You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2017/10/25 11:57:41 UTC
svn commit: r1020032 - in /websites/production/cxf/content:
cache/main.pageCache fediz-configuration.html fediz-idp-11.html
fediz-jetty.html fediz-tomcat.html
Author: buildbot
Date: Wed Oct 25 11:57:41 2017
New Revision: 1020032
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-configuration.html
websites/production/cxf/content/fediz-idp-11.html
websites/production/cxf/content/fediz-jetty.html
websites/production/cxf/content/fediz-tomcat.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/fediz-configuration.html
==============================================================================
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Wed Oct 25 11:57:41 2017
@@ -32,8 +32,8 @@
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
<script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
<script>
SyntaxHighlighter.defaults['toolbar'] = false;
SyntaxHighlighter.all();
@@ -130,7 +130,7 @@ Apache CXF -- Fediz Configuration
</contextConfig>
</FedizConfig>
</pre>
-</div></div><p>The protocol element declares that the WS-Federation protocol is being used. The issuer element shows the URL to which authenticated requests will be redirected with a SignIn request.</p><p>The IDP issues a SAML token which must be validated by the plugin. The validation requires the certificate store of the Certificate Authority(ies) of the certificate which signed the SAML token. This is defined in <code>certificateStore</code>. The signing certificate itself is not required because <code>certificateValidation</code> is set to <code>ChainTrust</code>. The <code>subject</code> defines the trusted signing certificate using the subject as a regular expression.<br clear="none"> Finally, the audience URI is validated against the audience restriction in the SAML token.</p><h3 id="FedizConfiguration-Configurationreference">Configuration reference</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>XML el
ement</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Audience URI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The values of the list of audience URIs are verified against the element <code>AudienceRestriction</code> in the SAML token</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>certificateStores</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Trusted certificate store</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The list of keystores (JKS, PEM) includes at least the certificate of the Certif
icate Authorities (CA) which signed the certificate which is used to sign the SAML token.<br clear="none"> If the file location is not fully qualified it needs to be relative to the Container home directory</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>trustedIssuers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Trusted Issuers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (<code>certificateValidation=ChainTrust</code>) or you configure the certificate of the IDP and the CA(s) who signed it (<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>maximumClockSkew</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Maximum Clock Skew</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Maximum allowable time difference between the system clocks of the IDP and RP.<br clear="none"> Default 5 seconds.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenReplayCache</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Token Replay Cache</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?view=markup">TokenReplayCache</a> implementation to use to cache tokens. The default is an implementation based on EHCache.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>signingKey</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Key for Signature</p></td><td colspan="1" rowspan=
"1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>If configured, the published (WS-Federation) <a shape="rect" href="fediz-metadata.html">Metadata document</a> is signed by this key. Otherwise, not signed.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenDecryptionKey</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Decryption Key</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A Keystore used to decrypt an encrypted token.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">tokenExpirationValidation</td><td colspan="1" rowspan="1" class="confluenceTd">Token Expiration Validation</td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Decision whether the token validation (e.g. lifetime) shall be performed on every request (true) or only once at i
nitial authentication (false). The default is "false".</p></td></tr></tbody></table></div><h5 id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation protocol configuration reference</h5><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Issuer URL</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>PassiveRequestorEndpoint</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>This URL defines the lo
cation of the IDP to whom unauthenticated requests are redirected</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TargetScope</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Security realm of the Relying Party / Application. This value is part of the SignIn request as the <code>wtrealm</code> parameter.<br clear="none"> Default: URL including the Servlet Context</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Authentication Type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The authentication type defines what k
ind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter <code>wauth</code>)<br clear="none"> The WS-Federation standard defines a list of predefined URIs for wauth <a shape="rect" class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997" rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>roleURI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Role Claim URI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Defines the attribute name of the SAML token which contains the roles.<br clear="none"> Required for Role Based Access Control.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>roleDelimiter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Role Value Delimiter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>There are different ways to encode multi value attributes in SAML.</p><ul><li>Single attribute with multiple values</li><li>Several attributes with the same name but only one value</li><li>Single attribute with single value. Roles are delimited by <code>roleDelimiter</code></li></ul></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>claimTypesRequested</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Requested claims</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ClaimTypesRequested</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the
IDP the issuance of the token should fail</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Home Realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the <code>whr</code> parameter</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Freshness</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The desired "freshness" of the tok
en from the IdP. This information is provided in the SignInRequest to the IdP (parameter <code>wfresh</code>)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">request</td><td colspan="1" rowspan="1" class="confluenceTd">Request</td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" class="confluenceTd">NA</td><td colspan="1" rowspan="1" class="confluenceTd">This value is part of the SignIn request as the wreq parameter. It can be used to specify a desired TokenType from the IdP.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TokenValidators</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be configured here. The SAML Token validator is enabled by default.<br cl
ear="none"> See example <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java">here</a></p></td></tr></tbody></table></div><h5 id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at runtime</h5><p>The following attributes can be either configured statically at deployment time or dynamically when the initial request is received:</p><ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li></ul><p>These configuration elements allows for configuring a CallbackHandler which gets a Callback object where the appropriate value must be set. The CallbackHandler implementation has access to the HttpServletRequest. The XML attribute <code>type</code> must be set to <code>Class</code>.</p><p>For more information see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3 id="FedizConfiguration-Advancedexample">Advanced example</h3
><p>The following example defines the required claims and configures a custom callback handler to define some configuration values at runtime.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The protocol element declares that the WS-Federation protocol is being used. The issuer element shows the URL to which authenticated requests will be redirected with a SignIn request.</p><p>The IDP issues a SAML token which must be validated by the plugin. The validation requires the certificate store of the Certificate Authority(ies) of the certificate which signed the SAML token. This is defined in <code>certificateStore</code>. The signing certificate itself is not required because <code>certificateValidation</code> is set to <code>ChainTrust</code>. The <code>subject</code> defines the trusted signing certificate using the subject as a regular expression.<br clear="none"> Finally, the audience URI is validated against the audience restriction in the SAML token.</p><h3 id="FedizConfiguration-Configurationreference">Configuration reference</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>XML el
ement</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Audience URI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The values of the list of audience URIs are verified against the element <code>AudienceRestriction</code> in the SAML token</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>certificateStores</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Trusted certificate store</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The list of keystores (JKS, PEM) includes at least the certificate of the Certif
icate Authorities (CA) which signed the certificate which is used to sign the SAML token.<br clear="none"> If the file location is not fully qualified it needs to be relative to the Container home directory</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>trustedIssuers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Trusted Issuers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (<code>certificateValidation=ChainTrust</code>) or you configure the certificate of the IDP and the CA(s) who signed it (<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>maximumClockSkew</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Maximum Clock Skew</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Maximum allowable time difference between the system clocks of the IDP and RP.<br clear="none"> Default 5 seconds.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenReplayCache</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Token Replay Cache</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The <a shape="rect" class="external-link" href="https://svn.apache.org/repos/asf/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/cache/ReplayCache.java">ReplayCache</a> implementation to use to cache tokens. The default is an implementation based on EHCache.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>signingKey</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Key for Signature</p></td><td colspan="1" rowspan=
"1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>If configured, the published (WS-Federation) <a shape="rect" href="fediz-metadata.html">Metadata document</a> is signed by this key. Otherwise, not signed.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenDecryptionKey</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Decryption Key</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A Keystore used to decrypt an encrypted token.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">tokenExpirationValidation</td><td colspan="1" rowspan="1" class="confluenceTd">Token Expiration Validation</td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Decision whether the token validation (e.g. lifetime) shall be performed on every request (true) or only once at i
nitial authentication (false). The default is "false".</p></td></tr></tbody></table></div><h5 id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation protocol configuration reference</h5><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Issuer URL</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>PassiveRequestorEndpoint</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>This URL defines the lo
cation of the IDP to whom unauthenticated requests are redirected</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TargetScope</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Security realm of the Relying Party / Application. This value is part of the SignIn request as the <code>wtrealm</code> parameter.<br clear="none"> Default: URL including the Servlet Context</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Authentication Type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The authentication type defines what k
ind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter <code>wauth</code>)<br clear="none"> The WS-Federation standard defines a list of predefined URIs for wauth <a shape="rect" class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997" rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>roleURI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Role Claim URI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Defines the attribute name of the SAML token which contains the roles.<br clear="none"> Required for Role Based Access Control.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>roleDelimiter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Role Value Delimiter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>There are different ways to encode multi value attributes in SAML.</p><ul><li>Single attribute with multiple values</li><li>Several attributes with the same name but only one value</li><li>Single attribute with single value. Roles are delimited by <code>roleDelimiter</code></li></ul></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>claimTypesRequested</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Requested claims</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ClaimTypesRequested</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the
IDP the issuance of the token should fail</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Home Realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the <code>whr</code> parameter</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Freshness</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The desired "freshness" of the tok
en from the IdP. This information is provided in the SignInRequest to the IdP (parameter <code>wfresh</code>)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">request</td><td colspan="1" rowspan="1" class="confluenceTd">Request</td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" class="confluenceTd">NA</td><td colspan="1" rowspan="1" class="confluenceTd">This value is part of the SignIn request as the wreq parameter. It can be used to specify a desired TokenType from the IdP.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TokenValidators</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be configured here. The SAML Token validator is enabled by default.<br cl
ear="none"> See example <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/CustomValidator.java" rel="nofollow">here</a></p></td></tr></tbody></table></div><h5 id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at runtime</h5><p>The following attributes can be either configured statically at deployment time or dynamically when the initial request is received:</p><ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li></ul><p>These configuration elements allows for configuring a CallbackHandler which gets a Callback object where the appropriate value must be set. The CallbackHandler implementation has access to the HttpServletRequest. The XML attribute <code>type</code> must be set to <code>Class</code>.</p><p>For more information see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3 id="FedizConfiguration-Advanced
example">Advanced example</h3><p>The following example defines the required claims and configures a custom callback handler to define some configuration values at runtime.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"><?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
<contextConfig name="/fedizhelloworld">
Modified: websites/production/cxf/content/fediz-idp-11.html
==============================================================================
--- websites/production/cxf/content/fediz-idp-11.html (original)
+++ websites/production/cxf/content/fediz-idp-11.html Wed Oct 25 11:57:41 2017
@@ -32,9 +32,9 @@
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
<script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
-<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
<script>
SyntaxHighlighter.defaults['toolbar'] = false;
SyntaxHighlighter.all();
@@ -141,7 +141,7 @@ $CATALINA_HOME/bin/shutdown.sh
...
</Server>
</pre>
-</div></div><p>The keystoreFile is relative to $CATALINA_BASE. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&view=co">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p><p><s
trong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><h5 id="FedizIDP1.1-BuildtheIDPWAR">Build the IDP WAR</h5><p>The Fediz 1.1 distribution ships one Fediz IDP WAR built for Realm-A by default. The distribution also contains the IDP and STS sources with two Maven Profiles <em>realm-a</em> and <em>realm-b</em>. More information is provided in the <code>README.txt</code> <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/services/idp/README.txt?view=co">here</a></p><p>Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser. Assuming port 9080 as listed above, the STS WSDL is availabl
e at:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Version</th><th colspan="1" rowspan="1" class="confluenceTh"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">STS</a> WSDL location</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.0.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/STSService?wsdl</a></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.1.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/</a><a shape="rect" class="external-link" href="https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransp
ort?wsdl" rel="nofollow">REALMA/STSServiceTransport?wsdl</a></td></tr></tbody></table></div><h3 id="FedizIDP1.1-Configuration">Configuration</h3><p>You can manage the users, their claims and the claims per application in the IDP.</p><h5 id="FedizIDP1.1-Userandpassword">User and password</h5><p>The users and passwords are configured in a Spring configuration file in <code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following users are already configured for the <em>Realm A</em> and can easily be extended.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The keystoreFile is relative to $CATALINA_BASE. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html" rel="nofollow">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-sig
ned) keys.</p><p><strong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><h5 id="FedizIDP1.1-BuildtheIDPWAR">Build the IDP WAR</h5><p>The Fediz 1.1 distribution ships one Fediz IDP WAR built for Realm-A by default. The distribution also contains the IDP and STS sources with two Maven Profiles <em>realm-a</em> and <em>realm-b</em>. More information is provided in the <code>README.txt</code> <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/services/idp/README.txt?view=co">here</a></p><p>Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser. Assuming port 9080 as listed above, the S
TS WSDL is available at:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Version</th><th colspan="1" rowspan="1" class="confluenceTh"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">STS</a> WSDL location</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.0.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/STSService?wsdl</a></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.1.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/</a><a shape="rect" class="external-link" href="https://localhost:9443/fediz-idp-sts/REAL
MA/STSServiceTransport?wsdl" rel="nofollow">REALMA/STSServiceTransport?wsdl</a></td></tr></tbody></table></div><h3 id="FedizIDP1.1-Configuration">Configuration</h3><p>You can manage the users, their claims and the claims per application in the IDP.</p><h5 id="FedizIDP1.1-Userandpassword">User and password</h5><p>The users and passwords are configured in a Spring configuration file in <code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following users are already configured for the <em>Realm A</em> and can easily be extended.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> <util:map id="REALMA">
<entry key="alice" value="ecila" />
<entry key="bob" value="bob" />
Modified: websites/production/cxf/content/fediz-jetty.html
==============================================================================
--- websites/production/cxf/content/fediz-jetty.html (original)
+++ websites/production/cxf/content/fediz-jetty.html Wed Oct 25 11:57:41 2017
@@ -32,9 +32,9 @@
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
<script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
-<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
<script>
SyntaxHighlighter.defaults['toolbar'] = false;
SyntaxHighlighter.all();
@@ -110,64 +110,10 @@ Apache CXF -- Fediz Jetty
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="FedizJetty-JettyPlugin(1.1)">Jetty Plugin (1.1)</h1>
-<p>This page describes how to enable Federation for a Jetty 7/8 instance hosting Relying Party (RP) applications. This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for third-party applications that use Fediz STS-generated SAML assertions for authentication. After this configuration is done, the Jetty-RP instance will validate the incoming SignInResponse created by the IDP server.</p>
-
-<p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the Tomcat IDP instance as discussed <a shape="rect" href="fediz-idp.html">here</a>, and can view the STS WSDL at the URL given on that page. That page also provides some tips for running multiple Tomcat instances on your machine.</p>
-
-
-<h3 id="FedizJetty-Installation">Installation</h3>
-
-<p>You can either build the Fediz plugin on your own or download the package <a shape="rect" href="fediz-downloads.html">here</a>. If you have built the plugin on your own you'll find the required libraries in <code>plugins/jetty/target/...zip-with-dependencies.zip</code></p>
-
-<ol><li>Create sub-directory <code>fediz</code> in <code>${jetty.home}/lib/fediz</code></li><li>Update start.ini in ${jetty.home}/start.ini by adding <code>fediz</code> to the OPTIONS
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
-OPTIONS=Server,fediz
+<div id="ConfluenceContent"><h1 id="FedizJetty-JettyPlugin(1.1)">Jetty Plugin (1.1)</h1><p>This page describes how to enable Federation for a Jetty 7/8 instance hosting Relying Party (RP) applications. This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for third-party applications that use Fediz STS-generated SAML assertions for authentication. After this configuration is done, the Jetty-RP instance will validate the incoming SignInResponse created by the IDP server.</p><p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the Tomcat IDP instance as discussed <a shape="rect" href="fediz-idp.html">here</a>, and can view the STS WSDL at the URL given on that page. That page also provides some tips for running multiple Tomcat instances on your machine.</p><h3 id="FedizJetty-Installation">Installation</h3><p>You can either build the Fediz plugin on your own or download the package <a shape="r
ect" href="fediz-downloads.html">here</a>. If you have built the plugin on your own you'll find the required libraries in <code>plugins/jetty/target/...zip-with-dependencies.zip</code></p><ol><li>Create sub-directory <code>fediz</code> in <code>${jetty.home}/lib/fediz</code></li><li><p>Update start.ini in ${jetty.home}/start.ini by adding <code>fediz</code> to the OPTIONS</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">OPTIONS=Server,fediz
</pre>
-</div></div></li><li>Deploy the libraries to the directory created in (1)</li></ol>
-
-
-
-<h3 id="FedizJetty-Configuration">Configuration</h3>
-
-<h5 id="FedizJetty-HTTPSconfiguration">HTTPS configuration</h5>
-
-<p>It's recommended to set up a dedicated (separate) Jetty instance for the Relying Party. The Fediz RP web applications use the following TCP ports:</p>
-<ul><li>HTTP port: 8080</li><li>HTTPS port: 8443 (where IDP and STS are accessed)</li></ul>
-
-
-<p>These are the default ports for a standard Jetty installation.</p>
-
-<p>The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.</p>
-
-<p>The Jetty HTTP(s) configuration is done in etc/jetty-ssl.xml.</p>
-
-<p>The configuration is described in detail <a shape="rect" class="external-link" href="http://wiki.eclipse.org/Jetty/Howto/Configure_SSL" rel="nofollow">here</a></p>
-
-<p>This page also describes how to create certificates. Sample Jetty keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Jetty keystore here is different from the one used to configure the Tomcat-IDP instance.</p>
-
-<p>To establish trust, there are significant keystore/truststore requirements between the Servlet Container instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p>
-
-<p><strong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p>
-
-<p>If you are currently just trying to run the Fediz samples, the configuration above is all you need (the below configuration is already provided within the samples) so you can return now to the samples' READMEs for the next steps in running them.</p>
-
-
-<h5 id="FedizJetty-FedizPluginconfigurationforYourWebApplication">Fediz Plugin configuration for Your Web Application</h5>
-
-<p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html">here</a>.</p>
-
-<p>The Fediz plugin requires configuring the FederationAuthenticator like any other authenticator in Jetty. Detailed information about the Authenticators and SecurityHandler is available <a shape="rect" class="external-link" href="http://wiki.eclipse.org/Jetty/Tutorial/Realms" rel="nofollow">here</a>.</p>
-
-<p>The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context.</p>
-
-<p>You can configure the context in context configuration file located in <jetty.home>/contexts.</p>
-
-<h6 id="FedizJetty-fedizhelloworld.xml">fedizhelloworld.xml</h6>
-<p>Hint: file name must be equal to war file name</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div></li><li>Deploy the libraries to the directory created in (1)</li></ol><h3 id="FedizJetty-Configuration">Configuration</h3><h5 id="FedizJetty-HTTPSconfiguration">HTTPS configuration</h5><p>It's recommended to set up a dedicated (separate) Jetty instance for the Relying Party. The Fediz RP web applications use the following TCP ports:</p><ul><li>HTTP port: 8080</li><li>HTTPS port: 8443 (where IDP and STS are accessed)</li></ul><p>These are the default ports for a standard Jetty installation.</p><p>The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.</p><p>The Jetty HTTP(s) configuration is done in etc/jetty-ssl.xml.</p><p>The configuration is described in detail <a shape="rect" class="external-link" href="http://wiki.eclipse.org/Jetty/Howto/Configure_SSL" rel="nofollow">here</a></p><p>This page also describes how to create certificates. Sample Jetty keystores (not for production use, but useful for demoing Fediz and running the s
ample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Jetty keystore here is different from the one used to configure the Tomcat-IDP instance.</p><p>To establish trust, there are significant keystore/truststore requirements between the Servlet Container instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html" rel="nofollow">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p><p><strong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-s
igned keys but strongly recommended to use third-party signed keys.</strong></p><p>If you are currently just trying to run the Fediz samples, the configuration above is all you need (the below configuration is already provided within the samples) so you can return now to the samples' READMEs for the next steps in running them.</p><h5 id="FedizJetty-FedizPluginconfigurationforYourWebApplication">Fediz Plugin configuration for Your Web Application</h5><p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html">here</a>.</p><p>The Fediz plugin requires configuring the FederationAuthenticator like any other authenticator in Jetty. Detailed information about the Authenticators and SecurityHandler is available <a shape="rect" class="external-link" href="http://wiki.eclipse.org/Jetty/Tutorial/Realms" rel="nofollow">here</a>.</p><p>The Fediz configuration file allows to configure all serv
let contexts in one file or choosing one file per Servlet Context.</p><p>You can configure the context in context configuration file located in <jetty.home>/contexts.</p><h6 id="FedizJetty-fedizhelloworld.xml">fedizhelloworld.xml</h6><p>Hint: file name must be equal to war file name</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
<Get name="securityHandler">
<Set name="loginService">
@@ -182,20 +128,7 @@ OPTIONS=Server,fediz
</Set>
</Get>
</pre>
-</div></div>
-
-
-<p>The Fediz configuration file is a Servlet container independent configuration file and described <a shape="rect" href="fediz-configuration.html">here</a></p>
-
-<h3 id="FedizJetty-WebApplicationdeployment">Web Application deployment</h3>
-
-<p>Deploy your Web Application to your Jetty installation (<jetty.home>/webapps). If you're running the Fediz examples, their README files will have instructions on how to do this.</p>
-
-<h3 id="FedizJetty-FederationMetadatadocument">Federation Metadata document</h3>
-
-<p>The Jetty Fediz plugin supports publishing the WS-Federation Metadata document which is described <a shape="rect" href="fediz-metadata.html">here</a>.</p>
-
-</div>
+</div></div><p>The Fediz configuration file is a Servlet container independent configuration file and described <a shape="rect" href="fediz-configuration.html">here</a></p><h3 id="FedizJetty-WebApplicationdeployment">Web Application deployment</h3><p>Deploy your Web Application to your Jetty installation (<jetty.home>/webapps). If you're running the Fediz examples, their README files will have instructions on how to do this.</p><h3 id="FedizJetty-FederationMetadatadocument">Federation Metadata document</h3><p>The Jetty Fediz plugin supports publishing the WS-Federation Metadata document which is described <a shape="rect" href="fediz-metadata.html">here</a>.</p></div>
</div>
<!-- Content -->
</td>
Modified: websites/production/cxf/content/fediz-tomcat.html
==============================================================================
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Wed Oct 25 11:57:41 2017
@@ -32,8 +32,8 @@
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
<script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
<script>
SyntaxHighlighter.defaults['toolbar'] = false;
SyntaxHighlighter.all();
@@ -115,7 +115,7 @@ Apache CXF -- Fediz Tomcat
keystoreFile="rp-ssl-key.jks" keyPass="tompass"
keystorePass="tompass" sslProtocol="TLS" />
</pre>
-</div></div><p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this page</a> for more details, it lists the trust requirements as well a
s sample scripts for creating your own (self-signed) keys.</p><p><strong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><p>If you are currently just trying to run the Fediz samples, the configuration above is all you need (the below configuration is already provided within the samples) so you can return now to the samples' READMEs for the next steps in running them.</p><h5 id="FedizTomcat-FedizPluginconfigurationforYourWebApplication">Fediz Plugin configuration for Your Web Application</h5><p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html">here</a>.</p><p>The Fediz plugin requires configuring the FederationAuthe
nticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p><p>A Valve can be configured on different levels like <em>Host</em> or <em>Context</em>. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the <em>Context</em> level otherwise on the <em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p><p>You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file.</p><h6 id="FedizTomcat-META-INF/context.xml">META-INF/context.xml</h6><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html" rel="nofollow">this page</a> for more
details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p><p><strong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><p>If you are currently just trying to run the Fediz samples, the configuration above is all you need (the below configuration is already provided within the samples) so you can return now to the samples' READMEs for the next steps in running them.</p><h5 id="FedizTomcat-FedizPluginconfigurationforYourWebApplication">Fediz Plugin configuration for Your Web Application</h5><p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html">here</a>.</p><p>The Fe
diz plugin requires configuring the FederationAuthenticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p><p>A Valve can be configured on different levels like <em>Host</em> or <em>Context</em>. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the <em>Context</em> level otherwise on the <em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p><p>You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file.</p><h6 id="FedizTomcat-META-INF/context.xml">META-INF/context.xml</h6><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panel
Content pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
<Context>
<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"