cxf-commits mailing list archives

From "Oliver Wulff (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF > Fediz CXF
Date Thu, 05 Sep 2013 20:46:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+CXF">Fediz
CXF</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~owulff@apache.org">Oliver
Wulff</a>
    </h4>
        <br/>
<h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizCXF-CXFPlugin"></a>CXF Plugin</h1>
<p>The purpose of the Fediz subproject is to provide Single Sign-On for web applications
independently of any underlying Web Services framework such as Apache CXF. The Fediz plugins
for Tomcat, Jetty, etc. do not depend on Apache CXF, whereas the Fediz IDP leverages the
CXF STS to issue SAML tokens carrying claims information, so that applications can use
claims-based authorization with all its benefits.</p>

<p>If the Fediz-protected web application integrates with another application through
Web Services, you need to bundle a Web Services framework such as Apache CXF with your web application.
If the Web Service call must support impersonation, the security context held by the
application server must be delegated to the Web Services stack so that it can make the Web
Service call on behalf of the browser user.</p>

<p>In release 1.1, the Fediz CXF plugin supports delegating the application server security
context (the SAML token) to the STS client of CXF. CXF can then request a security token
for the target Web Service from the STS on behalf of the browser user.</p>

<p>One of the other Fediz plugins must be deployed first to WS-Federation-enable
the application. After that, the Fediz CXF plugin can be installed to integrate
the Web SSO layer with the Web Services stack of Apache CXF.</p>


<h3><a name="FedizCXF-Installation"></a>Installation</h3>

<p>It's recommended to use Maven to resolve the dependencies, as illustrated in the
example <tt>wsclientWebapp</tt>.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    &lt;dependency&gt;
        &lt;groupId&gt;org.apache.cxf.fediz&lt;/groupId&gt;
        &lt;artifactId&gt;fediz-cxf&lt;/artifactId&gt;
        &lt;version&gt;1.1.0&lt;/version&gt;
    &lt;/dependency&gt;
</pre>
</div></div>

<p>The example contains a README with instructions for building and deployment.</p>

<h3><a name="FedizCXF-Configuration"></a>Configuration</h3>

<p>Two configurations are required: in <tt>web.xml</tt>, the <tt>FederationFilter</tt>
must be enabled so that it caches the security context in thread-local storage; and in the Spring
configuration file <tt>applicationContext.xml</tt>, a callback handler must be configured that
provides the STS client with the security context stored in thread-local storage.</p>

<p><tt>web.xml</tt></p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    &lt;filter&gt;
        &lt;filter-name&gt;FederationFilter&lt;/filter-name&gt;
        &lt;filter-class&gt;org.apache.cxf.fediz.core.servlet.FederationFilter&lt;/filter-class&gt;
    &lt;/filter&gt;

    &lt;filter-mapping&gt;
        &lt;filter-name&gt;FederationFilter&lt;/filter-name&gt;
        &lt;url-pattern&gt;/secure/*&lt;/url-pattern&gt;
    &lt;/filter-mapping&gt;
</pre>
</div></div>

<p>The <tt>FederationFilter</tt> is part of the library <tt>fediz-core</tt>.</p>

<p><tt>applicationContext.xml</tt></p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">

    &lt;bean id="delegationCallbackHandler"
        class="org.apache.cxf.fediz.cxf.web.ThreadLocalCallbackHandler" /&gt;

    &lt;jaxws:client id="HelloServiceClient" serviceName="svc:GreeterService"
        ...
        wsdlLocation="WEB-INF/wsdl/hello_world.wsdl"&gt;
        &lt;jaxws:properties&gt;
            &lt;entry key="ws-security.sts.client"&gt;
                &lt;bean class="org.apache.cxf.ws.security.trust.STSClient"&gt;
                    ...
                    &lt;property name="onBehalfOf" ref="delegationCallbackHandler" /&gt;
                    ...
                 &lt;/bean&gt;
            &lt;/entry&gt;
            &lt;entry key="ws-security.cache.issued.token.in.endpoint" value="false" /&gt;
        &lt;/jaxws:properties&gt;
    &lt;/jaxws:client&gt;

</pre>
</div></div>

<p>The <tt>ThreadLocalCallbackHandler</tt> is part of the library <tt>fediz-cxf</tt>.</p>

<p>If you have set the property <tt>ws-security.cache.issued.token.in.endpoint</tt>,
CXF caches the issued token per security context, for as long as the lifetime element
returned by the STS allows. Once the cached token for the target web service has expired, CXF requests
a new token from the STS on behalf of the cached Fediz security context.</p>

<p>No special Java code is required to use this functionality, as the following
snippet illustrates:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    // Look up the JAX-WS client proxy configured as "HelloServiceClient" in applicationContext.xml
    Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
    // The STSClient attached to the proxy obtains a token on behalf of the cached
    // Fediz security context transparently; no delegation code is needed here
    String reply = service.greetMe();
</pre>
</div></div>
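<p>To make the delegation chain above concrete, here is an added illustration (not Fediz's or CXF's own code) of the two roles the configuration wires together: a servlet filter that parks the caller's SAML assertion in thread-local storage for the duration of one request, and a <tt>CallbackHandler</tt> that hands that assertion to the <tt>STSClient</tt> through CXF's <tt>DelegationCallback</tt> when the <tt>onBehalfOf</tt> property is consulted. The names <tt>DelegationExample</tt>, <tt>TokenHolder</tt>, <tt>AssertionPrincipal</tt>, <tt>ContextCachingFilter</tt> and <tt>ThreadLocalDelegationHandler</tt> are hypothetical; <tt>javax.servlet</tt> and <tt>javax.security.auth.callback</tt> are the standard APIs, and <tt>org.apache.cxf.ws.security.trust.delegation.DelegationCallback</tt> is the CXF callback type passed to an <tt>onBehalfOf</tt> handler. The point to take from it is the <tt>finally</tt> block: servlet threads are pooled, so a security context left in a <tt>ThreadLocal</tt> after the response would be presented as the identity of whichever request that thread serves next.</p>

```java
// Added illustration, not Fediz's or CXF's own code. Everything marked
// HYPOTHETICAL is a name chosen for this example.
package example.fediz; // HYPOTHETICAL package

import java.io.IOException;
import java.security.Principal;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
import org.w3c.dom.Element;

public final class DelegationExample { // HYPOTHETICAL container class

    /** HYPOTHETICAL: the principal the WS-Federation plugin placed on the request,
     *  exposing the SAML assertion the IDP issued for the browser user. */
    public interface AssertionPrincipal extends Principal {
        Element getAssertion();
    }

    /** HYPOTHETICAL per-thread holder for the caller's assertion. */
    public static final class TokenHolder {
        private static final ThreadLocal<Element> TOKEN = new ThreadLocal<Element>();
        private TokenHolder() { }
        static void set(Element assertion) { TOKEN.set(assertion); }
        static Element get() { return TOKEN.get(); }
        // remove(), not set(null): also releases the entry in the pooled thread's map
        static void clear() { TOKEN.remove(); }
    }

    /** HYPOTHETICAL filter playing the role the page assigns to FederationFilter:
     *  cache the security context in thread-local storage for one request. */
    public static final class ContextCachingFilter implements Filter {
        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            Element assertion = null;
            if (req instanceof HttpServletRequest) {
                Principal p = ((HttpServletRequest) req).getUserPrincipal();
                if (p instanceof AssertionPrincipal) {
                    assertion = ((AssertionPrincipal) p).getAssertion();
                }
            }
            TokenHolder.set(assertion);
            try {
                chain.doFilter(req, res);
            } finally {
                // Servlet containers reuse threads. Without this, the next request
                // served by this thread (possibly another user's) would inherit
                // this user's assertion and the STS call would run OnBehalfOf them.
                TokenHolder.clear();
            }
        }
    }

    /** HYPOTHETICAL handler playing the role of ThreadLocalCallbackHandler: referenced
     *  from the STSClient's onBehalfOf property, it receives a DelegationCallback
     *  from CXF and answers with the cached assertion. */
    public static final class ThreadLocalDelegationHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof DelegationCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                Element assertion = TokenHolder.get();
                if (assertion == null) {
                    // Fail closed: an unauthenticated or misconfigured path must not
                    // produce an OnBehalfOf request carrying no (or a stale) token.
                    throw new IOException("no delegated security context on this thread");
                }
                ((DelegationCallback) cb).setToken(assertion);
            }
        }
    }
}
```

<p>Wired in, the filter takes the place of <tt>FederationFilter</tt> in <tt>web.xml</tt> (same <tt>filter-mapping</tt> on <tt>/secure/*</tt>) and the handler takes the place of <tt>ThreadLocalCallbackHandler</tt> as the <tt>delegationCallbackHandler</tt> bean referenced by <tt>onBehalfOf</tt>. Throwing from <tt>handle</tt> when no assertion is present is deliberate: it surfaces a missing or mis-ordered filter as a failed call rather than as a silently unauthenticated STS request.</p>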
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
