cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF > Fediz Tomcat
Date Mon, 23 Jul 2012 18:15:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Tomcat">Fediz
Tomcat</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~mazzag">Glen
Mazza</a>
    </h4>
        <div id="versionComment">
        <b>Comment:</b>
        Updated key info.<br />
    </div>
        <br/>
                         <h4>Changes (5)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >    &lt;Connector port=&quot;8443&quot;
protocol=&quot;HTTP/1.1&quot; SSLEnabled=&quot;true&quot; <br>     
         maxThreads=&quot;150&quot; scheme=&quot;https&quot; secure=&quot;true&quot;
<br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">keystoreFile=&quot;tomcatKeystore.jks&quot;</span>
<span class="diff-added-words"style="background-color: #dfd;">keystoreFile=&quot;tomcat-rp.jks&quot;</span>
<br></td></tr>
            <tr><td class="diff-unchanged" >               keystorePass=&quot;tompass&quot;
sslProtocol=&quot;TLS&quot; /&gt; <br>{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >The <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">{{keystoreFile}}</span>
<span class="diff-added-words"style="background-color: #dfd;">keystoreFile</span>
is relative to $CATALINA_HOME. See [here|http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html]
for the Tomcat 7 configuration reference. This page also describes how to create certificates.
<span class="diff-added-words"style="background-color: #dfd;"> Sample Tomcat keystores
(not for production use, but useful for demoing Fediz and running the sample applications)
are provided in the examples/samplekeys folder of the Fediz distribution.</span> <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">*Production:
It&#39;s highly recommended to deploy certificates signed by a Certificate Authority*
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">To
establish trust, there are significant keystore/truststore requirements between the Tomcat
instances and the various web applications (IDP, STS, Relying party applications, third party
web services, etc.)  See [this page|http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co]
for more details, it lists the trust requirements as well as sample scripts for creating your
own (self-signed) keys. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">*Warning:
 All sample keystores provided with Fediz (including in the WAR files for its services and
examples) are for development/prototyping use only.  They&#39;ll need to be replaced for
production use, at a minimum with your own self-signed keys but strongly recommended to use
third-party signed keys.* <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >A Valve can be configured on different
levels like _Host_ or _Context_. The Fediz configuration file allows to configure all servlet
contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz
configuration file per Servlet Context then you must configure the FederationAuthenticator
on the _Context_ level otherwise on the _Host_ level in the Tomcat configuration file _server.xml_
<br> <br></td></tr>
            <tr><td class="diff-unchanged" >You can either configure the context
in the server.xml or in META-INF/context.xml as part of your WAR file.  (The sample RP applications
bundled with Fediz already have this configured via the latter option.) <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizTomcat-TomcatPlugin"></a>Tomcat Plugin</h1>
<p>This page describes how to enable Federation in Tomcat. This Tomcat instance acts
as the Relying Party which means it validates the incoming SignInResponse which has been created
by the Identity Provider (IDP) server.</p>

<h3><a name="FedizTomcat-Installation"></a>Installation</h3>

<p>You can either build the Fediz plugin on your own or download the package <a href="/confluence/display/CXF/Fediz+Downloads"
title="Fediz Downloads">here</a>. If you have built the plugin on your own you'll
find the required libraries in <tt>plugins/tomcat/target/...zip-with-dependencies.zip</tt></p>

<ol>
	<li>Create sub-directory <tt>fediz</tt> in <tt>${catalina.home}/lib</tt></li>
	<li>Update calatina.properties in ${catalina.home}/conf<br/>
add the previously created directory to the common loader:<br/>
<tt>common.loader=${catalina.base}/lib,${catalina.base}/lib/&#42;.jar,${catalina.home}/lib,${catalina.home}/lib/&#42;.jar,${catalina.home}/lib/fediz/&#42;.jar</tt></li>
	<li>Deploy the libraries to the directory created in (1)</li>
</ol>



<h3><a name="FedizTomcat-Configuration"></a>Configuration</h3>

<h5><a name="FedizTomcat-HTTPSconfiguration"></a>HTTPS configuration</h5>

<p>It's recommended to set up a dedicated (separate) Tomcat instance for the Relying
Party. The Fediz examples requires configuring the following TCP ports:</p>
<ul>
	<li>HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)</li>
	<li>HTTPS port: 8443 (where IDP and STS are accessed)</li>
</ul>


<p>The Relying Party must be accessed over HTTPS to protect the security tokens issued
by the IDP.</p>

<p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p>

<p>This is a sample snippet for an HTTPS configuration:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
    &lt;Connector port=<span class="code-quote">"8443"</span> protocol=<span
class="code-quote">"HTTP/1.1"</span> SSLEnabled=<span class="code-quote">"true"</span>
               maxThreads=<span class="code-quote">"150"</span> scheme=<span
class="code-quote">"https"</span> secure=<span class="code-quote">"true"</span>
               keystoreFile=<span class="code-quote">"tomcat-rp.jks"</span>
               keystorePass=<span class="code-quote">"tompass"</span> sslProtocol=<span
class="code-quote">"TLS"</span> /&gt;
</pre>
</div></div>

<p>The keystoreFile is relative to $CATALINA_HOME. See <a href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html"
class="external-link" rel="nofollow">here</a> for the Tomcat 7 configuration reference.
This page also describes how to create certificates.  Sample Tomcat keystores (not for production
use, but useful for demoing Fediz and running the sample applications) are provided in the
examples/samplekeys folder of the Fediz distribution.</p>

<p>To establish trust, there are significant keystore/truststore requirements between
the Tomcat instances and the various web applications (IDP, STS, Relying party applications,
third party web services, etc.)  See <a href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co"
class="external-link" rel="nofollow">this page</a> for more details, it lists the
trust requirements as well as sample scripts for creating your own (self-signed) keys.</p>

<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR
files for its services and examples) are for development/prototyping use only.  They'll need
to be replaced for production use, at a minimum with your own self-signed keys but strongly
recommended to use third-party signed keys.</b></p>


<h5><a name="FedizTomcat-FedizPluginconfigurationforYourWebApplication"></a>Fediz
Plugin configuration for Your Web Application</h5>

<p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz
Configuration">here</a>.</p>

<p>The Fediz plugin requires configuring the FederationAuthenticator like any other
Valve in Tomcat. Detailed information about the Tomcat Valve concept is available <a href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html"
class="external-link" rel="nofollow">here</a>.</p>

<p>A Valve can be configured on different levels like <em>Host</em> or <em>Context</em>.
The Fediz configuration file allows to configure all servlet contexts in one file or choosing
one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet
Context then you must configure the FederationAuthenticator on the <em>Context</em>
level otherwise on the <em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p>

<p>You can either configure the context in the server.xml or in META-INF/context.xml
as part of your WAR file.  (The sample RP applications bundled with Fediz already have this
configured via the latter option.)</p>

<h6><a name="FedizTomcat-METAINF%2Fcontext.xml"></a>META-INF/context.xml</h6>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml"> 
  <span class="code-tag">&lt;Context&gt;</span> 
    &lt;Valve className=<span class="code-quote">"org.apache.cxf.fediz.tomcat.FederationAuthenticator"</span>
      configFile=<span class="code-quote">"conf/Fediz_config.xml"</span> /&gt;
  <span class="code-tag">&lt;/Context&gt;</span> 
</pre>
</div></div>

<h6><a name="FedizTomcat-Hostlevelinserver.xml"></a>Host level in server.xml</h6>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml"> 
  &lt;Host name=<span class="code-quote">"localhost"</span>  appBase=<span
class="code-quote">"webapps"</span>
        unpackWARs=<span class="code-quote">"true"</span> autoDeploy=<span
class="code-quote">"true"</span>&gt;
    &lt;Valve className=<span class="code-quote">"org.apache.cxf.fediz.tomcat.FederationAuthenticator"</span>
           configFile=<span class="code-quote">"conf/Fediz_config.xml"</span>
/&gt;
  <span class="code-tag">&lt;/Host&gt;</span>
</pre>
</div></div> 

<h6><a name="FedizTomcat-Contextlevelinserver.xml"></a>Context level in
server.xml</h6>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml"> 
  <span class="code-tag">&lt;Context path=<span class="code-quote">"/fedizhelloworld"</span>
docBase=<span class="code-quote">"fedizhelloworld"</span>&gt;</span>
    &lt;Valve className=<span class="code-quote">"org.apache.cxf.fediz.tomcat.FederationAuthenticator"</span>
      configFile=<span class="code-quote">"conf/Fediz_config.xml"</span> /&gt;
  <span class="code-tag">&lt;/Context&gt;</span>
</pre>
</div></div>

<p>The Fediz configuration file is a Servlet container independent configuration file
and described <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz Configuration">here</a></p>

<h3><a name="FedizTomcat-WebApplicationdeployment"></a>Web Application deployment</h3>

<p>Deploy your Web Application to your Tomcat installation (&lt;catalina.home&gt;/webapps).</p>

<h3><a name="FedizTomcat-FederationMetadatadocument"></a>Federation Metadata
document</h3>

<p>The Tomcat Fediz plugin supports publishing the WS-Federation Metadata document which
is described <a href="/confluence/display/CXF/Fediz+Metadata" title="Fediz Metadata">here</a>.</p>



    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Tomcat">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=27846677&revisedVersion=15&originalVersion=14">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Tomcat?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message