By the way, I checked out the head version of the Fediz project from SVN.

On Tue, May 8, 2012 at 6:36 PM, Gina Choi <[email protected]> wrote:

> Hi Oliver,
>
> I am using separate Tomcat instances for the IDP and the application, and I set up https. Following is what I did.
>
> I checked out the Fediz project onto my local machine. As you explained in your post
> http://owulff.blogspot.com/2011/11/configure-tomcat-for-federation-part.html,
> I ran mvn clean install in plugins/core, plugins/tomcat and examples/simpleWebapp/. I configured Maven's settings.xml and updated tomcat-users.xml. I ran mvn tomcat:deploy under fediz\trunk\plugins, and I am seeing that both IDP and STS are deployed.
>
> I am just having a problem with deploying the sample application in another Tomcat instance.
>
> 1. I created a sub-directory fediz in ${catalina.home}/lib of the tomcat-rp.
> 2. I have the following line in catalina.properties in ${catalina.home}/conf.
>
> common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar
>
> 3. I deployed the built libraries and dependencies to the directory created in (1). I got the built libraries from fediz-tomcat/target/fediz-tomcat-0.6-SNAPSHOT-zip-with-dependencies.zip.
> After this, I am getting error messages when starting Tomcat. This is preventing me from doing step 5 (deploying applications) properly.
> If I replace the generated lib/fediz jar files with the old jar files that I downloaded from your post, I am able to start Tomcat without error and able to deploy the application, but it couldn't run properly.
> 4. Since I can't find fediz_config.xml, I configured META-INF/context.xml as follows.
>
> <Context>
>   <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>          issuerURL="https://localhost:9443/fedizidp/"
>          truststoreFile="conf/stsstore.jks"
>          truststorePassword="stsspass"
>          trustedIssuer=".*CN=www.sts.com.*" />
> </Context>
>
> 5. If I run mvn tomcat:deploy under fediz\trunk\examples\simpleWebapp, I am getting the following error message.
>
> Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.1:deploy (default-cli) on project simpleWebapp: Cannot invoke Tomcat manager: FAIL - Failed to deploy application at context path /fedizhelloworld -> [Help 1]
>
> So, I couldn't get your application to run. I hope that all these problems are caused by the missing fediz_config.xml.
>
> Thanks.
>
> Gina
>
> On Tue, May 8, 2012 at 2:46 PM, Oliver Wulff <[email protected]> wrote:
>
>> Hi Gina
>>
>> I'll send you and check in the fediz_config.xml as soon as I can - I'm on the way right now.
>>
>> This STS URL is fine, the Mock IDP uses the CXF STS. When the application works you will change in your application (fediz_config.xml) the issuerUrl of ADFS.
>>
>> Have you configured HTTPS for the IDP Tomcat instance and your application Tomcat instance?
>> I recommend to use a separate instance for the IDP and your application.
>> Do you use the port 9443?
>>
>> Thanks
>>
>> ------
>> Oliver Wulff
>>
>> Blog: http://owulff.blogspot.com
>> Solution Architect
>> http://coders.talend.com
>> Talend Application Integration Division
>> http://www.talend.com
>> ------------------------------
>> From: Gina Choi [[email protected]]
>> Sent: 08 May 2012 20:20
>> To: Oliver Wulff
>> Cc: [email protected]
>> Subject: Re: CXF supporting scope
>>
>> Hi Oliver
>>
>> > I'd recommend to successfully deploy the wsclientWebapp sample and the IDP. When this works, rip&replace one piece after the other. I'd recommend to choose the following approach.
>> >
>> > 1) Replace the Fediz IDP by ADFS
>> >  + configure the ADFS issuerUrl (context.xml)
>> >  + ensure that ADFS supports WS-Federation Passive Requestor Profile
>> >  + configure the certificate used by ADFS to sign the SAML token
>> >
>> > (the most recent version of fediz uses a separate xml file for the configuration)
>>
>> Somehow I couldn't deploy both fediz\trunk\services and fediz\trunk\examples\wsclientWebapp on Tomcat 7.0.27, so I deployed them on Tomcat 7.0.21. I checked the Tomcat user name and Maven's settings file, but couldn't find the reason. It just said that it can't invoke Tomcat Manager. But since I was able to deploy it on Tomcat 7.0.21, I decided to figure it out later.
>>
>> In the context.xml, I have the following content. So, it looks like the issuerURL is defined inside fediz_config.xml, but I searched all directories and couldn't find a file called fediz_config.xml.
>>
>> <Context>
>>   <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>          configFile="conf/fediz_config.xml" />
>>   <!--<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>          issuerURL="https://localhost:9443/fedizidp/"
>>          truststoreFile="conf/stsstore.jks"
>>          truststorePassword="stsspass"
>>          trustedIssuer=".*CN=www.sts.com.*" />-->
>>   <!--<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>>          issuerCallbackHandler="org.apache.cxf.fediz.tomcat.DummyIDPCallbackHandler"
>>          truststoreFile="conf/stsstore.jks"
>>          truststorePassword="stsspass" />-->
>> </Context>
>>
>> In the web.xml file of the idp, you have the following content. ADFS has a mex address, so I assume that I need to replace the value of sts.wsdl.url with the ADFS mex address.
>>
>> <servlet>
>>   <servlet-name>FederationServlet</servlet-name>
>>   <servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class>
>>   <init-param>
>>     <param-name>sts.wsdl.url</param-name>
>>     <param-value>https://localhost:9443/fedizidpsts/STSService?wsdl</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>sts.wsdl.service</param-name>
>>     <param-value>SecurityTokenService</param-value>
>>   </init-param>
>>
>> Thanks.
>>
>> Gina
>>
>> On Tue, May 8, 2012 at 2:26 AM, Oliver Wulff <[email protected]> wrote:
>>
>>> Hi Gina
>>>
>>> > I don't mind giving up the existing implementation as long as I find a better solution. I was hoping that the Fediz project uses only Apache CXF instead of introducing another framework - OpenSAML.
>>>
>>> Apache CXF uses OpenSAML too for all SAML processing for SOAP and REST based service communication. OpenSAML is widely used and bundled into other frameworks like CXF and Fediz.
>>>
>>> > If I only consider the passive profile at this moment, what changes are needed to the Fediz project to point to ADFS (STS) instead of the Apache CXF STS? Where did you define your stsActionURL? I'd like to start with the passive profile since it is easier to start with. I can use your sample application. It doesn't matter if I use Airline or not since it is just a prototype.
>>>
>>> I'd recommend to successfully deploy the wsclientWebapp sample and the IDP. When this works, rip&replace one piece after the other. I'd recommend to choose the following approach.
>>>
>>> 1) Replace the Fediz IDP by ADFS
>>>  + configure the ADFS issuerUrl (context.xml)
>>>  + ensure that ADFS supports WS-Federation Passive Requestor Profile
>>>  + configure the certificate used by ADFS to sign the SAML token
>>>
>>> (the most recent version of fediz uses a separate xml file for the configuration)
>>>
>>> 2) Update the webapp to generate and use the stubs of the BookingService in the FederationServlet (just a test - call the simplest method). Configure the ASP.NET wsdl location (usually url?wsdl). Configure the ADFS STS url in the STSClient bean in the beans.xml configuration. Change the property onbehalfof to actas.
>>>
>>> HTH
>>>
>>> ------
>>> Oliver Wulff
>>> ------------------------------
>>> From: Gina Choi [[email protected]]
>>> Sent: 08 May 2012 01:05
>>> To: Oliver Wulff
>>> Cc: [email protected]
>>> Subject: Re: CXF supporting scope
>>>
>>> Hi Oliver,
>>>
>>> I am not responsible for BookingService (.NET). The other guys implemented it using WIF. You know that Microsoft created WIF and tested it with ADFS, so if it doesn't work, I would be surprised.
>>>
>>> > Which Servlet container do you use?
>>> I am using Tomcat 7.
>>>
>>> > In your current setup, how does the samlp:Response look like?
>>> I sent you the decoded SAML response token in a separate email. I am retrieving the base64 encoded SAML response token using the following code.
>>>
>>> String encodedSamlResponseTokenStr = request.getParameter("SAMLResponse");
>>>
>>> I don't mind giving up the existing implementation as long as I find a better solution. I was hoping that the Fediz project uses only Apache CXF instead of introducing another framework - OpenSAML.
>>>
>>> I loaded http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/ into Eclipse today.
>>>
>>> Basically I need the following three URLs for ADFS (STS). The first two are for the active profile and the third one is for the passive profile (SP initiated Redirect POST bindings). If I only consider the passive profile at this moment, what changes are needed to the Fediz project to point to ADFS (STS) instead of the Apache CXF STS? Where did you define your stsActionURL? I'd like to start with the passive profile since it is easier to start with. I can use your sample application. It doesn't matter if I use Airline or not since it is just a prototype.
>>>
>>> private static final String stsEndpoint = "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";
>>> private static final String stsMEXAddress = "https://strts01.ams.dev/adfs/services/trust/mex";
>>> private static final String stsActionURL = "https://strts01.ams.dev/adfs/ls/";
>>>
>>> Thanks again for your guidance.
>>>
>>> Gina
>>>
>>> On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <[email protected]> wrote:
>>>
>>>> Hi Gina
>>>>
>>>> The fediz project is used to protect your web application where the client is a browser. Right now, Fediz supports WS-Federation Passive Requestor Profile, which is supported by ADFS and usually used in the .NET world as the default mechanism. You don't have to implement that in your application - that's done by the Fediz plugin. Fediz uses opensaml for SAML processing.
>>>>
>>>> The original URL is stored in the wreply parameter. .NET uses a combination of the wtrealm and wctx parameter.
>>>>
>>>> Your Airline application can use CXF for the web services communication (for the REST communication also, if you like). The built-in support in CXF for the IssuedToken assertion (WS-SecurityPolicy) supports getting a token from ADFS using actas. In my example, just use actas instead of the onbehalfof property.
>>>>
>>>> > ADFS generates a SAML token and this SAML token is sent back to Airline (Airline does all validation work) and cached in the session. - This part is implemented.
>>>>
>>>> The validation work is already done by Fediz. Session management is then done by the JEE container. Your application is called after the SAML token issued by ADFS is successfully validated. The container will create the session and check on every incoming request whether the used token is still valid - otherwise, the browser is redirected again to ADFS. You could also configure some roles in ADFS to protect your web application, as the fediz plugin tells the container the userid as well as its roles. You could even use claims if you like.
>>>>
>>>> Which Servlet container do you use?
>>>>
>>>> In your current setup, how does the samlp:Response look like?
>>>>
>>>> Thanks
>>>>
>>>> Oli
>>>>
>>>> ------
>>>> Oliver Wulff
>>>> ------------------------------
>>>> From: Gina Choi [[email protected]]
>>>> Sent: 07 May 2012 20:24
>>>> To: [email protected]
>>>> Cc: Oliver Wulff
>>>> Subject: Re: CXF supporting scope
>>>>
>>>> Hi Oliver,
>>>>
>>>> I did notice that your sample application used both the opensaml and openws libraries. Are they used by Apache CXF or just by the Fediz project?
>>>>
>>>> I need to clarify my environment further to give you a better picture.
>>>>
>>>> 1. All web services in my application are REST. The only reason that I use SOAP is to create a SOAP client to call a .NET SOAP web service which resides in another application. I am working with a .NET guy to prove some prototypes. His sample application is BookingService, for which I provided you the wsdl. I am working on Airline.
>>>>
>>>> BookingService: .NET 4.0 SOAP
>>>> Airline: Java with REST
>>>>
>>>> 2. Both BookingService and Airline use the same ADFS as STS. We have set up relying parties for BookingService and Airline in ADFS.
>>>>
>>>> 3. SSO: A user will be using both Airline and BookingService. So, she/he should be able to log on once for both applications. In Airline (my application), I used SP initiated POST redirect bindings. So, when a user makes a request to Airline the first time, the user will be redirected to ADFS and asked for credentials. After the user provides username/password, ADFS generates a SAML token and this SAML token is sent back to Airline (Airline does all validation work) and cached in the session. - This part is implemented.
>>>>
>>>> 4. Now a user calls BookingService, which is claims aware. So, I need to inject the Assertion token obtained in the previous step inside the actas element to call the STS (ADFS 2.0) to get a new token. With that new token, I will be calling BookingService.
>>>>
>>>> So, I don't think that I am able to use the Apache CXF STS part since my STS will be ADFS. So, I am hoping that Apache CXF can work with ADFS (STS) to support my prototypes.
>>>>
>>>> Thanks.
>>>>
>>>> Gina
>>>>
>>>> On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <[email protected]> wrote:
>>>>
>>>>> Hi Gina
>>>>>
>>>>> > So, what I need is after the user logs on using Web SSO, the SAML token should be cached in the web context and used as the actas token when making a call to the .NET web service.
>>>>>
>>>>> This is supported by CXF without writing a single line of code. I do have a sample web application here:
>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
>>>>>
>>>>> This example illustrates:
>>>>> - fediz is configured for web sso
>>>>> - SAML token is cached in the session and used to request a new token from the STS
>>>>>
>>>>> The code to call the web service is in FederationServlet.doPost():
>>>>> ...
>>>>> Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
>>>>> String reply = service.greetMe();
>>>>> ...
>>>>>
>>>>> The magic is in the configuration I used here:
>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
>>>>>
>>>>> The following property registers a callback handler to provide the STSClient the token of the Web Login:
>>>>> <property name="onBehalfOf" ref="delegationCallbackHandler" />
>>>>>
>>>>> (There is also a property for actAs)
>>>>>
>>>>> The above example should do exactly what you need. You just have to change the above property to use ActAs instead of OnBehalfOf. The details for this example are described here:
>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>>>>
>>>>> To test this easily, you can use the Mock IDP as part of Fediz for the authentication. You could also attach Active Directory in the Mock if you like. See here:
>>>>> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
>>>>>
>>>>> I use that within a customer set up to connect the CXF STS to Active Directory.
>>>>>
>>>>> > What is Spring's role in CXF?
>>>>>
>>>>> You can use Spring to configure your services. The above example is based on Spring. As you see, all security related stuff is enabled by configuration (Convention of Configuration). You can also write an application without Spring, but I wouldn't write an application without Spring nowadays; this is up to you.
>>>>>
>>>>> > I don't know much about LDAP, but it should be used as an attribute store. I consider it an alternative to Active Directory. Please correct me if I am wrong.
>>>>>
>>>>> Active Directory provides different interfaces. One of them is LDAP. You can use the LDAPLoginModule of the JDK for authentication. But you don't have to care that much, as ADFS (and maybe the Fediz Mock for testing) will access Active Directory to read the claims to add them to the SAML token.
>>>>>
>>>>> Could you zip the wsdl before attaching?
>>>>>
>>>>> Thanks
>>>>>
>>>>> ------
>>>>> Oliver Wulff
>>>>> ________________________________
>>>>> From: Gina Choi [[email protected]]
>>>>> Sent: Friday, 4 May 2012 20:54
>>>>> To: [email protected]
>>>>> Subject: Re: CXF supporting scope
>>>>>
>>>>> Hi Oliver,
>>>>>
>>>>> Thanks for your response.
>>>>>
>>>>> > You mean that WIF is deployed in the ASP.NET web service using the Active Requestor Profile?
>>>>> > The SAML token should contain the claims as an AttributeStatement?
>>>>> > Can you share with us the WS-SecurityPolicy of this Web Service?
>>>>> I have attached two wsdl files: BookingService.wsdl and BookingService_imported.wsdl. BookingService.wsdl is importing BookingService_imported.wsdl, and if you open BookingService.wsdl, in line 10 there is an import statement like below. This .NET 4.0 service is not owned by me and I don't know if separating the wsdl file is common practice. Is there any way to combine them into one when generating the artifacts using wsimport? I will be calling the CheckIn operation.
>>>>>
>>>>> <wsdl:import location="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0" namespace="http://tempuri.org/"/>
>>>>>
>>>>> > I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and Asymmetric binding.
>>>>> > What roles does ADFS 2.0 play?
>>>>> > Once as the IDP for the Web application SSO and once to let issue a token onbehalfof/actas the original token from the Web SSO? (this is supported by CXF-Fediz)
>>>>> > http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>>>> I am using Active Directory as an attribute store. So, I could say ADFS's role should be IDP. So, what I need is after the user logs on using Web SSO, the SAML token should be cached in the web context and used as the actas token when making a call to the .NET web service.
>>>>>
>>>>> > Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which application server is your web application deployed?
>>>>> ADFS is the IDP and my Java web application is the Service Provider.
>>>>>
>>>>> > What do you mean exactly? Is LDAP used for authentication by the STS? Or should the service provider retrieve the claims/roles from LDAP?
>>>>> I don't know much about LDAP, but it should be used as an attribute store. I consider it an alternative to Active Directory. Please correct me if I am wrong. I have been reading many specifications, but I am still having a hard time straightening out the correct terms.
>>>>>
>>>>> > No, Spring is not a requirement.
>>>>> What is Spring's role in CXF?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Gina
>>>>>
>>>>> On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <[email protected]> wrote:
>>>>>
>>>>> > 1. I have to create a client for a .NET 4.0 web service which is claims aware. So, how is CXF interoperability with .NET?
>>>>>
>>>>> You mean that WIF is deployed in the ASP.NET web service using the Active Requestor Profile?
>>>>> The SAML token should contain the claims as an AttributeStatement?
>>>>> Can you share with us the WS-SecurityPolicy of this Web Service?
>>>>>
>>>>> > 2. If CXF supports ADFS 2.0 as STS.
>>>>>
>>>>> I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and Asymmetric binding.
>>>>> What roles does ADFS 2.0 play?
>>>>> Once as the IDP for the Web application SSO and once to let issue a token onbehalfof/actas the original token from the Web SSO? (this is supported by CXF-Fediz)
>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>>>>>
>>>>> > 3. If CXF supports the passive profile. Especially SP initiated Redirect -> POST binding.
>>>>>
>>>>> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which application server is your web application deployed?
>>>>>
>>>>> > 4. If CXF can work with LDAP.
>>>>>
>>>>> What do you mean exactly? Is LDAP used for authentication by the STS? Or should the service provider retrieve the claims/roles from LDAP?
>>>>>
>>>>> > 5. My application doesn't use the Spring framework. Do I have to use the Spring framework to use CXF?
>>>>>
>>>>> No, Spring is not a requirement.
>>>>>
>>>>> ------
>>>>> Oliver Wulff
>>>>> ________________________________________
>>>>> From: gchoi [[email protected]]
>>>>> Sent: Wednesday, 2 May 2012 17:29
>>>>> To: [email protected]
>>>>> Subject: CXF supporting scope
>>>>>
>>>>> Hi All,
>>>>>
>>>>> So far, I evaluated several frameworks, but they don't seem to do what I expect. Several people suggested to me that I should consider CXF. Before I dig into CXF, I would like to know if CXF supports the following things. By the way, I just joined this user group.
>>>>>
>>>>> 1. I have to create a client for a .NET 4.0 web service which is claims aware. So, how is CXF interoperability with .NET?
>>>>>
>>>>> 2. If CXF supports ADFS 2.0 as STS.
>>>>>
>>>>> 3. If CXF supports the passive profile. Especially SP initiated Redirect -> POST binding.
>>>>>
>>>>> 4. If CXF can work with LDAP.
>>>>>
>>>>> 5. My application doesn't use the Spring framework. Do I have to use the Spring framework to use CXF?
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> --
>>>>> View this message in context: http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
>>>>> Sent from the cxf-user mailing list archive at Nabble.com.
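The onBehalfOf-to-actAs change that Oliver describes for the wsclientWebapp beans.xml, written out as an added example that is not part of this thread or of the Fediz project's own configuration. It wires a CXF STSClient to the ADFS mex address Gina listed and attaches it to a proxy for the .NET BookingService; the bean ids, the `ReceivedTokenCallbackHandler` class, the ADFS endpoint name and the keystore properties are assumptions to be checked against your ADFS metadata and your own CXF version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the Fediz wsclientWebapp beans.xml): STSClient wired for ActAs delegation against ADFS 2.0 -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml"/>

    <!-- Hands the SAML token that the Fediz plugin cached at web SSO login to the STSClient.
         Assumption: this CXF delegation callback handler class is available in the CXF version in use. -->
    <bean id="delegationCallbackHandler"
          class="org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler"/>

    <!-- STSClient for ADFS: WSDL is read from the mex address given in the thread.
         Service/endpoint QNames must be taken from that mex WSDL; the endpoint name below is a placeholder. -->
    <bean id="adfsStsClient" class="org.apache.cxf.ws.security.trust.STSClient">
        <constructor-arg ref="cxf"/>
        <property name="wsdlLocation" value="https://strts01.ams.dev/adfs/services/trust/mex"/>
        <property name="serviceName"
                  value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
        <property name="endpointName"
                  value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}ADFS_ENDPOINT_NAME_FROM_MEX"/>
        <!-- The web SSO token is placed in wst:ActAs instead of wst:OnBehalfOf (the property change Oliver describes) -->
        <property name="actAs" ref="delegationCallbackHandler"/>
        <property name="properties">
            <map>
                <!-- Keystore/truststore settings for verifying the ADFS token-signing certificate and presenting the
                     client key; file name and alias are placeholders, and which entries ADFS requires depends on the
                     binding of the chosen endpoint. -->
                <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
                <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
                <entry key="ws-security.encryption.username" value="ADFS_SIGNING_CERT_ALIAS"/>
            </map>
        </property>
    </bean>

    <!-- Proxy for the .NET BookingService; its WS-SecurityPolicy IssuedToken assertion makes CXF call the
         STSClient above before each invocation. serviceClass is the assumed name of the wsimport-generated interface. -->
    <jaxws:client id="BookingServiceClient"
                  serviceClass="org.tempuri.IBookingService"
                  address="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc"
                  wsdlLocation="BookingService.wsdl">
        <jaxws:properties>
            <entry key="ws-security.sts.client" value-ref="adfsStsClient"/>
        </jaxws:properties>
    </jaxws:client>
</beans>
```

The servlet then obtains the proxy with `getBean("BookingServiceClient")` and calls the operation, the same pattern as the `HelloServiceClient` lookup in FederationServlet.doPost().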
