cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > JAX-RS SAML
Date Thu, 03 Nov 2011 13:35:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+SAML">JAX-RS
SAML</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey
Beryozkin</a>
    </h4>
        <br/>
<h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> JAX-RS: SAML </span></p>


<div>
<ul>
    <li><a href='#JAX-RSSAML-Introduction'>Introduction</a></li>
    <li><a href='#JAX-RSSAML-Mavendependencies'>Maven dependencies</a></li>
    <li><a href='#JAX-RSSAML-EnvelopedSAMLassertions'>Enveloped SAML assertions</a></li>
    <li><a href='#JAX-RSSAML-SAMLassertionsinAuthorizationheader'>SAML assertions
in Authorization header</a></li>
    <li><a href='#JAX-RSSAML-SAMLassertionsasFormvalues'>SAML assertions as Form
values</a></li>
    <li><a href='#JAX-RSSAML-SAMLAuthorization'>SAML Authorization</a></li>
</ul></div>

<h1><a name="JAX-RSSAML-Introduction"></a>Introduction</h1>

<p>CXF 2.5.0 introduces initial support for working with <a href="http://en.wikipedia.org/wiki/SAML_2.0"
class="external-link" rel="nofollow">SAML2</a> assertions. So far the main focus
has been on making sure SAML assertions can be included in HTTP requests targeted at application
endpoints: embedded inside XML payloads, or passed as encoded HTTP header or form values. Support
for advanced SAML features such as the Web Browser SSO Profile will come in due time.</p>

<h1><a name="JAX-RSSAML-Mavendependencies"></a>Maven dependencies</h1>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;dependency&gt;</span>
  <span class="code-tag">&lt;groupId&gt;</span>org.apache.cxf<span
class="code-tag">&lt;/groupId&gt;</span>
  <span class="code-tag">&lt;artifactId&gt;</span>cxf-rt-rs-security-xml<span
class="code-tag">&lt;/artifactId&gt;</span>
  <span class="code-tag">&lt;version&gt;</span>2.5.0<span class="code-tag">&lt;/version&gt;</span>
<span class="code-tag">&lt;/dependency&gt;</span>
</pre>
</div></div>

<h1><a name="JAX-RSSAML-EnvelopedSAMLassertions"></a>Enveloped SAML assertions</h1>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;env:Envelope <span class="code-keyword">xmlns:env</span>=<span
class="code-quote">"http://org.apache.cxf/rs/env"</span>&gt;</span>

<span class="code-tag">&lt;Book ID=<span class="code-quote">"67ca6441-0c4e-4430-af0e-9463ce9226aa"</span>&gt;</span>
  <span class="code-tag">&lt;id&gt;</span>125<span class="code-tag">&lt;/id&gt;</span>
  <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>
<span class="code-tag">&lt;/Book&gt;</span>
<span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
  <span class="code-tag"><span class="code-comment">&lt;!-- Book signature,
omitted for brewity --&gt;</span></span>
<span class="code-tag">&lt;/ds:Signature&gt;</span>

<span class="code-tag"><span class="code-comment">&lt;!-- SAML assertion with
an enveloped signature --&gt;</span></span> 
<span class="code-tag">&lt;saml2:Assertion <span class="code-keyword">xmlns:saml2</span>=<span
class="code-quote">"urn:oasis:names:tc:SAML:2.0:assertion"</span> <span class="code-keyword">xmlns:xs</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema"</span> <span class="code-keyword">xmlns:xsi</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> ID=<span
class="code-quote">"_62D574706635C0B9F413203247720501"</span> IssueInstant=<span
class="code-quote">"2011-11-03T12:52:52.050Z"</span> Version=<span class="code-quote">"2.0"</span>
xsi:type=<span class="code-quote">"saml2:AssertionType"</span>&gt;</span>

<span class="code-tag">&lt;saml2:Issuer&gt;</span>https://idp.example.org/SAML2<span
class="code-tag">&lt;/saml2:Issuer&gt;</span>

<span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
   <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
    <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
    <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
    <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#_62D574706635C0B9F413203247720501"</span>&gt;</span>
      <span class="code-tag">&lt;ds:Transforms&gt;</span>
       <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</span>/&gt;</span>
       <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>&gt;</span>
         <span class="code-tag">&lt;ec:InclusiveNamespaces <span class="code-keyword">xmlns:ec</span>=<span
class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span> PrefixList=<span
class="code-quote">"xs"</span>/&gt;</span>
       <span class="code-tag">&lt;/ds:Transform&gt;</span>
      <span class="code-tag">&lt;/ds:Transforms&gt;</span>
      <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
      <span class="code-tag">&lt;ds:DigestValue&gt;</span>IDD9nFocVm/7FpUbiGI3ZvpY2ps=<span
class="code-tag">&lt;/ds:DigestValue&gt;</span>
    <span class="code-tag">&lt;/ds:Reference&gt;</span>
   <span class="code-tag">&lt;/ds:SignedInfo&gt;</span>
   <span class="code-tag">&lt;ds:SignatureValue&gt;</span>JA2I7u/SmNsXGgWNdrLSovkipiM3JmGHsmpoP0EeIOwPwnLMx0WvV0C3xNGNiT1jOBe2uv8+WchtPoppGTC2JTJVX/t8PmKQCYZo4kVJo6Nmsjbn5kp7ejWuOYynvrUheQeTLU8e5CQmuS6L4VYaMVV2ETtb0VvpKjoQKHOC+co=<span
class="code-tag">&lt;/ds:SignatureValue&gt;</span>
   <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
    <span class="code-tag">&lt;ds:X509Data&gt;</span>
     <span class="code-tag">&lt;ds:X509Certificate&gt;</span><span
class="code-tag"><span class="code-comment">&lt;!-- Omitted for brewity --&gt;</span></span>
<span class="code-tag">&lt;/ds:X509Certificate&gt;</span>
    <span class="code-tag">&lt;/ds:X509Data&gt;</span>
   <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
 <span class="code-tag">&lt;/ds:Signature&gt;</span>

 <span class="code-tag">&lt;saml2:Subject&gt;</span>
   <span class="code-tag">&lt;saml2:NameID Format=<span class="code-quote">"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"</span>
NameQualifier=<span class="code-quote">"www.mock-sts.com"</span>&gt;</span>uid=sts-client,o=mock-sts.com<span
class="code-tag">&lt;/saml2:NameID&gt;</span>
   <span class="code-tag">&lt;saml2:SubjectConfirmation Method=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"</span>/&gt;</span>
 <span class="code-tag">&lt;/saml2:Subject&gt;</span>

 <span class="code-tag">&lt;saml2:Conditions NotBefore=<span class="code-quote">"2011-11-03T12:52:52.063Z"</span>
NotOnOrAfter=<span class="code-quote">"2011-11-03T12:52:52.063Z"</span>&gt;</span>
  <span class="code-tag">&lt;saml2:AudienceRestriction&gt;</span>
   <span class="code-tag">&lt;saml2:Audience&gt;</span>https://sp.example.com/SAML2<span
class="code-tag">&lt;/saml2:Audience&gt;</span>
  <span class="code-tag">&lt;/saml2:AudienceRestriction&gt;</span>
 <span class="code-tag">&lt;/saml2:Conditions&gt;</span>
 <span class="code-tag">&lt;saml2:AuthnStatement AuthnInstant=<span class="code-quote">"2011-11-03T12:52:51.981Z"</span>
SessionIndex=<span class="code-quote">"123456"</span>&gt;</span>
    <span class="code-tag">&lt;saml2:AuthnContext&gt;</span><span class="code-tag">&lt;saml2:AuthnContextClassRef/&gt;</span><span
class="code-tag">&lt;/saml2:AuthnContext&gt;</span>
 <span class="code-tag">&lt;/saml2:AuthnStatement&gt;</span>

 <span class="code-tag">&lt;saml2:AttributeStatement&gt;</span>
    &lt;saml2:Attribute FriendlyName=<span class="code-quote">"subject-role"</span>
                     Name=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"</span>
                     NameFormat=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims"</span>&gt;
       <span class="code-tag">&lt;saml2:AttributeValue xsi:type=<span class="code-quote">"xs:string"</span>&gt;</span>user<span
class="code-tag">&lt;/saml2:AttributeValue&gt;</span>
    <span class="code-tag">&lt;/saml2:Attribute&gt;</span>
    &lt;saml2:Attribute Name=<span class="code-quote">"http://claims/authentication"</span>
                     NameFormat=<span class="code-quote">"http://claims/authentication-format"</span>&gt;
       <span class="code-tag">&lt;saml2:AttributeValue xsi:type=<span class="code-quote">"xs:string"</span>&gt;</span>password<span
class="code-tag">&lt;/saml2:AttributeValue&gt;</span>
    <span class="code-tag">&lt;/saml2:Attribute&gt;</span>
 <span class="code-tag">&lt;/saml2:AttributeStatement&gt;</span>
<span class="code-tag">&lt;/saml2:Assertion&gt;</span>
<span class="code-tag">&lt;/env:Envelope&gt;</span>
</pre>
</div></div>

<p>Server configuration fragment:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
    <span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span>
class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/&gt;</span>
    <span class="code-tag">&lt;bean id=<span class="code-quote">"samlEnvHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"</span>/&gt;</span>
    
    <span class="code-tag"><span class="code-comment">&lt;!-- only needed
if the detached signature signing the application data is expected --&gt;</span></span>

    <span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>
    
    
    &lt;jaxrs:server 
       address=<span class="code-quote">"https://localhost:${testutil.ports.jaxrs-saml}/samlxml"</span>&gt;

       <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
          <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
       <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
       <span class="code-tag">&lt;jaxrs:providers&gt;</span>
          <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigHandler"</span>/&gt;</span>
          <span class="code-tag">&lt;ref bean=<span class="code-quote">"samlEnvHandler"</span>/&gt;</span>
       <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
       
       <span class="code-tag">&lt;jaxrs:properties&gt;</span>
           &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>
                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;
       <span class="code-tag">&lt;/jaxrs:properties&gt;</span>
        
    <span class="code-tag">&lt;/jaxrs:server&gt;</span>
</pre>
</div></div>
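<p>The checks a service should still apply to the enveloped assertion above once the XML-DSig layer (the SamlEnvelopedInHandler in the configuration) has verified the signature, as an added Python example that is not part of CXF. It uses a reduced copy of the page's envelope, with digest, signature and certificate values left out, as constructed input; the function names, the 60-second skew allowance and the tampered-reference case are assumptions of the example.</p>

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed input: the page's envelope with digest, signature and certificate
# values left out.  Signature verification is assumed to have happened already.
SAMPLE_ENVELOPE = """<env:Envelope xmlns:env="http://org.apache.cxf/rs/env">
  <Book ID="67ca6441-0c4e-4430-af0e-9463ce9226aa"><id>125</id><name>CXF</name></Book>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_62D574706635C0B9F413203247720501" Version="2.0"
      IssueInstant="2011-11-03T12:52:52.050Z">
    <saml2:Issuer>https://idp.example.org/SAML2</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_62D574706635C0B9F413203247720501"/></ds:SignedInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID>uid=sts-client,o=mock-sts.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2011-11-03T12:52:52.063Z" NotOnOrAfter="2011-11-03T12:52:52.063Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://sp.example.com/SAML2</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</env:Envelope>"""


def parse_instant(value):
    # SAML dateTime values are UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now_iso, audience, skew_seconds=60):
    """Return (ok, detail): detail is the subject NameID on success, else the reason.
    `audience` is this service's own entity id; `skew_seconds` absorbs clock
    drift between the issuer and the service."""
    now, skew = parse_instant(now_iso), timedelta(seconds=skew_seconds)
    assertions = ET.fromstring(xml_text).findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one assertion, found %d" % len(assertions)
    a = assertions[0]
    # The enveloped signature must cover *this* assertion: its Reference has to
    # point at the assertion's own ID, otherwise a valid signature over some
    # other element could sit next to an assertion that was never signed.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        return False, "signature Reference does not cover the assertion"
    cond = a.find("saml2:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    # NotBefore is inclusive and NotOnOrAfter exclusive, so the page's sample,
    # whose two instants are equal, only passes thanks to the skew allowance.
    if now + skew < not_before:
        return False, "assertion not yet valid"
    if now - skew >= not_on_or_after:
        return False, "assertion expired"
    # An absent AudienceRestriction means unrestricted; a present one must name us.
    audiences = [e.text for e in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if audiences and audience not in audiences:
        return False, "audience restriction does not include this service"
    return True, a.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
```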

<h1><a name="JAX-RSSAML-SAMLassertionsinAuthorizationheader"></a>SAML assertions
in Authorization header</h1>

<p>Logging output:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
Address: https://localhost:9000/samlheader/bookstore/books/123
Http-Method: GET
Headers: {Accept=[application/xml], Authorization=[SAML eJydV1mTokgQfu9fYTCPrs2htGKMHVEcKq2gKOLxsoFQAsqhFAjNr99CW1ud7t2ZjdAwMisr68s7/YnMwGfaACEYJ14UVmSxQ/z9wjUlBrRYiWZZiWVYlqPrDFVnmhTbwL80UZERSqEcosQMkw7BUDRdwx+qrtP1dp1qs41nLLciKgaMEVaLRZ4popIHfojapyc7RBqH7chEHmqHZgBRO7HaU6AM21iybV7wXO7kqEO4SbJvk2SWZc9Z/TmKHZKhKJpcKMOp5cLA/JT1/lu45p3AWxDfQl47ed/DDvHgDB0zidefZ+7J4vi11IuwYs/eP8PcDPY+PGkvoTM/yTvZnzZqTz0nNJM0hh/g7O8MoUiKI7GMjTznB3G9C2053EQnUjDDKPQs0/cKs4SnwMSN7ArwnSj2Ejf41miaKhXXYG7VLLoR/iDIe2i/qegOYYzMGnJN+kPXBG5gDLE7K7OJ3CF+/HcKna7psRmiTRQH6J78MywwPEI/2kO7hi4mfcD6fYVfeOn1J7Tacmj5KfKOUC2TdG9aEFXGMdx4+dBDOPVzdEk7aP1RAMhbeA/k2Rui50CU/J/g3ATmrMQw/RS+Lod0s8c74oavDxsCSoueGs8H4zUQlp0TgFvhE+Ma1jP5kJDXBDrfABTXCxR7+UJ5clXM0XjN8LG9MQxG57bTMfB9rUkaXUNKJgsRzKl+f8R2q0qr/sLB+Ub3oGEPhrIMJTegkBOM+0E4nbCLjVXYXO6MHXYhDLMWtGjKtRtNGtirfrioTvXhhnM2zalRXdXDlVVPg2Oe0Sp4Ge/eWgdRiXQwOiZWtZEfjtSwm1aH46xzNecGf2nSAL5fzVuwFCeaiXklhLItbHAFJvBVkWWhtxUEsBw5IJN54MjS1Jg4QAcq7+wO7s7rcRnFA23WBSIolImSSdpSNDRtIGV71+p1t2Zvlq7rb+GTomWZ4JwOh1Km+uvAysUtUHhHNXig6PxcbawC1VX4xkLUrUwRpUzRAf7F326EeUoD8/KRDoonRdcylY4ypZB0hZd6gJ5JgqsMlgveXTKuPwy491UhKQqIzme5Iq7mbKhojUwEJxBYveGue/72aaULfFg8miR1ARjxWw1kznKHgUvgmDYbOLhTV2uxG/pF7E2thpy73NjY95z0XTrEAnoatA7coj9aLjifIx02k4SXlTVhutlGRZHZtwbqeGuzaKoXRsLPA2274aWNfMj0SfOYeu4of1f1TCqMTH4rno5Rc98izWW+qxo2n2j5oTHLoGxtSK+7m60V2lrRkbeYaIXlTXivKtC8JmgSdSiQADIJAFNpKuIuk3FQnowJNeX5KOvJ8lzfcbMFtRrPfE6b7TjJmKmz6YwbLWhDn+hgVgalP5EkUQdDx/HRmlGxr9yjVdcyUVu+PQ2ilYxJtfQTrwGx9I87zHZBtbVHg6ThhGtv1ysMSnf203nPmufzAQZYtBKZCV/cLmCP9Nbo981Gj3ty64gKc43RYVbACblrOoFjMEhutOqqEy/7gR4MB6bIzwuT2YN0lYqu1m/1gOS+mbtuMuDH1aokcLGq7ldP4eHQz/P6Yc0kc4Y9TBK+EIMBx9COw42VKFCsZnqYaOfqeMz4K/NcE+RttdxV02ViTtP1FlrJhSwbqCxWuri/mcn3459+pk8cz65tTqLtNER7aGEY0CYqpRYtxTMQk3GHKJtgEFm7GkrQsxUFxGvq2R1M1Czfg2HyV9S5Pb4M6DOWB6BCFG688sVyDzq33X/fUqygjWBow7h2jFK8VaBTX<span
class="code-comment">//SeKzb9krFqKJGCQ+xafCbvYl+wXsTFhqFoxhsktLKb+Uu6kFqe2WbnuD2HXtW+dDj0XVzQZ+LC/bI/eJyFX5k3CkmH236fCtxw2mCsyXAvq+cyH9dEvFOgI2dQlQuiTJ2Zd4haKbeYF+IO534qQTmyVc8wcfLIp5T5A3m2xvkV9CuihJs1TpN4PcnlW6MPWD772XO4BXxHNdaHPnwnI3XgYxOiyV6xlMYt7P9aTJnqBzOLIk/no3Ve8k7afmmFyDyU8OlJP6XHuIXxKdpdrPV5njlxkehg4sDb7ZXj9zJv/7C/tUTd9Z+WGFiv5Z4LPO8rn9hz5eSH8X9R+j3ONJZFNu/b8Ej59cwY1CFiLtLmYCfmXvhdIgyKXENBh7ubfCmvq9/El7/AXoseyE=],
...}</span>
</pre>
</div></div>


<h1><a name="JAX-RSSAML-SAMLassertionsasFormvalues"></a>SAML assertions
as Form values</h1>

<p>Logging output:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
Address: https://localhost:9000/samlform/bookstore/books
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/x-www-form-urlencoded
Headers: {Accept=[application/xml], Cache-Control=[no-cache], connection=[keep-alive], Content-Length=[2206],
content-type=[application/x-www-form-urlencoded], Host=[localhost:9000], Pragma=[no-cache],
User-Agent=[Apache CXF ${project.version}]}
Payload: name=CXF&amp;id=125&amp;SAMLToken=...
</pre>
</div></div>
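<p>The two transports shown in the logging output above, the <code>Authorization: SAML ...</code> header and the <code>SAMLToken</code> form field, both carry the assertion DEFLATE-compressed and base64-encoded; this added Python example (not CXF's own code) shows the encoding and a decoder that bounds the inflated size, since a tiny token can expand into a very large XML document. Zlib framing is inferred from the <code>eJy</code> prefix of the logged token; the 64 KB limit, the function names and the one-field check are assumptions of the example.</p>

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode

# Constructed bound: a real assertion is a few KB, so anything that inflates
# past this is not a token this service should spend memory on.
MAX_INFLATED = 64 * 1024


def encode_token(assertion_xml):
    # zlib-framed DEFLATE, then base64: the page's logged token starts with
    # "eJy", the base64 spelling of the zlib header bytes 0x78 0x9c.
    return base64.b64encode(zlib.compress(assertion_xml.encode("utf-8"))).decode("ascii")


def decode_token(token, limit=MAX_INFLATED):
    """Inverse of encode_token with the inflated size capped at `limit` bytes."""
    raw = base64.b64decode(token, validate=True)
    inflater = zlib.decompressobj()
    xml = inflater.decompress(raw, limit)      # stops producing output at `limit`
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("token inflates past %d bytes or is truncated" % limit)
    return xml.decode("utf-8")


def authorization_header(assertion_xml):
    # Authorization: SAML <token>, as in the page's first logging sample
    return "SAML " + encode_token(assertion_xml)


def token_from_authorization(header):
    scheme, _, token = header.partition(" ")
    if scheme != "SAML" or not token.strip():
        raise ValueError("not a SAML Authorization header")
    return token.strip()


def form_body(assertion_xml):
    # name=CXF&id=125&SAMLToken=<token>, as in the page's second logging sample;
    # urlencode escapes the '+', '/' and '=' of the base64 alphabet
    return urlencode({"name": "CXF", "id": "125", "SAMLToken": encode_token(assertion_xml)})


def token_from_form(body):
    fields = parse_qs(body, strict_parsing=True)
    tokens = fields.get("SAMLToken", [])
    if len(tokens) != 1:
        raise ValueError("expected exactly one SAMLToken field")
    return tokens[0]
```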

<h1><a name="JAX-RSSAML-SAMLAuthorization"></a>SAML Authorization</h1>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
