cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r853477 - in /websites/production/cxf/content: cache/main.pageCache fediz-spring.html
Date Thu, 07 Mar 2013 13:48:14 GMT
Author: buildbot
Date: Thu Mar  7 13:48:14 2013
New Revision: 853477

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-spring.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-spring.html
==============================================================================
--- websites/production/cxf/content/fediz-spring.html (original)
+++ websites/production/cxf/content/fediz-spring.html Thu Mar  7 13:48:14 2013
@@ -138,7 +138,9 @@ Apache CXF -- Fediz Spring
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1><a shape="rect" name="FedizSpring-SpringSecurityPlugin%281.1SNAPSHOT%29"></a>Spring
Security Plugin (1.1 SNAPSHOT)</h1>
 
-<p>This page describes how to enable Federation for a <a shape="rect" class="external-link"
href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html"
rel="nofollow">Spring Security</a> based Web Application. Spring Security provides
more authorization capabilities than defined in the Java Servlet specification. Beyond authorizing
web requests Spring Security supports authorizing whether methods can be invoked and authorizing
access to individual domain object instances. Further, Spring Security supports two deployment
options. On the one hand, authentication and authorization is enforced by the underlying Servlet
Container or on the other hand by Spring Security embedded with the application. The former
ensures that the application is only called if authentication is successful. This can be controlled
by an administrator/operator. This option is called <a shape="rect" class="external-link"
href="http://static.springsource.org/spring-
 security/site/docs/3.1.x/reference/preauth.html" rel="nofollow">Pre-Authentication</a>.
The latter gives all the control to the application developer and removes the dependency to
security configuration in the Servlet Container. This simplifies deploying an application
into different Serlvet Container environments.</p>
+<p>This page describes how to enable Federation for a <a shape="rect" class="external-link"
href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html"
rel="nofollow">Spring Security</a> based Web Application. Spring Security provides
more authorization capabilities than defined in the Java Servlet specification. Beyond authorizing
web requests Spring Security supports authorizing whether methods can be invoked and authorizing
access to individual domain object instances.</p>
+
+<p>Spring Security supports two deployment options. On the one hand, authentication
and authorization is enforced by the underlying Servlet Container or on the other hand by
Spring Security embedded with the application. The former ensures that the application is
only called if authentication is successful. This can be controlled by an administrator/operator.
This option is called <a shape="rect" class="external-link" href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/preauth.html"
rel="nofollow">Pre-Authentication</a>. The latter gives all the control to the application
developer and removes the dependency to security configuration in the Servlet Container. This
simplifies deploying an application into different Serlvet Container environments.</p>
 
 <p>Both options are valid and it mainly depends on the policies/requirements within
a company which is a better fit. Questions to be answered are: Who should manage the security
enforcement (Application developer, Administrator)? Do you have to deploy the application
into different Servlet Container environments?</p>
 
@@ -150,31 +152,148 @@ Apache CXF -- Fediz Spring
 
 <p>It's recommended to use Maven to resolve all the dependencies as illustrated in
the two examples <em>springWebapp</em> and <em>springPreAuthWebapp</em>.
Each example contains a README with instructions for building and deployment.</p>
 
-<h3><a shape="rect" name="FedizSpring-ConfigureWebApplication%28PreAuthentication%29"></a>Configure
Web Application (Pre-Authentication)</h3>
+<h3><a shape="rect" name="FedizSpring-WebApplicationwithPreAuthenticationSpringSecurity"></a>Web
Application with Pre-Authentication Spring Security</h3>
 
 <p>The role of the Fediz Spring plugin in the case of Servlet Container managed security
is to adapt the security context of the Servlet Container to the Spring Security Context.
This allows to configure authorization for web requests and method calls based on Spring Security.</p>
 
+<p>This deployment option requires to configure Fediz into the Servlet Container which
is described here:</p>
+<ul><li><a shape="rect" href="fediz-tomcat.html" title="Fediz Tomcat">Tomcat</a></li><li><a
shape="rect" href="fediz-jetty.html" title="Fediz Jetty">Jetty</a></li></ul>
+
+
 <h5><a shape="rect" name="FedizSpring-FedizPluginconfigurationforYourWebApplication"></a>Fediz
Plugin configuration for Your Web Application</h5>
 
 <p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">here</a>.</p>
 
+<h5><a shape="rect" name="FedizSpring-SpringSecurityConfiguration"></a>Spring
Security Configuration</h5>
+
+<p>The following configuration snippets illustrate the Fediz related configuration.
The complete configuration file can be found in the example <em>springPreAuthWebapp</em>.</p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext-security.xml</b></div><div
class="codeContent panelContent">
+<pre class="code-xml">
+
+    &lt;bean id=<span class="code-quote">"preAuthenticatedUserDetailsService"</span>
+            class=<span class="code-quote">"org.apache.cxf.fediz.spring.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsFederationService"</span>/&gt;
   
+    
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"j2eePreAuthFilter"</span>
class=<span class="code-quote">"org.apache.cxf.fediz.spring.preauth.FederationPreAuthenticatedProcessingFilter"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"authenticationManager"</span>
ref=<span class="code-quote">"authenticationManager"</span>/&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"authenticationDetailsSource"</span>&gt;</span>
+            <span class="code-tag">&lt;bean class=<span class="code-quote">"org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource"</span>&gt;</span>
+                <span class="code-tag">&lt;property name=<span class="code-quote">"mappableRolesRetriever"</span>&gt;</span>
+                    <span class="code-tag">&lt;bean class=<span class="code-quote">"org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"</span>
/&gt;</span>
+                <span class="code-tag">&lt;/property&gt;</span>
+                <span class="code-tag">&lt;property name=<span class="code-quote">"userRoles2GrantedAuthoritiesMapper"</span>&gt;</span>
+                    <span class="code-tag">&lt;bean class=<span class="code-quote">"org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper"</span>&gt;</span>
+                        <span class="code-tag">&lt;property name=<span class="code-quote">"convertAttributeToUpperCase"</span>
value=<span class="code-quote">"true"</span>/&gt;</span>
+                    <span class="code-tag">&lt;/bean&gt;</span>
+                <span class="code-tag">&lt;/property&gt;</span>
+            <span class="code-tag">&lt;/bean&gt;</span>
+        <span class="code-tag">&lt;/property&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"fsi"</span>
class=<span class="code-quote">"org.springframework.security.web.access.intercept.FilterSecurityInterceptor"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"authenticationManager"</span>
ref=<span class="code-quote">"authenticationManager"</span>/&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"accessDecisionManager"</span>
ref=<span class="code-quote">"httpRequestAccessDecisionManager"</span>/&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"securityMetadataSource"</span>&gt;</span>
+            <span class="code-tag">&lt;sec:filter-invocation-definition-source&gt;</span>
+                <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/manager/**"</span>
access=<span class="code-quote">"ROLE_MANAGER"</span>/&gt;</span>
+                <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/admin/**"</span>
access=<span class="code-quote">"ROLE_ADMIN"</span>/&gt;</span>
+                <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/user/**"</span>
access=<span class="code-quote">"ROLE_USER,ROLE_ADMIN,ROLE_MANAGER"</span>/&gt;</span>
+                <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/fedservlet"</span>
access=<span class="code-quote">"ROLE_USER,ROLE_ADMIN,ROLE_MANAGER,ROLE_AUTHENTICATED"</span>/&gt;</span>
+            <span class="code-tag">&lt;/sec:filter-invocation-definition-source&gt;</span>
+        <span class="code-tag">&lt;/property&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+</pre>
+</div></div>
+
+<p>The beans <em>preAuthenticatedUserDetailsService</em> and <em>j2eePreAuthFilter</em>
are required to provide the Fediz related security information (claims, login token) to the
Spring Security Context. The bean <em>fsi</em> defines the authorization for the
web requests which looks similar to security constraints definition in <tt>web.xml</tt>.</p>
+
+<p>The following code snippet of the FederationServlet example illustrates how to get
access to the Spring Security Context of the current user.</p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div
class="codeContent panelContent">
+<pre class="code-java">
+    Authentication obj = SecurityContextHolder.getContext().getAuthentication();
+</pre>
+</div></div>
+
+<p>The <tt>Authentication</tt> object can be casted to the <tt>FederationAuthentiationToken</tt>
which provides access to Claims, login token, etc.</p>
 
+<h3><a shape="rect" name="FedizSpring-WebApplicationwith%22native%22SpringSecurity"></a>Web
Application with "native" Spring Security</h3>
 
+<p>In this case, authentication and authorization are managed by Spring Security only.
The Fediz Spring Plugin provides the implementation of WS-Federation by implementing certain
Spring Security interfaces. Finally, this results into the creation of the Spring Security
Context. You can use Spring's authorization capabilities for web requests and method calls.
The example <em>springWebapp</em> only illustrates authorizing web requests. Method
based authorization is described <a shape="rect" class="external-link" href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html#ns-method-security"
rel="nofollow">here</a>.</p>
 
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml"> 
+<h5><a shape="rect" name="FedizSpring-FedizPluginconfigurationforYourWebApplication"></a>Fediz
Plugin configuration for Your Web Application</h5>
+
+<p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">here</a>.</p>
+
+<h5><a shape="rect" name="FedizSpring-SpringSecurityConfiguration"></a>Spring
Security Configuration</h5>
+
+<p>The following configuration snippets illustrate the Fediz related configuration.
The complete configuration file can be found in the example <em>springWebapp</em>.</p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext-security.xml</b></div><div
class="codeContent panelContent">
+<pre class="code-xml">
+    <span class="code-tag">&lt;sec:http entry-point-ref=<span class="code-quote">"federationEntryPoint"</span>
use-expressions=<span class="code-quote">"true"</span>&gt;</span>
+        <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/"</span>
access=<span class="code-quote">"permitAll"</span>/&gt;</span>
+        <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/fediz"</span>
access=<span class="code-quote">"permitAll"</span>/&gt;</span>
+        <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/index.html"</span>
access=<span class="code-quote">"permitAll"</span>/&gt;</span>
+        <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/fedservlet"</span>
access=<span class="code-quote">"isAuthenticated()"</span>/&gt;</span>
+        <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/manager/**"</span>
access=<span class="code-quote">"hasRole('ROLE_MANAGER')"</span>/&gt;</span>
+        <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/admin/**"</span>
access=<span class="code-quote">"hasRole('ROLE_ADMIN')"</span>/&gt;</span>
+        <span class="code-tag">&lt;sec:intercept-url pattern=<span class="code-quote">"/secure/user/**"</span>
access=<span class="code-quote">"hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_MANAGER')"</span>/&gt;</span>
+        <span class="code-tag">&lt;sec:custom-filter ref=<span class="code-quote">"federationFilter"</span>
after=<span class="code-quote">"BASIC_AUTH_FILTER"</span> /&gt;</span>
+        <span class="code-tag">&lt;sec:session-management session-authentication-strategy-ref=<span
class="code-quote">"sas"</span>/&gt;</span>
+    <span class="code-tag">&lt;/sec:http&gt;</span>
+
+    <span class="code-tag">&lt;sec:authentication-manager alias=<span class="code-quote">"authManager"</span>&gt;</span>
+        <span class="code-tag">&lt;sec:authentication-provider ref=<span class="code-quote">"federationAuthProvider"</span>
/&gt;</span>
+    <span class="code-tag">&lt;/sec:authentication-manager&gt;</span>
+
+    &lt;bean id=<span class="code-quote">"fedizConfig"</span> class=<span
class="code-quote">"org.apache.cxf.fediz.spring.FederationConfigImpl"</span> init-method=<span
class="code-quote">"init"</span>
+        p:configFile=<span class="code-quote">"WEB-INF/fediz_config.xml"</span>
/&gt;
+
+    &lt;bean id=<span class="code-quote">"federationEntryPoint"</span>
+        class=<span class="code-quote">"org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint"</span>
+        p:federationConfig-ref=<span class="code-quote">"fedizConfig"</span>
/&gt;
+ 
+    &lt;bean id=<span class="code-quote">"federationFilter"</span>
+        class=<span class="code-quote">"org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter"</span>
+        p:authenticationManager-ref=<span class="code-quote">"authManager"</span>&gt;
+        <span class="code-tag">&lt;property name=<span class="code-quote">"authenticationFailureHandler"</span>&gt;</span>
+            <span class="code-tag">&lt;bean class=<span class="code-quote">"org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"</span>
/&gt;</span>
+        <span class="code-tag">&lt;/property&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+    
+    &lt;bean id=<span class="code-quote">"federationAuthProvider"</span>
class=<span class="code-quote">"org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider"</span>
+        p:federationConfig-ref=<span class="code-quote">"fedizConfig"</span>&gt;
+        <span class="code-tag">&lt;property name=<span class="code-quote">"authenticationUserDetailsService"</span>&gt;</span>
+            <span class="code-tag">&lt;bean class=<span class="code-quote">"org.apache.cxf.fediz.spring.authentication.GrantedAuthoritiesUserDetailsFederationService"</span>/&gt;</span>
+        <span class="code-tag">&lt;/property&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
 </pre>
 </div></div>
 
+<p>The <em>http</em> element is the key element which depends on the other
bean definitions like <em>federationFilter</em> and the <em>federationAuthProvider</em>.
Web request authorizing is configured in the <em>http</em> element as well which
looks similar to security constraints definition in <tt>web.xml</tt>.</p>
 
+<p>The following code snippet of the FederationServlet example illustrates how to get
access to the Spring Security Context of the current user and to the Federation releated information
like claims and login token.</p>
 
-<h3><a shape="rect" name="FedizSpring-WebApplicationdeployment"></a>Web
Application deployment</h3>
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div
class="codeContent panelContent">
+<pre class="code-java">
+    Authentication obj = SecurityContextHolder.getContext().getAuthentication();
+    FederationAuthenticationToken fedAuthToken = (FederationAuthenticationToken)auth;
+    <span class="code-keyword">for</span> (GrantedAuthority item : fedAuthToken.getAuthorities())
{
+        ...
+    }
+    
+    ClaimCollection claims = ((FederationUser)fedAuthToken.getUserDetails()).getClaims();
+    <span class="code-keyword">for</span> (Claim c: claims) {
+        ...
+    }
+</pre>
+</div></div>
 
-<p>Deploy your Web Application to your Jetty installation (&lt;jetty.home&gt;/webapps).
 If you're running the Fediz examples, their README files will have instructions on how to
do this.</p>
 
 <h3><a shape="rect" name="FedizSpring-FederationMetadatadocument"></a>Federation
Metadata document</h3>
 
-<p>The Jetty Fediz plugin supports publishing the WS-Federation Metadata document which
is described <a shape="rect" href="fediz-metadata.html" title="Fediz Metadata">here</a>.</p>
+<p>The Spring Security Fediz plugin supports publishing the WS-Federation Metadata
document which is described <a shape="rect" href="fediz-metadata.html" title="Fediz Metadata">here</a>.</p>
 
 
 </div>



Mime
View raw message