cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oliver Wulff (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF > Fediz Spring 2
Date Sun, 10 Nov 2013 19:50:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/de/2176/1/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Spring+2">Fediz
Spring 2</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~owulff@apache.org">Oliver
Wulff</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-changed-lines" >h1. Spring Security 2.0 Plugin
<span class="diff-changed-words">(1.1<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">
SNAPSHOT</span>)</span> <br></td></tr>
            <tr><td class="diff-unchanged" > <br>This page describes how
to enable Federation for a [Spring Security|http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/springsecurity.html]
based Web Application. Spring Security provides more authorization capabilities than defined
in the Java Servlet specification. Beyond authorizing web requests Spring Security supports
authorizing whether methods can be invoked and authorizing access to individual domain object
instances. <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="FedizSpring2-SpringSecurity2.0Plugin%281.1%29"></a>Spring
Security 2.0 Plugin (1.1)</h1>

<p>This page describes how to enable Federation for a <a href="http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/springsecurity.html"
class="external-link" rel="nofollow">Spring Security</a> based Web Application. Spring
Security provides more authorization capabilities than defined in the Java Servlet specification.
Beyond authorizing web requests Spring Security supports authorizing whether methods can be
invoked and authorizing access to individual domain object instances.</p>

<p>Spring Security supports two deployment options. On the one hand, authentication
and authorization is enforced by the underlying Servlet Container or on the other hand by
Spring Security embedded with the application. The former ensures that the application is
only called if authentication is successful. This can be controlled by an administrator/operator.
This option is called <a href="http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/preauth.html"
class="external-link" rel="nofollow">Pre-Authentication</a>. The latter gives all
the control to the application developer and removes the dependency to security configuration
in the Servlet Container. This simplifies deploying an application into different Serlvet
Container environments.</p>

<p>Both options are valid and it mainly depends on the policies/requirements within
a company which is a better fit. Questions to be answered are: Who should manage the security
enforcement (Application developer, Administrator)? Do you have to deploy the application
into different Servlet Container environments?</p>

<p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP
and STS on the Tomcat IDP instance as discussed <a href="/confluence/display/CXF/Fediz+IDP"
title="Fediz IDP">here</a>, and can view the STS WSDL at the URL given on that page.</p>

<h3><a name="FedizSpring2-Installation"></a>Installation</h3>

<p>You can either build the Fediz plugin on your own, download the package <a href="/confluence/display/CXF/Fediz+Downloads"
title="Fediz Downloads">here</a> or add the dependency to your Maven project. If
you have built the plugin on your own you'll find the required libraries in <tt>plugins/spring2/target/...zip-with-dependencies.zip</tt></p>

<p>It's recommended to use Maven to resolve all the dependencies as illustrated in the
example <em>spring2Webapp</em>. The README provides instructions for building
and deployment.</p>

<h3><a name="FedizSpring2-WebApplicationwith%22native%22SpringSecurity"></a>Web
Application with "native" Spring Security</h3>

<p>Authentication and authorization are managed by Spring Security only. The Fediz Spring
Plugin provides the implementation of WS-Federation by implementing certain Spring Security
interfaces. Finally, this results into the creation of the Spring Security Context. You can
use Spring's authorization capabilities for web requests and method calls. The example <em>spring2Webapp</em>
only illustrates authorizing web requests. Method based authorization is described <a href="http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/ns-config.html#ns-method-security"
class="external-link" rel="nofollow">here</a>.</p>

<h5><a name="FedizSpring2-FedizPluginconfigurationforYourWebApplication"></a>Fediz
Plugin configuration for Your Web Application</h5>

<p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz
Configuration">here</a>.</p>

<h5><a name="FedizSpring2-SpringSecurityConfiguration"></a>Spring Security
Configuration</h5>

<p>The following configuration snippets illustrate the Fediz related configuration.
The complete configuration file can be found in the example <em>spring2Webapp</em>.</p>

<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext-security.xml</b></div><div
class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    &lt;sec:http entry-point-ref="federationEntryPoint"&gt;
        &lt;sec:intercept-url pattern="/secure/fedservlet" access="IS_AUTHENTICATED_FULLY"/&gt;
        &lt;sec:intercept-url pattern="/secure/manager/**" access="ROLE_MANAGER"/&gt;
        &lt;sec:intercept-url pattern="/secure/admin/**" access="ROLE_ADMIN"/&gt;
        &lt;sec:intercept-url pattern="/secure/user/**" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER"/&gt;
    &lt;/sec:http&gt;


    &lt;sec:authentication-manager alias="authManager"/&gt;

    &lt;bean id="fedizConfig" class="org.apache.cxf.fediz.spring.FederationConfigImpl"
init-method="init"
        p:configFile="WEB-INF/fediz_config.xml" p:contextName="/fedizhelloworld" /&gt;

    &lt;bean id="federationEntryPoint"
        class="org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint"
        p:federationConfig-ref="fedizConfig" /&gt;
 
    &lt;bean id="federationFilter"
        class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter"
        p:authenticationManager-ref="authManager" p:defaultTargetUrl="/whatever"&gt;
        &lt;sec:custom-filter after="BASIC_PROCESSING_FILTER"/&gt;
    &lt;/bean&gt;
    
    &lt;bean id="federationAuthProvider" class="org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider"
        p:federationConfig-ref="fedizConfig"&gt;
        &lt;sec:custom-authentication-provider /&gt;
        &lt;property name="authenticationUserDetailsService"&gt;
            &lt;bean class="org.apache.cxf.fediz.spring.authentication.GrantedAuthoritiesUserDetailsFederationService"/&gt;
        &lt;/property&gt;
    &lt;/bean&gt;

</pre>
</div></div>

<p>The <em>http</em> element is the key element which depends on the other
bean definitions like <em>federationFilter</em> and the <em>federationAuthProvider</em>.
Web request authorizing is configured in the <em>http</em> element as well which
looks similar to security constraints definition in <tt>web.xml</tt>.</p>

<p>The following code snippet of the FederationServlet example illustrates how to get
access to the Spring Security Context of the current user and to the Federation releated information
like claims and login token.</p>

<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div
class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
    Authentication obj = SecurityContextHolder.getContext().getAuthentication();
    FederationAuthenticationToken fedAuthToken = (FederationAuthenticationToken)auth;
    for (GrantedAuthority item : fedAuthToken.getAuthorities()) {
        ...
    }
    
    ClaimCollection claims = ((FederationUser)fedAuthToken.getUserDetails()).getClaims();
    for (Claim c: claims) {
        ...
    }
</pre>
</div></div>


<h3><a name="FedizSpring2-FederationMetadatadocument"></a>Federation Metadata
document</h3>

<p>The Spring Security Fediz plugin supports publishing the WS-Federation Metadata document
which is described <a href="/confluence/display/CXF/Fediz+Metadata" title="Fediz Metadata">here</a>.</p>



    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;" class="grey">
                        <a href="https://cwiki.apache.org/confluence/users/removespacenotification.action?spaceKey=CXF">Stop
watching space</a>
            <span style="padding: 0px 5px;">|</span>
                <a href="https://cwiki.apache.org/confluence/users/editmyemailsettings.action">Change
email notification preferences</a>
</div>
        <a href="https://cwiki.apache.org/confluence/display/CXF/Fediz+Spring+2">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=30758602&revisedVersion=2&originalVersion=1">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message