Return-Path:
X-Original-To: apmail-cxf-commits-archive@www.apache.org
Delivered-To: apmail-cxf-commits-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B8242CAAA for ; Mon, 24 Jun 2013 17:13:25 +0000 (UTC)
Received: (qmail 58744 invoked by uid 500); 24 Jun 2013 17:13:17 -0000
Delivered-To: apmail-cxf-commits-archive@cxf.apache.org
Received: (qmail 58655 invoked by uid 500); 24 Jun 2013 17:13:16 -0000
Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: dev@cxf.apache.org
Delivered-To: mailing list commits@cxf.apache.org
Received: (qmail 58192 invoked by uid 99); 24 Jun 2013 17:13:08 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 24 Jun 2013 17:13:08 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 24 Jun 2013 17:13:02 +0000
Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 037CA2388CCE for ; Mon, 24 Jun 2013 17:11:19 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r867253 [44/46] - in /websites/production/cxf/content: ./ 2008/04/28/ 2008/06/20/ 2009/02/10/ 2009/08/04/ cache/ docs/ docs/cxf-architecture.thumbs/ docs/cxf-dependency-graphs.thumbs/ docs/logbrowser-configuration.thumbs/ docs/logbrowser-so...
Date: Mon, 24 Jun 2013 17:10:57 -0000
To: commits@cxf.apache.org
From: dkulp@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130624171119.037CA2388CCE@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Modified: websites/production/cxf/content/faq.html ============================================================================== --- websites/production/cxf/content/faq.html (original) +++ websites/production/cxf/content/faq.html Mon Jun 24 17:10:51 2013 @@ -25,6 +25,18 @@ + + + + + + + + + Apache CXF -- FAQ @@ -42,19 +54,15 @@ Apache CXF -- FAQ     -
- +

+
@@ -101,8 +109,8 @@ Apache CXF -- FAQ

Search

- - +

+

@@ -187,52 +195,52 @@ Apache CXF -- FAQ
-
-List<Header> headers = new ArrayList<Header>();
-Header dummyHeader = new Header(new QName("uri:org.apache.cxf", "dummy"), "decapitated",
-                                new JAXBDataBinding(String.class));
+
 

How can I turn on schema validation for jaxws endpoint?

For the client side

-
-    <jaxws:client name="{http://apache.org/hello_world_soap_http}SoapPort"
-        createdFromAPI="true">
-        <jaxws:properties>
-            <entry key="schema-validation-enabled" value="true" />
-        </jaxws:properties>
-    </jaxws:client>
-
+

You may also do this programmatically:

-
-((BindingProvider)port).getRequestContext().put("schema-validation-enabled", "true"); 
-
+

For the server side

-
-    <jaxws:endpoint name="{http://apache.org/hello_world_soap_http}SoapPort"
-        wsdlLocation="wsdl/hello_world.wsdl"
-        createdFromAPI="true">
+
 

Starting with CXF 2.3 you have the additional option of using the org.apache.cxf.annotations.SchemaValidation annotation.

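Review bot: the added lines of the @@ -187,52 +195,52 @@ hunk carry no visible content in this message, so the regenerated client and server snippets cannot be compared with the removed ones; confirm on the rendered faq.html that the jaxws:client and jaxws:endpoint examples still contain the schema-validation-enabled entry in jaxws:properties and that the BindingProvider request-context line still shows the "true" string value, since the removed server-side block (jaxws:endpoint with wsdlLocation and createdFromAPI) ended before its jaxws:properties element and may have been cut short in the source page as well.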
@@ -245,9 +253,9 @@ headers.add(dummyHeader);
  • Use of ((BindingProvider)proxy).getRequestContext() - per JAX-WS spec, the request context is PER INSTANCE. Thus, anything set there will affect requests on other threads. With CXF, you can do:
    -
    -((BindingProvider)proxy).getRequestContext().put("thread.local.request.context", "true");
    -
    +

    and future calls to getRequestContext() will use a thread local request context. That allows the request context to be threadsafe. (Note: the response context is always thread local in CXF)

@@ -277,23 +285,23 @@ headers.add(dummyHeader);

Reason: When using Spring AOP, spring injects a proxy to the bean into CXF instead of the actual bean. The Proxy does not have the annotations on it (like the @WebService annotation) so we cannot query the information directly from the object like we can in the non-AOP case. The "fix" is to also specify the actual serviceClass of the object in the spring config:

-
+
 

or:

-
+
 
Modified: websites/production/cxf/content/fediz-architecture.html ============================================================================== --- websites/production/cxf/content/fediz-architecture.html (original) +++ websites/production/cxf/content/fediz-architecture.html Mon Jun 24 17:10:51 2013 @@ -25,6 +25,8 @@ + + Apache CXF -- Fediz Architecture @@ -42,19 +44,15 @@ Apache CXF -- Fediz Architecture
    -
- +

+
@@ -101,8 +99,8 @@ Apache CXF -- Fediz Architecture

Search

- - +

+

Modified: websites/production/cxf/content/fediz-configuration.html ============================================================================== --- websites/production/cxf/content/fediz-configuration.html (original) +++ websites/production/cxf/content/fediz-configuration.html Mon Jun 24 17:10:51 2013 @@ -25,6 +25,18 @@ + + + + + + + + + Apache CXF -- Fediz Configuration @@ -42,19 +54,15 @@ Apache CXF -- Fediz Configuration
    -
- +

+
@@ -101,8 +109,8 @@ Apache CXF -- Fediz Configuration

Search

- - +

+

@@ -144,27 +152,27 @@ Apache CXF -- Fediz Configuration

Example

The following example shows the minimum configuration for Fediz.

-
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<FedizConfig>
-    <contextConfig name="/fedizhelloworld">
-        <audienceUris>
-            <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
-        </audienceUris>
-        <certificateStores>
-            <trustManager>
-                <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" />
-            </trustManager>
-        </certificateStores>
-        <trustedIssuers>
-            <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
-        </trustedIssuers>
-        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
-            <issuer>https://localhost:9443/fediz-idp/</issuer>
-        </protocol>
-    </contextConfig>
-</FedizConfig>
-
+

The protocol element declares that the WS-Federation protocol is being used. The issuer element shows the URL to which authenticated requests will be redirected with a SignIn request.

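Review bot: the trusted-issuer match in the @@ -144,27 +152,27 @@ hunk, subject=".*CN=www.sts.com.*", is a regular expression with unescaped dots and open-ended .* on both sides, so it also accepts subjects such as CN=www.sts.com.example or CN=wwwXstsXcom, and with certificateValidation="ChainTrust" any certificate that chains to conf/stsstore.jks and contains that substring is then accepted as the issuer. If the match requires the whole subject, as the leading and trailing .* in the sample suggest, the page should show an escaped, anchored form such as .*CN=www\.sts\.com(,.*)? and say what the comparison is made against. The inline password="stsspass" should also be labelled as a sample value, not a pattern to copy into a real configuration.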
@@ -215,39 +223,39 @@ See example
-
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<FedizConfig>
-    <contextConfig name="/fedizhelloworld">
-        <audienceUris>
-            <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
-        </audienceUris>
-        <certificateStores>
-            <keyStore file="conf/stsstore.jks" password="stsspass" type="file" />
-        </certificateStores>
-        <maximumClockSkew>10</maximumClockSkew>
-        <trustedIssuers>
-            <issuer name="issuer 1" certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
-        </trustedIssuers>
-        <signingKey keyPassword="tompass">
-            <keyStore file="tomcatKeystore.jks" password="tompass" type="JKS" />
-        </signingKey>
-        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2">
-            <issuer>https://localhost:9443/fediz-idp/</issuer>
-            <roleDelimiter>,</roleDelimiter>
-            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
-            <claimTypesRequested>
-                <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="true" />
-            </claimTypesRequested>
-            <authenticationType type="String" value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard" />
-            <homeRealm type="Class" value="example.HomeRealmCallbackHandler" />
-            <tokenValidators>
-                <validator>org.apache.cxf.fediz.core.CustomValidator</validator>
-            </tokenValidators>
-        </protocol>
-    </contextConfig>
-</FedizConfig>
-
+
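Review bot: type="file" on the conf/stsstore.jks keyStore in the @@ -215,39 +223,39 @@ hunk contradicts the type="JKS" given for the same file in the minimal example above; one of the two is wrong and the page should say which values the type attribute accepts. The maximumClockSkew element gives a bare 10 with no unit, and the signingKey block puts both the key password and the keystore password (tompass) in the file as literals; the prose should state the unit and note that these credentials are demo values that end up readable on disk.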
Modified: websites/production/cxf/content/fediz-downloads.html ============================================================================== --- websites/production/cxf/content/fediz-downloads.html (original) +++ websites/production/cxf/content/fediz-downloads.html Mon Jun 24 17:10:51 2013 @@ -25,6 +25,17 @@ + + + + + + + + Apache CXF -- Fediz Downloads @@ -42,19 +53,15 @@ Apache CXF -- Fediz Downloads
    -
- +

+
@@ -101,8 +108,8 @@ Apache CXF -- Fediz Downloads

Search

- - +

+

@@ -152,23 +159,23 @@ Apache CXF -- Fediz Downloads

You can check the OpenPGP signature with:

-
+
 

You can check the MD5 checksum with:

-
+
 

You can check the SHA1 checksum with:

-
+
 

Previous releases

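Review bot: the three verification steps in the @@ -152,23 +159,23 @@ hunk (OpenPGP signature, MD5, SHA1) read as equivalent choices, and the added lines that should contain the commands are empty in this message. The page should say that only the OpenPGP signature check shows the artifact was released by the project, while an MD5 or SHA-1 sum downloaded alongside the artifact only detects a corrupted transfer and gives no protection against a modified file on the same mirror; listing the signature first and the checksums as a secondary integrity check would make that clear.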
Modified: websites/production/cxf/content/fediz-extensions.html ============================================================================== --- websites/production/cxf/content/fediz-extensions.html (original) +++ websites/production/cxf/content/fediz-extensions.html Mon Jun 24 17:10:51 2013 @@ -25,6 +25,17 @@ + + + + + + + + Apache CXF -- Fediz Extensions @@ -42,19 +53,15 @@ Apache CXF -- Fediz Extensions
    -
- +

+
@@ -101,8 +108,8 @@ Apache CXF -- Fediz Extensions

Search

- - +

+

@@ -155,37 +162,37 @@ Apache CXF -- Fediz Extensions

Here is a snippet of the configuration to configure a CallbackHandler:

-
+
 

And a sample implementation of the CallbackHandler:

-
-public class MyCallbackHandler implements CallbackHandler {
+
 
Modified: websites/production/cxf/content/fediz-idp.html ============================================================================== --- websites/production/cxf/content/fediz-idp.html (original) +++ websites/production/cxf/content/fediz-idp.html Mon Jun 24 17:10:51 2013 @@ -25,6 +25,18 @@ + + + + + + + + + Apache CXF -- Fediz IDP @@ -42,19 +54,15 @@ Apache CXF -- Fediz IDP
    -
- +

+
@@ -101,8 +109,8 @@ Apache CXF -- Fediz IDP

Search

- - +

+

@@ -151,19 +159,19 @@ Apache CXF -- Fediz IDP

To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:

-
+
 

and

-
+
 

If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE instead that will need to be redefined above.

@@ -178,29 +186,29 @@ $CATALINA_HOME/bin/shutdown.sh

Here is a sample snippet for showing the configuration of the above three values:

-
-<Server port="9005" shutdown="SHUTDOWN">
+
 

The keystoreFile is relative to $CATALINA_HOME. See here for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.

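Review bot: the Server element in the @@ -178,29 +186,29 @@ hunk, <Server port="9005" shutdown="SHUTDOWN">, keeps Tomcat's default shutdown command string, so any local process that can open port 9005 can stop the IdP instance. Moving the port away from the first instance only avoids a clash; the page should also tell the reader to change the shutdown value to something non-default, or set port="-1" to disable the listener entirely, as the Tomcat configuration reference it links to already recommends.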
@@ -220,44 +228,44 @@ $CATALINA_HOME/bin/shutdown.sh

The users and passwords are configured in a Spring configuration file in webapps/fediz-idp-sts/WEB-INF/passwords.xml. The following users are already configured and can easily be extended.

-
-    <util:map id="passwords">
-        <entry key="alice"
-            value="ecila" />
-        <entry key="bob"
-            value="bob" />
-        <entry key="ted"
-            value="det" />
-    </util:map>
-
+
User Claims

The claims of each user are configured in a spring configuration file webapps/fediz-idp-sts/WEB-INF/userClaims.xml. The following claims are already configured:

-
-    <util:map id="userClaims">
-        <entry key="alice"
-            value-ref="aliceClaims" />
-        <entry key="bob"
-            value-ref="bobClaims" />
-        <entry key="ted"
-            value-ref="tedClaims" />
-    </util:map>
+
 

The claim id's are configured according to Section 7.5 in the specification Identity Metasystem Interoperability. The mapping of claims to a SAML attribute statement are described in Section 7.2.

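Review bot: the passwords map in the @@ -220,44 +228,44 @@ hunk ships three cleartext demo credentials (alice/ecila, bob/bob, ted/det) and the prose only says they "can easily be extended". It should say that these are sample accounts to be removed before the IdP is reachable from anything but the demo, and that a Spring map of literal strings in passwords.xml is not a credential store for real users; the LDAP/JAAS section later on the same page is the path to point to.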
@@ -267,19 +275,19 @@ $CATALINA_HOME/bin/shutdown.sh

The required claims per relying party are configured in the webapps/fediz-idp/WEB-INF/RPClaims.xml. The XML file has the following structure:

-
-    <util:map id="realm2ClaimsMap">
-        <entry key="https://localhost:8443/fedizhelloworld/"
-            value-ref="claimsWsfedhelloworld" />
-    </util:map>
-
-    <util:list id="claimsWsfedhelloworld">
-        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</value>
-        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</value>
-        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</value>
-        <value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</value>
-    </util:list>   
-
+

The key of each map entry must match with the wtrealm paramater in the redirect triggered by the relying party. The required claims for the different type of applications are grouped in beans which are a list of Strings as illustrated in claimsWsfedhelloworld.

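Review bot: the map key https://localhost:8443/fedizhelloworld/ in the @@ -267,19 +275,19 @@ hunk has a trailing slash, while the audienceItem in the fediz-configuration.html examples in this same commit is https://localhost:8443/fedizhelloworld without one; since the prose says the key "must match" the wtrealm parameter, the page should state whether the comparison is exact and use one spelling throughout. "paramater" in that sentence is a typo for "parameter".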
@@ -297,15 +305,15 @@ $CATALINA_HOME/bin/shutdown.sh

WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):

-
+
 

You can get more information about this LoginModule here.

@@ -313,37 +321,37 @@ myldap {

In this example, all the users are stored in the organization unit Users within mycompany.org. The configuration filename can be chosen, e.g. jaas.config. The filename must be configured as a JVM argument. JVM related configurations for Tomcat can be done in the file setenv.sh/bat located in directory tomcat/bin. This script is called implicitly by catalina.bat/sh and might look like this for UNIX:

-
+
 

Next, the STS endpoint has to be configured to use the JAAS LoginModule which is accomplished by the JAASUsernameTokenValidator.

-
+
 

The property contextName must match the context name defined in the JAAS configuration file which is myldap in this example.

@@ -357,46 +365,46 @@ export JAVA_OPTS

The following example illustrate the changes to be made in webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml:

-
-<util:list id="claimHandlerList">
-  <ref bean="ldapClaimsHandler" />
-</util:list>
-
-<bean id="contextSource"
-   class="org.springframework.ldap.core.support.LdapContextSource">
-  <property name="url" value="ldap://ldap.mycompany.org:389" />
-  <property name="userDn"
-    value="CN=techUser,OU=Users,DC=mycompany,DC=org" />
-  <property name="password" value="mypassword" />
-</bean>
-
-<bean id="ldapTemplate"
-   class="org.springframework.ldap.core.LdapTemplate">
-  <constructor-arg ref="contextSource" />
-</bean>
+
 

You must deploy the library for the spring ldap module and its dependencies. The POM of the spring ldap module is available here.

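Review bot: the contextSource bean in the @@ -357,46 +365,46 @@ hunk binds as CN=techUser,OU=Users,DC=mycompany,DC=org over ldap://ldap.mycompany.org:389 with password="mypassword" inline. A simple bind over plain LDAP sends that password, and every claim lookup, in the clear, and the literal ends up in cxf-transport.xml on disk. The example should use an ldaps:// URL (or configure a StartTLS authentication strategy on the context source) and take the password from a property placeholder rather than a literal in the Spring file.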
Modified: websites/production/cxf/content/fediz-jetty.html ============================================================================== --- websites/production/cxf/content/fediz-jetty.html (original) +++ websites/production/cxf/content/fediz-jetty.html Mon Jun 24 17:10:51 2013 @@ -25,6 +25,18 @@ + + + + + + + + + Apache CXF -- Fediz Jetty @@ -42,19 +54,15 @@ Apache CXF -- Fediz Jetty
    -
- +

+
@@ -101,8 +109,8 @@ Apache CXF -- Fediz Jetty

Search

- - +

+

@@ -148,9 +156,9 @@ Apache CXF -- Fediz Jetty
  1. Create sub-directory fediz in ${jetty.home}/lib/fediz
  2. Update start.ini in ${jetty.home}/start.ini by adding fediz to the OPTIONS
    -
    +
     
  3. Deploy the libraries to the directory created in (1)
@@ -194,20 +202,20 @@ OPTIONS=Server,fediz

Hint: file name must be equal to war file name

-
 
-  <Get name="securityHandler">
-    <Set name="loginService">
-      <New class="org.apache.cxf.fediz.jetty.FederationLoginService">
-        <Set name="name">WSFED</Set>
-      </New>
-    </Set>
-    <Set name="authenticator">
-      <New class="org.apache.cxf.fediz.jetty.FederationAuthenticator">
-        <Set name="configFile"><SystemProperty name="jetty.home" default="."/>/etc/fediz_config.xml</Set>
-      </New>
-    </Set>
-  </Get>
-
+
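Review bot: the configFile value in the @@ -194,20 +202,20 @@ hunk, <SystemProperty name="jetty.home" default="."/>/etc/fediz_config.xml, silently falls back to the current working directory when jetty.home is unset, so a start script launched from elsewhere either fails to find the file or picks up a ./etc/fediz_config.xml it was not meant to. Since this file carries the trust store and issuer settings, the page should say the property must be set, or show an absolute path.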
Modified: websites/production/cxf/content/fediz-metadata.html ============================================================================== --- websites/production/cxf/content/fediz-metadata.html (original) +++ websites/production/cxf/content/fediz-metadata.html Mon Jun 24 17:10:51 2013 @@ -25,6 +25,18 @@ + + + + + + + + + Apache CXF -- Fediz Metadata @@ -42,19 +54,15 @@ Apache CXF -- Fediz Metadata
    -
- +

+
@@ -101,8 +109,8 @@ Apache CXF -- Fediz Metadata

Search

- - +

+

@@ -148,20 +156,20 @@ Apache CXF -- Fediz Metadata
-
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-   entityID="...">
-   <ds:Signature>...</ds:Signature>
-   <RoleDescriptor xsi:type="fed:ApplicationServiceType"
-          protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
-          "http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+
 
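Review bot: protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" "http://docs.oasis-open.org/ws-sx/ws-trust/200512" in the @@ -148,20 +156,20 @@ hunk is not well-formed XML, because an attribute cannot carry two quoted strings. In SAML 2.0 metadata protocolSupportEnumeration is a single whitespace-separated list, so both URIs belong inside one pair of quotes. The snippet also uses the xsi: and fed: prefixes without declaring them, while declaring saml: and ds:. The same two problems apply to the fed:SecurityTokenServiceType snippet in the next hunk.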
@@ -169,20 +177,20 @@ Apache CXF -- Fediz Metadata
-
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-   entityID="...">
-   <ds:Signature>...</ds:Signature>
-   <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
-          protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
-          "http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+
 

Usage

@@ -212,55 +220,55 @@ Apache CXF -- Fediz Metadata

This is an example metadata document:

-
-<EntityDescriptor ID="_36BF9BFBF49BA48A2D13395075556522" entityID="https://localhost:8443/fedizhelloworld/" 
-   xmlns:auth="http://docs.oasis-open.org/wsfed/federation/200706" 
-   xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" 
-   xmlns:wsa="http://www.w3.org/2005/08/addressing" 
-   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
-      <SignedInfo>
-         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
-         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
-         <Reference URI="#_36BF9BFBF49BA48A2D13395075556522">
-            <Transforms>
-               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
-            </Transforms>
-            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-            <DigestValue>GP0clMqrkm58j17R/IlG+ksITDQ=</DigestValue>
-         </Reference>
-      </SignedInfo>
-      <SignatureValue>REMOVED</SignatureValue>
-      <KeyInfo>
-         <X509Data>
-            <X509SubjectName>CN=localhost</X509SubjectName>
-            <X509Certificate>REMOVED</X509Certificate>
-         </X509Data>
-      </KeyInfo>
-   </Signature>
-   <fed:RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" 
-      xsi:type="fed:ApplicationServiceType">
-      <fed:ApplicationServiceEndpoint>
-         <wsa:EndpointReference>
-            <wsa:Address>https://localhost:8443/fedizhelloworld/</wsa:Address>
-         </wsa:EndpointReference>
-      </fed:ApplicationServiceEndpoint>
-      <fed:TargetScope>
-         <wsa:EndpointReference>
-            <wsa:Address/>
-         </wsa:EndpointReference>
-         </fed:TargetScope>
-      <fed:ClaimTypesRequested>
-         <auth:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/>
-      </fed:ClaimTypesRequested>
-      <fed:PassiveRequestorEndpoint>
-         <wsa:EndpointReference>
-            <wsa:Address>https://localhost:9443/fediz-idp/</wsa:Address>
-         </wsa:EndpointReference>
-      </fed:PassiveRequestorEndpoint>
-   </fed:RoleDescriptor>
-</EntityDescriptor>
-
+
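Review bot: the sample signature in the @@ -212,55 +220,55 @@ hunk uses xmldsig#rsa-sha1 as SignatureMethod and xmldsig#sha1 as DigestMethod. Since this metadata document is what an IdP is asked to trust for the relying party, the page should not present SHA-1 as the reference output without comment; it should note that SHA-1 signatures are deprecated and say whether the generator can be switched to RSA-SHA256 with a SHA-256 digest. The Reference URI matching the EntityDescriptor ID and the enveloped-signature transform are correct as shown.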
Modified: websites/production/cxf/content/fediz-spring-2.html ============================================================================== --- websites/production/cxf/content/fediz-spring-2.html (original) +++ websites/production/cxf/content/fediz-spring-2.html Mon Jun 24 17:10:51 2013 @@ -25,6 +25,18 @@ + + + + + + + + + Apache CXF -- Fediz Spring 2 @@ -42,19 +54,15 @@ Apache CXF -- Fediz Spring 2
    -
- +

+
@@ -101,8 +109,8 @@ Apache CXF -- Fediz Spring 2

Search

- - +

+

@@ -165,39 +173,39 @@ Apache CXF -- Fediz Spring 2

The following configuration snippets illustrate the Fediz related configuration. The complete configuration file can be found in the example spring2Webapp.

applicationContext-security.xml
-
-    <sec:http entry-point-ref="federationEntryPoint">
-        <sec:intercept-url pattern="/secure/fedservlet" access="IS_AUTHENTICATED_FULLY"/>
-        <sec:intercept-url pattern="/secure/manager/**" access="ROLE_MANAGER"/>
-        <sec:intercept-url pattern="/secure/admin/**" access="ROLE_ADMIN"/>
-        <sec:intercept-url pattern="/secure/user/**" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER"/>
-    </sec:http>
-
-
-    <sec:authentication-manager alias="authManager"/>
-
-    <bean id="fedizConfig" class="org.apache.cxf.fediz.spring.FederationConfigImpl" init-method="init"
-        p:configFile="WEB-INF/fediz_config.xml" p:contextName="/fedizhelloworld" />
-
-    <bean id="federationEntryPoint"
-        class="org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint"
-        p:federationConfig-ref="fedizConfig" />
+
 

The http element is the key element which depends on the other bean definitions like federationFilter and the federationAuthProvider. Web request authorizing is configured in the http element as well which looks similar to security constraints definition in web.xml.

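Review bot: the sec:http block in the @@ -165,39 +173,39 @@ hunk has no catch-all rule: /secure/fedservlet is an exact pattern and the three /secure/.../** rules do not cover other paths under /secure/, and Spring Security leaves a request that matches no intercept-url unprotected. Either add a final intercept-url for /secure/** (or /**) with IS_AUTHENTICATED_FULLY after the role-specific rules, since the first matching pattern wins, or state that the web.xml security constraint is expected to cover the remainder.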
@@ -205,18 +213,18 @@ Apache CXF -- Fediz Spring 2

The following code snippet of the FederationServlet example illustrates how to get access to the Spring Security Context of the current user and to the Federation releated information like claims and login token.

FederationServlet.java
-
+