cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r904648 - in /websites/production/cxf/content: cache/docs.pageCache docs/saml-web-sso.html
Date Wed, 02 Apr 2014 11:48:01 GMT
Author: buildbot
Date: Wed Apr  2 11:48:01 2014
New Revision: 904648

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/saml-web-sso.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/saml-web-sso.html
==============================================================================
--- websites/production/cxf/content/docs/saml-web-sso.html (original)
+++ websites/production/cxf/content/docs/saml-web-sso.html Wed Apr  2 11:48:01 2014
@@ -118,21 +118,21 @@ Apache CXF -- SAML Web SSO
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">
JAX-RS: SAML Web SSO</span></p><p></p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1395395367217 {padding: 0px;}
-div.rbtoc1395395367217 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1395395367217 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><span style="font-size:2em;font-weight:bold"> JAX-RS:
SAML Web SSO</span><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
+div.rbtoc1396439258884 {padding: 0px;}
+div.rbtoc1396439258884 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1396439258884 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1395395367217">
+/*]]>*/</style></p><div class="toc-macro rbtoc1396439258884">
 <ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-Introduction">Introduction</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-TypicalFlow">Typical
Flow</a></li></ul>
 </li><li><a shape="rect" href="#SAMLWebSSO-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#SAMLWebSSO-IdentityProvider">Identity Provider</a></li><li><a
shape="rect" href="#SAMLWebSSO-ServiceProviderSecurityFilter">Service Provider Security
Filter</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-RedirectBindingFilter">Redirect
Binding Filter</a></li><li><a shape="rect" href="#SAMLWebSSO-POSTBindingFilter">POST
Binding Filter</a></li><li><a shape="rect" href="#SAMLWebSSO-SigningSAMLAuthenticationRequests">Signing
SAML Authentication Requests</a></li><li><a shape="rect" href="#SAMLWebSSO-FiltersandStateManagement">Filters
and State Management</a></li></ul>
 </li><li><a shape="rect" href="#SAMLWebSSO-RequestAssertionConsumerService">Request
Assertion Consumer Service</a>
-<ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-DealingwithsignedSAMLResponses">Dealing
with signed SAML Responses</a></li><li><a shape="rect" href="#SAMLWebSSO-SignatureKeyInfoValidation">Signature
Key Info Validation</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-DealingwithsignedSAMLResponses">Dealing
with signed SAML Responses</a></li><li><a shape="rect" href="#SAMLWebSSO-SignatureKeyInfoValidation">Signature
Key Info Validation</a></li><li><a shape="rect" href="#SAMLWebSSO-UsingRACSasEndpointFilter">Using
RACS as Endpoint Filter</a></li></ul>
 </li><li><a shape="rect" href="#SAMLWebSSO-SSOStateProvider">SSO State
Provider</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SAMLWebSSO-DistributedStateManagement">Distributed
State Management</a></li></ul>
-</li></ul>
+</li><li><a shape="rect" href="#SAMLWebSSO-LogoutService">Logout Service</a></li></ul>
 </div><h1 id="SAMLWebSSO-Introduction">Introduction</h1><p><a
shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Single_sign-on" rel="nofollow">SSO</a>
is about a user having to sign in only once when interacting with a custom web application
which may offer of a number of individual endpoints.</p><p>CXF 2.6.1 introduces
a comprehensive service provider (SP) support for the SAML Web SSO <a shape="rect" class="external-link"
href="http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf" rel="nofollow">profile</a>.
This <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/SAML_2.0"
rel="nofollow">page</a> also offers a good overview of the <a shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile" rel="nofollow">profile</a>.</p><p>HTTP
Redirect(via GET) and POST bindings are supported. The module has been tested against many
IDP providers and is easily configurable.</p><p>The followin
 g components are required to get SSO supported:</p><ul class="alternate"><li>Identity
Provider (IDP) supporting SAML SSO</li><li>Request Assertion Consumer Service
(RACS)</li><li>Service Provider Security Filter</li><li>SSO State
Provider</li></ul><p>The following sections will describe these components
in more details</p><h2 id="SAMLWebSSO-TypicalFlow">Typical Flow</h2><p>Typically,
the following flow represents the way SAML SSO is enforced:</p><p>1. User accesses
a custom application for the first time<br clear="none"> 2. Service Provider Security
Filter checks if the security context is available <br clear="none"> and redirects the
user to IDP with a SAML SSO request<br clear="none"> 3. IDP challenges the user with
the authentication dialog and redirects the user to<br clear="none"> Request Assertion
Consumer Service (RACS) after the user has authenticated<br clear="none"> 4. RACS validates
the response from IDP, establishes a security context and redirects the user <br clear="no
 ne"> to the original application endpoint<br clear="none"> 5. Service Provider Security
Filter enforces that a valid security context is available and lets the user<br clear="none">
access the custom application.</p><h1 id="SAMLWebSSO-Mavendependencies">Maven
dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
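Review bot: the two TOC entries added in this hunk (href="#SAMLWebSSO-UsingRACSasEndpointFilter" and href="#SAMLWebSSO-LogoutService") are only valid if headings with exactly those ids exist further down the page; please confirm both are present in the body hunks of this same revision so the TOC does not ship dead links. The other changes here are export noise rather than content: the title `<span>` lost its wrapping `<p>` and the empty `<p></p>` became two `<p>&#160;</p>` spacer paragraphs, and the rbtoc class suffix is just the regenerated timestamp. The "followin / g components" break is a line-wrap artefact of the archive rendering, not a change in the page.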
@@ -274,7 +274,7 @@ div.rbtoc1395395367217 li {margin-left: 
         &lt;property name=&quot;callbackHandlerClass&quot; value=&quot;org.apache.cxf.samlp.sso.SSOCallbackHandler&quot;/&gt;
 &lt;/bean&gt;
 ]]></script>
-</div></div><p>In this example the "enforceAssertionsSigned" enforcing
that signed Assertions are contained in a Response is disabled by default and RACS will only
verify that the actual Responses are signed.</p><h2 id="SAMLWebSSO-SignatureKeyInfoValidation">Signature
Key Info Validation</h2><p>By default ds:Signature is expected to contain ds:KeyInfo
element.</p><p>Setting a "keyInfoMustBeAvailable" property to false will lead
to a default store alias being used to load the certificate for validating the signature.</p><h1
id="SAMLWebSSO-SSOStateProvider">SSO State Provider</h1><p>SP Security Filters
and RACS depend on the custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/SPStateManager.java">SPStateManager</a>
implementation for persisting the current request and security context state.</p><p>CXF
ships a basic <a shape="rect" class="external-link" href="http://
 svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/MemorySPStateManager.java">MemorySPStateProvider</a>
and an <a shape="rect" class="external-link" href="http://ehcache.org/" rel="nofollow">EhCache</a>-based
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java">implementation</a>
which is memory based with an option to overflow to the disk. Users can customize the EhCache
provider or register their own custom SPStateProvider implementations if required.</p><p>For
example, by default, the EhCache provider will overflow the data to the system temp directory
and will not persist the data across restarts. The following EhCache configuration can be
used to change it:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+</div></div><p>In this example the "enforceAssertionsSigned" enforcing
that signed Assertions are contained in a Response is disabled by default and RACS will only
verify that the actual Responses are signed.</p><h2 id="SAMLWebSSO-SignatureKeyInfoValidation">Signature
Key Info Validation</h2><p>By default ds:Signature is expected to contain ds:KeyInfo
element.</p><p>Setting a "keyInfoMustBeAvailable" property to false will lead
to a default store alias being used to load the certificate for validating the signature.</p><h2
id="SAMLWebSSO-UsingRACSasEndpointFilter">Using RACS as Endpoint Filter</h2><p>As
you can see from the documentation above, RACS is typically represented as an independent
service endpoint or service bean: in such cases RACS redirects the requestor back to the the
actual endpoint.</p><p>Starting from CXF 3.0.0 it is possible to set it up as
the target endpoint filter, simply add org.apache.cxf.rs.security.saml.sso.RequestionAssertionConsumerFilter
to the list of o
 ther endpoint providers.</p><p>In this case the authentication filters do not
have to set their "assertionConsumerServiceAddress" property</p><h1 id="SAMLWebSSO-SSOStateProvider">SSO
State Provider</h1><p>SP Security Filters and RACS depend on the custom <a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/SPStateManager.java">SPStateManager</a>
implementation for persisting the current request and security context state.</p><p>CXF
ships a basic <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/state/MemorySPStateManager.java">MemorySPStateProvider</a>
and an <a shape="rect" class="external-link" href="http://ehcache.org/" rel="nofollow">EhCache</a>-based
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/sso/saml/
 src/main/java/org/apache/cxf/rs/security/saml/sso/state/EHCacheSPStateManager.java">implementation</a>
which is memory based with an option to overflow to the disk. Users can customize the EhCache
provider or register their own custom SPStateProvider implementations if required.</p><p>For
example, by default, the EhCache provider will overflow the data to the system temp directory
and will not persist the data across restarts. The following EhCache configuration can be
used to change it:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;ehcache
xsi:noNamespaceSchemaLocation=&quot;ehcache.xsd&quot; updateCheck=&quot;false&quot;
monitoring=&quot;autodetect&quot; dynamicConfig=&quot;true&quot;&gt;
 
     &lt;diskStore path=&quot;/home/username/work/ehcache&quot;/&gt;
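Review bot: the class name org.apache.cxf.rs.security.saml.sso.RequestionAssertionConsumerFilter in the new "Using RACS as Endpoint Filter" section looks like a typo ("Requestion" for "Request"); verify it against the rt/rs/security/sso/saml source tree before this is published, because readers will paste it into their provider list verbatim and get a class-not-found at startup. In the same paragraph, "back to the the actual endpoint" has a doubled word and the sentence ending with the "assertionConsumerServiceAddress" property is missing its full stop. It would also help readers to state whether the filter form of RACS performs the same response validation as the standalone endpoint (signature check, the enforceAssertionsSigned setting described just above), since the paragraph only covers the redirect difference.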
@@ -328,7 +328,7 @@ Assuming this configuration is saved in 
  &lt;/bean&gt;
 
 ]]></script>
-</div></div><p>Note that a JAX-RS Client proxy to the HTTPSPStateManager
endpoint is used as SPStateManager reference.</p><p>The alternative to having
a distributed state cache be set up is to simply have a RACS endpoint collocated with every
individual web application constituting the bigger application, see the earlier section describing
SSO filters on how this can be easily set up. One possible downside of it is that there will
be no centralized store managing the state required by different filters and RACS which in
turn can make it more difficult to audit and log all the SSO-related activities spanning across
all the bigger application.</p></div>
+</div></div><p>Note that a JAX-RS Client proxy to the HTTPSPStateManager
endpoint is used as SPStateManager reference.</p><p>The alternative to having
a distributed state cache be set up is to simply have a RACS endpoint collocated with every
individual web application constituting the bigger application, see the earlier section describing
SSO filters on how this can be easily set up. One possible downside of it is that there will
be no centralized store managing the state required by different filters and RACS which in
turn can make it more difficult to audit and log all the SSO-related activities spanning across
all the bigger application.</p><p>&#160;</p><h1 id="SAMLWebSSO-LogoutService">Logout
Service</h1><p>&#160;</p><p>CXF 3.0.0 introduces <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/LogoutService.java;h=048f7c11ccc5f8dd8fd243e4b8344901420d6652;hb
 =HEAD">LogoutService</a>. It will remove the SSO state for the logged-in user, and
can be registered as an independent endpoint or service bean.</p><p>It returns
LogoutResponse bean which is expected to be processed by the View handler.</p><p>For
example, one can imagine a user getting HTML page confirming the logout has been successful
and linking to the application front page.</p><p>&#160;</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
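Review bot: the new "Logout Service" section has no configuration example, while every other component on this page is shown as a bean definition (the `</bean>` context above); a short snippet registering LogoutService next to the RACS bean and showing how the returned LogoutResponse reaches the View handler would make the section usable. It would also be worth saying whether removing "the SSO state for the logged-in user" is SP-local only, i.e. whether the IDP session is left in place, since that determines whether the user is really logged out across the other endpoints. Minor: "It returns LogoutResponse bean" is missing an article ("a LogoutResponse bean"), and the three `<p>&#160;</p>` spacer paragraphs around the heading are export noise that could be dropped.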