Hi Gina >>> But I still don't understand why I have to copy stsstore.jks file into RP. stsstore.jks is the keystore file of STS and it should be sitting on somewhere on tomcat-idp not tomcat-rp. And ttomcat-rp should have it's own keystore file, for example clientstore.jks. When client issue AuthnRequest to STS, it will sign AuthnRequest with STS signing certificate. Vise versa, when STS issue Assertion token, it will be signed by client signing certificate. In fediz project senario, RP will be the client and it will never have keystore file of STS. I just looked at content of stsstore.jks and it looks like that you combined sts, client and service keystore file into one - stsstore.jks. In other words, stsstore.jks is being used as a keystore file for all three - client, service and sts. Is that correct? I think that they should be separated. Kind of confusing until list content of stsstore.jks. >>> You're right - this is confusing. The STS signs the SAML token with the private which correlates to the STS certificate. The RP requires the CA certificates and the STS certificate (if self-signed as in this demo case) to validate the SAML token.
I was too lazy in creating two keystores (I just copied the keystore used by the CXF STS distribution). In a production environment, one keystore contains the private key and the certificate for the STS and the other contains the certificate only for the RP. I've started documentating fediz here: http://cxf.apache.org/fediz.html It would make sense to add a section what to consider for production implementation. I'll add that. Thanks ------ Oliver Wulff Blog: http://owulff.blogspot.com Solution Architect http://coders.talend.com Talend Application Integration Division http://www.talend.com ________________________________________ From: Gina Choi [[email protected]] Sent: 14 May 2012 18:00 To: Oliver Wulff Cc: [email protected] Subject: Re: CXF supporting scope Hi Oliver, Thanks for your response. I copied over stsstore.jks into tomcat rp and I am seeing saml token now. >The SAML token issued by the IDP/STS is signed and the used certificate must be referenced to >validate the signature: ><trustedIssuerItem provider=".*CN=www.sts.com.*"> >< keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" password="stsspass" type="file" /> >< /trustedIssuerItem> >In this example, I used a self-signed certificate and I was too lazy in separating the keystore into >one with the private key and into one without. >You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP. But I still don't understand why I have to copy stsstore.jks file into RP. stsstore.jks is the keystore file of STS and it should be sitting on somewhere on tomcat-idp not tomcat-rp. And ttomcat-rp should have it's own keystore file, for example clientstore.jks. When client issue AuthnRequest to STS, it will sign AuthnRequest with STS signing certificate. Vise versa, when STS issue Assertion token, it will be signed by client signing certificate. In fediz project senario, RP will be the client and it will never have keystore file of STS. I just looked at content of stsstore.jks and it looks like that you combined sts, client and service keystore file into one - stsstore.jks. In other words, stsstore.jks is being used as a keystore file for all three - client, service and sts. Is that correct? I think that they should be separated. Kind of confusing until list content of stsstore.jks. Thanks. Gina On Fri, May 11, 2012 at 2:55 AM, Oliver Wulff <[email protected]> wrote: > Hi Gina > > > > The SAML token issued by the IDP/STS is signed and the used certificate > must be referenced to validate the signature: > > > > <trustedIssuerItem provider=".*CN=www.sts.com.*"> > <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" > password="stsspass" type="file" /> > </trustedIssuerItem> > > In this example, I used a self-signed certificate and I was too lazy in > separating the keystore into one with the private key and into one without. > > > > You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP. > > > > In your scenario with ADFS. You must import the CA certs which signed the > ADFS cert into a keystore and configure the CN name as a regular expression > in the attribute "provider". (The name provider is misleaing, will fix that) > > > > Thanks > > > > > > ------ > > Oliver Wulff > > Blog: http://owulff.blogspot.com > Solution Architect > http://coders.talend.com > > <http://coders.talend.com>Talend Application Integration Division > http://www.talend.com > ------------------------------ > *From:* Gina Choi [[email protected]] > *Sent:* 11 May 2012 00:44 > > *To:* Oliver Wulff > *Cc:* [email protected] > *Subject:* Re: CXF supporting scope > > Hi Oliver, > > Until this afternoon, I didn't have time to work with Fediz. Finally I > have successfully deployed idp, sts and simpleWebapp on Tomcat7.0.27. > Everything went well. I guess that on the other day, I thought doing some > thing, but I probably did something else. :) > After type https://localhost:8443/fedizhelloworld/secureservlet/fed on > the browser, I inputed test user name and password, but it failed. > > > org.apache.ws.security.components.crypto.CredentialException: Proxy file > (/projects/fediz/tomcat-rp2/conf/stsstore.jks) not found. > > > In your fediz_config.xml, you have following lines. Why do we put sts key > store file on RP server? Does web application need to know where is sts > keystore file? > > <trustedIssuers> > <trustedIssuerItem provider=".*CN=www.sts.com.*"> > <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" > password="stsspass" type="file" /> > </trustedIssuerItem> > </trustedIssuers> > > > Thanks. > > Gina > > On Wed, May 9, 2012 at 1:45 AM, Oliver Wulff <[email protected]> wrote: > >> Hi Gina >> >> The steps are absolutely correct. Not sure about the failing deployment >> step for the application. Have you also updated tomcat-users.xml of the >> second tomcat instance? Or was the application already deployed once and >> you must run "mvn clean install tomcat:redeploy"? Is anything logged on >> catalina.out? >> Otherwise, just copy the war manually from target/fedizhelloworld.war to >> <tomcat-dir>/webapps. >> >> I've checked in fediz_config.xml in examples/simpleWebapp/src/main/config >> (sorry for that). Please manually copy it to the location you've configured >> in the context.xml. Ensure that the IDP url (later ADFS): >> <issuer>https://localhost:9443/fedizidp/</issuer> >> and the location of the trusted keystore is updated: >> <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks" >> password="stsspass" type="file" /> >> >> It will be supported in the next days to also configure a relative >> location to catalina.home. >> >> >> Thanks >> Oli >> >> >> >> ------ >> >> Oliver Wulff >> >> Blog: http://owulff.blogspot.com >> Solution Architect >> http://coders.talend.com >> >> <http://coders.talend.com>Talend Application Integration Division >> http://www.talend.com >> ------------------------------ >> *From:* Gina Choi [[email protected]] >> *Sent:* 09 May 2012 00:55 >> >> *To:* Oliver Wulff >> *Cc:* [email protected] >> *Subject:* Re: CXF supporting scope >> >> By the way I checked out head version fediz project from SVN. >> >> On Tue, May 8, 2012 at 6:36 PM, Gina Choi <[email protected]> wrote: >> >>> Hi Oliver, >>> >>> I am using seperate Tomcat instance for IDP and application and I set up >>> https. Following is what I did. >>> >>> I checked out Fediz project into my local machine. As you explained on >>> your post >>> http://owulff.blogspot.com/2011/11/configure-tomcat-for-federation-part.html, >>> I run mvn clean install in plugins/core, pligins/tomcat and >>> examples/simpleWebapp/. I configued maven's settings.xml and updated >>> tomca-users.xml. I ran mvn tomcat:deploy under fediz\trunk\plugins, and I >>> am seeing both IDP and STS are deployed. >>> >>> I am just having problem with deloying sample application in another >>> Tomcat instance. >>> >>> 1. I created sub-directory fediz in ${catalina.home}/lib of the >>> tomcat-rp. >>> 2. I have following line in the calatina.properties in >>> ${catalina.home}/conf. >>> >>> >>> common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar >>> 3. I deployed the built libraries and dependencies to the directory >>> created in (1) >>> I got the built libraries from >>> fediz-tomcat/target/fediz-tomcat-0.6-SNAPSHOT-zip-with-dependencies.zip. >>> After this, I am getting error messages when start Tomcat. This preventing >>> me step5 for deploying applicaitons properly. >>> If I replace generated lib/fediz jar files with old jar files that I >>> downloaded from your post, I am able to start tomcat without error and able >>> to deploy application, but couldn't run properly. >>> 4. since I can't find fediz_config.xml, so I configured >>> *META-INF/context.xml >>> as follow. >>> >>> * <Context> >>> <Valve >>> className="org.apache<http://owulff.blogspot.com/2011/11/configure-tomcat-for-federation-part.html#> >>> .cxf.fediz.tomcat.FederationAuthenticator" >>> issuerURL="https://localhost:9443/fedizidp/"; >>> truststoreFile="conf/stsstore.jks" >>> truststorePassword="stsspass" >>> trustedIssuer=".*CN=www.sts.com.*" /> >>> </Context> >>> 5. If I run mvn tomcat:deploy under fediz\trunk\examples\simpleWebapp, I >>> am getting following error message. >>> >>> Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.1:deploy >>> (default-cli) on project simpleWebapp: Cannot invoke Tomcat manager: FAIL - >>> Failed to deploy application at context path /fedizhelloworld -> [Help 1] >>> >>> So, I couldn't get your application run. I hope that all these problem >>> caused because of missing fediz_config.xml. >>> >>> Thanks. >>> >>> Gina >>> On Tue, May 8, 2012 at 2:46 PM, Oliver Wulff <[email protected]>wrote: >>> >>>> Hi Gina >>>> >>>> >>>> >>>> I'll send you and checkin the fediz_config.xml as soon as I can - I'm >>>> on the way right now. >>>> >>>> >>>> >>>> This STS URL is fine, the Mock IDP uses the CXF STS. When the >>>> application works you will change in your application (fediz_config.xml) >>>> the issuerUrl of ADFS. >>>> >>>> >>>> >>>> Have you configured HTTPS for the IDP Tomcat instance and your >>>> application Tomcat instance? >>>> >>>> I recommend to use a separate instance of the IDP and your application. >>>> >>>> Do you use the port 9443? >>>> >>>> >>>> >>>> Thanks >>>> >>>> >>>> >>>> >>>> >>>> ------ >>>> >>>> Oliver Wulff >>>> >>>> Blog: http://owulff.blogspot.com >>>> Solution Architect >>>> http://coders.talend.com >>>> >>>> <http://coders.talend.com>Talend Application Integration Division >>>> http://www.talend.com >>>> ------------------------------ >>>> *From:* Gina Choi [[email protected]] >>>> *Sent:* 08 May 2012 20:20 >>>> >>>> *To:* Oliver Wulff >>>> *Cc:* [email protected] >>>> *Subject:* Re: CXF supporting scope >>>> >>>> Hi Oliver >>>> >>>> >I'd recommend to successfully deploy the wsclientWebapp sample and the >>>> IDP. When this works, rip&replace >one piece after the other. I'd recommend >>>> to choose the following approach. >>>> >>>> >1) Replace the Fediz IDP by ADFS >>>> > + configure the ADFS issuerUrl (context.xml) >>>> > + ensure that ADFS supports WS-Federation Passive Requestor >>>> Profile >>>> > + configure the certificate used by ADFS to sign the SAML token >>>> > >>>> >(the most recent version of fediz uses a separate xml file for the >>>> configuration) >>>> >>>> Somehow I couldn't deploy both fediz\trunk\services and >>>> fediz\trunk\examples\wsclientWebapp on Tomcat7.0.27, so I deployed them on >>>> Tomcat 7.0.21. I checked tomcat user name and Maven's settings file all, >>>> but couldn't find reason. It just said that can't involke Tomcat Manager. >>>> But since I was able to deploy it on tomcat 7.0.21, I decided to figure it >>>> out later. >>>> >>>> In the context.xml, I have following content. So, It lookis like that >>>> issuerURL defined inside fediz_config.xml, but I searched all directories, >>>> but couldn't find a file called fediz_config.xml. >>>> >>>> <Context> >>>> <Valve >>>> className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" >>>> configFile="conf/fediz_config.xml" /> >>>> <!--<Valve >>>> className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" issuerURL=" >>>> https://localhost:9443/fedizidp/"; truststoreFile="conf/stsstore.jks" >>>> truststorePassword="stsspass" trustedIssuer=".*CN=www.sts.com.*" />--> >>>> <!--Valve >>>> className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" >>>> issuerCallbackHandler="org.apache.cxf.fediz.tomcat.DummyIDPCallbackHandler" >>>> truststoreFile="conf/stsstore.jks" truststorePassword="stsspass" >>>> />--> >>>> </Context> >>>> >>>> In the web.xml file of the idp, you have following content. ADFS has >>>> mex address. so, I assume that I need to replace value of sts.wsdl.url with >>>> ADFS mex address. >>>> >>>> >>>> <servlet> >>>> <servlet-name>FederationServlet</servlet-name> >>>> >>>> >>>> <servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class> >>>> <init-param> >>>> <param-name>sts.wsdl.url</param-name> >>>> <param-value>https://localhost:9443/fedizidpsts/STSService?wsdl >>>> </param-value> >>>> </init-param> >>>> <init-param> >>>> <param-name>sts.wsdl.service</param-name> >>>> <param-value>SecurityTokenService</param-value> >>>> </init-param> >>>> >>>> Thanks. >>>> >>>> Gina >>>> On Tue, May 8, 2012 at 2:26 AM, Oliver Wulff <[email protected]>wrote: >>>> >>>>> Hi Gina >>>>> >>>>> >>>>> >>>>> >>> >>>>> >>>>> I don't mind giving up existing implementation as long as I find >>>>> better solution. I was hoping that Fediz project >>>>> >>>>> uses only Apache CXF instead of introducing another FrameWork - >>>>> OpenSAML. >>>>> >>>>> >>> >>>>> >>>>> Apache CXF uses OpenSAML too for all SAML processing for SOAP and REST >>>>> based service communication. OpenSAML is widely used and bundled into >>>>> other >>>>> frameworks like CXF and Fediz. >>>>> >>>>> >>>>> >>>>> >>> >>>>> >>>>> If I only consider passive profile at this moment, what changes are >>>>> need to Fediz project to point to ADFS(STS) intead of Apach CXF STS? Where >>>>> did you define your stsActionURL? I like to start with passive profile >>>>> since it is easier to start with. I can use your sample application. It >>>>> doesn't matter if I use Airline or not since it is a just prototype >>>>> >>>>> >>> >>>>> >>>>> I'd recommend to successfully deploy the wsclientWebapp sample and the >>>>> IDP. When this works, rip&replace one piece after the other. I'd recommend >>>>> to choose the following approach. >>>>> >>>>> >>>>> >>>>> 1) Replace the Fediz IDP by ADFS >>>>> >>>>> + configure the ADFS issuerUrl (context.xml) >>>>> >>>>> + ensure that ADFS supports WS-Federation Passive Requestor >>>>> Profile >>>>> >>>>> + configure the certificate used by ADFS to sign the SAML token >>>>> >>>>> >>>>> >>>>> (the most recent version of fediz uses a separate xml file for the >>>>> configuration) >>>>> >>>>> >>>>> >>>>> 2) Update the webapp to generate and use the stubs of the >>>>> BookingService in the FederationServlet (just a test - call the simplest >>>>> method). Configure the ASP.NET wsdl location (usually url?wsdl). >>>>> Configure the ADFS STS url in the STSClient bean in the beans.xml >>>>> configuration. Change the property onbehalfof to actas. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> HTH >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> ------ >>>>> >>>>> Oliver Wulff >>>>> >>>>> Blog: http://owulff.blogspot.com >>>>> Solution Architect >>>>> http://coders.talend.com >>>>> >>>>> <http://coders.talend.com>Talend Application Integration Division >>>>> http://www.talend.com >>>>> ------------------------------ >>>>> *From:* Gina Choi [[email protected]] >>>>> *Sent:* 08 May 2012 01:05 >>>>> *To:* Oliver Wulff >>>>> *Cc:* [email protected] >>>>> >>>>> *Subject:* Re: CXF supporting scope >>>>> >>>>> Hi Oliver, >>>>> >>>>> I am not responsible for BookingService(.NET). The other guys who >>>>> implemented it using WIF. You know that Microsoft created WIF and tested >>>>> with ADFS, so it it doesn't work, I would be surprised. >>>>> >Which Servlet container do you use? >>>>> I am using Tomcat7. >>>>> >>>>> >>>>> >In your current setup, how does the samlp:Response look like? >>>>> I sent you decoded SAML response token in seperate email. I am >>>>> sretrieving based64 encoded saml response token using following code. >>>>> >>>>> >>>>> String encodedSamlResponseTokenStr = >>>>> request.getParameter("SAMLResponse"); >>>>> >>>>> I don't mind giving up existing implementation as long as I find >>>>> better solution. I was hoping that Fediz project uses only Apache CXF >>>>> instead of introducing another FrameWork - OpenSAML. >>>>> >>>>> I loaded >>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/ >>>>> to >>>>> the Eclipse today. >>>>> >>>>> >>>>> >>>>> Basically I need following three URL for ADFS(STS). First two is for >>>>> active profile and third one is for passive profile(SP initiated Redirect >>>>> POST bindings). If I only consider passive profile at this moment, what >>>>> changes are need to Fediz project to point to ADFS(STS) intead of Apach >>>>> CXF >>>>> STS? Where did you define your stsActionURL? I like to start with passive >>>>> profile since it is easier to start with. I can use your sample >>>>> application. It doesn't matter if I use Airline or not since it is a just >>>>> prototype. >>>>> >>>>> *private* *static* *final* String *stsEndpoint* = " >>>>> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";; >>>>> >>>>> *private* *static* *final* String *stsMEXAddress* = >>>>> https://strts01.ams.dev/adfs/services/trust/mex; >>>>> >>>>> private static final String stsActionURL = >>>>> https://strts01.ams.dev/adfs/ls/; >>>>> >>>>> >>>>> Thanks again for your guidance. >>>>> >>>>> Gina >>>>> >>>>> On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <[email protected]>wrote: >>>>> >>>>>> Hi Gina >>>>>> >>>>>> >>>>>> >>>>>> The fediz project is used to protect your web application where the >>>>>> client is a browser. Right now, Fediz supports WS-Federation Passive >>>>>> Requestor Profile which is supported by ADFS and usually used in the .NET >>>>>> world as a the default mechanism. You don't have to implement that in >>>>>> your application - that's done by the Fediz plugin. Fediz uses opensaml >>>>>> for >>>>>> SAML processing. >>>>>> >>>>>> >>>>>> >>>>>> The original URL is stored in the wreply parameter. .NET uses a >>>>>> combination of the wtrealm and wctx parameter. >>>>>> >>>>>> >>>>>> >>>>>> Your Airline application can use CXF for the web services >>>>>> communication (for the REST communication also, if you like). The >>>>>> built-in >>>>>> support in CXF for the IssuedToken assertion (WS-SecurityPolicy) supports >>>>>> to get a token from ADFS using actas. In my example, just use actas >>>>>> instead >>>>>> of onbehalfof property. >>>>>> >>>>>> >>>>>> >>>>>> >>> >>>>>> >>>>>> ADFS generate SAMLtoken and this SAML token is sent back to >>>>>> Airline(Airline does all validation work) and cached in the session. - >>>>>> This >>>>>> part is implemented. >>>>>> >>>>>> >>> >>>>>> >>>>>> The validation work is already done by Fediz. Session management is >>>>>> then done by the JEE container. Your application is called after the SAML >>>>>> token issued by ADFS is successfully validated. The container will create >>>>>> the session and check every incoming request whether the used token is >>>>>> still valid - otherwise, the browser is redirected again to ADFS. You >>>>>> could >>>>>> also configure some roles in ADFS to protect your web application as the >>>>>> fediz plugin tells the container the userid as well as its roles. You >>>>>> could >>>>>> even use claims if you like. >>>>>> >>>>>> >>>>>> >>>>>> Which Servlet container do you use? >>>>>> >>>>>> >>>>>> >>>>>> In your current setup, how does the samlp:Response look like? >>>>>> >>>>>> >>>>>> >>>>>> Thanks >>>>>> >>>>>> Oli >>>>>> >>>>>> >>>>>> >>>>>> ------ >>>>>> >>>>>> Oliver Wulff >>>>>> >>>>>> Blog: http://owulff.blogspot.com >>>>>> Solution Architect >>>>>> http://coders.talend.com >>>>>> >>>>>> <http://coders.talend.com>Talend Application Integration Division >>>>>> http://www.talend.com >>>>>> ------------------------------ >>>>>> *From:* Gina Choi [[email protected]] >>>>>> *Sent:* 07 May 2012 20:24 >>>>>> *To:* [email protected] >>>>>> *Cc:* Oliver Wulff >>>>>> *Subject:* Re: CXF supporting scope >>>>>> >>>>>> Hi Oliver, >>>>>> >>>>>> I did notice that your sample application used both opensaml and >>>>>> openws libraries. Are they used by Apache CXF or just by Frediz project? >>>>>> >>>>>> I need to clarify my environment further to give you better picture. >>>>>> >>>>>> 1. All web services in my application are REST. The only reason that >>>>>> I use SOAP is to create a soap client to call .NET SOAP web service which >>>>>> resides on another application. I am working with a .NET guy to prove >>>>>> some >>>>>> prototypes. His sample application is BookingService which I provided you >>>>>> wsdl. I am working on Airline. >>>>>> >>>>>> BookingService: .NET4.0 SOAP >>>>>> Airline: Java with REST >>>>>> >>>>>> 2. Both BookingService and Airline use same ADFS as STS. We have set >>>>>> up relying parties for BookingService and Airline in ADFS. >>>>>> >>>>>> 3. SSO: A user will be using both Airline and BookingService. So, >>>>>> she/he should be able to log on once for both applications. In Airline(my >>>>>> application), I used SP initialed POST redirect bindings. So, when a user >>>>>> make a request to Airline at first time, the user will be redirected to >>>>>> ADFS and asked credentials. After user provide username/password, ADFS >>>>>> generate SAMLtoken and this SAML token is sent back to Airline(Airline >>>>>> does >>>>>> all validation work) and cached in the session. - This part is >>>>>> implemented. >>>>>> >>>>>> 4. Now a user call BookingService which is claim aware. So, I need to >>>>>> inject Assertion token get from previous step inside actas element to >>>>>> call >>>>>> STS(ADFS2.0) to get a new token. With that new token, I will be calling >>>>>> Booking service. >>>>>> >>>>>> So, I don't think that I am able to use Apach CXF STS part since my >>>>>> STS will be ADFS. So, I am hoping that Apache CXF can work with ADFS(STS) >>>>>> to support my prototypes. >>>>>> >>>>>> >>>>>> Thanks. >>>>>> >>>>>> Gina >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <[email protected]>wrote: >>>>>> >>>>>>> Hi Gina >>>>>>> >>>>>>> >>> >>>>>>> So, what I need is after user log on using Web SSO, the SAML token >>>>>>> should be cached in web context and being used as actas token when >>>>>>> making a >>>>>>> call to .NET web service. >>>>>>> >>> >>>>>>> This is supported by CXF without writing any single line of code. I >>>>>>> do have a sample web application here: >>>>>>> >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/ >>>>>>> >>>>>>> This example illustrates: >>>>>>> - fediz is configured for web sso >>>>>>> - SAML token is cached in the session and used to request a new >>>>>>> token from the STS >>>>>>> >>>>>>> The code to call the web service is in FederationServlet.doPost(): >>>>>>> ... >>>>>>> Greeter service = >>>>>>> (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient"); >>>>>>> String reply = service.greetMe(); >>>>>>> ... >>>>>>> >>>>>>> The magic is in the configuration I used here: >>>>>>> >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup >>>>>>> >>>>>>> The following property registers a callback handler to provide the >>>>>>> STSClient the token of the Web Login: >>>>>>> <property name="onBehalfOf" ref="delegationCallbackHandler" /> >>>>>>> >>>>>>> (There is also a property for actAs) >>>>>>> >>>>>>> The above example should exactly do what you need. You just have to >>>>>>> change the above property to use ActAs instead of OnBehalfOf. The >>>>>>> details >>>>>>> for this example are described here: >>>>>>> >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html >>>>>>> >>>>>>> >>>>>>> To test this easily, you can use the Mock IDP as part of Fediz for >>>>>>> the authentication. You could also attach Active Directory in the Mock >>>>>>> if >>>>>>> you like. See here: >>>>>>> >>>>>>> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html >>>>>>> >>>>>>> I use that within a customer set up to connect the CXF STS to Active >>>>>>> Directory. >>>>>>> >>>>>>> >>> >>>>>>> What is Spring role in CXF? >>>>>>> >>> >>>>>>> You can use Spring to configure your services. The above example is >>>>>>> based on spring. As you see, all security related stuff is enabled by >>>>>>> configuration (Convention of Configuration). You can also write an >>>>>>> application without spring but I wouldn't write an application without >>>>>>> spring nowadays but this is up to you. >>>>>>> >>>>>>> >>> >>>>>>> I don't know much LDAP, but it should be used as an attribute store. >>>>>>> I consider it as an alternative of Active Directory. Please correct me >>>>>>> if I >>>>>>> am wrong. >>>>>>> >>> >>>>>>> Active Directory provides different interfaces. One of them is >>>>>>> LDAP. You can use the LDAPLoginModule of the JDK for authentication. But >>>>>>> you don't have to care that much as ADFS (and maybe the Fediz Mock for >>>>>>> testing) will access ActiveDirectory to read the claims to add them to >>>>>>> the >>>>>>> SAML token. >>>>>>> >>>>>>> Could you zip the wsdl before attaching? >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>> >>>>>>> >>>>>>> ------ >>>>>>> >>>>>>> Oliver Wulff >>>>>>> >>>>>>> Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/> >>>>>>> Solution Architect >>>>>>> http://coders.talend.com >>>>>>> >>>>>>> <http://coders.talend.com>Talend Application Integration Division >>>>>>> http://www.talend.com >>>>>>> >>>>>>> ________________________________ >>>>>>> Von: Gina Choi [[email protected]] >>>>>>> Gesendet: Freitag, 4. Mai 2012 20:54 >>>>>>> Bis: [email protected] >>>>>>> Betreff: Re: CXF supporting scope >>>>>>> >>>>>>> Hi Oliver, >>>>>>> >>>>>>> Thanks for your response. >>>>>>> >>>>>>> >You mean that WIF is deployed in the ASP.NET<http://asp.net/> web >>>>>>> service using the Active Requestor Profile? >>>>>>> >The SAML token should contain the claims as an AttributeStatement? >>>>>>> >Can you share with us the WS-SecurityPolicy of this Web Service? >>>>>>> I have attached two wsdl file. BookingService.wsdl and >>>>>>> BookingService_imported.wsdl. BookingService.wsdl is importing >>>>>>> BookingService_imported.wsdl and if you open BookingService.wsdl, in >>>>>>> line >>>>>>> 10 there is a importing statement like bellow. This .NET4.0 service is >>>>>>> not >>>>>>> owned by me and I don't know if separating wsdl file is common >>>>>>> practice. Is >>>>>>> there anyway to combin them into one when generate artifact using >>>>>>> wsimport? >>>>>>> I will be calling CheckIn operation. >>>>>>> >>>>>>> <wsdl:import location=" >>>>>>> http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0"; >>>>>>> namespace="http://tempuri.org/"/> >>>>>>> >>>>>>> >I haven't used ADFS using WS-Trust so far. Usually, it uses a >>>>>>> Symmetric and Asymmetric binding. >>>>>>> >What roles does ADFS 2.0 play? >>>>>>> >Once as the IDP for the Web application SSO and once to let issue a >>>>>>> token onbehalfof/actas the original token >from the Web SSO? (this is >>>>>>> supported by CXF-Fediz) >>>>>>> > >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html >>>>>>> I am using Active Directory as an attribute store. So, I could say >>>>>>> ADFS role should be IDP. So, what I need is after user log on using Web >>>>>>> SSO, the SAML token should be cached in web context and being used as >>>>>>> actas >>>>>>> token when making a call to .NET web service. >>>>>>> >>>>>>> > Yes, the passive profile is supported by Fediz. Is ADFS the IDP? >>>>>>> In which application server is your web >application deployed? >>>>>>> ADFS is IDP and my Java web application is Service Provider. >>>>>>> >>>>>>> >What do you mean exactly? Is LDAP used for authentication by the >>>>>>> STS? Or should the service provider retrieve >the claims/roles from >>>>>>> LDAP? >>>>>>> I don't know much LDAP, but it should be used as an attribute store. >>>>>>> I consider it as an alternative of Active Directory. Please correct me >>>>>>> if I >>>>>>> am wrong. I have been reading many specifications, but I am still having >>>>>>> hard time to straiten up correct terms. >>>>>>> >>>>>>> >No, Spring is not a requirement. >>>>>>> What is Spring role in CXF? >>>>>>> >>>>>>> Thanks. >>>>>>> >>>>>>> Gina >>>>>>> On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <[email protected] >>>>>>> <mailto:[email protected]>> wrote: >>>>>>> >>> >>>>>>> 1. I have to create a client for .NET4.0 web service which claim >>>>>>> aware. So, >>>>>>> how is CXF interoperability with .NET? >>>>>>> >>> >>>>>>> You mean that WIF is deployed in the ASP.NET<http://ASP.NET> web >>>>>>> service using the Active Requestor Profile? >>>>>>> The SAML token should contain the claims as an AttributeStatement? >>>>>>> Can you share with us the WS-SecurityPolicy of this Web Service? >>>>>>> >>>>>>> >>> >>>>>>> 2. If CXF support ADFS2.0 as STS. >>>>>>> >>> >>>>>>> I haven't used ADFS using WS-Trust so far. Usually, it uses a >>>>>>> Symmetric and Asymmetric binding. >>>>>>> What roles does ADFS 2.0 play? >>>>>>> Once as the IDP for the Web application SSO and once to let issue a >>>>>>> token onbehalfof/actas the original token from the Web SSO? (this is >>>>>>> supported by CXF-Fediz) >>>>>>> >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html >>>>>>> >>>>>>> >>> >>>>>>> 3. If CXF support passive profile. Especially SP initiated Redirect >>>>>>> -> POST >>>>>>> binding. >>>>>>> >>> >>>>>>> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In >>>>>>> which application server is your web application deployed? >>>>>>> >>>>>>> >>> >>>>>>> 4. If CXF can work with LDAP. >>>>>>> >>> >>>>>>> What do you mean exactly? Is LDAP used for authentication by the >>>>>>> STS? Or should the service provider retrieve the claims/roles from LDAP? >>>>>>> >>>>>>> >>>> >>>>>>> 5. My application doesn't use Spring frame work. Do I have to use >>>>>>> Spring >>>>>>> Frame work to use CXF. >>>>>>> >>> >>>>>>> No, Spring is not a requirement. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> ------ >>>>>>> >>>>>>> Oliver Wulff >>>>>>> >>>>>>> Blog: http://owulff.blogspot.com >>>>>>> Solution Architect >>>>>>> http://coders.talend.com >>>>>>> >>>>>>> Talend Application Integration Division http://www.talend.com >>>>>>> >>>>>>> ________________________________________ >>>>>>> Von: gchoi [[email protected]<mailto:[email protected]>] >>>>>>> Gesendet: Mittwoch, 2. Mai 2012 17:29 >>>>>>> Bis: [email protected]<mailto:[email protected]> >>>>>>> Betreff: CXF supporting scope >>>>>>> >>>>>>> Hi All, >>>>>>> >>>>>>> So far, I evaluated several frame works, but they seem don't do what >>>>>>> I >>>>>>> expect. Several people suggested me that I should consider CXF. >>>>>>> Before I dig >>>>>>> into CXF, I would like know if CXF support following things. By the >>>>>>> way, I >>>>>>> just joined this user group. >>>>>>> >>>>>>> >>>>>>> 1. I have to create a client for .NET4.0 web service which claim >>>>>>> aware. So, >>>>>>> how is CXF interoperability with .NET? >>>>>>> >>>>>>> 2. If CXF support ADFS2.0 as STS. >>>>>>> >>>>>>> 3. If CXF support passive profile. Especially SP initiated Redirect >>>>>>> -> POST >>>>>>> binding. >>>>>>> >>>>>>> 4. If CXF can work with LDAP. >>>>>>> >>>>>>> 5. My application doesn't use Spring frame work. Do I have to use >>>>>>> Spring >>>>>>> Frame work to use CXF. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thank in advance. >>>>>>> >>>>>>> -- >>>>>>> View this message in context: >>>>>>> http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html >>>>>>> Sent from the cxf-user mailing list archive at Nabble.com. >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >
