Posted to commits@cxf.apache.org by dk...@apache.org on 2017/09/13 15:05:57 UTC

svn commit: r1018111 [32/33] - in /websites/production/cxf/content: ./ cache/ docs/

Modified: websites/production/cxf/content/fediz-cxf.html
==============================================================================
--- websites/production/cxf/content/fediz-cxf.html (original)
+++ websites/production/cxf/content/fediz-cxf.html Wed Sep 13 15:05:52 2017
@@ -111,7 +111,7 @@ Apache CXF -- Fediz CXF
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizCXF-CXFPlugin(1.1/1.2)">CXF Plugin (1.1/1.2)</h1><p>The Fediz plugin for CXF contains two separate pieces of functionality. The first is a CallbackHandler that allows the SAML Token of the Web SSO session to be used by the CXF Web Services Stack, i.e. for delegation (available since 1.1). The second is a full WS-Federation RP plugin based solely on Apache CXF JAX-RS, which is container independent (available since 1.2.0).</p><h2 id="FedizCXF-CXFPluginsupportforWS-Federation">CXF Plugin support for WS-Federation</h2><p>The new CXF plugin for WS-Federation available from Fediz 1.2.0 means that it is now possible to add support for WS-Federation to your JAX-RS CXF service without having to specify a container-specific plugin. Here is an example Spring based configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF spring configuration</b></div><div cl
 ass="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;bean id="serviceBean" class="org.apache.cxf.fediz.example.Service"&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="serviceBean" class="org.apache.cxf.fediz.example.Service"&gt;
 &lt;/bean&gt;
    
 &lt;bean id="fedizFilter" class="org.apache.cxf.fediz.cxf.plugin.FedizRedirectBindingFilter"&gt;
@@ -137,7 +137,7 @@ Apache CXF -- Fediz CXF
     &lt;/jaxrs:inInterceptors&gt;
 &lt;/jaxrs:server&gt;</pre>
 </div></div><p>Here we have a JAX-RS service which is secured via the SecureAnnotationsInterceptor. For example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Service Bean</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">@Path("/secure/")
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">@Path("/secure/")
 @Produces("text/html")
 public class Service {
     @Context
@@ -152,14 +152,14 @@ public class Service {
     ...
 }</pre>
 </div></div><p>The FedizRedirectBindingFilter is instantiated with a link to the Fediz plugin configuration and is added as a JAX-RS provider.</p><h2 id="FedizCXF-DelegationScenario">Delegation Scenario</h2><p>The subproject Fediz purpose is to provide Single Sign On for Web Applications which is independent of an underlying Web Services framework like Apache CXF. The Fediz plugins for Tomcat, Jetty, etc. are independent of Apache CXF, whereas the Fediz IDP leverages the capabilities of the CXF STS to issue SAML tokens with Claims information to build applications which use Claims Based Authorization with all the benefits.</p><p>If the Fediz protected web application integrates with another application using Web Services you need to bundle a Web Services framework like Apache CXF with your web application. If it is required to support impersonation to call the Web Service, the security context of the application server must be delegated to the Web Services stack thus it can make the
  Web Service call on behalf of the browser user.</p><p>In release 1.1, the Fediz CXF plugin supports delegating the application server security context (SAML token) to the STS client of CXF. CXF is then able to request a security token for the target Web Service from the STS on behalf of the browser user. Prior to release 1.1, this Java code had to be developed by the application developer.</p><p>It is required that one of the other Fediz plugins are deployed to WS-Federation enable the application. After this step, the Fediz CXF plugin can be installed to integrate the Web SSO layer with the Web Services stack of Apache CXF.</p><h3 id="FedizCXF-Installation">Installation</h3><p>It's recommended to use Maven to resolve the dependencies as illustrated in the the example <code>wsclientWebapp</code>.</p><div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>pom.xm
 l</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;dependency&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;dependency&gt;
         &lt;groupId&gt;org.apache.cxf.fediz&lt;/groupId&gt;
         &lt;artifactId&gt;fediz-cxf&lt;/artifactId&gt;
         &lt;version&gt;1.1.0&lt;/version&gt;
     &lt;/dependency&gt;
 </pre>
 </div></div><p>The example contains a README with instructions for building and deployment.</p><h3 id="FedizCXF-Configuration">Configuration</h3><p>Two configurations are required in <code>web.xml</code> to enable the <code>FederationFilter</code> to cache the security context in the thread local storage and in the spring configuration file <code>applicationContext.xml</code> to configure a callback handler to provide the STS client the security context stored in the thread local storage.</p><div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>web.xml</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;filter&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;filter&gt;
         &lt;filter-name&gt;FederationFilter&lt;/filter-name&gt;
         &lt;filter-class&gt;org.apache.cxf.fediz.core.servlet.FederationFilter&lt;/filter-class&gt;
     &lt;/filter&gt;
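Review bot: the pom.xml snippet in this hunk still pins `fediz-cxf` to `<version>1.1.0</version>`, while fediz-downloads.html in this same commit lists 1.4.1 as the current release; since the Installation text sends readers to this snippet to resolve dependencies, either bump the version or add a sentence that it must match the deployed Fediz release. Both pres here (Maven XML and web.xml) also move to `brush: java`, where `xml` would be the correct highlighter.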
@@ -170,7 +170,7 @@ public class Service {
     &lt;/filter-mapping&gt;
 </pre>
 </div></div><p>The <code>FederationFilter</code> is part of the library <code>fediz-core</code>.</p><div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext.xml</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;bean id="delegationCallbackHandler"
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;bean id="delegationCallbackHandler"
         class="org.apache.cxf.fediz.cxf.web.ThreadLocalCallbackHandler" /&gt;
 
     &lt;jaxws:client id="HelloServiceClient" serviceName="svc:GreeterService"
@@ -190,7 +190,7 @@ public class Service {
 
 </pre>
 </div></div><p>The <code>ThreadLocalCallbackHandler</code> is part of the library <code>fediz-cxf</code>.</p><p>If you have set the property <code>ws-security.cache.issued.token.in.endpoint</code> to false, CXF will cache the issued token per security context dependent on the returned lifetime element of the STS. When the cached token for the target web services is expired, CXF will request a new token from the STS on-behalf-of the cached Fediz security context.</p><p>There is no special Java code required to get this functionality as illustrated in the following code snippet:</p><div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
     String reply = service.greetMe();
 </pre>
 </div></div></div>

Modified: websites/production/cxf/content/fediz-downloads.html
==============================================================================
--- websites/production/cxf/content/fediz-downloads.html (original)
+++ websites/production/cxf/content/fediz-downloads.html Wed Sep 13 15:05:52 2017
@@ -110,14 +110,14 @@ Apache CXF -- Fediz Downloads
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizDownloads-Releases">Releases</h1><h2 id="FedizDownloads-1.4.1">1.4.1</h2><p>The 1.4.1 release is our latest release. For more information please see the <a shape="rect" class="external-link" href="https://issues.apache.org/jira/projects/FEDIZ/versions/12340452">release notes</a>.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip">
 fediz-1.4.1-source-release.zip</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip.md5">fediz-1.4.1-source-release.zip.md5</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip.sha1">fediz-1.4.1-source-release.zip.sha1</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip.asc">fediz-1.4.1-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2 id="FedizDownloads-1.3.2">1.3.2</h2><p>The 1.3.2 release is our latest release of the 1.3.x branch. For more information please see the <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/FEDIZ/fixforversion/12338091">rele
 ase notes</a>.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip">fediz-1.3.2-source-release.zip</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.md5">fediz-1.3.2-source-release.zip.md5</a></p></td><td colspan="1" rowspan="1" class="conflu
 enceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.sha1">fediz-1.3.2-source-release.zip.sha1</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.asc">fediz-1.3.2-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2 id="FedizDownloads-VerifyingReleases">Verifying Releases</h2><p>When downloading from a mirror please check the SHA1/MD5 checksums as well as verifying the OpenPGP compatible signature available from the main Apache site. The <a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/KEYS">KEYS</a> file contains the public keys used for signing the release. It is recommended that a web of trust is used to confirm the identity of these keys.</p><p>You can check the OpenPGP signature with GnuPG via:</p><p>&#160;</p><div class="code panel 
 pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">gpg --import KEYS
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">gpg --import KEYS
 gpg --verify apache-fediz-*.zip.asc
 </pre>
 </div></div><p>You can check the MD5 checksum with:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">md5sum --check apache-fediz-*.zip.md5
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">md5sum --check apache-fediz-*.zip.md5
 </pre>
 </div></div><p>You can check the SHA1 checksum with:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">sha1sum --check apache-fediz-*.zip.sha1
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">sha1sum --check apache-fediz-*.zip.sha1
 </pre>
 </div></div><h1 id="FedizDownloads-Previousreleases">Previous releases</h1><p>Previous releases are all archived in the apache archive: <a shape="rect" class="external-link" href="http://archive.apache.org/dist/cxf/fediz">http://archive.apache.org/dist/cxf/fediz</a></p><h1 id="FedizDownloads-Snapshots">Snapshots</h1><div class="confluence-information-macro confluence-information-macro-information"><p class="title">Warning about snapshots</p><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>These are snapshot builds - untested builds provided for your convenience. They have not been tested, and are not official releases of the Apache CXF Fediz project or the Apache Software Foundation.</p></div></div><p>1.4.1 <a shape="rect" class="external-link" href="https://repository.apache.org/content/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.4.1-SNAPSHOT/">https://repository.apache.org/co
 ntent/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.4.1-SNAPSHOT/</a></p><h1 id="FedizDownloads-Maven2Repositories">Maven 2 Repositories</h1><p>If you use Maven 2 for building your applications, Apache CXF Fediz artifacts are available from the following repository URLS:</p><h3 id="FedizDownloads-Releases:">Releases:</h3><p>All supported CXF releases are synced into the Maven central repository: <a shape="rect" class="external-link" href="http://repo1.maven.org/maven2/" rel="nofollow">http://repo1.maven.org/maven2/</a></p><h3 id="FedizDownloads-Snapshots:">Snapshots:</h3><p>Snapshots are available in Apache's Maven snapshot repository: <a shape="rect" class="external-link" href="http://repository.apache.org/snapshots">http://repository.apache.org/snapshots</a></p></div>
            </div>
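Review bot: `brush: java` is the wrong highlighter for the three pres in this hunk: `gpg --import KEYS`, `gpg --verify ...`, `md5sum --check ...` and `sha1sum --check ...` are shell commands, so the original `bash` should stay here even if the other pages move to `java`. While this section is being touched: the Verifying Releases text still points users at MD5 and SHA1 checksum files and the mirror links are plain `http://`; offering SHA-256/SHA-512 checksum files and fetching them, like the `.asc` signature, over https from the main Apache site would be the stronger guidance and is what the section is already trying to achieve with the signature check.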

Modified: websites/production/cxf/content/fediz-extensions.html
==============================================================================
--- websites/production/cxf/content/fediz-extensions.html (original)
+++ websites/production/cxf/content/fediz-extensions.html Wed Sep 13 15:05:52 2017
@@ -110,7 +110,7 @@ Apache CXF -- Fediz Extensions
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizExtensions-FedizExtensions">Fediz Extensions</h1><p>This page describes the extension points in Fediz to enrich its functionality further.</p><h3 id="FedizExtensions-CallbackHandler">Callback Handler</h3><p>The Sign-In request (Redirect URL) to the IDP contains several query parameters to customize the sign in process. Some parameters are configured statically in the <a shape="rect" href="fediz-configuration.html">Fediz configuration file</a> some others can be resolved at runtime when the initial request is received by the Fediz plugin.</p><p>The following table gives an overview of the parameters which can be resolved at runtime. It contains the XML element name of the Fediz configuration file, the query parameter name of the sign-in request to the IDP as well as the Callback class.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>XML element</p></th><th colspan="1" row
 span="1" class="confluenceTh"><p>Query parameter</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Callback class</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Supported version</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>wauth</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>WAuthCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>whr</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>HomeRealmCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>N.A.</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>IDPCallback</
 p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>wfresh</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>FreshnessCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.0.2</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>wtrealm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RealmCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.1.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>N.A.</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>any</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SignInQueryCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.1.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">request</
 td><td colspan="1" rowspan="1" class="confluenceTd">wreq</td><td colspan="1" rowspan="1" class="confluenceTd">WReqCallback</td><td colspan="1" rowspan="1" class="confluenceTd">1.1.1</td></tr></tbody></table></div><p>If you configure a class which implements the interface <code>javax.security.auth.callback.CallbackHandler</code> you get the corresponding Callback object where you must set the value which is then added to the query parameter. The Callback object provides the <code>HttpServletRequest</code> object which might give you the required information to resolve the value.</p><p>Here is a snippet of the configuration to configure a CallbackHandler:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">...
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">...
         &lt;protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2"&gt;
             ...
             &lt;homeRealm type="Class" value="MyCallbackHandler " /&gt;
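Review bot: the context line `<homeRealm type="Class" value="MyCallbackHandler " />` carries a trailing space inside the attribute value; with `type="Class"` that string is used as a class name, so a reader copying the snippet verbatim may get a class-loading failure unless the plugin trims it. Drop the space: `<homeRealm type="Class" value="MyCallbackHandler" />`. The pre itself is a Fediz XML configuration fragment, so `brush: xml` rather than `java` fits it.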
@@ -119,7 +119,7 @@ Apache CXF -- Fediz Extensions
 ...
 </pre>
 </div></div><p>And a sample implementation of the CallbackHandler:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">public class MyCallbackHandler implements CallbackHandler {
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public class MyCallbackHandler implements CallbackHandler {
     
     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
         for (int i = 0; i &lt; callbacks.length; i++) {

Modified: websites/production/cxf/content/fediz-idp-11.html
==============================================================================
--- websites/production/cxf/content/fediz-idp-11.html (original)
+++ websites/production/cxf/content/fediz-idp-11.html Wed Sep 13 15:05:52 2017
@@ -111,15 +111,15 @@ Apache CXF -- Fediz IDP 1.1
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizIDP1.1-FedizIDP">Fediz IDP</h1><p><em>Note:</em> Fediz IDP 1.0 is described <a shape="rect" href="fediz-idp.html">here </a>.</p><p>The Release 1.1 introduces the following new feature:</p><ul><li>Federation Metadata<br clear="none"> The IDP supports publishing the WS-Federation Metadata document which allows to more easily integrate the IDP into platforms which support referencing a Metadata document. Metadata consists of the signing certificate, the provided claims, etc.</li></ul><ul><li>Spring Web Flow support<br clear="none"> The IDP has been refactored to use Spring Web Flow to manage the federation flow. This provides flexibility to be able to customize the IDP to company's specific requirements. The IDP is secured by Spring Security to get the benefits and flexibility of Spring Security.</li></ul><ul><li>Resource IDP and Home Realm Discovery<br clear="none"> This is the major new feature. The IDP is able to figure out from which securit
 y domain/realm the browser request is coming from to redirect the sign-in request to the requestor IDP which does the authentication and issues a token which is sent to the Resource IDP. The Resource IDP will then either map the principal from one security domain to the target security domain and get claims information of the mapped principal or transform the claims information and finally issue a new token for the relying party (application).</li></ul><p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component, fediz-idp-sts.war, which is responsible for validating credentials, getting the requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR (fediz-idp.war) which allows browser-based applications to interact with the STS. The communication between the browser and the IDP must be performed within the confine
 s of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic.</p><p>The Fediz STS is based on a customized CXF STS configured to support standard Federation use cases demonstrated by the examples. The Fediz STS has been enhanced to support two realms *Realm-A* and *Realm-B* with the following set of users:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>User</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Password</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm A</em></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>alice</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ecila</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>bob</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>bob</p></td></tr><tr>
 <td colspan="1" rowspan="1" class="confluenceTd"><p>ted</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>det</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm B</em></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>ALICE</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ECILA</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>BOB</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>BOB</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>TED</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>DET</p></td></tr></tbody></table></div><p>The Fediz IDP doesn't support several realms within one WAR which requires to build a Fediz IDP WAR for Realm A (default, shipped with Fediz Distribution) and Realm B. See below how to build a Fediz IDP WAR for a specific realm.</p><h3 id="FedizIDP1.1-Installation">Insta
 llation</h3><p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server.</p><p>It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described <a shape="rect" class="external-link" href="http://www.shaunabram.com/multiple-tomcat-instances/" rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and <a shape="rect" class="external-link" href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html" rel="nofollow">change port values</a> (discussed below) so they don't conflict with the original Tomcat i
 nstallation.</p><p>To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/startup.sh
 </pre>
 </div></div><p>and</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/shutdown.sh
 </pre>
 </div></div><p>If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE instead that will need to be redefined above.</p><h5 id="FedizIDP1.1-Tomcatserver.xmlconfiguration">Tomcat server.xml configuration</h5><p>The Fediz examples use the following Tomcat port values for the IDP/STS, defined in the conf/server.xml file. We use ports different from the Tomcat defaults so as not to conflict with the Tomcat instance running the RP applications.</p><ul><li>HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS port: 9443 (where IDP and STS are accessed)</li><li>Server port: 9005 (for shutdown and other commands)</li></ul><p>Here is a sample snippet for showing the configuration of the above three values:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;Server port="9005" shutdown="SHUTDOWN"&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;Server port="9005" shutdown="SHUTDOWN"&gt;
 ...
 
    &lt;!-- http configuration --&gt;
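Review bot: the first two pres in this hunk are two-line shell scripts (`CATALINA_HOME=/path/to/second/tomcat` followed by `$CATALINA_HOME/bin/startup.sh` and `.../shutdown.sh`), so changing them from `brush: bash` to `brush: java` is a regression in highlighting; keep `bash` for these. The third pre (the server.xml `<Server port="9005" ...>` fragment) is XML and would take `brush: xml`.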
@@ -142,7 +142,7 @@ $CATALINA_HOME/bin/shutdown.sh
 &lt;/Server&gt;
 </pre>
 </div></div><p>The keystoreFile is relative to $CATALINA_BASE. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&amp;view=co">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p><p><s
 trong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><h5 id="FedizIDP1.1-BuildtheIDPWAR">Build the IDP WAR</h5><p>The Fediz 1.1 distribution ships one Fediz IDP WAR built for Realm-A by default. The distribution also contains the IDP and STS sources with two Maven Profiles <em>realm-a</em> and <em>realm-b</em>. More information is provided in the <code>README.txt</code> <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/services/idp/README.txt?view=co">here</a></p><p>Once you deploy the IDP WAR files to your Tomcat installation (&lt;catalina.home&gt;/webapps), you should be able to see the Fediz STS from a browser. Assuming port 9080 as listed above, the STS WSDL is availabl
 e at:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Version</th><th colspan="1" rowspan="1" class="confluenceTh"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">STS</a> WSDL location</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.0.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/STSService?wsdl</a></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.1.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/</a><a shape="rect" class="external-link" href="https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransp
 ort?wsdl" rel="nofollow">REALMA/STSServiceTransport?wsdl</a></td></tr></tbody></table></div><h3 id="FedizIDP1.1-Configuration">Configuration</h3><p>You can manage the users, their claims and the claims per application in the IDP.</p><h5 id="FedizIDP1.1-Userandpassword">User and password</h5><p>The users and passwords are configured in a Spring configuration file in <code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following users are already configured for the <em>Realm A</em> and can easily be extended.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;util:map id="REALMA"&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;util:map id="REALMA"&gt;
         &lt;entry key="alice" value="ecila" /&gt;
         &lt;entry key="bob" value="bob" /&gt;
         &lt;entry key="ted" value="det" /&gt;
@@ -155,7 +155,7 @@ $CATALINA_HOME/bin/shutdown.sh
     &lt;/util:map&gt;
 </pre>
 </div></div><h5 id="FedizIDP1.1-UserClaims">User Claims</h5><p>The claims of each user are configured in a spring configuration file <code>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</code>. The following claims are already configured:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">  &lt;util:map id="userClaimsREALMA"&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">  &lt;util:map id="userClaimsREALMA"&gt;
     &lt;entry key="alice"
       value-ref="REALMA_aliceClaims" /&gt;
     &lt;entry key="bob"
@@ -176,7 +176,7 @@ $CATALINA_HOME/bin/shutdown.sh
   &lt;/util:map&gt;
 </pre>
 </div></div><p>The claim id's are configured according to Section 7.5 in the specification <a shape="rect" class="external-link" href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html" rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims to a SAML attribute statement are described in Section 7.2.</p><h5 id="FedizIDP1.1-IDPconfiguration">IDP configuration</h5><p>The IDP configuration is done in the new configuration file <code>idp-config-&lt;realm&gt;.xml</code> which is illustrated below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig"&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig"&gt;
         &lt;property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" /&gt;
         &lt;property name="uri" value="realma" /&gt;
         &lt;!--&lt;property name="hrds" value="" /&gt;--&gt; &lt;!-- TBD, not defined, provide list if enabled --&gt;
@@ -212,7 +212,7 @@ $CATALINA_HOME/bin/shutdown.sh
     &lt;/bean&gt;
 </pre>
 </div></div><h5 id="FedizIDP1.1-RelyingParty/Applicationconfiguration">Relying Party / Application configuration</h5><p><em>Note: The configuration file</em> <code><em>RPClaims.xml</em></code> <em>has been replaced</em></p><p>The application related configuration like required claims are configured in the new IDP configuration file <code>idp-config-&lt;realm&gt;.xml</code> which has been enhanced to support other configuration parameters as well:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig"&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig"&gt;
         &lt;property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" /&gt;
         &lt;property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" /&gt;
         &lt;property name="serviceDisplayName" value="Fedizhelloworld" /&gt;
@@ -243,7 +243,7 @@ $CATALINA_HOME/bin/shutdown.sh
     &lt;/bean&gt;
 </pre>
 </div></div><h5 id="FedizIDP1.1-TrustedIDPconfiguration">Trusted IDP configuration</h5><p>This feature is new in Fediz IDP 1.1 and allows to redirect a SignIn Request to a trusted IDP. The following configuration is required:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig"&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig"&gt;
         &lt;property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" /&gt;
         &lt;property name="url" value="https://localhost:12443/fediz-idp-remote/federation" /&gt;
         &lt;property name="certificate" value="realmb.cert" /&gt;
@@ -255,7 +255,7 @@ $CATALINA_HOME/bin/shutdown.sh
     &lt;/bean&gt;
 </pre>
 </div></div><h3 id="FedizIDP1.1-ConfigureLDAPdirectory">Configure LDAP directory</h3><p>The Fediz IDP can be configured to attach an LDAP directory to authenticate users and to retrieve claims information of users.</p><h5 id="FedizIDP1.1-Usernameandpasswordauthentication">Username and password authentication</h5><p>WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">myldap {
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">myldap {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
  authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
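Review bot: the `userProvider` line in this hunk has an unbalanced double quote (`userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"` closes a quote it never opens), so the sample jaas.config fails to parse if copied verbatim; it should be quoted like the `authIdentity="cn={USERNAME},..."` line under it. `brush: java` is also a poor fit for a JAAS login configuration file, although no exact brush exists for it. One more sentence belongs in the doc text here: with `authIdentity` set to a bind DN, `LdapLoginModule` sends the user's password to the directory in a simple bind, and the example URL is plain `ldap://` on port 389, so outside a test setup the page should point at an `ldaps://` URL (or the module's `useSSL` option) to keep that credential off the wire in the clear.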
@@ -264,12 +264,12 @@ $CATALINA_HOME/bin/shutdown.sh
 };
 </pre>
 </div></div><p>You can get more information about this LoginModule <a shape="rect" class="external-link" href="http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html" rel="nofollow">here</a>.</p><p>In this example, all the users are stored in the organization unit Users within mycompany.org. The configuration filename can be chosen, e.g. <code>jaas.config</code>. The filename must be configured as a JVM argument. JVM related configurations for Tomcat can be done in the file <code>setenv.sh/bat</code> located in directory <code>tomcat/bin</code>. This script is called implicitly by <code>catalina.bat/sh</code> and might look like this for UNIX:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">#!/bin/sh
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">#!/bin/sh
 JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
 export JAVA_OPTS
 </pre>
 </div></div><p>Next, the STS endpoint has to be configured to use the JAAS LoginModule which is accomplished by the <code>JAASUsernameTokenValidator</code>.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;bean
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean
   class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
       id="jaasUTValidator"&gt;
    &lt;property name="contextName" value="myldap"/&gt;
@@ -290,7 +290,7 @@ export JAVA_OPTS
 &lt;/jaxws:endpoint&gt;
 </pre>
 </div></div><p>The property <code>contextName</code> must match the context name defined in the JAAS configuration file which is <code>myldap</code> in this example.</p><h5 id="FedizIDP1.1-Claimsmanagement">Claims management</h5><p>When a STS client (IDP) requests a claim, the ClaimsManager in the STS checks every registered ClaimsHandler who can provide the data of the requested claim. The CXF STS provides <code>org.apache.cxf.sts.claims.LdapClaimsHandler</code> which is a claims handler implementation to get claims from user attributes in a LDAP directory.</p><p>You configure which claim URI maps to which LDAP user attribute. The implementation uses the Spring Ldap Module (LdapTemplate).</p><p>The following example illustrate the changes to be made in <code>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</code>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;util:list id="claimHandlerList"&gt;
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;util:list id="claimHandlerList"&gt;
   &lt;ref bean="ldapClaimsHandler" /&gt;
 &lt;/util:list&gt;
 

Modified: websites/production/cxf/content/fediz-idp.html
==============================================================================
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Wed Sep 13 15:05:52 2017
@@ -125,7 +125,7 @@ Apache CXF -- Fediz IDP
 <p>To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/startup.sh
 </pre>
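Review bot: `CATALINA_HOME=/path/to/second/tomcat` / `$CATALINA_HOME/bin/startup.sh` is shell, so `brush: bash` was correct for this block and `brush: java` is a step backwards; the same holds for the shutdown.sh hunk immediately after this one. A site-wide bash-to-java substitution mis-tags every shell snippet; the change should be limited to blocks that actually contain Java.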
@@ -134,7 +134,7 @@ $CATALINA_HOME/bin/startup.sh
 <p>and</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/shutdown.sh
 </pre>
@@ -152,7 +152,7 @@ $CATALINA_HOME/bin/shutdown.sh
 <p>Here is a sample snippet for showing the configuration of the above three values:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;Server port="9005" shutdown="SHUTDOWN"&gt;
 ...
 
@@ -194,7 +194,7 @@ $CATALINA_HOME/bin/shutdown.sh
 
 <p>The users and passwords are configured in a Spring configuration file in <code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following users are already configured and can easily be extended.</p>
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
     &lt;util:map id="passwords"&gt;
         &lt;entry key="alice"
             value="ecila" /&gt;
@@ -210,7 +210,7 @@ $CATALINA_HOME/bin/shutdown.sh
 
 <p>The claims of each user are configured in a spring configuration file <code>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</code>. The following claims are already configured:</p>
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
     &lt;util:map id="userClaims"&gt;
         &lt;entry key="alice"
             value-ref="aliceClaims" /&gt;
@@ -241,7 +241,7 @@ $CATALINA_HOME/bin/shutdown.sh
 <p>The required claims per relying party are configured in the <code>webapps/fediz-idp/WEB-INF/RPClaims.xml</code>. The XML file has the following structure:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
     &lt;util:map id="realm2ClaimsMap"&gt;
         &lt;entry key="https://localhost:8443/fedizhelloworld/"
             value-ref="claimsWsfedhelloworld" /&gt;
@@ -271,7 +271,7 @@ $CATALINA_HOME/bin/shutdown.sh
 <p>WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 myldap {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
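Review bot: same defect as on the 1.1 IDP page: `userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"` in this hunk has a closing quote with no opening one, so the sample jaas.config does not parse as written; add the leading `"` to match the `authIdentity` line below. Since the `<pre>` of this block is being edited anyway, this is the moment to correct the content as well.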
@@ -287,7 +287,7 @@ myldap {
 <p>In this example, all the users are stored in the organization unit Users within mycompany.org. The configuration filename can be chosen, e.g. <code>jaas.config</code>. The filename must be configured as a JVM argument. JVM related configurations for Tomcat can be done in the file <code>setenv.sh/bat</code> located in directory <code>tomcat/bin</code>. This script is called implicitly by <code>catalina.bat/sh</code> and might look like this for UNIX:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 #!/bin/sh
 JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
 export JAVA_OPTS
@@ -297,7 +297,7 @@ export JAVA_OPTS
 <p>Next, the STS endpoint has to be configured to use the JAAS LoginModule which is accomplished by the <code>JAASUsernameTokenValidator</code>.</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;bean
   class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
       id="jaasUTValidator"&gt;
@@ -331,7 +331,7 @@ export JAVA_OPTS
 <p>The following example illustrate the changes to be made in <code>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</code>:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;util:list id="claimHandlerList"&gt;
   &lt;ref bean="ldapClaimsHandler" /&gt;
 &lt;/util:list&gt;

Modified: websites/production/cxf/content/fediz-jetty.html
==============================================================================
--- websites/production/cxf/content/fediz-jetty.html (original)
+++ websites/production/cxf/content/fediz-jetty.html Wed Sep 13 15:05:52 2017
@@ -122,7 +122,7 @@ Apache CXF -- Fediz Jetty
 
 <ol><li>Create sub-directory <code>fediz</code> in <code>${jetty.home}/lib/fediz</code></li><li>Update start.ini in ${jetty.home}/start.ini by adding <code>fediz</code> to the OPTIONS
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 OPTIONS=Server,fediz
 </pre>
 </div></div></li><li>Deploy the libraries to the directory created in (1)</li></ol>
@@ -168,7 +168,7 @@ OPTIONS=Server,fediz
 <p>Hint: file name must be equal to war file name</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;"> 
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> 
   &lt;Get name="securityHandler"&gt;
     &lt;Set name="loginService"&gt;
       &lt;New class="org.apache.cxf.fediz.jetty.FederationLoginService"&gt;

Modified: websites/production/cxf/content/fediz-metadata.html
==============================================================================
--- websites/production/cxf/content/fediz-metadata.html (original)
+++ websites/production/cxf/content/fediz-metadata.html Wed Sep 13 15:05:52 2017
@@ -120,7 +120,7 @@ Apache CXF -- Fediz Metadata
 
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
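Review bot: this block is SAML 2.0 metadata (`<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"`), as are the two metadata hunks that follow it; `brush: xml` is the right highlighter for all three rather than `java`, which will not colour element or attribute syntax.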
@@ -141,7 +141,7 @@ Apache CXF -- Fediz Metadata
 
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
@@ -184,7 +184,7 @@ Apache CXF -- Fediz Metadata
 <p>This is an example metadata document:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;EntityDescriptor ID="_36BF9BFBF49BA48A2D13395075556522" entityID="https://localhost:8443/fedizhelloworld/" 
    xmlns:auth="http://docs.oasis-open.org/wsfed/federation/200706" 
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" 

Modified: websites/production/cxf/content/fediz-oidc.html
==============================================================================
--- websites/production/cxf/content/fediz-oidc.html (original)
+++ websites/production/cxf/content/fediz-oidc.html Wed Sep 13 15:05:52 2017
@@ -100,11 +100,11 @@ Apache CXF -- Fediz OIDC
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1505243203064 {padding: 0px;}
-div.rbtoc1505243203064 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1505243203064 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1505315088213 {padding: 0px;}
+div.rbtoc1505315088213 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1505315088213 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1505243203064">
+/*]]>*/</style></p><div class="toc-macro rbtoc1505315088213">
 <ul class="toc-indentation"><li><a shape="rect" href="#FedizOIDC-Introduction">Introduction</a></li><li><a shape="rect" href="#FedizOIDC-UserAuthentication">User Authentication</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#FedizOIDC-TrustedProviders">Trusted Providers</a></li></ul>
 </li><li><a shape="rect" href="#FedizOIDC-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#FedizOIDC-OIDCServices">OIDC Services</a></li><li><a shape="rect" href="#FedizOIDC-IdToken">IdToken</a></li><li><a shape="rect" href="#FedizOIDC-DataPersistence">Data Persistence</a></li><li><a shape="rect" href="#FedizOIDC-Deployment">Deployment</a></li></ul>
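Review bot: the only change in this hunk is the generated TOC class name (`rbtoc1505243203064` to `rbtoc1505315088213`), a timestamp suffix that the Confluence export regenerates on every publish, so three CSS rules and the `toc-macro` div are rewritten with no content change. This churn will show up in every future export diff; if the site build can normalise or strip the timestamp suffix, these diffs become reviewable.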

Modified: websites/production/cxf/content/fediz-spring-2.html
==============================================================================
--- websites/production/cxf/content/fediz-spring-2.html (original)
+++ websites/production/cxf/content/fediz-spring-2.html Wed Sep 13 15:05:52 2017
@@ -139,7 +139,7 @@ Apache CXF -- Fediz Spring 2
 <p>The following configuration snippets illustrate the Fediz related configuration. The complete configuration file can be found in the example <em>spring2Webapp</em>.</p>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext-security.xml</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
     &lt;sec:http entry-point-ref="federationEntryPoint"&gt;
         &lt;sec:intercept-url pattern="/secure/fedservlet" access="IS_AUTHENTICATED_FULLY"/&gt;
         &lt;sec:intercept-url pattern="/secure/manager/**" access="ROLE_MANAGER"/&gt;
@@ -179,7 +179,7 @@ Apache CXF -- Fediz Spring 2
 <p>The following code snippet of the FederationServlet example illustrates how to get access to the Spring Security Context of the current user and to the Federation releated information like claims and login token.</p>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
     Authentication obj = SecurityContextHolder.getContext().getAuthentication();
     FederationAuthenticationToken fedAuthToken = (FederationAuthenticationToken)auth;
     for (GrantedAuthority item : fedAuthToken.getAuthorities()) {
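Review bot: the `FederationServlet.java` snippet in this hunk declares `Authentication obj = SecurityContextHolder.getContext().getAuthentication();` and then casts `auth` (`(FederationAuthenticationToken)auth`), which is never declared, so the example does not compile as shown; make the two names agree. The `brush: java` change is correct for this block, one of the few in the patch where it is. The unchecked cast also assumes the current authentication is a `FederationAuthenticationToken`; an `instanceof` check before the cast would make the example safe for a request that was authenticated some other way.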

Modified: websites/production/cxf/content/fediz-spring.html
==============================================================================
--- websites/production/cxf/content/fediz-spring.html (original)
+++ websites/production/cxf/content/fediz-spring.html Wed Sep 13 15:05:52 2017
@@ -143,7 +143,7 @@ Apache CXF -- Fediz Spring
 <p>The following configuration snippets illustrate the Fediz related configuration. The complete configuration file can be found in the example <em>springPreAuthWebapp</em>.</p>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext-security.xml</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 
     &lt;bean id="preAuthenticatedUserDetailsService"
             class="org.apache.cxf.fediz.spring.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsFederationService"/&gt;    
@@ -184,7 +184,7 @@ Apache CXF -- Fediz Spring
 <p>The following code snippet of the FederationServlet example illustrates how to get access to the Spring Security Context of the current user.</p>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
     Authentication obj = SecurityContextHolder.getContext().getAuthentication();
 </pre>
 </div></div>
@@ -204,7 +204,7 @@ Apache CXF -- Fediz Spring
 <p>The following configuration snippets illustrate the Fediz related configuration. The complete configuration file can be found in the example <em>springWebapp</em>.</p>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext-security.xml</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
     &lt;sec:http entry-point-ref="federationEntryPoint" use-expressions="true"&gt;
         &lt;sec:intercept-url pattern="/" access="permitAll"/&gt;
         &lt;sec:intercept-url pattern="/fediz" access="permitAll"/&gt;
@@ -250,7 +250,7 @@ Apache CXF -- Fediz Spring
 <p>The following code snippet of the FederationServlet example illustrates how to get access to the Spring Security Context of the current user and to the Federation releated information like claims and login token.</p>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
     Authentication obj = SecurityContextHolder.getContext().getAuthentication();
     FederationAuthenticationToken fedAuthToken = (FederationAuthenticationToken)auth;
     for (GrantedAuthority item : fedAuthToken.getAuthorities()) {
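Review bot: same mismatch as on the Spring 2 page: `Authentication obj = ...` followed by `(FederationAuthenticationToken)auth` in this hunk uses an undeclared `auth`; make the variable names agree so the snippet compiles, and guard the cast with `instanceof` for the same reason given there.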

Modified: websites/production/cxf/content/fediz-tomcat.html
==============================================================================
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Wed Sep 13 15:05:52 2017
@@ -109,20 +109,20 @@ Apache CXF -- Fediz Tomcat
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizTomcat-TomcatPlugin">Tomcat Plugin</h1><p>This page describes how to enable Federation for a Tomcat instance hosting Relying Party (RP) applications. This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for third-party applications that use Fediz STS-generated SAML assertions for authentication. After this configuration is done, the Tomcat-RP instance will validate the incoming SignInResponse created by the IDP server.</p><p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the separate Tomcat IDP instance as discussed <a shape="rect" href="fediz-idp.html">here</a>, and can view the STS WSDL at the URL given on that page. That page also provides some tips for running multiple Tomcat instances on your machine.</p><h3 id="FedizTomcat-Installation">Installation</h3><p>You can either build the Fediz plugin on your own or download the package <a shape="r
 ect" href="fediz-downloads.html">here</a>. If you have built the plugin on your own you'll find the required libraries in <code>plugins/tomcat/target/...zip-with-dependencies.zip</code></p><ol><li>Create sub-directory <code>fediz</code> in <code>${catalina.home}/lib</code></li><li>Update calatina.properties in ${catalina.home}/conf<br clear="none"> add the previously created directory to the common loader:<br clear="none"> <code>common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar</code></li><li>Deploy the libraries to the directory created in (1)</li></ol><h3 id="FedizTomcat-Configuration">Configuration</h3><h5 id="FedizTomcat-HTTPSconfiguration">HTTPS configuration</h5><p>It's recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz RP web applications use the following TCP ports:</p><ul><li>HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)<
 /li><li>HTTPS port: 8443 (where IDP and STS are accessed)</li><li>Server port (for shutdown and other commands): 8005</li></ul><p>These are the default ports for a standard Tomcat installation.</p><p>The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.</p><p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p><p>This is a sample snippet for an HTTPS configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                keystoreFile="rp-ssl-key.jks" keyPass="tompass"
                keystorePass="tompass" sslProtocol="TLS" /&gt;
 </pre>
 </div></div><p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this page</a> for more details, it lists the trust requirements as well a
 s sample scripts for creating your own (self-signed) keys.</p><p><strong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><p>If you are currently just trying to run the Fediz samples, the configuration above is all you need (the below configuration is already provided within the samples) so you can return now to the samples' READMEs for the next steps in running them.</p><h5 id="FedizTomcat-FedizPluginconfigurationforYourWebApplication">Fediz Plugin configuration for Your Web Application</h5><p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html">here</a>.</p><p>The Fediz plugin requires configuring the FederationAuthe
 nticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p><p>A Valve can be configured on different levels like <em>Host</em> or <em>Context</em>. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the <em>Context</em> level otherwise on the <em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p><p>You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file.</p><h6 id="FedizTomcat-META-INF/context.xml">META-INF/context.xml</h6><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;"> 
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> 
   &lt;Context&gt; 
     &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
       configFile="conf/fediz_config.xml" /&gt;
   &lt;/Context&gt; 
 </pre>
 </div></div><h6 id="FedizTomcat-Hostlevelinserver.xml">Host level in server.xml</h6><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;"> 
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> 
   &lt;Host name="localhost" appBase="webapps"
         unpackWARs="true" autoDeploy="true"&gt;
     &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
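Review bot: the "brush: java" tag on both replaced <pre> elements in this hunk (the META-INF/context.xml block and the Host-level server.xml block) does not match their content, which is Tomcat XML ("<Context>", "<Host name=...>", "<Valve className=... configFile=... />"); use "brush: xml" so the highlighter tokenises elements and attributes instead of treating them as Java. The removed "brush: bash" was equally wrong for XML, so this sweep is the right moment to set the correct language rather than trade one mismatch for another. Both "<pre ...>" opening lines also end in a trailing space before the newline, which shows up as an empty first line in the rendered block.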
@@ -130,7 +130,7 @@ Apache CXF -- Fediz Tomcat
   &lt;/Host&gt;
 </pre>
 </div></div><h6 id="FedizTomcat-Contextlevelinserver.xml">Context level in server.xml</h6><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;"> 
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> 
   &lt;Context path="/fedizhelloworld" docBase="fedizhelloworld"&gt;
     &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
       configFile="conf/fediz_config.xml" /&gt;
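Review bot: "brush: java" is the wrong language for the Context-level server.xml snippet in this hunk ("<Context path="/fedizhelloworld" docBase="fedizhelloworld">" with a "<Valve ... configFile="conf/fediz_config.xml" />" child); tag it "brush: xml". The trailing space after the "<pre ...>" opening tag adds a spurious blank line at the top of the rendered block and can be dropped at the same time.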

Modified: websites/production/cxf/content/fediz-websphere.html
==============================================================================
--- websites/production/cxf/content/fediz-websphere.html (original)
+++ websites/production/cxf/content/fediz-websphere.html Wed Sep 13 15:05:52 2017
@@ -176,7 +176,7 @@ At deployment time, the declared J2EE se
 <p>The file defined in <code>groups.mapping.file</code> must have the following structure:</p>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>roleGroupMapping.xml</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;?xml version="1.0" encoding="UTF-8"?&gt;
 &lt;mapping&gt;
   &lt;samlToJ2EE&gt;
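Review bot: roleGroupMapping.xml opens with an XML declaration ("<?xml version="1.0" encoding="UTF-8"?>" followed by "<mapping>" and "<samlToJ2EE>"), so "brush: java" on the replaced <pre> is a mismatch; this block should be "brush: xml". Switching the theme from Confluence to Default on the same line is fine if it is applied site-wide, but it should not be bundled with a language change that makes the highlighting worse than before.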

Modified: websites/production/cxf/content/fediz.html
==============================================================================
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Wed Sep 13 15:05:52 2017
@@ -110,7 +110,7 @@ Apache CXF -- Fediz
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="Fediz-ApacheCXFFediz:AnOpen-SourceWebSecurityFramework">Apache CXF Fediz: An Open-Source Web Security Framework</h1><h2 id="Fediz-Overview">Overview</h2><p>Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is <a shape="rect" class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002" rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Claims-based_identity" rel="nofollow">Claims Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h2 id="Fediz-News">News</h2><p><strong><strong>August 18, 2017 - <strong><st
 rong>Apache CXF Fediz 1.4.</strong></strong>1 released</strong></strong></p><p>Apache CXF Fediz 1.4.1 has been released.</p><p>For more information and to download the new release, please go <a shape="rect" href="fediz-downloads.html">here</a>.</p><p><strong><strong>May 16, 2017 - Two new security advisories for Apache CXF Fediz are released</strong></strong></p><p>Two new security advisories have been released for issues that are fixed in the latest releases (1.4.0, 1.3.2 and 1.2.4):</p><ul><li><a shape="rect" href="http://cxf.apache.org/security-advisories.data/CVE-2017-7661.txt.asc?version=1&amp;modificationDate=1494949364764&amp;api=v2">CVE-2017-7661</a>: The Apache CXF Fediz Jetty and Spring plugins are vulnerable to CSRF attacks.</li><li><a shape="rect" href="http://cxf.apache.org/security-advisories.data/CVE-2017-7662.txt.asc?version=1&amp;modificationDate=1494949377300&amp;api=v2">CVE-2017-7662</a>: The Apache CXF Fediz OIDC Client Registration Service is vulnerable to CSRF 
 attacks.</li></ul><p>Please upgrade to the latest releases as soon as possible.</p><p><strong><strong>April 28, 2017 - Apache CXF Fediz 1.4.0, 1.3.2 and 1.2.4 released<br clear="none"></strong></strong></p><p>Apache CXF Fediz 1.4.0, 1.3.2 and 1.2.4 have been released.</p><p>For more information and to download the new releases, please go <a shape="rect" href="fediz-downloads.html">here</a>.</p><h2 id="Fediz-Features">Features</h2><p>The following features are supported by Fediz 1.2</p><ul><li>WS-Federation 1.0/1.1/1.2</li><li>SAML 1.1/2.0 Tokens</li><li>Support for encrypted SAML Tokens (Release 1.1)</li><li>Support for Holder-Of-Key SubjectConfirmationMethod (1.1)</li><li>Custom token Support</li><li>Publish WS-Federation Metadata document</li><li>Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens</li><li>Claims information provided by FederationPrincipal Interface</li><li>Support for Tomcat, Jetty, Websphere, Spring Security and CXF (1.1)</li><li>Fediz IDP suppo
 rts "Resource IDP" role as well (1.1)</li><li>A new REST API for the IdP (1.2)</li><li>Support for logout in both the RP and IdP (1.2)</li><li>Support for logging on to the IdP via Kerberos and TLS client authentication (1.2)</li><li>A new container-independent CXF plugin for WS-Federation (1.2)</li><li>Support to use the IdP as an identity broker with a remote SAML SSO IdP (1.2)</li></ul><p>The following features are planned for the next release:</p><ul><li>support for other protocols like OAuth</li></ul><p>You can get the current status of the enhancements <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/FEDIZ">here </a>.</p><h2 id="Fediz-Architecture">Architecture</h2><p>The Fediz architecture is described in more detail <a shape="rect" href="fediz-architecture.html">here</a>.</p><h2 id="Fediz-Download">Download</h2><p>See <a shape="rect" href="fediz-downloads.html">here</a>.</p><h2 id="Fediz-Gettingstarted">Getting started</h2><p>The WS-Federatio
 n specification defines the following parties involved during a web login:</p><ul><li>Browser</li><li>Identity Provider (IDP)<br clear="none"> The IDP is a centralized, application independent runtime component which implements the protocol defined by WS-Federation. You can use any open source or commercial product that supports WS-Federation 1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for testing as it allows for testing your web application in a sandbox without having all infrastructure components available. The Fediz IDP consists of two WAR components. The Security Token Service (STS) does most of the work including user authentication, claims/role data retrieval and creating the SAML token. The IDP WAR translates the response to an HTML response allowing a browser to process it.</li><li>Relying Party (RP)<br clear="none"> The RP is a web application that needs to be protected. The RP must be able to implement the protocol as defined by WS-Federation. This componen
 t is called "Fediz Plugin" in this project which consists of container agnostic module/jar and a container specific jar. When an authenticated request is detected by the plugin it redirects to the IDP for authentication. The browser sends the response from the IDP to the RP after successful authentication. The RP validates the response and creates the container security context.</li></ul><p>It's recommended to deploy the IDP and the web application (RP) into different container instances as in a production deployment. The container with the IDP can be used during development and testing for multiple web applications needing security.</p><h3 id="Fediz-SettinguptheIDP">Setting up the IDP</h3><p>The installation and configuration of the IDP is documented <a shape="rect" href="fediz-idp-11.html">here</a></p><h3 id="Fediz-SetuptheRelyingPartyContainer">Set up the Relying Party Container</h3><p>The Fediz plugin needs to be deployed into the Relying Party (RP) container. The security mecha
 nism is not specified by JEE. Even though it is very similar in each servlet container there are some differences which require a dedicated Fediz plugin for each servlet container implementation. Most of the configuration goes into a Servlet container independent configuration file which is described <a shape="rect" href="fediz-configuration.html">here</a></p><p>The following lists shows the supported containers and the location of the installation and configuration page.</p><ul><li><a shape="rect" href="fediz-tomcat.html">Tomcat 7 </a></li><li><a shape="rect" href="fediz-jetty.html">Jetty 7/8 (1.1)</a></li><li><a shape="rect" href="fediz-spring.html">Spring Security 3.1 (1.1)</a></li><li><a shape="rect" href="fediz-websphere.html">Websphere 7/8 (1.1)</a></li><li><a shape="rect" href="fediz-cxf.html">CXF (1.1) </a></li></ul><h2 id="Fediz-Samples">Samples</h2><p>The examples directory contains two sample relying party applications. They are independent of each other, so it is not nec
 essary to deploy both at once.</p><p>Each sample is described in a <code>README.txt</code> file located in the base directory of each sample.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Sample</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><strong>simpleWebapp</strong></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>a simple web application which is protected by the Fediz IDP. The FederationServlet illustrates how to get security information using the standard APIs.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><strong>wsclientWebapp</strong></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>a protected web application that calls a web service that uses the Fediz STS to validate credentials. Here, the same STS is used for token issuance (indirectly, by the web applicatio
 n through use of the Fediz IDP) and validation. The FederationServlet illustrates how to securely call a web service.</p></td></tr></tbody></table></div><p><span class="confluence-anchor-link" id="Fediz-building"></span></p><h2 id="Fediz-Checkout">Checkout</h2><p>The CXF sources are hosted at&#160;<a shape="rect" class="external-link" href="https://gitbox.apache.org/">Apache gitbox</a>. This includes a full two way sync with github. As github provides the nicer user interface we now recommend to directly work on the github cxf repo.</p><h2 id="Fediz-Webbrowsing">Web browsing</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz" rel="nofollow">https://github.com/apache/cxf-fediz</a></p><h2 id="Fediz-CheckingoutfromGIT">Checking out from GIT</h2><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">git clone git@github.com:apache/cxf-fediz.git</pre>
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">git clone git@github.com:apache/cxf-fediz.git</pre>
 </div></div><h2 id="Fediz-Committing">Committing</h2><p>CXF committers can directly commit to github after doing the&#160;<a shape="rect" class="external-link" href="https://gitbox.apache.org/setup/">Apache&#160;gitbox setup</a>. Be aware that the sync might take half an hour before you are added to the cxf github group.</p><h2 id="Fediz-Forkingandpullrequests">Forking and pull requests</h2><p>See&#160;<a shape="rect" href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=69407398">Getting Involved</a></p><h2 id="Fediz-Building">Building</h2><p>Then follow the <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup">BUILDING.txt</a> file in the Fediz download for full build instructions.</p><h2 id="Fediz-SettingupEclipse">Setting up Eclipse</h2><p>See <a shape="rect" href="http://cxf.apache.org/setting-up-eclipse.html">this page</a> for information on using the Eclipse IDE with the Fediz source code. This page
  is created for CXF but the same commands are applicable for Fediz too.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
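Review bot: the one <pre> changed in this hunk wraps a single shell command, "git clone git@github.com:apache/cxf-fediz.git", for which the removed "brush: bash" was correct and the added "brush: java" is a regression; keep "bash" here and change only the theme if a theme change is the intent of the sweep.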

Modified: websites/production/cxf/content/migration-guide-11.html
==============================================================================
--- websites/production/cxf/content/migration-guide-11.html (original)
+++ websites/production/cxf/content/migration-guide-11.html Wed Sep 13 15:05:52 2017
@@ -136,7 +136,7 @@ Apache CXF -- Migration Guide 1.1
 
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
     &lt;issuer certificateValidation="PeerTrust" /&gt;
 </pre>
 </div></div></div>
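Review bot: "<issuer certificateValidation="PeerTrust" />" is an element of the Fediz configuration file, i.e. XML, so the <pre> in this hunk should carry "brush: xml" rather than the added "brush: java". A one-line lead-in naming the file this element belongs to would also help readers of the migration guide, since the block currently stands without context.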

Modified: websites/production/cxf/content/release-management.html
==============================================================================
--- websites/production/cxf/content/release-management.html (original)
+++ websites/production/cxf/content/release-management.html Wed Sep 13 15:05:52 2017
@@ -110,7 +110,7 @@ Apache CXF -- Release Management
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h2 id="ReleaseManagement-Deployingsnapshots">Deploying snapshots</h2><p>Snapshots are automatically deployed every night to the Nexus snapshot repository at <a shape="rect" class="external-link" href="https://repository.apache.org/content/groups/snapshots-group/">https://repository.apache.org/content/groups/snapshots-group/</a> . There is no need to manually deploy snapshots anymore.</p><h2 id="ReleaseManagement-Maintainingafixesbranch">Maintaining a fixes branch</h2><p>dkulp: I'm adding this section to document what worked for ME when maintaining the 2.7.x-fixes branch for the 2.7.x releases. Each Release Manager may have their own style or tools or whatever. This is not a "set in stone" type thing.</p><p>Basically, almost all development and fixes and such are usually done by the various developers right on master. Thus, the main job of the fixes branch maintainer is to triage the commits on master and merge pure fixes to the fixes branches, resolve co
 nflicts, run the tests, and periodically deploy snapshots. For the most part, when things go well, it doesn't take too much time or effort. An hour or two every couple days is about it.</p><p>To set up, you'll want to:</p><ol><li>use git branch to make a branch.</li><li>On the branch, create a .gitmergeinfo file with a single line of "origin/master" to say the branch will be merging from there.</li></ol><p><span style="background-color: transparent;line-height: 1.4285715;">In trunk/bin, there is a DoMerges.java program that assists in the merging. If the branch is setup with .gitmergeinfo, if you run it from the root directory of the checkout, it will prompt for every commit on master to see if you want to "Merge" it, "Block" it, or "Ignore" it. It displays the commit log first so you can see what was involved. You can also check the </span> <a shape="rect" class="external-link" href="http://www.nabble.com/cxf-commits-f23851.html" rel="nofollow" style="background-color: transparent;
 line-height: 1.4285715;">cxf-commits</a> <span style="background-color: transparent;line-height: 1.4285715;"> archive to see the full details of the commit to help decide what action to take. If you select "Merge", it will merge the change and then prompt before committing. That will allow you to look at the merge and resolve any conflicts. (or even revert it if you didn't mean to hit Merge)</span></p><h2 id="ReleaseManagement-Performingarelease">Performing a release</h2><p>The first step is to update the release_notes.txt in the distribution/src/main/release. This file's JIRA list of solved Bugs, Improvements, etc. can be obtained from the <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/CXF#selectedTab=com.atlassian.jira.plugin.system.project%3Aroadmap-panel">"Road Map" JIRA tab</a>, selecting the desired version's Release Notes, and then the Configure Release Notes button (choose Text output).</p><div class="confluence-information-macro confluence
 -information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Don't manually update the POM versions from X.Y.Z-SNAPSHOT to X.Y.Z, the Maven Release Plugin commands below will automatically take care of that. Also, prior to performing the release you'll need to have your Apache LDAP information configured in your Maven settings.xml file:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">...
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">...
 &lt;server&gt;                                                                
    &lt;id&gt;apache.releases.https&lt;/id&gt;
    &lt;username&gt;apacheID&lt;/username&gt;
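Review bot: the Maven settings.xml fragment in this hunk ("<server>", "<id>apache.releases.https</id>", "<username>apacheID</username>") is XML, so "brush: java" on the replaced <pre> should be "brush: xml". The "<server>" context line also carries a long run of trailing whitespace that ends up inside the <pre>; worth trimming while the block is being touched. Since the surrounding paragraph tells release managers to put their Apache LDAP details in this file, the note could additionally point at Maven's settings-security.xml password encryption so the credentials are not stored in clear text.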
@@ -123,7 +123,7 @@ Apache CXF -- Release Management
 mvn release:perform -Peverything,jaxws22
 </pre>
 </div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>If you are performing the release on a Mac, it is advisable to add -DpushChanges=false to the "release:prepare" step above. The version of git that Apple ships with some versions of OSX has problems pushing the changes in quick succession from the release plugin and can become corrupt. Having the release plugin NOT push the changes and then running "git push -tags origin master" works around that problem.</p></div></div><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>It is recommended to name the local maintenance branches the same as the remote ones ("2.7.x-fixes", "3.0.x
 -fixes", ...) to avoid issue with the branch names when running the release plugin.</p></div></div><p>&#160;</p><p>The above commands tag the release, update the poms versions, etc., then build it (off the tag), gpg sign and deploy everything (including source jars and javadoc jars) to the <a shape="rect" class="external-link" href="https://repository.apache.org">Nexus repository location</a>. When the build is done staging, you next need to login to the Nexus repository and "close" the staging area (click on Staging Repositories in the left-side menu, select the repo you just uploaded and then select the close button.) Closing is very important. After the staging area is closed, note the URL for the staging area as you will need that for the vote.</p><p>At this point, everything "pre-vote" is done. Call the vote.</p><h2 id="ReleaseManagement-Releasingtheartifacts">Releasing the artifacts</h2><ul><li>Maven artifacts - After the vote passes, you'll need to promote that staging reposi
 tory to the main location. Login to <a shape="rect" class="external-link" href="https://repository.apache.org">Nexus repository location</a> to do that as well, find the staging repository and click the Release button.</li></ul><ul><li><p>Distributions - You will need to commit the distributions into the special svn distribution area: <a shape="rect" class="external-link" href="https://dist.apache.org/repos/dist/release/cxf">https://dist.apache.org/repos/dist/release/cxf</a> <br clear="none"> after you commit they will be live on dist.apache.org fairly quickly, but it will still take time for the mirrors to get copies. It's likely easier to make the directory via an svn command, check out just that directory, and then add the files. The dist area is rather large (400MB or so) so checking out the entire thing may be slow.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">svn mkdir https://dist.apache.org/repos/dist/release/cxf/2.6.3
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">svn mkdir https://dist.apache.org/repos/dist/release/cxf/2.6.3
 svn checkout https://dist.apache.org/repos/dist/release/cxf/2.6.3
 ....  add files to 2.6.3 .....
 svn commit
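Review bot: the "svn mkdir", "svn checkout" and "svn commit" lines in this block are shell commands, so the removed "brush: bash" was the right tag and the added "brush: java" is a regression; restore "bash". The placeholder line "....  add files to 2.6.3 ....." is prose inside a command block; writing it as a shell comment ("# add the release files to 2.6.3") keeps the block copy-pasteable and is honoured by the bash highlighter.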

Modified: websites/production/cxf/content/scalable-cxf-applications-using-jms-transport.html
==============================================================================
--- websites/production/cxf/content/scalable-cxf-applications-using-jms-transport.html (original)
+++ websites/production/cxf/content/scalable-cxf-applications-using-jms-transport.html Wed Sep 13 15:05:52 2017
@@ -121,7 +121,7 @@ b) define jms address in port element.</
 <p>WSDL binding and port should look like:</p>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;wsdl:definitions
     xmlns:jms="http://cxf.apache.org/transports/jms" 
 ...
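Review bot: "<wsdl:definitions xmlns:jms="http://cxf.apache.org/transports/jms"" is WSDL, i.e. XML, so the "brush: java" added on the replaced <pre> is a mismatch; use "brush: xml" for this binding/port block.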
@@ -165,7 +165,7 @@ org.springframework.jms.listener.Default
 <p>CachingConnectionFactory provides session pooling, consumers and producers cache. Bellow is a sample configuration of CachingConnectionFactory:</p>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;bean id="cachingConnectionFactory" class="org.springframework.jms.connection.CachingConnectionFactory"&gt;
 	&lt;property name="targetConnectionFactory"&gt;
 		&lt;bean class="org.apache.activemq.ActiveMQConnectionFactory"&gt;
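Review bot: the CachingConnectionFactory definition in this hunk is Spring XML ("<bean id="cachingConnectionFactory" class="org.springframework.jms.connection.CachingConnectionFactory">" with a nested "<property name="targetConnectionFactory">"), so the replaced <pre> should be "brush: xml", not "brush: java". The unchanged context paragraph above it has a typo, "Bellow" for "Below", that could be fixed in the same pass.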
@@ -185,7 +185,7 @@ org.springframework.jms.listener.Default
 <p>DefaultMessageListenerContainer enables getting messages from the destination in parallel, using multiple threads.<br clear="none">
 Configuration of DefaultMessageListenerContainer looks like:</p>
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;bean id="queueContainerListener"
 	class="org.springframework.jms.listener.DefaultMessageListenerContainer"&gt;
 		&lt;property name="connectionFactory" ref="connectionFactory" /&gt;
@@ -215,7 +215,7 @@ CXF allows to configure details of the J
 <h3 id="ScalableCXFapplicationsusingJMStransport-Serverconfiguration">Server configuration</h3>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;bean id="cachingConnectionFactory" class="org.springframework.jms.connection.CachingConnectionFactory"&gt;
 	&lt;property name="targetConnectionFactory"&gt;
 		&lt;bean class="org.apache.activemq.ActiveMQConnectionFactory"&gt;
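Review bot: the Server configuration block ("<bean id="cachingConnectionFactory" class="org.springframework.jms.connection.CachingConnectionFactory">" wrapping an "ActiveMQConnectionFactory") is Spring XML; the "+<pre>" line should say "brush: xml" rather than "brush: java". The same bean id "cachingConnectionFactory" is reused verbatim in the Client configuration block that follows, so the heading or lead-in should say the two blocks belong to separate application contexts; a reader pasting both into one context gets a duplicate bean id.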
@@ -253,7 +253,7 @@ Using this configuration the server appl
 <h3 id="ScalableCXFapplicationsusingJMStransport-Clientconfiguration">Client configuration</h3>
 
 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
 &lt;bean id="cachingConnectionFactory" class="org.springframework.jms.connection.CachingConnectionFactory"&gt;
 	&lt;property name="targetConnectionFactory"&gt;
 		&lt;bean class="org.apache.activemq.ActiveMQConnectionFactory"&gt;
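Review bot: the Client configuration <pre> also receives "brush: java" although its content is Spring XML ("<bean id="cachingConnectionFactory" ...>" with a nested "<bean class="org.apache.activemq.ActiveMQConnectionFactory">"); tag it "brush: xml". If the theme switch to Default is the actual goal of this commit, the language part of the substitution should be reviewed separately for every block, since here it replaces one wrong tag with another.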