cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r823109 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html
Date Mon, 25 Jun 2012 12:48:00 GMT
Author: buildbot
Date: Mon Jun 25 12:47:59 2012
New Revision: 823109

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==============================================================================
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jun 25 12:47:59 2012
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO
 
 
 <div>
-<ul><li><a shape="rect" href="#SAMLWebSSO-Introduction">Introduction</a></li><ul><li><a
shape="rect" href="#SAMLWebSSO-TypicalFlow">Typical Flow</a></li></ul><li><a
shape="rect" href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity Provider</a></li><li><a
shape="rect" href="#SAMLWebSSO-ApplicationSecurityFilter">Application Security Filter</a></li><li><a
shape="rect" href="#SAMLWebSSO-RequestAssertionSecurityService">Request Assertion Security
Service</a></li><li><a shape="rect" href="#SAMLWebSSO-SSOStateProvider">SSO
State Provider</a></li></ul></div>
+<ul><li><a shape="rect" href="#SAMLWebSSO-Introduction">Introduction</a></li><ul><li><a
shape="rect" href="#SAMLWebSSO-TypicalFlow">Typical Flow</a></li></ul><li><a
shape="rect" href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity Provider</a></li><li><a
shape="rect" href="#SAMLWebSSO-ServiceProviderSecurityFilter">Service Provider Security
Filter</a></li><ul><li><a shape="rect" href="#SAMLWebSSO-RedirectBindingFilter">Redirect
Binding Filter</a></li><li><a shape="rect" href="#SAMLWebSSO-POSTBindingFilter">POST
Binding Filter</a></li></ul><li><a shape="rect" href="#SAMLWebSSO-RequestAssertionSecurityService">Request
Assertion Security Service</a></li><li><a shape="rect" href="#SAMLWebSSO-SSOStateProvider">SSO
State Provider</a></li></ul></div>
 
 <h1><a shape="rect" name="SAMLWebSSO-Introduction"></a>Introduction</h1>
 
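Review bot: the nested `<ul>` elements in the new table of contents (the `Typical Flow` sub-list and the `Redirect Binding Filter` / `POST Binding Filter` sub-list) are emitted as direct children of the outer `<ul>` instead of inside the preceding `<li>`, which is not valid HTML list nesting; the pre-change list had the same shape, so this is a generator issue rather than a regression, but the sub-list should be placed inside the parent `<li>`. The new anchors (`#SAMLWebSSO-ServiceProviderSecurityFilter`, `#SAMLWebSSO-RedirectBindingFilter`, `#SAMLWebSSO-POSTBindingFilter`) match the `name` attributes of the headings introduced further down in this file, and the dropped `#SAMLWebSSO-ApplicationSecurityFilter` entry corresponds to the heading removed there, so TOC and body stay consistent.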
@@ -174,9 +174,125 @@ Apache CXF -- SAML Web SSO
 
 <p>CXF does not offer its own IDP SAML Web SSO implementation but might provide it
in the future as part of the <a shape="rect" href="http://cxf.apache.org/fediz.html">Fediz</a>
project.</p>
 
-<p>However, CXF has been tested against a number of popular IDP implementations which
support SAML SSO and thus should be interoperable with whatever IDP is being used in the specific
production environment. The interoperability tests have shown that some IDPs may process SAML
request and produce SAML response data the way which may not be exactly specification-compliant
and thus CXF Request Assertion Consumer Service (RACS) and Service Provider Security Filter
implementations have a number of configuration properties for adjusting the way SAML requests
to IDP are prepared and SAML responsed from IDP are processed.</p>
+<p>However, CXF has been tested against a number of popular IDP implementations which
support SAML SSO and thus should be interoperable with whatever IDP is being used in the specific
production environment. The interoperability tests have shown that some IDPs may process SAML
request and produce SAML response data the way which may not be exactly specification-compliant
and thus CXF Request Assertion Consumer Service (RACS) and Service Provider Security Filter
implementations have a number of configuration properties for adjusting the way SAML requests
to IDP are prepared and SAML responses from IDP are processed.</p>
+
+<h1><a shape="rect" name="SAMLWebSSO-ServiceProviderSecurityFilter"></a>Service
Provider Security Filter</h1>
+
+<p>SP Security Filter protects the application endpoints by checking that a valid SSO
security context is available. If it is then the filter lets the request to continue, if not
then it redirects the current user to IDP.</p>
+
+<p>CXF offers two SP Security filters, one for redirecting the user back to IDP via
GET and another one - via POST.</p>
+
+<h2><a shape="rect" name="SAMLWebSSO-RedirectBindingFilter"></a>Redirect
Binding Filter</h2>
+
+<p>Redirect Binding Filter is implemented by org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter.</p>
+
+<p>Here is an example of a typical filter protecting a custom JAX-RS endpoint:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span>
class=<span class="code-quote">"org.apache.cxf.samlp.sso.BookStore"</span>/&gt;</span>
+
+<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/app1"</span>&gt;</span>

+       <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
+       <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+       <span class="code-tag">&lt;jaxrs:providers&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span class="code-quote">"redirectGetFilter"</span>/&gt;</span>
+       <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"redirectGetFilter"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter"</span>&gt;</span>
+      <span class="code-tag">&lt;property name=<span class="code-quote">"idpServiceAddress"</span>
value=<span class="code-quote">"https://localhost:9443/idp"</span>/&gt;</span>
+      <span class="code-tag"><span class="code-comment">&lt;!-- both relative
and absolute URIs are supported --&gt;</span></span>
+      <span class="code-tag">&lt;property name=<span class="code-quote">"assertionConsumerServiceAddress"</span>
value=<span class="code-quote">"/racs/sso"</span>/&gt;</span>
+      <span class="code-tag">&lt;property name=<span class="code-quote">"stateProvider"</span>
ref=<span class="code-quote">"stateManager"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"stateManager"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager"</span>&gt;</span>
+    <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"cxf"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+
+</pre>
+</div></div>
+
+<p>Note that at the very minimum the filter needs to have 3 properties set-up:<br
clear="none">
+1. IDP service address<br clear="none">
+2. RACS address - it can be absolute or relative if RACS is collocated <br clear="none">
+  (shares the same web application context) with the application endpoint.<br clear="none">
+3. Reference to SSO State Provider.</p>
+
+<h2><a shape="rect" name="SAMLWebSSO-POSTBindingFilter"></a>POST Binding
Filter</h2>
+
+<p>POST Binding Filter is implemented by org.apache.cxf.rs.security.saml.sso.SamlPostBindingFilter.</p>
+
+<p>Here is an example of a typical filter protecting a custom JAX-RS endpoint.</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span>
class=<span class="code-quote">"org.apache.cxf.samlp.sso.BookStore"</span>/&gt;</span>
+<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/app2"</span>&gt;</span>

+    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+       <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
+     <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+     <span class="code-tag">&lt;jaxrs:providers&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span class="code-quote">"ssoRedirectPOST"</span>/&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span class="code-quote">"samlRequestFormCreator"</span>/&gt;</span>

+     <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
+       
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"ssoRedirectPOST"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.saml.sso.SamlPostBindingFilter"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"idpServiceAddress"</span>
value=<span class="code-quote">"https://localhost:9443/idp"</span>/&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"assertionConsumerServiceAddress"</span>
value=<span class="code-quote">"/racs/sso"</span>/&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"stateProvider"</span>
ref=<span class="code-quote">"stateManager"</span>/&gt;</span>
+
+        <span class="code-tag">&lt;property name=<span class="code-quote">"useDeflateEncoding"</span>
value=<span class="code-quote">"true"</span>/&gt;</span>
+&lt;/bean
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"samlRequestFormCreator"</span>
class=<span class="code-quote">"org.apache.cxf.jaxrs.provider.RequestDispatcherProvider"</span>&gt;</span>
+      <span class="code-tag">&lt;property name=<span class="code-quote">"dispatcherName"</span>
value=<span class="code-quote">"jsp"</span>/&gt;</span>
+      <span class="code-tag">&lt;property name=<span class="code-quote">"useClassNames"</span>
value=<span class="code-quote">"true"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+    
+<span class="code-tag">&lt;bean id=<span class="code-quote">"stateManager"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager"</span>&gt;</span>
+    <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"cxf"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+
+
+</pre>
+</div></div>
+
+<p>Note that the POST binding filter has the same base properties as org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter
has but also <br clear="none">
+sets a "useDeflateEncoding" property for getting a SAML request deflated. Some IDPs might
not be able to process deflated SAML requests with POST binding redirects thus the compression
may be optionally disabled.</p>
+
+<p>What is actually different in this case from the GET-based redirect is that the
filter prepares an instance of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SamlRequestInfo.java">SAMLRequestInfo</a>
which is subsequently bound to an XHTML view via a JSP filter. The view will typically have
a Java Script handler which will actually redirect the user to IDP when it is loaded into
the browser. The data to view binding is facilitated by org.apache.cxf.jaxrs.provider.RequestDispatcherProvider,
please see <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider">this
page</a> for more information.<br clear="none">
+Here is a typical JSP handler for binding org.apache.cxf.rs.security.saml.sso.SAMLRequestInfo
to the view:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;%@ page import=<span class="code-quote">"javax.servlet.http.HttpServletRequest,org.apache.cxf.rs.security.saml.sso.SamlRequestInfo"</span>
%&gt;</span>
+
+&lt;%
+    SamlRequestInfo data = (SamlRequestInfo)request.getAttribute(<span class="code-quote">"samlrequestinfo"</span>);
+%&gt;
+<span class="code-tag">&lt;html xmlns=<span class="code-quote">"http://www.w3.org/1999/xhtml"</span>&gt;</span>
+<span class="code-tag">&lt;body onLoad=<span class="code-quote">"document.forms[0].submit();"</span>&gt;</span>
+   <span class="code-tag">&lt;form action=<span class="code-quote">"&lt;%=
data.getIdpServiceAddress() %&gt;</span>"</span> method=<span class="code-quote">"POST"</span>&gt;
+       <span class="code-tag">&lt;div&gt;</span>             
+        &lt;input type=<span class="code-quote">"hidden"</span> name=<span
class="code-quote">"SAMLRequest"</span>
+                value=<span class="code-quote">"<span class="code-tag">&lt;%=
data.getSamlRequest() %&gt;</span>"</span>/&gt;
+        &lt;input type=<span class="code-quote">"hidden"</span> name=<span
class="code-quote">"RelayState"</span>
+                value=<span class="code-quote">"<span class="code-tag">&lt;%=
data.getRelayState() %&gt;</span>"</span>/&gt;
+       <span class="code-tag">&lt;/div&gt;</span>
+        <span class="code-tag">&lt;div&gt;</span>
+         <span class="code-tag">&lt;input type=<span class="code-quote">"submit"</span>
value=<span class="code-quote">"Continue"</span>/&gt;</span>
+       <span class="code-tag">&lt;/div&gt;</span>
+   <span class="code-tag">&lt;/form&gt;</span>
+ 
+<span class="code-tag">&lt;/body&gt;</span>
+<span class="code-tag">&lt;/html&gt;</span>
+</pre>
+</div></div>
 
-<h1><a shape="rect" name="SAMLWebSSO-ApplicationSecurityFilter"></a>Application
Security Filter</h1>
 
 <h1><a shape="rect" name="SAMLWebSSO-RequestAssertionSecurityService"></a>Request
Assertion Security Service</h1>
 
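Review bot: the `ssoRedirectPOST` bean in the POST binding sample is not closed correctly: the line `&lt;/bean` is missing its trailing `&gt;`, so the rendered page shows `</bean` and anyone copying the sample gets malformed Spring XML; it should read `&lt;/bean&gt;` like the other beans in the hunk. Two smaller points in the same hunk: the prose refers to `SAMLRequestInfo` (the link text and the sentence introducing the JSP) while the class imported and cast in the JSP is `org.apache.cxf.rs.security.saml.sso.SamlRequestInfo`, and the two should agree; and the JSP writes `data.getSamlRequest()` and `data.getRelayState()` straight into `value` attributes without HTML escaping, so a RelayState containing a quote or angle bracket would break out of the attribute. Since the filter itself produces these values this is not an immediate exposure, but the sample would be safer to copy if it escaped attribute values (for example with JSTL's `fn:escapeXml`) or the text stated that the values are already safe to embed. Minor wording: "lets the request to continue" should be "lets the request continue", and the expansion "Request Assertion Consumer Service (RACS)" still does not match the heading "Request Assertion Security Service" kept at the end of the hunk.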


