cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF > Fediz Spring
Date Thu, 07 Mar 2013 12:54:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Spring">Fediz
Spring</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~owulff@apache.org">Oliver
Wulff</a>
    </h4>
        <br/>
                         <h4>Changes (10)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >The Fediz related configuration is
done in a Servlet Container independent configuration file which is described [here|Fediz
Configuration]. <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h5.
Spring Security Configuration <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
following configuration snippets illustrate the Fediz related configuration. The complete
configuration file can be found in the example _springPreAuthWebapp_. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">{code:xml|title=applicationContext-security.xml|borderStyle=solid}
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
   &lt;bean id=&quot;preAuthenticatedUserDetailsService&quot; <br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">{code:xml}</span>
<span class="diff-added-words"style="background-color: #dfd;">class=&quot;org.apache.cxf.fediz.spring.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsFederationService&quot;/&gt;</span>
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>    &lt;bean id=&quot;j2eePreAuthFilter&quot; class=&quot;org.apache.cxf.fediz.spring.preauth.FederationPreAuthenticatedProcessingFilter&quot;&gt;
<br>        &lt;property name=&quot;authenticationManager&quot; ref=&quot;authenticationManager&quot;/&gt;
<br>        &lt;property name=&quot;authenticationDetailsSource&quot;&gt;
<br>            &lt;bean class=&quot;org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource&quot;&gt;
<br>                &lt;property name=&quot;mappableRolesRetriever&quot;&gt;
<br>                    &lt;bean class=&quot;org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever&quot;
/&gt; <br>                &lt;/property&gt; <br>                &lt;property
name=&quot;userRoles2GrantedAuthoritiesMapper&quot;&gt; <br>           
        &lt;bean class=&quot;org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper&quot;&gt;
<br>                        &lt;property name=&quot;convertAttributeToUpperCase&quot;
value=&quot;true&quot;/&gt; <br>                    &lt;/bean&gt;
<br>                &lt;/property&gt; <br>            &lt;/bean&gt;
<br>        &lt;/property&gt; <br>    &lt;/bean&gt; <br>
<br>    &lt;bean id=&quot;fsi&quot; class=&quot;org.springframework.security.web.access.intercept.FilterSecurityInterceptor&quot;&gt;
<br>        &lt;property name=&quot;authenticationManager&quot; ref=&quot;authenticationManager&quot;/&gt;
<br>        &lt;property name=&quot;accessDecisionManager&quot; ref=&quot;httpRequestAccessDecisionManager&quot;/&gt;
<br>        &lt;property name=&quot;securityMetadataSource&quot;&gt;
<br>            &lt;sec:filter-invocation-definition-source&gt; <br> 
              &lt;sec:intercept-url pattern=&quot;/secure/manager/**&quot; access=&quot;ROLE_MANAGER&quot;/&gt;
<br>                &lt;sec:intercept-url pattern=&quot;/secure/admin/**&quot;
access=&quot;ROLE_ADMIN&quot;/&gt; <br>                &lt;sec:intercept-url
pattern=&quot;/secure/user/**&quot; access=&quot;ROLE_USER,ROLE_ADMIN,ROLE_MANAGER&quot;/&gt;
<br>                &lt;sec:intercept-url pattern=&quot;/secure/fedservlet&quot;
access=&quot;ROLE_USER,ROLE_ADMIN,ROLE_MANAGER,ROLE_AUTHENTICATED&quot;/&gt; <br>
           &lt;/sec:filter-invocation-definition-source&gt; <br>        &lt;/property&gt;
<br>    &lt;/bean&gt; <br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
beans _preAuthenticatedUserDetailsService_ and _j2eePreAuthFilter_ are required to provide
the Fediz related security information (claims, login token) to the Spring Security Context.
The bean _fsi_ defines the authorization for the web requests which looks similar to security
constraints definition in {{web.xml}}. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
following code snippet of the FederationServlet example illustrates how to get access to the
Spring Security Context of the current user. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">{code:title=FederationServlet.java|borderStyle=solid}
<br>    Authentication obj = SecurityContextHolder.getContext().getAuthentication();
<br>{code} <br> <br>The {{Authentication}} object can be casted to the {{FederationAuthentiationToken}}
which provides access to Claims, login token, etc. <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h3. Web Application deployment <br>
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Deploy
your Web Application to your Jetty installation (&lt;jetty.home&gt;/webapps).  If
you&#39;re running the Fediz examples, their README files will have instructions on how
to do this. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h3. Federation Metadata
document <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizSpring-SpringSecurityPlugin%281.1SNAPSHOT%29"></a>Spring
Security Plugin (1.1 SNAPSHOT)</h1>

<p>This page describes how to enable Federation for a <a href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html"
class="external-link" rel="nofollow">Spring Security</a> based Web Application. Spring
Security provides more authorization capabilities than defined in the Java Servlet specification.
Beyond authorizing web requests Spring Security supports authorizing whether methods can be
invoked and authorizing access to individual domain object instances. Further, Spring Security
supports two deployment options. On the one hand, authentication and authorization is enforced
by the underlying Servlet Container or on the other hand by Spring Security embedded with
the application. The former ensures that the application is only called if authentication
is successful. This can be controlled by an administrator/operator. This option is called
<a href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/preauth.html"
class="external-link" rel="nofollow">Pre-Authentication</a>. The latter gives all
the control to the application developer and removes the dependency to security configuration
in the Servlet Container. This simplifies deploying an application into different Serlvet
Container environments.</p>

<p>Both options are valid and it mainly depends on the policies/requirements within
a company which is a better fit. Questions to be answered are: Who should manage the security
enforcement (Application developer, Administrator)? Do you have to deploy the application
into different Servlet Container environments?</p>

<p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP
and STS on the Tomcat IDP instance as discussed <a href="/confluence/display/CXF/Fediz+IDP"
title="Fediz IDP">here</a>, and can view the STS WSDL at the URL given on that page.</p>

<h3><a name="FedizSpring-Installation"></a>Installation</h3>

<p>You can either build the Fediz plugin on your own, download the package <a href="/confluence/display/CXF/Fediz+Downloads"
title="Fediz Downloads">here</a> or add the dependency to your Maven project. If
you have built the plugin on your own you'll find the required libraries in <tt>plugins/spring/target/...zip-with-dependencies.zip</tt></p>

<p>It's recommended to use Maven to resolve all the dependencies as illustrated in the
two examples <em>springWebapp</em> and <em>springPreAuthWebapp</em>.
Each example contains a README with instructions for building and deployment.</p>

<h3><a name="FedizSpring-ConfigureWebApplication%28PreAuthentication%29"></a>Configure
Web Application (Pre-Authentication)</h3>

<p>The role of the Fediz Spring plugin in the case of Servlet Container managed security
is to adapt the security context of the Servlet Container to the Spring Security Context.
This allows to configure authorization for web requests and method calls based on Spring Security.</p>

<h5><a name="FedizSpring-FedizPluginconfigurationforYourWebApplication"></a>Fediz
Plugin configuration for Your Web Application</h5>

<p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz
Configuration">here</a>.</p>

<h5><a name="FedizSpring-SpringSecurityConfiguration"></a>Spring Security
Configuration</h5>

<p>The following configuration snippets illustrate the Fediz related configuration.
The complete configuration file can be found in the example <em>springPreAuthWebapp</em>.</p>

<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext-security.xml</b></div><div
class="codeContent panelContent">
<pre class="code-xml">

    &lt;bean id=<span class="code-quote">"preAuthenticatedUserDetailsService"</span>
            class=<span class="code-quote">"org.apache.cxf.fediz.spring.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsFederationService"</span>/&gt;
   
    
    <span class="code-tag">&lt;bean id=<span class="code-quote">"j2eePreAuthFilter"</span>
class=<span class="code-quote">"org.apache.cxf.fediz.spring.preauth.FederationPreAuthenticatedProcessingFilter"</span>&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"authenticationManager"</span>
ref=<span class="code-quote">"authenticationManager"</span>/&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"authenticationDetailsSource"</span>&gt;</span>
            <span class="code-tag">&lt;bean class=<span class="code-quote">"org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource"</span>&gt;</span>
                <span class="code-tag">&lt;property name=<span class="code-quote">"mappableRolesRetriever"</span>&gt;</span>
                    <span class="code-tag">&lt;bean class=<span class="code-quote">"org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"</span>
/&gt;</span>
                <span class="code-tag">&lt;/property&gt;</span>
                <span class="code-tag">&lt;property name=<span class="code-quote">"userRoles2GrantedAuthoritiesMapper"</span>&gt;</span>
                    <span class="code-tag">&lt;bean class=<span class="code-quote">"org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper"</span>&gt;</span>
                        <span class="code-tag">&lt;property name=<span class="code-quote">"convertAttributeToUpperCase"</span>
value=<span class="code-quote">"true"</span>/&gt;</span>
                    <span class="code-tag">&lt;/bean&gt;</span>
                <span class="code-tag">&lt;/property&gt;</span>
            <span class="code-tag">&lt;/bean&gt;</span>
        <span class="code-tag">&lt;/property&gt;</span>
    <span class="code-tag">&lt;/bean&gt;</span>

    <span class="code-tag">&lt;bean id=<span class="code-quote">"fsi"</span>
class=<span class="code-quote">"org.springframework.security.web.access.intercept.FilterSecurityInterceptor"</span>&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"authenticationManager"</span>
ref=<span class="code-quote">"authenticationManager"</span>/&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"accessDecisionManager"</span>
ref=<span class="code-quote">"httpRequestAccessDecisionManager"</span>/&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"securityMetadataSource"</span>&gt;</span>
            <span class="code-tag">&lt;sec:filter-invocation-definition-source&gt;</span>
                <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/manager/**"</span>
access=<span class="code-quote">"ROLE_MANAGER"</span>/&gt;</span>
                <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/admin/**"</span>
access=<span class="code-quote">"ROLE_ADMIN"</span>/&gt;</span>
                <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/user/**"</span>
access=<span class="code-quote">"ROLE_USER,ROLE_ADMIN,ROLE_MANAGER"</span>/&gt;</span>
                <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/fedservlet"</span>
access=<span class="code-quote">"ROLE_USER,ROLE_ADMIN,ROLE_MANAGER,ROLE_AUTHENTICATED"</span>/&gt;</span>
            <span class="code-tag">&lt;/sec:filter-invocation-definition-source&gt;</span>
        <span class="code-tag">&lt;/property&gt;</span>
    <span class="code-tag">&lt;/bean&gt;</span>
</pre>
</div></div>

<p>The beans <em>preAuthenticatedUserDetailsService</em> and <em>j2eePreAuthFilter</em>
are required to provide the Fediz related security information (claims, login token) to the
Spring Security Context. The bean <em>fsi</em> defines the authorization for the
web requests which looks similar to security constraints definition in <tt>web.xml</tt>.</p>

<p>The following code snippet of the FederationServlet example illustrates how to get
access to the Spring Security Context of the current user.</p>

<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div
class="codeContent panelContent">
<pre class="code-java">
    Authentication obj = SecurityContextHolder.getContext().getAuthentication();
</pre>
</div></div>

<p>The <tt>Authentication</tt> object can be casted to the <tt>FederationAuthentiationToken</tt>
which provides access to Claims, login token, etc.</p>

<h3><a name="FedizSpring-WebApplicationdeployment"></a>Web Application deployment</h3>


<h3><a name="FedizSpring-FederationMetadatadocument"></a>Federation Metadata
document</h3>

<p>The Jetty Fediz plugin supports publishing the WS-Federation Metadata document which
is described <a href="/confluence/display/CXF/Fediz+Metadata" title="Fediz Metadata">here</a>.</p>



    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Spring">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=30756705&revisedVersion=4&originalVersion=3">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Spring?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message