You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by dk...@apache.org on 2013/06/24 19:10:57 UTC
svn commit: r867253 [25/46] - in /websites/production/cxf/content: ./
2008/04/28/ 2008/06/20/ 2009/02/10/ 2009/08/04/ cache/ docs/
docs/cxf-architecture.thumbs/ docs/cxf-dependency-graphs.thumbs/
docs/logbrowser-configuration.thumbs/ docs/logbrowser-so...
Modified: websites/production/cxf/content/docs/jax-rs-saml.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-saml.html (original)
+++ websites/production/cxf/content/docs/jax-rs-saml.html Mon Jun 24 17:10:51 2013
@@ -25,6 +25,18 @@
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
<meta name="description" content="Apache CXF, Services Framework - JAX-RS SAML">
+
+ <link href='http://cxf.apache.org/resources/highlighter/styles/shCore.css' rel='stylesheet' type='text/css' />
+ <link href='http://cxf.apache.org/resources/highlighter/styles/shThemeCXF.css' rel='stylesheet' type='text/css' />
+ <script src='http://cxf.apache.org/resources/highlighter/scripts/shCore.js' type='text/javascript'></script>
+ <script src='http://cxf.apache.org/resources/highlighter/scripts/shBrushJava.js' type='text/javascript'></script>
+ <script src='http://cxf.apache.org/resources/highlighter/scripts/shBrushXml.js' type='text/javascript'></script>
+
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
+
<title>
Apache CXF -- JAX-RS SAML
</title>
@@ -42,19 +54,15 @@ Apache CXF -- JAX-RS SAML
<td id="cell-1-0"> </td>
<td id="cell-1-1"> </td>
<td id="cell-1-2">
- <div style="padding: 5px;">
- <div id="banner">
- <!-- Banner -->
-<div id="banner-content">
+ <!-- Banner -->
+<div class="banner" id="banner"><p>
<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
</td><td align="right" colspan="1" nowrap>
<a shape="rect" href="http://www.apache.org/" title="The Apache Sofware Foundation"><img border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
</td></tr></table>
-</div>
- <!-- Banner -->
- </div>
- </div>
+</p></div>
+ <!-- Banner -->
<div id="top-menu">
<table border="0" cellpadding="1" cellspacing="0" width="100%">
<tr>
@@ -94,7 +102,7 @@ Apache CXF -- JAX-RS SAML
<hr>
-<ul class="alternate" type="square"><li>Search
+<ul class="alternate" type="square"><li>Search<br clear="none">
<form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
<div>
@@ -136,13 +144,13 @@ Apache CXF -- JAX-RS SAML
<h1><a shape="rect" name="JAX-RSSAML-Mavendependencies"></a>Maven dependencies</h1>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag"><dependency></span>
- <span class="code-tag"><groupId></span>org.apache.cxf<span class="code-tag"></groupId></span>
- <span class="code-tag"><artifactId></span>cxf-rt-rs-security-xml<span class="code-tag"></artifactId></span>
- <span class="code-tag"><version></span>2.5.0<span class="code-tag"></version></span>
-<span class="code-tag"></dependency></span>
-</pre>
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+<dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-rs-security-xml</artifactId>
+ <version>2.5.0</version>
+</dependency>
+]]></script>
</div></div>
<p>This module depends on CXF WS-Security and Apache WSS4J modules, due to them containing a lot of useful utility code.<br clear="none">
@@ -153,73 +161,73 @@ We will see in time if it will make sens
<p>Payload:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag"><env:Envelope <span class="code-keyword">xmlns:env</span>=<span class="code-quote">"http://org.apache.cxf/rs/env"</span>></span>
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+<env:Envelope xmlns:env="http://org.apache.cxf/rs/env">
-<span class="code-tag"><Book ID=<span class="code-quote">"67ca6441-0c4e-4430-af0e-9463ce9226aa"</span>></span>
- <span class="code-tag"><id></span>125<span class="code-tag"></id></span>
- <span class="code-tag"><name></span>CXF<span class="code-tag"></name></span>
-<span class="code-tag"></Book></span>
-<span class="code-tag"><ds:Signature <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>></span>
- <span class="code-tag"><span class="code-comment"><!-- Book signature, omitted for brewity --></span></span>
-<span class="code-tag"></ds:Signature></span>
-
-<span class="code-tag"><span class="code-comment"><!-- SAML assertion with an enveloped signature --></span></span>
-<span class="code-tag"><saml2:Assertion <span class="code-keyword">xmlns:saml2</span>=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:assertion"</span> <span class="code-keyword">xmlns:xs</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema"</span> <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> ID=<span class="code-quote">"_62D574706635C0B9F413203247720501"</span> IssueInstant=<span class="code-quote">"2011-11-03T12:52:52.050Z"</span> Version=<span class="code-quote">"2.0"</span> xsi:type=<span class="code-quote">"saml2:AssertionType"</span>></span>
-
-<span class="code-tag"><saml2:Issuer></span>https://idp.example.org/SAML2<span class="code-tag"></saml2:Issuer></span>
-
-<span class="code-tag"><ds:Signature <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>></span>
- <span class="code-tag"><ds:SignedInfo></span>
- <span class="code-tag"><ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/></span>
- <span class="code-tag"><ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/></span>
- <span class="code-tag"><ds:Reference URI=<span class="code-quote">"#_62D574706635C0B9F413203247720501"</span>></span>
- <span class="code-tag"><ds:Transforms></span>
- <span class="code-tag"><ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</span>/></span>
- <span class="code-tag"><ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>></span>
- <span class="code-tag"><ec:InclusiveNamespaces <span class="code-keyword">xmlns:ec</span>=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span> PrefixList=<span class="code-quote">"xs"</span>/></span>
- <span class="code-tag"></ds:Transform></span>
- <span class="code-tag"></ds:Transforms></span>
- <span class="code-tag"><ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/></span>
- <span class="code-tag"><ds:DigestValue></span>IDD9nFocVm/7FpUbiGI3ZvpY2ps=<span class="code-tag"></ds:DigestValue></span>
- <span class="code-tag"></ds:Reference></span>
- <span class="code-tag"></ds:SignedInfo></span>
- <span class="code-tag"><ds:SignatureValue></span>JA2I7u/SmNsXGgWNdrLSovkipiM3JmGHsmpoP0EeIOwPwnLMx0WvV0C3xNGNiT1jOBe2uv8+WchtPoppGTC2JTJVX/t8PmKQCYZo4kVJo6Nmsjbn5kp7ejWuOYynvrUheQeTLU8e5CQmuS6L4VYaMVV2ETtb0VvpKjoQKHOC+co=<span class="code-tag"></ds:SignatureValue></span>
- <span class="code-tag"><ds:KeyInfo></span>
- <span class="code-tag"><ds:X509Data></span>
- <span class="code-tag"><ds:X509Certificate></span><span class="code-tag"><span class="code-comment"><!-- Omitted for brewity --></span></span> <span class="code-tag"></ds:X509Certificate></span>
- <span class="code-tag"></ds:X509Data></span>
- <span class="code-tag"></ds:KeyInfo></span>
- <span class="code-tag"></ds:Signature></span>
-
- <span class="code-tag"><saml2:Subject></span>
- <span class="code-tag"><saml2:NameID Format=<span class="code-quote">"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"</span> NameQualifier=<span class="code-quote">"www.mock-sts.com"</span>></span>uid=sts-client,o=mock-sts.com<span class="code-tag"></saml2:NameID></span>
- <span class="code-tag"><saml2:SubjectConfirmation Method=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"</span>/></span>
- <span class="code-tag"></saml2:Subject></span>
-
- <span class="code-tag"><saml2:Conditions NotBefore=<span class="code-quote">"2011-11-03T12:52:52.063Z"</span> NotOnOrAfter=<span class="code-quote">"2011-11-03T12:52:52.063Z"</span>></span>
- <span class="code-tag"><saml2:AudienceRestriction></span>
- <span class="code-tag"><saml2:Audience></span>https://sp.example.com/SAML2<span class="code-tag"></saml2:Audience></span>
- <span class="code-tag"></saml2:AudienceRestriction></span>
- <span class="code-tag"></saml2:Conditions></span>
- <span class="code-tag"><saml2:AuthnStatement AuthnInstant=<span class="code-quote">"2011-11-03T12:52:51.981Z"</span> SessionIndex=<span class="code-quote">"123456"</span>></span>
- <span class="code-tag"><saml2:AuthnContext></span><span class="code-tag"><saml2:AuthnContextClassRef/></span><span class="code-tag"></saml2:AuthnContext></span>
- <span class="code-tag"></saml2:AuthnStatement></span>
-
- <span class="code-tag"><saml2:AttributeStatement></span>
- <saml2:Attribute FriendlyName=<span class="code-quote">"subject-role"</span>
- Name=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"</span>
- NameFormat=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims"</span>>
- <span class="code-tag"><saml2:AttributeValue xsi:type=<span class="code-quote">"xs:string"</span>></span>user<span class="code-tag"></saml2:AttributeValue></span>
- <span class="code-tag"></saml2:Attribute></span>
- <saml2:Attribute Name=<span class="code-quote">"http://claims/authentication"</span>
- NameFormat=<span class="code-quote">"http://claims/authentication-format"</span>>
- <span class="code-tag"><saml2:AttributeValue xsi:type=<span class="code-quote">"xs:string"</span>></span>password<span class="code-tag"></saml2:AttributeValue></span>
- <span class="code-tag"></saml2:Attribute></span>
- <span class="code-tag"></saml2:AttributeStatement></span>
-<span class="code-tag"></saml2:Assertion></span>
-<span class="code-tag"></env:Envelope></span>
-</pre>
+<Book ID="67ca6441-0c4e-4430-af0e-9463ce9226aa">
+ <id>125</id>
+ <name>CXF</name>
+</Book>
+<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <!-- Book signature, omitted for brewity -->
+</ds:Signature>
+
+<!-- SAML assertion with an enveloped signature -->
+<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_62D574706635C0B9F413203247720501" IssueInstant="2011-11-03T12:52:52.050Z" Version="2.0" xsi:type="saml2:AssertionType">
+
+<saml2:Issuer>https://idp.example.org/SAML2</saml2:Issuer>
+
+<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+ <ds:Reference URI="#_62D574706635C0B9F413203247720501">
+ <ds:Transforms>
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+ <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+ </ds:Transform>
+ </ds:Transforms>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <ds:DigestValue>IDD9nFocVm/7FpUbiGI3ZvpY2ps=</ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>JA2I7u/SmNsXGgWNdrLSovkipiM3JmGHsmpoP0EeIOwPwnLMx0WvV0C3xNGNiT1jOBe2uv8+WchtPoppGTC2JTJVX/t8PmKQCYZo4kVJo6Nmsjbn5kp7ejWuOYynvrUheQeTLU8e5CQmuS6L4VYaMVV2ETtb0VvpKjoQKHOC+co=</ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate><!-- Omitted for brewity --> </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+
+ <saml2:Subject>
+ <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.mock-sts.com">uid=sts-client,o=mock-sts.com</saml2:NameID>
+ <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
+ </saml2:Subject>
+
+ <saml2:Conditions NotBefore="2011-11-03T12:52:52.063Z" NotOnOrAfter="2011-11-03T12:52:52.063Z">
+ <saml2:AudienceRestriction>
+ <saml2:Audience>https://sp.example.com/SAML2</saml2:Audience>
+ </saml2:AudienceRestriction>
+ </saml2:Conditions>
+ <saml2:AuthnStatement AuthnInstant="2011-11-03T12:52:51.981Z" SessionIndex="123456">
+ <saml2:AuthnContext><saml2:AuthnContextClassRef/></saml2:AuthnContext>
+ </saml2:AuthnStatement>
+
+ <saml2:AttributeStatement>
+ <saml2:Attribute FriendlyName="subject-role"
+ Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
+ <saml2:AttributeValue xsi:type="xs:string">user</saml2:AttributeValue>
+ </saml2:Attribute>
+ <saml2:Attribute Name="http://claims/authentication"
+ NameFormat="http://claims/authentication-format">
+ <saml2:AttributeValue xsi:type="xs:string">password</saml2:AttributeValue>
+ </saml2:Attribute>
+ </saml2:AttributeStatement>
+</saml2:Assertion>
+</env:Envelope>
+]]></script>
</div></div>
<p>Note that Book and SAML assertion are individually signed but the envelope wrapper itself is not.</p>
@@ -228,102 +236,102 @@ We will see in time if it will make sens
<p>Here is another payload showing the whole enveloped signed including Book and SAML Assertion, this time only a single signature will be available:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag"><env:Envelope <span class="code-keyword">xmlns:env</span>=<span class="code-quote">"http://org.apache.cxf/rs/env"</span> ID=<span class="code-quote">"e795cdd1-c19d-4a5c-8d86-e8a781af4787"</span>></span>
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+<env:Envelope xmlns:env="http://org.apache.cxf/rs/env" ID="e795cdd1-c19d-4a5c-8d86-e8a781af4787">
-<span class="code-tag"><saml2:Assertion <span class="code-keyword">xmlns:saml2</span>=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:assertion"</span> <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> ID=<span class="code-quote">"_C76E3D5BBEE4C4D87913203281641141"</span> IssueInstant=<span class="code-quote">"2011-11-03T13:49:24.114Z"</span> Version=<span class="code-quote">"2.0"</span> xsi:type=<span class="code-quote">"saml2:AssertionType"</span>></span>
-<span class="code-tag"><saml2:Issuer></span>https://idp.example.org/SAML2<span class="code-tag"></saml2:Issuer></span>
-<span class="code-tag"><saml2:Subject></span>
-<span class="code-tag"><saml2:NameID Format=<span class="code-quote">"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"</span> NameQualifier=<span class="code-quote">"www.mock-sts.com"</span>></span>uid=sts-client,o=mock-sts.com<span class="code-tag"></saml2:NameID></span>
-<span class="code-tag"><saml2:SubjectConfirmation Method=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"</span>/></span>
-<span class="code-tag"></saml2:Subject></span>
-<span class="code-tag"><saml2:Conditions NotBefore=<span class="code-quote">"2011-11-03T13:49:24.127Z"</span> NotOnOrAfter=<span class="code-quote">"2011-11-03T13:49:24.127Z"</span>></span>
-<span class="code-tag"><saml2:AudienceRestriction></span>
-<span class="code-tag"><saml2:Audience></span>https://sp.example.com/SAML2<span class="code-tag"></saml2:Audience></span>
-<span class="code-tag"></saml2:AudienceRestriction></span>
-<span class="code-tag"></saml2:Conditions></span>
-<span class="code-tag"><saml2:AuthnStatement AuthnInstant=<span class="code-quote">"2011-11-03T13:49:24.044Z"</span> SessionIndex=<span class="code-quote">"123456"</span>></span>
-<span class="code-tag"><saml2:AuthnContext></span>
-<span class="code-tag"><saml2:AuthnContextClassRef/></span>
-<span class="code-tag"></saml2:AuthnContext></span>
-<span class="code-tag"></saml2:AuthnStatement></span>
-<span class="code-tag"><saml2:AttributeStatement></span>
-<span class="code-tag"><saml2:Attribute FriendlyName=<span class="code-quote">"subject-role"</span> Name=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"</span> NameFormat=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims"</span>></span>
-<span class="code-tag"><saml2:AttributeValue <span class="code-keyword">xmlns:xs</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema"</span> xsi:type=<span class="code-quote">"xs:string"</span>></span>user<span class="code-tag"></saml2:AttributeValue></span>
-<span class="code-tag"></saml2:Attribute></span>
-<span class="code-tag"><saml2:Attribute Name=<span class="code-quote">"http://claims/authentication"</span> NameFormat=<span class="code-quote">"http://claims/authentication-format"</span>></span>
-<span class="code-tag"><saml2:AttributeValue <span class="code-keyword">xmlns:xs</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema"</span> xsi:type=<span class="code-quote">"xs:string"</span>></span>password<span class="code-tag"></saml2:AttributeValue></span>
-<span class="code-tag"></saml2:Attribute></span>
-<span class="code-tag"></saml2:AttributeStatement></span>
-<span class="code-tag"></saml2:Assertion></span>
-
-<span class="code-tag"><Book></span>
-<span class="code-tag"><id></span>125<span class="code-tag"></id></span>
-<span class="code-tag"><name></span>CXF<span class="code-tag"></name></span>
-<span class="code-tag"></Book></span>
+<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_C76E3D5BBEE4C4D87913203281641141" IssueInstant="2011-11-03T13:49:24.114Z" Version="2.0" xsi:type="saml2:AssertionType">
+<saml2:Issuer>https://idp.example.org/SAML2</saml2:Issuer>
+<saml2:Subject>
+<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.mock-sts.com">uid=sts-client,o=mock-sts.com</saml2:NameID>
+<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
+</saml2:Subject>
+<saml2:Conditions NotBefore="2011-11-03T13:49:24.127Z" NotOnOrAfter="2011-11-03T13:49:24.127Z">
+<saml2:AudienceRestriction>
+<saml2:Audience>https://sp.example.com/SAML2</saml2:Audience>
+</saml2:AudienceRestriction>
+</saml2:Conditions>
+<saml2:AuthnStatement AuthnInstant="2011-11-03T13:49:24.044Z" SessionIndex="123456">
+<saml2:AuthnContext>
+<saml2:AuthnContextClassRef/>
+</saml2:AuthnContext>
+</saml2:AuthnStatement>
+<saml2:AttributeStatement>
+<saml2:Attribute FriendlyName="subject-role" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
+<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">user</saml2:AttributeValue>
+</saml2:Attribute>
+<saml2:Attribute Name="http://claims/authentication" NameFormat="http://claims/authentication-format">
+<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">password</saml2:AttributeValue>
+</saml2:Attribute>
+</saml2:AttributeStatement>
+</saml2:Assertion>
+
+<Book>
+<id>125</id>
+<name>CXF</name>
+</Book>
-<span class="code-tag"><ds:Signature <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>></span><span class="code-tag"><ds:SignedInfo></span><span class="code-tag"><ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/></span><span class="code-tag"><ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/></span><span class="code-tag"><ds:Reference URI=<span class="code-quote">"#e795cdd1-c19d-4a5c-8d86-e8a781af4787"</span>></span><span class="code-tag"><ds:Transforms></span><span class="code-tag"><ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</span>/></span><span class="code-tag"><ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/></span><span class="co
de-tag"></ds:Transforms></span><span class="code-tag"><ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/></span><span class="code-tag"><ds:DigestValue></span>GR1pHd2JpxYiCzl6ouCmTZjq/AA=<span class="code-tag"></ds:DigestValue></span><span class="code-tag"></ds:Reference></span><span class="code-tag"></ds:SignedInfo></span><span class="code-tag"><ds:SignatureValue></span>C2qUDOFwart2GHFjX6kB3E3z73AMXtRR/6Qjgyp6XP/vTn/Fr2epDNub3q+gNdT0KgjLE2rSynM3QTcpHov9C8l9a8VQquItaalr0XA7BJcxdFMxB7KEATKR9XtrmIEkiw9efM8M83iVux/ufCOWrt0Te2RLz+nRwzyEY49VQOQ=<span class="code-tag"></ds:SignatureValue></span><span class="code-tag"><ds:KeyInfo></span><span class="code-tag"><ds:X509Data></span><span class="code-tag"><ds:X509Certificate></span><span class="code-tag"><span class="code-comment"><!-- Omitted for brewity --></span></span><span class="code-tag"></ds:X509Certificat
e></span><span class="code-tag"></ds:X509Data></span><span class="code-tag"><ds:KeyValue></span><span class="code-tag"><ds:RSAKeyValue></span><span class="code-tag"><ds:Modulus></span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span class="code-tag"></ds:Modulus></span><span class="code-tag"><ds:Exponent></span>AQAB<span class="code-tag"></ds:Exponent></span><span class="code-tag"></ds:RSAKeyValue></span><span class="code-tag"></ds:KeyValue></span><span class="code-tag"></ds:KeyInfo></span><span class="code-tag"></ds:Signature></span><span class="code-tag"></env:Envelope></span>
-</pre>
+<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#e795cdd1-c19d-4a5c-8d86-e8a781af4787"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>GR1pHd2JpxYiCzl6ouCmTZjq/AA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>C2qUDOFwart2GHFjX6kB3E3z73AMXtRR/6Qjgyp6XP/vTn/Fr2epDNub3q+gNdT0KgjLE2rSynM3QTcpHov9C8l9a8VQquItaalr0XA7BJcxdFMxB7KEATKR9XtrmIEkiw9efM8M83iVux/ufCOWrt0Te2RLz+nRwzyEY49VQOQ=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X
509Certificate><!-- Omitted for brewity --></ds:X509Certificate></ds:X509Data><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature></env:Envelope>
+]]></script>
</div></div>
<p>Server configuration fragment:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
- <span class="code-tag"><bean id=<span class="code-quote">"serviceBean"</span> class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/></span>
- <span class="code-tag"><bean id=<span class="code-quote">"samlHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"</span>/></span>
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+ <bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
+ <bean id="samlHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"/>
- <span class="code-tag"><span class="code-comment"><!-- only needed if the detached signature signing the application data is expected --></span></span>
- <span class="code-tag"><bean id=<span class="code-quote">"xmlSigHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/></span>
+ <!-- only needed if the detached signature signing the application data is expected -->
+ <bean id="xmlSigHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/>
<jaxrs:server
- address=<span class="code-quote">"https://localhost:${testutil.ports.jaxrs-saml}/samlxml"</span>>
- <span class="code-tag"><jaxrs:serviceBeans></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"serviceBean"</span>/></span>
- <span class="code-tag"></jaxrs:serviceBeans></span>
- <span class="code-tag"><jaxrs:providers></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"xmlSigHandler"</span>/></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"samlHandler"</span>/></span>
- <span class="code-tag"></jaxrs:providers></span>
+ address="https://localhost:${testutil.ports.jaxrs-saml}/samlxml">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="xmlSigHandler"/>
+ <ref bean="samlHandler"/>
+ </jaxrs:providers>
- <span class="code-tag"><jaxrs:properties></span>
- <entry key=<span class="code-quote">"ws-security.signature.properties"</span>
- value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/>
- <span class="code-tag"></jaxrs:properties></span>
+ <jaxrs:properties>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
+ </jaxrs:properties>
- <span class="code-tag"></jaxrs:server></span>
-</pre>
+ </jaxrs:server>
+]]></script>
</div></div>
<p>Client code:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-<span class="code-keyword">private</span> WebClient createWebClient(<span class="code-object">String</span> address,
- <span class="code-object">boolean</span> selfSigned) {
- JAXRSClientFactoryBean bean = <span class="code-keyword">new</span> JAXRSClientFactoryBean();
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+private WebClient createWebClient(String address,
+ boolean selfSigned) {
+ JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);
- Map<<span class="code-object">String</span>, <span class="code-object">Object</span>> properties = <span class="code-keyword">new</span> HashMap<<span class="code-object">String</span>, <span class="code-object">Object</span>>();
- properties.put(<span class="code-quote">"ws-security.callback-handler"</span>,
- <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
- properties.put(<span class="code-quote">"ws-security.saml-callback-handler"</span>,
- <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler"</span>);
- properties.put(<span class="code-quote">"ws-security.signature.username"</span>, <span class="code-quote">"alice"</span>);
- properties.put(<span class="code-quote">"ws-security.signature.properties"</span>,
- <span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>);
- <span class="code-keyword">if</span> (selfSigned) {
- properties.put(<span class="code-quote">"ws-security.self-sign-saml-assertion"</span>, <span class="code-quote">"<span class="code-keyword">true</span>"</span>);
+ Map<String, Object> properties = new HashMap<String, Object>();
+ properties.put("ws-security.callback-handler",
+ "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
+ properties.put("ws-security.saml-callback-handler",
+ "org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler");
+ properties.put("ws-security.signature.username", "alice");
+ properties.put("ws-security.signature.properties",
+ "org/apache/cxf/systest/jaxrs/security/alice.properties");
+ if (selfSigned) {
+ properties.put("ws-security.self-sign-saml-assertion", "true");
}
bean.setProperties(properties);
- bean.getOutInterceptors().add(<span class="code-keyword">new</span> SamlEnvelopedOutInterceptor(!selfSigned));
- XmlSigOutInterceptor xmlSig = <span class="code-keyword">new</span> XmlSigOutInterceptor();
- <span class="code-keyword">if</span> (selfSigned) {
+ bean.getOutInterceptors().add(new SamlEnvelopedOutInterceptor(!selfSigned));
+ XmlSigOutInterceptor xmlSig = new XmlSigOutInterceptor();
+ if (selfSigned) {
xmlSig.setStyle(XmlSigOutInterceptor.DETACHED_SIG);
}
- <span class="code-keyword">return</span> bean.createWebClient();
+ return bean.createWebClient();
}
-</pre>
+]]></script>
</div></div>
<p>In the above code, the "ws-security.self-sign-saml-assertion" property, if set to true, will require SamlEnvelopedOutInterceptor to get a SAML assertion self-signed, by adding an enveloped signature to it. When we also need to sign the application payload such as Book we need to make sure that a detached XML signature for Book is created. When the whole envelope is signed then SamlEnvelopedOutInterceptor needs to be placed before XmlSigOutInterceptor hence the "new SamlEnvelopedOutInterceptor(!selfSigned)" constructor is invoked.</p>
@@ -333,11 +341,11 @@ We will see in time if it will make sens
<p>Logging output:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-Address: https:<span class="code-comment">//localhost:9000/samlheader/bookstore/books/123
-</span>Http-Method: GET
-Headers: {Accept=[application/xml], Authorization=[SAML eJydV1mTokgQfu9fYTCPrs2htGKMHVEcKq2gKOLxsoFQAsqhFAjNr99CW1ud7t2ZjdAwMisr68s7/YnMwGfaACEYJ14UVmSxQ/z9wjUlBrRYiWZZiWVYlqPrDFVnmhTbwL80UZERSqEcosQMkw7BUDRdwx+qrtP1dp1qs41nLLciKgaMEVaLRZ4popIHfojapyc7RBqH7chEHmqHZgBRO7HaU6AM21iybV7wXO7kqEO4SbJvk2SWZc9Z/TmKHZKhKJpcKMOp5cLA/JT1/lu45p3AWxDfQl47ed/DDvHgDB0zidefZ+7J4vi11IuwYs/eP8PcDPY+PGkvoTM/yTvZnzZqTz0nNJM0hh/g7O8MoUiKI7GMjTznB3G9C2053EQnUjDDKPQs0/cKs4SnwMSN7ArwnSj2Ejf41miaKhXXYG7VLLoR/iDIe2i/qegOYYzMGnJN+kPXBG5gDLE7K7OJ3CF+/HcKna7psRmiTRQH6J78MywwPEI/2kO7hi4mfcD6fYVfeOn1J7Tacmj5KfKOUC2TdG9aEFXGMdx4+dBDOPVzdEk7aP1RAMhbeA/k2Rui50CU/J/g3ATmrMQw/RS+Lod0s8c74oavDxsCSoueGs8H4zUQlp0TgFvhE+Ma1jP5kJDXBDrfABTXCxR7+UJ5clXM0XjN8LG9MQxG57bTMfB9rUkaXUNKJgsRzKl+f8R2q0qr/sLB+Ub3oGEPhrIMJTegkBOM+0E4nbCLjVXYXO6MHXYhDLMWtGjKtRtNGtirfrioTvXhhnM2zalRXdXDlVVPg2Oe0Sp4Ge/eWgdRiXQwOiZWtZEfjtSwm1aH46xzNecGf2nSAL5fzVuwFCeaiXklhLItbHAFJvBVkWWhtxUEsBw5IJN54MjS1Jg4QAcq7+wO7s7rcRnFA23WBSIolImSSdpSNDRtIGV71
+p1t2Zvlq7rb+GTomWZ4JwOh1Km+uvAysUtUHhHNXig6PxcbawC1VX4xkLUrUwRpUzRAf7F326EeUoD8/KRDoonRdcylY4ypZB0hZd6gJ5JgqsMlgveXTKuPwy491UhKQqIzme5Iq7mbKhojUwEJxBYveGue/72aaULfFg8miR1ARjxWw1kznKHgUvgmDYbOLhTV2uxG/pF7E2thpy73NjY95z0XTrEAnoatA7coj9aLjifIx02k4SXlTVhutlGRZHZtwbqeGuzaKoXRsLPA2274aWNfMj0SfOYeu4of1f1TCqMTH4rno5Rc98izWW+qxo2n2j5oTHLoGxtSK+7m60V2lrRkbeYaIXlTXivKtC8JmgSdSiQADIJAFNpKuIuk3FQnowJNeX5KOvJ8lzfcbMFtRrPfE6b7TjJmKmz6YwbLWhDn+hgVgalP5EkUQdDx/HRmlGxr9yjVdcyUVu+PQ2ilYxJtfQTrwGx9I87zHZBtbVHg6ThhGtv1ysMSnf203nPmufzAQZYtBKZCV/cLmCP9Nbo981Gj3ty64gKc43RYVbACblrOoFjMEhutOqqEy/7gR4MB6bIzwuT2YN0lYqu1m/1gOS+mbtuMuDH1aokcLGq7ldP4eHQz/P6Yc0kc4Y9TBK+EIMBx9COw42VKFCsZnqYaOfqeMz4K/NcE+RttdxV02ViTtP1FlrJhSwbqCxWuri/mcn3459+pk8cz65tTqLtNER7aGEY0CYqpRYtxTMQk3GHKJtgEFm7GkrQsxUFxGvq2R1M1Czfg2HyV9S5Pb4M6DOWB6BCFG688sVyDzq33X/fUqygjWBow7h2jFK8VaBTX<span class="code-comment">//SeKzb9krFqKJGCQ+xafCbvYl+wXsTFhqFoxhsktLKb+Uu6kFqe2WbnuD2HXtW+dDj0XVzQZ+LC/bI/eJyFX5k3CkmH236fCtxw2mCsyXAvq+cyH9dEvFOgI2
dQlQuiTJ2Zd4haKbeYF+IO534qQTmyVc8wcfLIp5T5A3m2xvkV9CuihJs1TpN4PcnlW6MPWD772XO4BXxHNdaHPnwnI3XgYxOiyV6xlMYt7P9aTJnqBzOLIk/no3Ve8k7afmmFyDyU8OlJP6XHuIXxKdpdrPV5njlxkehg4sDb7ZXj9zJv/7C/tUTd9Z+WGFiv5Z4LPO8rn9hz5eSH8X9R+j3ONJZFNu/b8Ej59cwY1CFiLtLmYCfmXvhdIgyKXENBh7ubfCmvq9/El7/AXoseyE=], ...}</span>
-</pre>
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+Address: https://localhost:9000/samlheader/bookstore/books/123
+Http-Method: GET
+Headers: {Accept=[application/xml], Authorization=[SAML eJydV1mTokgQfu9fYTCPrs2htGKMHVEcKq2gKOLxsoFQAsqhFAjNr99CW1ud7t2ZjdAwMisr68s7/YnMwGfaACEYJ14UVmSxQ/z9wjUlBrRYiWZZiWVYlqPrDFVnmhTbwL80UZERSqEcosQMkw7BUDRdwx+qrtP1dp1qs41nLLciKgaMEVaLRZ4popIHfojapyc7RBqH7chEHmqHZgBRO7HaU6AM21iybV7wXO7kqEO4SbJvk2SWZc9Z/TmKHZKhKJpcKMOp5cLA/JT1/lu45p3AWxDfQl47ed/DDvHgDB0zidefZ+7J4vi11IuwYs/eP8PcDPY+PGkvoTM/yTvZnzZqTz0nNJM0hh/g7O8MoUiKI7GMjTznB3G9C2053EQnUjDDKPQs0/cKs4SnwMSN7ArwnSj2Ejf41miaKhXXYG7VLLoR/iDIe2i/qegOYYzMGnJN+kPXBG5gDLE7K7OJ3CF+/HcKna7psRmiTRQH6J78MywwPEI/2kO7hi4mfcD6fYVfeOn1J7Tacmj5KfKOUC2TdG9aEFXGMdx4+dBDOPVzdEk7aP1RAMhbeA/k2Rui50CU/J/g3ATmrMQw/RS+Lod0s8c74oavDxsCSoueGs8H4zUQlp0TgFvhE+Ma1jP5kJDXBDrfABTXCxR7+UJ5clXM0XjN8LG9MQxG57bTMfB9rUkaXUNKJgsRzKl+f8R2q0qr/sLB+Ub3oGEPhrIMJTegkBOM+0E4nbCLjVXYXO6MHXYhDLMWtGjKtRtNGtirfrioTvXhhnM2zalRXdXDlVVPg2Oe0Sp4Ge/eWgdRiXQwOiZWtZEfjtSwm1aH46xzNecGf2nSAL5fzVuwFCeaiXklhLItbHAFJvBVkWWhtxUEsBw5IJN54MjS1Jg4QAcq7+wO7s7rcRnFA23WBSIolImSSdpSNDRtIGV71
+p1t2Zvlq7rb+GTomWZ4JwOh1Km+uvAysUtUHhHNXig6PxcbawC1VX4xkLUrUwRpUzRAf7F326EeUoD8/KRDoonRdcylY4ypZB0hZd6gJ5JgqsMlgveXTKuPwy491UhKQqIzme5Iq7mbKhojUwEJxBYveGue/72aaULfFg8miR1ARjxWw1kznKHgUvgmDYbOLhTV2uxG/pF7E2thpy73NjY95z0XTrEAnoatA7coj9aLjifIx02k4SXlTVhutlGRZHZtwbqeGuzaKoXRsLPA2274aWNfMj0SfOYeu4of1f1TCqMTH4rno5Rc98izWW+qxo2n2j5oTHLoGxtSK+7m60V2lrRkbeYaIXlTXivKtC8JmgSdSiQADIJAFNpKuIuk3FQnowJNeX5KOvJ8lzfcbMFtRrPfE6b7TjJmKmz6YwbLWhDn+hgVgalP5EkUQdDx/HRmlGxr9yjVdcyUVu+PQ2ilYxJtfQTrwGx9I87zHZBtbVHg6ThhGtv1ysMSnf203nPmufzAQZYtBKZCV/cLmCP9Nbo981Gj3ty64gKc43RYVbACblrOoFjMEhutOqqEy/7gR4MB6bIzwuT2YN0lYqu1m/1gOS+mbtuMuDH1aokcLGq7ldP4eHQz/P6Yc0kc4Y9TBK+EIMBx9COw42VKFCsZnqYaOfqeMz4K/NcE+RttdxV02ViTtP1FlrJhSwbqCxWuri/mcn3459+pk8cz65tTqLtNER7aGEY0CYqpRYtxTMQk3GHKJtgEFm7GkrQsxUFxGvq2R1M1Czfg2HyV9S5Pb4M6DOWB6BCFG688sVyDzq33X/fUqygjWBow7h2jFK8VaBTX//SeKzb9krFqKJGCQ+xafCbvYl+wXsTFhqFoxhsktLKb+Uu6kFqe2WbnuD2HXtW+dDj0XVzQZ+LC/bI/eJyFX5k3CkmH236fCtxw2mCsyXAvq+cyH9dEvFOgI2dQlQuiTJ2Zd4haKbeYF+IO534qQ
TmyVc8wcfLIp5T5A3m2xvkV9CuihJs1TpN4PcnlW6MPWD772XO4BXxHNdaHPnwnI3XgYxOiyV6xlMYt7P9aTJnqBzOLIk/no3Ve8k7afmmFyDyU8OlJP6XHuIXxKdpdrPV5njlxkehg4sDb7ZXj9zJv/7C/tUTd9Z+WGFiv5Z4LPO8rn9hz5eSH8X9R+j3ONJZFNu/b8Ej59cwY1CFiLtLmYCfmXvhdIgyKXENBh7ubfCmvq9/El7/AXoseyE=], ...}
+]]></script>
</div></div>
<p>Note that the Authorization header has an encoded SAML Assertion as its value. The original SAML assertion has been optionally compressed using a deflated encoding and then base64-encoded. This encoded value can be signed itself - but it is not currently possible.</p>
@@ -345,40 +353,40 @@ Headers: {Accept=[application/xml], Auth
<p>Server configuration is similar to the one from the Enveloped SAML Assertions section, the only difference is that a SAML handler needs to be replaced:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
- <span class="code-tag"><bean id=<span class="code-quote">"serviceBean"</span> class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/></span>
- <span class="code-tag"><bean id=<span class="code-quote">"samlHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.saml.SamlHeaderInHandler"</span>/></span>
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+ <bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
+ <bean id="samlHandler" class="org.apache.cxf.rs.security.saml.SamlHeaderInHandler"/>
- <span class="code-tag"><span class="code-comment"><!-- same as in the Enveloped SAML Assertions section --></span></span>
-</pre>
+ <!-- same as in the Enveloped SAML Assertions section -->
+]]></script>
</div></div>
<p>Client code:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-<span class="code-keyword">private</span> WebClient createWebClient(<span class="code-object">String</span> address,
- <span class="code-object">boolean</span> selfSigned) {
- JAXRSClientFactoryBean bean = <span class="code-keyword">new</span> JAXRSClientFactoryBean();
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+private WebClient createWebClient(String address,
+ boolean selfSigned) {
+ JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);
- Map<<span class="code-object">String</span>, <span class="code-object">Object</span>> properties = <span class="code-keyword">new</span> HashMap<<span class="code-object">String</span>, <span class="code-object">Object</span>>();
- properties.put(<span class="code-quote">"ws-security.callback-handler"</span>,
- <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
- properties.put(<span class="code-quote">"ws-security.saml-callback-handler"</span>,
- <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler"</span>);
- properties.put(<span class="code-quote">"ws-security.signature.username"</span>, <span class="code-quote">"alice"</span>);
- properties.put(<span class="code-quote">"ws-security.signature.properties"</span>,
- <span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>);
- <span class="code-keyword">if</span> (selfSigned) {
- properties.put(<span class="code-quote">"ws-security.self-sign-saml-assertion"</span>, <span class="code-quote">"<span class="code-keyword">true</span>"</span>);
+ Map<String, Object> properties = new HashMap<String, Object>();
+ properties.put("ws-security.callback-handler",
+ "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
+ properties.put("ws-security.saml-callback-handler",
+ "org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler");
+ properties.put("ws-security.signature.username", "alice");
+ properties.put("ws-security.signature.properties",
+ "org/apache/cxf/systest/jaxrs/security/alice.properties");
+ if (selfSigned) {
+ properties.put("ws-security.self-sign-saml-assertion", "true");
}
bean.setProperties(properties);
- bean.getOutInterceptors().add(<span class="code-keyword">new</span> SamlHeaderOutInterceptor());
+ bean.getOutInterceptors().add(new SamlHeaderOutInterceptor());
- <span class="code-keyword">return</span> bean.createWebClient();
+ return bean.createWebClient();
}
-</pre>
+]]></script>
</div></div>
@@ -387,14 +395,14 @@ Headers: {Accept=[application/xml], Auth
<p>Logging output:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-Address: https:<span class="code-comment">//localhost:9000/samlform/bookstore/books
-</span>Encoding: ISO-8859-1
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+Address: https://localhost:9000/samlform/bookstore/books
+Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/x-www-form-urlencoded
Headers: {Accept=[application/xml], Cache-Control=[no-cache], connection=[keep-alive], Content-Length=[2206], content-type=[application/x-www-form-urlencoded], Host=[localhost:9000], Pragma=[no-cache], User-Agent=[Apache CXF ${project.version}]}
Payload: name=CXF&id=125&SAMLToken=eJydV1tzqkgQfs+vsDiPWcNFjWIdUzUIGqJgQMTLyxYOI6BclAFBfv0OGo16kt1ztkrL6p6eb77u6e5pf2Ir8Lk2wBjFiReFFVnsUH8zYqPFAAkwbOsZSK2eKLI1jqlxTY5p8PVnlqrIGKdIDnFihUmH4hiWrZIPUzPYWrtWa3ONJ2K3oComijGBJSZPDFXJAz/E7eORHSqNw3ZkYQ+3QytAuJ3A9hgowzaxbFtnPuc9Oe5QbpJs2zSdZdlTVnuKYofmGIalZ8pwDF0UWJ+23n8bV70jeYjILuy1k8MWdai7YBhESb38PGmPHscvJS4mwJ69fUK5FWx9dEQvqXM/6RvbnzZujz0ntJI0Rh/k7O8cYWiGp4mNjT3nB3XZi2w5XEVHsWuFUehBy/cKq6SnoMSN7ArwnSj2Ejf41mmWKYGrKIdVyNbDHxR9S+03gW4YxtiqYtdiP7B0tEIxIuGsTHS5Q/347xQ6bjNiK8SrKA7wrfhnXFC4R360RXYVn136oPX7gF9E6eUngm05hH6KvT1SyyTdWhDhynuMVl4+9DBJ/Ryf0w7BP7oA+prenXiKhug5CCf/53KuLuYEYlp+il5qDTNiWU3Hz3qxkBCzn0aanw8K7TDvHAlcGx8Vl2s9iXcJeUmg046Q1/bNx0AVHltzNp3pb/KwtizS/nZmHNYYvG6A5G44Bj4bw4msaTYCi93Q5NfL1cBgoBvCw9DbS0GPm43UQnzfJW9JfzUs6nQ/nQh7zXb7EltbPTKPXvSeRSuvvu/LIHWEjTJqJfom5qCJn0W7lSxg34LSPlSMOmitOLyUDNc2PGWpw169tTb5rHNx54p/6dIAHS7uzRoML1qJdRG6ZVtYkQpM0Isiy93+utsF85EDMlkAjiyNTd0BBlAFZ7NzN16fzxgBaJMeEEGh6EomaXPR1LSBlG1d2O+trf4kXd
bewgdFy7Kuc1wcSpnqLwOYi2ugCI5qCkAxhKlaXwSqqwj1mWjATBGlTDEA+SXfXkR0Sp3o8pEBigfF0DKVjTKlkAxFkPqAnUhdVxnMZ4I751x/GPCHRSEpCohOa7kiLqaNUNHqmQiOJAi86S77/vphYXSFsLh3SeoBMBLWGsic+YYQl8A+bdabtDl2tVZjxT6L/TGsy7nLv5vbvpMepF3cxQ+D1o6fvY7mM97naaeRSd3nBdS5XrZScWS9woH6vrYbeGwUZiJMA229EqSVvMsMvblPPXeUH1Qjkwozk9+Kh33U3LZoa55vHk1bSLR8V59kSIYr2uttJkuFhQs28ma6VkBPF7zHLitoXU1idgXugkwCwFKairjJZHIpD6bOjAUhyvqyPDU2/GTGLN4nPq9NNrxkTtTJeMKPZqxp6AaYlJfyqkuSaICh4/h4yakkVu4e1rRM1OZvD4NoIRNRLeMkaEAs4+MOs03w2NriQVJ3wqW36RcmYzjb8bQPp/l0QAgWrUTmwme3Bxp7dm2+vlr1Pv/g1jAT5hpnoKxAOr1pOoFjcliut2qqE89fAyMYDixRmBYWtwXpIhVd7bXVJ6X2Zm16yUB4f3yUunysqtvFQ7jbveZ5bbfkkinX2OmJUIjBgOdYx+HflShQYDPd6dqpOu4z/qI81QR9XS031XR+Mcfpco1gchbLBiqLlR7pb1by/fPPPrFHjWdXV0fTdhriLYKEBrKpSomipeQNJGLcocomGERwU8UJfoJRQL2knt0hQhX6HgqTv6LO9fL5gT5xuSPajcKVV55YzkGntvvvUwoM2hiFNoqr+yglUwU+9vUvnSfYtlcC44oaJQIirqFv5qYGT+YmYjQKRzFYJaWX39qd4UFqe2Wb1kn7jj1YHnS/dJlc8OfgQiJyO7hcjO8VN8D0vU+fZyVuOE5ItgQk9pWj+K9DYqtZDoljhMshUSahzDsUy9XqjWfqBpMclaA8+UrX9cm
wSN4p+orz9Q76K2oXoIR4tUwT9P1KpReTCNj+ocwZMiKe7rUaRz46ZePlQcbHwRI/kVeYtLPt8WXOcPk4N2jy8WwC7yUHGvqWF2D6E+FcEv8Lh/qF8fE1u5pqczJyk6XQIcVBJttLRG7sX35R/xqJG28/vLBIXEs+0DqN61/486XlR3H/Efstueksiu3f9+Be8+s1E1KFSLpLmYCfmXvWdKgyKUkNBh7pbeiqvi9/El7+Adcbfqw=
-</pre>
+]]></script>
</div></div>
<p>Note that only form 'name' and 'id' fields will remain after the SAML handler processes a SAML assertion encoded in the SAMLToken form field. The original SAML assertion has been optionally compressed using a deflated encoding and then base64-encoded. This encoded value can be signed - but it is not currently possible.</p>
@@ -402,19 +410,19 @@ Payload: name=CXF&id=125&SAMLTok
<p>Server configuration is similar to the one from the Enveloped SAML Assertions section, the only difference is that a SAML handler needs to be replaced:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
- <span class="code-tag"><bean id=<span class="code-quote">"serviceBean"</span> class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/></span>
- <span class="code-tag"><bean id=<span class="code-quote">"samlHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.saml.SamlFormInHandler"</span>/></span>
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+ <bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
+ <bean id="samlHandler" class="org.apache.cxf.rs.security.saml.SamlFormInHandler"/>
- <span class="code-tag"><span class="code-comment"><!-- same as in the Enveloped SAML Assertions section --></span></span>
-</pre>
+ <!-- same as in the Enveloped SAML Assertions section -->
+]]></script>
</div></div>
<p>The client code is the same as in the SAML assertions in Authorization header section except than an instance of SamlFormOutInterceptor has to be registered: </p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-bean.getOutInterceptors().add(<span class="code-keyword">new</span> SamlFormOutInterceptor());
-</pre>
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+bean.getOutInterceptors().add(new SamlFormOutInterceptor());
+]]></script>
</div></div>
<h1><a shape="rect" name="JAX-RSSAML-CreatingSAMLAssertions"></a>Creating SAML Assertions</h1>
@@ -441,23 +449,23 @@ Custom validators extending WSS4J SamlAs
<p>SAML assertions may contain so-called claims which are represented by a sequence of SAML AttributeStatements containing one or more Attributes, for example:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag"><saml2:Assertion></span>
- <span class="code-tag"><span class="code-comment"><!-- ... --></span></span>
- <span class="code-tag"><saml2:AttributeStatement></span>
- <saml2:Attribute NameFormat=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims"</span>
- Name=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"</span>
- FriendlyName=<span class="code-quote">"subject-role"</span>>
- <span class="code-tag"><saml2:AttributeValue <span class="code-keyword">xmlns:xs</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema"</span> xsi:type=<span class="code-quote">"xs:string"</span>></span>user<span class="code-tag"></saml2:AttributeValue></span>
- <span class="code-tag"></saml2:Attribute></span>
- <saml2:Attribute NameFormat=<span class="code-quote">"http://claims/authentication"</span>
- Name=<span class="code-quote">"http://claims/authentication-format"</span>>
- <span class="code-tag"><saml2:AttributeValue <span class="code-keyword">xmlns:xs</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema"</span> xsi:type=<span class="code-quote">"xs:string"</span>></span>password<span class="code-tag"></saml2:AttributeValue></span>
- <span class="code-tag"></saml2:Attribute></span>
- <span class="code-tag"></saml2:AttributeStatement></span>
- <span class="code-tag"><span class="code-comment"><!-- ... --></span></span>
-<span class="code-tag"></saml2:Assertion></span>
-</pre>
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+<saml2:Assertion>
+ <!-- ... -->
+ <saml2:AttributeStatement>
+ <saml2:Attribute NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
+ Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
+ FriendlyName="subject-role">
+ <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">user</saml2:AttributeValue>
+ </saml2:Attribute>
+ <saml2:Attribute NameFormat="http://claims/authentication"
+ Name="http://claims/authentication-format">
+ <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">password</saml2:AttributeValue>
+ </saml2:Attribute>
+ </saml2:AttributeStatement>
+ <!-- ... -->
+</saml2:Assertion>
+]]></script>
</div></div>
<p>An individual claim is scoped by NameFormat and Name attribute. NameFormat is similar to a namespace, while Name identifies what the value of this claim represents, for example, in the above fragment two claims are provided, one has a value "user" which represents a role of the assertion's Subject, another one has a value of "password" which identifies the way Subject authenticated itself, i.e, Subject provided its password (presumably to IDP).</p>
@@ -472,29 +480,29 @@ Custom validators extending WSS4J SamlAs
<p>Here is a simple code fragment:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-<span class="code-keyword">import</span> org.apache.cxf.rs.security.saml.authorization.Claim;
-<span class="code-keyword">import</span> org.apache.cxf.rs.security.saml.authorization.Claims;
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+import org.apache.cxf.rs.security.saml.authorization.Claim;
+import org.apache.cxf.rs.security.saml.authorization.Claims;
-@Path(<span class="code-quote">"/bookstore"</span>)
-<span class="code-keyword">public</span> class SecureClaimBookStore {
+@Path("/bookstore")
+public class SecureClaimBookStore {
@POST
- @Path(<span class="code-quote">"/books"</span>)
- @Produces(<span class="code-quote">"application/xml"</span>)
- @Consumes(<span class="code-quote">"application/xml"</span>)
+ @Path("/books")
+ @Produces("application/xml")
+ @Consumes("application/xml")
@Claims({
- @Claim({<span class="code-quote">"admin"</span> }),
- @Claim(name = <span class="code-quote">"http:<span class="code-comment">//claims/authentication-format"</span>,
-</span> format = <span class="code-quote">"http:<span class="code-comment">//claims/authentication"</span>,
-</span> value = {<span class="code-quote">"fingertip"</span>, <span class="code-quote">"smartcard"</span> })
+ @Claim({"admin" }),
+ @Claim(name = "http://claims/authentication-format",
+ format = "http://claims/authentication",
+ value = {"fingertip", "smartcard" })
})
- <span class="code-keyword">public</span> Book addBook(Book book) {
- <span class="code-keyword">return</span> book;
+ public Book addBook(Book book) {
+ return book;
}
}
-</pre>
+]]></script>
</div></div>
<p>SecureClaimBookStore.addBook(Book) can only be invoked if Subject meets the following requirement: it needs to have a Claim with a value "admin" and another Claim confirming that it got authenticated using either a 'fingertip' or 'smartcard' method. Note that @Claim({"admin"}) has no name and format classifiers set - it relies on default name and format values, namely "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" and "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims" before CXF 2.7.1) respectively. These default values may change in the future depending on which claims are found to be used most often - but as you can see you can always provide name and format values which will scope a given claim value.</p>
@@ -504,84 +512,84 @@ Custom validators extending WSS4J SamlAs
<p>Note that in the above example, a Claim with the name "http://claims/authentication-format" has two values, 'fingertip' and 'smartcard'. By default, in order to meet this Claim, Subject needs to have a Claim which has either a 'fingertip' or 'smartcard' value. If it is expected that Subject needs to have a Claim which has both 'fingertip' and 'smartcard' values, then the following change needs to be done:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-<span class="code-keyword">import</span> org.apache.cxf.security.claims.authorization.Claim;
-<span class="code-keyword">import</span> org.apache.cxf.security.claims.authorization.Claims;
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+import org.apache.cxf.security.claims.authorization.Claim;
+import org.apache.cxf.security.claims.authorization.Claims;
-@Path(<span class="code-quote">"/bookstore"</span>)
-<span class="code-keyword">public</span> class SecureClaimBookStore {
+@Path("/bookstore")
+public class SecureClaimBookStore {
@POST
- @Path(<span class="code-quote">"/books"</span>)
- @Produces(<span class="code-quote">"application/xml"</span>)
- @Consumes(<span class="code-quote">"application/xml"</span>)
+ @Path("/books")
+ @Produces("application/xml")
+ @Consumes("application/xml")
@Claims({
- @Claim({<span class="code-quote">"admin"</span> }),
- @Claim(name = <span class="code-quote">"http:<span class="code-comment">//claims/authentication-format"</span>,
-</span> format = <span class="code-quote">"http:<span class="code-comment">//claims/authentication"</span>,
-</span> value = {<span class="code-quote">"fingertip"</span>, <span class="code-quote">"smartcard"</span> },
- matchAll = <span class="code-keyword">true</span>)
+ @Claim({"admin" }),
+ @Claim(name = "http://claims/authentication-format",
+ format = "http://claims/authentication",
+ value = {"fingertip", "smartcard" },
+ matchAll = true)
})
- <span class="code-keyword">public</span> Book addBook(Book book) {
- <span class="code-keyword">return</span> book;
+ public Book addBook(Book book) {
+ return book;
}
}
-</pre>
+]]></script>
</div></div>
<p>Claims can be specified using individual @Claim annotation, they can be set at the class level and overridden at the method level and finally a lax mode of check can be specified:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-<span class="code-keyword">import</span> org.apache.cxf.security.claims.authorization.Claim;
-<span class="code-keyword">import</span> org.apache.cxf.security.claims.authorization.Claims;
-
-@Path(<span class="code-quote">"/bookstore"</span>)
-@Claim({<span class="code-quote">"user"</span>})
-<span class="code-keyword">public</span> class SecureClaimBookStore {
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+import org.apache.cxf.security.claims.authorization.Claim;
+import org.apache.cxf.security.claims.authorization.Claims;
+
+@Path("/bookstore")
+@Claim({"user"})
+public class SecureClaimBookStore {
@POST
- @Path(<span class="code-quote">"/books"</span>)
- @Produces(<span class="code-quote">"application/xml"</span>)
- @Consumes(<span class="code-quote">"application/xml"</span>)
+ @Path("/books")
+ @Produces("application/xml")
+ @Consumes("application/xml")
@Claims({
- @Claim({<span class="code-quote">"admin"</span> }),
- @Claim(name = <span class="code-quote">"http:<span class="code-comment">//claims/authentication-format"</span>,
-</span> format = <span class="code-quote">"http:<span class="code-comment">//claims/authentication"</span>,
-</span> value = {<span class="code-quote">"fingertip"</span>, <span class="code-quote">"smartcard"</span> },
- matchAll = <span class="code-keyword">true</span>)
+ @Claim({"admin" }),
+ @Claim(name = "http://claims/authentication-format",
+ format = "http://claims/authentication",
+ value = {"fingertip", "smartcard" },
+ matchAll = true)
})
- <span class="code-keyword">public</span> Book addBook(Book book) {
- <span class="code-keyword">return</span> book;
+ public Book addBook(Book book) {
+ return book;
}
@GET
- @Claim(name = <span class="code-quote">"http:<span class="code-comment">//claims/authentication-format"</span>,
-</span> format = <span class="code-quote">"http:<span class="code-comment">//claims/authentication"</span>,
-</span> value = {<span class="code-quote">"password"</span> },
+ @Claim(name = "http://claims/authentication-format",
+ format = "http://claims/authentication",
+ value = {"password" },
mode = ClaimMode.LAX)
- <span class="code-keyword">public</span> Book getBook() {
- <span class="code-comment">//...
-</span> }
+ public Book getBook() {
+ //...
+ }
@GET
- <span class="code-keyword">public</span> BookList getBookList() {
- <span class="code-comment">//...
-</span> }
+ public BookList getBookList() {
+ //...
+ }
}
-</pre>
+]]></script>
</div></div>
<p>In the above example, getBookList() can be invoked if Subject has a Claim with the value "user"; addBook() has it overridden - "admin" is expected and the authentication format Claim too; getBook() can be invoked if Subject has a Claim with the value "user" and it also must have the authentication format Claim with the value "password" - or no such Claim at all. </p>
<p>org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingInterceptor enforces the CBAC rules. This filter can be overridden and configured with the rules directly which can be useful if no Claim-related annotations are expected in the code. Map nameAliases and formatAliases properties are supported to make @Claim annotations look a bit simpler, for example:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-@Claim(name = <span class="code-quote">"auth-format"</span>, format = <span class="code-quote">"authentication"</span>, value = {<span class="code-quote">"password"</span> })
-</pre>
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+@Claim(name = "auth-format", format = "authentication", value = {"password" })
+]]></script>
</div></div>
<p>where "auth-format" and "authentication" are aliases for "http://claims/authentication-format" and "http://claims/authentication" respectively.</p>
@@ -604,30 +612,30 @@ If the assertion signature is verified l
<p>Have a look please at this server configuration example:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-<span class="code-tag"><bean id=<span class="code-quote">"serviceBeanClaims"</span> class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.SecureClaimBookStore"</span>/></span>
-<span class="code-tag"><bean id=<span class="code-quote">"samlEnvHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"</span>></span>
- <span class="code-tag"><property name=<span class="code-quote">"securityContextProvider"</span>></span>
- <span class="code-tag"><bean class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"</span>/></span>
- <span class="code-tag"></property></span>
-<span class="code-tag"></bean></span>
-
-<bean id=<span class="code-quote">"claimsHandler"</span>
- class=<span class="code-quote">"org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter"</span>>
- <span class="code-tag"><property name=<span class="code-quote">"securedObject"</span> ref=<span class="code-quote">"serviceBeanClaims"</span>/></span>
-<span class="code-tag"></bean></span>
-
-<span class="code-tag"><jaxrs:server address=<span class="code-quote">"/saml-claims"</span>></span>
- <span class="code-tag"><jaxrs:serviceBeans></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"serviceBeanClaims"</span>/></span>
- <span class="code-tag"></jaxrs:serviceBeans></span>
- <span class="code-tag"><jaxrs:providers></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"samlEnvHandler"</span>/></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"claimsHandler"</span>/></span>
- <span class="code-tag"></jaxrs:providers></span>
-<span class="code-tag"></jaxrs:server></span>
-</pre>
+<bean id="serviceBeanClaims" class="org.apache.cxf.systest.jaxrs.security.saml.SecureClaimBookStore"/>
+<bean id="samlEnvHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler">
+ <property name="securityContextProvider">
+ <bean class="org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"/>
+ </property>
+</bean>
+
+<bean id="claimsHandler"
+ class="org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter">
+ <property name="securedObject" ref="serviceBeanClaims"/>
+</bean>
+
+<jaxrs:server address="/saml-claims">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBeanClaims"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="samlEnvHandler"/>
+ <ref bean="claimsHandler"/>
+ </jaxrs:providers>
+</jaxrs:server>
+]]></script>
</div></div>
<p>An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor. SamlEnvelopedInHandler processes and validates SAML assertions and it also relies on a simple <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java">CustomSecurityContextProvider</a> to help it to figure out what the actual Subject name is. A more involved implementation can do some additional validation as well as override few more super class methods, more on it next. The claims themselves have already been parsed and will be made available to a resulting SecurityContext which ClaimsAuthorizingFilter will rely upon.</p>
@@ -639,64 +647,64 @@ If the assertion signature is verified l
<p>For example, given this code:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-<span class="code-keyword">import</span> org.springframework.security.annotation.Secured;
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+import org.springframework.security.annotation.Secured;
-@Path(<span class="code-quote">"/bookstore"</span>)
-@Claim({<span class="code-quote">"user"</span>})
-<span class="code-keyword">public</span> class SecureBookStore {
+@Path("/bookstore")
+@Claim({"user"})
+public class SecureBookStore {
@POST
- @Secured(<span class="code-quote">"admin"</span>)
- <span class="code-keyword">public</span> Book addBook(Book book) {
- <span class="code-keyword">return</span> book;
+ @Secured("admin")
+ public Book addBook(Book book) {
+ return book;
}
}
-</pre>
+]]></script>
</div></div>
<p>where @Secured can be replaced with @RoledAllowed if needed, the following configuration will do it:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-<span class="code-tag"><bean id=<span class="code-quote">"serviceBeanRoles"</span> class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore"</span>/></span>
-<span class="code-tag"><bean id=<span class="code-quote">"samlEnvHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"</span>></span>
- <span class="code-tag"><property name=<span class="code-quote">"securityContextProvider"</span>></span>
- <span class="code-tag"><bean class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"</span>/></span>
- <span class="code-tag"></property></span>
-<span class="code-tag"></bean></span>
-
-<span class="code-tag"><bean id=<span class="code-quote">"authorizationInterceptor"</span> class=<span class="code-quote">"org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor"</span>></span>
- <span class="code-tag"><property name=<span class="code-quote">"securedObject"</span> ref=<span class="code-quote">"serviceBean"</span>/></span>
- <property name=<span class="code-quote">"annotationClassName"</span>
- value=<span class="code-quote">"org.springframework.security.annotation.Secured"</span>/>
-<span class="code-tag"></bean></span>
-
-<span class="code-tag"><bean id=<span class="code-quote">"rolesHandler"</span> class=<span class="code-quote">"org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter"</span>></span>
- <span class="code-tag"><property name=<span class="code-quote">"interceptor"</span> ref=<span class="code-quote">"authorizationInterceptor"</span>/></span>
-<span class="code-tag"></bean></span>
-
-<span class="code-tag"><jaxrs:server address=<span class="code-quote">"/saml-roles"</span>></span>
- <span class="code-tag"><jaxrs:serviceBeans></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"serviceBeanRoles"</span>/></span>
- <span class="code-tag"></jaxrs:serviceBeans></span>
- <span class="code-tag"><jaxrs:providers></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"samlEnvHandler"</span>/></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"rolesHandler"</span>/></span>
- <span class="code-tag"></jaxrs:providers></span>
+<bean id="serviceBeanRoles" class="org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore"/>
+<bean id="samlEnvHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler">
+ <property name="securityContextProvider">
+ <bean class="org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"/>
+ </property>
+</bean>
+
+<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
+ <property name="securedObject" ref="serviceBean"/>
+ <property name="annotationClassName"
+ value="org.springframework.security.annotation.Secured"/>
+</bean>
+
+<bean id="rolesHandler" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
+ <property name="interceptor" ref="authorizationInterceptor"/>
+</bean>
+
+<jaxrs:server address="/saml-roles">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBeanRoles"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="samlEnvHandler"/>
+ <ref bean="rolesHandler"/>
+ </jaxrs:providers>
<!-- If default role qualifier and format are not supported:
- <span class="code-tag"><jaxrs:properties></span>
- <entry key=<span class="code-quote">"org.apache.cxf.saml.claims.role.nameformat"</span>
- value=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"</span>/>
- <entry key=<span class="code-quote">"org.apache.cxf.saml.claims.role.qualifier"</span>
- value=<span class="code-quote">"urn:oid:1.3.6.1.4.1.5923.1.1.1.1"</span>/>
- <span class="code-tag"></jaxrs:properties></span>
+ <jaxrs:properties>
+ <entry key="org.apache.cxf.saml.claims.role.nameformat"
+ value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+ <entry key="org.apache.cxf.saml.claims.role.qualifier"
+ value="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"/>
+ </jaxrs:properties>
-->
-<span class="code-tag"></jaxrs:server></span>
-</pre>
+</jaxrs:server>
+]]></script>
</div></div>
<p>That is all what is needed. Note that in order to help the default SAML SecurityContextProvider figure out which claims are roles, one can set the two properties as shown above - this not needed if it's known that claims identifying roles have NameFormat and Name values with the default values, which are "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" respectively at the moment.</p>