You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2018/09/13 10:58:01 UTC

svn commit: r1035113 - in /websites/production/cxf/content: cache/docs.pageCache docs/33-migration-guide.html docs/jax-rs-saml.html

Author: buildbot
Date: Thu Sep 13 10:58:01 2018
New Revision: 1035113

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/33-migration-guide.html
    websites/production/cxf/content/docs/jax-rs-saml.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/33-migration-guide.html
==============================================================================
--- websites/production/cxf/content/docs/33-migration-guide.html (original)
+++ websites/production/cxf/content/docs/33-migration-guide.html Thu Sep 13 10:58:01 2018
@@ -107,7 +107,7 @@ Apache CXF -- 3.3 Migration Guide
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h3 id="id-3.3MigrationGuide-MajorNotes:">Major Notes:</h3><ul><li>The claimType of the <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/security/src/main/java/org/apache/cxf/rt/security/claims/Claim.java" rel="nofollow">Claim</a> class is now a "String" instead of a "URI".&#160; This might break existing ClaimsHandler implementations in the STS. In addition, the ClaimsHandler interface now returns a List&lt;String&gt; for getSupportedClaimTypes() instead of List&lt;URI&gt;.</li><li>The package name of the ClaimsAuthorizingInterceptor has changed: from org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor to org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor.</li></ul><h3 id="id-3.3MigrationGuide-NewFeatures:">New Features:</h3><h3 id="id-3.3MigrationGuide-Majordependencychanges:">Major dependency changes:</h3></div>
+<div id="ConfluenceContent"><h3 id="id-3.3MigrationGuide-MajorNotes:">Major Notes:</h3><h3 id="id-3.3MigrationGuide-ClaimsHandling:">Claims Handling:</h3><ul><li>The claimType of the <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/security/src/main/java/org/apache/cxf/rt/security/claims/Claim.java" rel="nofollow">Claim</a> class is now a "String" instead of a "URI".&#160; This might break existing ClaimsHandler implementations in the STS. In addition, the ClaimsHandler interface now returns a List&lt;String&gt; for getSupportedClaimTypes() instead of List&lt;URI&gt;.</li><li>The Claims access control annotations/interceptors <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/CXF-6727">now work</a> with JWT tokens (as well as SAML tokens). This resulted in the following package changes:<br clear="none"><ul><li>The package name of the ClaimsAuthorizingInterceptor has changed: from org.apache.cxf.rt.security.saml.i
 nterceptor.ClaimsAuthorizingInterceptor to org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor.</li><li>The package name of the ClaimsAuthorizingFilter&#160; has changed: from org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter to org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter</li></ul></li></ul><h3 id="id-3.3MigrationGuide-NewFeatures:">New Features:</h3><h3 id="id-3.3MigrationGuide-Majordependencychanges:">Major dependency changes:</h3></div>
            </div>
            <!-- Content -->
          </td>

Modified: websites/production/cxf/content/docs/jax-rs-saml.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-saml.html (original)
+++ websites/production/cxf/content/docs/jax-rs-saml.html Thu Sep 13 10:58:01 2018
@@ -121,11 +121,11 @@ Apache CXF -- JAX-RS SAML
 
 
 <br clear="none"></p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1536760574759 {padding: 0px;}
-div.rbtoc1536760574759 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1536760574759 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1536836242269 {padding: 0px;}
+div.rbtoc1536836242269 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1536836242269 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1536760574759">
+/*]]>*/</style></p><div class="toc-macro rbtoc1536836242269">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSSAML-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSSAML-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration note</a></li><li><a shape="rect" href="#JAX-RSSAML-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in Authorization header</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsasFormvalues">SAML assertions as Form values</a></li><li><a shape="rect" href="#JAX-RSSAML-CreatingSAMLAssertions">Creating SAML Assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAuthorization">SAML Authorization</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSSAML-ClaimsBasedAccessControl">Claims Based Access Control</a></li><li><a shape="rect" href="#JAX-RSSAML-RoleBasedAccessControl">Role Based Access Control</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSSAML-SAMLWebSSOProfile">SAML Web SSO Profile</a></li></ul>
@@ -489,7 +489,7 @@ public class SecureClaimBookStore {
        &lt;/jaxrs:providers&gt;
 &lt;/jaxrs:server&gt;
 </pre>
-</div></div><p>An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor. SamlEnvelopedInHandler processes and validates SAML assertions and it also relies on a simple <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java" rel="nofollow">CustomSecurityContextProvider</a> to help it to figure out what the actual Subject name is. A more involved implementation can do some additional validation as well as override few more super class methods, more on it next. The claims themselves have already been parsed and will be made available to a resulting SecurityContext which ClaimsAuthorizingFilter will rely upon.</p><h2 id="JAX-RSSAML-RoleBasedAccessControl">Role Based Access Control</h2><p>If you have an existing RBAC system 
 (based on javax.annotation.security.RolesAllowed or even org.springframework.security.annotation.Secured annotations) in place and have SAML assertions with claims that are known to represent roles, then making those claims work with the RBAC system can be achieved easily.</p><p>For example, given this code:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter (note org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter from CXF 3.3.0) is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor. SamlEnvelopedInHandler processes and validates SAML assertions and it also relies on a simple <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java" rel="nofollow">CustomSecurityContextProvider</a> to help it to figure out what the actual Subject name is. A more involved implementation can do some additional validation as well as override few more super class methods, more on it next. The claims themselves have already been parsed and will be made available to a resulting SecurityContext which ClaimsAuthorizingFilter will rely upon.</p><h2 id="JAX-RSSAML-RoleBasedAcce
 ssControl">Role Based Access Control</h2><p>If you have an existing RBAC system (based on javax.annotation.security.RolesAllowed or even org.springframework.security.annotation.Secured annotations) in place and have SAML assertions with claims that are known to represent roles, then making those claims work with the RBAC system can be achieved easily.</p><p>For example, given this code:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default">import org.springframework.security.annotation.Secured;
 
 @Path("/bookstore")