From dk...@apache.org
Subject svn commit: r827531 [4/4] - in /websites/production/cxf/content: ./ cache/ docs/
Date Tue, 31 Jul 2012 19:56:07 GMT
Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==============================================================================
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Tue Jul 31 19:56:05 2012
@@ -127,23 +127,42 @@ Apache CXF -- WS-SecurityPolicy
 
 
 <h3><a shape="rect" name="WS-SecurityPolicy-EnablingWSSecurityPolicy"></a>Enabling
WS-SecurityPolicy</h3>
-<p>In CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available
on the classpath, the WS-SecurityPolicy stuff is automatically enabled.   Since the entire
security runtime is policy driven, the only requirement is that the policy engine and security
policies be available.  </p>
 
-<p>If you are using the full "bundle" jar, all the security and policy stuff is already
included.   </p>
+<p>In CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available
on the classpath, the WS-SecurityPolicy stuff is automatically enabled.   Since the entire
security runtime is policy driven, the only requirement is that the policy engine and security
policies be available.</p>
+
+<p>If you are using the full "bundle" jar, all the security and policy stuff is already
included.</p>
 
 
 <h3><a shape="rect" name="WS-SecurityPolicy-Policydescription"></a>Policy
description</h3>
+
 <p>With WS-SecurityPolicy, the binding and/or operation in the wsdl references a <a
shape="rect" href="ws-policy.html" title="WS-Policy">WS-Policy</a> fragment that
describes the basic security requirements for interacting with that service.   The <a shape="rect"
class="external-link" href="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html"
rel="nofollow">WS-SecurityPolicy specification</a> allows for specifying things like
asymmetric/symmetric keys, using transports (https) for encryption, which parts/headers to
encrypt or sign, whether to sign then encrypt or encrypt then sign, whether to include timestamps,
whether to use derived keys, etc...   Basically, it describes what actions are necessary to
securely interact with the service described in the WSDL.</p>
 
-<p>However, the WS-SecurityPolicy fragment does not include "everything" that is required
for a runtime to be able to able to create the messages.  It does not describe things such
as locations of key stores, user names and passwords, etc...  Those need to be configured
in at runtime to augment the WS-SecurityPolicy fragment.  </p>
+<p>However, the WS-SecurityPolicy fragment does not include "everything" that is required
for a runtime to be able to able to create the messages.  It does not describe things such
as locations of key stores, user names and passwords, etc...  Those need to be configured
in at runtime to augment the WS-SecurityPolicy fragment.</p>
 
 
 <h3><a shape="rect" name="WS-SecurityPolicy-Configuringtheextraproperties"></a>Configuring
the extra properties</h3>
+
 <p>There are several extra properties that may need to be set to provide the additional
bits of information to the runtime. Note that you should check that a particular property
is supported in the version of CXF you are using.</p>
 
+<h4><a shape="rect" name="WS-SecurityPolicy-Userproperties"></a>User properties</h4>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.username </td><td colspan="1" rowspan="1" class="confluenceTd">
The user's name. It is used differently by each of the WS-Security functions, see <a shape="rect"
href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME">here</a>
for more information. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
ws-security.password </td><td colspan="1" rowspan="1" class="confluenceTd"> The
user's password when "ws-security.callback-handler" is not defined. It is currently only used
for the case of adding a password to a UsernameToken. </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.username </td><td
colspan="1" rowspan="1" class="confluenceTd"> The user's name for signature. It is used
as the alias name in the keystore to get the user's cert and private key for signature. See
<a shape="rec
 t" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME">here</a>
for more information. </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
ws-security.encryption.username </td><td colspan="1" rowspan="1" class="confluenceTd">
The user's name for encryption. It is used as the alias name in the keystore to get the user's
public key for encryption. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME">here</a>
for more information.</td></tr></tbody></table>
+</div>
+
+
+<h4><a shape="rect" name="WS-SecurityPolicy-CallbackClassandCryptoproperties"></a>Callback
Class and Crypto properties</h4>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.callback-handler </td><td colspan="1" rowspan="1"
class="confluenceTd"> The CallbackHandler <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER">implementation</a>
class used to obtain passwords.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.saml-callback-handler </td><td colspan="1" rowspan="1"
class="confluenceTd"> The SAML CallbackHandler <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER">implementation</a>
class used to construct SAML Assertions.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> ws-security.signature.properties </td><td colspan="1"
rowspan="1" class="confluenceTd"> The Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/w
 s/security/SecurityConstants.html#SIGNATURE_PROPERTIES">configuration</a> to use
for signature, if "ws-security.signature.crypto" is not set instead.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.encryption.properties </td><td
colspan="1" rowspan="1" class="confluenceTd"> The Crypto property <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES">configuration</a>
to use for encryption, if "ws-security.encryption.crypto" is not set instead. </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.crypto </td><td
colspan="1" rowspan="1" class="confluenceTd"> A Crypto <a shape="rect" class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">object</a>
to be used for signature. If this is not defined then "ws-security.signature.properties" is
used instead.</td></tr><tr><td colspan="1" rowspa
 n="1" class="confluenceTd"> ws-security.encryption.crypto </td><td colspan="1"
rowspan="1" class="confluenceTd"> A Crypto <a shape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">object</a>
to be used for encryption. If this is not defined then "ws-security.encryption.properties"
is used instead.</td></tr></tbody></table>
+</div>
+
+
+<h4><a shape="rect" name="WS-SecurityPolicy-Otherproperties"></a>Other
properties</h4>
+
 <div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.username </td><td colspan="1" rowspan="1" class="confluenceTd">
The username used for UsernameToken policy assertions </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.password </td><td colspan="1"
rowspan="1" class="confluenceTd"> The password used for UsernameToken policy assertions.
  If not specified, the callback handler will be called. </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.callback-handler </td><td
colspan="1" rowspan="1" class="confluenceTd"> The WSS4J security CallbackHandler that will
be used to retrieve passwords for keystores and UsernameTokens. </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.properties </td><td
colspan="1" rowspan="1" class="confluenceTd"> The properties file/object that contains
the WSS4J properties for configuring the signature keystore and c
 rypto objects </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
ws-security.encryption.properties </td><td colspan="1" rowspan="1" class="confluenceTd">
The properties file/object that contains the WSS4J properties for configuring the encryption
keystore and crypto objects </td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.signature.username </td><td colspan="1" rowspan="1"
class="confluenceTd"> The username or alias for the key in the signature keystore that
will be used.   If not specified, it uses the the default alias set in the properties file.
 If that's also not set, and the keystore only contains a single key, that key will be used.
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.encryption.username
</td><td colspan="1" rowspan="1" class="confluenceTd"> The username or alias for
the key in the encryption keystore that will be used.   If not specified, it uses the the
default alias set in the propertie
 s file.  If that's also not set, and the keystore only contains a single key, that key will
be used.  For the web service provider, the useReqSigCert keyword can be used to accept (encrypt
to) any client whose public key is in the service's truststore (defined in ws-security.encryption.properties.)
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.signature.crypto
</td><td colspan="1" rowspan="1" class="confluenceTd"> Instead of specifying the
signature properties, this can point to the full <a shape="rect" class="external-link"
href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">WSS4J
Crypto</a> object.  This can allow easier "programmatic" configuration of the Crypto
information."</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
ws-security.encryption.crypto </td><td colspan="1" rowspan="1" class="confluenceTd">
Instead of specifying the encryption properties, this can point to the full <a s
 hape="rect" class="external-link" href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html">WSS4J
Crypto</a> object.  This can allow easier "programmatic" configuration of the Crypto
information." </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
ws-security.subject.cert.constraints </td><td colspan="1" rowspan="1" class="confluenceTd">
This configuration tag is a comma separated String of regular expressions which will be applied
to the subject DN of the certificate used for signature validation, after trust verification
of the certificate chain associated with the  certificate. These constraints are not used
when the certificate is contained in the keystore (direct trust).</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.is-bsp-compliant </td><td
colspan="1" rowspan="1" class="confluenceTd"> Whether to ensure compliance with the Basic
Security Profile (BSP) 1.1 or not. The default value is "true".
 </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.timestamp.futureTimeToLive
</td><td colspan="1" rowspan="1" class="confluenceTd">  This configuration tag
specifies the time in seconds in the future within which the Created time of an incoming Timestamp
is valid. WSS4J rejects by default any timestamp which is "Created" in the future, and so
there could potentially be<br clear="none">
-problems in a scenario where a client's clock is slightly askew. The default value for this
parameter is "0", meaning that no future-created Timestamps are allowed.</td></tr></tbody></table>
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.subject.cert.constraints </td><td colspan="1"
rowspan="1" class="confluenceTd"> This configuration tag is a comma separated String of
regular expressions which will be applied to the subject DN of the certificate used for signature
validation, after trust verification of the certificate chain associated with the  certificate.
These constraints are not used when the certificate is contained in the keystore (direct trust).
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.is-bsp-compliant
</td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to ensure compliance
with the Basic Security Profile (BSP) 1.1 or not. The default value is "true". </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.timestamp.futureTimeToLive </td><td
colspan="1" rowspan="1" class="confluenceTd"> This configuration tag specifies the time
in s
 econds in the future within which the Created time of an incoming Timestamp is valid. WSS4J
rejects by default any timestamp which is "Created" in the future, and so there could potentially
be<br clear="none" class="atl-forced-newline">
+ problems in a scenario where a client's clock is slightly askew. The default value for this
parameter is "0", meaning that no future-created Timestamps are allowed. </td></tr></tbody></table>
 </div>
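Review bot: the new "User properties" table drops two pieces of behaviour that the removed table documented and that still matter to anyone configuring the runtime. First, the old ws-security.encryption.username row explained that a provider can set the value to useReqSigCert to encrypt to whichever client certificate signed the request (trusted via ws-security.encryption.properties); the endpoint example further down this same page still uses value="useReqSigCert", so with this hunk the keyword is used but never explained. Second, the old signature/encryption username rows described the fallback when no alias is given (the default alias from the properties file, else the single key in the keystore); if that fallback still applies, it should stay in the new rows, since implicit key selection is exactly what an operator needs to know about. Suggest carrying both sentences into the corresponding rows of the new table rather than losing them in the split.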
 
 
@@ -151,6 +170,7 @@ problems in a scenario where a client's 
 
 
 <h4><a shape="rect" name="WS-SecurityPolicy-ConfiguringviaSpring"></a>Configuring
via Spring</h4>
+
 <p>The properties are easily configured as client or endpoint properties--use the former
for the SOAP client, the latter for the web service provider.</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
@@ -158,21 +178,21 @@ problems in a scenario where a client's 
 &lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
    <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
    <span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://cxf.apache.org/jaxws"</span>
-   xsi:schemaLocation="http://www.springframework.org/schema/beans 
+   xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-   http://cxf.apache.org/jaxws 
+   http://cxf.apache.org/jaxws
    http://cxf.apache.org/schemas/jaxws.xsd"&gt;
 
-   &lt;jaxws:client name=<span class="code-quote">"{http://cxf.apache.org}MyPortName"</span>

+   &lt;jaxws:client name=<span class="code-quote">"{http://cxf.apache.org}MyPortName"</span>
       createdFromAPI=<span class="code-quote">"true"</span>&gt;
       <span class="code-tag">&lt;jaxws:properties&gt;</span>
-         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>

+         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>
              value=<span class="code-quote">"interop.client.KeystorePasswordCallback"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>

+         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>
              value=<span class="code-quote">"etc/client.properties"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>

+         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>
              value=<span class="code-quote">"etc/service.properties"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>

+         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>
              value=<span class="code-quote">"servicekeyalias"</span>/&gt;
       <span class="code-tag">&lt;/jaxws:properties&gt;</span>
    <span class="code-tag">&lt;/jaxws:client&gt;</span>
@@ -188,30 +208,30 @@ problems in a scenario where a client's 
 &lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
    <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
    <span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://cxf.apache.org/jaxws"</span>
-   xsi:schemaLocation="http://www.springframework.org/schema/beans 
+   xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
-   http://cxf.apache.org/jaxws 
+   http://cxf.apache.org/jaxws
    http://cxf.apache.org/schemas/jaxws.xsd"&gt;
 
-   &lt;jaxws:endpoint 
+   &lt;jaxws:endpoint
       id=<span class="code-quote">"MyService"</span>
-      address=<span class="code-quote">"https://localhost:9001/MyService"</span>

+      address=<span class="code-quote">"https://localhost:9001/MyService"</span>
       serviceName=<span class="code-quote">"interop:MyService"</span>
       endpointName=<span class="code-quote">"interop:MyServiceEndpoint"</span>
       implementor=<span class="code-quote">"com.foo.MyService"</span>&gt;
-        
+
       <span class="code-tag">&lt;jaxws:properties&gt;</span>
-         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>

+         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>
              value=<span class="code-quote">"interop.client.UTPasswordCallback"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>

+         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>
              value=<span class="code-quote">"etc/keystore.properties"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>

+         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>
              value=<span class="code-quote">"etc/truststore.properties"</span>/&gt;
-         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>

+         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>
              value=<span class="code-quote">"useReqSigCert"</span>/&gt;
-      <span class="code-tag">&lt;/jaxws:properties&gt;</span> 
-     
-   <span class="code-tag">&lt;/jaxws:endpoint&gt;</span> 
+      <span class="code-tag">&lt;/jaxws:properties&gt;</span>
+
+   <span class="code-tag">&lt;/jaxws:endpoint&gt;</span>
 <span class="code-tag">&lt;/beans&gt;</span>
 </pre>
 </div></div>
@@ -219,6 +239,7 @@ problems in a scenario where a client's 
 <p>See this <a shape="rect" class="external-link" href="http://www.jroller.com/gmazza/entry/cxf_x509_profile_secpol"
rel="nofollow">blog entry</a> for a more end-to-end example of using WS-SecurityPolicy
with X.509 keys.</p>
 
 <h4><a shape="rect" name="WS-SecurityPolicy-ConfiguringviaAPI%27s"></a>Configuring
via API's</h4>
+
 <p>Configuring the properties for the client just involves setting the properties in
the client's RequestContext:</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
@@ -226,11 +247,7 @@ Map&lt;<span class="code-object">String<
 ctx.put(<span class="code-quote">"ws-security.encryption.properties"</span>,
properties);
 port.echoString(<span class="code-quote">"hello"</span>);
 </pre>
-</div></div>
-
-
-
-</div>
+</div></div></div>
            </div>
            <!-- Content -->
          </td>

Modified: websites/production/cxf/content/docs/wsrmconfiguration.html
==============================================================================
--- websites/production/cxf/content/docs/wsrmconfiguration.html (original)
+++ websites/production/cxf/content/docs/wsrmconfiguration.html Tue Jul 31 19:56:05 2012
@@ -190,7 +190,7 @@ Apache CXF -- WSRMConfiguration
 </div>
 
 
-<p>For details about the element types used in this namespace please refer to the schemas
for the <a shape="rect" href="http://cxf.apache.org/ws/rm/manager">http://cxf.apache.org/ws/rm/manager</a>
namespace (<a shape="rect" href="http://cxf.apache.org/schemas/configuration/wsrm-manager.xsd">http://cxf.apache.org/schemas/configuration/wsrm-manager.xsd</a>
and <a shape="rect" href="http://cxf.apache.org/schemas/configuration/wsrm-manager-types.xsd">http://cxf.apache.org/schemas/configuration/wsrm-manager-types.xsd</a>).
The jbdcStore element type is described below.</p>
+<p>For details about the element types used in this namespace please refer to the schemas
for the <a shape="rect" href="http://cxf.apache.org/ws/rm/manager">http://cxf.apache.org/ws/rm/manager</a>
namespace (<a shape="rect" href="http://cxf.apache.org/schemas/wsrm-manager.xsd">http://cxf.apache.org/schemas/wsrm-manager.xsd</a>
and <a shape="rect" href="http://cxf.apache.org/schemas/wsrm-manager-types.xsd">http://cxf.apache.org/schemas/wsrm-manager-types.xsd</a>).
The jbdcStore element type is described below.</p>
 
 <p>Example (feature applied at bus level):</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
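Review bot: "jbdcStore" in the last sentence is carried over unchanged from the removed paragraph; if the element described below is the JDBC-backed store, the spelling should be jdbcStore. The two schema links move from /schemas/configuration/ to /schemas/; since the paragraph sends readers to those XSDs for the element definitions, confirm that both files are actually published at the new paths before this goes live.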

Modified: websites/production/cxf/content/fediz-idp.html
==============================================================================
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Tue Jul 31 19:56:05 2012
@@ -186,11 +186,11 @@ $CATALINA_HOME/bin/shutdown.sh
 </pre>
 </div></div>
 
-<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat
7 configuration reference. This page also describes how to create certificates.</p>
+<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat
7 configuration reference. This page also describes how to create certificates.  Sample Tomcat
keystores (not for production use, but useful for demoing Fediz and running the sample applications)
are provided in the examples/samplekeys folder of the Fediz distribution.</p>
 
 <p>To establish trust, there are significant keystore/truststore requirements between
the Tomcat instances and the various web applications (IDP, STS, Relying party applications,
third party web services, etc.)  See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this
page</a> for more details, it lists the trust requirements as well as sample scripts
for creating your own (self-signed) keys.</p>
 
-<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR
files for its services and examples) are for development/prototyping use ONLY.  They'll need
to be replaced for production use, at a minimum with your own self-signed keys but strongly
recommended to use third-party signed keys.</b></p>
+<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR
files for its services and examples) are for development/prototyping use only.  They'll need
to be replaced for production use, at a minimum with your own self-signed keys but strongly
recommended to use third-party signed keys.</b></p>
 
 <p>Once you deploy the IDP WAR files to your Tomcat installation (&lt;catalina.home&gt;/webapps),
you should be able to see the Fediz STS from a browser at <a shape="rect" class="external-link"
href="http://localhost:9080/fedizidpsts/STSService?wsdl" rel="nofollow">http://localhost:9080/fedizidpsts/STSService?wsdl</a>,
assuming you're using port 9080 as listed above.</p>
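Review bot: the added sentence about examples/samplekeys and the bold warning both say the sample keystores are for development use only, which is the right message, but the trust-requirements link points at the svn trunk copy of HowToGenerateKeysREADME.html, which can drift from the release a reader has installed; since the new sentence already says the samplekeys folder ships in the distribution, mention that the same README is found there. Minor: "See this page for more details, it lists ..." is a comma splice; a semicolon or a full stop reads better.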
 

Modified: websites/production/cxf/content/fediz-tomcat.html
==============================================================================
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Tue Jul 31 19:56:05 2012
@@ -167,15 +167,16 @@ add the previously created directory to 
 <pre class="code-xml">
     &lt;Connector port=<span class="code-quote">"8443"</span> protocol=<span
class="code-quote">"HTTP/1.1"</span> SSLEnabled=<span class="code-quote">"true"</span>
                maxThreads=<span class="code-quote">"150"</span> scheme=<span
class="code-quote">"https"</span> secure=<span class="code-quote">"true"</span>
-               keystoreFile=<span class="code-quote">"tomcatKeystore.jks"</span>
+               keystoreFile=<span class="code-quote">"tomcat-rp.jks"</span>
                keystorePass=<span class="code-quote">"tompass"</span> sslProtocol=<span
class="code-quote">"TLS"</span> /&gt;
 </pre>
 </div></div>
 
-<p>The <tt>keystoreFile</tt> is relative to $CATALINA_HOME. See <a shape="rect"
class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a>
for the Tomcat 7 configuration reference. This page also describes how to create certificates.</p>
+<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat
7 configuration reference. This page also describes how to create certificates.  Sample Tomcat
keystores (not for production use, but useful for demoing Fediz and running the sample applications)
are provided in the examples/samplekeys folder of the Fediz distribution.</p>
 
-<p><b>Production: It's highly recommended to deploy certificates signed by a
Certificate Authority</b></p>
+<p>To establish trust, there are significant keystore/truststore requirements between
the Tomcat instances and the various web applications (IDP, STS, Relying party applications,
third party web services, etc.)  See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this
page</a> for more details, it lists the trust requirements as well as sample scripts
for creating your own (self-signed) keys.</p>
 
+<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR
files for its services and examples) are for development/prototyping use only.  They'll need
to be replaced for production use, at a minimum with your own self-signed keys but strongly
recommended to use third-party signed keys.</b></p>
 
 
 <h5><a shape="rect" name="FedizTomcat-FedizPluginconfigurationforYourWebApplication"></a>Fediz
Plugin configuration for Your Web Application</h5>
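Review bot: the connector example keeps keystorePass="tompass" while switching the file to tomcat-rp.jks, and the new warning only talks about replacing the sample keystores; since the keystore password is published on this page together with the sample files, the warning should say explicitly that the password in server.xml must be changed along with the keystore, not just the .jks. The replaced one-line "Production: ..." recommendation is covered by the last sentence of the new warning, so nothing is lost there. Minor: the new paragraph drops the <tt>keystoreFile</tt> markup the removed one had, which is fine for consistency with the fediz-idp page.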
@@ -186,7 +187,6 @@ add the previously created directory to 
 
 <p>A Valve can be configured on different levels like <em>Host</em> or
<em>Context</em>. The Fediz configuration file allows to configure all servlet
contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz
configuration file per Servlet Context then you must configure the FederationAuthenticator
on the <em>Context</em> level otherwise on the <em>Host</em> level
in the Tomcat configuration file <em>server.xml</em></p>
 
-
 <p>You can either configure the context in the server.xml or in META-INF/context.xml
as part of your WAR file.  (The sample RP applications bundled with Fediz already have this
configured via the latter option.)</p>
 
 <h6><a shape="rect" name="FedizTomcat-METAINF%2Fcontext.xml"></a>META-INF/context.xml</h6>

Modified: websites/production/cxf/content/release-management.html
==============================================================================
--- websites/production/cxf/content/release-management.html (original)
+++ websites/production/cxf/content/release-management.html Tue Jul 31 19:56:05 2012
@@ -171,7 +171,7 @@ mvn release:perform
 </div></div>
 <p>That will tag the release, update the poms, etc...  Then build it (off the tag)
and deploy everything (including source jars and javadoc jars) to the Nexus repository location
and gpg signs everything.  When the build is done staging, you need to login to the Nexus
repository and "close" the staging are.    That is very important.   After the staging are
is closed, note the URL for the staging area as you will need that for the vote.</p>
 <div class="panelMacro"><table class="warningMacro"><colgroup span="1"><col
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1"
valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif"
width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1">You
may encounter error like<br clear="none">
-<span class="error">[INFO]</span> Unable to tag SCM<br clear="none">
+<a shape="rect" class="createlink" href="/confluence/pages/createpage.action?spaceKey=CXF&amp;title=INFO&amp;linkCreation=true&amp;fromPageId=70605">INFO</a>
Unable to tag SCM<br clear="none">
 Provider message:<br clear="none">
 The svn tag command failed.<br clear="none">
 Command output:<br clear="none">
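Review bot: the replacement turns the literal log prefix "[INFO]" into a Confluence "createlink" anchor pointing at createpage.action for a page named INFO, so the production site now renders a create-page link inside a quoted error message instead of the text the reader is meant to match against; escape the square brackets in the wiki source (or wrap the quoted output in a code macro) so the export keeps "[INFO]" as plain text. Also in the surrounding context, "close the staging are" appears twice and should read "staging area".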


