cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r866640 - in /websites/production/cxf/content: cache/docs.pageCache docs/xml-key-management-service-xkms.html
Date Thu, 20 Jun 2013 14:48:27 GMT
Author: buildbot
Date: Thu Jun 20 14:48:27 2013
New Revision: 866640

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/xml-key-management-service-xkms.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/xml-key-management-service-xkms.html
==============================================================================
--- websites/production/cxf/content/docs/xml-key-management-service-xkms.html (original)
+++ websites/production/cxf/content/docs/xml-key-management-service-xkms.html Thu Jun 20 14:48:27
2013
@@ -25,6 +25,8 @@
 <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
 <meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture,
web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support,
integration standards, application integration, middleware, software, solutions, services,
CXF, open source">
 <meta name="description" content="Apache CXF, Services Framework - XML Key Management
Service (XKMS)">
+
+
     <title>
 Apache CXF -- XML Key Management Service (XKMS)
     </title>
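Review bot: the two `+` lines added after the `description` meta tag are empty, so this hunk changes nothing in the rendered page and looks like whitespace from the Confluence export; it could be dropped from the commit rather than churn the generated HTML.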
@@ -125,7 +127,7 @@ Apache CXF -- XML Key Management Service
 
 <h2><a shape="rect" name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use
case</h2>
 
-<p>CXF security uses asymmetric algorithms for different purposes: encryption of symmetric
keys and payloads, signing security tokens and messages, proof of possession.<br clear="none">
+<p>CXF uses asymmetric algorithms for different purposes: encryption of symmetric keys
and payloads, signing security tokens and messages, proof of possession.<br clear="none">
 Normally the public keys (in form of X509 certificates) are stored in java keystores.</p>
 
 <p>For example, if sender encrypts the message payload sending to the receiver, he
should have access to receiver certificate saved in local keystore. <br clear="none">
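Review bot: dropping "security" from "CXF security uses asymmetric algorithms" is fine, but the surrounding paragraph this hunk touches still has grammar that a reader will trip over: "Normally the public keys (in form of X509 certificates) are stored in java keystores" should read "in the form of X.509 certificates" and "Java keystores", and "if sender encrypts the message payload sending to the receiver, he should have access to receiver certificate saved in local keystore" should read "if the sender encrypts the payload of a message to the receiver, it needs the receiver's certificate in its local keystore". Since the paragraph is already being edited, fixing these in the same change would be cheap.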
@@ -165,47 +167,95 @@ This design makes XKMS internal implemen
 For example certificate can be searched firstly in the LDAP repository by LDAP lookup handler
and, if it is not found there, additionally looked in remote PKI using appropriate lookup
handler. Validation operation logic is organized in chain is well: first validation handler
checks format and expire date of X509 certificate, next one checks certificate trust chain.</p>
 
 <p>Currently XKMS Service supports simple file based and LDAP backends.<br clear="none">
-Sample spring configuration of XKMS handlers for file backend looks like:</p>
+Sample spring configuration of XKMS handlers looks like:</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
-   <span class="code-tag">&lt;bean id=<span class="code-quote">"dateValidator"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.validator.DateValidator"</span>
/&gt;</span>
+&lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
+    <span class="code-keyword">xmlns:cxf</span>=<span class="code-quote">"http://cxf.apache.org/core"</span>
<span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://cxf.apache.org/jaxws"</span>
+    <span class="code-keyword">xmlns:test</span>=<span class="code-quote">"http://apache.org/hello_world_soap_http"</span>
<span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
+    <span class="code-keyword">xmlns:util</span>=<span class="code-quote">"http://www.springframework.org/schema/util"</span>
+    xsi:schemaLocation="
+        http://cxf.apache.org/core
+        http://cxf.apache.org/schemas/core.xsd
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+        http://cxf.apache.org/jaxws                                     
+        http://cxf.apache.org/schemas/jaxws.xsd
+        http://www.springframework.org/schema/util
+        http://www.springframework.org/schema/util/spring-util-2.0.xsd"&gt;
+
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"dateValidator"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.validator.DateValidator"</span>
/&gt;</span>
+
+    &lt;bean id=<span class="code-quote">"trustedAuthorityValidator"</span>
+        class=<span class="code-quote">"org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"certificateRepo"</span>
/&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"x509Locator"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.handlers.X509Locator"</span>&gt;</span>
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"certificateRepo"</span>
/&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    &lt;bean id=<span class="code-quote">"x509Register"</span>
+        class=<span class="code-quote">"org.apache.cxf.xkms.x509.handlers.x509Register"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"certificateRepo"</span>
/&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+
+    <span class="code-tag"><span class="code-comment">&lt;!-- LDAP based
implementation --&gt;</span></span>
+
+    &lt;bean id=<span class="code-quote">"certificateRepo"</span>
+        class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"ldapServerConfig"</span>
/&gt;</span>
+        <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"ldapSchemaConfig"</span>
/&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"dc=example,dc=com"</span>
/&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"ldapServerConfig"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapServerConfig"</span>&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"ldap://localhost:2389"</span>
/&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"cn=Directory
Manager,dc=example,dc=com"</span> /&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"test"</span>
/&gt;</span>
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"2"</span>
/&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"ldapSchemaConfig"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"certObjectClass"</span>
value=<span class="code-quote">"inetOrgPerson"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"attrUID"</span>
value=<span class="code-quote">"uid"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"attrIssuerID"</span>
value=<span class="code-quote">"manager"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"attrSerialNumber"</span>
value=<span class="code-quote">"employeeNumber"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"attrCrtBinary"</span>
value=<span class="code-quote">"userCertificate;binary"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"constAttrNamesCSV"</span>
value=<span class="code-quote">"sn"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"constAttrValuesCSV"</span>
value=<span class="code-quote">"X509 certificate"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"serviceCertRDNTemplate"</span>
value=<span class="code-quote">"cn=%s,ou=services"</span> /&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"serviceCertUIDTemplate"</span>
value=<span class="code-quote">"cn=%s"</span> /&gt;</span>
+	<span class="code-tag">&lt;property name=<span class="code-quote">"trustedAuthorityFilter"</span>
value=<span class="code-quote">"(&amp;#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))"</span>
/&gt;</span>
+	<span class="code-tag">&lt;property name=<span class="code-quote">"intermediateFilter"</span>
value=<span class="code-quote">"(objectClass=inetOrgPerson)"</span> /&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+
+
+    <span class="code-tag"><span class="code-comment">&lt;!-- File based
implementation --&gt;</span></span>
+
+    &lt;!-- bean id=<span class="code-quote">"certificateRepo"</span>
+        class=<span class="code-quote">"org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo"</span>&gt;
+        <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"../conf/certs"</span>
/&gt;</span>
+    <span class="code-tag">&lt;/bean--&gt;</span>
 
-   <span class="code-tag">&lt;bean id=<span class="code-quote">"x509FileLocator"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.locator.FileLocator"</span>&gt;</span>
-      <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"../conf/certs"</span>
/&gt;</span>
-   <span class="code-tag">&lt;/bean&gt;</span>
-
-   <span class="code-tag">&lt;bean id=<span class="code-quote">"fileRegisterHandler"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.handlers.FileRegisterHandler"</span>&gt;</span>
-      <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"../conf/certs"</span>
/&gt;</span>
-   <span class="code-tag">&lt;/bean&gt;</span>
-
-   <span class="code-tag">&lt;bean id=<span class="code-quote">"xkmsProviderBean"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.service.XKMSService"</span>&gt;</span>
-      <span class="code-tag">&lt;property name=<span class="code-quote">"validators"</span>&gt;</span>
-         <span class="code-tag">&lt;list&gt;</span>
-            <span class="code-tag">&lt;ref bean=<span class="code-quote">"dateValidator"</span>
/&gt;</span>
-         <span class="code-tag">&lt;/list&gt;</span>
-      <span class="code-tag">&lt;/property&gt;</span>
-      <span class="code-tag">&lt;property name=<span class="code-quote">"locators"</span>&gt;</span>
-         <span class="code-tag">&lt;list&gt;</span>
-            <span class="code-tag">&lt;ref bean=<span class="code-quote">"x509FileLocator"</span>
/&gt;</span>
-         <span class="code-tag">&lt;/list&gt;</span>
-      <span class="code-tag">&lt;/property&gt;</span>
-      <span class="code-tag">&lt;property name=<span class="code-quote">"keyRegisterHandlers"</span>&gt;</span>
-         <span class="code-tag">&lt;list&gt;</span>
-            <span class="code-tag">&lt;ref bean=<span class="code-quote">"fileRegisterHandler"</span>
/&gt;</span>
-         <span class="code-tag">&lt;/list&gt;</span>
-      <span class="code-tag">&lt;/property&gt;</span>
-   <span class="code-tag">&lt;/bean&gt;</span>
-
-   &lt;jaxws:endpoint id=<span class="code-quote">"XKMSService"</span> <span
class="code-keyword">xmlns:serviceNamespace</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#wsdl"</span>
-      serviceName=<span class="code-quote">"serviceNamespace:XKMSService"</span>
endpointName=<span class="code-quote">"serviceNamespace:XKMSPort"</span>
-      implementor=<span class="code-quote">"#xkmsProviderBean"</span> address=<span
class="code-quote">"/XKMS"</span>&gt;
-   <span class="code-tag">&lt;/jaxws:endpoint&gt;</span>
+<span class="code-tag">&lt;/beans&gt;</span>
 </pre>
 </div></div>
 
-<h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-IntegrationXKMSclientintoCXFsecurity."></a>Integration
XKMS client into CXF security.</h4>
+<p>dateValidator and trustedAuthorityValidator beans are implementations of Validator
interface for validity date and trusted chain validation. <br clear="none">
+x509Locator and x509Register are implementations of Locator and Register interfaces for X509
certificates.<br clear="none">
+certificateRepo is repository implementation for LDAP backend. LdapServerConfig and LdapSchemaConfig
contain LDAP configuration described in the following table:</p>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">Property</th><th colspan="1" rowspan="1" class="confluenceTh">Sample
Value</th><th colspan="1" rowspan="1" class="confluenceTh">Description</th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">ldapServerConfig arguments</td><td
colspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1"
class="confluenceTd"> URL, baseDN and credentials of LDAP Server</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">certObjectClass</td><td colspan="1"
rowspan="1" class="confluenceTd">inetOrgPerson</td><td colspan="1" rowspan="1"
class="confluenceTd">LDAP object class used to store certificates</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">attrUID</td><td colspan="1" rowspan="1"
class="confluenceTd">uid</td><td colspan="1" rowspan="1" class="confluenceTd">Attribute
containing X509 subject DN</td></tr><tr><td colspan="1" rowspan="1" class="conf
 luenceTd">attrIssuerID</td><td colspan="1" rowspan="1" class="confluenceTd">manager</td><td
colspan="1" rowspan="1" class="confluenceTd">LDAP attribute containing X509 issuer DN</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">attrSerialNumber</td><td colspan="1"
rowspan="1" class="confluenceTd">employeeNumber</td><td colspan="1" rowspan="1"
class="confluenceTd">LDAP attribute containing X509 serial number</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">attrCrtBinary</td><td colspan="1"
rowspan="1" class="confluenceTd">userCertificate</td><td colspan="1" rowspan="1"
class="confluenceTd">LDAP attribute containing X509 certificate content</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">constAttrNamesCSV</td><td colspan="1"
rowspan="1" class="confluenceTd">sn</td><td colspan="1" rowspan="1" class="confluenceTd">Comma
separated list of mandatory LDAP attributes</td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">constAttrValuesC
 SV</td><td colspan="1" rowspan="1" class="confluenceTd">X509 certificate</td><td
colspan="1" rowspan="1" class="confluenceTd">Comma separated list of mandatory LDAP attributes
values</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">serviceCertRDNTemplate</td><td
colspan="1" rowspan="1" class="confluenceTd">cn=%s,ou=services</td><td colspan="1"
rowspan="1" class="confluenceTd">Relative distinguished name for service certificates</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">serviceCertUIDTemplate</td><td colspan="1"
rowspan="1" class="confluenceTd">cn=%s</td><td colspan="1" rowspan="1" class="confluenceTd">Template
to transform service QName to DN for storing into attrUID</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">trustedAuthorityFilter</td><td colspan="1"
rowspan="1" class="confluenceTd">(&amp;(objectClass=inetOrgPerson)(ou:dn:=CAs))</td><td
colspan="1" rowspan="1" class="confluenceTd">Filter to determine trusted CAs for truste
 d chain validation</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">intermediateFilter</td><td
colspan="1" rowspan="1" class="confluenceTd">(objectClass=inetOrgPerson)</td><td
colspan="1" rowspan="1" class="confluenceTd">Filter to determine intermediate certificates
for trusted chain validation</td></tr></tbody></table>
+</div>
+
+
+<h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-IntegrationXKMSclientintoCXFruntime."></a>Integration
XKMS client into CXF runtime.</h4>
 
-<p>XKMS client can be integrated into CXF and WSS4J using custom Crypto provider implementation.
In this case XKMS service will be automatically invoked when WSS4J requires or validates certificate.
Details are described in this <a shape="rect" class="external-link" href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html"
rel="nofollow">blog</a>.</p>
+<p>XKMS client can be integrated into CXF and WSS4J using custom Crypto provider implementation.
In this case XKMS service will be automatically invoked when WSS4J requires or validates certificate.
Details are described in this <a shape="rect" class="external-link" href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html"
rel="nofollow">blog</a>. Sample XKMS based implementation of WSS4J Crypto interface
is contributed into XKMS Client component. </p>
 
 <h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-DataFormats"></a>Data
Formats</h4>
 
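Review bot: the `x509Register` bean in the new listing names its class `org.apache.cxf.xkms.x509.handlers.x509Register` with a lower-case `x`, while the sibling bean two blocks above uses `org.apache.cxf.xkms.x509.handlers.X509Locator`; Java class names are case-sensitive, so as written Spring would fail to instantiate this bean unless the class really is spelled that way, and the sample should use `X509Register`. The `trustedAuthorityFilter` value in the listing is double-escaped: `(&amp;#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))` renders as a literal `&#038;` in the page, whereas the table below correctly shows `(&(objectClass=inetOrgPerson)(ou:dn:=CAs))`, so the copy-pasteable config is wrong. The hunk also removes the `xkmsProviderBean` and the `jaxws:endpoint` that referenced the validators, locators and register handlers, without replacing them, so the new sample declares handler beans that nothing consumes and no longer shows how the XKMS service endpoint is assembled; either keep an endpoint definition or say where these beans are picked up. The table and listing disagree in two places: `attrCrtBinary` is documented with sample value `userCertificate` but configured as `userCertificate;binary`, and the `ldapServerConfig arguments` row says "URL, baseDN and credentials" while in the listing the base DN `dc=example,dc=com` is the third constructor argument of `LdapCertificateRepo`, and the fourth `LdapServerConfig` argument `"2"` is not documented at all. Finally, because `trustedAuthorityValidator` treats every entry matched by `trustedAuthorityFilter` as a trust anchor, anyone who can create an `inetOrgPerson` entry under `ou=CAs` can introduce a trusted issuer; the text should say that this subtree must be write-protected and that the bind identity in `ldapServerConfig` (the sample uses `cn=Directory Manager,dc=example,dc=com`) should be a read-only account rather than the directory administrator. Minor: `xmlns:test="http://apache.org/hello_world_soap_http"` is declared but unused in the sample.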