cxf-commits mailing list archives

From "Oliver Wulff (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF > Fediz Websphere
Date Fri, 06 Sep 2013 10:51:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Websphere">Fediz
Websphere</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~owulff@apache.org">Oliver
Wulff</a>
    </h4>
        <br/>
                         <h4>Changes (6)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-unchanged" >h1. IBM Websphere Plugin <br></td></tr>
            <tr><td class="diff-changed-lines" >This page describes how to enable
Federation for a IBM Websphere <span class="diff-added-words"style="background-color: #dfd;">Application
Server (WAS)</span> instance hosting Relying Party (RP) applications. This configuration
is not for a Websphere instance hosting the Fediz IDP and IDP STS WARs but for applications
that use SAML assertions for authentication.  After this configuration is done, the Websphere-RP
instance will validate the incoming SignInResponse created by the IDP server. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>Prior to doing this configuration,
make sure you&#39;ve first deployed the Fediz IDP and STS on the separate Servlet Container
instance as discussed [here|Fediz IDP], and can view the STS WSDL at the URL given on that
page.  That page also provides some tips for running multiple Tomcat instances on your machine.
<br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h3.
Websphere Security <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">A
*Trust Authentication Interceptor (TAI)* is a pluggable security component that is installed
and configured at the IBM WebSphere Application Cell level. <br>As such, any managed
server on the Cell will have this component installed in and activated once defined in the
WAS Security configuration. <br>A TAI implements the WAS specific interface {{com.ibm.wsspi.security.tai.TrustAssociationInterceptor}}
<br>The WAS specific API for security layer customization is explained in details at
the following: <br> <br>http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html
<br> <br>The Fediz Plugin for Websphere provides a TAI implementation which leverages
the *Fediz Core*. <br> <br>WAS security runtime supports a notion of a security
session using a specific security token called _LTPA Token_ which is implemented as a HTTP
cookie. The cookie lifetime is specified at the WAS administrative _Cell_ level, which implies
that it is not possible to configure this value per request based on the requirements for
an application. <br>The TAI is no more involved after login once the LTPA Token is set
which means a Web Application level component must intercept each request to check the security
token (ex. SAML) lifetime and redirect the browser back to the IDP for re-authentication.
<br> <br></td></tr>
            <tr><td class="diff-unchanged" >h3. Installation <br> <br></td></tr>
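            <tr><td class="diff-unchanged">Review bot: The added Websphere Security text says a Web Application level component must intercept each request to check the SAML token lifetime once the LTPA Token is set, but it does not say which component in the Fediz Websphere plugin performs that check or how it is configured; name that component or link to where it is described, otherwise readers will assume the TAI alone enforces token expiry. Minor wording in the same hunk: &quot;installed in and activated&quot; should read &quot;installed and activated&quot;, &quot;explained in details&quot; should read &quot;explained in detail&quot;, and &quot;no more involved&quot; should read &quot;no longer involved&quot;.</td></tr>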
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h3.
Configuration <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h5.
HTTPS configuration <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">It&#39;s
recommended to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz
RP web applications use the following TCP ports: <br>* HTTP port: 8080 (used for Maven
deployment, mvn tomcat:redeploy) <br>* HTTPS port: 8443 (where IDP and STS are accessed)
<br>* Server port (for shutdown and other commands): 8005 <br> <br>These
are the default ports for a standard Tomcat installation. <br> <br>The Relying
Party must be accessed over HTTPS to protect the security tokens issued by the IDP. <br>
<br>The Tomcat HTTP(s) configuration is done in conf/server.xml. <br> <br>This
is a sample snippet for an HTTPS configuration: <br> <br>{code:xml} <br>
   &lt;Connector port=&quot;8443&quot; protocol=&quot;HTTP/1.1&quot; SSLEnabled=&quot;true&quot;
<br>               maxThreads=&quot;150&quot; scheme=&quot;https&quot;
secure=&quot;true&quot; <br>               keystoreFile=&quot;tomcat-rp.jks&quot;
<br>               keystorePass=&quot;tompass&quot; sslProtocol=&quot;TLS&quot;
/&gt; <br>{code} <br> <br>The keystoreFile is relative to $CATALINA_HOME.
See [here|http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html] for the Tomcat 7 configuration
reference. This page also describes how to create certificates.  Sample Tomcat keystores (not
for production use, but useful for demoing Fediz and running the sample applications) are
provided in the examples/samplekeys folder of the Fediz distribution.  Note the Tomcat keystore
here is different from the one used to configure the Tomcat-IDP instance. <br> <br>To
establish trust, there are significant keystore/truststore requirements between the Tomcat
instances and the various web applications (IDP, STS, Relying party applications, third party
web services, etc.)  See [this page|http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co]
for more details, it lists the trust requirements as well as sample scripts for creating your
own (self-signed) keys. <br> <br>*Warning:  All sample keystores provided with
Fediz (including in the WAR files for its services and examples) are for development/prototyping
use only.  They&#39;ll need to be replaced for production use, at a minimum with your
own self-signed keys but strongly recommended to use third-party signed keys.* <br>
<br>If you are currently just trying to run the Fediz samples, the configuration above
is all you need (the below configuration is already provided within the samples) so you can
return now to the samples&#39; READMEs for the next steps in running them. <br>
<br> <br>h5. Fediz Plugin configuration for Your Web Application <br> <br>The
Fediz related configuration is done in a Servlet Container independent configuration file
which is described [here|Fediz Configuration]. <br> <br>The Fediz plugin requires
configuring the FederationAuthenticator like any other Valve in Tomcat. Detailed information
about the Tomcat Valve concept is available [here|http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html].
<br> <br>A Valve can be configured on different levels like _Host_ or _Context_.
The Fediz configuration file allows to configure all servlet contexts in one file or choosing
one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet
Context then you must configure the FederationAuthenticator on the _Context_ level otherwise
on the _Host_ level in the Tomcat configuration file _server.xml_ <br> <br>You
can either configure the context in the server.xml or in META-INF/context.xml as part of your
WAR file. <br> <br>h6. META-INF/context.xml <br>{code:xml}  <br> 
&lt;Context&gt;  <br>    &lt;Valve className=&quot;org.apache.cxf.fediz.tomcat.FederationAuthenticator&quot;
<br>      configFile=&quot;conf/Fediz_config.xml&quot; /&gt; <br>
 &lt;/Context&gt;  <br>{code} <br> <br>h6. Host level in server.xml
<br>{code:xml}  <br>  &lt;Host name=&quot;localhost&quot;  appBase=&quot;webapps&quot;
<br>        unpackWARs=&quot;true&quot; autoDeploy=&quot;true&quot;&gt;
<br>    &lt;Valve className=&quot;org.apache.cxf.fediz.tomcat.FederationAuthenticator&quot;
<br>           configFile=&quot;conf/Fediz_config.xml&quot; /&gt; <br>
 &lt;/Host&gt; <br>{code}  <br> <br>h6. Context level in server.xml
<br>{code:xml}  <br>  &lt;Context path=&quot;/fedizhelloworld&quot;
docBase=&quot;fedizhelloworld&quot;&gt; <br>    &lt;Valve className=&quot;org.apache.cxf.fediz.tomcat.FederationAuthenticator&quot;
<br>      configFile=&quot;conf/Fediz_config.xml&quot; /&gt; <br>
 &lt;/Context&gt; <br>{code} <br> <br>The Fediz configuration file
is a Servlet container independent configuration file and described [here|Fediz Configuration]
<br> <br>h3. Web Application deployment <br> <br>Deploy your Web Application
to your Tomcat installation (&lt;catalina.home&gt;/webapps).  If you&#39;re running
the Fediz examples, their README files will have instructions on how to do this. <br>
<br></td></tr>
            <tr><td class="diff-unchanged" >h3. Federation Metadata document <br>
<br></td></tr>
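            <tr><td class="diff-unchanged">Review bot: Deleting the whole Configuration section also removes the only statements that the Relying Party must be accessed over HTTPS to protect the tokens issued by the IDP and that the sample keystores are for development use only; both apply to a WAS deployment as much as to Tomcat, so a WAS-oriented HTTPS and keystore note should replace the Tomcat text rather than leave the page silent on transport security. The Installation steps that remain on the page still refer to ${catalina.home} and catalina.properties, which are Tomcat paths, and should be revised for WAS in the same edit.</td></tr>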
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizWebsphere-IBMWebspherePlugin"></a>IBM Websphere
Plugin</h1>
<p>This page describes how to enable Federation for an IBM Websphere Application Server
(WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere
instance hosting the Fediz IDP and IDP STS WARs, but for applications that use SAML assertions
for authentication. After this configuration is done, the Websphere-RP instance will validate
the incoming SignInResponse created by the IDP server.</p>

<p>Before doing this configuration, make sure you have first deployed the Fediz IDP
and STS on a separate Servlet Container instance as discussed <a href="/confluence/display/CXF/Fediz+IDP"
title="Fediz IDP">here</a>, and that you can view the STS WSDL at the URL given on that page.
That page also provides some tips for running multiple Tomcat instances on your machine.</p>

<h3><a name="FedizWebsphere-WebsphereSecurity"></a>Websphere Security</h3>

<p>A <b>Trust Authentication Interceptor (TAI)</b> is a pluggable security
component that is installed and configured at the IBM WebSphere Application Cell level.<br/>
As such, every managed server in the Cell has this component installed and activated
once it is defined in the WAS Security configuration.<br/>
A TAI implements the WAS-specific interface <tt>com.ibm.wsspi.security.tai.TrustAssociationInterceptor</tt>.<br/>
The WAS-specific API for customizing the security layer is explained in detail at the following link:</p>

<p><a href="http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html"
class="external-link" rel="nofollow">http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html</a></p>

<p>The Fediz Plugin for Websphere provides a TAI implementation that leverages the
<b>Fediz Core</b>.</p>

<p>The WAS security runtime supports the notion of a security session using a specific security
token called the <em>LTPA Token</em>, which is implemented as an HTTP cookie. The cookie
lifetime is specified at the WAS administrative <em>Cell</em> level, which means
that it is not possible to configure this value per request according to the requirements of
an application.<br/>
The TAI is no longer involved after login once the LTPA Token is set, which means that a Web Application
level component must intercept each request to check the security token (e.g. SAML) lifetime
and redirect the browser back to the IDP for re-authentication.</p>
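<p>As an added example (not Fediz code and not from the original page), the per-request lifetime check just described, written as a servlet filter. It assumes the TAI stored the assertion's NotOnOrAfter instant in the session under a hypothetical attribute name, that the IDP URL and RP realm come from filter init-params, and that the LTPA cookie uses the WAS default name, which you should confirm for your Cell.</p>

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.time.Instant;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical web-application-level filter (not part of Fediz). WAS stops consulting the
// TAI once the LTPA cookie exists, so the SAML lifetime must be re-checked here on each request.
public class TokenLifetimeFilter implements Filter {
    // Session attribute assumed to hold the assertion's NotOnOrAfter instant (hypothetical name).
    static final String EXPIRY_ATTR = "fediz.saml.notOnOrAfter";
    static final String LTPA_COOKIE = "LtpaToken2";   // WAS default SSO cookie name; confirm per Cell
    private String idpUrl;   // init-param, e.g. https://idp.example.test/fediz-idp/ (constructed)
    private String realm;    // init-param: the wtrealm this RP is registered under at the IDP
    @Override public void init(FilterConfig cfg) {
        idpUrl = cfg.getInitParameter("idpUrl");
        realm = cfg.getInitParameter("realm");
    }
    @Override public void destroy() { }

    // Fail closed: a logged-in user with no recorded expiry is treated as expired.
    static boolean isExpired(Object notOnOrAfter, Instant now) {
        return !(notOnOrAfter instanceof Instant) || !now.isBefore((Instant) notOnOrAfter);
    }

    // WS-Federation sign-in request back to the IDP, returning the browser to the original URL.
    static String signInUrl(String idpUrl, String realm, String wreply) throws IOException {
        return idpUrl + "?wa=wsignin1.0&wtrealm=" + URLEncoder.encode(realm, "UTF-8")
                + "&wreply=" + URLEncoder.encode(wreply, "UTF-8");
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        boolean loggedIn = request.getUserPrincipal() != null;   // authenticated by WAS (LTPA)
        Object expiry = session == null ? null : session.getAttribute(EXPIRY_ATTR);
        if (loggedIn && isExpired(expiry, Instant.now())) {
            if (session != null) session.invalidate();           // drop the application session
            Cookie ltpa = new Cookie(LTPA_COOKIE, "");            // clear SSO cookie so the TAI runs again
            ltpa.setMaxAge(0);
            ltpa.setPath("/");
            response.addCookie(ltpa);
            response.sendRedirect(signInUrl(idpUrl, realm, request.getRequestURL().toString()));
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the check fails closed, an authenticated session without the expiry attribute is redirected on every request; record the expiry at login before enabling the filter.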

<h3><a name="FedizWebsphere-Installation"></a>Installation</h3>

<p>You have to build the Fediz plugin yourself, as it depends on IBM Websphere libraries.
Once you have built the plugin, you will find the required libraries in <tt>plugins/websphere/target/...zip-with-dependencies.zip</tt></p>

<ol>
	<li>Create sub-directory <tt>fediz</tt> in <tt>${catalina.home}/lib</tt></li>
	<li>Update catalina.properties in ${catalina.home}/conf<br/>
and add the previously created directory to the common loader:<br/>
<tt>common.loader=${catalina.base}/lib,${catalina.base}/lib/&#42;.jar,${catalina.home}/lib,${catalina.home}/lib/&#42;.jar,${catalina.home}/lib/fediz/&#42;.jar</tt></li>
	<li>Deploy the libraries to the directory created in (1)</li>
</ol>





<h3><a name="FedizWebsphere-FederationMetadatadocument"></a>Federation Metadata
document</h3>

<p>The Tomcat Fediz plugin supports publishing the WS-Federation Metadata document which
is described <a href="/confluence/display/CXF/Fediz+Metadata" title="Fediz Metadata">here</a>.</p>



    </div>
</div>
</div>
</div>
</div>
</body>
</html>
