cxf-commits mailing list archives

From "Oliver Wulff (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF > Fediz Websphere
Date Fri, 06 Sep 2013 11:07:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Websphere">Fediz
Websphere</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~owulff@apache.org">Oliver
Wulff</a>
    </h4>
        <br/>
                         <h4>Changes (2)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h3. Fediz configuration
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
Fediz related configuration is done in a Servlet Container independent configuration file
which is described here. <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h3. Federation Metadata document <br>
<br></td></tr>
            <tr><td class="diff-changed-lines" >The <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">Tomcat</span>
<span class="diff-added-words"style="background-color: #dfd;">Webpshere</span>
Fediz plugin supports publishing the WS-Federation Metadata document which is described [here|Fediz
Metadata]. <br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizWebsphere-IBMWebspherePlugin"></a>IBM Websphere
Plugin</h1>
<p>This page describes how to enable Federation for an IBM Websphere Application Server
(WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere
instance hosting the Fediz IDP and IDP STS WARs, but for applications that use SAML assertions
for authentication. After this configuration is done, the Websphere RP instance will validate
the incoming SignInResponse created by the IDP server.</p>

<p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP
and STS on a separate Servlet Container instance as discussed <a href="/confluence/display/CXF/Fediz+IDP"
title="Fediz IDP">here</a>, and can view the STS WSDL at the URL given on that page.
That page also provides some tips for running multiple Tomcat instances on your machine.</p>

<h3><a name="FedizWebsphere-WebsphereSecurity"></a>Websphere Security</h3>

<p>A <b>Trust Authentication Interceptor (TAI)</b> is a pluggable security
component that is installed and configured at the IBM WebSphere Application Server Cell level.<br/>
As such, every managed server in the Cell has this component installed and activated
once it is defined in the WAS Security configuration.<br/>
A TAI implements the WAS-specific interface <tt>com.ibm.wsspi.security.tai.TrustAssociationInterceptor</tt>.<br/>
The WAS-specific API for customizing the security layer is explained in detail at the following:</p>

<p><a href="http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html"
class="external-link" rel="nofollow">http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html</a></p>

<p>The Fediz Plugin for Websphere provides a TAI implementation which leverages the
<b>Fediz Core</b>.</p>

<p>The WAS security runtime supports a notion of a security session using a specific security
token called the <em>LTPA Token</em>, which is implemented as an HTTP cookie. The cookie
lifetime is specified at the WAS administrative <em>Cell</em> level, which implies
that it is not possible to configure this value per application, based on the requirements
of that application.<br/>
Once the LTPA Token is set, the TAI is no longer involved after login, which means a Web Application
level component must intercept each request to check the security token (e.g. SAML) lifetime
and redirect the browser back to the IDP for re-authentication.<br/>
The Fediz Plugin for Websphere ships a Java Servlet Filter which enforces the validity of the
lifetime of the security token. This Servlet Filter must be configured in each Web Application
module that is deployed on WAS.</p>
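<p>The following filter is an added illustration of the request-interception step described above; it is not the Fediz project's own Servlet Filter. It assumes that the TAI recorded the token's expiry instant in the HTTP session under a hypothetical attribute name (<tt>example.fediz.tokenExpiryMillis</tt>), that the IDP sign-in URL and the RP realm are supplied as filter init-params (<tt>idpSignInUrl</tt>, <tt>realm</tt>, optional <tt>clockSkewMillis</tt>), and that the container implements Servlet 3.0 so that <tt>request.logout()</tt> is available.</p>

```java
import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative token-lifetime filter (not the Fediz project's own code).
 * The TAI only runs at login; afterwards WAS trusts the LTPA cookie until its
 * Cell-wide lifetime ends. This filter re-checks the federated token's expiry
 * on every request and forces a round trip to the IDP once it has passed.
 */
public class TokenLifetimeFilter implements Filter {

    // ASSUMPTION (placeholder name): the TAI stored the token's NotOnOrAfter
    // instant as epoch milliseconds under this session attribute at login.
    static final String TOKEN_EXPIRY_ATTR = "example.fediz.tokenExpiryMillis";

    private String idpSignInUrl;            // init-param: IDP sign-in endpoint (assumed)
    private String realm;                   // init-param: this RP's WS-Federation realm (wtrealm)
    private long clockSkewMillis = 30_000L; // tolerated drift between IDP and WAS clocks

    @Override
    public void init(FilterConfig config) throws ServletException {
        idpSignInUrl = required(config, "idpSignInUrl");
        realm = required(config, "realm");
        String skew = config.getInitParameter("clockSkewMillis");
        if (skew != null) {
            clockSkewMillis = Long.parseLong(skew.trim());
        }
    }

    private static String required(FilterConfig config, String name) throws ServletException {
        String value = config.getInitParameter(name);
        if (value == null || value.trim().isEmpty()) {
            throw new ServletException("Missing required filter init-param: " + name);
        }
        return value.trim();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isTokenExpired(request, System.currentTimeMillis())) {
            // Invalidating the session alone is not enough: WAS would still accept
            // the LTPA cookie. request.logout() (Servlet 3.0) clears the container's
            // authentication state, so the TAI runs again on the next request.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            request.logout();
            response.setHeader("Cache-Control", "no-store");
            response.sendRedirect(buildSignInRedirect(request));
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Expired when the recorded expiry (plus tolerated skew) is in the past.
     * An authenticated user with no recorded expiry is treated as expired (fail
     * closed); an unauthenticated request is left to WAS and the TAI.
     */
    boolean isTokenExpired(HttpServletRequest request, long nowMillis) {
        HttpSession session = request.getSession(false);
        Object expiry = session == null ? null : session.getAttribute(TOKEN_EXPIRY_ATTR);
        if (expiry instanceof Long) {
            return nowMillis > (Long) expiry + clockSkewMillis;
        }
        return request.getUserPrincipal() != null;
    }

    /** WS-Federation sign-in request; wreply brings the user back to the page they asked for. */
    String buildSignInRedirect(HttpServletRequest request) throws IOException {
        StringBuffer target = request.getRequestURL();
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        return idpSignInUrl
            + "?wa=wsignin1.0"
            + "&wtrealm=" + URLEncoder.encode(realm, "UTF-8")
            + "&wreply=" + URLEncoder.encode(target.toString(), "UTF-8");
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

<p>Register the filter in each WAR's <tt>web.xml</tt> with a <tt>filter-mapping</tt> that covers the protected URL patterns, passing <tt>idpSignInUrl</tt>, <tt>realm</tt> and optionally <tt>clockSkewMillis</tt> as init-params. The expiry the filter checks is normally the <tt>NotOnOrAfter</tt> value from the SAML assertion's <tt>Conditions</tt>, so the component that validates the SignInResponse (here, the TAI) is the right place to record it; a short skew tolerance avoids spurious re-authentication when the IDP and WAS clocks differ by a few seconds.</p>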

<h3><a name="FedizWebsphere-BuildFedizWebsphereLibrary"></a>Build Fediz
Websphere Library</h3>

<p>You have to build the Fediz plugin on your own, as it depends on IBM Websphere libraries.
Once you have built the plugin, you'll find the required libraries in <tt>plugins/websphere/target/...zip-with-dependencies.zip</tt>.</p>

<h3><a name="FedizWebsphere-Installation"></a>Installation</h3>

<h5><a name="FedizWebsphere-PreRequisites"></a>Pre-Requisites</h5>

<p>Administrative and Application security must be enabled for the WAS security
layer to be able to intercept access requests to secured resources. The local User Registry must
be properly configured, and at least one group of users must be declared in the registry prior
to any application installation.<br/>
At runtime, the WAS security layer uses the defined User/Group registry, and the Fediz
plugin maps the roles in the SAML token to WAS groups from this registry using the configured
<em>Role to Group</em> mapper.<br/>
At deployment time, the declared J2EE security roles need to be mapped to these groups,
either using the Administrative Console or using the WAS binding files.</p>

<h5><a name="FedizWebsphere-PluginInstallation"></a>Plugin Installation</h5>

<p>The Fediz Websphere plugin and its dependencies must be copied into the <tt>&lt;WAS_INSTALL_ROOT&gt;/lib/ext</tt>
directory of WebSphere Application Server on each configured Node of the Cell (including
the Deployment Manager).</p>

<p>The Fediz configuration file (e.g. <tt>fediz-config.xml</tt>) and the
configured truststore should be copied into a directory readable by the WAS runtime
user, on each configured Node of the Cell (including the Deployment Manager).<br/>
<em>Note:</em> Using a shared filesystem is recommended.</p>

<h3><a name="FedizWebsphere-Fedizconfiguration"></a>Fediz configuration</h3>
<p>The Fediz-related configuration is done in a Servlet Container independent configuration
file, which is described here.</p>


<h3><a name="FedizWebsphere-FederationMetadatadocument"></a>Federation Metadata
document</h3>

<p>The Websphere Fediz plugin supports publishing the WS-Federation Metadata document,
which is described <a href="/confluence/display/CXF/Fediz+Metadata" title="Fediz Metadata">here</a>.</p>



    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;" class="grey">
                        <a href="https://cwiki.apache.org/confluence/users/removespacenotification.action?spaceKey=CXF">Stop
watching space</a>
            <span style="padding: 0px 5px;">|</span>
                <a href="https://cwiki.apache.org/confluence/users/editmyemailsettings.action">Change
email notification preferences</a>
</div>
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Websphere">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=33292561&revisedVersion=4&originalVersion=3">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Websphere?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
