cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r908118 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-saml.html docs/secure-jax-rs-services.html
Date Mon, 05 May 2014 16:46:51 GMT
Author: buildbot
Date: Mon May  5 16:46:51 2014
New Revision: 908118

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-saml.html
    websites/production/cxf/content/docs/secure-jax-rs-services.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-saml.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-saml.html (original)
+++ websites/production/cxf/content/docs/jax-rs-saml.html Mon May  5 16:46:51 2014
@@ -118,48 +118,24 @@ Apache CXF -- JAX-RS SAML
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p></p><p></p><p><span style="font-size:2em;font-weight:bold"> JAX-RS: SAML </span></p><p></p><p></p><p></p>
+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;</p><span style="font-size:2em;font-weight:bold"> JAX-RS: SAML </span><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1399308383650 {padding: 0px;}
+div.rbtoc1399308383650 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1399308383650 li {margin-left: 0px;padding-left: 0px;}
 
-
-<style type="text/css">/*<![CDATA[*/
-div.rbtoc1396468207951 {padding: 0px;}
-div.rbtoc1396468207951 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1396468207951 li {margin-left: 0px;padding-left: 0px;}
-
-/*]]>*/</style><div class="toc-macro rbtoc1396468207951">
+/*]]>*/</style></p><div class="toc-macro rbtoc1399308383650">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSSAML-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSSAML-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in Authorization header</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsasFormvalues">SAML assertions as Form values</a></li><li><a shape="rect" href="#JAX-RSSAML-CreatingSAMLAssertions">Creating SAML Assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAuthorization">SAML Authorization</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSSAML-ClaimsBasedAccessControl">Claims Based Access Control</a></li><li><a shape="rect" href="#JAX-RSSAML-RoleBasedAccessControl">Role Based Access Control</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSSAML-SAMLWebSSOProfile">SAML Web SSO Profile</a></li></ul>
-</div>
-
-<h1 id="JAX-RSSAML-Introduction">Introduction</h1>
-
-<p>CXF 2.5.0 introduces an initial support for working with <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/SAML_2.0" rel="nofollow">SAML2</a> assertions. So far the main focus has been put on making sure SAML assertions can be included in HTTP requests targeted at application endpoints: embedded inside XML payloads or passed as encoded HTTP header or form values.</p>
-
-<p>See also <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a>.</p>
-
-<h1 id="JAX-RSSAML-Mavendependencies">Maven dependencies</h1>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;dependency&gt;
+</div><h1 id="JAX-RSSAML-Introduction">Introduction</h1><p>CXF 2.5.0 introduces an initial support for working with <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/SAML_2.0" rel="nofollow">SAML2</a> assertions. So far the main focus has been put on making sure SAML assertions can be included in HTTP requests targeted at application endpoints: embedded inside XML payloads or passed as encoded HTTP header or form values.</p><p>See also <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a>.</p><h1 id="JAX-RSSAML-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-xml&lt;/artifactId&gt;
   &lt;version&gt;2.5.0&lt;/version&gt;
 &lt;/dependency&gt;
 ]]></script>
-</div></div>
-
-<p>This module depends on CXF WS-Security and Apache WSS4J modules, due to them containing a lot of useful utility code.<br clear="none">
-We will see in time if it will make sense to exclude such dependencies or not. </p>
-
-<h1 id="JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML assertions</h1>
-
-<p>Payload:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;env:Envelope xmlns:env=&quot;http://org.apache.cxf/rs/env&quot;&gt;
+</div></div><p>This module depends on CXF WS-Security and Apache WSS4J modules, due to them containing a lot of useful utility code.<br clear="none"> We will see in time if it will make sense to exclude such dependencies or not.</p><h1 id="JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML assertions</h1><p>Payload:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;env:Envelope xmlns:env=&quot;http://org.apache.cxf/rs/env&quot;&gt;
 
 &lt;Book ID=&quot;67ca6441-0c4e-4430-af0e-9463ce9226aa&quot;&gt;
   &lt;id&gt;125&lt;/id&gt;
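Review bot: the regenerated markup at the `<div id="ConfluenceContent">` line now nests the `<style>` element inside a `<p>` (opened with `<p><style type="text/css">` and closed with `/*]]>*/</style></p>`), which is not valid HTML since a paragraph only permits phrasing content; browsers recover by implicitly closing the paragraph, but the page would be cleaner with the `<style>` block (and the `<span>` page title, which is now outside any `<p>`) emitted as block-level siblings. Separately, the TOC class changes from `rbtoc1396468207951` to `rbtoc1399308383650` because the exporter embeds a timestamp in the class name, so every production publish rewrites these lines even when nothing in the document changed; a stable class name would keep these diffs to real content changes.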
@@ -225,16 +201,8 @@ We will see in time if it will make sens
 &lt;/saml2:Assertion&gt;
 &lt;/env:Envelope&gt;
 ]]></script>
-</div></div>
-
-<p>Note that Book and SAML assertion are individually signed but the envelope wrapper itself is not.</p>
-
-
-<p>Here is another payload showing the whole enveloped signed including Book and SAML Assertion, this time only a single signature will be available:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;env:Envelope xmlns:env=&quot;http://org.apache.cxf/rs/env&quot; ID=&quot;e795cdd1-c19d-4a5c-8d86-e8a781af4787&quot;&gt;
+</div></div><p>Note that Book and SAML assertion are individually signed but the envelope wrapper itself is not.</p><p>Here is another payload showing the whole enveloped signed including Book and SAML Assertion, this time only a single signature will be available:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;env:Envelope xmlns:env=&quot;http://org.apache.cxf/rs/env&quot; ID=&quot;e795cdd1-c19d-4a5c-8d86-e8a781af4787&quot;&gt;
 
 &lt;saml2:Assertion xmlns:saml2=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; ID=&quot;_C76E3D5BBEE4C4D87913203281641141&quot; IssueInstant=&quot;2011-11-03T13:49:24.114Z&quot; Version=&quot;2.0&quot; xsi:type=&quot;saml2:AssertionType&quot;&gt;
 &lt;saml2:Issuer&gt;https://idp.example.org/SAML2&lt;/saml2:Issuer&gt;
@@ -269,12 +237,8 @@ We will see in time if it will make sens
 
 &lt;ds:Signature xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt;&lt;ds:SignedInfo&gt;&lt;ds:CanonicalizationMethod Algorithm=&quot;http://www.w3.org/TR/2001/REC-xml-c14n-20010315&quot;/&gt;&lt;ds:SignatureMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;&lt;ds:Reference URI=&quot;#e795cdd1-c19d-4a5c-8d86-e8a781af4787&quot;&gt;&lt;ds:Transforms&gt;&lt;ds:Transform Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#enveloped-signature&quot;/&gt;&lt;ds:Transform Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/&gt;&lt;/ds:Transforms&gt;&lt;ds:DigestMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/&gt;&lt;ds:DigestValue&gt;GR1pHd2JpxYiCzl6ouCmTZjq/AA=&lt;/ds:DigestValue&gt;&lt;/ds:Reference&gt;&lt;/ds:SignedInfo&gt;&lt;ds:SignatureValue&gt;C2qUDOFwart2GHFjX6kB3E3z73AMXtRR/6Qjgyp6XP/vTn/Fr2epDNub3q+gNdT0KgjLE2rSynM3QTcpHov9C8l9a8VQquItaalr0XA7BJcxdFMxB7KEATKR9XtrmIEkiw9efM8M83iVux/ufCOWrt0Te2RLz+nRwzyEY49VQOQ=&lt;/ds:S
 ignatureValue&gt;&lt;ds:KeyInfo&gt;&lt;ds:X509Data&gt;&lt;ds:X509Certificate&gt;&lt;!-- Omitted for brewity --&gt;&lt;/ds:X509Certificate&gt;&lt;/ds:X509Data&gt;&lt;ds:KeyValue&gt;&lt;ds:RSAKeyValue&gt;&lt;ds:Modulus&gt;vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=&lt;/ds:Modulus&gt;&lt;ds:Exponent&gt;AQAB&lt;/ds:Exponent&gt;&lt;/ds:RSAKeyValue&gt;&lt;/ds:KeyValue&gt;&lt;/ds:KeyInfo&gt;&lt;/ds:Signature&gt;&lt;/env:Envelope&gt;
 ]]></script>
-</div></div>
-
-<p>Server configuration fragment:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
+</div></div><p>Server configuration fragment:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[    &lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
     &lt;bean id=&quot;samlHandler&quot; class=&quot;org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler&quot;/&gt;
     
     &lt;!-- only needed if the detached signature signing the application data is expected --&gt; 
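Review bot: the unchanged context line containing `&lt;!-- Omitted for brewity --&gt;` carries a typo ("brevity") that survives this regeneration and is worth fixing at the source page. The same signature example advertises `xmldsig#rsa-sha1` and `xmldsig#sha1` as the signature and digest algorithms; since readers tend to copy such fragments, the page could state that these values are illustrative for a 2011-era capture and that SHA-2 based algorithm identifiers should be used in new deployments.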
@@ -298,12 +262,8 @@ We will see in time if it will make sens
         
     &lt;/jaxrs:server&gt;
 ]]></script>
-</div></div>
-
-<p>Client code:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-private WebClient createWebClient(String address, 
+</div></div><p>Client code:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String address, 
                                   boolean selfSigned) {
   JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
   bean.setAddress(address);
@@ -329,39 +289,19 @@ private WebClient createWebClient(String
   return bean.createWebClient();
 }
 ]]></script>
-</div></div>
-
-<p>In the above code, the "ws-security.self-sign-saml-assertion" property, if set to true, will require SamlEnvelopedOutInterceptor to get a SAML assertion self-signed, by adding an enveloped signature to it. When we also need to sign the application payload such as Book we need to make sure that a detached XML signature for Book is created. When the whole envelope is signed then SamlEnvelopedOutInterceptor needs to be placed before XmlSigOutInterceptor hence the "new SamlEnvelopedOutInterceptor(!selfSigned)" constructor is invoked.</p>
-
-<h1 id="JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in Authorization header</h1>
-
-<p>Logging output:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-Address: https://localhost:9000/samlheader/bookstore/books/123
+</div></div><p>In the above code, the "ws-security.self-sign-saml-assertion" property, if set to true, will require SamlEnvelopedOutInterceptor to get a SAML assertion self-signed, by adding an enveloped signature to it. When we also need to sign the application payload such as Book we need to make sure that a detached XML signature for Book is created. When the whole envelope is signed then SamlEnvelopedOutInterceptor needs to be placed before XmlSigOutInterceptor hence the "new SamlEnvelopedOutInterceptor(!selfSigned)" constructor is invoked.</p><h1 id="JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in Authorization header</h1><p>Logging output:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[Address: https://localhost:9000/samlheader/bookstore/books/123
 Http-Method: GET
 Headers: {Accept=[application/xml], Authorization=[SAML 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
 3m2xvkV9CuihJs1TpN4PcnlW6MPWD772XO4BXxHNdaHPnwnI3XgYxOiyV6xlMYt7P9aTJnqBzOLIk/no3Ve8k7afmmFyDyU8OlJP6XHuIXxKdpdrPV5njlxkehg4sDb7ZXj9zJv/7C/tUTd9Z+WGFiv5Z4LPO8rn9hz5eSH8X9R+j3ONJZFNu/b8Ej59cwY1CFiLtLmYCfmXvhdIgyKXENBh7ubfCmvq9/El7/AXoseyE=], ...}
 ]]></script>
-</div></div>
-
-<p>Note that the Authorization header has an encoded SAML Assertion as its value. The original SAML assertion has been optionally compressed using a deflated encoding and then base64-encoded. This encoded value can be signed itself - but it is not currently possible.</p>
-
-<p>Server configuration is similar to the one from the Enveloped SAML Assertions section, the only difference is that a SAML handler needs to be replaced:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
+</div></div><p>Note that the Authorization header has an encoded SAML Assertion as its value. The original SAML assertion has been optionally compressed using a deflated encoding and then base64-encoded. This encoded value can be signed itself - but it is not currently possible.</p><p>Server configuration is similar to the one from the Enveloped SAML Assertions section, the only difference is that a SAML handler needs to be replaced:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[    &lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
     &lt;bean id=&quot;samlHandler&quot; class=&quot;org.apache.cxf.rs.security.saml.SamlHeaderInHandler&quot;/&gt;
     
     &lt;!-- same as in the Enveloped SAML Assertions section --&gt; 
 ]]></script>
-</div></div>
-
-<p>Client code:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-private WebClient createWebClient(String address, 
+</div></div><p>Client code:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String address, 
                                   boolean selfSigned) {
   JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
   bean.setAddress(address);
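Review bot: the sentence "This encoded value can be signed itself - but it is not currently possible." in the regenerated paragraph after the logging output contradicts itself in one breath; suggest "This encoded value could in principle be signed as well, but that is not yet supported." The preceding paragraph on `ws-security.self-sign-saml-assertion` is also hard to follow; splitting it so that the ordering rule (SamlEnvelopedOutInterceptor before XmlSigOutInterceptor when the whole envelope is signed, hence `new SamlEnvelopedOutInterceptor(!selfSigned)`) is stated on its own would help readers who only skim the client code.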
@@ -384,70 +324,25 @@ private WebClient createWebClient(String
   return bean.createWebClient();
 }
 ]]></script>
-</div></div>
-
-
-<h1 id="JAX-RSSAML-SAMLassertionsasFormvalues">SAML assertions as Form values</h1>
-
-<p>Logging output:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-Address: https://localhost:9000/samlform/bookstore/books
+</div></div><h1 id="JAX-RSSAML-SAMLassertionsasFormvalues">SAML assertions as Form values</h1><p>Logging output:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[Address: https://localhost:9000/samlform/bookstore/books
 Encoding: ISO-8859-1
 Http-Method: POST
 Content-Type: application/x-www-form-urlencoded
 Headers: {Accept=[application/xml], Cache-Control=[no-cache], connection=[keep-alive], Content-Length=[2206], content-type=[application/x-www-form-urlencoded], Host=[localhost:9000], Pragma=[no-cache], User-Agent=[Apache CXF ${project.version}]}
 Payload: name=CXF&amp;id=125&amp;SAMLToken=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
 XoIR4tUwT9P1KpReTCNj+ocwZMiKe7rUaRz46ZePlQcbHwRI/kVeYtLPt8WXOcPk4N2jy8WwC7yUHGvqWF2D6E+FcEv8Lh/qF8fE1u5pqczJyk6XQIcVBJttLRG7sX35R/xqJG28/vLBIXEs+0DqN61/486XlR3H/Efstueksiu3f9+Be8+s1E1KFSLpLmYCfmXvWdKgyKUkNBh7pbeiqvi9/El7+Adcbfqw=
 ]]></script>
-</div></div>
-
-<p>Note that only form 'name' and 'id' fields will remain after the SAML handler processes a SAML assertion encoded in the SAMLToken form field. The original SAML assertion has been optionally compressed using a deflated encoding and then base64-encoded. This encoded value can be signed - but it is not currently possible.</p>
-
-<p>Server configuration is similar to the one from the Enveloped SAML Assertions section, the only difference is that a SAML handler needs to be replaced:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
+</div></div><p>Note that only form 'name' and 'id' fields will remain after the SAML handler processes a SAML assertion encoded in the SAMLToken form field. The original SAML assertion has been optionally compressed using a deflated encoding and then base64-encoded. This encoded value can be signed - but it is not currently possible.</p><p>Server configuration is similar to the one from the Enveloped SAML Assertions section, the only difference is that a SAML handler needs to be replaced:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[    &lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
     &lt;bean id=&quot;samlHandler&quot; class=&quot;org.apache.cxf.rs.security.saml.SamlFormInHandler&quot;/&gt;
     
     &lt;!-- same as in the Enveloped SAML Assertions section --&gt; 
 ]]></script>
-</div></div>
-
-<p>The client code is the same as in the SAML assertions in Authorization header section except than an instance of SamlFormOutInterceptor has to be registered: </p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-bean.getOutInterceptors().add(new SamlFormOutInterceptor());
+</div></div><p>The client code is the same as in the SAML assertions in Authorization header section except than an instance of SamlFormOutInterceptor has to be registered:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[bean.getOutInterceptors().add(new SamlFormOutInterceptor());
 ]]></script>
-</div></div>
-
-<h1 id="JAX-RSSAML-CreatingSAMLAssertions">Creating SAML Assertions</h1>
-
-<p>If you use CXF JAX-RS client API to experiment with SAML then all you need to do is to register an appropriate out interceptor as shown in the above code fragments. The interceptor will ensure that a SAML assertion is created and added inside the XML envelope, as a form or HTTP header value.<br clear="none">
-All of the SAML output interceptors depend on a "ws-security.saml-callback-handler" property linking to a custom javax.security.auth.callback.Callback implementation which in its handle(Callbacks) method provides the information which is needed to create a SAML assertion to a org.apache.ws.security.saml.ext.SAMLCallback Callback instance, for example, see this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java">custom implementation</a>.</p>
-
-<p>More involved cases with SAML assertions being created by identity providers will be supported, with the help of CXF (WS) STSClient when needed.</p>
-
-<h1 id="JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</h1>
-
-<p>When SAML assertions are received on the server side, they are validated to make sure that the enveloped signatures are correct. SubjectConfirmation methods (sender-vouches, holder-of-key, bearer) are also checked. <br clear="none">
-The validation can be delegated to STS if needed. By default, server side SAML handlers have a "samlValidator" property set to an instance of org.apache.ws.security.validate.SamlAssertionValidator which does a thorough validation of the assertion. If needed org.apache.cxf.ws.security.trust.STSSamlAssertionValidator can be set instead which will use STS to validate the assertion.<br clear="none">
-Custom validators extending WSS4J SamlAssertionValidator and doing the additional application-specific validation can be registered if needed.</p>
-
-<p>Note the fact that the default validation relies a lot on the code heavily utilized by the WS-Security implementation should be of no concern - it is an example of the integration on its own in order to get the validation done. For example, WS-* STS are heavily used in the enterprise today and it simply makes a complete sense to rely on it to validate a SAML assertion if it is possible.</p>
-
-<p>SubjectConfirmation sender-vouches and holder-of-key methods can be easily validated with enveloped SAML assertions given that the embedded SAML signatures and key info can be checked against the signature used to sign the envelope or a custom payload like Book.</p>
-
-<p>At the moment these methods can not be properly validated when the assertion is provided in a header or in the form, the additional signature signing the encoded SAML token will be needed - this will be supported in due time. Use "bearer" in those cases.</p>
-
-<h1 id="JAX-RSSAML-SAMLAuthorization">SAML Authorization</h1>
-
-<p>SAML assertions may contain so-called claims which are represented by a sequence of SAML AttributeStatements containing one or more Attributes, for example:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;saml2:Assertion&gt;
+</div></div><h1 id="JAX-RSSAML-CreatingSAMLAssertions">Creating SAML Assertions</h1><p>If you use CXF JAX-RS client API to experiment with SAML then all you need to do is to register an appropriate out interceptor as shown in the above code fragments. The interceptor will ensure that a SAML assertion is created and added inside the XML envelope, as a form or HTTP header value.<br clear="none"> All of the SAML output interceptors depend on a "ws-security.saml-callback-handler" property linking to a custom javax.security.auth.callback.Callback implementation which in its handle(Callbacks) method provides the information which is needed to create a SAML assertion to a org.apache.ws.security.saml.ext.SAMLCallback Callback instance, for example, see this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java">custom implementation</a>.</p><p>More involved 
 cases with SAML assertions being created by identity providers will be supported, with the help of CXF (WS) STSClient when needed.</p><h1 id="JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</h1><p>When SAML assertions are received on the server side, they are validated to make sure that the enveloped signatures are correct. SubjectConfirmation methods (sender-vouches, holder-of-key, bearer) are also checked. <br clear="none"> The validation can be delegated to STS if needed. By default, server side SAML handlers have a "samlValidator" property set to an instance of org.apache.ws.security.validate.SamlAssertionValidator which does a thorough validation of the assertion. If needed org.apache.cxf.ws.security.trust.STSTokenValidator can be set instead which will use STS to validate the assertion.<br clear="none"> Custom validators extending WSS4J SamlAssertionValidator and doing the additional application-specific validation can be registered if needed.</p><p>Note the fact
  that the default validation relies a lot on the code heavily utilized by the WS-Security implementation should be of no concern - it is an example of the integration on its own in order to get the validation done. For example, WS-* STS are heavily used in the enterprise today and it simply makes a complete sense to rely on it to validate a SAML assertion if it is possible.</p><p>SubjectConfirmation sender-vouches and holder-of-key methods can be easily validated with enveloped SAML assertions given that the embedded SAML signatures and key info can be checked against the signature used to sign the envelope or a custom payload like Book.</p><p>At the moment these methods can not be properly validated when the assertion is provided in a header or in the form, the additional signature signing the encoded SAML token will be needed - this will be supported in due time. Use "bearer" in those cases.</p><h1 id="JAX-RSSAML-SAMLAuthorization">SAML Authorization</h1><p>SAML assertions may con
 tain so-called claims which are represented by a sequence of SAML AttributeStatements containing one or more Attributes, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;saml2:Assertion&gt;
  &lt;!-- ... --&gt;
  &lt;saml2:AttributeStatement&gt;
     &lt;saml2:Attribute NameFormat=&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims&quot;
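Review bot: this hunk changes the recommended STS-backed validator from `org.apache.cxf.ws.security.trust.STSSamlAssertionValidator` to `org.apache.cxf.ws.security.trust.STSTokenValidator` in the SAML Assertion Validation paragraph, which is a content change rather than the formatting churn the rest of the diff consists of; it deserves a mention in the commit log (or a confirmation that the older class name no longer exists) so that users who configured the "samlValidator" property from the previous page know to update it. Minor wording in the same region: "except than an instance of SamlFormOutInterceptor" should read "except that an instance", "makes a complete sense" should read "makes complete sense", and "can not" should read "cannot". Given the closing advice to use "bearer" confirmation when the assertion travels in a header or form field, the page could also remind readers that a bearer assertion is then protected only by the transport, which is why the logged addresses are https.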
@@ -463,22 +358,8 @@ Custom validators extending WSS4J SamlAs
  &lt;!-- ... --&gt;
 &lt;/saml2:Assertion&gt;
 ]]></script>
-</div></div>
-
-<p>An individual claim is scoped by NameFormat and Name attribute. NameFormat is similar to a namespace, while Name identifies what the value of this claim represents, for example, in the above fragment two claims are provided, one has a value "user" which represents a role of the assertion's Subject, another one has a value of "password" which identifies the way Subject authenticated itself, i.e, Subject provided its password (presumably to IDP).</p>
-
-<p>Now, what is interesting is to see if it is possible to use these claims with Role-Based Access-Control (for example, with endpoints relying on @RolesAllowed annotations) as well as with the more complex authorization logic (for example, let this resource be invoked only if Subject used a password to get authenticated at IDP).</p>
-
-<h2 id="JAX-RSSAML-ClaimsBasedAccessControl">Claims Based Access Control</h2>
-
-<p>CXF JAX-RS offers an extension letting users to enforce a new fine-grained Claims Based Access Control (CBAC) based on <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/claims/authorization/Claim.java">Claim</a> and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/claims/authorization/Claims.java">Claims</a> annotations as well as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/claims/authorization/ClaimMode.java">ClaimMode</a> enum class.   </p>
-
-<p><strong>Note</strong> a package for Claim, Claims and ClaimMode annotations has changed from "org.apache.cxf.rs.security.saml.authorization" to "org.apache.cxf.security.claims.authorization". Starting from CXF 2.7.1, the default name format for claims is "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" instead of "http://schemas.xmlsoap.org/ws/2005/05/identity/claims".</p>
-
-<p>Here is a simple code fragment:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-import org.apache.cxf.rs.security.saml.authorization.Claim;
+</div></div><p>An individual claim is scoped by NameFormat and Name attribute. NameFormat is similar to a namespace, while Name identifies what the value of this claim represents, for example, in the above fragment two claims are provided, one has a value "user" which represents a role of the assertion's Subject, another one has a value of "password" which identifies the way Subject authenticated itself, i.e, Subject provided its password (presumably to IDP).</p><p>Now, what is interesting is to see if it is possible to use these claims with Role-Based Access-Control (for example, with endpoints relying on @RolesAllowed annotations) as well as with the more complex authorization logic (for example, let this resource be invoked only if Subject used a password to get authenticated at IDP).</p><h2 id="JAX-RSSAML-ClaimsBasedAccessControl">Claims Based Access Control</h2><p>CXF JAX-RS offers an extension letting users to enforce a new fine-grained Claims Based Access Control (CBAC) based
  on <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/claims/authorization/Claim.java">Claim</a> and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/claims/authorization/Claims.java">Claims</a> annotations as well as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/claims/authorization/ClaimMode.java">ClaimMode</a> enum class.</p><p><strong>Note</strong> a package for Claim, Claims and ClaimMode annotations has changed from "org.apache.cxf.rs.security.saml.authorization" to "org.apache.cxf.security.claims.authorization". Starting from CXF 2.7.1, the default name format for claims is "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" instead of "http://schemas.xmlsoap.org/ws/2005/05/identity/claims".</p><p>Here is a simple code fragment:</p><di
 v class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[import org.apache.cxf.rs.security.saml.authorization.Claim;
 import org.apache.cxf.rs.security.saml.authorization.Claims;
 
 @Path(&quot;/bookstore&quot;)
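Review bot: the first Claims code fragment still imports the old package, `import org.apache.cxf.rs.security.saml.authorization.Claim;` and `import org.apache.cxf.rs.security.saml.authorization.Claims;`, while the Note paragraph directly above it says these annotations moved to "org.apache.cxf.security.claims.authorization", and the later fragments on the page already use the new package. Suggest changing both imports to `org.apache.cxf.security.claims.authorization.Claim` and `.Claims` so readers copying the first snippet do not pick up the deprecated package. Minor wording in the same hunk: "i.e, Subject" should read "i.e., Subject", and "letting users to enforce" should be "letting users enforce".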
@@ -500,17 +381,8 @@ public class SecureClaimBookStore {
     
 }
 ]]></script>
-</div></div>
-
-<p>SecureClaimBookStore.addBook(Book) can only be invoked if Subject meets the following requirement: it needs to have a Claim with a value "admin" and another Claim confirming that it got authenticated using either a 'fingertip' or 'smartcard' method. Note that @Claim({"admin"}) has no name and format classifiers set - it relies on default name and format values, namely "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" and "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims" before CXF 2.7.1) respectively. These default values may change in the future depending on which claims are found to be used most often - but as you can see you can always provide name and format values which will scope a given claim value.</p>
-
-
-
-<p>Note that in the above example, a Claim with the name "http://claims/authentication-format" has two values, 'fingertip' and 'smartcard'. By default, in order to meet this Claim, Subject needs to have a Claim which has either a 'fingertip' or 'smartcard' value. If it is expected that Subject needs to have a Claim which has both 'fingertip' and 'smartcard' values, then the following change needs to be done:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-import org.apache.cxf.security.claims.authorization.Claim;
+</div></div><p>SecureClaimBookStore.addBook(Book) can only be invoked if Subject meets the following requirement: it needs to have a Claim with a value "admin" and another Claim confirming that it got authenticated using either a 'fingertip' or 'smartcard' method. Note that @Claim({"admin"}) has no name and format classifiers set - it relies on default name and format values, namely "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" and "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims" before CXF 2.7.1) respectively. These default values may change in the future depending on which claims are found to be used most often - but as you can see you can always provide name and format values which will scope a given claim value.</p><p>Note that in the above example, a Claim with the name "http://claims/authentication-format" has two values, 'fingertip' and 'smartcard'. By default, in order to meet this Claim, Subjec
 t needs to have a Claim which has either a 'fingertip' or 'smartcard' value. If it is expected that Subject needs to have a Claim which has both 'fingertip' and 'smartcard' values, then the following change needs to be done:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[import org.apache.cxf.security.claims.authorization.Claim;
 import org.apache.cxf.security.claims.authorization.Claims;
 
 @Path(&quot;/bookstore&quot;)
@@ -533,13 +405,8 @@ public class SecureClaimBookStore {
     
 }
 ]]></script>
-</div></div>
-
-<p>Claims can be specified using individual @Claim annotation, they can be set at the class level and overridden at the method level and finally a lax mode of check can be specified:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-import org.apache.cxf.security.claims.authorization.Claim;
+</div></div><p>Claims can be specified using individual @Claim annotation, they can be set at the class level and overridden at the method level and finally a lax mode of check can be specified:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[import org.apache.cxf.security.claims.authorization.Claim;
 import org.apache.cxf.security.claims.authorization.Claims;
 
 @Path(&quot;/bookstore&quot;)
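Review bot: the sentence introducing the third fragment runs three clauses together: "Claims can be specified using individual @Claim annotation, they can be set at the class level and overridden at the method level and finally a lax mode of check can be specified". Suggest "Claims can be specified using individual @Claim annotations; they can be set at the class level and overridden at the method level, and a lax mode of checking can also be specified", so the three capabilities the fragment demonstrates are clearly separated.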
@@ -578,40 +445,11 @@ public class SecureClaimBookStore {
     
 }
 ]]></script>
-</div></div>
-
-<p>In the above example, getBookList() can be invoked if Subject has a Claim with the value "user"; addBook() has it overridden - "admin" is expected and the authentication format Claim too; getBook() can be invoked if Subject has a Claim with the value "user" and it also must have the authentication format Claim with the value "password" - or no such Claim at all.    </p>
-
-<p>org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingInterceptor enforces the CBAC rules. This filter can be overridden and configured with the rules directly which can be useful if no Claim-related annotations are expected in the code.  Map nameAliases and formatAliases properties are supported to make @Claim annotations look a bit simpler, for example:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-@Claim(name = &quot;auth-format&quot;, format = &quot;authentication&quot;, value = {&quot;password&quot; })
+</div></div><p>In the above example, getBookList() can be invoked if Subject has a Claim with the value "user"; addBook() has it overridden - "admin" is expected and the authentication format Claim too; getBook() can be invoked if Subject has a Claim with the value "user" and it also must have the authentication format Claim with the value "password" - or no such Claim at all.</p><p>org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingInterceptor enforces the CBAC rules. This filter can be overridden and configured with the rules directly which can be useful if no Claim-related annotations are expected in the code. Map nameAliases and formatAliases properties are supported to make @Claim annotations look a bit simpler, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[@Claim(name = &quot;auth-format&quot;, format = &quot;authentication&quot;, value = {&quot;password&quot; })
 ]]></script>
-</div></div>
-
-<p>where "auth-format" and "authentication" are aliases for "http://claims/authentication-format" and "http://claims/authentication" respectively.</p>
-
-
-<p>Given the above example, the question is how to extract the information available in a SAML Assertion for the current request to succeed in passing through the security filter enforcing the CBAC rules.</p>
-
-<p>The first and most important thing which needs to be done is to verify that an assertion Subject can be mapped to a recognized identity instance.</p>
-
-<p>There is a number of ways a Subject can be validated.</p>
-
-<p>If STS is asked to validate the assertion then a successful response from IDP will likely be good enough for CXF to trust the identity of the provider.<br clear="none">
-If the assertion signature is verified locally using the public key of IDP then it could a good enough confirmation too.</p>
-
-<p>Alternatively, a custom validator, extending either org.apache.ws.security.validate.SamlAssertionValidator or CXF SAML <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java">SecurityContextProvider</a> <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java">implementation</a> can be registered with the server side SAML handler. </p>
-
-<p>The latter option is preferred because not only one can validate Subject - but also ensure that a resulting SecurityContext will return a user Principal with a proper name - given that the actual Subject name available in the assertion may need to be translated to a name recognized by the local security stores or application. A combination of the assertion's Subject and AttributeStatement elements may need to be checked to establish a real name.</p>
-
-<p>In cases like this you may want to register a custom SecurityContextProvider even if you have STS validating the assertion. Yet another reason is to retrieve the information about roles for a given Subject or map the assertion claims to roles for working with the RBAC to succeed, see the next section for more information.</p>
-
-<p>Have a look please at this server configuration example:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-
-&lt;bean id=&quot;serviceBeanClaims&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.saml.SecureClaimBookStore&quot;/&gt;
+</div></div><p>where "auth-format" and "authentication" are aliases for "http://claims/authentication-format" and "http://claims/authentication" respectively.</p><p>Given the above example, the question is how to extract the information available in a SAML Assertion for the current request to succeed in passing through the security filter enforcing the CBAC rules.</p><p>The first and most important thing which needs to be done is to verify that an assertion Subject can be mapped to a recognized identity instance.</p><p>There is a number of ways a Subject can be validated.</p><p>If STS is asked to validate the assertion then a successful response from IDP will likely be good enough for CXF to trust the identity of the provider.<br clear="none"> If the assertion signature is verified locally using the public key of IDP then it could a good enough confirmation too.</p><p>Alternatively, a custom validator, extending either org.apache.ws.security.validate.SamlAssertionValidator or CXF SA
 ML <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java">SecurityContextProvider</a> <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java">implementation</a> can be registered with the server side SAML handler.</p><p>The latter option is preferred because not only one can validate Subject - but also ensure that a resulting SecurityContext will return a user Principal with a proper name - given that the actual Subject name available in the assertion may need to be translated to a name recognized by the local security stores or application. A combination of the assertion's Subject and AttributeStatement elements may need to be checked to establish a real name.</p><p>In cases like this you may want to reg
 ister a custom SecurityContextProvider even if you have STS validating the assertion. Yet another reason is to retrieve the information about roles for a given Subject or map the assertion claims to roles for working with the RBAC to succeed, see the next section for more information.</p><p>Have a look please at this server configuration example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;bean id=&quot;serviceBeanClaims&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.saml.SecureClaimBookStore&quot;/&gt;
 &lt;bean id=&quot;samlEnvHandler&quot; class=&quot;org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler&quot;&gt;
  &lt;property name=&quot;securityContextProvider&quot;&gt;
     &lt;bean class=&quot;org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider&quot;/&gt;
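Review bot: a word is missing in the Subject validation paragraph: "If the assertion signature is verified locally using the public key of IDP then it could a good enough confirmation too" should read "then it could be a good enough confirmation too"; "There is a number of ways a Subject can be validated" reads better as "There are a number of ways". In the same hunk, ClaimsAuthorizingInterceptor is introduced by name and the next sentence then calls it "This filter"; since the following paragraph introduces ClaimsAuthorizingFilter as the JAX-RS wrapper around it, say "This interceptor can be overridden and configured with the rules directly" here so the interceptor and the filter are not conflated.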
@@ -633,19 +471,8 @@ If the assertion signature is verified l
        &lt;/jaxrs:providers&gt;
 &lt;/jaxrs:server&gt;
 ]]></script>
-</div></div>
-
-<p>An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor.  SamlEnvelopedInHandler processes and validates SAML assertions and it also relies on a simple <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java">CustomSecurityContextProvider</a> to help it to figure out what the actual Subject name is. A more involved implementation can do some additional validation as well as override few more super class methods, more on it next. The claims themselves have already been parsed and will be made available to a resulting SecurityContext which ClaimsAuthorizingFilter will rely upon.</p>
-
-
-<h2 id="JAX-RSSAML-RoleBasedAccessControl">Role Based Access Control</h2>
-
-<p>If you have an existing RBAC system (based on javax.annotation.security.RolesAllowed or even org.springframework.security.annotation.Secured annotations) in place and have SAML assertions with claims that are known to represent roles, then making those claims work with the RBAC system can be achieved easily.</p>
-
-<p>For example, given this code:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-import org.springframework.security.annotation.Secured;
+</div></div><p>An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor. SamlEnvelopedInHandler processes and validates SAML assertions and it also relies on a simple <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java">CustomSecurityContextProvider</a> to help it to figure out what the actual Subject name is. A more involved implementation can do some additional validation as well as override few more super class methods, more on it next. The claims themselves have already been parsed and will be made available to a resulting SecurityContext which ClaimsAuthorizingFilter will rely upon.</p><h2 id="JAX-RSSAML-RoleBasedAccessControl">Role Based Access Control</h2><p>If you have an existing RBAC system (based on javax
 .annotation.security.RolesAllowed or even org.springframework.security.annotation.Secured annotations) in place and have SAML assertions with claims that are known to represent roles, then making those claims work with the RBAC system can be achieved easily.</p><p>For example, given this code:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[import org.springframework.security.annotation.Secured;
 
 @Path(&quot;/bookstore&quot;)
 @Claim({&quot;user&quot;})
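Review bot: wording in the CustomSecurityContextProvider paragraph: "override few more super class methods, more on it next" should read "override a few more superclass methods; more on this below". The surrounding description is otherwise accurate to the configuration above it, where the samlEnvHandler bean's securityContextProvider property is set to the CustomSecurityContextProvider bean.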
@@ -658,14 +485,8 @@ public class SecureBookStore {
     }
 }
 ]]></script>
-</div></div>
-
-<p>where @Secured can be replaced with @RoledAllowed if needed, the following configuration will do it:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-
-&lt;bean id=&quot;serviceBeanRoles&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore&quot;/&gt;
+</div></div><p>where @Secured can be replaced with @RoledAllowed if needed, the following configuration will do it:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;bean id=&quot;serviceBeanRoles&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore&quot;/&gt;
 &lt;bean id=&quot;samlEnvHandler&quot; class=&quot;org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler&quot;&gt;
  &lt;property name=&quot;securityContextProvider&quot;&gt;
     &lt;bean class=&quot;org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider&quot;/&gt;
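Review bot: "@RoledAllowed" in "where @Secured can be replaced with @RoledAllowed if needed" is a typo for "@RolesAllowed"; the preceding paragraph names the annotation correctly as javax.annotation.security.RolesAllowed, and the same misspelling recurs in the closing paragraphs of this page. Suggest correcting every occurrence so a search for the real annotation name finds this section.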
@@ -702,17 +523,7 @@ public class SecureBookStore {
   --&gt;
 &lt;/jaxrs:server&gt;
 ]]></script>
-</div></div>
-
-<p>That is all what is needed. Note that in order to help the default SAML SecurityContextProvider figure out which claims are roles, one can set the two properties as shown above - this not needed if it's known that claims identifying roles have NameFormat and Name values with the default values, which are "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" respectively at the moment.</p>
-
-<p>Note that you can have RBAC and CBAC combined for a more sophisticated access control rules be enforced while still keeping the existing code relying on @RolesAllowed or @Secured intact. Override ClaimsAuthorizingFilter and configure it with the Claims rules directly and register it alongside SimpleAuthorizingFilter and here you go. </p>
-
-<p>Also note how SecureAnnotationsInterceptor can handle different types of role annotations, with @RoledAllowed being supported by default.   </p>
-
-<h1 id="JAX-RSSAML-SAMLWebSSOProfile">SAML Web SSO Profile</h1>
-
-<p>Please see <a shape="rect" href="saml-web-sso.html">this page</a> for more information</p></div>
+</div></div><p>That is all what is needed. Note that in order to help the default SAML SecurityContextProvider figure out which claims are roles, one can set the two properties as shown above - this not needed if it's known that claims identifying roles have NameFormat and Name values with the default values, which are "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" respectively at the moment.</p><p>Note that you can have RBAC and CBAC combined for a more sophisticated access control rules be enforced while still keeping the existing code relying on @RolesAllowed or @Secured intact. Override ClaimsAuthorizingFilter and configure it with the Claims rules directly and register it alongside SimpleAuthorizingFilter and here you go.</p><p>Also note how SecureAnnotationsInterceptor can handle different types of role annotations, with @RoledAllowed being supported by default.</p><h1 id="JAX-RSSAML-SAMLWebSSOProfile">S
 AML Web SSO Profile</h1><p>Please see <a shape="rect" href="saml-web-sso.html">this page</a> for more information</p></div>
            </div>
            <!-- Content -->
          </td>
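Review bot: the default NameFormat stated in the closing RBAC paragraph contradicts the Claims Based Access Control section of the same page. Here the defaults are given as "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role", but the earlier Note says that starting from CXF 2.7.1 the default name format is "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" and the old URI applies only before 2.7.1. Suggest aligning this paragraph with that note, since a reader configuring the role-claim properties "as shown above" will otherwise match on the wrong format. Grammar in the same hunk: "That is all what is needed" should be "That is all that is needed"; "this not needed" should be "this is not needed"; "for a more sophisticated access control rules be enforced" should be "so that more sophisticated access control rules are enforced"; and "@RoledAllowed" should again be "@RolesAllowed".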

Modified: websites/production/cxf/content/docs/secure-jax-rs-services.html
==============================================================================
--- websites/production/cxf/content/docs/secure-jax-rs-services.html (original)
+++ websites/production/cxf/content/docs/secure-jax-rs-services.html Mon May  5 16:46:51 2014
@@ -118,34 +118,19 @@ Apache CXF -- Secure JAX-RS Services
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p></p><p></p><p><span style="font-size:2em;font-weight:bold"> JAX-RS: Security </span></p><p></p><p></p><p></p>
+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;</p><span style="font-size:2em;font-weight:bold"> JAX-RS: Security </span><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1399308384003 {padding: 0px;}
+div.rbtoc1399308384003 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1399308384003 li {margin-left: 0px;padding-left: 0px;}
 
-<style type="text/css">/*<![CDATA[*/
-div.rbtoc1396468210434 {padding: 0px;}
-div.rbtoc1396468210434 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1396468210434 li {margin-left: 0px;padding-left: 0px;}
-
-/*]]>*/</style><div class="toc-macro rbtoc1396468210434">
+/*]]>*/</style></p><div class="toc-macro rbtoc1399308384003">
 <ul class="toc-indentation"><li><a shape="rect" href="#SecureJAX-RSServices-HTTPS">HTTPS</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SecureJAX-RSServices-Configuringendpoints">Configuring endpoints</a></li><li><a shape="rect" href="#SecureJAX-RSServices-Configuringclients">Configuring clients</a></li></ul>
 </li><li><a shape="rect" href="#SecureJAX-RSServices-Authentication">Authentication</a></li><li><a shape="rect" href="#SecureJAX-RSServices-Authorization">Authorization</a></li><li><a shape="rect" href="#SecureJAX-RSServices-WS-Trustintegration">WS-Trust integration</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SecureJAX-RSServices-ValidatingBasicAuthcredentialswithSTS">Validating BasicAuth credentials with STS</a></li><li><a shape="rect" href="#SecureJAX-RSServices-UsingSTStovalidateSAMLassertions">Using STS to validate SAML assertions</a></li></ul>
 </li><li><a shape="rect" href="#SecureJAX-RSServices-NoteaboutSecurityManager">Note about SecurityManager</a></li><li><a shape="rect" href="#SecureJAX-RSServices-AdvancedSecurity">Advanced Security</a></li><li><a shape="rect" href="#SecureJAX-RSServices-Restrictinglargepayloads">Restricting large payloads</a></li><li><a shape="rect" href="#SecureJAX-RSServices-CrossOriginResourceSharing">Cross Origin Resource Sharing</a></li></ul>
-</div>
-
-<h1 id="SecureJAX-RSServices-HTTPS">HTTPS</h1>
-
-<p>Transport-level protection of JAX-RS endpoints can be managed by underlying Servlet containers, for example, see this <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html">Tomcat SSL Configuration section</a>. </p>
-
-<p>Additionally CXF provides support for configuring endpoints which depend on embedded Jetty. CXF JAX-RS clients can also be configured to support SSL. </p>
-
-<h2 id="SecureJAX-RSServices-Configuringendpoints">Configuring endpoints</h2>
-
-<p>JAX-RS endpoints using embedded Jetty can rely on the configuration like this one:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;beans xmlns=&quot;http://www.springframework.org/schema/beans&quot;
+</div><h1 id="SecureJAX-RSServices-HTTPS">HTTPS</h1><p>Transport-level protection of JAX-RS endpoints can be managed by underlying Servlet containers, for example, see this <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html">Tomcat SSL Configuration section</a>.</p><p>Additionally CXF provides support for configuring endpoints which depend on embedded Jetty. CXF JAX-RS clients can also be configured to support SSL.</p><h2 id="SecureJAX-RSServices-Configuringendpoints">Configuring endpoints</h2><p>JAX-RS endpoints using embedded Jetty can rely on the configuration like this one:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;beans xmlns=&quot;http://www.springframework.org/schema/beans&quot;
        xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;
        xmlns:http=&quot;http://cxf.apache.org/transports/http/configuration&quot;
        xmlns:httpj=&quot;http://cxf.apache.org/transports/http-jetty/configuration&quot;
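Review bot: the regenerated header markup is not valid HTML. The table-of-contents stylesheet is now wrapped in a paragraph, `<p><style type="text/css">/*<![CDATA[*/` ... `/*]]>*/</style></p>`, but `<style>` is not permitted inside `<p>`; browsers implicitly close the paragraph before the `<style>` element, which leaves the trailing `</p>` on the `/*]]>*/</style></p>` line orphaned. At the same time the page title `<span style="font-size:2em;font-weight:bold"> JAX-RS: Security </span>` lost the `<p>` wrapper the previous revision had, so it is now bare inline content between empty paragraphs. Suggest dropping the `<p>` around the style block and restoring the paragraph around the title; since this is buildbot output, the fix belongs in the Confluence export step rather than in this file. The same change appears in the jax-rs-saml.html header in this commit.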
@@ -173,34 +158,20 @@ div.rbtoc1396468210434 li {margin-left: 
     &lt;/httpj:engine-factory&gt;
 &lt;/beans&gt;
 ]]></script>
-</div></div>
-
-<p>If you use JAXRSServerFactoryBean to create and start JAX-RS endpoints from the code then the above configuration can be utilized like this:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-JAXRSServerFactoryBean bean = new JAXRSServerFactoryBean();
+</div></div><p>If you use JAXRSServerFactoryBean to create and start JAX-RS endpoints from the code then the above configuration can be utilized like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[JAXRSServerFactoryBean bean = new JAXRSServerFactoryBean();
 SpringBusFactory bf = new SpringBusFactory();
 Bus bus = bf.createBus(&quot;configuration/beans.xml&quot;);
 bean.setBus(bus);
 bean.setAddress(&quot;http://localhost:9095/rest&quot;);
 bean.setServiceClass(CustomerService.class);
 ]]></script>
-</div></div>
-
-<p>If you also have a jaxrs:server endpoint declared in the above beans.xml, then make sure you have a 'depends-on' attribute set:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;jaxrs:server serviceClass=&quot;CustomerService.class&quot; address=&quot;http://localhost:9095/rest&quot;
+</div></div><p>If you also have a jaxrs:server endpoint declared in the above beans.xml, then make sure you have a 'depends-on' attribute set:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;jaxrs:server serviceClass=&quot;CustomerService.class&quot; address=&quot;http://localhost:9095/rest&quot;
    depends-on=&quot;port-9095-tls-config&quot;/&gt;
 ]]></script>
-</div></div> 
-
-<p>Once you have JAX-RS and Jetty HTTPS combined then you can get the application context initiated like this:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-public class Server {
+</div></div><p>Once you have JAX-RS and Jetty HTTPS combined then you can get the application context initiated like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[public class Server {
 
     public void main(String[] args) throws Exception {
         Bus busLocal = new SpringBusFactory().createBus(&quot;configuration/beans.xml&quot;);
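Review bot: two defects in this hunk's examples. `public void main(String[] args) throws Exception {` in the Server class is missing `static`, so the JVM will not treat it as an entry point; it should be `public static void main(String[] args) throws Exception {`. And in the jaxrs:server snippet, `serviceClass=&quot;CustomerService.class&quot;` passes a Java class-literal expression where the attribute expects a class name string, so Spring would fail to load the class; it should be the fully qualified class name, for example `serviceClass="com.example.CustomerService"` (the package here is a placeholder, as the page does not give one). The `depends-on="port-9095-tls-config"` attribute the paragraph is actually about is correct as shown.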
@@ -210,43 +181,16 @@ public class Server {
     }
 }
 ]]></script>
-</div></div>
-
-<p>Having JAX-RS endpoints declared alongside CXF Jetty HTTPS configuration is only needed when an embedded Jetty container is used. If you have application WARs deployed into Tomcat or Jetty then please follow container-specific guides on how to set up SSL.</p>
-
-<p>Please also see this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/">HTTPS-based demo</a> in the CXF distribution.</p>
-
-<p>Additionally check the <a shape="rect" href="http://cxf.apache.org/docs/jetty-configuration.html">CXF Jetty Configuration</a> section.</p>
-
-<h2 id="SecureJAX-RSServices-Configuringclients">Configuring clients</h2>
-
-<p>Secure HTTPConduits for CXF JAX-RS proxies and WebClients can be configured as described in this <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html">section</a>. </p>
-
-<p>For example, check this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml">configuration file</a>. Endpoint addresses used by proxies or clients have to match the pattern used in the HTTPConduit configuration.</p>
-
-<p>The configuration file can be referenced during the proxy or WebClient creation:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-final String address = &quot;http://localhost:9095/rest&quot;;
+</div></div><p>Having JAX-RS endpoints declared alongside CXF Jetty HTTPS configuration is only needed when an embedded Jetty container is used. If you have application WARs deployed into Tomcat or Jetty then please follow container-specific guides on how to set up SSL.</p><p>Please also see this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/">HTTPS-based demo</a> in the CXF distribution.</p><p>Additionally check the <a shape="rect" href="http://cxf.apache.org/docs/jetty-configuration.html">CXF Jetty Configuration</a> section.</p><h2 id="SecureJAX-RSServices-Configuringclients">Configuring clients</h2><p>Secure HTTPConduits for CXF JAX-RS proxies and WebClients can be configured as described in this <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html">section</a>.</p><p>For example, check this <a shape="rect" class="external-link" href="http:
 //svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml">configuration file</a>. Endpoint addresses used by proxies or clients have to match the pattern used in the HTTPConduit configuration.</p><p>The configuration file can be referenced during the proxy or WebClient creation:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[final String address = &quot;http://localhost:9095/rest&quot;;
 final String configLocation;
 
 WebClient client = WebClient.create(address, configLocation);
 // or
 BookStore proxy = JAXRSClientFactory.create(address, configLocation, BookStore.class);
 ]]></script>
-</div></div>
-
-<p>HTTPConduits can also be 'bound' to proxies or WebClients using expanded QNames. Please see this <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring">section</a> for more information.</p>
-
-<p>Please see <a shape="rect" class="external-link" href="http://aruld.info/programming-ssl-for-jetty-based-cxf-services/" rel="nofollow">this blog entry</a> on how the HTTPConduit TLS properties can be set up from the code. In the code, do WebClient.getConfig(myClient).getHTTPConduit() and proceed from there.</p>
-
-<h1 id="SecureJAX-RSServices-Authentication">Authentication</h1>
-
-<p>It is often containers like Tomcat or frameworks like Spring Security which handle the user authentication. Sometimes you might want to do the custom authentication instead. CXF HTTP Transport adds decoded Basic Authentication credentials into an instance of AuthorizationPolicy extension and sets it on the current message. Thus the easiest way is to register a custom invoker or <code>RequestHandler</code> filter which will extract a user name and password like this:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-public class AuthenticationHandler implements RequestHandler {
+</div></div><p>HTTPConduits can also be 'bound' to proxies or WebClients using expanded QNames. Please see this <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring">section</a> for more information.</p><p>Please see <a shape="rect" class="external-link" href="http://aruld.info/programming-ssl-for-jetty-based-cxf-services/" rel="nofollow">this blog entry</a> on how the HTTPConduit TLS properties can be set up from the code. In the code, do WebClient.getConfig(myClient).getHTTPConduit() and proceed from there.</p><h1 id="SecureJAX-RSServices-Authentication">Authentication</h1><p>It is often containers like Tomcat or frameworks like Spring Security which handle the user authentication. Sometimes you might want to do the custom authentication instead. CXF HTTP Transport adds decoded Basic Authentication credentials into an instance of AuthorizationPolicy extension and sets it on the current message. Thus the easiest 
 way is to register a custom invoker or <code>RequestHandler</code> filter which will extract a user name and password like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[public class AuthenticationHandler implements RequestHandler {
 
     public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
         AuthorizationPolicy policy = (AuthorizationPolicy)m.get(AuthorizationPolicy.class);
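Review bot: the AuthenticationHandler snippet at the end of this hunk casts `m.get(AuthorizationPolicy.class)` to `AuthorizationPolicy` with no null check visible before the hunk is cut off; the prose above says the HTTP transport only sets this policy when it has decoded Basic Authentication credentials, so for a request without an `Authorization` header `policy` is null. Since the paragraph presents this handler as the pattern to copy for custom authentication, the remainder of `handleRequest` (outside the hunk) should be checked to confirm it returns a 401 with a `WWW-Authenticate` challenge in that case rather than dereferencing `policy`, and the prose could say so in one sentence.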
@@ -263,21 +207,8 @@ public class AuthenticationHandler imple
 
 }
 ]]></script>
-</div></div> 
-
-<p>One other thing you may want to do, after authenticating a user, is to initialize org.apache.cxf.security.SecurityContext with Principals representing the user and its roles (if available).</p>
-
-<p>If you prefer using Spring Security then see how the authentication is handled in a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security">spring-security</a> demo.</p>
-
-<p>Next, please see the <a shape="rect" href="security.html">Security</a> section on how CXF Security interceptors can help. </p>
-
-<p>Additionally check this <a shape="rect" class="external-link" href="http://sberyozkin.blogspot.com/2010/12/authentication-and-authorization-cxf.html" rel="nofollow">blog entry</a> for more information on how CXF JAX-RS wraps the CXF security interceptors with helper filters.</p>
-
-<p>For example, see how a JAX-RS filter can be used to wrap CXF JAASLoginInterceptor:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;jaxrs:server address=&quot;/jaas&quot;&gt;
+</div></div><p>One other thing you may want to do, after authenticating a user, is to initialize org.apache.cxf.security.SecurityContext with Principals representing the user and its roles (if available).</p><p>If you prefer using Spring Security then see how the authentication is handled in a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security">spring-security</a> demo.</p><p>Next, please see the <a shape="rect" href="security.html">Security</a> section on how CXF Security interceptors can help.</p><p>Additionally check this <a shape="rect" class="external-link" href="http://sberyozkin.blogspot.com/2010/12/authentication-and-authorization-cxf.html" rel="nofollow">blog entry</a> for more information on how CXF JAX-RS wraps the CXF security interceptors with helper filters.</p><p>For example, see how a JAX-RS filter can be used to wrap CXF JAASLoginInterceptor:</p><div class="code panel pdl
 " style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;jaxrs:server address=&quot;/jaas&quot;&gt;
     &lt;jaxrs:serviceBeans&gt;
         &lt;bean class=&quot;org.apache.cxf.systest.jaxrs.security.SecureBookStoreNoAnnotations&quot;/&gt;
     &lt;/jaxrs:serviceBeans&gt;		   
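Review bot: the sentence "One other thing you may want to do, after authenticating a user, is to initialize org.apache.cxf.security.SecurityContext with Principals representing the user and its roles" does not say how, and the custom handler shown in the previous hunk only extracts the credentials; a reader who follows it ends up with no SecurityContext on the message, so the authorization step described later in the page has no principal or roles to decide on. Suggest either a one-line example of setting the context on the message, or an explicit pointer that the JAASLoginInterceptor-based filter in this hunk is the path that does this for you.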
@@ -296,22 +227,8 @@ public class AuthenticationHandler imple
     &lt;property name=&quot;redirectURI&quot; value=&quot;/login.jsp&quot;/&gt;
 &lt;/bean&gt;
 ]]></script>
-</div></div>
-
-<p>The filter will redirect the client to "/login.jsp" if the authentication fails. If no 'redirectURI' property is set then 401 will be returned. A "realmName" property can also be set. </p>
-
-<p>If the JAAS Authentication succeeds then the filter will set a SecurityContext instance on the message. This context can be used for authorization decisions. </p>
-
-<h1 id="SecureJAX-RSServices-Authorization">Authorization</h1>
-
-<p>It is often containers like Tomcat or frameworks like Spring Security which handle user authorization, similarly to the way the authentication is handled.</p>
-
-<p>CXF also provides two interceptors which make it easy to enforce authorization decisions, as described in the <a shape="rect" href="security.html">Security</a> section.<br clear="none">
-CXF JAX-RS SimpleAuthorizingFilter can be used to wrap those interceptors and return 403 in case of failures:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;jaxrs:server address=&quot;/jaas&quot;&gt;
+</div></div><p>The filter will redirect the client to "/login.jsp" if the authentication fails. If no 'redirectURI' property is set then 401 will be returned. A "realmName" property can also be set.</p><p>If the JAAS Authentication succeeds then the filter will set a SecurityContext instance on the message. This context can be used for authorization decisions.</p><h1 id="SecureJAX-RSServices-Authorization">Authorization</h1><p>It is often containers like Tomcat or frameworks like Spring Security which handle user authorization, similarly to the way the authentication is handled.</p><p>CXF also provides two interceptors which make it easy to enforce authorization decisions, as described in the <a shape="rect" href="security.html">Security</a> section.<br clear="none"> CXF JAX-RS SimpleAuthorizingFilter can be used to wrap those interceptors and return 403 in case of failures:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;jaxrs:server address=&quot;/jaas&quot;&gt;
     &lt;jaxrs:serviceBeans&gt;
         &lt;bean class=&quot;org.apache.cxf.systest.jaxrs.security.SecureBookStoreNoAnnotations&quot;/&gt;
     &lt;/jaxrs:serviceBeans&gt;		   
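Review bot: the paragraph "The filter will redirect the client to "/login.jsp" if the authentication fails. If no 'redirectURI' property is set then 401 will be returned" should state which status the redirect uses and when each behaviour is appropriate: a redirect to a login page is browser-oriented, while a non-browser API client that follows it silently receives the login page instead of an authentication error, so 401 is the safer default for a REST endpoint. The 'realmName' property is mentioned but not what it is for; saying that it is the realm presented in the 401 challenge would tell the reader why to set it.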
@@ -329,23 +246,8 @@ CXF JAX-RS SimpleAuthorizingFilter can b
     &lt;entry key=&quot;getBook&quot; value=&quot;ROLE_BOOK_OWNER&quot;/&gt;
 &lt;/util:map&gt;
 ]]></script>
-</div></div>
-
-<p>SimpleAuthorizingFilter can also wrap CXF SecureAnnotationsInterceptor.</p>
-
-<p>Note that wrapping CXF security interceptors with JAX-RS filters is not required; it simply makes it easier to handle authentication and authorization exceptions and return appropriate HTTP error statuses.</p>
-
-<h1 id="SecureJAX-RSServices-WS-Trustintegration">WS-Trust integration</h1>
-
-<p>One of the requirements for deploying CXF endpoints into secure web service environments is to ensure that existing WS-Trust STS services can be used to protect the endpoints. JAX-WS endpoints can rely on CXF WS-Security and WS-Trust support. Making sure CXF JAX-RS endpoints can be additionally secured by STS is strategically important task. CXF provides close integration between JAX-WS and JAX-RS frontends thus reusing CXF JAX-WS and WS-Security is the most effective way toward achieving this integration.</p>
-
-<h2 id="SecureJAX-RSServices-ValidatingBasicAuthcredentialswithSTS">Validating BasicAuth credentials with STS</h2>
-
-<p>Validating Basic Authentication credentials with STS is possible starting from CXF 2.4.1. JAX-RS and JAX-WS services can rely on this feature. Here is an example on how a jaxrs endpoint can be configured:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;jaxrs:server serviceClass=&quot;org.customers.CustomerService&quot;
+</div></div><p>SimpleAuthorizingFilter can also wrap CXF SecureAnnotationsInterceptor.</p><p>Note that wrapping CXF security interceptors with JAX-RS filters is not required; it simply makes it easier to handle authentication and authorization exceptions and return appropriate HTTP error statuses.</p><h1 id="SecureJAX-RSServices-WS-Trustintegration">WS-Trust integration</h1><p>One of the requirements for deploying CXF endpoints into secure web service environments is to ensure that existing WS-Trust STS services can be used to protect the endpoints. JAX-WS endpoints can rely on CXF WS-Security and WS-Trust support. Making sure CXF JAX-RS endpoints can be additionally secured by STS is strategically important task. CXF provides close integration between JAX-WS and JAX-RS frontends thus reusing CXF JAX-WS and WS-Security is the most effective way toward achieving this integration.</p><h2 id="SecureJAX-RSServices-ValidatingBasicAuthcredentialswithSTS">Validating BasicAuth credentials w
 ith STS</h2><p>Validating Basic Authentication credentials with STS is possible starting from CXF 2.4.1. JAX-RS and JAX-WS services can rely on this feature. Here is an example on how a jaxrs endpoint can be configured:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;jaxrs:server serviceClass=&quot;org.customers.CustomerService&quot;
     depends-on=&quot;ClientAuthHttpsSettings&quot;
     address=&quot;https://localhost:8081/rest&quot;&gt;
 
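Review bot: grammar in the WS-Trust paragraph of this hunk: "is strategically important task" should read "is a strategically important task". Separately, the SimpleAuthorizingFilter description says it returns 403 on failures but not what the decision is based on; the `util:map` in the previous hunk binds method names to roles (`&lt;entry key=&quot;getBook&quot; value=&quot;ROLE_BOOK_OWNER&quot;/&gt;`), and those roles are taken from the SecurityContext that the authentication step sets, so the doc should say so explicitly, otherwise a reader who used the custom handler without setting a SecurityContext will see every request denied and not know why.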
@@ -406,37 +308,12 @@ CXF JAX-RS SimpleAuthorizingFilter can b
   &lt;/http:tlsClientParameters&gt;
 &lt;/http:conduit&gt;
 ]]></script>
-</div></div>
-
-<p>AuthPolicyValidatingInterceptor converts Basic Auth info into WSS4J UsernameToken and delegates to STS to validate.</p>
-
-<h2 id="SecureJAX-RSServices-UsingSTStovalidateSAMLassertions">Using STS to validate SAML assertions</h2>
-
-<p>Please see <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLAssertionValidation">this section</a> for more information on how STSSamlAssertionValidator can be used to validate the inbound SAML assertions.</p>
-
-<h1 id="SecureJAX-RSServices-NoteaboutSecurityManager">Note about SecurityManager</h1>
-
-<p>If <code>java.lang.SecurityManager</code> is installed then you'll likely need to configure the trusted JAX-RS codebase with a 'suppressAccessChecks' permission for the injection of JAXRS context or parameter fields to succeed. For example, you may want to update a Tomcat <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html">catalina.policy</a> with the following permission :</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-grant codeBase &quot;file:${catalina.home}/webapps/yourwebapp/lib/cxf.jar&quot; {
+</div></div><p>AuthPolicyValidatingInterceptor converts Basic Auth info into WSS4J UsernameToken and delegates to STS to validate.</p><h2 id="SecureJAX-RSServices-UsingSTStovalidateSAMLassertions">Using STS to validate SAML assertions</h2><p>Please see <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLAssertionValidation">this section</a> for more information on how STSTokenValidator can be used to validate the inbound SAML assertions.</p><h1 id="SecureJAX-RSServices-NoteaboutSecurityManager">Note about SecurityManager</h1><p>If <code>java.lang.SecurityManager</code> is installed then you'll likely need to configure the trusted JAX-RS codebase with a 'suppressAccessChecks' permission for the injection of JAXRS context or parameter fields to succeed. For example, you may want to update a Tomcat <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html">catalina.policy</a> with the following permissio
 n :</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[grant codeBase &quot;file:${catalina.home}/webapps/yourwebapp/lib/cxf.jar&quot; {
     permission java.lang.reflect.ReflectPermission &quot;suppressAccessChecks&quot;;
 };
 ]]></script>
-</div></div>
-
-<h1 id="SecureJAX-RSServices-AdvancedSecurity">Advanced Security</h1>
-
-<p>Please check <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a>, <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a> and <a shape="rect" href="jax-rs-oauth2.html">JAX-RS OAuth2</a> pages for more information about the advanced security topics.</p>
-
-<h1 id="SecureJAX-RSServices-Restrictinglargepayloads">Restricting large payloads</h1>
-
-<p>Please see <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+Data+Bindings#JAX-RSDataBindings-ControllingLargeJAXBXMLandJSONinputpayloads">this section</a> for more information.</p>
-
-<h1 id="SecureJAX-RSServices-CrossOriginResourceSharing">Cross Origin Resource Sharing</h1>
-
-<p>Please see <a shape="rect" href="jax-rs-cors.html">this section</a> for more information. Also check <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-data-bindings.html#JAX-RSDataBindings-JSONWithPadding">the section</a> about JSONP.</p></div>
+</div></div><h1 id="SecureJAX-RSServices-AdvancedSecurity">Advanced Security</h1><p>Please check <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a>, <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a> and <a shape="rect" href="jax-rs-oauth2.html">JAX-RS OAuth2</a> pages for more information about the advanced security topics.</p><h1 id="SecureJAX-RSServices-Restrictinglargepayloads">Restricting large payloads</h1><p>Please see <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+Data+Bindings#JAX-RSDataBindings-ControllingLargeJAXBXMLandJSONinputpayloads">this section</a> for more information.</p><h1 id="SecureJAX-RSServices-CrossOriginResourceSharing">Cross Origin Resource Sharing</h1><p>Please see <a shape="rect" href="jax-rs-cors.html">this section</a> for more information. Also check <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-data-bindings.html#JAX-RSDataBindings-JSONWithPadding">the section</a> about JSONP.</p><
 /div>
            </div>
            <!-- Content -->
          </td>
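Review bot: the one wording change in this hunk replaces STSSamlAssertionValidator with STSTokenValidator in the "Using STS to validate SAML assertions" paragraph, while the link still targets jax-rs-saml.html#JAX-RSSAML-SAMLAssertionValidation; confirm that the linked section names STSTokenValidator as well so the two pages stay consistent. Also, the catalina.policy snippet is tagged `brush: java` although it is a Java policy file rather than Java source, and the prose around it would benefit from one sentence on why the grant is scoped to `file:${catalina.home}/webapps/yourwebapp/lib/cxf.jar`: `suppressAccessChecks` lets that code bypass access checks on the fields it injects into, so it should be granted to the CXF jar only and not to the whole webapp classpath.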


