cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r820387 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html fediz-idp.html fediz-tomcat.html
Date Tue, 05 Jun 2012 20:48:00 GMT
Author: buildbot
Date: Tue Jun  5 20:48:00 2012
New Revision: 820387

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-configuration.html
    websites/production/cxf/content/fediz-idp.html
    websites/production/cxf/content/fediz-tomcat.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==============================================================================
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Tue Jun  5 20:48:00 2012
@@ -139,10 +139,10 @@ Apache CXF -- Fediz Configuration
 <div id="ConfluenceContent"><p><img align="middle" class="emoticon" src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif"
height="16" width="16" alt="" border="0"> Under construction</p>
 
 <h1><a shape="rect" name="FedizConfiguration-FedizPluginconfiguration"></a>Fediz
Plugin configuration</h1>
-<p>This page describes the Fediz configuration file which is referenced by the security
interceptor (eg. authenticator in Tomcat/Jetty).</p>
+<p>This page describes the Fediz configuration file referenced by the security interceptor
(eg. authenticator in Tomcat/Jetty).</p>
 
 <h3><a shape="rect" name="FedizConfiguration-Example"></a>Example</h3>
-<p>The following example describes the minimum configuration for Fediz.</p>
+<p>The following example shows the minimum configuration for Fediz.</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
 <span class="code-tag">&lt;?xml version=<span class="code-quote">"1.0"</span>
encoding=<span class="code-quote">"UTF-8"</span> standalone=<span class="code-quote">"yes"</span>?&gt;</span>
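Review bot: the new '+<p>This page describes the Fediz configuration file referenced by the security interceptor' line keeps the abbreviation 'eg.' where 'e.g.' is meant; since the sentence is being rewritten anyway, fix it here.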
@@ -167,8 +167,9 @@ Apache CXF -- Fediz Configuration
 </pre>
 </div></div>
 
-<p>The element protocol defines that you use the WS-Federation protocol. The issuer
says to which URL authenticated requests will be redirected with the SignIn request.<br
clear="none">
-The IDP issues a SAML token which must be validated by the plugin. The validation requires
the certificate store of the Certificate Authority(ies) of the certificate which signed the
SAML token. This is defined in <tt>certificateStore</tt>. The signing certificate
itself is not required because <tt>certificateValidation</tt> is set to <tt>ChainTrust</tt>.
The <tt>subject</tt> defines the trusted signing certificate using the subject
as a regular expression.<br clear="none">
+<p>The protocol element declares that the WS-Federation protocol is being used. The
issuer element shows the URL to which authenticated requests will be redirected with a SignIn
request.  </p>
+
+<p>The IDP issues a SAML token which must be validated by the plugin. The validation
requires the certificate store of the Certificate Authority(ies) of the certificate which
signed the SAML token. This is defined in <tt>certificateStore</tt>. The signing
certificate itself is not required because <tt>certificateValidation</tt> is set
to <tt>ChainTrust</tt>. The <tt>subject</tt> defines the trusted signing
certificate using the subject as a regular expression.<br clear="none">
 Finally, the audience URI is validated against the audience restriction in the SAML token.</p>
 
 
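Review bot: the new second paragraph names the element <tt>certificateStore</tt>, but the configuration table further down in this same file lists it as certificateStores (plural); one of the two should be corrected so readers can search for the right element name. The sentence on the <tt>subject</tt> regular expression also deserves one more line: under ChainTrust it is the only thing that narrows trust below 'any certificate issued by the trusted CA(s)', so the doc should advise an anchored, exact pattern rather than a loose one.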
@@ -176,7 +177,7 @@ Finally, the audience URI is validated a
 
 <div class="table-wrap">
 <table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">XML element </th><th colspan="1" rowspan="1" class="confluenceTh">Name
</th><th colspan="1" rowspan="1" class="confluenceTh">Use </th><th colspan="1"
rowspan="1" class="confluenceTh">Description</th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> audienceUris </td><td colspan="1" rowspan="1"
class="confluenceTd"> Audience URI </td><td colspan="1" rowspan="1" class="confluenceTd">
Required </td><td colspan="1" rowspan="1" class="confluenceTd"> The values of
the list of audience URIs are verified against the element <tt>AudienceRestriction</tt>
in the SAML token </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
certificateStores </td><td colspan="1" rowspan="1" class="confluenceTd"> Trusted
certificate store </td><td colspan="1" rowspan="1" class="confluenceTd"> Required
</td><td colspan="1" rowspan="1" class="confluenceTd"> The list of keystores (JKS,
PEM) inclu
 des at least the certificate of the Certificate Authorities (CA) which signed the certificate
which is used to sign the SAML token.<br clear="none">
-If the file location is not fully qualified it's relative to the Container home directory
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> trustedIssuers
</td><td colspan="1" rowspan="1" class="confluenceTd"> Trusted Issuers </td><td
colspan="1" rowspan="1" class="confluenceTd"> Required </td><td colspan="1" rowspan="1"
class="confluenceTd"> There are two ways to configure a trusted issuer (IDP). Either you
configure the subject name and the CA(s) who signed the certificate of the IDP (<tt>certificateValidation=ChainTrust</tt>)
or you configure the certificate of the IDP and the CA(s) who signed it (<tt>certificateValidation=PeerTrust</tt>)</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> maximumClockSkew </td><td colspan="1"
rowspan="1" class="confluenceTd"> Maximum Clock Skew </td><td colspan="1" rowspan="1"
class="confluenceTd"> Optional </td><td colspan="1" rowspan="1" class="confluenceTd">
Maximum allowable time difference between the system
  clocks of the IDP and RP.<br clear="none">
+If the file location is not fully qualified it needs to be relative to the Container home
directory </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
trustedIssuers </td><td colspan="1" rowspan="1" class="confluenceTd"> Trusted
Issuers </td><td colspan="1" rowspan="1" class="confluenceTd"> Required </td><td
colspan="1" rowspan="1" class="confluenceTd"> There are two ways to configure a trusted
issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate
of the IDP (<tt>certificateValidation=ChainTrust</tt>) or you configure the certificate
of the IDP and the CA(s) who signed it (<tt>certificateValidation=PeerTrust</tt>)</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> maximumClockSkew </td><td colspan="1"
rowspan="1" class="confluenceTd"> Maximum Clock Skew </td><td colspan="1" rowspan="1"
class="confluenceTd"> Optional </td><td colspan="1" rowspan="1" class="confluenceTd">
Maximum allowable time difference between 
 the system clocks of the IDP and RP.<br clear="none">
 Default 5 seconds. </td></tr></tbody></table>
 </div>
 
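Review bot: the reworded line '+If the file location is not fully qualified it needs to be relative to the Container home directory' turns a statement about how a relative path is resolved into a requirement, and 'needs to be relative' is ambiguous; suggest 'is resolved relative to the container home directory'. The certificateStores description also has 'includes' split across two lines ('inclu' / 'des'), which is worth checking in the rendered page.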
@@ -200,13 +201,13 @@ The WS-Federation standard defines a lis
 <ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li></ul>
 
 
-<p>These configuration elements provides to configure a CallbackHandler which gets
a Callback object where the appropriate value must be set. The CallbackHandler implementation
has access to the HttpServletRequest. The XML attribute <tt>type</tt> must be
set to <tt>Class</tt>.</p>
+<p>These configuration elements allows for configuring a CallbackHandler which gets
a Callback object where the appropriate value must be set. The CallbackHandler implementation
has access to the HttpServletRequest. The XML attribute <tt>type</tt> must be
set to <tt>Class</tt>.</p>
 
 
 
 <h3><a shape="rect" name="FedizConfiguration-Advancedexample"></a>Advanced
example</h3>
 
-<p>The following example defines the required claims and configure custom callback
handler to define some configuration values at runtime.</p>
+<p>The following example defines the required claims and configures a custom callback
handler to define some configuration values at runtime.</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
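Review bot: '+<p>These configuration elements allows for configuring a CallbackHandler' introduces a subject-verb disagreement; suggest 'These configuration elements allow you to configure a CallbackHandler which receives a Callback object ...'. The same sentence would be easier to implement against if it named the Callback class the handler receives rather than 'a Callback object'.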
@@ -236,10 +237,7 @@ The WS-Federation standard defines a lis
     <span class="code-tag">&lt;/contextConfig&gt;</span>
 <span class="code-tag">&lt;/FedizConfig&gt;</span>
 </pre>
-</div></div>
-
-
-</div>
+</div></div></div>
            </div>
            <!-- Content -->
          </td>

Modified: websites/production/cxf/content/fediz-idp.html
==============================================================================
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Tue Jun  5 20:48:00 2012
@@ -140,16 +140,16 @@ Apache CXF -- Fediz IDP
 
 <h1><a shape="rect" name="FedizIDP-FedizIDP"></a>Fediz IDP</h1>
 
-<p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security
Token Service (STS) component which is responsible to validate credentials, getting the requested
claims data and issues a SAML token. There is no easy way for Web browsers to issue SOAP requests
to the STS directly. The second component is the IDP WAR which adapts the browser to the STS.
The communication between the browser and the IDP must be performed within the confines of
the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols
semantic.</p>
+<p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security
Token Service (STS) component which is responsible for validating credentials, getting the
requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue
SOAP requests to the STS directly, necessitating the second component, an IDP WAR which allows
browser-based applications to interact with the STS. The communication between the browser
and the IDP must be performed within the confines of the base HTTP 1.1 functionality and conform
as closely as possible to the WS-Trust protocols semantic.</p>
 
-<p>The Fediz STS is based on the CXF STS configured to support the use cases required
by the examples.</p>
+<p>The Fediz STS is based on a customized CXF STS configured to support standard Federation
use cases demonstrated by the examples.</p>
 
 <h3><a shape="rect" name="FedizIDP-Installation"></a>Installation</h3>
 
-<p>The Fediz IDP has been tested with Tomcat 6 and 7 but there are no reasons why it
shouldn't work in any commercial application server.</p>
+<p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with
any commercial JEE application server.</p>
 
-<p>It's recommended to set up a dedicated Tomcat instance for the IDP. The Fediz examples
use the following TCP ports to interact with the IDP/STS:</p>
-<ul><li>HTTP port: 9080 (used for maven deployment, mvn tomcat:redeploy)</li><li>HTTPS
port: 9443 (where IDP and STS are accessed)</li></ul>
+<p>It's recommended to set up a dedicated (separate) Tomcat instance for the IDP. The
Fediz examples use the following TCP ports to interact with the IDP/STS:</p>
+<ul><li>HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS
port: 9443 (where IDP and STS are accessed)</li></ul>
 
 
 <p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p>
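Review bot: 'conform as closely as possible to the WS-Trust protocols semantic' survives the rewrite of the first paragraph unchanged; it should read 'the WS-Trust protocol's semantics'. Since the '+<ul><li>HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)' item documents a plain-HTTP deployment channel, the doc should also say that this port is only for the build and deploy step and should not be reachable beyond the build host, the way the HTTPS 9443 item explains its purpose.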
@@ -165,7 +165,7 @@ Apache CXF -- Fediz IDP
 </pre>
 </div></div>
 
-<p>The keystoreFile is relative to catalina home. See <a shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for Tomcat
7 configuration reference. This page also describes how to create certificates.</p>
+<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat
7 configuration reference. This page also describes how to create certificates.</p>
 
 <p><b>Production: It's highly recommended to deploy certificates signed by a
Certificate Authority</b></p>
 
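Review bot: '+<p>The keystoreFile is relative to $CATALINA_HOME' should say which base directory a relative keystoreFile path is actually resolved against, because the page recommends a dedicated Tomcat instance for the IDP, in which case $CATALINA_BASE and $CATALINA_HOME can differ; either state the rule explicitly or defer to the linked Tomcat SSL how-to for it.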
@@ -177,7 +177,7 @@ Apache CXF -- Fediz IDP
 
 <h5><a shape="rect" name="FedizIDP-Userandpassword"></a>User and password</h5>
 
-<p>The users and passwords are configured in a spring configuration file in <tt>webapps/fediz-idp-sts/WEB-INF/passwords.xml</tt>.
The following users are already configured and can easily be extended.</p>
+<p>The users and passwords are configured in a Spring configuration file in <tt>webapps/fediz-idp-sts/WEB-INF/passwords.xml</tt>.
The following users are already configured and can easily be extended.</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
     <span class="code-tag">&lt;util:map id=<span class="code-quote">"passwords"</span>&gt;</span>
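Review bot: the only change here is 'spring' to 'Spring', but the sentence 'The following users are already configured and can easily be extended' documents sample accounts in passwords.xml without saying that they must be removed or have their passwords changed before the IDP/STS is exposed, nor whether the map holds passwords in clear text. Suggest a bold 'Production:' line here like the one used for CA-signed certificates in the hunk above.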
@@ -219,11 +219,10 @@ Apache CXF -- Fediz IDP
 </pre>
 </div></div>
 
-<p>The claim id's are configured according to chapter 7.5 in the specification <a
shape="rect" class="external-link" href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html"
rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims to
a SAML attribute statement are described in chapter 7.2.</p>
+<p>The claim id's are configured according to Section 7.5 in the specification <a
shape="rect" class="external-link" href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html"
rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims to
a SAML attribute statement are described in Section 7.2.</p>
 
 <h5><a shape="rect" name="FedizIDP-Applicationclaims"></a>Application claims</h5>
 
-
 <p>The required claims per relying party are configured in the <tt>webapps/fediz-idp/WEB-INF/RPClaims.xml</tt>.
The XML file has the following structure:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
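Review bot: 'claim id's' on the '+<p>The claim id's are configured' line should be 'claim IDs' (no apostrophe), and 'The mapping of claims to a SAML attribute statement are described' needs 'is described'; both survived the 'chapter' to 'Section' change.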
@@ -242,14 +241,12 @@ Apache CXF -- Fediz IDP
 </pre>
 </div></div>
 
-<p>The key of each map entry must match with the <tt>wtrealm</tt> paramater
in the redirect triggered by the relying party. The required claims for the different type
of applications are grouped in beans which are a list of String as illustrated in <tt>claimsWsfedhelloworld</tt>.</p>
+<p>The key of each map entry must match with the <tt>wtrealm</tt> paramater
in the redirect triggered by the relying party. The required claims for the different type
of applications are grouped in beans which are a list of Strings as illustrated in <tt>claimsWsfedhelloworld</tt>.</p>
 
 <p>The bean <tt>realm2ClaimsMap</tt> must be named realm2ClaimsMap and
maps the different Relying Parties (applications) to one of the claim lists. This map is required
to manage which claims are required for the applications.</p>
 
 <p>The JIRA issue <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/FEDIZ-1">FEDIZ-1</a>
will provide another option to manage the required claims on the Relying Party side.</p>
 
-
-
 <h3><a shape="rect" name="FedizIDP-ConfigureLDAPdirectory"></a>Configure
LDAP directory</h3>
 
 <p>The Fediz IDP can be configured to attach an LDAP directory to authenticate users
and to retrieve claims information of users.</p>
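Review bot: 'paramater' is carried over unchanged into the '+<p>The key of each map entry must match with the <tt>wtrealm</tt> paramater' line; fix it to 'parameter', change 'the different type of applications' to 'types', and drop 'with' from 'must match with', as the later hunk in this file already does for contextName.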
@@ -282,7 +279,7 @@ export JAVA_OPTS
 </pre>
 </div></div>
 
-<p>Next, the STS endpoint has to be configured to use the JAAS LoginModule which is
acomplished by the <tt>JAASUsernameTokenValidator</tt>.</p>
+<p>Next, the STS endpoint has to be configured to use the JAAS LoginModule which is
accomplished by the <tt>JAASUsernameTokenValidator</tt>.</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
@@ -308,7 +305,7 @@ export JAVA_OPTS
 </pre>
 </div></div>
 
-<p>The property <tt>contextName</tt> must match with the context name defined
in the JAAS configuration file which is <tt>myldap</tt> in this example.</p>
+<p>The property <tt>contextName</tt> must match the context name defined
in the JAAS configuration file which is <tt>myldap</tt> in this example.</p>
 
 <h5><a shape="rect" name="FedizIDP-Claimsmanagement"></a>Claims management</h5>
 

Modified: websites/production/cxf/content/fediz-tomcat.html
==============================================================================
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Tue Jun  5 20:48:00 2012
@@ -156,9 +156,9 @@ add the previously created directory to 
 
 <p>The Fediz related configuration is Container independent and described <a shape="rect"
href="fediz-configuration.html" title="Fediz Configuration">here</a>.</p>
 
-<p>The Fediz plugin requires to configure the FederationAuthenticator like any other
Valve in Tomcat which is described here <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p>
+<p>The Fediz plugin requires configuring the FederationAuthenticator like any other
Valve in Tomcat which is described here <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p>
 
-<p>A valve can be configured on different levels like <em>Host</em> or
<em>Context</em>. The Fediz configuration file allows to configure all servlet
contexts in one file or choose one file per Servlet Context. If you choose to have one Fediz
configuration file per Servlet Context then you must configure the FederationAuthenticator
on the <em>Context</em> level otherwise on the <em>Host</em> level
in the Tomcat configuration file <em>server.xml</em></p>
+<p>A valve can be configured on different levels like <em>Host</em> or
<em>Context</em>. The Fediz configuration file allows to configure all servlet
contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz
configuration file per Servlet Context then you must configure the FederationAuthenticator
on the <em>Context</em> level otherwise on the <em>Host</em> level
in the Tomcat configuration file <em>server.xml</em></p>
 
 
 <p>You can either configure the context in the server.xml or in META-INF/context.xml
as part of your WAR file.</p>
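Review bot: the duplicated 'described here <a ...>here</a>' in the '+<p>The Fediz plugin requires configuring the FederationAuthenticator' line is kept by the rewrite; drop the first 'here'. In the next paragraph, 'allows to configure all servlet contexts in one file or choosing one file per Servlet Context' breaks parallelism (suggest 'allows you to configure all servlet contexts in one file or to use one file per Servlet Context'), and the sentence ending in <em>server.xml</em> is missing its full stop.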


