Posted to commits@cxf.apache.org by dk...@apache.org on 2012/07/31 21:56:07 UTC

svn commit: r827531 [4/4] - in /websites/production/cxf/content: ./ cache/ docs/

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==============================================================================
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Tue Jul 31 19:56:05 2012
@@ -127,23 +127,42 @@ Apache CXF -- WS-SecurityPolicy
 
 
 <h3><a shape="rect" name="WS-SecurityPolicy-EnablingWSSecurityPolicy"></a>Enabling WS-SecurityPolicy</h3>
-<p>In CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available on the classpath, the WS-SecurityPolicy stuff is automatically enabled.   Since the entire security runtime is policy driven, the only requirement is that the policy engine and security policies be available.  </p>
 
-<p>If you are using the full "bundle" jar, all the security and policy stuff is already included.   </p>
+<p>In CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available on the classpath, the WS-SecurityPolicy stuff is automatically enabled.   Since the entire security runtime is policy driven, the only requirement is that the policy engine and security policies be available.</p>
+
+<p>If you are using the full "bundle" jar, all the security and policy stuff is already included.</p>
 
 
 <h3><a shape="rect" name="WS-SecurityPolicy-Policydescription"></a>Policy description</h3>
+
 <p>With WS-SecurityPolicy, the binding and/or operation in the wsdl references a <a shape="rect" href="ws-policy.html" title="WS-Policy">WS-Policy</a> fragment that describes the basic security requirements for interacting with that service.   The <a shape="rect" class="external-link" href="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html" rel="nofollow">WS-SecurityPolicy specification</a> allows for specifying things like asymmetric/symmetric keys, using transports (https) for encryption, which parts/headers to encrypt or sign, whether to sign then encrypt or encrypt then sign, whether to include timestamps, whether to use derived keys, etc...   Basically, it describes what actions are necessary to securely interact with the service described in the WSDL.</p>
 
-<p>However, the WS-SecurityPolicy fragment does not include "everything" that is required for a runtime to be able to able to create the messages.  It does not describe things such as locations of key stores, user names and passwords, etc...  Those need to be configured in at runtime to augment the WS-SecurityPolicy fragment.  </p>
+<p>However, the WS-SecurityPolicy fragment does not include "everything" that is required for a runtime to be able to able to create the messages.  It does not describe things such as locations of key stores, user names and passwords, etc...  Those need to be configured in at runtime to augment the WS-SecurityPolicy fragment.</p>
 
 
 <h3><a shape="rect" name="WS-SecurityPolicy-Configuringtheextraproperties"></a>Configuring the extra properties</h3>
+
 <p>There are several extra properties that may need to be set to provide the additional bits of information to the runtime. Note that you should check that a particular property is supported in the version of CXF you are using.</p>
 
+<h4><a shape="rect" name="WS-SecurityPolicy-Userproperties"></a>User properties</h4>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.username </td><td colspan="1" rowspan="1" class="confluenceTd"> The user's name. It is used differently by each of the WS-Security functions, see <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME">here</a> for more information. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.password </td><td colspan="1" rowspan="1" class="confluenceTd"> The user's password when "ws-security.callback-handler" is not defined. It is currently only used for the case of adding a password to a UsernameToken. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.username </td><td colspan="1" rowspan="1" class="confluenceTd"> The user's name for signature. It is used as the alias name in the keystore to get the user's cert and private key for signature. See <a shape="rec
 t" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME">here</a> for more information. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.encryption.username </td><td colspan="1" rowspan="1" class="confluenceTd"> The user's name for encryption. It is used as the alias name in the keystore to get the user's public key for encryption. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME">here</a> for more information.</td></tr></tbody></table>
+</div>
+
+
+<h4><a shape="rect" name="WS-SecurityPolicy-CallbackClassandCryptoproperties"></a>Callback Class and Crypto properties</h4>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.callback-handler </td><td colspan="1" rowspan="1" class="confluenceTd"> The CallbackHandler <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER">implementation</a> class used to obtain passwords.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.saml-callback-handler </td><td colspan="1" rowspan="1" class="confluenceTd"> The SAML CallbackHandler <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER">implementation</a> class used to construct SAML Assertions.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.properties </td><td colspan="1" rowspan="1" class="confluenceTd"> The Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/w
 s/security/SecurityConstants.html#SIGNATURE_PROPERTIES">configuration</a> to use for signature, if "ws-security.signature.crypto" is not set instead.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.encryption.properties </td><td colspan="1" rowspan="1" class="confluenceTd"> The Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES">configuration</a> to use for encryption, if "ws-security.encryption.crypto" is not set instead. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.crypto </td><td colspan="1" rowspan="1" class="confluenceTd"> A Crypto <a shape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">object</a> to be used for signature. If this is not defined then "ws-security.signature.properties" is used instead.</td></tr><tr><td colspan="1" rowspa
 n="1" class="confluenceTd"> ws-security.encryption.crypto </td><td colspan="1" rowspan="1" class="confluenceTd"> A Crypto <a shape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">object</a> to be used for encryption. If this is not defined then "ws-security.encryption.properties" is used instead.</td></tr></tbody></table>
+</div>
+
+
+<h4><a shape="rect" name="WS-SecurityPolicy-Otherproperties"></a>Other properties</h4>
+
 <div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.username </td><td colspan="1" rowspan="1" class="confluenceTd"> The username used for UsernameToken policy assertions </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.password </td><td colspan="1" rowspan="1" class="confluenceTd"> The password used for UsernameToken policy assertions.   If not specified, the callback handler will be called. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.callback-handler </td><td colspan="1" rowspan="1" class="confluenceTd"> The WSS4J security CallbackHandler that will be used to retrieve passwords for keystores and UsernameTokens. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.properties </td><td colspan="1" rowspan="1" class="confluenceTd"> The properties file/object that contains the WSS4J properties for configuring the signature keystore and c
 rypto objects </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.encryption.properties </td><td colspan="1" rowspan="1" class="confluenceTd"> The properties file/object that contains the WSS4J properties for configuring the encryption keystore and crypto objects </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.username </td><td colspan="1" rowspan="1" class="confluenceTd"> The username or alias for the key in the signature keystore that will be used.   If not specified, it uses the the default alias set in the properties file.  If that's also not set, and the keystore only contains a single key, that key will be used. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.encryption.username </td><td colspan="1" rowspan="1" class="confluenceTd"> The username or alias for the key in the encryption keystore that will be used.   If not specified, it uses the the default alias set in the propertie
 s file.  If that's also not set, and the keystore only contains a single key, that key will be used.  For the web service provider, the useReqSigCert keyword can be used to accept (encrypt to) any client whose public key is in the service's truststore (defined in ws-security.encryption.properties.) </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.crypto </td><td colspan="1" rowspan="1" class="confluenceTd"> Instead of specifying the signature properties, this can point to the full <a shape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">WSS4J Crypto</a> object.  This can allow easier "programmatic" configuration of the Crypto information."</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.encryption.crypto </td><td colspan="1" rowspan="1" class="confluenceTd"> Instead of specifying the encryption properties, this can point to the full <a s
 hape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">WSS4J Crypto</a> object.  This can allow easier "programmatic" configuration of the Crypto information." </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.subject.cert.constraints </td><td colspan="1" rowspan="1" class="confluenceTd"> This configuration tag is a comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the  certificate. These constraints are not used when the certificate is contained in the keystore (direct trust).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.is-bsp-compliant </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true".
 </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.timestamp.futureTimeToLive </td><td colspan="1" rowspan="1" class="confluenceTd">  This configuration tag specifies the time in seconds in the future within which the Created time of an incoming Timestamp is valid. WSS4J rejects by default any timestamp which is "Created" in the future, and so there could potentially be<br clear="none">
-problems in a scenario where a client's clock is slightly askew. The default value for this parameter is "0", meaning that no future-created Timestamps are allowed.</td></tr></tbody></table>
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.subject.cert.constraints </td><td colspan="1" rowspan="1" class="confluenceTd"> This configuration tag is a comma separated String of regular expressions which will be applied to the subject DN of the certificate used for signature validation, after trust verification of the certificate chain associated with the  certificate. These constraints are not used when the certificate is contained in the keystore (direct trust). </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.is-bsp-compliant </td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is "true". </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.timestamp.futureTimeToLive </td><td colspan="1" rowspan="1" class="confluenceTd"> This configuration tag specifies the time in s
 econds in the future within which the Created time of an incoming Timestamp is valid. WSS4J rejects by default any timestamp which is "Created" in the future, and so there could potentially be<br clear="none" class="atl-forced-newline">
+ problems in a scenario where a client's clock is slightly askew. The default value for this parameter is "0", meaning that no future-created Timestamps are allowed. </td></tr></tbody></table>
 </div>
 
 
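Review bot: the new ws-security.encryption.username row in the "User properties" table drops the sentence the old row carried about the useReqSigCert keyword ("For the web service provider, the useReqSigCert keyword can be used to accept (encrypt to) any client whose public key is in the service's truststore"), but the jaxws:endpoint example later in this same file still sets ws-security.encryption.username to useReqSigCert, so readers of the published page lose the only definition of that value; the same applies to the default-alias fallback text ("If not specified, it uses the default alias set in the properties file. If that's also not set, and the keystore only contains a single key, that key will be used.") removed from both the signature.username and encryption.username rows. Suggest carrying both sentences into the new rows rather than relying on the javadoc links. Also, the "However, the WS-SecurityPolicy fragment..." paragraph is being rewritten only to trim trailing whitespace and keeps "to be able to able to create the messages" and "configured in at runtime"; since the line is already touched, fix the doubled "able to" and drop "in".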
@@ -151,6 +170,7 @@ problems in a scenario where a client's 
 
 
 <h4><a shape="rect" name="WS-SecurityPolicy-ConfiguringviaSpring"></a>Configuring via Spring</h4>
+
 <p>The properties are easily configured as client or endpoint properties--use the former for the SOAP client, the latter for the web service provider.</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
@@ -158,21 +178,21 @@ problems in a scenario where a client's 
 &lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
    <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
    <span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://cxf.apache.org/jaxws"</span>
-   xsi:schemaLocation="http://www.springframework.org/schema/beans 
+   xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-   http://cxf.apache.org/jaxws 
+   http://cxf.apache.org/jaxws
    http://cxf.apache.org/schemas/jaxws.xsd"&gt;
 
-   &lt;jaxws:client name=<span class="code-quote">"{http://cxf.apache.org}MyPortName"</span> 
+   &lt;jaxws:client name=<span class="code-quote">"{http://cxf.apache.org}MyPortName"</span>
       createdFromAPI=<span class="code-quote">"true"</span>&gt;
       <span class="code-tag">&lt;jaxws:properties&gt;</span>
-         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span> 
+         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>
              value=<span class="code-quote">"interop.client.KeystorePasswordCallback"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span> 
+         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>
              value=<span class="code-quote">"etc/client.properties"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span> 
+         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>
              value=<span class="code-quote">"etc/service.properties"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span> 
+         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>
              value=<span class="code-quote">"servicekeyalias"</span>/&gt;
       <span class="code-tag">&lt;/jaxws:properties&gt;</span>
    <span class="code-tag">&lt;/jaxws:client&gt;</span>
@@ -188,30 +208,30 @@ problems in a scenario where a client's 
 &lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
    <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
    <span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://cxf.apache.org/jaxws"</span>
-   xsi:schemaLocation="http://www.springframework.org/schema/beans 
+   xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-   http://cxf.apache.org/jaxws 
+   http://cxf.apache.org/jaxws
    http://cxf.apache.org/schemas/jaxws.xsd"&gt;
 
-   &lt;jaxws:endpoint 
+   &lt;jaxws:endpoint
       id=<span class="code-quote">"MyService"</span>
-      address=<span class="code-quote">"https://localhost:9001/MyService"</span> 
+      address=<span class="code-quote">"https://localhost:9001/MyService"</span>
       serviceName=<span class="code-quote">"interop:MyService"</span>
       endpointName=<span class="code-quote">"interop:MyServiceEndpoint"</span>
       implementor=<span class="code-quote">"com.foo.MyService"</span>&gt;
-        
+
       <span class="code-tag">&lt;jaxws:properties&gt;</span>
-         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span> 
+         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>
              value=<span class="code-quote">"interop.client.UTPasswordCallback"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span> 
+         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>
              value=<span class="code-quote">"etc/keystore.properties"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span> 
+         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>
              value=<span class="code-quote">"etc/truststore.properties"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span> 
+         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>
              value=<span class="code-quote">"useReqSigCert"</span>/&gt;
-      <span class="code-tag">&lt;/jaxws:properties&gt;</span> 
-     
-   <span class="code-tag">&lt;/jaxws:endpoint&gt;</span> 
+      <span class="code-tag">&lt;/jaxws:properties&gt;</span>
+
+   <span class="code-tag">&lt;/jaxws:endpoint&gt;</span>
 <span class="code-tag">&lt;/beans&gt;</span>
 </pre>
 </div></div>
@@ -219,6 +239,7 @@ problems in a scenario where a client's 
 <p>See this <a shape="rect" class="external-link" href="http://www.jroller.com/gmazza/entry/cxf_x509_profile_secpol" rel="nofollow">blog entry</a> for a more end-to-end example of using WS-SecurityPolicy with X.509 keys.</p>
 
 <h4><a shape="rect" name="WS-SecurityPolicy-ConfiguringviaAPI%27s"></a>Configuring via API's</h4>
+
 <p>Configuring the properties for the client just involves setting the properties in the client's RequestContext:</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
@@ -226,11 +247,7 @@ Map&lt;<span class="code-object">String<
 ctx.put(<span class="code-quote">"ws-security.encryption.properties"</span>, properties);
 port.echoString(<span class="code-quote">"hello"</span>);
 </pre>
-</div></div>
-
-
-
-</div>
+</div></div></div>
            </div>
            <!-- Content -->
          </td>

Modified: websites/production/cxf/content/docs/wsrmconfiguration.html
==============================================================================
--- websites/production/cxf/content/docs/wsrmconfiguration.html (original)
+++ websites/production/cxf/content/docs/wsrmconfiguration.html Tue Jul 31 19:56:05 2012
@@ -190,7 +190,7 @@ Apache CXF -- WSRMConfiguration
 </div>
 
 
-<p>For details about the element types used in this namespace please refer to the schemas for the <a shape="rect" href="http://cxf.apache.org/ws/rm/manager">http://cxf.apache.org/ws/rm/manager</a> namespace (<a shape="rect" href="http://cxf.apache.org/schemas/configuration/wsrm-manager.xsd">http://cxf.apache.org/schemas/configuration/wsrm-manager.xsd</a> and <a shape="rect" href="http://cxf.apache.org/schemas/configuration/wsrm-manager-types.xsd">http://cxf.apache.org/schemas/configuration/wsrm-manager-types.xsd</a>). The jbdcStore element type is described below.</p>
+<p>For details about the element types used in this namespace please refer to the schemas for the <a shape="rect" href="http://cxf.apache.org/ws/rm/manager">http://cxf.apache.org/ws/rm/manager</a> namespace (<a shape="rect" href="http://cxf.apache.org/schemas/wsrm-manager.xsd">http://cxf.apache.org/schemas/wsrm-manager.xsd</a> and <a shape="rect" href="http://cxf.apache.org/schemas/wsrm-manager-types.xsd">http://cxf.apache.org/schemas/wsrm-manager-types.xsd</a>). The jbdcStore element type is described below.</p>
 
 <p>Example (feature applied at bus level):</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
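Review bot: the rewritten paragraph still ends with "The jbdcStore element type is described below", which reads like a transposition of jdbcStore; since the line is being edited anyway, confirm the element name against wsrm-manager.xsd and correct it here. Also confirm that the relocated schema URLs http://cxf.apache.org/schemas/wsrm-manager.xsd and http://cxf.apache.org/schemas/wsrm-manager-types.xsd are actually published at the new path, because a dead schema link in this paragraph leaves readers unable to validate their RM manager configuration.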

Modified: websites/production/cxf/content/fediz-idp.html
==============================================================================
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Tue Jul 31 19:56:05 2012
@@ -186,11 +186,11 @@ $CATALINA_HOME/bin/shutdown.sh
 </pre>
 </div></div>
 
-<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates.</p>
+<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates.  Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.</p>
 
 <p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.)  See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p>
 
-<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use ONLY.  They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</b></p>
+<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only.  They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</b></p>
 
 <p>Once you deploy the IDP WAR files to your Tomcat installation (&lt;catalina.home&gt;/webapps), you should be able to see the Fediz STS from a browser at <a shape="rect" class="external-link" href="http://localhost:9080/fedizidpsts/STSService?wsdl" rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl</a>, assuming you're using port 9080 as listed above.</p>
 
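Review bot: the sentence added to the keystoreFile paragraph ("Sample Tomcat keystores (not for production use, ...) are provided in the examples/samplekeys folder") repeats the caveat that the bold warning paragraph two lines below already states; keep the added sentence to where the keys live and let the warning carry the "not for production" point, or link examples/samplekeys to the HowToGenerateKeysREADME already referenced in the trust paragraph, so the two statements do not drift apart in later edits. The ONLY to only change is fine, but while touching the warning the clause "at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys" would read more clearly as "at a minimum with your own self-signed keys; third-party signed keys are strongly recommended."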

Modified: websites/production/cxf/content/fediz-tomcat.html
==============================================================================
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Tue Jul 31 19:56:05 2012
@@ -167,15 +167,16 @@ add the previously created directory to 
 <pre class="code-xml">
     &lt;Connector port=<span class="code-quote">"8443"</span> protocol=<span class="code-quote">"HTTP/1.1"</span> SSLEnabled=<span class="code-quote">"true"</span>
                maxThreads=<span class="code-quote">"150"</span> scheme=<span class="code-quote">"https"</span> secure=<span class="code-quote">"true"</span>
-               keystoreFile=<span class="code-quote">"tomcatKeystore.jks"</span>
+               keystoreFile=<span class="code-quote">"tomcat-rp.jks"</span>
                keystorePass=<span class="code-quote">"tompass"</span> sslProtocol=<span class="code-quote">"TLS"</span> /&gt;
 </pre>
 </div></div>
 
-<p>The <tt>keystoreFile</tt> is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates.</p>
+<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates.  Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.</p>
 
-<p><b>Production: It's highly recommended to deploy certificates signed by a Certificate Authority</b></p>
+<p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.)  See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p>
 
+<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only.  They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</b></p>
 
 
 <h5><a shape="rect" name="FedizTomcat-FedizPluginconfigurationforYourWebApplication"></a>Fediz Plugin configuration for Your Web Application</h5>
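Review bot: the connector example now points keystoreFile at tomcat-rp.jks, and the paragraph below it tells readers to take sample keystores from examples/samplekeys; confirm that a file of exactly that name ships in that folder, since a mismatch here is the first thing that breaks when someone follows the page. Dropping the <tt> around keystoreFile in the following paragraph is a formatting regression (it is an attribute name and reads better as code; the IDP page never had it, which is the better place to align). Also keystorePass="tompass" is the sample keystore's password and should be called out as such next to the warning paragraph so it is not copied into a production connector.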
@@ -186,7 +187,6 @@ add the previously created directory to 
 
 <p>A Valve can be configured on different levels like <em>Host</em> or <em>Context</em>. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the <em>Context</em> level otherwise on the <em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p>
 
-
 <p>You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file.  (The sample RP applications bundled with Fediz already have this configured via the latter option.)</p>
 
 <h6><a shape="rect" name="FedizTomcat-METAINF%2Fcontext.xml"></a>META-INF/context.xml</h6>

Modified: websites/production/cxf/content/release-management.html
==============================================================================
--- websites/production/cxf/content/release-management.html (original)
+++ websites/production/cxf/content/release-management.html Tue Jul 31 19:56:05 2012
@@ -171,7 +171,7 @@ mvn release:perform
 </div></div>
 <p>That will tag the release, update the poms, etc...  Then build it (off the tag) and deploy everything (including source jars and javadoc jars) to the Nexus repository location and gpg signs everything.  When the build is done staging, you need to login to the Nexus repository and "close" the staging are.    That is very important.   After the staging are is closed, note the URL for the staging area as you will need that for the vote.</p>
 <div class="panelMacro"><table class="warningMacro"><colgroup span="1"><col span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1" valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1">You may encounter error like<br clear="none">
-<span class="error">[INFO]</span> Unable to tag SCM<br clear="none">
+<a shape="rect" class="createlink" href="/confluence/pages/createpage.action?spaceKey=CXF&amp;title=INFO&amp;linkCreation=true&amp;fromPageId=70605">INFO</a> Unable to tag SCM<br clear="none">
 Provider message:<br clear="none">
 The svn tag command failed.<br clear="none">
 Command output:<br clear="none">
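Review bot: replacing <span class="error">[INFO]</span> with a Confluence createlink anchor (/confluence/pages/createpage.action?...title=INFO...) is an export artifact, not a fix: the wiki has parsed the literal [INFO] Maven log prefix as a link to a non-existent page named INFO, so the published page now shows an "INFO" create-page link instead of the log line. Escape the brackets in the wiki source (or place the log excerpt in a noformat/code block) so it renders as "[INFO] Unable to tag SCM". While in this area, the preceding paragraph says "close the staging are" twice for "staging area".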