cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF > Configuration
Date Fri, 11 May 2012 20:55:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Configuration">Configuration</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~owulff@apache.org">Oliver
Wulff</a>
    </h4>
        <br/>
                         <h4>Changes (3)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h3. Example <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
following example describes the minimum configuration for Fediz. <br></td></tr>
            <tr><td class="diff-unchanged" >{code:xml} <br>&lt;?xml
version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&gt;
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">This
example describes the minimum configuration.</span> The element protocol defines that
you use the WS-Federation protocol. The issuer says to which URL authenticated requests will
be redirected with the SignIn request. <br></td></tr>
            <tr><td class="diff-unchanged" >The IDP issues a SAML token which
must be validated by the plugin. The validation requires the certificate store of the Certificate
Authority(ies) of the certificate which signed the SAML token. This is defined in {{certificateStore}}.
The signing certificate itself is not required because {{certificateValidation}} is set to
{{ChainTrust}}. The {{subject}} defines the trusted signing certificate using the subject
as a regular expression. <br>Finally, the audience URI is validated against the audience
restriction in the SAML token. <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
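<p>Review bot: the sentence kept in the changed-lines row still says "to which URL authenticated requests will be redirected with the SignIn request"; in WS-Federation it is the unauthenticated request that the plugin redirects to the IDP with the SignIn request, and the configuration reference further down this same page already describes the issuer URL that way. While this paragraph is being moved, change "authenticated" to "unauthenticated" so the two descriptions agree, and consider "The <tt>protocol</tt> element" rather than "The element protocol".</p>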
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="Configuration-Fedizconfiguration"></a>Fediz configuration</h1>
<p>This page describes the Fediz configuration file which is referenced by the security
interceptor (e.g. the authenticator in Tomcat/Jetty).</p>

<h3><a name="Configuration-Example"></a>Example</h3>
<p>The following example describes the minimum configuration for Fediz.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;?xml version=<span class="code-quote">"1.0"</span>
encoding=<span class="code-quote">"UTF-8"</span> standalone=<span class="code-quote">"yes"</span>?&gt;</span>
<span class="code-tag">&lt;FedizConfig&gt;</span>
    <span class="code-tag">&lt;contextConfig name=<span class="code-quote">"/fedizhelloworld"</span>&gt;</span>
        <span class="code-tag">&lt;audienceUris&gt;</span>
            <span class="code-tag">&lt;audienceItem&gt;</span>https://localhost:8443/fedizhelloworld<span
class="code-tag">&lt;/audienceItem&gt;</span>
        <span class="code-tag">&lt;/audienceUris&gt;</span>
        <span class="code-tag">&lt;certificateStore&gt;</span>
            <span class="code-tag">&lt;keyStore file=<span class="code-quote">"/projects/fediz/tomcat-rp2/conf/stsstore.jks"</span>
password=<span class="code-quote">"stsspass"</span> type=<span class="code-quote">"JKS"</span>
/&gt;</span>
        <span class="code-tag">&lt;/certificateStore&gt;</span>
        <span class="code-tag">&lt;trustedIssuers&gt;</span>
            <span class="code-tag">&lt;issuer name=<span class="code-quote">"issuer
1"</span> certificateValidation=<span class="code-quote">"ChainTrust"</span>
subject=<span class="code-quote">".*CN=www.sts.com.*"</span> /&gt;</span>
        <span class="code-tag">&lt;/trustedIssuers&gt;</span>
        <span class="code-tag">&lt;protocol <span class="code-keyword">xmlns:xsi</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> xsi:type=<span
class="code-quote">"federationProtocolType"</span> version=<span class="code-quote">"1.2"</span>&gt;</span>
            <span class="code-tag">&lt;issuer&gt;</span>https://localhost:9443/fedizidp/<span
class="code-tag">&lt;/issuer&gt;</span>
        <span class="code-tag">&lt;/protocol&gt;</span>
    <span class="code-tag">&lt;/contextConfig&gt;</span>
<span class="code-tag">&lt;/FedizConfig&gt;</span>
</pre>
</div></div>

<p>The <tt>protocol</tt> element selects the WS-Federation protocol. Its <tt>issuer</tt>
is the IDP URL to which unauthenticated requests are redirected with the SignIn request.<br/>
The IDP issues a SAML token which the plugin must validate. Validation needs the certificate(s)
of the Certificate Authority(ies) that issued the certificate which signed the SAML token;
these are held in the keystore(s) listed under <tt>certificateStore</tt>. The signing certificate
itself does not have to be in the store because <tt>certificateValidation</tt> is set to <tt>ChainTrust</tt>:
a signing certificate is accepted if it chains to a CA in the store and its subject matches the
regular expression given in <tt>subject</tt>. Write that pattern as tightly as the issuer's
certificate allows; in the example the unescaped dots match any character and the leading and
trailing <tt>.*</tt> accept any surrounding text, so the pattern also matches subjects that merely
contain something resembling <tt>CN=www.sts.com</tt>.<br/>
Finally, the audience URI is validated against the audience restriction in the SAML token.</p>


<h3><a name="Configuration-Configurationreference"></a>Configuration reference</h3>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>XML element </th>
<th class='confluenceTh'>Name </th>
<th class='confluenceTh'>Use </th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'> audienceUris </td>
<td class='confluenceTd'> Audience URI </td>
<td class='confluenceTd'> Required </td>
<td class='confluenceTd'> The values of the list of audience URIs are verified against
the element <tt>AudienceRestriction</tt> in the SAML token </td>
</tr>
<tr>
<td class='confluenceTd'> certificateStore </td>
<td class='confluenceTd'> Trusted certificate store </td>
<td class='confluenceTd'> Required </td>
<td class='confluenceTd'> The list of keystores (JKS, PEM) contains at least the certificate(s)
of the Certificate Authorities (CA) that issued the certificate used to sign the
SAML token </td>
</tr>
<tr>
<td class='confluenceTd'> trustedIssuers </td>
<td class='confluenceTd'> Trusted Issuers </td>
<td class='confluenceTd'> Required </td>
<td class='confluenceTd'> There are two ways to configure a trusted issuer (IDP): either
configure the subject name of the IDP's signing certificate together with the CA(s) that issued it (<tt>certificateValidation=ChainTrust</tt>),
or configure the IDP's signing certificate itself together with the CA(s) that issued it (<tt>certificateValidation=PeerTrust</tt>)</td>
</tr>
</tbody></table>
</div>



<h5><a name="Configuration-WSFederationprotocolconfigurationreference"></a>WS-Federation
protocol configuration reference </h5>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>XML element </th>
<th class='confluenceTh'>Name </th>
<th class='confluenceTh'>Use </th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'> issuer </td>
<td class='confluenceTd'> Issuer URL </td>
<td class='confluenceTd'> Required </td>
<td class='confluenceTd'>This URL defines the location of the IDP to which unauthenticated
requests are redirected </td>
</tr>
<tr>
<td class='confluenceTd'> authenticationType </td>
<td class='confluenceTd'> Authentication Type </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> The authentication type defines what kind of authentication
is required. This information is provided in the SignInRequest to the IDP (parameter <tt>wauth</tt>)<br/>
The WS-Federation standard defines a list of predefined URIs for wauth <a href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"
class="external-link" rel="nofollow">here</a>.</td>
</tr>
</tbody></table>
</div>




<h3><a name="Configuration-Advancedexample"></a>Advanced example</h3>

<p>The following example lists the claims requested from the IDP, maps a claim to roles, fixes
the authentication type and configures a custom callback handler that supplies a configuration
value (the home realm) at runtime. <tt>roleURI</tt> names the claim type whose values are mapped
to roles, and <tt>roleDelimiter</tt> is the separator used when several roles are encoded in a
single claim value.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;?xml version=<span class="code-quote">"1.0"</span>
encoding=<span class="code-quote">"UTF-8"</span> standalone=<span class="code-quote">"yes"</span>?&gt;</span>
<span class="code-tag">&lt;FedizConfig&gt;</span>
    <span class="code-tag">&lt;contextConfig name=<span class="code-quote">"/fedizhelloworld"</span>&gt;</span>
        <span class="code-tag">&lt;audienceUris&gt;</span>
            <span class="code-tag">&lt;audienceItem&gt;</span>https://localhost:8443/fedizhelloworld<span
class="code-tag">&lt;/audienceItem&gt;</span>
        <span class="code-tag">&lt;/audienceUris&gt;</span>
        <span class="code-tag">&lt;certificateStore&gt;</span>
            <span class="code-tag">&lt;keyStore file=<span class="code-quote">"/projects/fediz/tomcat-rp2/conf/stsstore.jks"</span>
password=<span class="code-quote">"stsspass"</span> type=<span class="code-quote">"JKS"</span>
/&gt;</span>
        <span class="code-tag">&lt;/certificateStore&gt;</span>
        <span class="code-tag">&lt;trustedIssuers&gt;</span>
            <span class="code-tag">&lt;issuer name=<span class="code-quote">"issuer
1"</span> certificateValidation=<span class="code-quote">"ChainTrust"</span>
subject=<span class="code-quote">".*CN=www.sts.com.*"</span> /&gt;</span>
        <span class="code-tag">&lt;/trustedIssuers&gt;</span>
        <span class="code-tag">&lt;protocol <span class="code-keyword">xmlns:xsi</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> xsi:type=<span
class="code-quote">"federationProtocolType"</span> version=<span class="code-quote">"1.0.0"</span>&gt;</span>
            <span class="code-tag">&lt;issuer&gt;</span>https://localhost:9443/fedizidp/<span
class="code-tag">&lt;/issuer&gt;</span>
            <span class="code-tag">&lt;roleDelimiter&gt;</span>,<span
class="code-tag">&lt;/roleDelimiter&gt;</span>
            <span class="code-tag">&lt;roleURI&gt;</span>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role<span
class="code-tag">&lt;/roleURI&gt;</span>
            <span class="code-tag">&lt;claimTypesRequested&gt;</span>
                <span class="code-tag">&lt;claimType type=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"</span>
optional=<span class="code-quote">"true"</span> /&gt;</span>
            <span class="code-tag">&lt;/claimTypesRequested&gt;</span>
            <span class="code-tag">&lt;authenticationType type=<span class="code-quote">"String"</span>
value=<span class="code-quote">"http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard"</span>
/&gt;</span>
            <span class="code-tag">&lt;homeRealm type=<span class="code-quote">"Class"</span>
value=<span class="code-quote">"example.HomeRealmCallbackHandler.class"</span>
/&gt;</span>
        <span class="code-tag">&lt;/protocol&gt;</span>
    <span class="code-tag">&lt;/contextConfig&gt;</span>
<span class="code-tag">&lt;/FedizConfig&gt;</span>
</pre>
</div></div>

<p>The predefined <tt>wauth</tt> URIs are listed in the WS-Federation 1.2 specification: <a href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"
class="external-link" rel="nofollow">http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997</a></p>
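<p>The following block is an added example and is not code from the Fediz project or from this
page. It illustrates, for both examples above, the checks a relying party derives from a
<tt>FedizConfig</tt>: the audience URI check against the token's <tt>AudienceRestriction</tt>, the
trusted-issuer <tt>subject</tt> regular expression, and role extraction via <tt>roleURI</tt> and
<tt>roleDelimiter</tt>. The configuration, the SAML 2.0 assertion, the certificate subject DNs
and the tightened pattern are all constructed for the example; no keystore is read, so the X.509
chain building that <tt>ChainTrust</tt> performs against <tt>certificateStore</tt> is not reproduced, and
whether the real plugin applies the subject pattern as a full or a partial match is not stated on
the page, which is why the tightened pattern is anchored explicitly.</p>

```python
"""Added illustration (not Fediz code) of the checks a relying party derives
from a FedizConfig: audience restriction, trusted-issuer subject matching and
role extraction.  Config, assertion and subject DNs are constructed; no
keystore is read and no signature is verified here.
"""
import re
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}
ROLE_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"

# Constructed FedizConfig modelled on the page's two examples.
FEDIZ_CONFIG = f"""
<FedizConfig>
  <contextConfig name="/fedizhelloworld">
    <audienceUris>
      <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
    </audienceUris>
    <trustedIssuers>
      <issuer name="issuer 1" certificateValidation="ChainTrust"
              subject=".*CN=www.sts.com.*" />
    </trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.0.0">
      <issuer>https://localhost:9443/fedizidp/</issuer>
      <roleDelimiter>,</roleDelimiter>
      <roleURI>{ROLE_CLAIM}</roleURI>
    </protocol>
  </contextConfig>
</FedizConfig>
"""

# Constructed SAML 2.0 assertion (signature omitted) with the parts the checks use.
ASSERTION = ET.fromstring(f"""
<saml:Assertion xmlns:saml="{SAML2}" ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://localhost:9443/fedizidp/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:8443/fedizhelloworld</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_CLAIM}">
      <saml:AttributeValue>User,Manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
""".strip())


def load_context_config(xml_text, context_name):
    """Return the settings of the <contextConfig> whose name matches."""
    root = ET.fromstring(xml_text.strip())
    for ctx in root.findall("contextConfig"):
        if ctx.get("name") != context_name:
            continue
        proto = ctx.find("protocol")
        return {
            "audiences": [a.text.strip() for a in ctx.findall("audienceUris/audienceItem")],
            # subject is a regular expression per the page; compile it once
            "issuers": [re.compile(i.get("subject")) for i in ctx.findall("trustedIssuers/issuer")],
            "idp_url": proto.findtext("issuer"),
            "role_uri": proto.findtext("roleURI"),          # None in the minimum example
            "role_delimiter": proto.findtext("roleDelimiter"),
        }
    raise KeyError(f"no contextConfig named {context_name}")


def audience_matches(cfg, assertion):
    """True if any configured audience URI appears in the token's AudienceRestriction."""
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    token_audiences = {a.text.strip() for a in assertion.findall(path, NS)}
    return any(uri in token_audiences for uri in cfg["audiences"])


def issuer_subject_allowed(cfg, signer_subject_dn):
    """The signing certificate's subject DN must match a trusted issuer's pattern.
    fullmatch is an assumption; anchored patterns behave the same either way."""
    return any(pat.fullmatch(signer_subject_dn) for pat in cfg["issuers"])


def extract_roles(cfg, assertion):
    """Values of the roleURI attribute, split on roleDelimiter if one is configured."""
    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != cfg["role_uri"]:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            parts = text.split(cfg["role_delimiter"]) if cfg["role_delimiter"] else [text]
            roles.extend(p.strip() for p in parts if p.strip())
    return roles


def demo():
    cfg = load_context_config(FEDIZ_CONFIG, "/fedizhelloworld")
    # Tightened version of the page's subject pattern: dots escaped, CN anchored,
    # further RDNs allowed only after a comma (constructed DN layout).
    strict = re.compile(r"^CN=www\.sts\.com(,.*)?$")
    genuine = "CN=www.sts.com,O=Example,C=DE"
    lookalike = "CN=www.sts.com.attacker.example,O=Evil"
    return {
        "audience_ok": audience_matches(cfg, ASSERTION),
        "roles": extract_roles(cfg, ASSERTION),
        "loose_accepts_genuine": issuer_subject_allowed(cfg, genuine),
        "loose_accepts_lookalike": issuer_subject_allowed(cfg, lookalike),
        "strict_accepts_genuine": bool(strict.fullmatch(genuine)),
        "strict_rejects_lookalike": strict.fullmatch(lookalike) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>The page's pattern <tt>.*CN=www.sts.com.*</tt> accepts both constructed subjects, the genuine one and the
look-alike, because the dots are unescaped and the pattern is unanchored; the anchored, escaped
pattern accepts only the genuine one. The same parser serves the minimum example (no
<tt>roleURI</tt>, so <tt>extract_roles</tt> returns nothing) and the advanced example, where the single
role claim value <tt>User,Manager</tt> is split on the configured delimiter.</p>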



    </div>
        <div id="commentsSection" class="wiki-content pageSection">
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
