Posted to commits@cxf.apache.org by bu...@apache.org on 2013/09/08 00:48:00 UTC

svn commit: r877639 - in /websites/production/cxf/content: ./ cache/ fediz-websphere.data/

Author: buildbot
Date: Sat Sep  7 22:48:00 2013
New Revision: 877639

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/fediz-cxf.html
    websites/production/cxf/content/fediz-websphere.data/
    websites/production/cxf/content/fediz-websphere.data/GlobalSec.png   (with props)
    websites/production/cxf/content/fediz-websphere.data/create-interceptor.png   (with props)
    websites/production/cxf/content/fediz-websphere.data/enable-trust-assoc.png   (with props)
    websites/production/cxf/content/fediz-websphere.data/trust-association.png   (with props)
Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-websphere.html
    websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/cxf/content/fediz-cxf.html
==============================================================================
--- websites/production/cxf/content/fediz-cxf.html (added)
+++ websites/production/cxf/content/fediz-cxf.html Sat Sep  7 22:48:00 2013
@@ -0,0 +1,273 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+  <head>
+
+<link type="text/css" rel="stylesheet" href="/resources/site.css">
+<script src='/resources/space.js'></script>
+
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - Fediz CXF">
+
+
+<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
+<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
+
+<script src='/resources/highlighter/scripts/shCore.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script>
+  SyntaxHighlighter.defaults['toolbar'] = false;
+  SyntaxHighlighter.all();
+</script>
+
+
+    <title>
+Apache CXF -- Fediz CXF
+    </title>
+  </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+  <tr>
+    <td id="cell-0-0" colspan="2">&nbsp;</td>
+    <td id="cell-0-1">&nbsp;</td>
+    <td id="cell-0-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-1-0">&nbsp;</td>
+    <td id="cell-1-1">&nbsp;</td>
+    <td id="cell-1-2">
+      <!-- Banner -->
+<div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/" title="The Apache Software Foundation"><img border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
+</td></tr></table></div></div>
+      <!-- Banner -->
+      <div id="top-menu">
+        <table border="0" cellpadding="1" cellspacing="0" width="100%">
+          <tr>
+            <td>
+              <div align="left">
+                <!-- Breadcrumbs -->
+<a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a href="fediz.html">Fediz</a>&nbsp;&gt;&nbsp;<a href="fediz-cxf.html">Fediz CXF</a>
+                <!-- Breadcrumbs -->
+              </div>
+            </td>
+            <td>
+              <div align="right">
+                <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="download.html" title="Download">Download</a> | <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
+                <!-- Quicklinks -->
+              </div>
+            </td>
+          </tr>
+        </table>
+      </div>
+    </td>
+    <td id="cell-1-3">&nbsp;</td>
+    <td id="cell-1-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-2-0" colspan="2">&nbsp;</td>
+    <td id="cell-2-1">
+      <table>
+        <tr valign="top">
+          <td height="100%">
+            <div id="wrapper-menu-page-right">
+              <div id="wrapper-menu-page-top">
+                <div id="wrapper-menu-page-bottom">
+                  <div id="menu-page">
+                    <!-- NavigationBar -->
+<div id="navigation"><h3><a shape="rect" name="Navigation-ApacheCXFIndex"></a><a shape="rect" href="index.html" title="Index">Apache CXF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="index.html" title="Index">Home</a></li><li><a shape="rect" href="download.html" title="Download">Download</a></li><li><a shape="rect" href="people.html" title="People">People</a></li><li><a shape="rect" href="project-status.html" title="Project Status">Project Status</a></li><li><a shape="rect" href="roadmap.html" title="Roadmap">Roadmap</a></li><li><a shape="rect" href="mailing-lists.html" title="Mailing Lists">Mailing Lists</a></li><li><a shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue Reporting</a></li><li><a shape="rect" href="special-thanks.html" title="Special Thanks">Special Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect" href="security-advisories.html" title="Security Advisories">Security Advisories</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Users"></a>Users</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's Guide</a></li><li><a shape="rect" href="support.html" title="Support">Support</a></li><li><a shape="rect" href="faq.html" title="FAQ">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html" title="Resources and Articles">Resources and Articles</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Search"></a>Search</h3>
+<p>
+</p><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
+  <div>
+    <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+    <input type="hidden" name="ie" value="UTF-8">
+    <input type="text" name="q" size="21">
+    <input type="submit" name="sa" value="Search">
+  </div>
+</form>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script>
+
+
+<h3><a shape="rect" name="Navigation-Developers"></a>Developers</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture Guide</a></li><li><a shape="rect" href="source-repository.html" title="Source Repository">Source Repository</a></li><li><a shape="rect" href="building.html" title="Building">Building</a></li><li><a shape="rect" href="automated-builds.html" title="Automated Builds">Automated Builds</a></li><li><a shape="rect" href="testing-debugging.html" title="Testing-Debugging">Testing-Debugging</a></li><li><a shape="rect" href="coding-guidelines.html" title="Coding Guidelines">Coding Guidelines</a></li><li><a shape="rect" href="getting-involved.html" title="Getting Involved">Getting Involved</a></li><li><a shape="rect" href="release-management.html" title="Release Management">Release Management</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Subprojects"></a>Subprojects</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="distributed-osgi.html" title="Distributed OSGi">Distributed OSGi</a></li><li><a shape="rect" href="xjc-utils.html" title="XJC Utils">XJC Utils</a></li><li><a shape="rect" href="build-utils.html" title="Build Utils">Build Utils</a></li><li><a shape="rect" href="fediz.html" title="Fediz">Fediz</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-ASF"></a><a shape="rect" class="external-link" href="http://www.apache.org">ASF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/">Foundation</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/sponsorship.html">Sponsor Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul>
+</div>
+                    <!-- NavigationBar -->
+                  </div>
+              </div>
+            </div>
+          </div>
+         </td>
+         <td height="100%">
+           <!-- Content -->
+           <div class="wiki-content">
+<div id="ConfluenceContent"><h1><a shape="rect" name="FedizCXF-CXFPlugin%281.1SNAPSHOT%29"></a>CXF Plugin (1.1 SNAPSHOT)</h1>
+<p>The subproject Fediz purpose is to provide Single Sign On for Web Applications which is independent of an underlying Web Services framework like Apache CXF. The Fediz plugins for Tomcat, Jetty, etc. are independent of Apache CXF, whereas the Fediz IDP leverages the capabilities of the CXF STS to issue SAML tokens with Claims information to build applications which use Claims Based Authorization with all the benefits.</p>
+
+<p>If the Fediz protected web application integrates with another application using Web Services you need to bundle a Web Services framework like Apache CXF with your web application. If it is required to support impersonation to call the Web Service, the security context of the application server must be delegated to the Web Services stack thus it can make the Web Service call on behalf of the browser user.</p>
+
+<p>In release 1.1, the Fediz CXF plugin supports delegating the application server security context (SAML token) to the STS client of CXF. CXF is then able to request a security token for the target Web Service from the STS on behalf of the browser user. Prior to release 1.1, this Java code had to be developed by the application developer.</p>
+
+<p>It is required that one of the other Fediz plugins are deployed to WS-Federation enable the application. After this step, the Fediz CXF plugin can be installed to integrate the Web SSO layer with the Web Services stack of Apache CXF.</p>
+
+
+<h3><a shape="rect" name="FedizCXF-Installation"></a>Installation</h3>
+<p>It's recommended to use Maven to resolve the dependencies as illustrated in the the example <tt>wsclientWebapp</tt>.</p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>pom.xml</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;dependency&gt;
+        &lt;groupId&gt;org.apache.cxf.fediz&lt;/groupId&gt;
+        &lt;artifactId&gt;fediz-cxf&lt;/artifactId&gt;
+        &lt;version&gt;1.1.0&lt;/version&gt;
+    &lt;/dependency&gt;
+]]></script>
+</div></div>
+
+<p>The example contains a README with instructions for building and deployment.</p>
+
+<h3><a shape="rect" name="FedizCXF-Configuration"></a>Configuration</h3>
+<p>Two configurations are required in <tt>web.xml</tt> to enable the <tt>FederationFilter</tt> to cache the security context in the thread local storage and in the spring configuration file <tt>applicationContext.xml</tt> to configure a callback handler to provide the STS client the security context stored in the thread local storage. </p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>web.xml</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;filter&gt;
+        &lt;filter-name&gt;FederationFilter&lt;/filter-name&gt;
+        &lt;filter-class&gt;org.apache.cxf.fediz.core.servlet.FederationFilter&lt;/filter-class&gt;
+    &lt;/filter&gt;
+
+    &lt;filter-mapping&gt;
+        &lt;filter-name&gt;FederationFilter&lt;/filter-name&gt;
+        &lt;url-pattern&gt;/secure/*&lt;/url-pattern&gt;
+    &lt;/filter-mapping&gt;
+]]></script>
+</div></div>
+
+<p>The <tt>FederationFilter</tt> is part of the library <tt>fediz-core</tt>.</p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext.xml</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;bean id="delegationCallbackHandler"
+        class="org.apache.cxf.fediz.cxf.web.ThreadLocalCallbackHandler" /&gt;
+
+    &lt;jaxws:client id="HelloServiceClient" serviceName="svc:GreeterService"
+        ...
+        wsdlLocation="WEB-INF/wsdl/hello_world.wsdl"&gt;
+        &lt;jaxws:properties&gt;
+            &lt;entry key="ws-security.sts.client"&gt;
+                &lt;bean class="org.apache.cxf.ws.security.trust.STSClient"&gt;
+                    ...
+                    &lt;property name="onBehalfOf" ref="delegationCallbackHandler" /&gt;
+                    ...
+                 &lt;/bean&gt;
+            &lt;/entry&gt;
+            &lt;entry key="ws-security.cache.issued.token.in.endpoint" value="false" /&gt;
+        &lt;/jaxws:properties&gt;
+    &lt;/jaxws:client&gt;
+
+]]></script>
+</div></div>
+
+<p>The <tt>ThreadLocalCallbackHandler</tt> is part of the library <tt>fediz-cxf</tt>.</p>
+
+<p>If you have set the property <tt>ws-security.cache.issued.token.in.endpoint</tt> to false, CXF will cache the issued token per security context dependent on the returned lifetime element of the STS. When the cached token for the target web services is expired, CXF will request a new token from the STS on-behalf-of the cached Fediz security context.</p>
+
+<p>There is no special Java code required to get this functionality as illustrated in the following code snippet:</p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+    Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
+    String reply = service.greetMe();
+]]></script>
+</div></div></div>
+           </div>
+           <!-- Content -->
+         </td>
+        </tr>
+      </table>
+   </td>
+   <td id="cell-2-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+   <td id="cell-3-0">&nbsp;</td>
+   <td id="cell-3-1">&nbsp;</td>
+   <td id="cell-3-2">
+     <div id="footer">
+       <!-- Footer -->
+       <div id="site-footer">
+         <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> - 
+         (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=34018940">edit page</a>) 
+	 (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=34018940&amp;showComments=true&amp;showCommentArea=true#addcomment">add comment</a>)<br>
+	Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
+        All other marks mentioned may be trademarks or registered trademarks of their respective owners.
+       </div>
+       <!-- Footer -->
+     </div>
+   </td>
+   <td id="cell-3-3">&nbsp;</td>
+   <td id="cell-3-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-4-0" colspan="2">&nbsp;</td>
+    <td id="cell-4-1">&nbsp;</td>
+    <td id="cell-4-2" colspan="2">&nbsp;</td>
+  </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
+document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+
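
Review bot: The paragraph after the applicationContext.xml panel says what CXF does when `ws-security.cache.issued.token.in.endpoint` is set to false, but not that the entry is required for this delegation setup or what happens when it is left out. Since `HelloServiceClient` is fetched by id from the shared application context and `onBehalfOf` is resolved per request through `ThreadLocalCallbackHandler`, the text should state plainly that the entry must be present and why. Two smaller points: the heading reads "CXF Plugin (1.1 SNAPSHOT)" while the pom.xml panel pins version 1.1.0, and the `FederationFilter` mapping covers only `/secure/*`, so the page should note that code running outside that path has no security context in thread-local storage to delegate. The Installation paragraph also has a doubled "the the".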

Added: websites/production/cxf/content/fediz-websphere.data/GlobalSec.png
==============================================================================
Binary file - no diff available.

Propchange: websites/production/cxf/content/fediz-websphere.data/GlobalSec.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/production/cxf/content/fediz-websphere.data/create-interceptor.png
==============================================================================
Binary file - no diff available.

Propchange: websites/production/cxf/content/fediz-websphere.data/create-interceptor.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/production/cxf/content/fediz-websphere.data/enable-trust-assoc.png
==============================================================================
Binary file - no diff available.

Propchange: websites/production/cxf/content/fediz-websphere.data/enable-trust-assoc.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/production/cxf/content/fediz-websphere.data/trust-association.png
==============================================================================
Binary file - no diff available.

Propchange: websites/production/cxf/content/fediz-websphere.data/trust-association.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Modified: websites/production/cxf/content/fediz-websphere.html
==============================================================================
--- websites/production/cxf/content/fediz-websphere.html (original)
+++ websites/production/cxf/content/fediz-websphere.html Sat Sep  7 22:48:00 2013
@@ -28,16 +28,6 @@
 <meta name="description" content="Apache CXF, Services Framework - Fediz Websphere">
 
 
-<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
-<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
-
-<script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
-<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
-<script>
-  SyntaxHighlighter.defaults['toolbar'] = false;
-  SyntaxHighlighter.all();
-</script>
 
 
     <title>
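
Review bot: With the SyntaxHighlighter stylesheets and scripts dropped from the head, any `<script type="syntaxhighlighter">` panel left in the body of fediz-websphere.html will no longer render, so confirm none remain. The panels visible in the following hunk are all on `-` lines, which is consistent with this removal, but the check should cover the whole page.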
@@ -146,105 +136,82 @@ Apache CXF -- Fediz Websphere
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1><a shape="rect" name="FedizWebsphere-IBMWebspherePlugin"></a>IBM Websphere Plugin</h1>
-<p>This page describes how to enable Federation for a IBM Websphere instance hosting Relying Party (RP) applications. This configuration is not for a Websphere instance hosting the Fediz IDP and IDP STS WARs but for applications that use SAML assertions for authentication.  After this configuration is done, the Websphere-RP instance will validate the incoming SignInResponse created by the IDP server.</p>
+<p>This page describes how to enable Federation for a IBM Websphere Application Server (WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere instance hosting the Fediz IDP and IDP STS WARs but for applications that use SAML assertions for authentication.  After this configuration is done, the Websphere-RP instance will validate the incoming SignInResponse created by the IDP server.</p>
 
 <p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the separate Servlet Container instance as discussed <a shape="rect" href="fediz-idp.html" title="Fediz IDP">here</a>, and can view the STS WSDL at the URL given on that page.  That page also provides some tips for running multiple Tomcat instances on your machine.</p>
 
+<h3><a shape="rect" name="FedizWebsphere-WebsphereSecurity"></a>Websphere Security</h3>
 
-<h3><a shape="rect" name="FedizWebsphere-Installation"></a>Installation</h3>
+<p>A <b>Trust Authentication Interceptor (TAI)</b> is a pluggable security component that is installed and configured at the IBM WebSphere Application Cell level. As such, any managed server on the Cell will have this component installed in and activated once defined in the WAS Security configuration.<br clear="none">
+A TAI implements the WAS specific interface <tt>com.ibm.wsspi.security.tai.TrustAssociationInterceptor</tt>. The WAS specific API for security layer customization is explained in details at the following:</p>
+
+<p><a shape="rect" class="external-link" href="http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html" rel="nofollow">http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html</a></p>
 
-<p>You have to build the Fediz plugin on your own as it depends on IBM Websphere libraries. If you have built the plugin on your own you'll find the required libraries in <tt>plugins/websphere/target/...zip-with-dependencies.zip</tt></p>
+<p>The Fediz Plugin for Websphere provides a TAI implementation which leverages the <b>Fediz Core</b>.</p>
 
-<ol><li>Create sub-directory <tt>fediz</tt> in <tt>${catalina.home}/lib</tt></li><li>Update calatina.properties in ${catalina.home}/conf<br clear="none">
-add the previously created directory to the common loader:<br clear="none">
-<tt>common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar</tt></li><li>Deploy the libraries to the directory created in (1)</li></ol>
+<p>WAS security runtime supports a notion of a security session using a specific security token called <em>LTPA Token</em> which is implemented as a HTTP cookie. The cookie lifetime is specified at the WAS administrative <em>Cell</em> level, which implies that it is not possible to configure this value per request based on the requirements for an application.<br clear="none">
+The TAI is no more involved after login once the LTPA Token is set which means a Web Application level component must intercept each request to check the security token (ex. SAML) lifetime and redirect the browser back to the IDP for re-authentication.<br clear="none">
+The Fediz Plugin Websphere ships a Java Servlet Filter which enforces the validity of the lifetime of the security token. This Servlet Filter must be configured in each Web Application module <tt>web.xml</tt> that is deployed on WAS.</p>
 
+<h3><a shape="rect" name="FedizWebsphere-BuildFedizWebsphereLibrary"></a>Build Fediz Websphere Library</h3>
 
+<p>You have to build the Fediz plugin on your own as it depends on IBM Websphere libraries.</p>
 
-<h3><a shape="rect" name="FedizWebsphere-Configuration"></a>Configuration</h3>
+<ul><li>Checkout the Fediz sources<br clear="none">
+see <a shape="rect" href="fediz.html#Fediz-building">here</a></li></ul>
 
-<h5><a shape="rect" name="FedizWebsphere-HTTPSconfiguration"></a>HTTPS configuration</h5>
 
-<p>It's recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz RP web applications use the following TCP ports:</p>
-<ul><li>HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS port: 8443 (where IDP and STS are accessed)</li><li>Server port (for shutdown and other commands): 8005</li></ul>
+<ul><li>Add the library <tt>runtime.jar</tt> of IBM Rational Application Developer to your Maven repository<br clear="none">
+<tt>mvn install:install-file -Dfile=&lt;path-to-file&gt; -DgroupId=com.ibm.ws -DartifactId=runtime -Dversion=7 -Dpackaging=jar</tt></li></ul>
 
 
-<p>These are the default ports for a standard Tomcat installation.</p>
+<ul><li>run the maven command<br clear="none">
+<tt>mvn clean install -Pwebsphere</tt><br clear="none">
+The Maven profile <tt>websphere</tt> enforces building.</li></ul>
 
-<p>The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.</p>
 
-<p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p>
+<ul><li>You'll find the required libraries in <tt>plugins/websphere/target/...zip-with-dependencies.zip</tt></li></ul>
 
-<p>This is a sample snippet for an HTTPS configuration:</p>
 
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               keystoreFile="tomcat-rp.jks"
-               keystorePass="tompass" sslProtocol="TLS" /&gt;
-]]></script>
-</div></div>
+<h3><a shape="rect" name="FedizWebsphere-Installation"></a>Installation</h3>
 
-<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates.  Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.  Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance.</p>
+<h5><a shape="rect" name="FedizWebsphere-PreRequisites"></a>Pre-Requisites</h5>
 
-<p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.)  See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p>
+<p>The Administrative and Application security must be activated for the WAS security layer to be able to intercept secured resources access requests. The local User Registry must be properly configured and at least one group of users must be declared in the registry prior any application installation.<br clear="none">
+At runtime, the WAS security layer will use the defined User/Group registry and the Fediz plugin maps the roles in the SAML token to WAS groups from this registry using the specified <em>Role to Group</em> mapper.<br clear="none">
+At deployment time, the declared J2EE security roles will need to be mapped to these groups, either using the Administrative Console or using the WAS binding files.</p>
 
-<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only.  They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</b></p>
+<h5><a shape="rect" name="FedizWebsphere-PluginInstallation"></a>Plugin Installation</h5>
 
-<p>If you are currently just trying to run the Fediz samples, the configuration above is all you need (the below configuration is already provided within the samples) so you can return now to the samples' READMEs for the next steps in running them.</p>
+<p>The Fediz Websphere plugin and its dependencies must be copied in the <tt>WAS_INSTALL_ROOT&gt;/lib/ext</tt> directory of WebSphere Application Server, on each configured Node of the Cell (including the Deployment Manager)</p>
 
+<p>The Fediz configuration file (ex. <tt>fediz-config.xml</tt>) and the configured truststore should be copied in a directory with read permission for the WAS runtime user, on each configured Node of the Cell (including the Deployment Manager).<br clear="none">
+<em>Note:</em> Using a shared filesystem is recommended.</p>
 
-<h5><a shape="rect" name="FedizWebsphere-FedizPluginconfigurationforYourWebApplication"></a>Fediz Plugin configuration for Your Web Application</h5>
+<h5><a shape="rect" name="FedizWebsphere-WebApplicationconfiguration"></a>Web Application configuration</h5>
 
-<p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">here</a>.</p>
+<ol><li>Open the Administative Console with Administrator privileges and navigate to Security / Global security</li><li>Ensure Application security is enabled<br clear="none">
+ <span class="image-wrap" style=""><img src="fediz-websphere.data/GlobalSec.png" width="800" style="border: 1px solid black"></span></li><li>Navigate to <em>Security / Global security / Web and SIP security</em> and select <b>Trust association</b><br clear="none">
+ <span class="image-wrap" style=""><img src="fediz-websphere.data/trust-association.png" width="800" style="border: 1px solid black"></span></li><li>Check the <b>Enable trust association</b> check box</li><li>Select Interceptors<br clear="none">
+ <span class="image-wrap" style=""><img src="fediz-websphere.data/enable+trust+assoc.png" width="800" style="border: 1px solid black"></span></li><li>Click on New and specify the Interceptor class name as <tt>org.apache.cxf.fediz.was.tai.FedizInterceptor</tt><br clear="none">
+ <span class="image-wrap" style=""><img src="fediz-websphere.data/create+interceptor.png" width="800" style="border: 1px solid black"></span></li></ol>
 
-<p>The Fediz plugin requires configuring the FederationAuthenticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p>
 
-<p>A Valve can be configured on different levels like <em>Host</em> or <em>Context</em>. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the <em>Context</em> level otherwise on the <em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p>
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Property </th><th colspan="1" rowspan="1" class="confluenceTh">Value</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">config.file.location </td><td colspan="1" rowspan="1" class="confluenceTd">Specify the path to the fediz-config.xml file</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">role.group.mapper </td><td colspan="1" rowspan="1" class="confluenceTd">Specify the class of the Role to Group Mapper<br clear="none">
+<tt>org.apache.cxf.fediz.was.mapper.FileBasedRoleToGroupMapper</tt></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">groups.mapping.file </td><td colspan="1" rowspan="1" class="confluenceTd">Specify the path to the Role - Group mapping file</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">groups.mapping.refresh.timeout </td><td colspan="1" rowspan="1" class="confluenceTd">Specify the refresh time (in sec) to reload the Group mapping file</td></tr></tbody></table>
+</div>
 
-<p>You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file.</p>
 
-<h6><a shape="rect" name="FedizWebsphere-METAINF%2Fcontext.xml"></a>META-INF/context.xml</h6>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[ 
-  &lt;Context&gt; 
-    &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
-      configFile="conf/Fediz_config.xml" /&gt;
-  &lt;/Context&gt; 
-]]></script>
-</div></div>
-
-<h6><a shape="rect" name="FedizWebsphere-Hostlevelinserver.xml"></a>Host level in server.xml</h6>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[ 
-  &lt;Host name="localhost"  appBase="webapps"
-        unpackWARs="true" autoDeploy="true"&gt;
-    &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
-           configFile="conf/Fediz_config.xml" /&gt;
-  &lt;/Host&gt;
-]]></script>
-</div></div> 
-
-<h6><a shape="rect" name="FedizWebsphere-Contextlevelinserver.xml"></a>Context level in server.xml</h6>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[ 
-  &lt;Context path="/fedizhelloworld" docBase="fedizhelloworld"&gt;
-    &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
-      configFile="conf/Fediz_config.xml" /&gt;
-  &lt;/Context&gt;
-]]></script>
-</div></div>
 
-<p>The Fediz configuration file is a Servlet container independent configuration file and described <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">here</a></p>
 
-<h3><a shape="rect" name="FedizWebsphere-WebApplicationdeployment"></a>Web Application deployment</h3>
 
-<p>Deploy your Web Application to your Tomcat installation (&lt;catalina.home&gt;/webapps).  If you're running the Fediz examples, their README files will have instructions on how to do this.</p>
+<h5><a shape="rect" name="FedizWebsphere-Fedizconfiguration"></a>Fediz configuration</h5>
+<p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">here</a>.</p>
 
 <h3><a shape="rect" name="FedizWebsphere-FederationMetadatadocument"></a>Federation Metadata document</h3>
 
-<p>The Tomcat Fediz plugin supports publishing the WS-Federation Metadata document which is described <a shape="rect" href="fediz-metadata.html" title="Fediz Metadata">here</a>.</p>
+<p>The Webpshere Fediz plugin supports publishing the WS-Federation Metadata document which is described <a shape="rect" href="fediz-metadata.html" title="Fediz Metadata">here</a>.</p>
 
 
 </div>
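Review bot: The last two screenshots in the new step list point at fediz-websphere.data/enable+trust+assoc.png and fediz-websphere.data/create+interceptor.png, but the files this commit adds are named enable-trust-assoc.png and create-interceptor.png, so both images will fail to load; change the two src values to the hyphenated names. The property table that follows the steps has no sentence saying where these properties are entered (presumably as custom properties of the interceptor created in the last step), and that should be stated. Typos to fix at the source: "Administative" in step 1 and "Webpshere" in the Federation Metadata paragraph.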

Modified: websites/production/cxf/content/fediz.html
==============================================================================
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Sat Sep  7 22:48:00 2013
@@ -186,7 +186,7 @@ The RP is a web application that needs t
 <p>The Fediz plugin needs to be deployed into the Relying Party (RP) container. The security mechanism is not specified by JEE. Even though it is very similar in each servlet container there are some differences which require a dedicated Fediz plugin for each servlet container implementation. Most of the configuration goes into a Servlet container independent configuration file which is described <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">here</a></p>
 
 <p>The following lists shows the supported containers and the location of the installation and configuration page.</p>
-<ul><li><a shape="rect" href="fediz-tomcat.html" title="Fediz Tomcat">Tomcat 7 </a></li><li><a shape="rect" href="fediz-jetty.html" title="Fediz Jetty">Jetty 7/8 (1.1 SNAPSHOT)</a></li><li><a shape="rect" href="fediz-spring.html" title="Fediz Spring">Spring Security 3.1 (1.1 SNAPSHOT)</a></li></ul>
+<ul><li><a shape="rect" href="fediz-tomcat.html" title="Fediz Tomcat">Tomcat 7 </a></li><li><a shape="rect" href="fediz-jetty.html" title="Fediz Jetty">Jetty 7/8 (1.1 SNAPSHOT)</a></li><li><a shape="rect" href="fediz-spring.html" title="Fediz Spring">Spring Security 3.1 (1.1 SNAPSHOT)</a></li><li><a shape="rect" href="fediz-cxf.html" title="Fediz CXF">CXF (1.1 SNAPSHOT) </a></li></ul>
 
 
 
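Review bot: The supported-container list gains a CXF entry but still has no entry for WebSphere, although the same commit updates fediz-websphere.html as the installation and configuration page for a WebSphere plugin; add a list item linking to fediz-websphere.html so that page is reachable from here. The new link text also carries a trailing space before the closing tag ("CXF (1.1 SNAPSHOT) </a>"), which is worth trimming in the wiki source.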
@@ -201,6 +201,7 @@ The RP is a web application that needs t
 </div>
 
 
+<p><a shape="rect" href="#Fediz-building">building</a></p>
 <h2><a shape="rect" name="Fediz-Building"></a>Building</h2>
 
 <p>Check out the code from here:</p>
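Review bot: The added link targets #Fediz-building, but the anchor on the following line is named Fediz-Building, so the fragment differs in case from the anchor name and may not resolve. The paragraph also links to the heading directly beneath it and reads like leftover wiki markup; either correct the href to #Fediz-Building or drop the line.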