cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF > Fediz Configuration
Date Tue, 15 Jan 2013 16:09:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Configuration">Fediz
Configuration</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
        <br/>
                         <h4>Changes (2)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >        &lt;/trustedIssuers&gt;
<br>        &lt;protocol xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;
xsi:type=&quot;federationProtocolType&quot; version=&quot;1.2&quot;&gt;
<br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-changed-words">&lt;issuer&gt;https://localhost:9443/fediz<span
class="diff-added-chars"style="background-color: #dfd;">-</span>idp/&lt;/issuer&gt;</span>
<br></td></tr>
            <tr><td class="diff-unchanged" >        &lt;/protocol&gt;
<br>    &lt;/contextConfig&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >        &lt;/signingKey&gt;
<br>        &lt;protocol xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;
xsi:type=&quot;federationProtocolType&quot; version=&quot;1.2&quot;&gt;
<br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-changed-words">&lt;issuer&gt;https://localhost:9443/fediz<span
class="diff-added-chars"style="background-color: #dfd;">-</span>idp/&lt;/issuer&gt;</span>
<br></td></tr>
            <tr><td class="diff-unchanged" >            &lt;roleDelimiter&gt;,&lt;/roleDelimiter&gt;
<br>            &lt;roleURI&gt;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role&lt;/roleURI&gt;
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizConfiguration-FedizPluginconfiguration"></a>Fediz
Plugin configuration</h1>
<p>This page describes the Fediz configuration file referenced by the security interceptor
of the Servlet Container (e.g. the authenticator in Tomcat/Jetty).</p>

<p>The Fediz configuration information is also used to publish the federation Metadata document,
which is described <a href="/confluence/display/CXF/Fediz+Metadata" title="Fediz Metadata">here</a>.</p>

<h3><a name="FedizConfiguration-Example"></a>Example</h3>
<p>The following example shows the minimum configuration for Fediz.</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;?xml version=<span class="code-quote">"1.0"</span>
encoding=<span class="code-quote">"UTF-8"</span> standalone=<span class="code-quote">"yes"</span>?&gt;</span>
<span class="code-tag">&lt;FedizConfig&gt;</span>
    <span class="code-tag">&lt;contextConfig name=<span class="code-quote">"/fedizhelloworld"</span>&gt;</span>
        <span class="code-tag">&lt;audienceUris&gt;</span>
            <span class="code-tag">&lt;audienceItem&gt;</span>https://localhost:8443/fedizhelloworld<span
class="code-tag">&lt;/audienceItem&gt;</span>
        <span class="code-tag">&lt;/audienceUris&gt;</span>
        <span class="code-tag">&lt;certificateStores&gt;</span>
            <span class="code-tag">&lt;trustManager&gt;</span>
                <span class="code-tag">&lt;keyStore file=<span class="code-quote">"conf/stsstore.jks"</span>
password=<span class="code-quote">"stsspass"</span> type=<span class="code-quote">"JKS"</span>
/&gt;</span>
            <span class="code-tag">&lt;/trustManager&gt;</span>
        <span class="code-tag">&lt;/certificateStores&gt;</span>
        <span class="code-tag">&lt;trustedIssuers&gt;</span>
            <span class="code-tag">&lt;issuer name=<span class="code-quote">"issuer
1"</span> certificateValidation=<span class="code-quote">"ChainTrust"</span>
subject=<span class="code-quote">".*CN=www.sts.com.*"</span> /&gt;</span>
        <span class="code-tag">&lt;/trustedIssuers&gt;</span>
        <span class="code-tag">&lt;protocol <span class="code-keyword">xmlns:xsi</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> xsi:type=<span
class="code-quote">"federationProtocolType"</span> version=<span class="code-quote">"1.2"</span>&gt;</span>
            <span class="code-tag">&lt;issuer&gt;</span>https://localhost:9443/fediz-idp/<span
class="code-tag">&lt;/issuer&gt;</span>
        <span class="code-tag">&lt;/protocol&gt;</span>
    <span class="code-tag">&lt;/contextConfig&gt;</span>
<span class="code-tag">&lt;/FedizConfig&gt;</span>
</pre>
</div></div>

<p>The protocol element declares that the WS-Federation protocol is being used. The
issuer element gives the IDP URL to which unauthenticated requests are redirected with a SignIn
request.</p>

<p>The IDP issues a SAML token which must be validated by the plugin. The validation
requires a certificate store containing the Certificate Authority (or Authorities) that issued the
certificate which signed the SAML token. This is defined in <tt>certificateStores</tt>. The signing
certificate itself is not required because <tt>certificateValidation</tt> is set
to <tt>ChainTrust</tt>; instead, the <tt>subject</tt> attribute identifies the trusted signing
certificate by matching its subject against a regular expression.<br/>
Finally, the audience URI is validated against the audience restriction in the SAML token.</p>
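<p>The following checker is an added example, not Fediz project code. It parses a FedizConfig document (the page's minimum configuration, embedded as a constructed sample) and applies the rules described above and in the reference tables: the required elements must be present, a <tt>ChainTrust</tt> issuer needs a <tt>subject</tt> regex, <tt>maximumClockSkew</tt> falls back to the documented 5 seconds, and a signing certificate's subject DN is matched against the issuer regex. Whole-string regex matching (Java <tt>matches()</tt> semantics) is an assumption.</p>

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the page's minimum configuration, embedded as a string.
SAMPLE_CONFIG = """<FedizConfig>
  <contextConfig name="/fedizhelloworld">
    <audienceUris>
      <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
    </audienceUris>
    <certificateStores>
      <trustManager>
        <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS"/>
      </trustManager>
    </certificateStores>
    <trustedIssuers>
      <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*"/>
    </trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.2">
      <issuer>https://localhost:9443/fediz-idp/</issuer>
    </protocol>
  </contextConfig>
</FedizConfig>"""

def context(xml_text, name="/fedizhelloworld"):
    """Return the contextConfig element for one servlet context (None if absent)."""
    ctxs = ET.fromstring(xml_text).findall("contextConfig")
    return next((c for c in ctxs if c.get("name") == name), None)

def lint(ctx):
    """List violations of the Required/Optional rules from the reference tables."""
    problems = []
    if not ctx.findall("audienceUris/audienceItem"):
        problems.append("audienceUris: at least one audienceItem is required")
    if not ctx.findall("certificateStores//keyStore"):
        problems.append("certificateStores: at least one keyStore is required")
    issuers = ctx.findall("trustedIssuers/issuer")
    if not issuers:
        problems.append("trustedIssuers: at least one issuer is required")
    for iss in issuers:
        mode = iss.get("certificateValidation")
        if mode not in ("ChainTrust", "PeerTrust"):
            problems.append(f"issuer '{iss.get('name')}': bad certificateValidation {mode}")
        elif mode == "ChainTrust" and not iss.get("subject"):
            problems.append(f"issuer '{iss.get('name')}': ChainTrust needs a subject regex")
    return problems

def clock_skew(ctx):
    """Effective maximumClockSkew in seconds; the page documents 5 as the default."""
    skew = (ctx.findtext("maximumClockSkew") or "").strip()
    return int(skew) if skew.isdigit() else 5

def issuer_subject_trusted(ctx, subject_dn):
    """Match a signing cert's subject DN against each issuer's subject regex (full match assumed)."""
    return any(re.fullmatch(i.get("subject"), subject_dn)
               for i in ctx.findall("trustedIssuers/issuer") if i.get("subject"))
```

Because the subject is a regular expression, the unescaped dots in <tt>.*CN=www.sts.com.*</tt> match any character; escape them (<tt>www\.sts\.com</tt>) when the pattern is meant to pin one exact host name.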


<h3><a name="FedizConfiguration-Configurationreference"></a>Configuration
reference</h3>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>XML element </th>
<th class='confluenceTh'>Name </th>
<th class='confluenceTh'>Use </th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'> audienceUris </td>
<td class='confluenceTd'> Audience URI </td>
<td class='confluenceTd'> Required </td>
<td class='confluenceTd'> The values of the list of audience URIs are verified against
the element <tt>AudienceRestriction</tt> in the SAML token </td>
</tr>
<tr>
<td class='confluenceTd'> certificateStores </td>
<td class='confluenceTd'> Trusted certificate store </td>
<td class='confluenceTd'> Required </td>
<td class='confluenceTd'> The list of keystores (JKS, PEM) must include at least the certificate
of the Certificate Authorities (CA) which signed the certificate used to sign the
SAML token.<br/>
If the file location is not fully qualified it is resolved relative to the Container home
directory </td>
</tr>
<tr>
<td class='confluenceTd'> trustedIssuers </td>
<td class='confluenceTd'> Trusted Issuers </td>
<td class='confluenceTd'> Required </td>
<td class='confluenceTd'> There are two ways to configure a trusted issuer (IDP). Either
you configure the subject name and the CA(s) who signed the certificate of the IDP (<tt>certificateValidation=ChainTrust</tt>)
or you configure the certificate of the IDP and the CA(s) who signed it (<tt>certificateValidation=PeerTrust</tt>)</td>
</tr>
<tr>
<td class='confluenceTd'> maximumClockSkew </td>
<td class='confluenceTd'> Maximum Clock Skew </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> Maximum allowable time difference between the system clocks
of the IDP and RP.<br/>
Default 5 seconds. </td>
</tr>
</tbody></table>
</div>



<h5><a name="FedizConfiguration-WSFederationprotocolconfigurationreference"></a>WS-Federation
protocol configuration reference </h5>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>XML element </th>
<th class='confluenceTh'>Name </th>
<th class='confluenceTh'>Use </th>
<th class='confluenceTh'> Metadata </th>
<th class='confluenceTh'> Description</th>
</tr>
<tr>
<td class='confluenceTd'> issuer </td>
<td class='confluenceTd'> Issuer URL </td>
<td class='confluenceTd'> Required </td>
<td class='confluenceTd'> PassiveRequestorEndpoint </td>
<td class='confluenceTd'>This URL defines the location of the IDP to which unauthenticated
requests are redirected </td>
</tr>
<tr>
<td class='confluenceTd'> realm </td>
<td class='confluenceTd'> Realm </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> TargetScope </td>
<td class='confluenceTd'> Security realm of the Relying Party / Application. This value
is part of the SignIn request as the <tt>wtrealm</tt> parameter.<br/>
Default: URL including the Servlet Context </td>
</tr>
<tr>
<td class='confluenceTd'> authenticationType </td>
<td class='confluenceTd'> Authentication Type </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> NA </td>
<td class='confluenceTd'> The authentication type defines what kind of authentication
is required. This information is provided in the SignInRequest to the IDP (parameter <tt>wauth</tt>)<br/>
The WS-Federation standard defines a list of predefined URIs for wauth <a href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"
class="external-link" rel="nofollow">here</a>.</td>
</tr>
<tr>
<td class='confluenceTd'> roleURI </td>
<td class='confluenceTd'> Role Claim URI </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> NA </td>
<td class='confluenceTd'> Defines the attribute name of the SAML token which contains
the roles.<br/>
Required for Role Based Access Control. </td>
</tr>
<tr>
<td class='confluenceTd'> roleDelimiter </td>
<td class='confluenceTd'> Role Value Delimiter </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> NA </td>
<td class='confluenceTd'> There are different ways to encode multi value attributes
in SAML.
<ul>
	<li>Single attribute with multiple values</li>
	<li>Several attributes with the same name but only one value</li>
	<li>Single attribute with single value. Roles are delimited by <tt>roleDelimiter</tt></li>
</ul>
</td>
</tr>
<tr>
<td class='confluenceTd'> claimTypesRequested </td>
<td class='confluenceTd'> Requested claims </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> ClaimTypesRequested </td>
<td class='confluenceTd'> The claims required by the Relying Party are listed here.
Claims can be marked optional. If a mandatory claim can't be provided by the IDP, the issuance of
the token should fail. </td>
</tr>
<tr>
<td class='confluenceTd'> homeRealm </td>
<td class='confluenceTd'> Home Realm </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> NA </td>
<td class='confluenceTd'> Indicates to the Resource IDP the home realm of the requestor.
This may be a URL or an identifier such as urn: or uuid:, depending on the Resource IDP implementation.
This value is sent in the SignIn request as the <tt>whr</tt> parameter </td>
</tr>
<tr>
<td class='confluenceTd'> tokenValidators </td>
<td class='confluenceTd'> TokenValidators </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> NA </td>
<td class='confluenceTd'> Custom Token validator classes can be configured here. The
SAML Token validator is enabled by default.<br/>
See example <a href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java"
class="external-link" rel="nofollow">here</a></td>
</tr>
<tr>
<td class='confluenceTd'> signingKey </td>
<td class='confluenceTd'> Key for Signature </td>
<td class='confluenceTd'> Optional </td>
<td class='confluenceTd'> Metadata signature </td>
<td class='confluenceTd'> If configured, the published WS-Federation <a href="/confluence/display/CXF/Fediz+Metadata"
title="Fediz Metadata">Metadata document</a> is signed by this key. Otherwise it is not
signed.</td>
</tr>
</tbody></table>
</div>
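<p>The three role encodings listed under <tt>roleDelimiter</tt> are easy to get wrong in a consumer of the token, so here is an added example (not Fediz project code) that extracts roles from a constructed SAML 2.0 AttributeStatement using the <tt>roleURI</tt> and <tt>roleDelimiter</tt> values from the advanced example. It assumes the attribute name is compared by exact string equality.</p>

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"

# Constructed sample (not a real token: no Issuer, Signature or Conditions) showing
# all three role encodings the reference table lists, plus one unrelated claim.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{ROLE_URI}">
    <saml:AttributeValue>Admin</saml:AttributeValue>
    <saml:AttributeValue>Manager</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ROLE_URI}">
    <saml:AttributeValue>User</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ROLE_URI}">
    <saml:AttributeValue>Auditor,Guest</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>alice@example.test</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def extract_roles(statement_xml, role_uri=ROLE_URI, role_delimiter=None):
    """Collect roles from every Attribute whose Name equals roleURI (exact match assumed).
    One attribute with many values and many same-named attributes both contribute
    every value; a value is additionally split on roleDelimiter when one is configured."""
    roles = []
    for attr in ET.fromstring(statement_xml).iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != role_uri:
            continue  # some other claim, e.g. the e-mail address above
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            text = (value.text or "").strip()
            parts = text.split(role_delimiter) if role_delimiter else [text]
            roles.extend(p.strip() for p in parts if p.strip())
    return roles
```

Without a configured delimiter the third attribute yields the single role string "Auditor,Guest", which is why the delimiter must match what the IDP actually emits.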




<h5><a name="FedizConfiguration-Attributesresolvedatruntime"></a>Attributes
resolved at runtime</h5>

<p>The following attributes can be either configured statically at deployment time or
dynamically when the initial request is received:</p>
<ul>
	<li>authenticationType</li>
	<li>homeRealm</li>
	<li>issuer</li>
</ul>


<p>These configuration elements allow configuring a CallbackHandler, which receives
a Callback object on which the appropriate value must be set. The CallbackHandler implementation
has access to the HttpServletRequest. The XML attribute <tt>type</tt> must be
set to <tt>Class</tt>.</p>

<p>For more information see <a href="/confluence/display/CXF/Fediz+Extensions" title="Fediz
Extensions">Fediz Extensions</a>.</p>



<h3><a name="FedizConfiguration-Advancedexample"></a>Advanced example</h3>

<p>The following example defines the required claims and configures a custom callback
handler to define some configuration values at runtime.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;?xml version=<span class="code-quote">"1.0"</span>
encoding=<span class="code-quote">"UTF-8"</span> standalone=<span class="code-quote">"yes"</span>?&gt;</span>
<span class="code-tag">&lt;FedizConfig&gt;</span>
    <span class="code-tag">&lt;contextConfig name=<span class="code-quote">"/fedizhelloworld"</span>&gt;</span>
        <span class="code-tag">&lt;audienceUris&gt;</span>
            <span class="code-tag">&lt;audienceItem&gt;</span>https://localhost:8443/fedizhelloworld<span
class="code-tag">&lt;/audienceItem&gt;</span>
        <span class="code-tag">&lt;/audienceUris&gt;</span>
        <span class="code-tag">&lt;certificateStores&gt;</span>
            <span class="code-tag">&lt;keyStore file=<span class="code-quote">"conf/stsstore.jks"</span>
password=<span class="code-quote">"stsspass"</span> type=<span class="code-quote">"file"</span>
/&gt;</span>
        <span class="code-tag">&lt;/certificateStores&gt;</span>
        <span class="code-tag">&lt;maximumClockSkew&gt;</span>10<span
class="code-tag">&lt;/maximumClockSkew&gt;</span>
        <span class="code-tag">&lt;trustedIssuers&gt;</span>
            <span class="code-tag">&lt;issuer name=<span class="code-quote">"issuer
1"</span> certificateValidation=<span class="code-quote">"ChainTrust"</span>
subject=<span class="code-quote">".*CN=www.sts.com.*"</span> /&gt;</span>
        <span class="code-tag">&lt;/trustedIssuers&gt;</span>
        <span class="code-tag">&lt;signingKey keyPassword=<span class="code-quote">"tompass"</span>&gt;</span>
            <span class="code-tag">&lt;keyStore file=<span class="code-quote">"tomcatKeystore.jks"</span>
password=<span class="code-quote">"tompass"</span> type=<span class="code-quote">"JKS"</span>
/&gt;</span>
        <span class="code-tag">&lt;/signingKey&gt;</span>
        <span class="code-tag">&lt;protocol <span class="code-keyword">xmlns:xsi</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> xsi:type=<span
class="code-quote">"federationProtocolType"</span> version=<span class="code-quote">"1.2"</span>&gt;</span>
            <span class="code-tag">&lt;issuer&gt;</span>https://localhost:9443/fediz-idp/<span
class="code-tag">&lt;/issuer&gt;</span>
            <span class="code-tag">&lt;roleDelimiter&gt;</span>,<span
class="code-tag">&lt;/roleDelimiter&gt;</span>
            <span class="code-tag">&lt;roleURI&gt;</span>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role<span
class="code-tag">&lt;/roleURI&gt;</span>
            <span class="code-tag">&lt;claimTypesRequested&gt;</span>
                <span class="code-tag">&lt;claimType type=<span class="code-quote">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"</span>
optional=<span class="code-quote">"true"</span> /&gt;</span>
            <span class="code-tag">&lt;/claimTypesRequested&gt;</span>
            <span class="code-tag">&lt;authenticationType type=<span class="code-quote">"String"</span>
value=<span class="code-quote">"http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard"</span>
/&gt;</span>
            <span class="code-tag">&lt;homeRealm type=<span class="code-quote">"Class"</span>
value=<span class="code-quote">"example.HomeRealmCallbackHandler"</span> /&gt;</span>
            <span class="code-tag">&lt;tokenValidators&gt;</span>
                <span class="code-tag">&lt;validator&gt;</span>org.apache.cxf.fediz.core.CustomValidator<span
class="code-tag">&lt;/validator&gt;</span>
            <span class="code-tag">&lt;/tokenValidators&gt;</span>
        <span class="code-tag">&lt;/protocol&gt;</span>
    <span class="code-tag">&lt;/contextConfig&gt;</span>
<span class="code-tag">&lt;/FedizConfig&gt;</span>
</pre>
</div></div>
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Configuration">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=27846708&revisedVersion=18&originalVersion=17">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Configuration?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
