cxf-commits mailing list archives

From "Oliver Wulff (Confluence)" <>
Subject [CONF] Apache CXF > Fediz Websphere
Date Fri, 06 Sep 2013 12:05:00 GMT
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2>Fediz Websphere</h2>
    <h4>Page <b>edited</b> by Oliver Wulff</h4>
                         <h4>Changes (2)</h4>
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>* run the maven command
            <tr><td class="diff-changed-lines" >{{mvn clean install <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">-Pwas}}</span>
<span class="diff-added-words"style="background-color: #dfd;">-Pwebsphere}}</span>
            <tr><td class="diff-changed-lines" >The Maven profile <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">{{was}}</span>
<span class="diff-added-words"style="background-color: #dfd;">{{websphere}}</span>
enforces building. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>* You&#39;ll find the
required libraries in {{plugins/websphere/target/}} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
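Review bot: the reworded sentence "The Maven profile {{websphere}} enforces building." still does not say what the profile builds; suggest "The Maven profile {{websphere}} activates the build of the Websphere plugin module", which ties it to the {{plugins/websphere/target/}} output directory named in the following unchanged line. The rename from {{-Pwas}} to {{-Pwebsphere}} is applied consistently to both the command and the explanatory sentence.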
    </div>
    <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizWebsphere-IBMWebspherePlugin"></a>IBM Websphere Plugin</h1>
<p>This page describes how to enable Federation for an IBM Websphere Application Server
(WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere
instance hosting the Fediz IDP and IDP STS WARs, but for applications that use SAML assertions
for authentication. Once this configuration is done, the Websphere RP instance will validate
the incoming SignInResponse created by the IDP server.</p>

<p>Before doing this configuration, make sure you have first deployed the Fediz IDP
and STS on a separate Servlet Container instance as discussed <a href="/confluence/display/CXF/Fediz+IDP"
title="Fediz IDP">here</a>, and that you can view the STS WSDL at the URL given on that page.
That page also provides some tips for running multiple Tomcat instances on your machine.</p>

<h3><a name="FedizWebsphere-WebsphereSecurity"></a>Websphere Security</h3>

<p>A <b>Trust Authentication Interceptor (TAI)</b> is a pluggable security
component that is installed and configured at the IBM WebSphere Application Server Cell level. As
such, every managed server in the Cell has this component installed and activated once it is
defined in the WAS Security configuration.<br/>
A TAI implements the WAS specific interface <tt></tt>.
The WAS specific API for customizing the security layer is explained in detail at the following link:</p>

<p><a href=""
class="external-link" rel="nofollow"></a></p>

<p>The Fediz Plugin for Websphere provides a TAI implementation which leverages the
<b>Fediz Core</b>.</p>

<p>The WAS security runtime supports the notion of a security session using a specific security
token called the <em>LTPA Token</em>, which is implemented as an HTTP cookie. The cookie
lifetime is specified at the WAS administrative <em>Cell</em> level, which implies
that it cannot be configured per request according to the requirements of an individual
application.<br/>
The TAI is no longer involved after login, once the LTPA Token is set, which means that a Web Application
level component must intercept each request to check the security token (e.g. SAML) lifetime
and redirect the browser back to the IDP for re-authentication.<br/>
The Fediz Websphere plugin ships a Java Servlet Filter which enforces the validity of the
security token lifetime. This Servlet Filter must be configured in the <tt>web.xml</tt> of each
Web Application module deployed on WAS.</p>
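<p>The per-request lifetime check described above, written out as an added illustrative Java servlet filter (not the Fediz plugin's own class): it assumes the TAI stored the SAML token's expiry in the HTTP session under the attribute <tt>fediz.token.expiry</tt> and that the IDP login URL is supplied as the <tt>idpLoginUrl</tt> init-param in <tt>web.xml</tt>, both assumed names.</p>

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Illustrative per-request lifetime check (assumed design, not the Fediz plugin's own
 * filter). The cell-wide LTPA cookie lifetime cannot express a per-application policy,
 * so every request is checked against the SAML token expiry kept in the HTTP session.
 */
public class TokenLifetimeFilter implements Filter {

    /** Session attribute holding the token's NotOnOrAfter as epoch millis (assumed name). */
    static final String EXPIRY_ATTR = "fediz.token.expiry";
    /** Tolerated clock skew between IDP and RP, in milliseconds. */
    static final long CLOCK_SKEW_MS = 60_000L;

    private String idpLoginUrl;   // web.xml init-param "idpLoginUrl" (assumed name)

    @Override
    public void init(FilterConfig config) throws ServletException {
        idpLoginUrl = config.getInitParameter("idpLoginUrl");
        if (idpLoginUrl == null) {
            throw new ServletException("init-param idpLoginUrl is required");
        }
    }

    /** Fail closed: a missing expiry is treated as expired, not as unlimited. */
    static boolean isExpired(Long expiryMillis, long nowMillis) {
        return expiryMillis == null || nowMillis >= expiryMillis + CLOCK_SKEW_MS;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        Long expiry = session == null ? null : (Long) session.getAttribute(EXPIRY_ATTR);
        if (isExpired(expiry, System.currentTimeMillis())) {
            if (session != null) {
                session.invalidate();   // drop the stale security session server-side
            }
            // The LTPA cookie itself stays under WAS control; the browser is sent
            // back to the IDP so that a fresh SignInResponse is issued.
            ((HttpServletResponse) resp).sendRedirect(idpLoginUrl);
            return;
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}
```

<p>Map the filter in each module's <tt>web.xml</tt> to the same URL patterns as its security constraints, so that unprotected resources are not redirected.</p>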

<h3><a name="FedizWebsphere-BuildFedizWebsphereLibrary"></a>Build Fediz
Websphere Library</h3>

<p>You have to build the Fediz plugin yourself, as it depends on IBM Websphere libraries.</p>

<ol>
	<li>Check out the Fediz sources<br/>
see <a href="/confluence/display/CXF/Fediz#Fediz-building">here</a></li>

	<li>Add the library <tt>runtime.jar</tt> of IBM Rational Application Developer
to your Maven repository (<tt>install-file</tt> also needs a <tt>groupId</tt>; use the one the Fediz pom references)<br/>
<tt>mvn install:install-file -Dfile=&lt;path-to-file&gt; -DgroupId=&lt;groupId-referenced-by-fediz-pom&gt;
-DartifactId=runtime -Dversion=7 -Dpackaging=jar</tt></li>

	<li>Run the maven command<br/>
<tt>mvn clean install -Pwebsphere</tt><br/>
The Maven profile <tt>websphere</tt> activates the build of the Websphere plugin module.</li>

	<li>You'll find the required libraries in <tt>plugins/websphere/target/</tt></li>
</ol>

<h3><a name="FedizWebsphere-Installation"></a>Installation</h3>

<h5><a name="FedizWebsphere-PreRequisites"></a>Pre-Requisites</h5>

<p>Administrative and Application security must be enabled for the WAS security
layer to be able to intercept access requests to secured resources. The local User Registry must
be properly configured, and at least one group of users must be declared in the registry before
any application is installed.<br/>
At runtime, the WAS security layer uses the defined User/Group registry, and the Fediz
plugin maps the roles in the SAML token to WAS groups from this registry using the configured
<em>Role to Group</em> mapper.<br/>
At deployment time, the declared J2EE security roles need to be mapped to these groups,
either using the Administrative Console or using the WAS binding files.</p>

<h5><a name="FedizWebsphere-PluginInstallation"></a>Plugin Installation</h5>

<p>The Fediz Websphere plugin and its dependencies must be copied into the <tt>&lt;WAS_INSTALL_ROOT&gt;/lib/ext</tt>
directory of WebSphere Application Server on each configured Node of the Cell (including
the Deployment Manager).</p>

<p>The Fediz configuration file (e.g. <tt>fediz-config.xml</tt>) and the
configured truststore should be copied into a directory readable by the WAS runtime
user, on each configured Node of the Cell (including the Deployment Manager).<br/>
<em>Note:</em> Using a shared filesystem is recommended.</p>

<h5><a name="FedizWebsphere-WebApplicationconfiguration"></a>Web Application configuration</h5>

<ol>
	<li>Open the Administrative Console with Administrator privileges and navigate to Security
/ Global security</li>
	<li>Ensure Application security is enabled<br/>
<span class="image-wrap" style=""><img src="/confluence/download/attachments/33292561/GlobalSec.png?version=1&amp;modificationDate=1378468360741"
width="800" style="border: 1px solid black" /></span></li>
	<li>Navigate to <em>Security / Global security / Web and SIP security</em>
and select <b>Trust association</b><br/>
<span class="image-wrap" style=""><img src="/confluence/download/attachments/33292561/trust-association.png?version=1&amp;modificationDate=1378468952728"
width="800" style="border: 1px solid black" /></span></li>
	<li>Check the <b>Enable trust association</b> check box</li>
	<li>Select Interceptors<br/>
<span class="image-wrap" style=""><img src="/confluence/download/attachments/33292561/enable+trust+assoc.png?version=1&amp;modificationDate=1378468780589"
width="800" style="border: 1px solid black" /></span></li>
	<li>Click on New and specify the Interceptor class name as <tt>org.apache.cxf.fediz.was.tai.FedizInterceptor</tt><br/>
<span class="image-wrap" style=""><img src="/confluence/download/attachments/33292561/create+interceptor.png?version=1&amp;modificationDate=1378469002585"
width="800" style="border: 1px solid black" /></span></li>
</ol>

<h5><a name="FedizWebsphere-Fedizconfiguration"></a>Fediz configuration</h5>
<p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz Configuration">here</a>.</p>

<h3><a name="FedizWebsphere-FederationMetadatadocument"></a>Federation Metadata document</h3>

<p>The Websphere Fediz plugin supports publishing the WS-Federation Metadata document,
which is described <a href="/confluence/display/CXF/Fediz+Metadata" title="Fediz Metadata">here</a>.</p>
