You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2019/05/17 15:56:52 UTC
svn commit: r1045114 - in /websites/production/cxf/content:
cache/main.pageCache fediz-idp-11.html fediz-tomcat.html
Author: buildbot
Date: Fri May 17 15:56:52 2019
New Revision: 1045114
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz-idp-11.html
websites/production/cxf/content/fediz-tomcat.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/fediz-idp-11.html
==============================================================================
--- websites/production/cxf/content/fediz-idp-11.html (original)
+++ websites/production/cxf/content/fediz-idp-11.html Fri May 17 15:56:52 2019
@@ -100,7 +100,7 @@ Apache CXF -- Fediz IDP 1.1
<div id="wrapper-menu-page-bottom">
<div id="menu-page">
<!-- NavigationBar -->
-<div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect" href="index.html">Apache CXF</a></h3><ul class="alternate"><li><a shape="rect" href="index.html">Home</a></li><li><a shape="rect" href="download.html">Download</a></li><li><a shape="rect" href="people.html">People</a></li><li><a shape="rect" href="project-status.html">Project Status</a></li><li><a shape="rect" href="roadmap.html">Roadmap</a></li><li><a shape="rect" href="mailing-lists.html">Mailing Lists</a></li><li><a shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect" href="security-advisories.html">Security Advisories</a></li></ul><h3 id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's Guide</a></li><li>
<a shape="rect" href="support.html">Support</a></li><li><a shape="rect" href="faq.html">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html">Resources and Articles</a></li></ul><h3 id="Navigation-Search">Search</h3><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse"><div> <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4"> <input type="hidden" name="ie" value="UTF-8"> <input type="text" name="q" size="21"> <input type="submit" name="sa" value="Search"> </div> </form> <script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script> <h3 id="Navigation-Developers">Developers</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture Guide</a></li><li><a shape="rect" href="source-repository.html">Source Repository</a></li><li><a shape="rect" href="building.html">Building</a></li><li><a
shape="rect" href="automated-builds.html">Automated Builds</a></li><li><a shape="rect" href="testing-debugging.html">Testing-Debugging</a></li><li><a shape="rect" href="coding-guidelines.html">Coding Guidelines</a></li><li><a shape="rect" href="getting-involved.html">Getting Involved</a></li><li><a shape="rect" href="release-management.html">Release Management</a></li></ul><h3 id="Navigation-Subprojects">Subprojects</h3><ul class="alternate"><li><a shape="rect" href="distributed-osgi.html">Distributed OSGi</a></li><li><a shape="rect" href="xjc-utils.html">XJC Utils</a></li><li><a shape="rect" href="build-utils.html">Build Utils</a></li><li><a shape="rect" href="fediz.html">Fediz</a></li></ul><h3 id="Navigation-ASF"><a shape="rect" class="external-link" href="http://www.apache.org">ASF</a></h3><ul class="alternate"><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a shape="rect" class="external-link" href
="http://www.apache.org/foundation/">Foundation</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/sponsorship.html">Sponsor Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul><p> </p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div>
+<div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect" href="index.html">Apache CXF</a></h3><ul class="alternate"><li><a shape="rect" href="index.html">Home</a></li><li><a shape="rect" href="download.html">Download</a></li><li><a shape="rect" href="people.html">People</a></li><li><a shape="rect" href="project-status.html">Project Status</a></li><li><a shape="rect" href="roadmap.html">Roadmap</a></li><li><a shape="rect" href="mailing-lists.html">Mailing Lists</a></li><li><a shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect" href="security-advisories.html">Security Advisories</a></li></ul><h3 id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's Guide</a></li><li>
<a shape="rect" href="support.html">Support</a></li><li><a shape="rect" href="faq.html">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html">Resources and Articles</a></li></ul><h3 id="Navigation-Search">Search</h3><div class="aui-message aui-message-error"><p class="title"><strong>Error rendering macro 'html'</strong></p><p>Your Confluence administrator has disallowed the use of Javascript in the HTML macro. This setting can be changed using HTML for Confluence Configuration. Please see your administrator for details.</p></div><h3 id="Navigation-Developers">Developers</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture Guide</a></li><li><a shape="rect" href="source-repository.html">Source Repository</a></li><li><a shape="rect" href="building.html">Building</a></li><li><a shape="rect" href="automated-builds.html">Automated Builds</a></li><li><a shape="rect" href="testing-debugging.html">Testing-Debugging
</a></li><li><a shape="rect" href="coding-guidelines.html">Coding Guidelines</a></li><li><a shape="rect" href="getting-involved.html">Getting Involved</a></li><li><a shape="rect" href="release-management.html">Release Management</a></li></ul><h3 id="Navigation-Subprojects">Subprojects</h3><ul class="alternate"><li><a shape="rect" href="distributed-osgi.html">Distributed OSGi</a></li><li><a shape="rect" href="xjc-utils.html">XJC Utils</a></li><li><a shape="rect" href="build-utils.html">Build Utils</a></li><li><a shape="rect" href="fediz.html">Fediz</a></li></ul><h3 id="Navigation-ASF"><a shape="rect" class="external-link" href="http://www.apache.org">ASF</a></h3><ul class="alternate"><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/">Foundation</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundati
on/sponsorship.html">Sponsor Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul><p> </p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div>
<!-- NavigationBar -->
</div>
</div>
@@ -110,16 +110,16 @@ Apache CXF -- Fediz IDP 1.1
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="FedizIDP1.1-FedizIDP">Fediz IDP</h1><p><em>Note:</em> Fediz IDP 1.0 is described <a shape="rect" href="fediz-idp.html">here </a>.</p><p>The Release 1.1 introduces the following new feature:</p><ul><li>Federation Metadata<br clear="none"> The IDP supports publishing the WS-Federation Metadata document which allows to more easily integrate the IDP into platforms which support referencing a Metadata document. Metadata consists of the signing certificate, the provided claims, etc.</li></ul><ul><li>Spring Web Flow support<br clear="none"> The IDP has been refactored to use Spring Web Flow to manage the federation flow. This provides flexibility to be able to customize the IDP to company's specific requirements. The IDP is secured by Spring Security to get the benefits and flexibility of Spring Security.</li></ul><ul><li>Resource IDP and Home Realm Discovery<br clear="none"> This is the major new feature. The IDP is able to figure out from which securit
y domain/realm the browser request is coming from to redirect the sign-in request to the requestor IDP which does the authentication and issues a token which is sent to the Resource IDP. The Resource IDP will then either map the principal from one security domain to the target security domain and get claims information of the mapped principal or transform the claims information and finally issue a new token for the relying party (application).</li></ul><p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component, fediz-idp-sts.war, which is responsible for validating credentials, getting the requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR (fediz-idp.war) which allows browser-based applications to interact with the STS. The communication between the browser and the IDP must be performed within the confine
s of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic.</p><p>The Fediz STS is based on a customized CXF STS configured to support standard Federation use cases demonstrated by the examples. The Fediz STS has been enhanced to support two realms *Realm-A* and *Realm-B* with the following set of users:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>User</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Password</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm A</em></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>alice</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ecila</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>bob</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>bob</p></td></tr><tr>
<td colspan="1" rowspan="1" class="confluenceTd"><p>ted</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>det</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm B</em></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>ALICE</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ECILA</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>BOB</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>BOB</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>TED</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>DET</p></td></tr></tbody></table></div><p>The Fediz IDP doesn't support several realms within one WAR which requires to build a Fediz IDP WAR for Realm A (default, shipped with Fediz Distribution) and Realm B. See below how to build a Fediz IDP WAR for a specific realm.</p><h3 id="FedizIDP1.1-Installation">Insta
llation</h3><p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server.</p><p>It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described <a shape="rect" class="external-link" href="http://www.shaunabram.com/multiple-tomcat-instances/" rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and <a shape="rect" class="external-link" href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html" rel="nofollow">change port values</a> (discussed below) so they don't conflict with the original Tomcat i
nstallation.</p><p>To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
+<div id="ConfluenceContent"><h1 id="FedizIDP1.1-FedizIDP">Fediz IDP</h1><p><em>Note:</em> Fediz IDP 1.0 is described <a shape="rect" href="fediz-idp-10.html">here </a>.</p><p>The Release 1.1 introduces the following new feature:</p><ul><li>Federation Metadata<br clear="none">The IDP supports publishing the WS-Federation Metadata document which allows to more easily integrate the IDP into platforms which support referencing a Metadata document. Metadata consists of the signing certificate, the provided claims, etc.</li></ul><ul><li>Spring Web Flow support<br clear="none">The IDP has been refactored to use Spring Web Flow to manage the federation flow. This provides flexibility to be able to customize the IDP to company's specific requirements. The IDP is secured by Spring Security to get the benefits and flexibility of Spring Security.</li></ul><ul><li>Resource IDP and Home Realm Discovery<br clear="none">This is the major new feature. The IDP is able to figure out from which securit
y domain/realm the browser request is coming from to redirect the sign-in request to the requestor IDP which does the authentication and issues a token which is sent to the Resource IDP. The Resource IDP will then either map the principal from one security domain to the target security domain and get claims information of the mapped principal or transform the claims information and finally issue a new token for the relying party (application).</li></ul><p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component, fediz-idp-sts.war, which is responsible for validating credentials, getting the requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR (fediz-idp.war) which allows browser-based applications to interact with the STS. The communication between the browser and the IDP must be performed within the confine
s of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic.</p><p>The Fediz STS is based on a customized CXF STS configured to support standard Federation use cases demonstrated by the examples. The Fediz STS has been enhanced to support two realms *Realm-A* and *Realm-B* with the following set of users:</p><div class="table-wrap"><table class="wrapped confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>User</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Password</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm A</em></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>alice</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ecila</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>bob</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>bo
b</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>ted</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>det</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm B</em></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><br clear="none"></p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>ALICE</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ECILA</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>BOB</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>BOB</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>TED</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>DET</p></td></tr></tbody></table></div><p>The Fediz IDP doesn't support several realms within one WAR which requires to build a Fediz IDP WAR for Realm A (default, shipped with Fediz Distribution) and Realm B. See below how to build a Fediz IDP WAR for a specific realm.</p><h3 id="F
edizIDP1.1-Installation">Installation</h3><p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server.</p><p>It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described <a shape="rect" class="external-link" href="http://www.shaunabram.com/multiple-tomcat-instances/" rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and <a shape="rect" class="external-link" href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html" rel="nofollow">change port values</a> (discussed below) so they don't confl
ict with the original Tomcat installation.</p><p>To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default">CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/startup.sh
</pre>
</div></div><p>and</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
+<pre class="brush: java; gutter: false; theme: Default">CATALINA_HOME=/path/to/second/tomcat
$CATALINA_HOME/bin/shutdown.sh
</pre>
</div></div><p>If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE instead that will need to be redefined above.</p><h5 id="FedizIDP1.1-Tomcatserver.xmlconfiguration">Tomcat server.xml configuration</h5><p>The Fediz examples use the following Tomcat port values for the IDP/STS, defined in the conf/server.xml file. We use ports different from the Tomcat defaults so as not to conflict with the Tomcat instance running the RP applications.</p><ul><li>HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS port: 9443 (where IDP and STS are accessed)</li><li>Server port: 9005 (for shutdown and other commands)</li></ul><p>Here is a sample snippet for showing the configuration of the above three values:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"><Server port="9005" shutdown="SHUTDOWN">
+<pre class="brush: java; gutter: false; theme: Default"><Server port="9005" shutdown="SHUTDOWN">
...
<!-- http configuration -->
@@ -132,8 +132,9 @@ $CATALINA_HOME/bin/shutdown.sh
<!-- https configuration -->
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
- keystoreFile="idp-ssl-server.jks"
- keystorePass="tompass" sslProtocol="TLS" />
+ clientAuth="want" sslProtocol="TLS"
+ keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
+ truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
...
<Connector port="9009" protocol="AJP/1.3" redirectPort="9443" />
@@ -141,8 +142,8 @@ $CATALINA_HOME/bin/shutdown.sh
...
</Server>
</pre>
-</div></div><p>The keystoreFile is relative to $CATALINA_BASE. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html" rel="nofollow">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-sig
ned) keys.</p><p><strong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><h5 id="FedizIDP1.1-BuildtheIDPWAR">Build the IDP WAR</h5><p>The Fediz 1.1 distribution ships one Fediz IDP WAR built for Realm-A by default. The distribution also contains the IDP and STS sources with two Maven Profiles <em>realm-a</em> and <em>realm-b</em>. More information is provided in the <code>README.txt</code> <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/services/idp/README.txt?view=co">here</a></p><p>Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser. Assuming port 9080 as listed above, the S
TS WSDL is available at:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Version</th><th colspan="1" rowspan="1" class="confluenceTh"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">STS</a> WSDL location</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.0.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/STSService?wsdl</a></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.1.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/</a><a shape="rect" class="external-link" href="https://localhost:9443/fediz-idp-sts/REAL
MA/STSServiceTransport?wsdl" rel="nofollow">REALMA/STSServiceTransport?wsdl</a></td></tr></tbody></table></div><h3 id="FedizIDP1.1-Configuration">Configuration</h3><p>You can manage the users, their claims and the claims per application in the IDP.</p><h5 id="FedizIDP1.1-Userandpassword">User and password</h5><p>The users and passwords are configured in a Spring configuration file in <code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following users are already configured for the <em>Realm A</em> and can easily be extended.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> <util:map id="REALMA">
+</div></div><p>The keystoreFile is relative to $CATALINA_BASE. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html" rel="nofollow">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-sig
ned) keys.</p><p><strong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><h5 id="FedizIDP1.1-BuildtheIDPWAR">Build the IDP WAR</h5><p>The Fediz 1.1 distribution ships one Fediz IDP WAR built for Realm-A by default. The distribution also contains the IDP and STS sources with two Maven Profiles <em>realm-a</em> and <em>realm-b</em>. More information is provided in the <code>README.txt</code> <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/services/idp/README.txt?view=co">here</a></p><p>Once you deploy the IDP WAR files to your Tomcat installation (<catalina.home>/webapps), you should be able to see the Fediz STS from a browser. Assuming port 9080 as listed above, the S
TS WSDL is available at:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Version</th><th colspan="1" rowspan="1" class="confluenceTh"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">STS</a> WSDL location</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.0.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/STSService?wsdl</a></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.1.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/</a><a shape="rect" cla
ss="external-link" href="https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl" rel="nofollow">REALMA/STSServiceTransport?wsdl</a></td></tr></tbody></table></div><h3 id="FedizIDP1.1-Configuration">Configuration</h3><p>You can manage the users, their claims and the claims per application in the IDP.</p><h5 id="FedizIDP1.1-Userandpassword">User and password</h5><p>The users and passwords are configured in a Spring configuration file in <code>webapps/fediz-idp-sts/WEB-INF/data/passwords.xml</code>. The following users are already configured for the <em>Realm A</em> and can easily be extended.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default"> <util:map id="REALMA">
<entry key="alice" value="ecila" />
<entry key="bob" value="bob" />
<entry key="ted" value="det" />
@@ -154,8 +155,8 @@ $CATALINA_HOME/bin/shutdown.sh
<entry key="TED" value="DET" />
</util:map>
</pre>
-</div></div><h5 id="FedizIDP1.1-UserClaims">User Claims</h5><p>The claims of each user are configured in a spring configuration file <code>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</code>. The following claims are already configured:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> <util:map id="userClaimsREALMA">
+</div></div><h5 id="FedizIDP1.1-UserClaims">User Claims</h5><p>The claims of each user are configured in a spring configuration file <code>webapps/fediz-idp-sts/WEB-INF/data/userClaims.xml</code>. The following claims are already configured:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default"> <util:map id="userClaimsREALMA">
<entry key="alice"
value-ref="REALMA_aliceClaims" />
<entry key="bob"
@@ -176,7 +177,7 @@ $CATALINA_HOME/bin/shutdown.sh
</util:map>
</pre>
</div></div><p>The claim id's are configured according to Section 7.5 in the specification <a shape="rect" class="external-link" href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html" rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims to a SAML attribute statement are described in Section 7.2.</p><h5 id="FedizIDP1.1-IDPconfiguration">IDP configuration</h5><p>The IDP configuration is done in the new configuration file <code>idp-config-<realm>.xml</code> which is illustrated below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig">
+<pre class="brush: java; gutter: false; theme: Default"> <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig">
<property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
<property name="uri" value="realma" />
<!--<property name="hrds" value="" />--> <!-- TBD, not defined, provide list if enabled -->
@@ -212,7 +213,7 @@ $CATALINA_HOME/bin/shutdown.sh
</bean>
</pre>
</div></div><h5 id="FedizIDP1.1-RelyingParty/Applicationconfiguration">Relying Party / Application configuration</h5><p><em>Note: The configuration file</em> <code><em>RPClaims.xml</em></code> <em>has been replaced</em></p><p>The application related configuration like required claims are configured in the new IDP configuration file <code>idp-config-<realm>.xml</code> which has been enhanced to support other configuration parameters as well:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
+<pre class="brush: java; gutter: false; theme: Default"> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig">
<property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
<property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
<property name="serviceDisplayName" value="Fedizhelloworld" />
@@ -243,7 +244,7 @@ $CATALINA_HOME/bin/shutdown.sh
</bean>
</pre>
</div></div><h5 id="FedizIDP1.1-TrustedIDPconfiguration">Trusted IDP configuration</h5><p>This feature is new in Fediz IDP 1.1 and allows to redirect a SignIn Request to a trusted IDP. The following configuration is required:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"> <bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig">
+<pre class="brush: java; gutter: false; theme: Default"> <bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig">
<property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
<property name="url" value="https://localhost:12443/fediz-idp-remote/federation" />
<property name="certificate" value="realmb.cert" />
@@ -255,7 +256,7 @@ $CATALINA_HOME/bin/shutdown.sh
</bean>
</pre>
</div></div><h3 id="FedizIDP1.1-ConfigureLDAPdirectory">Configure LDAP directory</h3><p>The Fediz IDP can be configured to attach an LDAP directory to authenticate users and to retrieve claims information of users.</p><h5 id="FedizIDP1.1-Usernameandpasswordauthentication">Username and password authentication</h5><p>WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">myldap {
+<pre class="brush: java; gutter: false; theme: Default">myldap {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
@@ -264,12 +265,12 @@ $CATALINA_HOME/bin/shutdown.sh
};
</pre>
</div></div><p>You can get more information about this LoginModule <a shape="rect" class="external-link" href="http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html" rel="nofollow">here</a>.</p><p>In this example, all the users are stored in the organization unit Users within mycompany.org. The configuration filename can be chosen, e.g. <code>jaas.config</code>. The filename must be configured as a JVM argument. JVM related configurations for Tomcat can be done in the file <code>setenv.sh/bat</code> located in directory <code>tomcat/bin</code>. This script is called implicitly by <code>catalina.bat/sh</code> and might look like this for UNIX:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">#!/bin/sh
+<pre class="brush: java; gutter: false; theme: Default">#!/bin/sh
JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
export JAVA_OPTS
</pre>
</div></div><p>Next, the STS endpoint has to be configured to use the JAAS LoginModule which is accomplished by the <code>JAASUsernameTokenValidator</code>.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"><bean
+<pre class="brush: java; gutter: false; theme: Default"><bean
class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
id="jaasUTValidator">
<property name="contextName" value="myldap"/>
@@ -290,7 +291,7 @@ export JAVA_OPTS
</jaxws:endpoint>
</pre>
</div></div><p>The property <code>contextName</code> must match the context name defined in the JAAS configuration file which is <code>myldap</code> in this example.</p><h5 id="FedizIDP1.1-Claimsmanagement">Claims management</h5><p>When a STS client (IDP) requests a claim, the ClaimsManager in the STS checks every registered ClaimsHandler who can provide the data of the requested claim. The CXF STS provides <code>org.apache.cxf.sts.claims.LdapClaimsHandler</code> which is a claims handler implementation to get claims from user attributes in a LDAP directory.</p><p>You configure which claim URI maps to which LDAP user attribute. The implementation uses the Spring Ldap Module (LdapTemplate).</p><p>The following example illustrate the changes to be made in <code>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</code>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"><util:list id="claimHandlerList">
+<pre class="brush: java; gutter: false; theme: Default"><util:list id="claimHandlerList">
<ref bean="ldapClaimsHandler" />
</util:list>
Modified: websites/production/cxf/content/fediz-tomcat.html
==============================================================================
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Fri May 17 15:56:52 2019
@@ -99,7 +99,7 @@ Apache CXF -- Fediz Tomcat
<div id="wrapper-menu-page-bottom">
<div id="menu-page">
<!-- NavigationBar -->
-<div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect" href="index.html">Apache CXF</a></h3><ul class="alternate"><li><a shape="rect" href="index.html">Home</a></li><li><a shape="rect" href="download.html">Download</a></li><li><a shape="rect" href="people.html">People</a></li><li><a shape="rect" href="project-status.html">Project Status</a></li><li><a shape="rect" href="roadmap.html">Roadmap</a></li><li><a shape="rect" href="mailing-lists.html">Mailing Lists</a></li><li><a shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect" href="security-advisories.html">Security Advisories</a></li></ul><h3 id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's Guide</a></li><li>
<a shape="rect" href="support.html">Support</a></li><li><a shape="rect" href="faq.html">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html">Resources and Articles</a></li></ul><h3 id="Navigation-Search">Search</h3><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse"><div> <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4"> <input type="hidden" name="ie" value="UTF-8"> <input type="text" name="q" size="21"> <input type="submit" name="sa" value="Search"> </div> </form> <script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script> <h3 id="Navigation-Developers">Developers</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture Guide</a></li><li><a shape="rect" href="source-repository.html">Source Repository</a></li><li><a shape="rect" href="building.html">Building</a></li><li><a
shape="rect" href="automated-builds.html">Automated Builds</a></li><li><a shape="rect" href="testing-debugging.html">Testing-Debugging</a></li><li><a shape="rect" href="coding-guidelines.html">Coding Guidelines</a></li><li><a shape="rect" href="getting-involved.html">Getting Involved</a></li><li><a shape="rect" href="release-management.html">Release Management</a></li></ul><h3 id="Navigation-Subprojects">Subprojects</h3><ul class="alternate"><li><a shape="rect" href="distributed-osgi.html">Distributed OSGi</a></li><li><a shape="rect" href="xjc-utils.html">XJC Utils</a></li><li><a shape="rect" href="build-utils.html">Build Utils</a></li><li><a shape="rect" href="fediz.html">Fediz</a></li></ul><h3 id="Navigation-ASF"><a shape="rect" class="external-link" href="http://www.apache.org">ASF</a></h3><ul class="alternate"><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a shape="rect" class="external-link" href
="http://www.apache.org/foundation/">Foundation</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/sponsorship.html">Sponsor Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul><p> </p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div>
+<div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect" href="index.html">Apache CXF</a></h3><ul class="alternate"><li><a shape="rect" href="index.html">Home</a></li><li><a shape="rect" href="download.html">Download</a></li><li><a shape="rect" href="people.html">People</a></li><li><a shape="rect" href="project-status.html">Project Status</a></li><li><a shape="rect" href="roadmap.html">Roadmap</a></li><li><a shape="rect" href="mailing-lists.html">Mailing Lists</a></li><li><a shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect" href="security-advisories.html">Security Advisories</a></li></ul><h3 id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's Guide</a></li><li>
<a shape="rect" href="support.html">Support</a></li><li><a shape="rect" href="faq.html">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html">Resources and Articles</a></li></ul><h3 id="Navigation-Search">Search</h3><div class="aui-message aui-message-error"><p class="title"><strong>Error rendering macro 'html'</strong></p><p>Your Confluence administrator has disallowed the use of Javascript in the HTML macro. This setting can be changed using HTML for Confluence Configuration. Please see your administrator for details.</p></div><h3 id="Navigation-Developers">Developers</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture Guide</a></li><li><a shape="rect" href="source-repository.html">Source Repository</a></li><li><a shape="rect" href="building.html">Building</a></li><li><a shape="rect" href="automated-builds.html">Automated Builds</a></li><li><a shape="rect" href="testing-debugging.html">Testing-Debugging
</a></li><li><a shape="rect" href="coding-guidelines.html">Coding Guidelines</a></li><li><a shape="rect" href="getting-involved.html">Getting Involved</a></li><li><a shape="rect" href="release-management.html">Release Management</a></li></ul><h3 id="Navigation-Subprojects">Subprojects</h3><ul class="alternate"><li><a shape="rect" href="distributed-osgi.html">Distributed OSGi</a></li><li><a shape="rect" href="xjc-utils.html">XJC Utils</a></li><li><a shape="rect" href="build-utils.html">Build Utils</a></li><li><a shape="rect" href="fediz.html">Fediz</a></li></ul><h3 id="Navigation-ASF"><a shape="rect" class="external-link" href="http://www.apache.org">ASF</a></h3><ul class="alternate"><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/">Foundation</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundati
on/sponsorship.html">Sponsor Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul><p> </p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div>
<!-- NavigationBar -->
</div>
</div>
@@ -109,7 +109,7 @@ Apache CXF -- Fediz Tomcat
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="FedizTomcat-ApacheTomcatPlugin">Apache Tomcat Plugin</h1><p>This page describes how to enable WS-Federation for an Apache Tomcat instance hosting Relying Party (RP) applications. Also note that from the 1.4.4 release, the Apache Tomcat Fediz plugin also supports SAML SSO. Recent version of Apache CXF Fediz ship two Tomcat plugins, one for Apache Tomcat 7 and one for Apache Tomcat 8.</p><p>This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for third-party applications that use Fediz STS-generated SAML assertions for authentication. After this configuration is done, the Tomcat-RP instance will validate the incoming SignInResponse created by the IDP server.</p><p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the separate Tomcat IDP instance as discussed <a shape="rect" href="fediz-idp-10.html">here</a>, and can view the STS WSDL at the URL given on th
at page. That page also provides some tips for running multiple Tomcat instances on your machine.</p><h3 id="FedizTomcat-Installation">Installation</h3><p>You can either build the Fediz plugin on your own or download the package <a shape="rect" href="fediz-downloads.html">here</a>. If you have built the plugin on your own you'll find the required libraries in <code>plugins/tomcat-${version}/target/...zip-with-dependencies.zip</code></p><ol><li>Create sub-directory <code>fediz</code> in <code>${catalina.home}/lib</code></li><li>Update catalina.properties in ${catalina.home}/conf<br clear="none"> add the previously created directory to the common loader:<br clear="none"> <code>common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar</code></li><li>Deploy the libraries to the directory created in (1)</li></ol><h3 id="FedizTomcat-Configuration">Configuration</h3><h5 id="FedizTomcat-HTTPSconfiguration">
HTTPS configuration</h5><p>It's recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz RP web applications use the following TCP ports:</p><ul><li>HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS port: 8443 (where IDP and STS are accessed)</li><li>Server port (for shutdown and other commands): 8005</li></ul><p>These are the default ports for a standard Tomcat installation.</p><p>The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.</p><p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p><p>This is a sample snippet for an HTTPS configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<div id="ConfluenceContent"><h1 id="FedizTomcat-ApacheTomcatPlugin">Apache Tomcat Plugin</h1><p>This page describes how to enable WS-Federation for an Apache Tomcat instance hosting Relying Party (RP) applications. Also note that from the 1.4.4 release, the Apache Tomcat Fediz plugin also supports SAML SSO. Recent version of Apache CXF Fediz ship two Tomcat plugins, one for Apache Tomcat 7 and one for Apache Tomcat 8.</p><p>This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS WARs, or hosts for third-party applications that use Fediz STS-generated SAML assertions for authentication. After this configuration is done, the Tomcat-RP instance will validate the incoming SignInResponse created by the IDP server.</p><p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the separate Tomcat IDP instance as discussed <a shape="rect" href="fediz-idp-10.html">here</a>, and can view the STS WSDL at the URL given on th
at page. That page also provides some tips for running multiple Tomcat instances on your machine.</p><h3 id="FedizTomcat-Installation">Installation</h3><p>You can either build the Fediz plugin on your own or download the package <a shape="rect" href="fediz-downloads.html">here</a>. If you have built the plugin on your own you'll find the required libraries in <code>plugins/tomcat-${version}/target/...zip-with-dependencies.zip</code></p><ol><li>Create sub-directory <code>fediz</code> in <code>${catalina.home}/lib</code></li><li>Update catalina.properties in ${catalina.home}/conf<br clear="none">add the previously created directory to the common loader:<br clear="none"><code>common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar</code></li><li>Deploy the libraries to the directory created in (1)</li></ol><h3 id="FedizTomcat-Configuration">Configuration</h3><h5 id="FedizTomcat-HTTPSconfiguration">HT
TPS configuration</h5><p>It's recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz RP web applications use the following TCP ports:</p><ul><li>HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS port: 8443 (where IDP and STS are accessed)</li><li>Server port (for shutdown and other commands): 8005</li></ul><p>These are the default ports for a standard Tomcat installation.</p><p>The Relying Party must be accessed over HTTPS to protect the security tokens issued by the IDP.</p><p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p><p>This is a sample snippet for an HTTPS configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="rp-ssl-key.jks" keyPass="tompass"
@@ -118,7 +118,7 @@ Apache CXF -- Fediz Tomcat
</div></div><p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html">here</a> for the Tomcat 8 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution. Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html" rel="nofollow">this page</a> for more
details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p><p><strong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><p>If you are currently just trying to run the Fediz samples, the configuration above is all you need (the below configuration is already provided within the samples) so you can return now to the samples' READMEs for the next steps in running them.</p><h5 id="FedizTomcat-FedizPluginconfigurationforYourWebApplication">Fediz Plugin configuration for Your Web Application</h5><p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html">here</a>.</p><p>The Fe
diz plugin requires configuring the FederationAuthenticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept is available <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html">here</a>.</p><p>A Valve can be configured on different levels like <em>Host</em> or <em>Context</em>. The Fediz configuration file allows to configure all servlet contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet Context then you must configure the FederationAuthenticator on the <em>Context</em> level otherwise on the <em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p><p>You can either configure the context in the server.xml or in META-INF/context.xml as part of your WAR file.</p><h6 id="FedizTomcat-META-INF/context.xml">META-INF/context.xml</h6><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panel
Content pdl">
<pre class="brush: java; gutter: false; theme: Default">
<Context>
- <Valve className="org.apache.cxf.fediz.tomcat8.FederationAuthenticator"
+ <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/fediz_config.xml" />
</Context>
</pre>
@@ -126,14 +126,14 @@ Apache CXF -- Fediz Tomcat
<pre class="brush: java; gutter: false; theme: Default">
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
- <Valve className="org.apache.cxf.fediz.tomcat8.FederationAuthenticator"
+ <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/fediz_config.xml" />
</Host>
</pre>
</div></div><h6 id="FedizTomcat-Contextlevelinserver.xml">Context level in server.xml</h6><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">
<Context path="/fedizhelloworld" docBase="fedizhelloworld">
- <Valve className="org.apache.cxf.fediz.tomcat8.FederationAuthenticator"
+ <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
configFile="conf/fediz_config.xml" />
</Context>
</pre>