cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r827616 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-kerberos.html docs/ws-securitypolicy.html
Date Wed, 01 Aug 2012 14:47:28 GMT
Author: buildbot
Date: Wed Aug  1 14:47:27 2012
New Revision: 827616

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jaxrs-kerberos.html
    websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-kerberos.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-kerberos.html (original)
+++ websites/production/cxf/content/docs/jaxrs-kerberos.html Wed Aug  1 14:47:27 2012
@@ -124,7 +124,7 @@ Apache CXF -- JAXRS Kerberos
 <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">
JAX-RS Kerberos Support </span></p>
 
 <div>
-<ul><li><a shape="rect" href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-Kerberos">Kerberos</a></li><li><a
shape="rect" href="#JAXRSKerberos-HTTPNegotiatescheme">HTTP Negotiate scheme</a></li><li><a
shape="rect" href="#JAXRSKerberos-GSSAPI">GSS API</a></li></ul><li><a
shape="rect" href="#JAXRSKerberos-Clientconfiguration">Client configuration</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a
shape="rect" href="#JAXRSKerberos-Interceptor">Interceptor</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-AuthorizationPolicy">Authorization Policy</a></li><li><a
shape="rect" href="#JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the service
principal name</a></li><li><a shape="rect" href="#JAXRSKerberos-UsingJAASConfiguration">Using
JAAS Configuration</a></li></ul></ul><li><a shape="rect"
href="#JAXRSKerberos-Serverconfiguration">Server configuration</a></li><li><a
shape="
 rect" href="#JAXRSKerberos-CredentialDelegation">Credential Delegation</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAXRSKerberos-Introduction">Introduction</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-Kerberos">Kerberos</a></li><li><a
shape="rect" href="#JAXRSKerberos-HTTPNegotiatescheme">HTTP Negotiate scheme</a></li><li><a
shape="rect" href="#JAXRSKerberos-GSSAPI">GSS API</a></li></ul><li><a
shape="rect" href="#JAXRSKerberos-Clientconfiguration">Client configuration</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-HTTPConduit">HTTPConduit</a></li><li><a
shape="rect" href="#JAXRSKerberos-Interceptor">Interceptor</a></li><ul><li><a
shape="rect" href="#JAXRSKerberos-AuthorizationPolicy">Authorization Policy</a></li><li><a
shape="rect" href="#JAXRSKerberos-Configuringtheserviceprincipalname">Configuring the service
principal name</a></li><li><a shape="rect" href="#JAXRSKerberos-UsingJAASConfiguration">Using
JAAS Configuration</a></li></ul></ul><li><a shape="rect"
href="#JAXRSKerberos-Serverconfiguration">Server configuration</a></li><ul><li><a
sha
 pe="rect" href="#JAXRSKerberos-ServiceprincipalnameandJAASConfiguration">Service principal
name and JAAS Configuration</a></li><li><a shape="rect" href="#JAXRSKerberos-CallbackHandler">CallbackHandler</a></li></ul><li><a
shape="rect" href="#JAXRSKerberos-CredentialDelegation">Credential Delegation</a></li></ul></div>
 
 <h1><a shape="rect" name="JAXRSKerberos-Introduction"></a>Introduction</h1>
 <h2><a shape="rect" name="JAXRSKerberos-Kerberos"></a>Kerberos</h2>
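Review bot: The nested lists in this TOC are emitted as siblings of `</li>` rather than as children of an `<li>` (`...Client configuration</a></li><ul><li>...`), which is not valid HTML list nesting; since the markup is Confluence export output, the fix belongs in the wiki page rather than in a hand edit here. The two new Server configuration sub-entries, `#JAXRSKerberos-ServiceprincipalnameandJAASConfiguration` and `#JAXRSKerberos-CallbackHandler`, do match the `name` attributes of the `<h2>` anchors added further down in the same file, so the in-page links resolve.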
@@ -182,7 +182,103 @@ Book b = wc.get(Book.class);
 
 <h1><a shape="rect" name="JAXRSKerberos-Serverconfiguration"></a>Server
configuration</h1>
 
+<p>org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter can be used to protected
JAX-RS endpoints and enforce that a Negotiate authentication scheme is used by clients, example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"kerberosFilter"</span>
class=<span class="code-quote">"org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter"</span>&gt;</span>
+   <span class="code-tag">&lt;property name=<span class="code-quote">"loginContextName"</span>
value=<span class="code-quote">"KerberosServiceKeyTab"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+
+<span class="code-tag">&lt;jaxrs:server&gt;</span>
+  <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+    <span class="code-tag">&lt;bean class=<span class="code-quote">"org.mycompany.MyCompanyResource"</span>/&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+  <span class="code-tag">&lt;jaxrs:providers&gt;</span>
+    <span class="code-tag">&lt;ref bean=<span class="code-quote">"kerberosFilter"</span>&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
+</pre>
+</div></div>
+
+<p>KerberosAuthenticationFilter will set a CXF <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/SecurityContext.java">SecurityContext</a>
on the current message if the authentication has been successful. This SecurityContext will
return an instance of KerberosAuthenticationFilter$KerberosPrincipal, this Principal will
return a 'simple' and 'kerberos' source principal names, example, given "HTTP/localhost@myrealm.com",
Principal#getName will return "HTTP/localhost", and KerberosPrincipal#getKerberosName will
return "HTTP/localhost@myrealm.com".</p>
+
+<h2><a shape="rect" name="JAXRSKerberos-ServiceprincipalnameandJAASConfiguration"></a>Service
principal name and JAAS Configuration</h2>
+
+<p>Service principal name and JAAS Configuration can be optionally set up the same
way they can be with KerberosAuthOutInterceptor, using 'servicePrincipalName' + 'realm' and
"loginConfig" properties. </p>
+
+<h2><a shape="rect" name="JAXRSKerberos-CallbackHandler"></a>CallbackHandler</h2>
+
+<p>javax.security.auth.callback.CallbackHandler needs to be registered if no Kerberos
key tabs are used, here is an example of setting it up from Java:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+<span class="code-keyword">public</span> class TestResource {
+ <span class="code-keyword">public</span> <span class="code-keyword">static</span>
void main(<span class="code-object">String</span>[] args) {
+   JAXRSServerFactoryBean sf = <span class="code-keyword">new</span> JAXRSServerFactoryBean();
+   sf.setResourceClasses(BookStore.class);
+   KerberosAuthenticationFilter filter = <span class="code-keyword">new</span>
KerberosAuthenticationFilter();
+   filter.setLoginContextName(<span class="code-quote">"KerberosServer"</span>);
+   
+   CallbackHandler handler = 
+     <span class="code-keyword">new</span> org.apache.cxf.interceptor.security.NamePasswordCallbackHandler(<span
class="code-quote">"HTTP/localhost"</span>, <span class="code-quote">"http"</span>);

+   filter.setCallbackHandler(handler);
+
+   <span class="code-comment">//filter.setLoginContextName(<span class="code-quote">"KerberosServerKeyTab"</span>);
+</span>   <span class="code-comment">//filter.setServicePrincipalName(<span
class="code-quote">"HTTP/ktab"</span>);
+</span>   sf.setProvider(filter);
+   sf.setAddress(<span class="code-quote">"http:<span class="code-comment">//localhost:"</span>
+ PORT + <span class="code-quote">"/"</span>);
+</span>      
+   sf.create();
+ }
+}
+</pre>
+</div></div> 
+
+
 <h1><a shape="rect" name="JAXRSKerberos-CredentialDelegation"></a>Credential
Delegation</h1>
+
+<p>Please see this <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-CredentialDelegation">section</a>
on the way client-side credential delegation can be both enabled and implemented at the HTTP
conduit level.</p>
+
+<p>Note that if you have a JAX-RS KerberosAuthenticationFilter protecting the endpoints,
then the filter will have an  org.ietf.jgss.GSSContext instance available in the current CXF
SecurityContext, via its KerberosAuthenticationFilter$KerberosSecurityContext implementation,
which can be used to get to  org.ietf.jgss.GSSCredential if the credential delegation is supported
for a given source principal. The current credential if any can be set as a client property
next, for example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+
+<span class="code-keyword">import</span> org.ietf.jgss.GSSCredential;
+
+<span class="code-keyword">import</span> org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter;
+<span class="code-keyword">import</span> org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext;
+
+@Path(<span class="code-quote">"service"</span>)
+<span class="code-keyword">public</span> class MyResource {
+
+   @Context 
+   <span class="code-keyword">private</span> javax.ws.rs.core.SecurityContext
securityContext;
+
+   @GET
+   <span class="code-keyword">public</span> Book getBookFromKerberosProtectedStore()
{
+       WebClient wc = webClient.create(<span class="code-quote">"http:<span class="code-comment">//internal.com/store"</span>);
+</span>       <span class="code-keyword">if</span> (securityContext <span
class="code-keyword">instanceof</span> KerberosSecurityContext) {
+           KerberosSecurityContext ksc = (KerberosSecurityContext)securityContext;
+           GSSCredential cred = ksc.getGSSContext().getDelegCred();
+           <span class="code-keyword">if</span> (cred != <span class="code-keyword">null</span>)
{
+               WebClient.getConfig(wc).getRequestContext().put(GSSCredential.class.getName(),
cred);
+           } 
+       }
+       <span class="code-keyword">return</span> wc.get(Book.class); 
+   }
+
+}
+</pre>
+</div></div>
+
+<p>The HTTPConduit or KerberosAuthOutInterceptor handler will use the available GSSCredential.</p>
+
+
+<p>Also note that KerberosAuthOutInterceptor can have its "credDelegation" property
set to "true" if it is used instead of HTTPConduit on the client side, when enabling the delegation
initially.</p>
+
 </div>
            </div>
            <!-- Content -->
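Review bot: Two defects in the new examples will bite anyone who copies them: in the Credential Delegation resource, `WebClient wc = webClient.create("http://internal.com/store");` calls `create` on an undefined lowercase `webClient` instead of the static `WebClient.create(...)`, and in the Spring snippet `<ref bean="kerberosFilter">` is never closed, so it should read `<ref bean="kerberosFilter"/>`. Also "can be used to protected JAX-RS endpoints" should be "protect". On the security side, the CallbackHandler example builds `new NamePasswordCallbackHandler("HTTP/localhost", "http")`, i.e. the service principal's password as a string literal in server code; the prose says a CallbackHandler is only needed when no keytab is used, so it would help to state that the literal is test setup and that the keytab login context (`KerberosServiceKeyTab` in the first snippet) is the production option. The delegation code correctly guards `ksc.getGSSContext().getDelegCred()` with a null check, since no delegated credential exists unless the caller enabled delegation, as the surrounding text notes.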

Modified: websites/production/cxf/content/docs/ws-securitypolicy.html
==============================================================================
--- websites/production/cxf/content/docs/ws-securitypolicy.html (original)
+++ websites/production/cxf/content/docs/ws-securitypolicy.html Wed Aug  1 14:47:27 2012
@@ -158,10 +158,17 @@ Apache CXF -- WS-SecurityPolicy
 </div>
 
 
+<h4><a shape="rect" name="WS-SecurityPolicy-Booleanconfigurationtags%2Ce.g.thevalueshouldbe%22true%22or%22false%22."></a>Boolean
configuration tags, e.g. the value should be "true" or "false".</h4>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.validate.token </td><td colspan="1" rowspan="1"
class="confluenceTd"> Whether to validate the password of a received UsernameToken or not.
The default is true.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
ws-security.enableRevocation </td><td colspan="1" rowspan="1" class="confluenceTd">
Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust in
a certificate. The default value is "false".</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> ws-security.username-token.always.encrypted </td><td
colspan="1" rowspan="1" class="confluenceTd"> Whether to always encrypt UsernameTokens
whenever possible. The default is true.</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> ws-security.is-bsp-compliant </td><td colspan="1"
rowspan="1" class="confluenceTd"> Whether to ensure compliance with the Basic Securit
 y Profile (BSP) 1.1 or not. The default value is "true". </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.self-sign-saml-assertion </td><td
colspan="1" rowspan="1" class="confluenceTd"> Whether to self-sign a SAML Assertion or
not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion
is constructed. The default is false. </td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.enable.nonce.cache </td><td colspan="1" rowspan="1"
class="confluenceTd"> Whether to cache UsernameToken nonces. See <a shape="rect" href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_NONCE_CACHE">here</a>
for more information.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
ws-security.enable.timestamp.cache </td><td colspan="1" rowspan="1" class="confluenceTd">
Whether to cache Timestamp Created Strings. See <a shape="rect" href="http://cxf.apache.org/
 javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENABLE_TIMESTAMP_CACHE">here</a>
for more information.</td></tr></tbody></table>
+</div>
+
+
 <h4><a shape="rect" name="WS-SecurityPolicy-Otherproperties"></a>Other
properties</h4>
 
 <div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.subject.cert.constraints </td><td colspan="1"
rowspan="1" class="confluenceTd"> This configuration tag is a comma separated String of
regular expressions which will be applied to the subject DN of the certificate used for signature
validation, after trust verification of the certificate chain associated with the  certificate.
These constraints are not used when the certificate is contained in the keystore (direct trust).
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.is-bsp-compliant
</td><td colspan="1" rowspan="1" class="confluenceTd"> Whether to ensure compliance
with the Basic Security Profile (BSP) 1.1 or not. The default value is "true". </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> ws-security.timestamp.futureTimeToLive </td><td
colspan="1" rowspan="1" class="confluenceTd"> This configuration tag specifies the time
in s
 econds in the future within which the Created time of an incoming Timestamp is valid. WSS4J
rejects by default any timestamp which is "Created" in the future, and so there could potentially
be<br clear="none" class="atl-forced-newline">
+<table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1"
class="confluenceTd"> ws-security.subject.cert.constraints </td><td colspan="1"
rowspan="1" class="confluenceTd"> This configuration tag is a comma separated String of
regular expressions which will be applied to the subject DN of the certificate used for signature
validation, after trust verification of the certificate chain associated with the  certificate.
These constraints are not used when the certificate is contained in the keystore (direct trust).
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> ws-security.timestamp.futureTimeToLive
</td><td colspan="1" rowspan="1" class="confluenceTd"> This configuration tag
specifies the time in seconds in the future within which the Created time of an incoming Timestamp
is valid. WSS4J rejects by default any timestamp which is "Created" in the future, and so
there could potentially be<br clear="none" class="atl-forced-newline">
  problems in a scenario where a client's clock is slightly askew. The default value for this
parameter is "0", meaning that no future-created Timestamps are allowed. </td></tr></tbody></table>
 </div>
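Review bot: In the new Boolean table the heading says "e.g. the value should be "true" or "false"" where "i.e." is meant, and defaults are stated inconsistently (`The default is true.` versus `The default value is "false".`); the `ws-security.enable.nonce.cache` and `ws-security.enable.timestamp.cache` rows give no default at all and only link to the javadoc, unlike every other row. Two of these flags deserve a one-line warning because their setting weakens verification: `ws-security.validate.token` set to "false" switches off password validation of a received UsernameToken, and `ws-security.enableRevocation` defaults to "false", so CRL checking is not performed during certificate trust verification unless it is enabled explicitly. Moving `ws-security.is-bsp-compliant` out of "Other properties" into this table is the right call, since the removed and added rows are word-for-word identical.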
 


