cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r819001 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html
Date Thu, 24 May 2012 20:47:51 GMT
Author: buildbot
Date: Thu May 24 20:47:51 2012
New Revision: 819001

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-configuration.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==============================================================================
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Thu May 24 20:47:51 2012
@@ -153,7 +153,7 @@ Apache CXF -- Fediz Configuration
         <span class="code-tag">&lt;/audienceUris&gt;</span>
         <span class="code-tag">&lt;certificateStore&gt;</span>
             <span class="code-tag">&lt;trustManager&gt;</span>
-                <span class="code-tag">&lt;keyStore file=<span class="code-quote">"/projects/fediz/tomcat-rp2/conf/stsstore.jks"</span>
password=<span class="code-quote">"stsspass"</span> type=<span class="code-quote">"JKS"</span>
/&gt;</span>
+                <span class="code-tag">&lt;keyStore file=<span class="code-quote">"conf/stsstore.jks"</span>
password=<span class="code-quote">"stsspass"</span> type=<span class="code-quote">"JKS"</span>
/&gt;</span>
             <span class="code-tag">&lt;/trustManager&gt;</span>
         <span class="code-tag">&lt;/certificateStore&gt;</span>
         <span class="code-tag">&lt;trustedIssuers&gt;</span>
@@ -175,7 +175,9 @@ Finally, the audience URI is validated a
 <h3><a shape="rect" name="FedizConfiguration-Configurationreference"></a>Configuration
reference</h3>
 
 <div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">XML element </th><th colspan="1" rowspan="1" class="confluenceTh">Name
</th><th colspan="1" rowspan="1" class="confluenceTh">Use </th><th colspan="1"
rowspan="1" class="confluenceTh">Description</th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> audienceUris </td><td colspan="1" rowspan="1"
class="confluenceTd"> Audience URI </td><td colspan="1" rowspan="1" class="confluenceTd">
Required </td><td colspan="1" rowspan="1" class="confluenceTd"> The values of
the list of audience URIs are verified against the element <tt>AudienceRestriction</tt>
in the SAML token </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
certificateStore </td><td colspan="1" rowspan="1" class="confluenceTd"> Trusted
certificate store </td><td colspan="1" rowspan="1" class="confluenceTd"> Required
</td><td colspan="1" rowspan="1" class="confluenceTd"> The list of keystores (JKS,
PEM) includ
 es at least the certificate of the Certificate Authorities (CA) which signed the certificate
which is used to sign the SAML token </td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> trustedIssuers </td><td colspan="1" rowspan="1" class="confluenceTd">
Trusted Issuers </td><td colspan="1" rowspan="1" class="confluenceTd"> Required
</td><td colspan="1" rowspan="1" class="confluenceTd"> There are two ways to configure
a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the
certificate of the IDP (<tt>certificateValidation=ChainTrust</tt>) or you configure
the certificate of the IDP and the CA(s) who signed it (<tt>certificateValidation=PeerTrust</tt>)</td></tr></tbody></table>
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">XML element </th><th colspan="1" rowspan="1" class="confluenceTh">Name
</th><th colspan="1" rowspan="1" class="confluenceTh">Use </th><th colspan="1"
rowspan="1" class="confluenceTh">Description</th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> audienceUris </td><td colspan="1" rowspan="1"
class="confluenceTd"> Audience URI </td><td colspan="1" rowspan="1" class="confluenceTd">
Required </td><td colspan="1" rowspan="1" class="confluenceTd"> The values of
the list of audience URIs are verified against the element <tt>AudienceRestriction</tt>
in the SAML token </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
certificateStore </td><td colspan="1" rowspan="1" class="confluenceTd"> Trusted
certificate store </td><td colspan="1" rowspan="1" class="confluenceTd"> Required
</td><td colspan="1" rowspan="1" class="confluenceTd"> The list of keystores (JKS,
PEM) includ
 es at least the certificate of the Certificate Authorities (CA) which signed the certificate
which is used to sign the SAML token.<br clear="none">
+If the file location is not fully qualified it's relative to the Container home directory
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> trustedIssuers
</td><td colspan="1" rowspan="1" class="confluenceTd"> Trusted Issuers </td><td
colspan="1" rowspan="1" class="confluenceTd"> Required </td><td colspan="1" rowspan="1"
class="confluenceTd"> There are two ways to configure a trusted issuer (IDP). Either you
configure the subject name and the CA(s) who signed the certificate of the IDP (<tt>certificateValidation=ChainTrust</tt>)
or you configure the certificate of the IDP and the CA(s) who signed it (<tt>certificateValidation=PeerTrust</tt>)</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> maximumClockSkew </td><td colspan="1"
rowspan="1" class="confluenceTd"> Maximum Clock Skew </td><td colspan="1" rowspan="1"
class="confluenceTd"> Optional </td><td colspan="1" rowspan="1" class="confluenceTd">
Maximum allowable time difference between the system
  clocks of the IDP and RP.<br clear="none">
+Default 5 seconds. </td></tr></tbody></table>
 </div>
 
 
@@ -183,14 +185,22 @@ Finally, the audience URI is validated a
 <h5><a shape="rect" name="FedizConfiguration-WSFederationprotocolconfigurationreference"></a>WS-Federation
protocol configuration reference </h5>
 
 <div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">XML element </th><th colspan="1" rowspan="1" class="confluenceTh">Name
</th><th colspan="1" rowspan="1" class="confluenceTh">Use </th><th colspan="1"
rowspan="1" class="confluenceTh">Description</th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> issuer </td><td colspan="1" rowspan="1" class="confluenceTd">
Issuer URL </td><td colspan="1" rowspan="1" class="confluenceTd"> Required </td><td
colspan="1" rowspan="1" class="confluenceTd">This URL defines the location of the IDP to
whom unauthenticated requests are redirected </td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> authenticationType </td><td colspan="1" rowspan="1"
class="confluenceTd"> Authentication Type </td><td colspan="1" rowspan="1" class="confluenceTd">
Optional </td><td colspan="1" rowspan="1" class="confluenceTd"> The authentication
type defines what kind of authentication is required. This infor
 mation is provided in the SignInRequest to the IDP (parameter <tt>wauth</tt>)<br
clear="none">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">XML element </th><th colspan="1" rowspan="1" class="confluenceTh">Name
</th><th colspan="1" rowspan="1" class="confluenceTh">Use </th><th colspan="1"
rowspan="1" class="confluenceTh">Description</th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> issuer </td><td colspan="1" rowspan="1" class="confluenceTd">
Issuer URL </td><td colspan="1" rowspan="1" class="confluenceTd"> Required </td><td
colspan="1" rowspan="1" class="confluenceTd">This URL defines the location of the IDP to
whom unauthenticated requests are redirected </td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> realm </td><td colspan="1" rowspan="1" class="confluenceTd">
Realm </td><td colspan="1" rowspan="1" class="confluenceTd"> Optional </td><td
colspan="1" rowspan="1" class="confluenceTd"> Security realm of the Relying Party / Application.
This value is part of the SignIn request as the <tt>wtrealm
 </tt> parameter.<br clear="none">
+Default: URL including the Servlet Context </td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> authenticationType </td><td colspan="1" rowspan="1"
class="confluenceTd"> Authentication Type </td><td colspan="1" rowspan="1" class="confluenceTd">
Optional </td><td colspan="1" rowspan="1" class="confluenceTd"> The authentication
type defines what kind of authentication is required. This information is provided in the
SignInRequest to the IDP (parameter <tt>wauth</tt>)<br clear="none">
 The WS-Federation standard defines a list of predefined URIs for wauth <a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"
rel="nofollow">here</a>.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> roleURI </td><td colspan="1" rowspan="1" class="confluenceTd">
Role Claim URI </td><td colspan="1" rowspan="1" class="confluenceTd"> Optional
</td><td colspan="1" rowspan="1" class="confluenceTd"> Defines the attribute name
of the SAML token which contains the roles </td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> roleDelimiter </td><td colspan="1" rowspan="1"
class="confluenceTd"> Role Value Delimiter </td><td colspan="1" rowspan="1" class="confluenceTd">
Optional </td><td colspan="1" rowspan="1" class="confluenceTd"> There are different
ways to encode multi value attributes in SAML.
 <ul><li>Single attribute with multiple values</li><li>Several attributes
with the same name but only one value</li><li>Single attribute with single value.
Roles are delimited by <tt>roleDelimiter</tt></li></ul>
-</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> claimTypesRequested
</td><td colspan="1" rowspan="1" class="confluenceTd"> Requested claims </td><td
colspan="1" rowspan="1" class="confluenceTd"> Optional </td><td colspan="1" rowspan="1"
class="confluenceTd"> The claims required by the Relying Party are listed here. Claims
can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token
should fail </td></tr></tbody></table>
+</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> claimTypesRequested
</td><td colspan="1" rowspan="1" class="confluenceTd"> Requested claims </td><td
colspan="1" rowspan="1" class="confluenceTd"> Optional </td><td colspan="1" rowspan="1"
class="confluenceTd"> The claims required by the Relying Party are listed here. Claims
can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token
should fail </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
homeRealm </td><td colspan="1" rowspan="1" class="confluenceTd"> Home Realm </td><td
colspan="1" rowspan="1" class="confluenceTd"> Optional </td><td colspan="1" rowspan="1"
class="confluenceTd"> Indicates the Resource IDP the home realm of the requestor. This
may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation.
This value is part of the SignIn request as the <tt>whr</tt> parameter </td></tr></tbody></table>
 </div>
 
 
 
+<h5><a shape="rect" name="FedizConfiguration-Attributesresolvedatruntime"></a>Attributes
resolved at runtime</h5>
+
+<p>The following attributes can be either configured statically at deployment time
or dynamically when the initial request is received:</p>
+<ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li></ul>
+
+
+<p>These configuration elements provides to configure a CallbackHandler which gets
a Callback object where the appropriate value must be set. The CallbackHandler implementation
has access to the HttpServletRequest. The XML attribute <tt>type</tt> must be
set to <tt>Class</tt>.</p>
 
 
 
@@ -209,10 +219,11 @@ The WS-Federation standard defines a lis
         <span class="code-tag">&lt;certificateStore&gt;</span>
             <span class="code-tag">&lt;keyStore file=<span class="code-quote">"/projects/fediz/tomcat-rp2/conf/stsstore.jks"</span>
password=<span class="code-quote">"stsspass"</span> type=<span class="code-quote">"file"</span>
/&gt;</span>
         <span class="code-tag">&lt;/certificateStore&gt;</span>
+        <span class="code-tag">&lt;maximumClockSkew&gt;</span>10<span
class="code-tag">&lt;/maximumClockSkew&gt;</span>
         <span class="code-tag">&lt;trustedIssuers&gt;</span>
             <span class="code-tag">&lt;issuer name=<span class="code-quote">"issuer
1"</span> certificateValidation=<span class="code-quote">"ChainTrust"</span>
subject=<span class="code-quote">".*CN=www.sts.com.*"</span> /&gt;</span>
         <span class="code-tag">&lt;/trustedIssuers&gt;</span>
-        <span class="code-tag">&lt;protocol <span class="code-keyword">xmlns:xsi</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> xsi:type=<span
class="code-quote">"federationProtocolType"</span> version=<span class="code-quote">"1.0.0"</span>&gt;</span>
+        <span class="code-tag">&lt;protocol <span class="code-keyword">xmlns:xsi</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> xsi:type=<span
class="code-quote">"federationProtocolType"</span> version=<span class="code-quote">"1.2"</span>&gt;</span>
             <span class="code-tag">&lt;issuer&gt;</span>https://localhost:9443/fedizidp/<span
class="code-tag">&lt;/issuer&gt;</span>
             <span class="code-tag">&lt;roleDelimiter&gt;</span>,<span
class="code-tag">&lt;/roleDelimiter&gt;</span>
             <span class="code-tag">&lt;roleURI&gt;</span>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role<span
class="code-tag">&lt;/roleURI&gt;</span>
@@ -220,15 +231,13 @@ The WS-Federation standard defines a lis
                 <span class="code-tag">&lt;claimType type=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"</span>
optional=<span class="code-quote">"true"</span> /&gt;</span>
             <span class="code-tag">&lt;/claimTypesRequested&gt;</span>
             <span class="code-tag">&lt;authenticationType type=<span class="code-quote">"String"</span>
value=<span class="code-quote">"http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard"</span>
/&gt;</span>
-            <span class="code-tag">&lt;homeRealm type=<span class="code-quote">"Class"</span>
value=<span class="code-quote">"example.HomeRealmCallbackHandler.class"</span>
/&gt;</span>
+            <span class="code-tag">&lt;homeRealm type=<span class="code-quote">"Class"</span>
value=<span class="code-quote">"example.HomeRealmCallbackHandler"</span> /&gt;</span>
         <span class="code-tag">&lt;/protocol&gt;</span>
     <span class="code-tag">&lt;/contextConfig&gt;</span>
 <span class="code-tag">&lt;/FedizConfig&gt;</span>
 </pre>
 </div></div>
 
-<p><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"
rel="nofollow">http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997</a></p>
-
 
 </div>
            </div>



Mime
View raw message