cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF > Fediz Spring
Date Thu, 07 Mar 2013 12:44:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Spring">Fediz
Spring</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~owulff@apache.org">Oliver
Wulff</a>
    </h4>
        <br/>
                         <h4>Changes (17)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-unchanged" >h1. Spring Security Plugin (1.1 SNAPSHOT)
<br> <br></td></tr>
            <tr><td class="diff-changed-lines" >This page describes how to enable
Federation for a <span class="diff-changed-words"><span class="diff-added-chars"style="background-color:
#dfd;">[</span>Spring Security<span class="diff-added-chars"style="background-color:
#dfd;">|http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html]</span></span>
based Web Application. Spring Security <span class="diff-changed-words">provide<span
class="diff-added-chars"style="background-color: #dfd;">s</span></span> more
authorization capabilities than defined in the Java Servlet specification. Beyond authorizing
web requests Spring Security supports authorizing whether methods can be invoked and authorizing
access to individual domain object instances. Further, Spring Security supports two deployment
options. On the one hand, authentication and authorization is enforced by the underlying Servlet
Container or on the other hand by Spring Security embedded with the application. The former
ensures that the application is only called if authentication is successful. This can be controlled
by an administrator/operator. This option is called [Pre-Authentication|http://static.springsource.org/spring-security/site/docs/3.1.x/reference/preauth.html].
The latter gives all the control to the application developer and removes the dependency to
security configuration in the Servlet Container. This simplifies deploying an application
into different Serlvet Container environments. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>Both options are valid
and it mainly depends on the policies/requirements within a company which is a better fit.
Questions to be answered are: Who should manage the security enforcement (Application developer,
Administrator)? Do you have to deploy the application into different Servlet Container environments?
<br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Prior
to doing this configuration, make sure you&#39;ve first deployed the Fediz IDP and STS
on the Tomcat IDP instance as discussed [here|Fediz IDP], and can view the STS WSDL at the
URL given on that page. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">
<br> <br> <br>This configuration is not for a separate Tomcat instance hosting
the Fediz IDP and IDP STS WARs, or hosts for third-party applications that use Fediz STS-generated
SAML assertions for authentication.  After this configuration is done, the Jetty-RP instance
will validate the incoming SignInResponse created by the IDP server. <br> <br>Prior
to doing this configuration, make sure you&#39;ve first deployed the Fediz IDP and STS
on the Tomcat IDP instance as discussed [here|Fediz IDP], and can view the STS WSDL at the
URL given on that page.  That page also provides some tips for running multiple Tomcat instances
on your machine. <br> <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h3. Installation <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">You
can either build the Fediz plugin on your own or download the package [here|Fediz Downloads].
If you have built the plugin on your own you&#39;ll find the required libraries in {{plugins/jetty/target/...zip-with-dependencies.zip}}
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">You
can either build the Fediz plugin on your own, download the package [here|Fediz Downloads]
or add the dependency to your Maven project. If you have built the plugin on your own you&#39;ll
find the required libraries in {{plugins/spring/target/...zip-with-dependencies.zip}} <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">#
Create sub-directory {{fediz}} in {{$\{jetty.home\}/lib/fediz}} <br># Update start.ini
in $\{jetty.home\}/start.ini by adding {{fediz}} to the OPTIONS <br>{code} <br>OPTIONS=Server,fediz
<br>{code} <br># Deploy the libraries to the directory created in (1) <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">It&#39;s
recommended to use Maven to resolve all the dependencies as illustrated in the two examples
_springWebapp_ and _springPreAuthWebapp_. Each example contains a README with instructions
for building and deployment. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h3.
Configure Web Application (Pre-Authentication) <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h3.
Configuration <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
role of the Fediz Spring plugin in the case of Servlet Container managed security is to adapt
the security context of the Servlet Container to the Spring Security Context. This allows
to configure authorization for web requests and method calls based on Spring Security. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h5.
HTTPS configuration <br> <br>It&#39;s recommended to set up a dedicated (separate)
Jetty instance for the Relying Party. The Fediz RP web applications use the following TCP
ports: <br>* HTTP port: 8080 <br>* HTTPS port: 8443 (where IDP and STS are accessed)
<br> <br>These are the default ports for a standard Jetty installation. <br>
<br>The Relying Party must be accessed over HTTPS to protect the security tokens issued
by the IDP. <br> <br>The Jetty HTTP(s) configuration is done in etc/jetty-ssl.xml.
<br> <br>The configuration is described in detail [here|http://wiki.eclipse.org/Jetty/Howto/Configure_SSL]
<br> <br>This page also describes how to create certificates.  Sample Jetty keystores
(not for production use, but useful for demoing Fediz and running the sample applications)
are provided in the examples/samplekeys folder of the Fediz distribution.  Note the Jetty
keystore here is different from the one used to configure the Tomcat-IDP instance. <br>
<br>To establish trust, there are significant keystore/truststore requirements between
the Servlet Container instances and the various web applications (IDP, STS, Relying party
applications, third party web services, etc.)  See [this page|http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co]
for more details, it lists the trust requirements as well as sample scripts for creating your
own (self-signed) keys. <br> <br>*Warning:  All sample keystores provided with
Fediz (including in the WAR files for its services and examples) are for development/prototyping
use only.  They&#39;ll need to be replaced for production use, at a minimum with your
own self-signed keys but strongly recommended to use third-party signed keys.* <br>
<br>If you are currently just trying to run the Fediz samples, the configuration above
is all you need (the below configuration is already provided within the samples) so you can
return now to the samples&#39; READMEs for the next steps in running them. <br>
<br> <br></td></tr>
            <tr><td class="diff-unchanged" >h5. Fediz Plugin configuration for
Your Web Application <br> <br>The Fediz related configuration is done in a Servlet
Container independent configuration file which is described [here|Fediz Configuration]. <br>
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
Fediz plugin requires configuring the FederationAuthenticator like any other authenticator
in Jetty. Detailed information about the Authenticators and SecurityHandler is available [here|http://wiki.eclipse.org/Jetty/Tutorial/Realms].
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
Fediz configuration file allows to configure all servlet contexts in one file or choosing
one file per Servlet Context. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">You
can configure the context in context configuration file located in &lt;jetty.home&gt;/contexts.
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h6.
fedizhelloworld.xml <br>Hint: file name must be equal to war file name <br> <br></td></tr>
            <tr><td class="diff-unchanged" >{code:xml}  <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">
 &lt;Get name=&quot;securityHandler&quot;&gt; <br>    &lt;Set name=&quot;loginService&quot;&gt;
<br>      &lt;New class=&quot;org.apache.cxf.fediz.jetty.FederationLoginService&quot;&gt;
<br>        &lt;Set name=&quot;name&quot;&gt;WSFED&lt;/Set&gt;
<br>      &lt;/New&gt; <br>    &lt;/Set&gt; <br>    &lt;Set
name=&quot;authenticator&quot;&gt; <br>      &lt;New class=&quot;org.apache.cxf.fediz.jetty.FederationAuthenticator&quot;&gt;
<br>        &lt;Set name=&quot;configFile&quot;&gt;&lt;SystemProperty
name=&quot;jetty.home&quot; default=&quot;.&quot;/&gt;/etc/fediz_config.xml&lt;/Set&gt;
<br>      &lt;/New&gt; <br>    &lt;/Set&gt; <br>  &lt;/Get&gt;
<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
Fediz configuration file is a Servlet container independent configuration file and described
[here|Fediz Configuration] <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h3. Web Application deployment
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizSpring-SpringSecurityPlugin%281.1SNAPSHOT%29"></a>Spring
Security Plugin (1.1 SNAPSHOT)</h1>

<p>This page describes how to enable Federation for a <a href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html"
class="external-link" rel="nofollow">Spring Security</a> based Web Application. Spring
Security provides more authorization capabilities than defined in the Java Servlet specification.
Beyond authorizing web requests Spring Security supports authorizing whether methods can be
invoked and authorizing access to individual domain object instances. Further, Spring Security
supports two deployment options. On the one hand, authentication and authorization is enforced
by the underlying Servlet Container or on the other hand by Spring Security embedded with
the application. The former ensures that the application is only called if authentication
is successful. This can be controlled by an administrator/operator. This option is called
<a href="http://static.springsource.org/spring-security/site/docs/3.1.x/reference/preauth.html"
class="external-link" rel="nofollow">Pre-Authentication</a>. The latter gives all
the control to the application developer and removes the dependency to security configuration
in the Servlet Container. This simplifies deploying an application into different Serlvet
Container environments.</p>

<p>Both options are valid and it mainly depends on the policies/requirements within
a company which is a better fit. Questions to be answered are: Who should manage the security
enforcement (Application developer, Administrator)? Do you have to deploy the application
into different Servlet Container environments?</p>

<p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP
and STS on the Tomcat IDP instance as discussed <a href="/confluence/display/CXF/Fediz+IDP"
title="Fediz IDP">here</a>, and can view the STS WSDL at the URL given on that page.</p>

<h3><a name="FedizSpring-Installation"></a>Installation</h3>

<p>You can either build the Fediz plugin on your own, download the package <a href="/confluence/display/CXF/Fediz+Downloads"
title="Fediz Downloads">here</a> or add the dependency to your Maven project. If
you have built the plugin on your own you'll find the required libraries in <tt>plugins/spring/target/...zip-with-dependencies.zip</tt></p>

<p>It's recommended to use Maven to resolve all the dependencies as illustrated in the
two examples <em>springWebapp</em> and <em>springPreAuthWebapp</em>.
Each example contains a README with instructions for building and deployment.</p>

<h3><a name="FedizSpring-ConfigureWebApplication%28PreAuthentication%29"></a>Configure
Web Application (Pre-Authentication)</h3>

<p>The role of the Fediz Spring plugin in the case of Servlet Container managed security
is to adapt the security context of the Servlet Container to the Spring Security Context.
This allows to configure authorization for web requests and method calls based on Spring Security.</p>

<h5><a name="FedizSpring-FedizPluginconfigurationforYourWebApplication"></a>Fediz
Plugin configuration for Your Web Application</h5>

<p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz
Configuration">here</a>.</p>




<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml"> 
</pre>
</div></div>



<h3><a name="FedizSpring-WebApplicationdeployment"></a>Web Application deployment</h3>

<p>Deploy your Web Application to your Jetty installation (&lt;jetty.home&gt;/webapps).
 If you're running the Fediz examples, their README files will have instructions on how to
do this.</p>

<h3><a name="FedizSpring-FederationMetadatadocument"></a>Federation Metadata
document</h3>

<p>The Jetty Fediz plugin supports publishing the WS-Federation Metadata document which
is described <a href="/confluence/display/CXF/Fediz+Metadata" title="Fediz Metadata">here</a>.</p>



    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Spring">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=30756705&revisedVersion=3&originalVersion=2">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Spring?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message