cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r877639 - in /websites/production/cxf/content: ./ cache/ fediz-websphere.data/
Date Sat, 07 Sep 2013 22:48:00 GMT
Author: buildbot
Date: Sat Sep  7 22:48:00 2013
New Revision: 877639

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/fediz-cxf.html
    websites/production/cxf/content/fediz-websphere.data/
    websites/production/cxf/content/fediz-websphere.data/GlobalSec.png   (with props)
    websites/production/cxf/content/fediz-websphere.data/create-interceptor.png   (with props)
    websites/production/cxf/content/fediz-websphere.data/enable-trust-assoc.png   (with props)
    websites/production/cxf/content/fediz-websphere.data/trust-association.png   (with props)
Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-websphere.html
    websites/production/cxf/content/fediz.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/cxf/content/fediz-cxf.html
==============================================================================
--- websites/production/cxf/content/fediz-cxf.html (added)
+++ websites/production/cxf/content/fediz-cxf.html Sat Sep  7 22:48:00 2013
@@ -0,0 +1,273 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+  <head>
+
+<link type="text/css" rel="stylesheet" href="/resources/site.css">
+<script src='/resources/space.js'></script>
+
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture,
web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support,
integration standards, application integration, middleware, software, solutions, services,
CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - Fediz CXF">
+
+
+<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
+<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
+
+<script src='/resources/highlighter/scripts/shCore.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script>
+  SyntaxHighlighter.defaults['toolbar'] = false;
+  SyntaxHighlighter.all();
+</script>
+
+
+    <title>
+Apache CXF -- Fediz CXF
+    </title>
+  </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+  <tr>
+    <td id="cell-0-0" colspan="2">&nbsp;</td>
+    <td id="cell-0-1">&nbsp;</td>
+    <td id="cell-0-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-1-0">&nbsp;</td>
+    <td id="cell-1-1">&nbsp;</td>
+    <td id="cell-1-2">
+      <!-- Banner -->
+<div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0"
width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight:
bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/" title="The Apache Software Foundation"><img
border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
+</td></tr></table></div></div>
+      <!-- Banner -->
+      <div id="top-menu">
+        <table border="0" cellpadding="1" cellspacing="0" width="100%">
+          <tr>
+            <td>
+              <div align="left">
+                <!-- Breadcrumbs -->
+<a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a href="fediz.html">Fediz</a>&nbsp;&gt;&nbsp;<a
href="fediz-cxf.html">Fediz CXF</a>
+                <!-- Breadcrumbs -->
+              </div>
+            </td>
+            <td>
+              <div align="right">
+                <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="download.html" title="Download">Download</a>
| <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
+                <!-- Quicklinks -->
+              </div>
+            </td>
+          </tr>
+        </table>
+      </div>
+    </td>
+    <td id="cell-1-3">&nbsp;</td>
+    <td id="cell-1-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-2-0" colspan="2">&nbsp;</td>
+    <td id="cell-2-1">
+      <table>
+        <tr valign="top">
+          <td height="100%">
+            <div id="wrapper-menu-page-right">
+              <div id="wrapper-menu-page-top">
+                <div id="wrapper-menu-page-bottom">
+                  <div id="menu-page">
+                    <!-- NavigationBar -->
+<div id="navigation"><h3><a shape="rect" name="Navigation-ApacheCXFIndex"></a><a
shape="rect" href="index.html" title="Index">Apache CXF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="index.html"
title="Index">Home</a></li><li><a shape="rect" href="download.html"
title="Download">Download</a></li><li><a shape="rect" href="people.html"
title="People">People</a></li><li><a shape="rect" href="project-status.html"
title="Project Status">Project Status</a></li><li><a shape="rect"
href="roadmap.html" title="Roadmap">Roadmap</a></li><li><a shape="rect"
href="mailing-lists.html" title="Mailing Lists">Mailing Lists</a></li><li><a
shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue
Reporting</a></li><li><a shape="rect" href="special-thanks.html" title="Special
Thanks">Special Thanks</a></li><li><a shape="rect" class="external-link"
href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect"
href="security-advisories.html" title="Security Advisories">Security Advisories</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Users"></a>Users</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's
Guide</a></li><li><a shape="rect" href="support.html" title="Support">Support</a></li><li><a
shape="rect" href="faq.html" title="FAQ">FAQ</a></li><li><a shape="rect"
href="resources-and-articles.html" title="Resources and Articles">Resources and Articles</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Search"></a>Search</h3>
+<p>
+</p><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box"
action="http://www.google.com/cse">
+  <div>
+    <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+    <input type="hidden" name="ie" value="UTF-8">
+    <input type="text" name="q" size="21">
+    <input type="submit" name="sa" value="Search">
+  </div>
+</form>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script>
+
+
+<h3><a shape="rect" name="Navigation-Developers"></a>Developers</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture
Guide</a></li><li><a shape="rect" href="source-repository.html" title="Source
Repository">Source Repository</a></li><li><a shape="rect" href="building.html"
title="Building">Building</a></li><li><a shape="rect" href="automated-builds.html"
title="Automated Builds">Automated Builds</a></li><li><a shape="rect"
href="testing-debugging.html" title="Testing-Debugging">Testing-Debugging</a></li><li><a
shape="rect" href="coding-guidelines.html" title="Coding Guidelines">Coding Guidelines</a></li><li><a
shape="rect" href="getting-involved.html" title="Getting Involved">Getting Involved</a></li><li><a
shape="rect" href="release-management.html" title="Release Management">Release Management</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Subprojects"></a>Subprojects</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="distributed-osgi.html"
title="Distributed OSGi">Distributed OSGi</a></li><li><a shape="rect"
href="xjc-utils.html" title="XJC Utils">XJC Utils</a></li><li><a shape="rect"
href="build-utils.html" title="Build Utils">Build Utils</a></li><li><a
shape="rect" href="fediz.html" title="Fediz">Fediz</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-ASF"></a><a shape="rect" class="external-link"
href="http://www.apache.org">ASF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" class="external-link"
href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a
shape="rect" class="external-link" href="http://www.apache.org/foundation/">Foundation</a></li><li><a
shape="rect" class="external-link" href="http://www.apache.org/foundation/sponsorship.html">Sponsor
Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a
shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul>
+</div>
+                    <!-- NavigationBar -->
+                  </div>
+              </div>
+            </div>
+          </div>
+         </td>
+         <td height="100%">
+           <!-- Content -->
+           <div class="wiki-content">
+<div id="ConfluenceContent"><h1><a shape="rect" name="FedizCXF-CXFPlugin%281.1SNAPSHOT%29"></a>CXF
Plugin (1.1 SNAPSHOT)</h1>
+<p>The subproject Fediz purpose is to provide Single Sign On for Web Applications which
is independent of an underlying Web Services framework like Apache CXF. The Fediz plugins
for Tomcat, Jetty, etc. are independent of Apache CXF, whereas the Fediz IDP leverages the
capabilities of the CXF STS to issue SAML tokens with Claims information to build applications
which use Claims Based Authorization with all the benefits.</p>
+
+<p>If the Fediz protected web application integrates with another application using
Web Services you need to bundle a Web Services framework like Apache CXF with your web application.
If it is required to support impersonation to call the Web Service, the security context of
the application server must be delegated to the Web Services stack thus it can make the Web
Service call on behalf of the browser user.</p>
+
+<p>In release 1.1, the Fediz CXF plugin supports delegating the application server
security context (SAML token) to the STS client of CXF. CXF is then able to request a security
token for the target Web Service from the STS on behalf of the browser user. Prior to release
1.1, this Java code had to be developed by the application developer.</p>
+
+<p>It is required that one of the other Fediz plugins are deployed to WS-Federation
enable the application. After this step, the Fediz CXF plugin can be installed to integrate
the Web SSO layer with the Web Services stack of Apache CXF.</p>
+
+
+<h3><a shape="rect" name="FedizCXF-Installation"></a>Installation</h3>
+<p>It's recommended to use Maven to resolve the dependencies as illustrated in the
the example <tt>wsclientWebapp</tt>.</p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>pom.xml</b></div><div
class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;dependency&gt;
+        &lt;groupId&gt;org.apache.cxf.fediz&lt;/groupId&gt;
+        &lt;artifactId&gt;fediz-cxf&lt;/artifactId&gt;
+        &lt;version&gt;1.1.0&lt;/version&gt;
+    &lt;/dependency&gt;
+]]></script>
+</div></div>
+
+<p>The example contains a README with instructions for building and deployment.</p>
+
+<h3><a shape="rect" name="FedizCXF-Configuration"></a>Configuration</h3>
+<p>Two configurations are required in <tt>web.xml</tt> to enable the <tt>FederationFilter</tt>
to cache the security context in the thread local storage and in the spring configuration
file <tt>applicationContext.xml</tt> to configure a callback handler to provide
the STS client the security context stored in the thread local storage. </p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>web.xml</b></div><div
class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;filter&gt;
+        &lt;filter-name&gt;FederationFilter&lt;/filter-name&gt;
+        &lt;filter-class&gt;org.apache.cxf.fediz.core.servlet.FederationFilter&lt;/filter-class&gt;
+    &lt;/filter&gt;
+
+    &lt;filter-mapping&gt;
+        &lt;filter-name&gt;FederationFilter&lt;/filter-name&gt;
+        &lt;url-pattern&gt;/secure/*&lt;/url-pattern&gt;
+    &lt;/filter-mapping&gt;
+]]></script>
+</div></div>
+
+<p>The <tt>FederationFilter</tt> is part of the library <tt>fediz-core</tt>.</p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext.xml</b></div><div
class="codeContent panelContent">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
+    &lt;bean id="delegationCallbackHandler"
+        class="org.apache.cxf.fediz.cxf.web.ThreadLocalCallbackHandler" /&gt;
+
+    &lt;jaxws:client id="HelloServiceClient" serviceName="svc:GreeterService"
+        ...
+        wsdlLocation="WEB-INF/wsdl/hello_world.wsdl"&gt;
+        &lt;jaxws:properties&gt;
+            &lt;entry key="ws-security.sts.client"&gt;
+                &lt;bean class="org.apache.cxf.ws.security.trust.STSClient"&gt;
+                    ...
+                    &lt;property name="onBehalfOf" ref="delegationCallbackHandler" /&gt;
+                    ...
+                 &lt;/bean&gt;
+            &lt;/entry&gt;
+            &lt;entry key="ws-security.cache.issued.token.in.endpoint" value="false"
/&gt;
+        &lt;/jaxws:properties&gt;
+    &lt;/jaxws:client&gt;
+
+]]></script>
+</div></div>
+
+<p>The <tt>ThreadLocalCallbackHandler</tt> is part of the library <tt>fediz-cxf</tt>.</p>
+
+<p>If you have set the property <tt>ws-security.cache.issued.token.in.endpoint</tt>
to false, CXF will cache the issued token per security context dependent on the returned lifetime
element of the STS. When the cached token for the target web services is expired, CXF will
request a new token from the STS on-behalf-of the cached Fediz security context.</p>
+
+<p>There is no special Java code required to get this functionality as illustrated
in the following code snippet:</p>
+
+<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div
class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+    Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
+    String reply = service.greetMe();
+]]></script>
+</div></div></div>
+           </div>
+           <!-- Content -->
+         </td>
+        </tr>
+      </table>
+   </td>
+   <td id="cell-2-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+   <td id="cell-3-0">&nbsp;</td>
+   <td id="cell-3-1">&nbsp;</td>
+   <td id="cell-3-2">
+     <div id="footer">
+       <!-- Footer -->
+       <div id="site-footer">
+         <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a>
- 
+         (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=34018940">edit
page</a>) 
+	 (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=34018940&amp;showComments=true&amp;showCommentArea=true#addcomment">add
comment</a>)<br>
+	Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
+        All other marks mentioned may be trademarks or registered trademarks of their respective
owners.
+       </div>
+       <!-- Footer -->
+     </div>
+   </td>
+   <td id="cell-3-3">&nbsp;</td>
+   <td id="cell-3-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-4-0" colspan="2">&nbsp;</td>
+    <td id="cell-4-1">&nbsp;</td>
+    <td id="cell-4-2" colspan="2">&nbsp;</td>
+  </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
+document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+
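Review bot: The paragraph after `applicationContext.xml` describes what `ws-security.cache.issued.token.in.endpoint` set to `false` does, but it is worded as optional ("If you have set the property ...") and never says what happens when the entry is left out. `HelloServiceClient` is a single Spring bean that `FederationServlet.java` fetches by id on every request, while the `onBehalfOf` token comes from a per-thread security context, so the text should state outright that the entry is required for delegation and that the issued token must be cached per security context and not on the shared client endpoint. The Configuration section should also say that the `/secure/*` url-pattern of `FederationFilter` has to cover every path that calls the web service client, because `ThreadLocalCallbackHandler` only has a context on threads where the filter ran. Minor: the heading says "1.1 SNAPSHOT" while `pom.xml` pins `1.1.0`, "in the the example" repeats a word, and "one of the other Fediz plugins are deployed" should read "is deployed".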

Added: websites/production/cxf/content/fediz-websphere.data/GlobalSec.png
==============================================================================
Binary file - no diff available.

Propchange: websites/production/cxf/content/fediz-websphere.data/GlobalSec.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/production/cxf/content/fediz-websphere.data/create-interceptor.png
==============================================================================
Binary file - no diff available.

Propchange: websites/production/cxf/content/fediz-websphere.data/create-interceptor.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/production/cxf/content/fediz-websphere.data/enable-trust-assoc.png
==============================================================================
Binary file - no diff available.

Propchange: websites/production/cxf/content/fediz-websphere.data/enable-trust-assoc.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/production/cxf/content/fediz-websphere.data/trust-association.png
==============================================================================
Binary file - no diff available.

Propchange: websites/production/cxf/content/fediz-websphere.data/trust-association.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Modified: websites/production/cxf/content/fediz-websphere.html
==============================================================================
--- websites/production/cxf/content/fediz-websphere.html (original)
+++ websites/production/cxf/content/fediz-websphere.html Sat Sep  7 22:48:00 2013
@@ -28,16 +28,6 @@
 <meta name="description" content="Apache CXF, Services Framework - Fediz Websphere">
 
 
-<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
-<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
-
-<script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
-<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
-<script>
-  SyntaxHighlighter.defaults['toolbar'] = false;
-  SyntaxHighlighter.all();
-</script>
 
 
     <title>
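Review bot: Dropping `shCore.js`, the brush scripts and the `SyntaxHighlighter.all()` call from the head is only safe if no `<script type="syntaxhighlighter">` block remains in the body, since a browser does not render a script element of that type on its own and a leftover code panel would show up empty. The following hunk deletes the Tomcat code panels, so please confirm the regenerated page has none left, or keep the includes as `fediz-cxf.html` does.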
@@ -146,105 +136,82 @@ Apache CXF -- Fediz Websphere
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1><a shape="rect" name="FedizWebsphere-IBMWebspherePlugin"></a>IBM
Websphere Plugin</h1>
-<p>This page describes how to enable Federation for a IBM Websphere instance hosting
Relying Party (RP) applications. This configuration is not for a Websphere instance hosting
the Fediz IDP and IDP STS WARs but for applications that use SAML assertions for authentication.
 After this configuration is done, the Websphere-RP instance will validate the incoming SignInResponse
created by the IDP server.</p>
+<p>This page describes how to enable Federation for a IBM Websphere Application Server
(WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere
instance hosting the Fediz IDP and IDP STS WARs but for applications that use SAML assertions
for authentication.  After this configuration is done, the Websphere-RP instance will validate
the incoming SignInResponse created by the IDP server.</p>
 
 <p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP
and STS on the separate Servlet Container instance as discussed <a shape="rect" href="fediz-idp.html"
title="Fediz IDP">here</a>, and can view the STS WSDL at the URL given on that page.
 That page also provides some tips for running multiple Tomcat instances on your machine.</p>
 
+<h3><a shape="rect" name="FedizWebsphere-WebsphereSecurity"></a>Websphere
Security</h3>
 
-<h3><a shape="rect" name="FedizWebsphere-Installation"></a>Installation</h3>
+<p>A <b>Trust Authentication Interceptor (TAI)</b> is a pluggable security
component that is installed and configured at the IBM WebSphere Application Cell level. As
such, any managed server on the Cell will have this component installed in and activated once
defined in the WAS Security configuration.<br clear="none">
+A TAI implements the WAS specific interface <tt>com.ibm.wsspi.security.tai.TrustAssociationInterceptor</tt>.
The WAS specific API for security layer customization is explained in details at the following:</p>
+
+<p><a shape="rect" class="external-link" href="http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html"
rel="nofollow">http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_taisubcreate.html</a></p>
 
-<p>You have to build the Fediz plugin on your own as it depends on IBM Websphere libraries.
If you have built the plugin on your own you'll find the required libraries in <tt>plugins/websphere/target/...zip-with-dependencies.zip</tt></p>
+<p>The Fediz Plugin for Websphere provides a TAI implementation which leverages the
<b>Fediz Core</b>.</p>
 
-<ol><li>Create sub-directory <tt>fediz</tt> in <tt>${catalina.home}/lib</tt></li><li>Update
calatina.properties in ${catalina.home}/conf<br clear="none">
-add the previously created directory to the common loader:<br clear="none">
-<tt>common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar</tt></li><li>Deploy
the libraries to the directory created in (1)</li></ol>
+<p>WAS security runtime supports a notion of a security session using a specific security
token called <em>LTPA Token</em> which is implemented as a HTTP cookie. The cookie
lifetime is specified at the WAS administrative <em>Cell</em> level, which implies
that it is not possible to configure this value per request based on the requirements for
an application.<br clear="none">
+The TAI is no more involved after login once the LTPA Token is set which means a Web Application
level component must intercept each request to check the security token (ex. SAML) lifetime
and redirect the browser back to the IDP for re-authentication.<br clear="none">
+The Fediz Plugin Websphere ships a Java Servlet Filter which enforces the validity of the
lifetime of the security token. This Servlet Filter must be configured in each Web Application
module <tt>web.xml</tt> that is deployed on WAS.</p>
 
+<h3><a shape="rect" name="FedizWebsphere-BuildFedizWebsphereLibrary"></a>Build
Fediz Websphere Library</h3>
 
+<p>You have to build the Fediz plugin on your own as it depends on IBM Websphere libraries.</p>
 
-<h3><a shape="rect" name="FedizWebsphere-Configuration"></a>Configuration</h3>
+<ul><li>Checkout the Fediz sources<br clear="none">
+see <a shape="rect" href="fediz.html#Fediz-building">here</a></li></ul>
 
-<h5><a shape="rect" name="FedizWebsphere-HTTPSconfiguration"></a>HTTPS
configuration</h5>
 
-<p>It's recommended to set up a dedicated (separate) Tomcat instance for the Relying
Party. The Fediz RP web applications use the following TCP ports:</p>
-<ul><li>HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS
port: 8443 (where IDP and STS are accessed)</li><li>Server port (for shutdown
and other commands): 8005</li></ul>
+<ul><li>Add the library <tt>runtime.jar</tt> of IBM Rational Application
Developer to your Maven repository<br clear="none">
+<tt>mvn install:install-file -Dfile=&lt;path-to-file&gt; -DgroupId=com.ibm.ws
-DartifactId=runtime -Dversion=7 -Dpackaging=jar</tt></li></ul>
 
 
-<p>These are the default ports for a standard Tomcat installation.</p>
+<ul><li>run the maven command<br clear="none">
+<tt>mvn clean install -Pwebsphere</tt><br clear="none">
+The Maven profile <tt>websphere</tt> enforces building.</li></ul>
 
-<p>The Relying Party must be accessed over HTTPS to protect the security tokens issued
by the IDP.</p>
 
-<p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p>
+<ul><li>You'll find the required libraries in <tt>plugins/websphere/target/...zip-with-dependencies.zip</tt></li></ul>
 
-<p>This is a sample snippet for an HTTPS configuration:</p>
 
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               keystoreFile="tomcat-rp.jks"
-               keystorePass="tompass" sslProtocol="TLS" /&gt;
-]]></script>
-</div></div>
+<h3><a shape="rect" name="FedizWebsphere-Installation"></a>Installation</h3>
 
-<p>The keystoreFile is relative to $CATALINA_HOME. See <a shape="rect" class="external-link"
href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat
7 configuration reference. This page also describes how to create certificates.  Sample Tomcat
keystores (not for production use, but useful for demoing Fediz and running the sample applications)
are provided in the examples/samplekeys folder of the Fediz distribution.  Note the Tomcat
keystore here is different from the one used to configure the Tomcat-IDP instance.</p>
+<h5><a shape="rect" name="FedizWebsphere-PreRequisites"></a>Pre-Requisites</h5>
 
-<p>To establish trust, there are significant keystore/truststore requirements between
the Tomcat instances and the various web applications (IDP, STS, Relying party applications,
third party web services, etc.)  See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co">this
page</a> for more details, it lists the trust requirements as well as sample scripts
for creating your own (self-signed) keys.</p>
+<p>The Administrative and Application security must be activated for the WAS security
layer to be able to intercept secured resources access requests. The local User Registry must
be properly configured and at least one group of users must be declared in the registry prior
any application installation.<br clear="none">
+At runtime, the WAS security layer will use the defined User/Group registry and the Fediz
plugin maps the roles in the SAML token to WAS groups from this registry using the specified
<em>Role to Group</em> mapper.<br clear="none">
+At deployment time, the declared J2EE security roles will need to be mapped to these groups,
either using the Administrative Console or using the WAS binding files.</p>
 
-<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR
files for its services and examples) are for development/prototyping use only.  They'll need
to be replaced for production use, at a minimum with your own self-signed keys but strongly
recommended to use third-party signed keys.</b></p>
+<h5><a shape="rect" name="FedizWebsphere-PluginInstallation"></a>Plugin
Installation</h5>
 
-<p>If you are currently just trying to run the Fediz samples, the configuration above
is all you need (the below configuration is already provided within the samples) so you can
return now to the samples' READMEs for the next steps in running them.</p>
+<p>The Fediz Websphere plugin and its dependencies must be copied in the <tt>WAS_INSTALL_ROOT&gt;/lib/ext</tt>
directory of WebSphere Application Server, on each configured Node of the Cell (including
the Deployment Manager)</p>
 
+<p>The Fediz configuration file (ex. <tt>fediz-config.xml</tt>) and the
configured truststore should be copied in a directory with read permission for the WAS runtime
user, on each configured Node of the Cell (including the Deployment Manager).<br clear="none">
+<em>Note:</em> Using a shared filesystem is recommended.</p>
 
-<h5><a shape="rect" name="FedizWebsphere-FedizPluginconfigurationforYourWebApplication"></a>Fediz
Plugin configuration for Your Web Application</h5>
+<h5><a shape="rect" name="FedizWebsphere-WebApplicationconfiguration"></a>Web
Application configuration</h5>
 
-<p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">here</a>.</p>
+<ol><li>Open the Administative Console with Administrator privileges and navigate
to Security / Global security</li><li>Ensure Application security is enabled<br
clear="none">
+ <span class="image-wrap" style=""><img src="fediz-websphere.data/GlobalSec.png"
width="800" style="border: 1px solid black"></span></li><li>Navigate
to <em>Security / Global security / Web and SIP security</em> and select <b>Trust
association</b><br clear="none">
+ <span class="image-wrap" style=""><img src="fediz-websphere.data/trust-association.png"
width="800" style="border: 1px solid black"></span></li><li>Check the
<b>Enable trust association</b> check box</li><li>Select Interceptors<br
clear="none">
+ <span class="image-wrap" style=""><img src="fediz-websphere.data/enable+trust+assoc.png"
width="800" style="border: 1px solid black"></span></li><li>Click on
New and specify the Interceptor class name as <tt>org.apache.cxf.fediz.was.tai.FedizInterceptor</tt><br
clear="none">
+ <span class="image-wrap" style=""><img src="fediz-websphere.data/create+interceptor.png"
width="800" style="border: 1px solid black"></span></li></ol>
 
-<p>The Fediz plugin requires configuring the FederationAuthenticator like any other
Valve in Tomcat. Detailed information about the Tomcat Valve concept is available <a shape="rect"
class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html">here</a>.</p>
 
-<p>A Valve can be configured on different levels like <em>Host</em> or
<em>Context</em>. The Fediz configuration file allows to configure all servlet
contexts in one file or choosing one file per Servlet Context. If you choose to have one Fediz
configuration file per Servlet Context then you must configure the FederationAuthenticator
on the <em>Context</em> level otherwise on the <em>Host</em> level
in the Tomcat configuration file <em>server.xml</em></p>
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh">Property </th><th colspan="1" rowspan="1" class="confluenceTh">Value</th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">config.file.location </td><td colspan="1"
rowspan="1" class="confluenceTd">Specify the path to the fediz-config.xml file</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">role.group.mapper </td><td colspan="1"
rowspan="1" class="confluenceTd">Specify the class of the Role to Group Mapper<br clear="none">
+<tt>org.apache.cxf.fediz.was.mapper.FileBasedRoleToGroupMapper</tt></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">groups.mapping.file </td><td colspan="1"
rowspan="1" class="confluenceTd">Specify the path to the Role - Group mapping file</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">groups.mapping.refresh.timeout </td><td
colspan="1" rowspan="1" class="confluenceTd">Specify the refresh time (in sec) to reload
the Group mapping file</td></tr></tbody></table>
+</div>
 
-<p>You can either configure the context in the server.xml or in META-INF/context.xml
as part of your WAR file.</p>
 
-<h6><a shape="rect" name="FedizWebsphere-METAINF%2Fcontext.xml"></a>META-INF/context.xml</h6>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[

-  &lt;Context&gt; 
-    &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
-      configFile="conf/Fediz_config.xml" /&gt;
-  &lt;/Context&gt; 
-]]></script>
-</div></div>
-
-<h6><a shape="rect" name="FedizWebsphere-Hostlevelinserver.xml"></a>Host
level in server.xml</h6>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[

-  &lt;Host name="localhost"  appBase="webapps"
-        unpackWARs="true" autoDeploy="true"&gt;
-    &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
-           configFile="conf/Fediz_config.xml" /&gt;
-  &lt;/Host&gt;
-]]></script>
-</div></div> 
-
-<h6><a shape="rect" name="FedizWebsphere-Contextlevelinserver.xml"></a>Context
level in server.xml</h6>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[

-  &lt;Context path="/fedizhelloworld" docBase="fedizhelloworld"&gt;
-    &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
-      configFile="conf/Fediz_config.xml" /&gt;
-  &lt;/Context&gt;
-]]></script>
-</div></div>
 
-<p>The Fediz configuration file is a Servlet container independent configuration file
and described <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">here</a></p>
 
-<h3><a shape="rect" name="FedizWebsphere-WebApplicationdeployment"></a>Web
Application deployment</h3>
 
-<p>Deploy your Web Application to your Tomcat installation (&lt;catalina.home&gt;/webapps).
 If you're running the Fediz examples, their README files will have instructions on how to
do this.</p>
+<h5><a shape="rect" name="FedizWebsphere-Fedizconfiguration"></a>Fediz
configuration</h5>
+<p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a shape="rect" href="fediz-configuration.html" title="Fediz Configuration">here</a>.</p>
 
 <h3><a shape="rect" name="FedizWebsphere-FederationMetadatadocument"></a>Federation
Metadata document</h3>
 
-<p>The Tomcat Fediz plugin supports publishing the WS-Federation Metadata document
which is described <a shape="rect" href="fediz-metadata.html" title="Fediz Metadata">here</a>.</p>
+<p>The Webpshere Fediz plugin supports publishing the WS-Federation Metadata document
which is described <a shape="rect" href="fediz-metadata.html" title="Fediz Metadata">here</a>.</p>
 
 
 </div>
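Review bot: Two of the screenshot references in the new ordered list do not match the files this commit adds. The list uses `fediz-websphere.data/enable+trust+assoc.png` and `fediz-websphere.data/create+interceptor.png`, while the Added list of the commit names `enable-trust-assoc.png` and `create-interceptor.png`, so both images will fail to load; the two `src` attributes should use `-` instead of `+`. The property table also follows the list with no sentence saying where these properties are entered (presumably as custom properties of the `FedizInterceptor` entry created in the last step). Because `groups.mapping.file` decides which groups a federated role is mapped to, the page should state that this file and the one named by `config.file.location` must be writable only by the server administrator. Typos to fix: "Administative" in the first step and "Webpshere" in the Federation Metadata paragraph.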

Modified: websites/production/cxf/content/fediz.html
==============================================================================
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Sat Sep  7 22:48:00 2013
@@ -186,7 +186,7 @@ The RP is a web application that needs t
 <p>The Fediz plugin needs to be deployed into the Relying Party (RP) container. The
security mechanism is not specified by JEE. Even though it is very similar in each servlet
container there are some differences which require a dedicated Fediz plugin for each servlet
container implementation. Most of the configuration goes into a Servlet container independent
configuration file which is described <a shape="rect" href="fediz-configuration.html" title="Fediz
Configuration">here</a></p>
 
 <p>The following lists shows the supported containers and the location of the installation
and configuration page.</p>
-<ul><li><a shape="rect" href="fediz-tomcat.html" title="Fediz Tomcat">Tomcat
7 </a></li><li><a shape="rect" href="fediz-jetty.html" title="Fediz Jetty">Jetty
7/8 (1.1 SNAPSHOT)</a></li><li><a shape="rect" href="fediz-spring.html"
title="Fediz Spring">Spring Security 3.1 (1.1 SNAPSHOT)</a></li></ul>
+<ul><li><a shape="rect" href="fediz-tomcat.html" title="Fediz Tomcat">Tomcat
7 </a></li><li><a shape="rect" href="fediz-jetty.html" title="Fediz Jetty">Jetty
7/8 (1.1 SNAPSHOT)</a></li><li><a shape="rect" href="fediz-spring.html"
title="Fediz Spring">Spring Security 3.1 (1.1 SNAPSHOT)</a></li><li><a
shape="rect" href="fediz-cxf.html" title="Fediz CXF">CXF (1.1 SNAPSHOT) </a></li></ul>
 
 
 
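Review bot: The supported-containers list gains a CXF entry but still has no entry for the WebSphere plugin, although fediz-websphere.html is rewritten in this same commit. If that page is meant to be published, add an `<li>` linking to it here so it is reachable from the overview; if it is not ready, say so in the commit log.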
@@ -201,6 +201,7 @@ The RP is a web application that needs t
 </div>
 
 
+<p><a shape="rect" href="#Fediz-building">building</a></p>
 <h2><a shape="rect" name="Fediz-Building"></a>Building</h2>
 
 <p>Check out the code from here:</p>
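Review bot: The added link targets `#Fediz-building`, but the anchor on the following line is `name="Fediz-Building"`; fragment identifiers are matched case-sensitively, so the link will not jump to the heading. Either correct the fragment to `#Fediz-Building` or drop the paragraph, since a bare "building" link directly above the Building heading looks like a leftover from the wiki export rather than intended content.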


