cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF > Fediz
Date Tue, 05 Jun 2012 19:08:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz">Fediz</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~mazzag">Glen
Mazza</a>
    </h4>
        <div id="versionComment">
        <b>Comment:</b>
        Editorial cleanup.<br />
    </div>
        <br/>
                         <h4>Changes (9)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h2. Overview <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Apache
CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates
security enforcement to the underlying application server. Authentication is externalized
from your web application to an identity provider which is a dedicated server component. The
supported standard is WS-Federation 1.2 Passive Requestor Profile. Fediz supports Claims based
Access control beyond Role Based Access Control (RBAC). <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Apache
CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates
security enforcement to the underlying application server. With Fediz, authentication is externalized
from your web application to an identity provider installed as a dedicated server component.
The supported standard is [WS-Federation 1.2 Passive Requestor Profile|http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002].
Fediz supports [Claims Based Access Control|http://en.wikipedia.org/wiki/Claims-based_identity]
beyond Role Based Access Control (RBAC). <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h2. Features <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h2. Getting started <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >The WS-Federation specification
defines the following parties involved during <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">the</span>
<span class="diff-added-words"style="background-color: #dfd;">a</span> web login:
<br></td></tr>
            <tr><td class="diff-unchanged" >* Browser <br>* Identity Provider
(IDP) <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
IDP is a centralized, application independent runtime component which implements the protocol
defined by WS-Federation. You can use any open source or commercial product as your IDP which
supports WS-Federation 1.1/1.2. It&#39;s recommended to use the Fediz IDP for testing
as it allows to test your web application in a sandbox without having all infrastructure components
available. The Fediz IDP consists of two WAR components. The Security Token Service (STS)
is doing most of the part like authenticating the user, retrieve claims/role data and create
the SAML token. The IDP WAR translates the response to a HTML response thus a browser can
process it. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
IDP is a centralized, application independent runtime component which implements the protocol
defined by WS-Federation. You can use any open source or commercial product that supports
WS-Federation 1.1/1.2 as your IDP. It&#39;s recommended to use the Fediz IDP for testing
as it allows for testing your web application in a sandbox without having all infrastructure
components available. The Fediz IDP consists of two WAR components. The Security Token Service
(STS) does most of the work including user authentication, claims/role data retrieval and
creating the SAML token. The IDP WAR translates the response to an HTML response allowing
a browser to process it. <br></td></tr>
            <tr><td class="diff-unchanged" >* Relying Party (RP) <br></td></tr>
            <tr><td class="diff-changed-lines" >The RP is <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">the</span>
<span class="diff-added-words"style="background-color: #dfd;">a</span> web application
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">which
should</span> <span class="diff-added-words"style="background-color: #dfd;">that
needs to</span> be protected. The RP must be able to implement the protocol as defined
by WS-Federation. This component is called &quot;Fediz Plugin&quot; in this project
which consists of container agnostic module/jar and a container specific jar. When an authenticated
request is detected by the plugin it redirects to the IDP <span class="diff-changed-words"><span
class="diff-added-chars"style="background-color: #dfd;">f</span>or</span> authentication.
The browser sends the response from <span class="diff-added-words"style="background-color:
#dfd;">the</span> IDP to the RP after successful authentication. The RP validates
the response and creates the container security context. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-changed-lines" >It&#39;s recommended to deploy
the IDP and the web application (RP) into different container instances as in a production
deployment. The container with the IDP can be used during development and testing for <span
class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">any</span>
<span class="diff-added-words"style="background-color: #dfd;">multiple</span>
web <span class="diff-changed-words">application<span class="diff-added-chars"style="background-color:
#dfd;">s needing security</span>.</span> <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h3. Setting up the IDP
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h3. Set up the Relying Party Container
<br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
Fediz plugin is deployed into the Relying Party (RP) container. The security mechanism is
not specified by JEE. Even it is very similar in each Servlet Container there are some differences
which requires dedicated Fediz plugins for each Servlet Container implementation. Most of
the configuration is container independent and described [here|Fediz Configuration] <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
Fediz plugin needs to be deployed into the Relying Party (RP) container. The security mechanism
is not specified by JEE. Even though it is very similar in each servlet container there are
some differences which require a dedicated Fediz plugin for each servlet container implementation.
Most of the configuration is container independent and described [here|Fediz Configuration]
<br></td></tr>
            <tr><td class="diff-unchanged" > <br>The following lists shows
the supported containers and the location of the installation and configuration page. <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="Fediz-ApacheCXFFediz%3AAnOpenSourceWebSecurityFramework"></a>Apache
CXF Fediz: An Open-Source Web Security Framework</h1>

<h2><a name="Fediz-Overview"></a>Overview</h2>

<p>Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications
and delegates security enforcement to the underlying application server. With Fediz, authentication
is externalized from your web application to an identity provider installed as a dedicated
server component. The supported standard is <a href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002"
class="external-link" rel="nofollow">WS-Federation 1.2 Passive Requestor Profile</a>.
Fediz supports <a href="http://en.wikipedia.org/wiki/Claims-based_identity" class="external-link"
rel="nofollow">Claims Based Access Control</a> beyond Role Based Access Control (RBAC).</p>


<h2><a name="Fediz-News"></a>News</h2>


<h2><a name="Fediz-Features"></a>Features</h2>

<p>The following features are supported by the Fediz plugin 1.0</p>
<ul>
	<li>WS-Federation 1.1/1.2</li>
	<li>SAML 1.1/2.0 Tokens</li>
	<li>Custom token support</li>
	<li>Publish WS-Federation Metadata document</li>
	<li>Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens</li>
	<li>Claims information provided by FederationPrincipal interface</li>
</ul>


<p>The following features are planned for the next release:</p>
<ul>
	<li>Support for Jetty and JBoss</li>
	<li>CXF plugin</li>
	<li>Support for encrypted SAML tokens</li>
	<li>Support for Holder-Of-Key SubjectConfirmationMethod</li>
	<li>"Resource IDP" support for Fediz IDP</li>
	<li>support for other protocols like SAML-P, OAuth</li>
</ul>


<p>You can get the current status of the issues <a href="https://issues.apache.org/jira/browse/FEDIZ"
class="external-link" rel="nofollow">here </a>.</p>

<h2><a name="Fediz-Gettingstarted"></a>Getting started</h2>

<p>The WS-Federation specification defines the following parties involved during a web
login:</p>
<ul>
	<li>Browser</li>
	<li>Identity Provider (IDP)<br/>
The IDP is a centralized, application independent runtime component which implements the protocol
defined by WS-Federation. You can use any open source or commercial product that supports
WS-Federation 1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for testing as it
allows for testing your web application in a sandbox without having all infrastructure components
available. The Fediz IDP consists of two WAR components. The Security Token Service (STS)
does most of the work including user authentication, claims/role data retrieval and creating
the SAML token. The IDP WAR translates the response to an HTML response allowing a browser
to process it.</li>
	<li>Relying Party (RP)<br/>
The RP is a web application that needs to be protected. The RP must be able to implement the
protocol as defined by WS-Federation. This component is called "Fediz Plugin" in this project
which consists of container agnostic module/jar and a container specific jar. When an authenticated
request is detected by the plugin it redirects to the IDP for authentication. The browser
sends the response from the IDP to the RP after successful authentication. The RP validates
the response and creates the container security context.</li>
</ul>


<p>It's recommended to deploy the IDP and the web application (RP) into different container
instances as in a production deployment. The container with the IDP can be used during development
and testing for multiple web applications needing security.</p>

<h3><a name="Fediz-SettinguptheIDP"></a>Setting up the IDP</h3>

<p>The installation and configuration of the IDP is documented <a href="/confluence/display/CXF/Fediz+IDP"
title="Fediz IDP">here</a></p>

<h3><a name="Fediz-SetuptheRelyingPartyContainer"></a>Set up the Relying
Party Container</h3>

<p>The Fediz plugin needs to be deployed into the Relying Party (RP) container. The
security mechanism is not specified by JEE. Even though it is very similar in each servlet
container there are some differences which require a dedicated Fediz plugin for each servlet
container implementation. Most of the configuration is container independent and described
<a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz Configuration">here</a></p>

<p>The following lists shows the supported containers and the location of the installation
and configuration page.</p>
<ul>
	<li><a href="/confluence/display/CXF/Fediz+Tomcat" title="Fediz Tomcat">Tomcat
7 </a></li>
</ul>



<h2><a name="Fediz-Distribution"></a>Distribution</h2>

<p>tbd</p>

<h2><a name="Fediz-Samples"></a>Samples</h2>

<p>The examples directory contains two sample projects:</p>

<p>Each sample is described in the <tt>README.txt</tt></p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Sample </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <b>simpleWebapp</b> </td>
<td class='confluenceTd'> a simple web application which is protected by the Fediz IDP.
The FederationServlet illustrates how to get security information using the standard APIs.
</td>
</tr>
<tr>
<td class='confluenceTd'> <b>wsclientWebapp</b> </td>
<td class='confluenceTd'> a protected web application which calls a web service protected
by the Fediz STS. The FederationServlet illustrates how to securely call a web service. </td>
</tr>
</tbody></table>
</div>


<h2><a name="Fediz-Building"></a>Building</h2>

<p>Check out the code from here:</p>
<ul>
	<li>svn<br class="atl-forced-newline" />
<a href="http://svn.apache.org/repos/asf/cxf/fediz/trunk" class="external-link" rel="nofollow">http://svn.apache.org/repos/asf/cxf/fediz/trunk</a></li>
	<li>git<br/>
git://git.apache.org/cxf-fediz.git</li>
</ul>




<h5><a name="Fediz-BuildingwithMaven"></a>Building with Maven</h5>

<p>You build the run the tests using the following command:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
mvn clean install
</pre>
</div></div>

<p>Note: you need to use Maven 2.0.9 or newer and have the following environment variable
set: <tt>MAVEN_OPTS=-Xmx512m</tt></p>

<h5><a name="Fediz-SettingupEclipse%3A"></a>Setting up Eclipse:</h5>

<p>See <a href="http://cxf.apache.org/setting-up-eclipse.html" class="external-link"
rel="nofollow">this page</a> for information on using the Eclipse IDE with the Fediz
source code. This page is created for CXF but the same commands are applicable for Fediz too.</p>
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz">View Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=27845832&revisedVersion=17&originalVersion=16">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message