cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r825115 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html
Date Mon, 09 Jul 2012 09:47:51 GMT
Author: buildbot
Date: Mon Jul  9 09:47:50 2012
New Revision: 825115

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==============================================================================
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Mon Jul  9 09:47:50 2012
@@ -125,7 +125,7 @@ Apache CXF -- SAML Web SSO
 
 
 <div>
-<ul><li><a shape="rect" href="#SAMLWebSSO-Introduction">Introduction</a></li><ul><li><a
shape="rect" href="#SAMLWebSSO-TypicalFlow">Typical Flow</a></li></ul><li><a
shape="rect" href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity Provider</a></li><li><a
shape="rect" href="#SAMLWebSSO-ServiceProviderSecurityFilter">Service Provider Security
Filter</a></li><ul><li><a shape="rect" href="#SAMLWebSSO-RedirectBindingFilter">Redirect
Binding Filter</a></li><li><a shape="rect" href="#SAMLWebSSO-POSTBindingFilter">POST
Binding Filter</a></li><li><a shape="rect" href="#SAMLWebSSO-SigningSAMLAuthenticationRequests">Signing
SAML Authentication Requests</a></li><li><a shape="rect" href="#SAMLWebSSO-FiltersandStateManagement">Filters
and State Management</a></li></ul><li><a shape="rect" href="#SAMLWebSSO-RequestAssertionConsumerService">Request
Assertion Consumer Service</a></li><ul><li><a shape="rect" href="#SAM
 LWebSSO-DealingwithsignedSAMLResponses">Dealing with signed SAML Responses</a></li></ul><li><a
shape="rect" href="#SAMLWebSSO-SSOStateProvider">SSO State Provider</a></li></ul></div>
+<ul><li><a shape="rect" href="#SAMLWebSSO-Introduction">Introduction</a></li><ul><li><a
shape="rect" href="#SAMLWebSSO-TypicalFlow">Typical Flow</a></li></ul><li><a
shape="rect" href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity Provider</a></li><li><a
shape="rect" href="#SAMLWebSSO-ServiceProviderSecurityFilter">Service Provider Security
Filter</a></li><ul><li><a shape="rect" href="#SAMLWebSSO-RedirectBindingFilter">Redirect
Binding Filter</a></li><li><a shape="rect" href="#SAMLWebSSO-POSTBindingFilter">POST
Binding Filter</a></li><li><a shape="rect" href="#SAMLWebSSO-SigningSAMLAuthenticationRequests">Signing
SAML Authentication Requests</a></li><li><a shape="rect" href="#SAMLWebSSO-FiltersandStateManagement">Filters
and State Management</a></li></ul><li><a shape="rect" href="#SAMLWebSSO-RequestAssertionConsumerService">Request
Assertion Consumer Service</a></li><ul><li><a shape="rect" href="#SAM
 LWebSSO-DealingwithsignedSAMLResponses">Dealing with signed SAML Responses</a></li></ul><li><a
shape="rect" href="#SAMLWebSSO-SSOStateProvider">SSO State Provider</a></li><ul><li><a
shape="rect" href="#SAMLWebSSO-DistributedStateManagement">Distributed State Management</a></li></ul></ul></div>
 
 <h1><a shape="rect" name="SAMLWebSSO-Introduction"></a>Introduction</h1>
 
@@ -433,7 +433,92 @@ the current user, persists it and redire
 
 <p>SP Security Filters and RACS depend on the custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/SPStateManager.java">SPStateManager</a>
implementation for persisting the current request and security context state. </p>
 
-<p>CXF ships an <a shape="rect" class="external-link" href="http://ehcache.org/"
rel="nofollow">EhCache</a>-based <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java">implementation</a>.
Users can register their own custom implementations if required.</p></div>
+<p>CXF ships a basic <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/MemorySPStateManager.java">MemorySPStateProvider</a>
and an <a shape="rect" class="external-link" href="http://ehcache.org/" rel="nofollow">EhCache</a>-based
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java">implementation</a>
which is memory based with an option to overflow to the disk. Users can customize the EhCache
provider or register their own custom SPStateProvider implementations if required.</p>
+
+<p>For example, by default, the EhCache provider will overflow the data to the system
temp directory and will not persist the data across restarts. The following EhCache configuration
can be used to change it:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;ehcache xsi:noNamespaceSchemaLocation=<span class="code-quote">"ehcache.xsd"</span>
updateCheck=<span class="code-quote">"false"</span> monitoring=<span class="code-quote">"autodetect"</span>
dynamicConfig=<span class="code-quote">"true"</span>&gt;</span>
+
+    <span class="code-tag">&lt;diskStore path=<span class="code-quote">"/home/username/work/ehcache"</span>/&gt;</span>
+
+    &lt;defaultCache
+            maxEntriesLocalHeap=<span class="code-quote">"5000"</span>
+            timeToIdleSeconds=<span class="code-quote">"3600"</span>
+            timeToLiveSeconds=<span class="code-quote">"3600"</span>
+            overflowToDisk=<span class="code-quote">"true"</span>
+            maxElementsOnDisk=<span class="code-quote">"10000000"</span>
+            diskPersistent=<span class="code-quote">"true"</span>
+            diskExpiryThreadIntervalSeconds=<span class="code-quote">"120"</span>
+            memoryStoreEvictionPolicy=<span class="code-quote">"LRU"</span>
+            /&gt;
+<span class="code-tag">&lt;/ehcache&gt;</span>
+
+Assuming this configuration is saved in WEB-INF/ehcache.xml, the EhCache provider can be
configured as follows:
+
+{code:xml}
+<span class="code-tag">&lt;bean id=<span class="code-quote">"stateManager"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.EHCacheSPStateManager"</span>&gt;</span>
+    <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"/WEB-INF/ehcache.xml"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+</pre>
+</div></div>
+
+<h2><a shape="rect" name="SAMLWebSSO-DistributedStateManagement"></a>Distributed
State Management</h2>
+
+<p>If you have a complex application supported by a number of wars deployed into different
containers, one has to decide whether to have a single RequestAssertionConsumerService (RACS)
endpoint which IDP will redirect to when processing the user authentication requests or have
a separate RACS endpoint per every web application which all form a bigger application.</p>
+
+<p>For example, assume you have server1, server2 and server3 which all support a bigger
application. One can have a serverRacs web application which will host a RACS endpoint. Next,
server1, server2 and server3 SSO filters will all point to this standalone RACS endpoint when
redirecting the user to IDP and IDP will eventually redirect the user to RACS which in turn
will redirect the user to the original targer URI supported by server or server2 or server3.</p>
+
+<p>In this case, one has to decide how the state between SSO security filters protecting
the individual servers and RACS will be shared.<br clear="none">
+One approach is to setup the Ehcache provider to use <a shape="rect" class="external-link"
href="http://ehcache.org/documentation/configuration/distributed-cache-configuration" rel="nofollow">Terracotta
or RMI with the multicast</a> or implement the alternative approach not involving Ehcache
at all.</p>
+
+<p>CXF offers a simple <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/HTTPSPStateManager.java">HTTPSPStateManager</a>
provider which can be used to simplify the task of setting up the distributed state cache,
which can be used for simple distributed web applications or to support the more advanced
applications at the proof-of-concept stage.</p>
+
+<p>For example, the following jaxrs:endpoint can be deployed alongside the RACS endpoint
running in its own web application:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"stateManager"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.HTTPSPStateManager"</span>/&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"consumerService"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"stateProvider"</span>
ref=<span class="code-quote">"stateManager"</span>/&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"signaturePropertiesFile"</span>
value=<span class="code-quote">"serviceKeystore.properties"</span>/&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"callbackHandlerClass"</span>
value=<span class="code-quote">"oauth2.sso.SSOCallbackHandler"</span>/&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+    
+    <span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/"</span>&gt;</span>

+       <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span class="code-quote">"consumerService"</span>/&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span class="code-quote">"stateManager"</span>/&gt;</span>

+       <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+    <span class="code-tag">&lt;/jaxrs:server&gt;</span>
+</pre>
+</div></div>
+
+<p>Note that the RACS bean itself directly uses HTTPSPStateManager which is also available
as an HTTP endpoint for all the SSO security filters to work with.<br clear="none">
+Here is an example of how the SPStateManagers at the individual SSO filter end can use this
HTTP endpoint:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+
+&lt;jaxrs:client id=<span class="code-quote">"stateManager"</span>
+         address=<span class="code-quote">"https://localhost:${racs.port}/racs"</span>
+         serviceClass=<span class="code-quote">"org.apache.cxf.rs.security.saml.sso.state.HTTPSPStateManager"</span>/&gt;
+         
+ <span class="code-tag">&lt;bean id=<span class="code-quote">"ssoRedirectURI"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.saml.sso.SamlRedirectBindingFilter"</span>&gt;</span>
+    <span class="code-tag">&lt;property name=<span class="code-quote">"idpServiceAddress"</span>
value=<span class="code-quote">"${idp.address}"</span>/&gt;</span>
+    &lt;property name=<span class="code-quote">"assertionConsumerServiceAddress"</span>

+               value=<span class="code-quote">"https://localhost:${racs.port}/racs/sso"</span>/&gt;
+    <span class="code-tag">&lt;property name=<span class="code-quote">"stateProvider"</span>
ref=<span class="code-quote">"stateManager"</span>/&gt;</span>
+    <span class="code-tag">&lt;property name=<span class="code-quote">"addWebAppContext"</span>
value=<span class="code-quote">"false"</span>/&gt;</span> 
+ <span class="code-tag">&lt;/bean&gt;</span>
+
+</pre>
+</div></div>
+
+
+<p>Note that a JAX-RS Client proxy to the HTTPSPStateManager endpoint is used as SPStateManager
reference.</p>
+
+<p>The alternative to having a distributed state cache be set up is to simply have
a RACS endpoint collocated with every individual web application constituting the bigger application,
see the earlier section describing SSO filters on how this can be easily set up. One possible
downside of it is that there will be no centralized store managing the state required by different
filters and RACS which in turn can make it more difficult to audit and log all the SSO-related
activities spanning across all the bigger application.  </p></div>
            </div>
            <!-- Content -->
          </td>



Mime
View raw message