI. &#160;This 
makes the code nonportable to other JAX-WS containers. &#160; The primary use 
would be to add AutoCloseable to the interface to allow use of the clients in 
Java7 try with resource blocks.</li><li>New Metrics feature for collecting 
metrics about a CXF services. &#160; Codahale/DropWizard based collector 
included.</li><li>New Throttling feature for easily throttling CXF services. 
&#160;Sample included that uses the Metrics component to help make the 
throttling decisions.</li><li>New Logging feature for more advanced logging 
than the logging available in cxf-core</li><li>New Metadata service for SAML 
SSO to allow you to publish SAML SSO metadata for your service 
provider.</li><li><p>The "cxf" frontend to t
 he JAX-WS code generator (-fe cxf) now generates code that is a bit more 
"Java7" friendly as the return type of the getPort(...) calls is a 
sub-interface of the SEI that also implements AutoCloseable, BindingProvider, 
and Client. &#160; Code that used to look like:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[(AddNumbersPortType port = 
service.getAddNumbersPort();
 ((BindingProvider)port).getRequestContext()
         .put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, address);
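Review bot: in the added sentence of the "Security changes" list, the link text keeps a trailing space inside the anchor (`Security Configuration </a>page`), so the rendered link includes the whitespace and nothing separates the tag from the next word. Move the space outside the tag: `Security Configuration</a> page`. The sentence just before it, "The old tags will continue to work as before however without any change", is carried over unchanged and reads awkwardly; "The old tags continue to work unchanged" says the same thing. The context also still carries the typo "like they would we 3.0.x" in the Major Notes item, which could be fixed while this line is being regenerated.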

Modified: websites/production/cxf/content/docs/index.html
==============================================================================
--- websites/production/cxf/content/docs/index.html (original)
+++ websites/production/cxf/content/docs/index.html Fri Apr 24 14:46:55 2015
@@ -113,7 +113,7 @@ Apache CXF -- Index
   <input maxlength="255" type="text" name="queryString" size="15" 
value="value">
   <input type="submit" name="btnG" value="Search">
 </form>
-</div><ul><li><a shape="rect" href="overview.html">Overview</a><ul 
class="childpages-macro"><li><a shape="rect" href="why-cxf.html">Why 
CXF?</a></li><li><a shape="rect" 
href="how-do-i-integrate-my-application-with-cxf.html">How do I integrate my 
application with CXF</a> &#8212; <span class="smalltext">A meta guide to 
integrating your application with CXF - including Bindings, Transports, 
Interceptors, etc</span></li><li><a shape="rect" 
href="how-do-i-develop-a-service.html">How do I develop a service?</a> &#8212; 
<span class="smalltext">A meta guide to your options with CXF</span></li><li><a 
shape="rect" href="how-do-i-develop-a-client.html">How do I develop a 
client?</a> &#8212; <span class="smalltext">A meta guide to your options with 
CXF</span></li></ul></li><li><a shape="rect" href="how-tos.html">How-Tos</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="writing-a-service-with-spring.html">Writing a service with 
Spring</a></li><li><a shape="rect" href="a-simple-jax-ws-ser
 vice.html">A simple JAX-WS service</a></li><li><a shape="rect" 
href="running-a-service-in-tomcat-on-zos.html">Running a service in Tomcat on 
zOS</a></li><li><a shape="rect" 
href="defining-contract-first-webservices-with-wsdl-generation-from-java.html">Defining
 Contract first webservices with wsdl generation from java</a></li><li><a 
shape="rect" href="migration-guides.html">Migration Guides</a></li><li><a 
shape="rect" href="sample-projects.html">Sample 
Projects</a></li></ul></li><li><a shape="rect" 
href="frontends.html">Frontends</a><ul class="childpages-macro"><li><a 
shape="rect" href="annotations.html">Annotations</a></li><li><a shape="rect" 
href="dynamic-clients.html">Dynamic Clients</a></li><li><a shape="rect" 
href="jax-ws.html">JAX-WS</a><ul class="childpages-macro"><li><a shape="rect" 
href="developing-a-consumer.html">Developing a Consumer</a></li><li><a 
shape="rect" href="developing-a-service.html">Developing a 
Service</a></li><li><a shape="rect" href="jax-ws-configuration.htm
 l">JAX-WS Configuration</a></li><li><a shape="rect" 
href="jax-ws-dispatch-api.html">JAX-WS Dispatch API</a></li><li><a shape="rect" 
href="provider-services.html">Provider Services</a></li><li><a shape="rect" 
href="webservicecontext.html">WebserviceContext</a></li></ul></li><li><a 
shape="rect" href="simple.html">Simple</a><ul class="childpages-macro"><li><a 
shape="rect" href="simple-frontend.html">Simple Frontend</a></li><li><a 
shape="rect" href="simple-frontend-configuration.html">Simple Frontend 
Configuration</a></li></ul></li></ul></li><li><a shape="rect" 
href="databindings.html">DataBindings</a><ul class="childpages-macro"><li><a 
shape="rect" href="aegis-21.html">Aegis (2.1)</a> &#8212; <span 
class="smalltext">For CXF 2.1 or newer</span></li><li><a shape="rect" 
href="aegis-databinding-20x.html">Aegis Databinding (2.0.x)</a> &#8212; <span 
class="smalltext">For CXF up to 2.0.x</span></li><li><a shape="rect" 
href="jaxb.html">JAXB</a></li><li><a shape="rect" href="mtom-attachments-wi
 th-jaxb.html">MTOM Attachments with JAXB</a></li><li><a shape="rect" 
href="sdo.html">SDO</a></li><li><a shape="rect" 
href="xmlbeans.html">XMLBeans</a></li></ul></li><li><a shape="rect" 
href="transports.html">Transports</a><ul class="childpages-macro"><li><a 
shape="rect" href="http-transport.html">HTTP Transport</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="asynchronous-client-http-transport.html">Asynchronous Client HTTP 
Transport</a></li><li><a shape="rect" 
href="client-http-transport-including-ssl-support.html">Client HTTP Transport 
(including SSL support)</a></li><li><a shape="rect" 
href="jetty-configuration.html">Jetty Configuration</a></li><li><a shape="rect" 
href="server-http-transport.html">Server HTTP Transport</a></li><li><a 
shape="rect" href="servlet-transport.html">Servlet Transport</a></li><li><a 
shape="rect" href="standalone-http-transport.html">Standalone HTTP 
Transport</a></li></ul></li><li><a shape="rect" href="jms-transport.html">JMS 
Transport</a><ul cla
 ss="childpages-macro"><li><a shape="rect" 
href="cxf-2x-jms-configuration-removed-in-cxf-3.html">CXF 2.x JMS configuration 
(removed in CXF 3)</a></li><li><a shape="rect" 
href="jms-performance-and-pooling.html">JMS performance and 
pooling</a></li><li><a shape="rect" href="jms-transactions.html">JMS 
transactions</a></li><li><a shape="rect" 
href="soap-over-jms-10-support.html">SOAP over JMS 1.0 support</a></li><li><a 
shape="rect" href="using-the-jmsconfigfeature.html">Using the 
JMSConfigFeature</a></li></ul></li><li><a shape="rect" 
href="local-transport.html">Local Transport</a></li><li><a shape="rect" 
href="udp-transport.html">UDP Transport</a><ul class="childpages-macro"><li><a 
shape="rect" href="soap-over-udp.html">SOAP over UDP</a></li></ul></li><li><a 
shape="rect" href="custom-transport.html">Custom Transport</a></li><li><a 
shape="rect" href="coloc-feature.html">Coloc Feature</a></li><li><a 
shape="rect" href="apache-camel-transport.html">Apache Camel 
Transport</a></li><li><a shape=
 "rect" href="websocket.html">WebSocket</a></li></ul></li><li><a shape="rect" 
href="configuration.html">Configuration</a><ul class="childpages-macro"><li><a 
shape="rect" href="bus-configuration.html">Bus Configuration</a></li><li><a 
shape="rect" href="featureslist.html">FeaturesList</a></li><li><a shape="rect" 
href="jmx-management.html">JMX Management</a></li><li><a shape="rect" 
href="wsaconfiguration.html">WSAConfiguration</a></li><li><a shape="rect" 
href="wspconfiguration.html">WSPConfiguration</a></li><li><a shape="rect" 
href="wsrmconfiguration.html">WSRMConfiguration</a></li></ul></li><li><a 
shape="rect" href="debugging-and-logging.html">Debugging and 
Logging</a></li><li><a shape="rect" href="tools.html">Tools</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="cxf-tools-in-eclipse.html">CXF tools in Eclipse</a></li><li><a 
shape="rect" href="idl-to-wsdl.html">IDL to WSDL</a></li><li><a shape="rect" 
href="java-to-javascript.html">Java to Javascript</a></li><li><a shape="rect
 " href="java-to-ws.html">Java to WS</a></li><li><a shape="rect" 
href="java-to-wsdl.html">Java to WSDL</a></li><li><a shape="rect" 
href="maven-cxf-codegen-plugin-wsdl-to-java.html">Maven cxf-codegen-plugin 
(WSDL to Java)</a></li><li><a shape="rect" 
href="maven-java2wsdl-plugin-cxf-20x-only-removed-in-21-and-replaced-with-java2ws.html">Maven
 Java2WSDL plugin (CXF 2.0.x only.  Removed in 2.1 and replaced with 
Java2WS)</a></li><li><a shape="rect" href="maven-java2ws-plugin.html">Maven 
Java2WS plugin</a></li><li><a shape="rect" 
href="using-cxf-with-maven.html">Using CXF with maven</a></li><li><a 
shape="rect" href="wsdl-to-corba.html">WSDL to CORBA</a></li><li><a 
shape="rect" href="wsdl-to-java.html">WSDL to Java</a></li><li><a shape="rect" 
href="wsdl-to-javascript.html">WSDL to Javascript</a></li><li><a shape="rect" 
href="wsdl-to-service.html">WSDL to Service</a></li><li><a shape="rect" 
href="wsdl-to-soap.html">WSDL to SOAP</a></li><li><a shape="rect" 
href="wsdl-to-xml.html">WSDL to XML<
 /a></li><li><a shape="rect" 
href="wsdlvalidator.html">WSDLValidator</a></li><li><a shape="rect" 
href="xsd-to-wsdl.html">XSD to WSDL</a></li></ul></li><li><a shape="rect" 
href="restful-services.html">RESTful Services</a><ul 
class="childpages-macro"><li><a shape="rect" href="http-binding.html">HTTP 
Binding</a></li><li><a shape="rect" href="jax-rs.html">JAX-RS</a></li><li><a 
shape="rect" href="jax-rs-jsr-311.html">JAX-RS (JSR-311)</a></li><li><a 
shape="rect" href="rest-with-jax-ws-provider-and-dispatch.html">REST with 
JAX-WS Provider and Dispatch</a></li><li><a shape="rect" 
href="json-support.html">JSON Support</a></li></ul></li><li><a shape="rect" 
href="wsdl-bindings.html">WSDL Bindings</a><ul class="childpages-macro"><li><a 
shape="rect" href="mtom.html">MTOM</a></li><li><a shape="rect" 
href="pure-xml.html">Pure XML</a></li><li><a shape="rect" 
href="soap-11.html">SOAP 1.1</a></li><li><a shape="rect" 
href="soap-12.html">SOAP 1.2</a></li></ul></li><li><a shape="rect" 
href="service-routi
 ng.html">Service Routing</a></li><li><a shape="rect" 
href="dynamic-languages.html">Dynamic Languages</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="javascript.html">JavaScript</a></li><li><a shape="rect" 
href="javascript-clients.html">JavaScript Clients</a></li></ul></li><li><a 
shape="rect" href="ws-support.html">WS-* Support</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="ws-addressing.html">WS-Addressing</a></li><li><a shape="rect" 
href="ws-discovery.html">WS-Discovery</a></li><li><a shape="rect" 
href="ws-metadataexchange.html">WS-MetadataExchange</a></li><li><a shape="rect" 
href="ws-policy.html">WS-Policy</a></li><li><a shape="rect" 
href="ws-reliablemessaging.html">WS-ReliableMessaging</a></li><li><a 
shape="rect" 
href="ws-secureconversation.html">WS-SecureConversation</a></li><li><a 
shape="rect" href="ws-security.html">WS-Security</a></li><li><a shape="rect" 
href="ws-securitypolicy.html">WS-SecurityPolicy</a></li><li><a shape="rect" 
href="ws-trust.html">WS-Tr
 ust</a></li></ul></li><li><a shape="rect" href="security.html">Security</a><ul 
class="childpages-macro"><li><a shape="rect" href="jaxrs-kerberos.html">JAXRS 
Kerberos</a></li><li><a shape="rect" href="saml-web-sso.html">SAML Web 
SSO</a></li></ul></li><li><a shape="rect" 
href="advanced-integration.html">Advanced Integration</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="features.html">Features</a></li><li><a shape="rect" 
href="interceptors.html">Interceptors</a></li><li><a shape="rect" 
href="invokers.html">Invokers</a></li><li><a shape="rect" 
href="multiplexed-endpointreferences.html">Multiplexed 
EndpointReferences</a></li><li><a shape="rect" 
href="server-service-and-client-factorybeans.html">Server, Service, and Client 
FactoryBeans</a></li></ul></li><li><a shape="rect" 
href="deployment.html">Deployment</a><ul class="childpages-macro"><li><a 
shape="rect" 
href="application-server-specific-configuration-guide.html">Application Server 
Specific Configuration Guide</a></li><li><
 a shape="rect" href="embedding-cxf-inside-spring.html">Embedding CXF inside 
Spring</a></li><li><a shape="rect" 
href="using-cxf-and-cdi-1112-jsr-346-in-osgi-environment.html">Using CXF and 
CDI 1.1/1.2 (JSR-346) in OSGi environment</a></li><li><a shape="rect" 
href="using-cxf-and-cdi-11-jsr-346.html">Using CXF and CDI 1.1 
(JSR-346)</a></li><li><a shape="rect" 
href="using-cxf-jca-rar-in-application-server.html">Using CXF-JCA RAR in 
Application Server</a></li></ul></li><li><a shape="rect" 
href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li><li><a 
shape="rect" href="javadoc.html">Javadoc</a></li></ul><h3 
id="Index-OtherSourcesofDocumentationandInformation">Other Sources of 
Documentation and Information</h3><p>There are several companies that provide 
extra documentation, examples, tutorials, etc... that users may find useful. 
See the <a shape="rect" 
href="http://cxf.apache.org/commercial-cxf-offerings.html";>Commercial CXF 
Offerings</a> page for more details.</p><p>Also
 , many users have created excellent blog posts and other articles that may 
provide extra information. See the <a shape="rect" 
href="http://cxf.apache.org/resources-and-articles.html";>Resources and 
Articles</a> page for a listing.</p><h2 id="Index-DeveloperGuide">Developer 
Guide</h2><ul><li><a shape="rect" href="cxf-architecture.html">CXF 
Architecture</a></li><li><a shape="rect" 
href="configuration-for-developers.html">Configuration for 
Developers</a></li><li><a shape="rect" href="cxf-dependency-graphs.html">CXF 
Dependency Graphs</a></li><li><a shape="rect" 
href="documentation-todos.html">Documentation TODOs</a></li></ul></div>
+</div><ul><li><a shape="rect" href="overview.html">Overview</a><ul 
class="childpages-macro"><li><a shape="rect" href="why-cxf.html">Why 
CXF?</a></li><li><a shape="rect" 
href="how-do-i-integrate-my-application-with-cxf.html">How do I integrate my 
application with CXF</a> &#8212; <span class="smalltext">A meta guide to 
integrating your application with CXF - including Bindings, Transports, 
Interceptors, etc</span></li><li><a shape="rect" 
href="how-do-i-develop-a-service.html">How do I develop a service?</a> &#8212; 
<span class="smalltext">A meta guide to your options with CXF</span></li><li><a 
shape="rect" href="how-do-i-develop-a-client.html">How do I develop a 
client?</a> &#8212; <span class="smalltext">A meta guide to your options with 
CXF</span></li></ul></li><li><a shape="rect" href="how-tos.html">How-Tos</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="writing-a-service-with-spring.html">Writing a service with 
Spring</a></li><li><a shape="rect" href="a-simple-jax-ws-ser
 vice.html">A simple JAX-WS service</a></li><li><a shape="rect" 
href="running-a-service-in-tomcat-on-zos.html">Running a service in Tomcat on 
zOS</a></li><li><a shape="rect" 
href="defining-contract-first-webservices-with-wsdl-generation-from-java.html">Defining
 Contract first webservices with wsdl generation from java</a></li><li><a 
shape="rect" href="migration-guides.html">Migration Guides</a></li><li><a 
shape="rect" href="sample-projects.html">Sample 
Projects</a></li></ul></li><li><a shape="rect" 
href="frontends.html">Frontends</a><ul class="childpages-macro"><li><a 
shape="rect" href="annotations.html">Annotations</a></li><li><a shape="rect" 
href="dynamic-clients.html">Dynamic Clients</a></li><li><a shape="rect" 
href="jax-ws.html">JAX-WS</a><ul class="childpages-macro"><li><a shape="rect" 
href="developing-a-consumer.html">Developing a Consumer</a></li><li><a 
shape="rect" href="developing-a-service.html">Developing a 
Service</a></li><li><a shape="rect" href="jax-ws-configuration.htm
 l">JAX-WS Configuration</a></li><li><a shape="rect" 
href="jax-ws-dispatch-api.html">JAX-WS Dispatch API</a></li><li><a shape="rect" 
href="provider-services.html">Provider Services</a></li><li><a shape="rect" 
href="webservicecontext.html">WebserviceContext</a></li></ul></li><li><a 
shape="rect" href="simple.html">Simple</a><ul class="childpages-macro"><li><a 
shape="rect" href="simple-frontend.html">Simple Frontend</a></li><li><a 
shape="rect" href="simple-frontend-configuration.html">Simple Frontend 
Configuration</a></li></ul></li></ul></li><li><a shape="rect" 
href="databindings.html">DataBindings</a><ul class="childpages-macro"><li><a 
shape="rect" href="aegis-21.html">Aegis (2.1)</a> &#8212; <span 
class="smalltext">For CXF 2.1 or newer</span></li><li><a shape="rect" 
href="aegis-databinding-20x.html">Aegis Databinding (2.0.x)</a> &#8212; <span 
class="smalltext">For CXF up to 2.0.x</span></li><li><a shape="rect" 
href="jaxb.html">JAXB</a></li><li><a shape="rect" href="mtom-attachments-wi
 th-jaxb.html">MTOM Attachments with JAXB</a></li><li><a shape="rect" 
href="sdo.html">SDO</a></li><li><a shape="rect" 
href="xmlbeans.html">XMLBeans</a></li></ul></li><li><a shape="rect" 
href="transports.html">Transports</a><ul class="childpages-macro"><li><a 
shape="rect" href="http-transport.html">HTTP Transport</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="asynchronous-client-http-transport.html">Asynchronous Client HTTP 
Transport</a></li><li><a shape="rect" 
href="client-http-transport-including-ssl-support.html">Client HTTP Transport 
(including SSL support)</a></li><li><a shape="rect" 
href="jetty-configuration.html">Jetty Configuration</a></li><li><a shape="rect" 
href="server-http-transport.html">Server HTTP Transport</a></li><li><a 
shape="rect" href="servlet-transport.html">Servlet Transport</a></li><li><a 
shape="rect" href="standalone-http-transport.html">Standalone HTTP 
Transport</a></li></ul></li><li><a shape="rect" href="jms-transport.html">JMS 
Transport</a><ul cla
 ss="childpages-macro"><li><a shape="rect" 
href="cxf-2x-jms-configuration-removed-in-cxf-3.html">CXF 2.x JMS configuration 
(removed in CXF 3)</a></li><li><a shape="rect" 
href="jms-performance-and-pooling.html">JMS performance and 
pooling</a></li><li><a shape="rect" href="jms-transactions.html">JMS 
transactions</a></li><li><a shape="rect" 
href="soap-over-jms-10-support.html">SOAP over JMS 1.0 support</a></li><li><a 
shape="rect" href="using-the-jmsconfigfeature.html">Using the 
JMSConfigFeature</a></li></ul></li><li><a shape="rect" 
href="local-transport.html">Local Transport</a></li><li><a shape="rect" 
href="udp-transport.html">UDP Transport</a><ul class="childpages-macro"><li><a 
shape="rect" href="soap-over-udp.html">SOAP over UDP</a></li></ul></li><li><a 
shape="rect" href="custom-transport.html">Custom Transport</a></li><li><a 
shape="rect" href="coloc-feature.html">Coloc Feature</a></li><li><a 
shape="rect" href="apache-camel-transport.html">Apache Camel 
Transport</a></li><li><a shape=
 "rect" href="websocket.html">WebSocket</a></li></ul></li><li><a shape="rect" 
href="configuration.html">Configuration</a><ul class="childpages-macro"><li><a 
shape="rect" href="bus-configuration.html">Bus Configuration</a></li><li><a 
shape="rect" href="featureslist.html">FeaturesList</a></li><li><a shape="rect" 
href="jmx-management.html">JMX Management</a></li><li><a shape="rect" 
href="wsaconfiguration.html">WSAConfiguration</a></li><li><a shape="rect" 
href="wspconfiguration.html">WSPConfiguration</a></li><li><a shape="rect" 
href="wsrmconfiguration.html">WSRMConfiguration</a></li></ul></li><li><a 
shape="rect" href="debugging-and-logging.html">Debugging and 
Logging</a></li><li><a shape="rect" href="tools.html">Tools</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="cxf-tools-in-eclipse.html">CXF tools in Eclipse</a></li><li><a 
shape="rect" href="idl-to-wsdl.html">IDL to WSDL</a></li><li><a shape="rect" 
href="java-to-javascript.html">Java to Javascript</a></li><li><a shape="rect
 " href="java-to-ws.html">Java to WS</a></li><li><a shape="rect" 
href="java-to-wsdl.html">Java to WSDL</a></li><li><a shape="rect" 
href="maven-cxf-codegen-plugin-wsdl-to-java.html">Maven cxf-codegen-plugin 
(WSDL to Java)</a></li><li><a shape="rect" 
href="maven-java2wsdl-plugin-cxf-20x-only-removed-in-21-and-replaced-with-java2ws.html">Maven
 Java2WSDL plugin (CXF 2.0.x only.  Removed in 2.1 and replaced with 
Java2WS)</a></li><li><a shape="rect" href="maven-java2ws-plugin.html">Maven 
Java2WS plugin</a></li><li><a shape="rect" 
href="using-cxf-with-maven.html">Using CXF with maven</a></li><li><a 
shape="rect" href="wsdl-to-corba.html">WSDL to CORBA</a></li><li><a 
shape="rect" href="wsdl-to-java.html">WSDL to Java</a></li><li><a shape="rect" 
href="wsdl-to-javascript.html">WSDL to Javascript</a></li><li><a shape="rect" 
href="wsdl-to-service.html">WSDL to Service</a></li><li><a shape="rect" 
href="wsdl-to-soap.html">WSDL to SOAP</a></li><li><a shape="rect" 
href="wsdl-to-xml.html">WSDL to XML<
 /a></li><li><a shape="rect" 
href="wsdlvalidator.html">WSDLValidator</a></li><li><a shape="rect" 
href="xsd-to-wsdl.html">XSD to WSDL</a></li></ul></li><li><a shape="rect" 
href="restful-services.html">RESTful Services</a><ul 
class="childpages-macro"><li><a shape="rect" href="http-binding.html">HTTP 
Binding</a></li><li><a shape="rect" href="jax-rs.html">JAX-RS</a></li><li><a 
shape="rect" href="jax-rs-jsr-311.html">JAX-RS (JSR-311)</a></li><li><a 
shape="rect" href="rest-with-jax-ws-provider-and-dispatch.html">REST with 
JAX-WS Provider and Dispatch</a></li><li><a shape="rect" 
href="json-support.html">JSON Support</a></li></ul></li><li><a shape="rect" 
href="wsdl-bindings.html">WSDL Bindings</a><ul class="childpages-macro"><li><a 
shape="rect" href="mtom.html">MTOM</a></li><li><a shape="rect" 
href="pure-xml.html">Pure XML</a></li><li><a shape="rect" 
href="soap-11.html">SOAP 1.1</a></li><li><a shape="rect" 
href="soap-12.html">SOAP 1.2</a></li></ul></li><li><a shape="rect" 
href="service-routi
 ng.html">Service Routing</a></li><li><a shape="rect" 
href="dynamic-languages.html">Dynamic Languages</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="javascript.html">JavaScript</a></li><li><a shape="rect" 
href="javascript-clients.html">JavaScript Clients</a></li></ul></li><li><a 
shape="rect" href="ws-support.html">WS-* Support</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="ws-addressing.html">WS-Addressing</a></li><li><a shape="rect" 
href="ws-discovery.html">WS-Discovery</a></li><li><a shape="rect" 
href="ws-metadataexchange.html">WS-MetadataExchange</a></li><li><a shape="rect" 
href="ws-policy.html">WS-Policy</a></li><li><a shape="rect" 
href="ws-reliablemessaging.html">WS-ReliableMessaging</a></li><li><a 
shape="rect" 
href="ws-secureconversation.html">WS-SecureConversation</a></li><li><a 
shape="rect" href="ws-security.html">WS-Security</a></li><li><a shape="rect" 
href="ws-securitypolicy.html">WS-SecurityPolicy</a></li><li><a shape="rect" 
href="ws-trust.html">WS-Tr
 ust</a></li></ul></li><li><a shape="rect" href="security.html">Security</a><ul 
class="childpages-macro"><li><a shape="rect" href="jaxrs-kerberos.html">JAXRS 
Kerberos</a></li><li><a shape="rect" href="saml-web-sso.html">SAML Web 
SSO</a></li><li><a shape="rect" href="security-configuration.html">Security 
Configuration</a></li></ul></li><li><a shape="rect" 
href="advanced-integration.html">Advanced Integration</a><ul 
class="childpages-macro"><li><a shape="rect" 
href="features.html">Features</a></li><li><a shape="rect" 
href="interceptors.html">Interceptors</a></li><li><a shape="rect" 
href="invokers.html">Invokers</a></li><li><a shape="rect" 
href="multiplexed-endpointreferences.html">Multiplexed 
EndpointReferences</a></li><li><a shape="rect" 
href="server-service-and-client-factorybeans.html">Server, Service, and Client 
FactoryBeans</a></li></ul></li><li><a shape="rect" 
href="deployment.html">Deployment</a><ul class="childpages-macro"><li><a 
shape="rect" href="application-server-specific-c
 onfiguration-guide.html">Application Server Specific Configuration 
Guide</a></li><li><a shape="rect" 
href="embedding-cxf-inside-spring.html">Embedding CXF inside 
Spring</a></li><li><a shape="rect" 
href="using-cxf-and-cdi-1112-jsr-346-in-osgi-environment.html">Using CXF and 
CDI 1.1/1.2 (JSR-346) in OSGi environment</a></li><li><a shape="rect" 
href="using-cxf-and-cdi-11-jsr-346.html">Using CXF and CDI 1.1 
(JSR-346)</a></li><li><a shape="rect" 
href="using-cxf-jca-rar-in-application-server.html">Using CXF-JCA RAR in 
Application Server</a></li></ul></li><li><a shape="rect" 
href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li><li><a 
shape="rect" href="javadoc.html">Javadoc</a></li></ul><h3 
id="Index-OtherSourcesofDocumentationandInformation">Other Sources of 
Documentation and Information</h3><p>There are several companies that provide 
extra documentation, examples, tutorials, etc... that users may find useful. 
See the <a shape="rect" href="http://cxf.apache.org/commerc
 ial-cxf-offerings.html">Commercial CXF Offerings</a> page for more 
details.</p><p>Also, many users have created excellent blog posts and other 
articles that may provide extra information. See the <a shape="rect" 
href="http://cxf.apache.org/resources-and-articles.html";>Resources and 
Articles</a> page for a listing.</p><h2 id="Index-DeveloperGuide">Developer 
Guide</h2><ul><li><a shape="rect" href="cxf-architecture.html">CXF 
Architecture</a></li><li><a shape="rect" 
href="configuration-for-developers.html">Configuration for 
Developers</a></li><li><a shape="rect" href="cxf-dependency-graphs.html">CXF 
Dependency Graphs</a></li><li><a shape="rect" 
href="documentation-todos.html">Documentation TODOs</a></li></ul></div>
            </div>
            <!-- Content -->
          </td>

Modified: websites/production/cxf/content/docs/jax-rs-saml.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-saml.html (original)
+++ websites/production/cxf/content/docs/jax-rs-saml.html Fri Apr 24 14:46:55 
2015
@@ -117,23 +117,23 @@ Apache CXF -- JAX-RS SAML
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div 
id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;</p><p></p><p><span 
class="inline-first-p" style="font-size:2em;font-weight:bold"> JAX-RS: SAML 
</span></p><p></p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1419015866024 {padding: 0px;}
-div.rbtoc1419015866024 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1419015866024 li {margin-left: 0px;padding-left: 0px;}
+<div 
id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;<span 
class="inline-first-p" style="font-size:2em;font-weight:bold">JAX-RS: 
SAML</span>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
+div.rbtoc1429886791424 {padding: 0px;}
+div.rbtoc1429886791424 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1429886791424 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1419015866024">
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSSAML-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSSAML-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" href="#JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML 
assertions</a></li><li><a shape="rect" 
href="#JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in 
Authorization header</a></li><li><a shape="rect" 
href="#JAX-RSSAML-SAMLassertionsasFormvalues">SAML assertions as Form 
values</a></li><li><a shape="rect" 
href="#JAX-RSSAML-CreatingSAMLAssertions">Creating SAML 
Assertions</a></li><li><a shape="rect" 
href="#JAX-RSSAML-SAMLAssertionValidation">SAML Assertion 
Validation</a></li><li><a shape="rect" 
href="#JAX-RSSAML-SAMLAuthorization">SAML Authorization</a>
+/*]]>*/</style></p><div class="toc-macro rbtoc1429886791424">
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSSAML-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSSAML-Backwardscompatibilityconfigurationnote">Backwards 
compatibility configuration note</a></li><li><a shape="rect" 
href="#JAX-RSSAML-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" href="#JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML 
assertions</a></li><li><a shape="rect" 
href="#JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in 
Authorization header</a></li><li><a shape="rect" 
href="#JAX-RSSAML-SAMLassertionsasFormvalues">SAML assertions as Form 
values</a></li><li><a shape="rect" 
href="#JAX-RSSAML-CreatingSAMLAssertions">Creating SAML 
Assertions</a></li><li><a shape="rect" 
href="#JAX-RSSAML-SAMLAssertionValidation">SAML Assertion 
Validation</a></li><li><a shape="rect" 
href="#JAX-RSSAML-SAMLAuthorization">SAML Authorization</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSSAML-ClaimsBasedAccessControl">Claims Based Access 
Control</a></li><li><a shape="rect" 
href="#JAX-RSSAML-RoleBasedAccessControl">Role Based Access 
Control</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSSAML-SAMLWebSSOProfile">SAML Web SSO 
Profile</a></li></ul>
-</div><h1 id="JAX-RSSAML-Introduction">Introduction</h1><p>CXF 2.5.0 
introduces an initial support for working with <a shape="rect" 
class="external-link" href="http://en.wikipedia.org/wiki/SAML_2.0"; 
rel="nofollow">SAML2</a> assertions. So far the main focus has been put on 
making sure SAML assertions can be included in HTTP requests targeted at 
application endpoints: embedded inside XML payloads or passed as encoded HTTP 
header or form values.</p><p>See also <a shape="rect" 
href="jax-rs-xml-security.html">JAX-RS XML Security</a>.</p><h1 
id="JAX-RSSAML-Mavendependencies">Maven dependencies</h1><div class="code panel 
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h1 id="JAX-RSSAML-Introduction">Introduction</h1><p>CXF 2.5.0 
introduces an initial support for working with <a shape="rect" 
class="external-link" href="http://en.wikipedia.org/wiki/SAML_2.0"; 
rel="nofollow">SAML2</a> assertions. So far the main focus has been put on 
making sure SAML assertions can be included in HTTP requests targeted at 
application endpoints: embedded inside XML payloads or passed as encoded HTTP 
header or form values.</p><p>See also <a shape="rect" 
href="jax-rs-xml-security.html">JAX-RS XML Security</a>.</p><h1 
id="JAX-RSSAML-Backwardscompatibilityconfigurationnote">Backwards compatibility 
configuration note</h1><p>From Apache CXF 3.1.0, the WS-Security based 
configuration tags used to configure XML Signature or Encryption 
("ws-security-*") have been changed to just start with "security-". Apart from 
this they are exactly the same. Older "ws-security-" values continue to be 
accepted in CXF 3.1.0. To use any of the configuration examples in this page 
with an
  older version of CXF, simply add a "ws-" prefix to the configuration 
tag.</p><h1 id="JAX-RSSAML-Mavendependencies">Maven dependencies</h1><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" 
type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-xml&lt;/artifactId&gt;
   &lt;version&gt;2.5.0&lt;/version&gt;
 &lt;/dependency&gt;
 ]]></script>
-</div></div><p>This module depends on CXF WS-Security and Apache WSS4J 
modules, due to them containing a lot of useful utility code.<br clear="none"> 
We will see in time if it will make sense to exclude such dependencies or 
not.</p><h1 id="JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML 
assertions</h1><p>Payload:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
+</div></div><p>This module depends on Apache WSS4J, as it contains a lot of 
useful utility code based around OpenSAML.</p><h1 
id="JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML 
assertions</h1><p>Payload:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" 
type="syntaxhighlighter"><![CDATA[&lt;env:Envelope 
xmlns:env=&quot;http://org.apache.cxf/rs/env&quot;&gt;
 
 &lt;Book ID=&quot;67ca6441-0c4e-4430-af0e-9463ce9226aa&quot;&gt;
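Review bot: The new "Backwards compatibility configuration note" paragraph writes the prefixes as "ws-security-*" and "security-", with a trailing hyphen, but every key changed in this commit uses a dot separator ("ws-security.signature.properties" becomes "security.signature.properties"). Suggest writing the prefixes as "ws-security." and "security." so a reader searching for the literal prefix finds the keys. The sentence "Older "ws-security-" values continue to be accepted" also refers to keys rather than values, and it would help to say whether the old keys are deprecated or supported indefinitely.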
@@ -255,29 +255,25 @@ div.rbtoc1419015866024 li {margin-left:
        &lt;/jaxrs:providers&gt;
        
        &lt;jaxrs:properties&gt;
-           &lt;entry key=&quot;ws-security.signature.properties&quot; 
+           &lt;entry key=&quot;security.signature.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
        &lt;/jaxrs:properties&gt;
         
     &lt;/jaxrs:server&gt;
 ]]></script>
 </div></div><p>Client code:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String 
address, 
-                                  boolean selfSigned) {
+<script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String 
address) {
   JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
   bean.setAddress(address);
   
   Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();
-  properties.put(&quot;ws-security.callback-handler&quot;, 
+  properties.put(&quot;security.callback-handler&quot;, 
                 
&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;);
-  properties.put(&quot;ws-security.saml-callback-handler&quot;, 
+  properties.put(&quot;security.saml-callback-handler&quot;, 
                  
&quot;org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler&quot;);
-  properties.put(&quot;ws-security.signature.username&quot;, 
&quot;alice&quot;);
-  properties.put(&quot;ws-security.signature.properties&quot;, 
+  properties.put(&quot;security.signature.username&quot;, &quot;alice&quot;);
+  properties.put(&quot;security.signature.properties&quot;, 
                  
&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;);
-  if (selfSigned) {
-     properties.put(&quot;ws-security.self-sign-saml-assertion&quot;, 
&quot;true&quot;);
-  }
   bean.setProperties(properties);
         
   bean.getOutInterceptors().add(new SamlEnvelopedOutInterceptor(!selfSigned));
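Review bot: The client example no longer compiles as shown: the signature is reduced to createWebClient(String address), but the unchanged line "bean.getOutInterceptors().add(new SamlEnvelopedOutInterceptor(!selfSigned));" still reads the removed selfSigned parameter. Either keep the parameter or replace the argument with the literal the example is meant to demonstrate, and say in the surrounding text what that boolean controls now that the self-sign property is gone.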
@@ -288,10 +284,22 @@ div.rbtoc1419015866024 li {margin-left:
   return bean.createWebClient();
 }
 ]]></script>
-</div></div><p>In the above code, the "ws-security.self-sign-saml-assertion" 
property, if set to true, will require SamlEnvelopedOutInterceptor to get a 
SAML assertion self-signed, by adding an enveloped signature to it. When we 
also need to sign the application payload such as Book we need to make sure 
that a detached XML signature for Book is created. When the whole envelope is 
signed then SamlEnvelopedOutInterceptor needs to be placed before 
XmlSigOutInterceptor hence the "new SamlEnvelopedOutInterceptor(!selfSigned)" 
constructor is invoked.</p><h1 
id="JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in 
Authorization header</h1><p>Logging output:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>When we also need to sign the application payload such as Book 
we need to make sure that a detached XML signature for Book is created. When 
the whole envelope is signed then SamlEnvelopedOutInterceptor needs to be 
placed before XmlSigOutInterceptor hence the "new 
SamlEnvelopedOutInterceptor(!selfSigned)" constructor is invoked.</p><h1 
id="JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in 
Authorization header</h1><p>Logging output:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[Address: 
https://localhost:9000/samlheader/bookstore/books/123
 Http-Method: GET
-Headers: {Accept=[application/xml], Authorization=[SAML 
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
 
3m2xvkV9CuihJs1TpN4PcnlW6MPWD772XO4BXxHNdaHPnwnI3XgYxOiyV6xlMYt7P9aTJnqBzOLIk/no3Ve8k7afmmFyDyU8OlJP6XHuIXxKdpdrPV5njlxkehg4sDb7ZXj9zJv/7C/tUTd9Z+WGFiv5Z4LPO8rn9hz5eSH8X9R+j3ONJZFNu/b8Ej59cwY1CFiLtLmYCfmXvhdIgyKXENBh7ubfCmvq9/El7/AXoseyE=],
 ...}
+Headers: {Accept=[application/xml], Authorization=[SAML 
eJydV1mTokgQfu9fYTCPrs2htGKMHVEcKq2gKOLxsoFQAsqhFAjNr99CW1ud7t2ZjdAwMisr68s7/YnMwGfaACEYJ14UVmSxQ/z9wjUlBrRYiWZZiWVYlqPrDFVnmhTbwL80UZERSqEcosQMkw7BUDRdwx+qrtP1dp1qs41nLLciKgaMEVaLRZ4popIHfojapyc7RBqH7chEHmqHZgBRO7HaU6AM21iybV7wXO7kqEO4SbJvk2SWZc9Z/Tm
+KHZKhKJpcKMOp5cLA/JT1/lu45p3AWxDfQl47ed/DDvHgDB0zidefZ+7J4vi11IuwYs/eP8PcDPY+PGkvoTM/yTvZnzZqTz0nNJM0hh/g7O8MoUiKI7GMjTznB3G9C2053EQnUjDDKPQs0/cKs4SnwMSN7
+ArwnSj2Ejf41miaKhXXYG7VLLoR/iDIe2i/qegOYYzMGnJN+kPXBG5gDLE7K7OJ3CF+/HcKna7psRmiTRQH6J78MywwPEI/2kO7hi4mfcD6fYVfeOn1J7Tacmj5KfKOUC2TdG9aEFXGMdx4+dBDOPVzdEk
+7aP1RAMhbeA/k2Rui50CU/J/g3ATmrMQw/RS+Lod0s8c74oavDxsCSoueGs8H4zUQlp0TgFvhE+Ma1jP5kJDXBDrfABTXCxR7+UJ5clXM0XjN8LG9MQxG57bTMfB9rUkaXUNKJgsRzKl+f8R2q0qr/sLB+
+Ub3oGEPhrIMJTegkBOM+0E4nbCLjVXYXO6MHXYhDLMWtGjKtRtNGtirfrioTvXhhnM2zalRXdXDlVVPg2Oe0Sp4Ge/eWgdRiXQwOiZWtZEfjtSwm1aH46xzNecGf2nSAL5fzVuwFCeaiXklhLItbHAFJvB
+VkWWhtxUEsBw5IJN54MjS1Jg4QAcq7+wO7s7rcRnFA23WBSIolImSSdpSNDRtIGV71+p1t2Zvlq7rb+GTomWZ4JwOh1Km+uvAysUtUHhHNXig6PxcbawC1VX4xkLUrUwRpUzRAf7F326EeUoD8/KRDoonR
+dcylY4ypZB0hZd6gJ5JgqsMlgveXTKuPwy491UhKQqIzme5Iq7mbKhojUwEJxBYveGue/72aaULfFg8miR1ARjxWw1kznKHgUvgmDYbOLhTV2uxG/pF7E2thpy73NjY95z0XTrEAnoatA7coj9aLjifIx02k4SXlTVhutlGRZHZtwbqeGuzaKoXRsLPA2274aWNfMj0SfOYeu4of1f1TCqMTH4rno5Rc98izWW+qxo2n2j5oTHLoGxtSK+7m60V2lrRkbeYaIX
+lTXivKtC8JmgSdSiQADIJAFNpKuIuk3FQnowJNeX5KOvJ8lzfcbMFtRrPfE6b7TjJmKmz6YwbLWhDn+hgVgalP5EkUQdDx/HRmlGxr9yjVdcyUVu+PQ2ilYxJtfQTrwGx9I87zHZBtbVHg6ThhGtv1ysMS
+nf203nPmufzAQZYtBKZCV/cLmCP9Nbo981Gj3ty64gKc43RYVbACblrOoFjMEhutOqqEy/7gR4MB6bIzwuT2YN0lYqu1m/1gOS+mbtuMuDH1aokcLGq7ldP4eHQz/P6Yc0kc4Y9TBK+EIMBx9COw42VKFC
+sZnqYaOfqeMz4K/NcE+RttdxV02ViTtP1FlrJhSwbqCxWuri/mcn3459+pk8cz65tTqLtNER7aGEY0CYqpRYtxTMQk3GHKJtgEFm7GkrQsxUFxGvq2R1M1Czfg2HyV9S5Pb4M6DOWB6BCFG688sVyDzq33
+X/fUqygjWBow7h2jFK8VaBTX//SeKzb9krFqKJGCQ+xafCbvYl+wXsTFhqFoxhsktLKb+Uu6kFqe2WbnuD2HXtW+dDj0XVzQZ+LC/bI/eJyFX5k3CkmH236fCtxw2mCsyXAvq+cyH9dEvFOgI2dQlQuiTJ2Zd4haKbeYF+IO534qQTmyVc8wcfLIp5T5A3m2xvkV9CuihJs1TpN4PcnlW6MPWD772XO4BXxHNdaHPnwnI3XgYxOiyV6xlMYt7P
+9aTJnqBzOLIk/no3Ve8k7afmmFyDyU8OlJP6XHuIXxKdpdrPV5njlxkehg4sDb7ZXj9zJv/7C/tUTd9Z+WGFiv5Z4LPO8rn9hz5eSH8X9R+j3ONJZFNu/b8Ej59cwY1CFiLtLmYCfmXvhdIgyKXENBh7ub
+fCmvq9/El7/AXoseyE=], ...}
 ]]></script>
 </div></div><p>Note that the Authorization header has an encoded SAML 
Assertion as its value. The original SAML assertion has been optionally 
compressed using a deflated encoding and then base64-encoded. This encoded 
value can be signed itself - but it is not currently possible.</p><p>Server 
configuration is similar to the one from the Enveloped SAML Assertions section, 
the only difference is that a SAML handler needs to be replaced:</p><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" 
type="syntaxhighlighter"><![CDATA[    &lt;bean id=&quot;serviceBean&quot; 
class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
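Review bot: The rewritten paragraph after the enveloped client code still ends with 'hence the "new SamlEnvelopedOutInterceptor(!selfSigned)" constructor is invoked', although the sentence that explained self-signing was deleted and the example no longer declares selfSigned. Suggest rewording it to describe the constructor argument directly. In the same hunk the Authorization header value is now hard-wrapped across many added lines inside the CDATA block, so the rendered log sample shows line breaks inside a single header value; keep it on one line or truncate it with an ellipsis as the line that follows already does.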
@@ -300,22 +308,19 @@ Headers: {Accept=[application/xml], Auth
     &lt;!-- same as in the Enveloped SAML Assertions section --&gt; 
 ]]></script>
 </div></div><p>Client code:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String 
address, 
-                                  boolean selfSigned) {
+<script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String 
address) {
   JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
   bean.setAddress(address);
   
   Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();
-  properties.put(&quot;ws-security.callback-handler&quot;, 
+  properties.put(&quot;security.callback-handler&quot;, 
                 
&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;);
-  properties.put(&quot;ws-security.saml-callback-handler&quot;, 
+  properties.put(&quot;security.saml-callback-handler&quot;, 
                  
&quot;org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler&quot;);
-  properties.put(&quot;ws-security.signature.username&quot;, 
&quot;alice&quot;);
-  properties.put(&quot;ws-security.signature.properties&quot;, 
+  properties.put(&quot;security.signature.username&quot;, &quot;alice&quot;);
+  properties.put(&quot;security.signature.properties&quot;, 
                  
&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;);
-  if (selfSigned) {
-     properties.put(&quot;ws-security.self-sign-saml-assertion&quot;, 
&quot;true&quot;);
-  }
+
   bean.setProperties(properties);
         
   bean.getOutInterceptors().add(new SamlHeaderOutInterceptor());
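Review bot: The removal of the "ws-security.self-sign-saml-assertion" branch in this example is undocumented: the new compatibility note says the renamed keys are "exactly the same" apart from the prefix, yet no "security." counterpart of the self-sign key appears anywhere in the updated examples. Suggest a sentence stating whether self-signed assertions are still supported and, if so, how they are configured. The branch is also replaced by a lone added blank line before "bean.setProperties(properties);", which can be dropped.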
@@ -328,8 +333,20 @@ Headers: {Accept=[application/xml], Auth
 Encoding: ISO-8859-1
 Http-Method: POST
 Content-Type: application/x-www-form-urlencoded
-Headers: {Accept=[application/xml], Cache-Control=[no-cache], 
connection=[keep-alive], Content-Length=[2206], 
content-type=[application/x-www-form-urlencoded], Host=[localhost:9000], 
Pragma=[no-cache], User-Agent=[Apache CXF ${project.version}]}
-Payload: 
name=CXF&amp;id=125&amp;SAMLToken=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
 
XoIR4tUwT9P1KpReTCNj+ocwZMiKe7rUaRz46ZePlQcbHwRI/kVeYtLPt8WXOcPk4N2jy8WwC7yUHGvqWF2D6E+FcEv8Lh/qF8fE1u5pqczJyk6XQIcVBJttLRG7sX35R/xqJG28/vLBIXEs+0DqN61/486XlR3H/Efstueksiu3f9+Be8+s1E1KFSLpLmYCfmXvWdKgyKUkNBh7pbeiqvi9/El7+Adcbfqw=
+Headers: {Accept=[application/xml], Cache-Control=[no-cache], 
connection=[keep-alive], Content-Length=[2206], 
content-type=[application/x-www-form-urlencoded], 
+Host=[localhost:9000], Pragma=[no-cache], User-Agent=[Apache CXF 
${project.version}]}
+Payload: 
name=CXF&amp;id=125&amp;SAMLToken=eJydV1tzqkgQfs+vsDiPWcNFjWIdUzUIGqJgQMTLyxYOI6BclAFBfv0OGo16kt1ztkrL6p6eb77u6e5pf2Ir8Lk2wBjFiReFFVnsUH8zYqPFAAkwbOsZSK2eKLI1jqlxTY5p8P
+VnlqrIGKdIDnFihUmH4hiWrZIPUzPYWrtWa3ONJ2K3oComijGBJSZPDFXJAz/E7eORHSqNw3ZkYQ+3QytAuJ3A9hgowzaxbFtnPuc9Oe5QbpJs2zSdZdlTVnuKYofmGIalZ8pwDF0UWJ+23n8bV70jeYjILuy1k8MWdai7YBh
+ESb38PGmPHscvJS4mwJ69fUK5FWx9dEQvqXM/6RvbnzZujz0ntJI0Rh/k7O8cYWiGp4mNjT3nB3XZi2w5XEVHsWuFUehBy/cKq6SnoMSN7ArwnSj2Ejf41mmWKYGrKIdVyNbDHxR9S+03gW4YxtiqYtdiP7B0tEIxIuGsTHS5
+Q/347xQ6bjNiK8SrKA7wrfhnXFC4R360RXYVn136oPX7gF9E6eUngm05hH6KvT1SyyTdWhDhynuMVl4+9DBJ/Ryf0w7BP7oA+prenXiKhug5CCf/53KuLuYEYlp+il5qDTNiWU3Hz3qxkBCzn0aanw8K7TDvHAlcGx8Vl2s9i
+XcJeUmg046Q1/bNx0AVHltzNp3pb/KwtizS/nZmHNYYvG6A5G44Bj4bw4msaTYCi93Q5NfL1cBgoBvCw9DbS0GPm43UQnzfJW9JfzUs6nQ/nQh7zXb7EltbPTKPXvSeRSuvvu/LIHWEjTJqJfom5qCJn0W7lSxg34LSPlSMOm
+itOLyUDNc2PGWpw169tTb5rHNx54p/6dIAHS7uzRoML1qJdRG6ZVtYkQpM0Isiy93+utsF85EDMlkAjiyNTd0BBlAFZ7NzN16fzxgBaJMeEEGh6EomaXPR1LSBlG1d2O+trf4kXdbewgdFy7Kuc1wcSpnqLwOYi2ugCI5qCkA
+xhKlaXwSqqwj1mWjATBGlTDEA+SXfXkR0Sp3o8pEBigfF0DKVjTKlkAxFkPqAnUhdVxnMZ4I751x/GPCHRSEpCohOa7kiLqaNUNHqmQiOJAi86S77/vphYXSFsLh3SeoBMBLWGsic+YYQl8A+bdabtDl2tVZjxT6L/TGsy7nLv5vbvpMepF3cxQ+D1o6fvY7mM97naaeRSd3nBdS5XrZScWS9woH6vrYbeGwUZiJMA229EqSVvMsMvblPPXeUH1Qjkwozk9+Kh33U3LZoa55vHk1bSLR8V59kSIYr2uttJkuFhQs28ma6VkBPF7zHLitoXU1idgXug
+kwCwFKairjJZHIpD6bOjAUhyvqyPDU2/GTGLN4nPq9NNrxkTtTJeMKPZqxp6AaYlJfyqkuSaICh4/h4yakkVu4e1rRM1OZvD4NoIRNRLeMkaEAs4+MOs03w2NriQVJ3wqW36RcmYzjb8bQPp/l0QAgWrUTmwme3Bxp7dm2+vl
+r1Pv/g1jAT5hpnoKxAOr1pOoFjcliut2qqE89fAyMYDixRmBYWtwXpIhVd7bXVJ6X2Zm16yUB4f3yUunysqtvFQ7jbveZ5bbfkkinX2OmJUIjBgOdYx+HflShQYDPd6dqpOu4z/qI81QR9XS031XR+Mcfpco1gchbLBiqLlR7
+pb1by/fPPPrFHjWdXV0fTdhriLYKEBrKpSomipeQNJGLcocomGERwU8UJfoJRQL2knt0hQhX6HgqTv6LO9fL5gT5xuSPajcKVV55YzkGntvvvUwoM2hiFNoqr+yglUwU+9vUvnSfYtlcC44oaJQIirqFv5qYGT+YmYjQKRzFY
+JaWX39qd4UFqe2Wb1kn7jj1YHnS/dJlc8OfgQiJyO7hcjO8VN8D0vU+fZyVuOE5ItgQk9pWj+K9DYqtZDoljhMshUSahzDsUy9XqjWfqBpMclaA8+UrX9cmwSN4p+orz9Q76K2oXoIR4tUwT9P1KpReTCNj+ocwZMiKe7rUaR
+z46ZePlQcbHwRI/kVeYtLPt8WXOcPk4N2jy8WwC7yUHGvqWF2D6E+FcEv8Lh/qF8fE1u5pqczJyk6XQIcVBJttLRG7sX35R/xqJG28/vLBIXEs+0DqN61/486XlR3H/Efstueksiu3f9+Be8+s1E1KFSLpLmYCfmXvWdKgyKUkNBh7pbeiqvi9/El7+Adcbfqw=
 ]]></script>
 </div></div><p>Note that only form 'name' and 'id' fields will remain after 
the SAML handler processes a SAML assertion encoded in the SAMLToken form 
field. The original SAML assertion has been optionally compressed using a 
deflated encoding and then base64-encoded. This encoded value can be signed - 
but it is not currently possible.</p><p>Server configuration is similar to the 
one from the Enveloped SAML Assertions section, the only difference is that a 
SAML handler needs to be replaced:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" 
type="syntaxhighlighter"><![CDATA[    &lt;bean id=&quot;serviceBean&quot; 
class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
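Review bot: The form-submission log sample is now split across added lines in two places: the Headers map breaks before "Host=[localhost:9000]", and the SAMLToken value in the Payload is wrapped over a dozen lines. Because this sits inside a CDATA code block, the breaks render literally, and a token copied from the page will contain newlines that do not match the stated Content-Length=[2206]. Suggest keeping each of the two log entries on one logical line or shortening the token with an ellipsis. The unchanged sentence "This encoded value can be signed - but it is not currently possible" contradicts itself and could be fixed in the same pass.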
@@ -340,7 +357,7 @@ Payload: name=CXF&amp;id=125&amp;SAMLTok
 </div></div><p>The client code is the same as in the SAML assertions in 
Authorization header section except than an instance of SamlFormOutInterceptor 
has to be registered:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[bean.getOutInterceptors().add(new 
SamlFormOutInterceptor());
 ]]></script>
-</div></div><h1 id="JAX-RSSAML-CreatingSAMLAssertions">Creating SAML 
Assertions</h1><p>If you use CXF JAX-RS client API to experiment with SAML then 
all you need to do is to register an appropriate out interceptor as shown in 
the above code fragments. The interceptor will ensure that a SAML assertion is 
created and added inside the XML envelope, as a form or HTTP header value.<br 
clear="none"> All of the SAML output interceptors depend on a 
"ws-security.saml-callback-handler" property linking to a custom 
javax.security.auth.callback.Callback implementation which in its 
handle(Callbacks) method provides the information which is needed to create a 
SAML assertion to a org.apache.ws.security.saml.ext.SAMLCallback Callback 
instance, for example, see this <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java";>custom
 implementation</a>.</p><p>More involved 
 cases with SAML assertions being created by identity providers will be 
supported, with the help of CXF (WS) STSClient when needed.</p><h1 
id="JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</h1><p>When 
SAML assertions are received on the server side, they are validated to make 
sure that the enveloped signatures are correct. SubjectConfirmation methods 
(sender-vouches, holder-of-key, bearer) are also checked. <br clear="none"> The 
validation can be delegated to STS if needed. By default, server side SAML 
handlers have a "samlValidator" property set to an instance of 
org.apache.ws.security.validate.SamlAssertionValidator which does a thorough 
validation of the assertion. If needed 
org.apache.cxf.ws.security.trust.STSTokenValidator can be set instead which 
will use STS to validate the assertion.<br clear="none"> Custom validators 
extending WSS4J SamlAssertionValidator and doing the additional 
application-specific validation can be registered if needed.</p><p>Note the fact
  that the default validation relies a lot on the code heavily utilized by the 
WS-Security implementation should be of no concern - it is an example of the 
integration on its own in order to get the validation done. For example, WS-* 
STS are heavily used in the enterprise today and it simply makes a complete 
sense to rely on it to validate a SAML assertion if it is 
possible.</p><p>SubjectConfirmation sender-vouches and holder-of-key methods 
can be easily validated with enveloped SAML assertions given that the embedded 
SAML signatures and key info can be checked against the signature used to sign 
the envelope or a custom payload like Book.</p><p>At the moment these methods 
can not be properly validated when the assertion is provided in a header or in 
the form, the additional signature signing the encoded SAML token will be 
needed - this will be supported in due time. Use "bearer" in those 
cases.</p><h1 id="JAX-RSSAML-SAMLAuthorization">SAML Authorization</h1><p>SAML 
assertions may con
 tain so-called claims which are represented by a sequence of SAML 
AttributeStatements containing one or more Attributes, for example:</p><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
+</div></div><h1 id="JAX-RSSAML-CreatingSAMLAssertions">Creating SAML 
Assertions</h1><p>If you use CXF JAX-RS client API to experiment with SAML then 
all you need to do is to register an appropriate out interceptor as shown in 
the above code fragments. The interceptor will ensure that a SAML assertion is 
created and added inside the XML envelope, as a form or HTTP header value.<br 
clear="none"> All of the SAML output interceptors depend on a 
"security.saml-callback-handler" property linking to a custom 
javax.security.auth.callback.Callback implementation which in its 
handle(Callbacks) method provides the information which is needed to create a 
SAML assertion to a org.apache.ws.security.saml.ext.SAMLCallback Callback 
instance, for example, see this <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java";>custom
 implementation</a>.</p><p>More involved cas
 es with SAML assertions being created by identity providers will be supported, 
with the help of CXF (WS) STSClient when needed.</p><h1 
id="JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</h1><p>When 
SAML assertions are received on the server side, they are validated to make 
sure that the enveloped signatures are correct. SubjectConfirmation methods 
(sender-vouches, holder-of-key, bearer) are also checked. <br clear="none"> The 
validation can be delegated to STS if needed. By default, server side SAML 
handlers have a "samlValidator" property set to an instance of 
org.apache.ws.security.validate.SamlAssertionValidator which does a thorough 
validation of the assertion. If needed 
org.apache.cxf.ws.security.trust.STSTokenValidator can be set instead which 
will use STS to validate the assertion.<br clear="none"> Custom validators 
extending WSS4J SamlAssertionValidator and doing the additional 
application-specific validation can be registered if needed.</p><p>Note the 
fact th
 at the default validation relies a lot on the code heavily utilized by the 
WS-Security implementation should be of no concern - it is an example of the 
integration on its own in order to get the validation done. For example, WS-* 
STS are heavily used in the enterprise today and it simply makes a complete 
sense to rely on it to validate a SAML assertion if it is 
possible.</p><p>SubjectConfirmation sender-vouches and holder-of-key methods 
can be easily validated with enveloped SAML assertions given that the embedded 
SAML signatures and key info can be checked against the signature used to sign 
the envelope or a custom payload like Book.</p><p>At the moment these methods 
can not be properly validated when the assertion is provided in a header or in 
the form, the additional signature signing the encoded SAML token will be 
needed - this will be supported in due time. Use "bearer" in those 
cases.</p><h1 id="JAX-RSSAML-SAMLAuthorization">SAML Authorization</h1><p>SAML 
assertions may contai
 n so-called claims which are represented by a sequence of SAML 
AttributeStatements containing one or more Attributes, for example:</p><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" 
type="syntaxhighlighter"><![CDATA[&lt;saml2:Assertion&gt;
  &lt;!-- ... --&gt;
  &lt;saml2:AttributeStatement&gt;
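Review bot: In the "Creating SAML Assertions" paragraph touched here, the property is described as linking to "a custom javax.security.auth.callback.Callback implementation which in its handle(Callbacks) method" supplies the assertion data; handle(Callback[]) is declared on javax.security.auth.callback.CallbackHandler, not on Callback, so the type name should be corrected while this line is being edited. The paragraph also keeps the class names org.apache.ws.security.saml.ext.SAMLCallback and org.apache.ws.security.validate.SamlAssertionValidator unchanged; please confirm those packages still match the WSS4J version that CXF 3.1.0 depends on, since the page now targets 3.1.0 key names.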

Modified: websites/production/cxf/content/docs/jax-rs-xml-security.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-xml-security.html (original)
+++ websites/production/cxf/content/docs/jax-rs-xml-security.html Fri Apr 24 
14:46:55 2015
@@ -117,13 +117,13 @@ Apache CXF -- JAX-RS XML Security
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p></p><p></p><p><span class="inline-first-p" 
style="font-size:2em;font-weight:bold"> JAX-RS: XML Security 
</span></p><p></p><p></p><p></p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1419015873155 {padding: 0px;}
-div.rbtoc1419015873155 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1419015873155 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;<span 
class="inline-first-p" style="font-size:2em;font-weight:bold">JAX-RS: XML 
Security</span>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
+div.rbtoc1429886791674 {padding: 0px;}
+div.rbtoc1429886791674 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1429886791674 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1419015873155">
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSXMLSecurity-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSXMLSecurity-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" href="#JAX-RSXMLSecurity-XMLSignature">XML Signature</a>
+/*]]>*/</style></p><div class="toc-macro rbtoc1429886791674">
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSXMLSecurity-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSXMLSecurity-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" 
href="#JAX-RSXMLSecurity-Backwardscompatibilityconfigurationnote">Backwards 
compatibility configuration note</a></li><li><a shape="rect" 
href="#JAX-RSXMLSecurity-XMLSignature">XML Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSXMLSecurity-Envelopedsignatures">Enveloped 
signatures</a></li><li><a shape="rect" 
href="#JAX-RSXMLSecurity-Envelopingsignatures">Enveloping 
signatures</a></li><li><a shape="rect" 
href="#JAX-RSXMLSecurity-Detachedsignatures">Detached signatures</a></li><li><a 
shape="rect" href="#JAX-RSXMLSecurity-Customizingthesignature">Customizing the 
signature</a></li><li><a shape="rect" 
href="#JAX-RSXMLSecurity-SignatureKeyInfoValidation">Signature Key Info 
Validation</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSXMLSecurity-XMLEncryption">XML 
Encryption</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSXMLSecurity-Usingtherequestsignaturecertificatesfortheencryption">Using
 the request signature certificates for the encryption</a></li><li><a 
shape="rect" href="#JAX-RSXMLSecurity-Customizingtheencryption">Customizing the 
encryption</a></li><li><a shape="rect" 
href="#JAX-RSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM Algorithm and 
BouncyCastle provider</a></li></ul>
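Review bot: The new table-of-contents entry "Backwards compatibility configuration note" is placed after "Maven dependencies" here, while the same entry in jax-rs-saml.html in this commit is placed before "Maven dependencies". Suggest using one position on both pages, preferably directly after the Introduction, so the key-prefix note is read before the first configuration example.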
@@ -135,7 +135,7 @@ div.rbtoc1419015873155 li {margin-left:
   &lt;version&gt;2.5.2&lt;/version&gt;
 &lt;/dependency&gt;
 ]]></script>
-</div></div><h1 id="JAX-RSXMLSecurity-XMLSignature">XML Signature</h1><p><a 
shape="rect" class="external-link" href="http://www.w3.org/TR/xmldsig-core/"; 
rel="nofollow">XML Signature</a> defines 3 types of signatures: enveloped, 
enveloping and detached. All the three types are supported by CXF 
JAX-RS.</p><p><strong>New</strong> Starting from CXF 2.5.2 it is also possible 
to add XML Signatures on the server side and get them validated on the client 
side.</p><h2 id="JAX-RSXMLSecurity-Envelopedsignatures">Enveloped 
signatures</h2><p>Payload:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
+</div></div><h1 
id="JAX-RSXMLSecurity-Backwardscompatibilityconfigurationnote">Backwards 
compatibility configuration note</h1><p>From Apache CXF 3.1.0, the WS-Security 
based configuration tags used to configure XML Signature or Encryption 
("ws-security-*") have been changed to just start with "security-". Apart from 
this they are exactly the same. Older "ws-security-" values continue to be 
accepted in CXF 3.1.0. To use any of the configuration examples in this page 
with an older version of CXF, simply add a "ws-" prefix to the configuration 
tag.</p><h1 id="JAX-RSXMLSecurity-XMLSignature">XML Signature</h1><p><a 
shape="rect" class="external-link" href="http://www.w3.org/TR/xmldsig-core/"; 
rel="nofollow">XML Signature</a> defines 3 types of signatures: enveloped, 
enveloping and detached. All the three types are supported by CXF 
JAX-RS.</p><p><strong>New</strong> Starting from CXF 2.5.2 it is also possible 
to add XML Signatures on the server side and get them validated on the client 
sid
 e.</p><h2 id="JAX-RSXMLSecurity-Envelopedsignatures">Enveloped 
signatures</h2><p>Payload:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" 
type="syntaxhighlighter"><![CDATA[&lt;Book 
ID=&quot;4bd59819-7b78-47a5-bb61-cc08348e9d48&quot;&gt;
    &lt;id&gt;126&lt;/id&gt;
    &lt;name&gt;CXF&lt;/name&gt;
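Review bot: The compatibility note added at the top of this hunk writes the old and new tags with a trailing hyphen ("ws-security-*" and "security-"), but the keys in the examples this commit updates use a dot after the prefix, for example "security.callback-handler" and "security.signature.properties". Suggest writing "ws-security.*" and "security." so the note matches what readers will actually type. The sentence 'Older "ws-security-" values continue to be accepted in CXF 3.1.0' should also say whether the old names are deprecated, because the only other guidance given is to add the "ws-" prefix for older versions.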
@@ -153,10 +153,17 @@ div.rbtoc1419015873155 li {margin-left:
            
&lt;ds:DigestValue&gt;eFduzs6Cg1/Wd6jagUmr8vRYxHY=&lt;/ds:DigestValue&gt;
          &lt;/ds:Reference&gt;
       &lt;/ds:SignedInfo&gt;
-&lt;ds:SignatureValue&gt;DLD+wU85G+Q+H/SNoMr1I7tOCAZAjd3lYE84sBGU5tuMtzbwxKOIgg10g2F1SUbpujy1CZZ9BPkQNA+gA1CH4FE3uiBzp3DDSVv6o5l6Q76Ci0XI28ylO7O1OCY+q2nbP0WtERFWOn9f9nniVKbduz6YQHjv6cNLd8pf4+k2U3g=&lt;/ds:SignatureValue&gt;
+&lt;ds:SignatureValue&gt;DLD+wU85G+Q+H/SNoMr1I7tOCAZAjd3lYE84sBGU5tuMtzbwxKOIgg10g2F1SUbpujy1CZZ9BPkQNA+gA1CH4
+FE3uiBzp3DDSVv6o5l6Q76Ci0XI28ylO7O1OCY+q2nbP0WtERFWOn9f9nniVKbduz6YQHjv6cNLd8pf4+k2U3g=&lt;/ds:SignatureValue&gt;
 
        &lt;ds:KeyInfo&gt;
-         
&lt;ds:X509Data&gt;&lt;ds:X509Certificate&gt;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&lt;/ds:X509Certificate&gt;
+         
&lt;ds:X509Data&gt;&lt;ds:X509Certificate&gt;MIICGjCCAYOgAwIBAgIESVRgATANBgkqhkiG9w0BAQUFADAzMRMwEQYDVQQKEwphcGFjaGUub3JnMQwwCgYDVQQL
+EwNlbmcxDjAMBgNVBAMTBWN4ZmNhMB4XDTcwMDEwMTAwMDAwMFoXDTM4MDExOTAzMTQwN1owMzETMBEGA1UEChMKYXBhY2hlLm9yZzEMMAoGA1UECxMDZW5nMQ4wDAYDVQ
+QDEwVhbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVt
+BWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzsCAwEAAaM7MDkwIQYDVR0SBBowGIIWTk9UX0ZPUl
+9QUk9EVUNUSU9OX1VTRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZI
+hvcNAQEFBQADgYEAhLwkm+8psKt4gnbikGzV0TgpSWGcWxWKBi+z8tI2n6hFA5v1jVHHa4G9h3s0nxQ2TewzeR/k7gmgV2sI483NgrYHmTmLKaDBWza2pAuZuDhQH8GAEh
+JakFtKBP++EC9rNNpZnqqHxx3qb2tW25qRtBzDmK921gg9PMomMc7uqRQ=&lt;/ds:X509Certificate&gt;
         &lt;/ds:X509Data&gt;
 
         &lt;ds:KeyValue&gt;
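Review bot: The wrapped ds:X509Certificate value is broken at uneven points: the fifth added line stops early at "...DQYJKoZI" and the next one starts with "hvcNAQEFBQAD...", while the other added lines run to a fixed width, so the breaks look hand-inserted rather than produced by one consistent wrap. The removed ds:SignatureValue line shows that value was a single run before, and the new line breaks now sit inside the element content of the sample payload. If the aim is only to stop the code panel overflowing, consider eliding the certificate the way the encryption sample on this page does ("Omitted for brevity") instead of reflowing the base64.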
@@ -194,9 +201,9 @@ div.rbtoc1419015873155 li {margin-left:
     &lt;/jaxrs:outInterceptors&gt;
 
     &lt;jaxrs:properties&gt;
-          &lt;entry key=&quot;ws-security.callback-handler&quot; 
+          &lt;entry key=&quot;security.callback-handler&quot; 
                   
value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-          &lt;entry key=&quot;ws-security.signature.properties&quot; 
+          &lt;entry key=&quot;security.signature.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
     &lt;/jaxrs:properties&gt;
 &lt;/jaxrs:server&gt;
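Review bot: The renamed "security.callback-handler" entry still points at org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback, and "security.signature.properties" at org/apache/cxf/systest/jaxrs/security/alice.properties, both of which sit under a systest package and read as test fixtures. Since these entries are being edited anyway, add a sentence next to the sample stating that both values come from the project's system tests and have to be replaced with the reader's own callback handler and keystore properties file.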
@@ -209,10 +216,10 @@ bean.setAddress(address);
 
 // setup properties
 Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();
-properties.put(&quot;ws-security.callback-handler&quot;, 
+properties.put(&quot;security.callback-handler&quot;, 
                
&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;);
-properties.put(&quot;ws-security.signature.username&quot;, &quot;alice&quot;);
-properties.put(&quot;ws-security.signature.properties&quot;, 
+properties.put(&quot;security.signature.username&quot;, &quot;alice&quot;);
+properties.put(&quot;security.signature.properties&quot;, 
                
&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;);
 bean.setProperties(properties);
 
@@ -337,7 +344,8 @@ sigInterceptor.setStyle(&quot;detached&q
                &lt;ds:X509Certificate&gt;&lt;!-- Omitted for brevity 
--&gt;&lt;/ds:X509Certificate&gt;
            &lt;/ds:X509Data&gt;
         &lt;/ds:KeyInfo&gt;
-        
&lt;xenc:CipherData&gt;&lt;xenc:CipherValue&gt;tPtZz4pnVWquaV2a7O0y+VrHoeWwk3Eu5Jnu3RHz5rGDB/MLyG6rBamhit03J2xWaV52zUtDAPEj8sr4oy5y2KLB09Hu317IbQjinePabUpd+DLnwNn5iHZpHWJPfndkh07JdYZSrMwqOvJ3fqrNJ+LQeLzZDneT8sC1vRyhSDU=&lt;/xenc:CipherValue&gt;
+        
&lt;xenc:CipherData&gt;&lt;xenc:CipherValue&gt;tPtZz4pnVWquaV2a7O0y+VrHoeWwk3Eu5Jnu3RHz5rGDB/MLyG6rBamhit03J2xWaV52zUtDAPEj8sr4oy5y2KLB09Hu317IbQjinePabUpd
++DLnwNn5iHZpHWJPfndkh07JdYZSrMwqOvJ3fqrNJ+LQeLzZDneT8sC1vRyhSDU=&lt;/xenc:CipherValue&gt;
         &lt;/xenc:CipherData&gt;
     &lt;/xenc:EncryptedKey&gt;
   &lt;/ds:KeyInfo&gt;
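Review bot: The new break in xenc:CipherValue falls directly before a "+" character, so the continuation line of the sample begins "+DLnwNn5i..." and appears in this diff as "++", which is easy to misread as diff markup in review and as a stray character when the sample is copied. Break the value at a different offset, or shorten the CipherValue with a comment in the same way the ds:X509Certificate a few lines above is already marked "Omitted for brevity".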
@@ -360,11 +368,11 @@ sigInterceptor.setStyle(&quot;detached&q
        &lt;ref bean=&quot;xmlSigHandler&quot;/&gt;
     &lt;/jaxrs:providers&gt; 
      &lt;jaxrs:properties&gt;
-           &lt;entry key=&quot;ws-security.callback-handler&quot; 
+           &lt;entry key=&quot;security.callback-handler&quot; 
                   
value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-           &lt;entry key=&quot;ws-security.encryption.properties&quot; 
+           &lt;entry key=&quot;security.encryption.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt;
-           &lt;entry key=&quot;ws-security.signature.properties&quot; 
+           &lt;entry key=&quot;security.signature.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;   
    
      &lt;/jaxrs:properties&gt; 
 &lt;/jaxrs:server&gt;
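Review bot: This server sample configures two property files ("security.encryption.properties" with bob.properties and "security.signature.properties" with alice.properties) but only one "security.callback-handler", and nothing in the sample says which keystore the handler is consulted for. With the keys being renamed here, it is a good moment to add one sentence stating which of the two entries needs a password from the handler, so readers who substitute their own keystores know what their handler must answer.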
@@ -378,15 +386,15 @@ bean.setAddress(address);
 // setup properties
 Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();
 
-properties.put(&quot;ws-security.callback-handler&quot;, 
+properties.put(&quot;security.callback-handler&quot;, 
                
&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;);
-properties.put(&quot;ws-security.encryption.username&quot;, &quot;bob&quot;);
-properties.put(&quot;ws-security.encryption.properties&quot;, 
+properties.put(&quot;security.encryption.username&quot;, &quot;bob&quot;);
+properties.put(&quot;security.encryption.properties&quot;, 
                        
&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;);
 
 // if signature required: 
-properties.put(&quot;ws-security.signature.username&quot;, &quot;alice&quot;);
-properties.put(&quot;ws-security.signature.properties&quot;, 
+properties.put(&quot;security.signature.username&quot;, &quot;alice&quot;);
+properties.put(&quot;security.signature.properties&quot;, 
                
&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;);
 
 bean.setProperties(properties);
@@ -430,11 +438,11 @@ assertEquals(200, r.getStatus());
         &lt;ref bean=&quot;xmlEncOutHandler&quot;/&gt;
      &lt;/jaxrs:outInterceptors&gt;
      &lt;jaxrs:properties&gt;
-         &lt;entry key=&quot;ws-security.callback-handler&quot; 
+         &lt;entry key=&quot;security.callback-handler&quot; 
                   
value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.properties&quot; 
+         &lt;entry key=&quot;security.encryption.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
-         &lt;entry key=&quot;ws-security.signature.properties&quot; 
+         &lt;entry key=&quot;security.signature.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt;
  
     &lt;/jaxrs:properties&gt; 
@@ -451,30 +459,30 @@ bean.getInInterceptors().add(sigInInterc
 <script class="theme: Default; brush: xml; gutter: false" 
type="syntaxhighlighter"><![CDATA[&lt;!-- server --&gt;
 &lt;jaxrs:server&gt;
 &lt;jaxrs:properties&gt;
-         &lt;entry key=&quot;ws-security.callback-handler&quot; 
+         &lt;entry key=&quot;security.callback-handler&quot; 
                   
value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.properties&quot; 
+         &lt;entry key=&quot;security.encryption.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.username&quot; 
value=&quot;useReqSigCert&quot;/&gt;
-         &lt;entry key=&quot;ws-security.signature.properties&quot; 
+         &lt;entry key=&quot;security.encryption.username&quot; 
value=&quot;useReqSigCert&quot;/&gt;
+         &lt;entry key=&quot;security.signature.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt;
  
     &lt;/jaxrs:properties&gt;
 &lt;/jaxrs:server&gt;
 &lt;jaxrs:client&gt;
     &lt;jaxrs:properties&gt;
-         &lt;entry key=&quot;ws-security.callback-handler&quot; 
+         &lt;entry key=&quot;security.callback-handler&quot; 
                   
value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.properties&quot; 
+         &lt;entry key=&quot;security.encryption.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.username&quot; 
value=&quot;bob&quot;/&gt;
-         &lt;entry key=&quot;ws-security.signature.properties&quot; 
+         &lt;entry key=&quot;security.encryption.username&quot; 
value=&quot;bob&quot;/&gt;
+         &lt;entry key=&quot;security.signature.properties&quot; 
                   
value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
-         &lt;entry key=&quot;ws-security.signature.username&quot; 
value=&quot;alice&quot;/&gt;
+         &lt;entry key=&quot;security.signature.username&quot; 
value=&quot;alice&quot;/&gt;
     &lt;/jaxrs:properties&gt;
 &lt;/jaxrs:client&gt;
 ]]></script>
-</div></div><p>The "ws-security.encryption.username" server property is set to 
"useReqSigCert".</p><p>Note that the client configuration assumes Alice (with 
its alice.properties) represents a given client, Bob (with its bob.properties) 
- the receiver/server.</p><p>On the server side the encryption properties point 
to alice.properties and signature.properties to bob.properties. This is because 
the outbound signature needs to be done with the Bob's certificate and the 
encryption - with either the specific Alice's certificate or the certificate 
from the inbound signature. Note that the in encryption handler will check the 
signature properties first - this will ensure that the Bob's certificate used 
to encrypt the data on the client side can be validated, similarly for the in 
signature handler.</p><h2 
id="JAX-RSXMLSecurity-Customizingtheencryption">Customizing the 
encryption</h2><p>org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages 
the encryption process.<br clear="none"> The f
 ollowing properties can be set on it at the moment:<br clear="none"> 
"symmetricEncAlgorithm": default is 
"http://www.w3.org/2001/04/xmlenc#aes256-cbc";, complete URIs or short 
identifiers are supported, for example, "aes128-cbc" or 
"http://www.w3.org/2001/04/xmlenc#aes256-cbc";. <br clear="none"> 
"digestAlgorithm": optional, example "http://www.w3.org/2001/04/xmlenc#sha256"; 
can be set.<br clear="none"> "keyEncAlgorithm": default is 
"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";<br clear="none"> 
"keyIdentifierType": default is "X509_KEY", "X509_ISSUER_SERIAL" is also 
supported - useful when the whole x509Certificate should not be embedded</p><h2 
id="JAX-RSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM Algorithm and 
BouncyCastle provider</h2><p>Please see Colm's <a shape="rect" 
class="external-link" 
href="http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html"; 
rel="nofollow">blog</a> for the information about the possible attack against 
XML Encryption and the GCM algor
 ithm which needs to be used in order to prevent it.</p><h1 
id="JAX-RSXMLSecurity-Restrictingencryptionandsignaturealgorithms">Restricting 
encryption and signature algorithms</h1><p><strong>From CXF 2.6.1 and 
2.5.4:</strong></p><p>It is possible to configure the in encryption and 
signature handlers with the properties restricting the encryption and signature 
algorithms that clients can use, for example:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The "security.encryption.username" server property is set to 
"useReqSigCert".</p><p>Note that the client configuration assumes Alice (with 
its alice.properties) represents a given client, Bob (with its bob.properties) 
- the receiver/server.</p><p>On the server side the encryption properties point 
to alice.properties and signature.properties to bob.properties. This is because 
the outbound signature needs to be done with the Bob's certificate and the 
encryption - with either the specific Alice's certificate or the certificate 
from the inbound signature. Note that the in encryption handler will check the 
signature properties first - this will ensure that the Bob's certificate used 
to encrypt the data on the client side can be validated, similarly for the in 
signature handler.</p><h2 
id="JAX-RSXMLSecurity-Customizingtheencryption">Customizing the 
encryption</h2><p>org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages 
the encryption process.<br clear="none"> The foll
 owing properties can be set on it at the moment:<br clear="none"> 
"symmetricEncAlgorithm": default is 
"http://www.w3.org/2001/04/xmlenc#aes256-cbc";, complete URIs or short 
identifiers are supported, for example, "aes128-cbc" or 
"http://www.w3.org/2001/04/xmlenc#aes256-cbc";. <br clear="none"> 
"digestAlgorithm": optional, example "http://www.w3.org/2001/04/xmlenc#sha256"; 
can be set.<br clear="none"> "keyEncAlgorithm": default is 
"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";<br clear="none"> 
"keyIdentifierType": default is "X509_KEY", "X509_ISSUER_SERIAL" is also 
supported - useful when the whole x509Certificate should not be embedded</p><h2 
id="JAX-RSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM Algorithm and 
BouncyCastle provider</h2><p>Please see Colm's <a shape="rect" 
class="external-link" 
href="http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html"; 
rel="nofollow">blog</a> for the information about the possible attack against 
XML Encryption and the GCM algorith
 m which needs to be used in order to prevent it.</p><h1 
id="JAX-RSXMLSecurity-Restrictingencryptionandsignaturealgorithms">Restricting 
encryption and signature algorithms</h1><p><strong>From CXF 2.6.1 and 
2.5.4:</strong></p><p>It is possible to configure the in encryption and 
signature handlers with the properties restricting the encryption and signature 
algorithms that clients can use, for example:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" 
type="syntaxhighlighter"><![CDATA[    &lt;bean id=&quot;sigProps&quot; 
class=&quot;org.apache.cxf.rs.security.xml.SignatureProperties&quot;&gt;
        &lt;property name=&quot;signatureAlgo&quot; 
                  
value=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;
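Review bot: The rewritten paragraph in this hunk still lists "symmetricEncAlgorithm" with a default of "http://www.w3.org/2001/04/xmlenc#aes256-cbc" and then, in the next section, says a GCM algorithm "needs to be used" to prevent the attack covered in the linked CVE-2011-1096 post. As the text is being re-emitted anyway, state in the "Customizing the encryption" list that the default is not a GCM algorithm and that readers should set "symmetricEncAlgorithm" accordingly, rather than leaving that step to the external blog post.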

