Posted to commits@cxf.apache.org by bu...@apache.org on 2012/08/01 16:47:28 UTC

svn commit: r827616 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html docs/ws-securitypolicy.html

Author: buildbot
Date: Wed Aug  1 14:47:27 2012
New Revision: 827616

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jaxrs-kerberos.html
    websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug  1 14:47:27 2012
@@ -124,7 +124,7 @@ Apache CXF -- JAXRS Kerberos
 <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold"> JAX-RS Kerberos Support </span></p>
 
 <div>
-<ul><li><a shape="rect" href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a shape="rect" href="#JAXRSKerberos-Kerberos">Kerberos</a></li><li><a shape="rect" href="#JAXRSKerberos-HTTPNegotiatescheme">HTTP Negotiate scheme</a></li><li><a shape="rect" href="#JAXRSKerberos-GSSAPI">GSS API</a></li></ul><li><a shape="rect" href="#JAXRSKerberos-Clientconfiguration">Client configuration</a></li><ul><li><a shape="rect" href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a shape="rect" href="#JAXRSKerberos-Interceptor">Interceptor</a></li><ul><li><a shape="rect" href="#JAXRSKerberos-AuthorizationPolicy">Authorization Policy</a></li><li><a shape="rect" href="#JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the service principal name</a></li><li><a shape="rect" href="#JAXRSKerberos-UsingJAASConfiguration">Using JAAS Configuration</a></li></ul></ul><li><a shape="rect" href="#JAXRSKerberos-Serverconfiguration">Server configuration</a></li><li><a shape="
 rect" href="#JAXRSKerberos-CredentialDelegation">Credential Delegation</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a shape="rect" href="#JAXRSKerberos-Kerberos">Kerberos</a></li><li><a shape="rect" href="#JAXRSKerberos-HTTPNegotiatescheme">HTTP Negotiate scheme</a></li><li><a shape="rect" href="#JAXRSKerberos-GSSAPI">GSS API</a></li></ul><li><a shape="rect" href="#JAXRSKerberos-Clientconfiguration">Client configuration</a></li><ul><li><a shape="rect" href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a shape="rect" href="#JAXRSKerberos-Interceptor">Interceptor</a></li><ul><li><a shape="rect" href="#JAXRSKerberos-AuthorizationPolicy">Authorization Policy</a></li><li><a shape="rect" href="#JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the service principal name</a></li><li><a shape="rect" href="#JAXRSKerberos-UsingJAASConfiguration">Using JAAS Configuration</a></li></ul></ul><li><a shape="rect" href="#JAXRSKerberos-Serverconfiguration">Server configuration</a></li><ul><li><a sha
 pe="rect" href="#JAXRSKerberos-ServiceprincipalnameandJAASConfiguration">Service principal name and JAAS Configuration</a></li><li><a shape="rect" href="#JAXRSKerberos-CallbackHandler">CallbackHandler</a></li></ul><li><a shape="rect" href="#JAXRSKerberos-CredentialDelegation">Credential Delegation</a></li></ul></div>
 
 <h1><a shape="rect" name="JAXRSKerberos-Introduction"></a>Introduction</h1>
 <h2><a shape="rect" name="JAXRSKerberos-Kerberos"></a>Kerberos</h2>
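Review bot: the nested sub-lists in both the old and new table of contents are emitted as `</li><ul>...</ul>` siblings of the parent `<li>` rather than inside it, which is invalid HTML nesting (a `<ul>` may contain only `<li>` children); this is pre-existing Confluence export output rather than something introduced here, but the two new entries follow the same pattern. The anchors those entries point at, `#JAXRSKerberos-ServiceprincipalnameandJAASConfiguration` and `#JAXRSKerberos-CallbackHandler`, match the `<h2>` names added in the following hunk, so the table of contents is consistent with the new body.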
@@ -182,7 +182,103 @@ Book b = wc.get(Book.class);
 
 <h1><a shape="rect" name="JAXRSKerberos-Serverconfiguration"></a>Server configuration</h1>
 
+<p>org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter can be used to protected JAX-RS endpoints and enforce that a Negotiate authentication scheme is used by clients, example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"kerberosFilter"</span> class=<span class="code-quote">"org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter"</span>&gt;</span>
+   <span class="code-tag">&lt;property name=<span class="code-quote">"loginContextName"</span> value=<span class="code-quote">"KerberosServiceKeyTab"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+
+<span class="code-tag">&lt;jaxrs:server&gt;</span>
+  <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+    <span class="code-tag">&lt;bean class=<span class="code-quote">"org.mycompany.MyCompanyResource"</span>/&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+  <span class="code-tag">&lt;jaxrs:providers&gt;</span>
+    <span class="code-tag">&lt;ref bean=<span class="code-quote">"kerberosFilter"</span>&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
+</pre>
+</div></div>
+
+<p>KerberosAuthenticationFilter will set a CXF <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/SecurityContext.java">SecurityContext</a> on the current message if the authentication has been successful. This SecurityContext will return an instance of KerberosAuthenticationFilter$KerberosPrincipal, this Principal will return a 'simple' and 'kerberos' source principal names, example, given "HTTP/localhost@myrealm.com", Principal#getName will return "HTTP/localhost", and KerberosPrincipal#getKerberosName will return "HTTP/localhost@myrealm.com".</p>
+
+<h2><a shape="rect" name="JAXRSKerberos-ServiceprincipalnameandJAASConfiguration"></a>Service principal name and JAAS Configuration</h2>
+
+<p>Service principal name and JAAS Configuration can be optionally set up the same way they can be with KerberosAuthOutInterceptor, using 'servicePrincipalName' + 'realm' and "loginConfig" properties. </p>
+
+<h2><a shape="rect" name="JAXRSKerberos-CallbackHandler"></a>CallbackHandler</h2>
+
+<p>javax.security.auth.callback.CallbackHandler needs to be registered if no Kerberos key tabs are used, here is an example of setting it up from Java:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+<span class="code-keyword">public</span> class TestResource {
+ <span class="code-keyword">public</span> <span class="code-keyword">static</span> void main(<span class="code-object">String</span>[] args) {
+   JAXRSServerFactoryBean sf = <span class="code-keyword">new</span> JAXRSServerFactoryBean();
+   sf.setResourceClasses(BookStore.class);
+   KerberosAuthenticationFilter filter = <span class="code-keyword">new</span> KerberosAuthenticationFilter();
+   filter.setLoginContextName(<span class="code-quote">"KerberosServer"</span>);
+   
+   CallbackHandler handler = 
+     <span class="code-keyword">new</span> org.apache.cxf.interceptor.security.NamePasswordCallbackHandler(<span class="code-quote">"HTTP/localhost"</span>, <span class="code-quote">"http"</span>); 
+   filter.setCallbackHandler(handler);
+
+   <span class="code-comment">//filter.setLoginContextName(<span class="code-quote">"KerberosServerKeyTab"</span>);
+</span>   <span class="code-comment">//filter.setServicePrincipalName(<span class="code-quote">"HTTP/ktab"</span>);
+</span>   sf.setProvider(filter);
+   sf.setAddress(<span class="code-quote">"http:<span class="code-comment">//localhost:"</span> + PORT + <span class="code-quote">"/"</span>);
+</span>      
+   sf.create();
+ }
+}
+</pre>
+</div></div> 
+
+
 <h1><a shape="rect" name="JAXRSKerberos-CredentialDelegation"></a>Credential Delegation</h1>
+
+<p>Please see this <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-CredentialDelegation">section</a> on the way client-side credential delegation can be both enabled and implemented at the HTTP conduit level.</p>
+
+<p>Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the endpoints, then the filter will have an  org.ietf.jgss.GSSContext instance available in the current CXF SecurityContext, via its KerberosAuthenticationFilter$KerberosSecurityContext implementation, which can be used to get to  org.ietf.jgss.GSSCredential if the credential delegation is supported for a given source principal. The current credential if any can be set as a client property next, for example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+
+<span class="code-keyword">import</span> org.ietf.jgss.GSSCredential;
+
+<span class="code-keyword">import</span> org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter;
+<span class="code-keyword">import</span> org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;
+
+@Path(<span class="code-quote">"service"</span>)
+<span class="code-keyword">public</span> class MyResource {
+
+   @Context 
+   <span class="code-keyword">private</span> javax.ws.rs.core.SecurityContext securityContext;
+
+   @GET
+   <span class="code-keyword">public</span> Book getBookFromKerberosProtectedStore() {
+       WebClient wc = webClient.create(<span class="code-quote">"http:<span class="code-comment">//internal.com/store"</span>);
+</span>       <span class="code-keyword">if</span> (securityContext <span class="code-keyword">instanceof</span> KerberosSecurityContext) {
+           KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext;
+           GSSCredential cred = ksc.getGSSContext().getDelegCred();
+           <span class="code-keyword">if</span> (cred != <span class="code-keyword">null</span>) {
+               WebClient.getConfig(wc).getRequestContext().put(GSSCredential.class.getName(), cred);
+           } 
+       }
+       <span class="code-keyword">return</span> wc.get(Book.class); 
+   }
+
+}
+</pre>
+</div></div>
+
+<p>The HTTPConduit or KerberosAuthOutInterceptor handler will use the available GSSCredential.</p>
+
+
+<p>Also note that KerberosAuthOutInterceptor can have its "credDelegation" property set to "true" if it is used instead of HTTPConduit on the client side, when enabling the delegation initially.</p>
+
 </div>
            </div>
            <!-- Content -->
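Review bot: `WebClient wc = webClient.create("http://internal.com/store");` in getBookFromKerberosProtectedStore() will not compile as shown: `webClient` is never declared, and the static factory belongs to the `WebClient` class that the same method already uses in `WebClient.getConfig(wc)`, so the line should read `WebClient wc = WebClient.create("http://internal.com/store");`. In the Spring snippet under "Server configuration", `<ref bean="kerberosFilter">` inside `<jaxrs:providers>` is never closed, which leaves the XML malformed; it should be `<ref bean="kerberosFilter"/>`. Two smaller points: "can be used to protected JAX-RS endpoints" should read "protect", and the CallbackHandler example passes the service account's password ("http") as a string literal, which the surrounding text should mark as illustrative only, since the commented-out `KerberosServerKeyTab` and `setServicePrincipalName("HTTP/ktab")` lines show the keytab-based setup a deployment would normally use instead of a password embedded in code.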

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==============================================================================
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Wed Aug  1 14:47:27 2012
@@ -158,10 +158,17 @@ Apache CXF -- WS-SecurityPolicy
 </div>
 
 
+<h4><a shape="rect" name="WS-SecurityPolicy-Booleanconfigurationtags%2Ce.g.thevalueshouldbe%22true%22or%22false%22."></a>Boolean configuration tags, e.g. the value should be "true" or "false".</h4>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.validate.token </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to validate the password of a received UsernameToken or not. The default is true.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.enableRevocation </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in a certificate. The default value is "false".</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.username-token.always.encrypted </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to always encrypt UsernameTokens whenever possible. The default is true.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.is-bsp-compliant </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to ensure compliance with the Basic Securit
 y Profile (BSP) 1.1 or not. The default value is "true". </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.self-sign-saml-assertion </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to self-sign a SAML Assertion or not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion is constructed. The default is false. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.enable.nonce.cache </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to cache UsernameToken nonces. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE">here</a> for more information.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.enable.timestamp.cache </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to cache Timestamp Created Strings. See <a shape="rect" href="http://cxf.apache.org/
 javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE">here</a> for more information.</td></tr></tbody></table>
+</div>
+
+
 <h4><a shape="rect" name="WS-SecurityPolicy-Otherproperties"></a>Other properties</h4>
 
 <div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.subject.cert.constraints </td><td colspan="1" rowspan="1" class="confluenceTd"> This configuration tag is a comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the  certificate. These constraints are not used when the certificate is contained in the keystore (direct trust). </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.is-bsp-compliant </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true". </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.timestamp.futureTimeToLive </td><td colspan="1" rowspan="1" class="confluenceTd"> This configuration tag specifies the time in s
 econds in the future within which the Created time of an incoming Timestamp is valid. WSS4J rejects by default any timestamp which is "Created" in the future, and so there could potentially be<br clear="none" class="atl-forced-newline">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.subject.cert.constraints </td><td colspan="1" rowspan="1" class="confluenceTd"> This configuration tag is a comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the  certificate. These constraints are not used when the certificate is contained in the keystore (direct trust). </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.timestamp.futureTimeToLive </td><td colspan="1" rowspan="1" class="confluenceTd"> This configuration tag specifies the time in seconds in the future within which the Created time of an incoming Timestamp is valid. WSS4J rejects by default any timestamp which is "Created" in the future, and so there could potentially be<br clear="none" class="atl-forced-newline">
  problems in a scenario where a client's clock is slightly askew. The default value for this parameter is "0", meaning that no future-created Timestamps are allowed. </td></tr></tbody></table>
 </div>
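Review bot: the new heading "Boolean configuration tags, e.g. the value should be "true" or "false"." reads awkwardly and its anchor name encodes the entire sentence; something like "Boolean configuration tags (value is "true" or "false")" would be clearer and give a shorter anchor. Within the table the defaults are stated inconsistently (`The default is true.` versus `The default value is "false".`), so one form should be used throughout. Moving `ws-security.is-bsp-compliant` out of "Other properties" into this table is right, since it is a boolean, and the old duplicate row is removed in the same hunk. The `ws-security.enableRevocation` row would benefit from one more sentence: with the "false" default, a certificate that chains to a trusted CA is accepted even after it has been revoked, so deployments that rely on CA trust rather than direct trust in the keystore should set it to "true".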