cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r912104 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html fediz-extensions.html
Date Tue, 10 Jun 2014 10:47:27 GMT
Author: buildbot
Date: Tue Jun 10 10:47:26 2014
New Revision: 912104

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-configuration.html
    websites/production/cxf/content/fediz-extensions.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==============================================================================
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Tue Jun 10 10:47:26 2014
@@ -108,16 +108,8 @@ Apache CXF -- Fediz Configuration
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="FedizConfiguration-FedizPluginconfiguration">Fediz
Plugin configuration</h1>
-<p>This page describes the Fediz configuration file referenced by the security interceptor
of the Servlet Container (eg. authenticator in Tomcat/Jetty).</p>
-
-<p>The Fediz configuration information is used to publish the federation Metadata document
which is described <a shape="rect" href="fediz-metadata.html">here</a></p>
-
-<h3 id="FedizConfiguration-Example">Example</h3>
-<p>The following example shows the minimum configuration for Fediz.</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&gt;
+<div id="ConfluenceContent"><h1 id="FedizConfiguration-FedizPluginconfiguration">Fediz
Plugin configuration</h1><p>This page describes the Fediz configuration file referenced
by the security interceptor of the Servlet Container (eg. authenticator in Tomcat/Jetty).</p><p>The
Fediz configuration information is used to publish the federation Metadata document which
is described <a shape="rect" href="fediz-metadata.html">here</a></p><h3
id="FedizConfiguration-Example">Example</h3><p>The following example shows
the minimum configuration for Fediz.</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;?xml
version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&gt;
 &lt;FedizConfig&gt;
     &lt;contextConfig name=&quot;/fedizhelloworld&quot;&gt;
         &lt;audienceUris&gt;
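Review bot: style point in the regenerated intro paragraph of this hunk: "eg. authenticator in Tomcat/Jetty" should read "e.g. authenticator in Tomcat/Jetty". Apart from that, the hunk only re-wraps the same Confluence markup onto fewer lines (the `<![CDATA[` opener now sits on the same line as `&lt;?xml`), which should not change the rendered code panel, so no other action is needed here.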
@@ -137,54 +129,8 @@ Apache CXF -- Fediz Configuration
     &lt;/contextConfig&gt;
 &lt;/FedizConfig&gt;
 ]]></script>
-</div></div>
-
-<p>The protocol element declares that the WS-Federation protocol is being used. The
issuer element shows the URL to which authenticated requests will be redirected with a SignIn
request.  </p>
-
-<p>The IDP issues a SAML token which must be validated by the plugin. The validation
requires the certificate store of the Certificate Authority(ies) of the certificate which
signed the SAML token. This is defined in <code>certificateStore</code>. The signing
certificate itself is not required because <code>certificateValidation</code>
is set to <code>ChainTrust</code>. The <code>subject</code> defines
the trusted signing certificate using the subject as a regular expression.<br clear="none">
-Finally, the audience URI is validated against the audience restriction in the SAML token.</p>
-
-
-<h3 id="FedizConfiguration-Configurationreference">Configuration reference</h3>
-
-<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>XML element </p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Name </p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Use </p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> audienceUris </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Audience URI </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Required </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> The values of the list of audience
URIs are verified against the element <code>AudienceRestriction</code> in the
SAML token </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>
certificateStores </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Trusted certificate store </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Required 
 </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p> The
list of keystores (JKS, PEM) includes at least the certificate of the Certificate Authorities
(CA) which signed the certificate which is used to sign the SAML token.<br clear="none">
-If the file location is not fully qualified it needs to be relative to the Container home
directory </p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>
trustedIssuers </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Trusted Issuers </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Required </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
There are two ways to configure a trusted issuer (IDP). Either you configure the subject name
and the CA(s) who signed the certificate of the IDP (<code>certificateValidation=ChainTrust</code>)
or you configure the certificate of the IDP and the CA(s) who signed it (<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> maximumClockSkew </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Maximum Clock Skew </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Optional </p></td><td
colspan="1" rowspan="1" class="conf
 luenceTd"><p> Maximum allowable time difference between the system clocks of the
IDP and RP.<br clear="none">
-Default 5 seconds. </p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p> tokenReplayCache </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> Token Replay Cache </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Optional </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> The <a shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?view=markup">TokenReplayCache</a>
implementation to use to cache tokens. The default is an implementation based on EHCache.
</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>
signingKey </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Key for Signature </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Optional </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
If configured, the published (WS-Federation) <a shape="rect" href="fediz-metadata.html">M
 etadata document</a> is signed by this key. Otherwise, not signed.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> tokenDecryptionKey </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Decryption Key </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Optional </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> A Keystore used to decrypt an encrypted
token. </p></td></tr></tbody></table></div>
-
-
-
-<h5 id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation
protocol configuration reference </h5>
-
-<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>XML element </p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Name </p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Use </p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p> Metadata </p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p> Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> issuer </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Issuer URL </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Required </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> PassiveRequestorEndpoint </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>This URL defines the location of
the IDP to whom unauthenticated requests are redirected </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> realm </p></td><td
colspan="1" rowspan="1" class="confluenceTd
 "><p> Realm </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Optional </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
TargetScope </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Security realm of the Relying Party / Application. This value is part of the SignIn request
as the <code>wtrealm</code> parameter.<br clear="none">
-Default: URL including the Servlet Context </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> authenticationType </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Authentication Type </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Optional </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> NA </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> The authentication type defines what kind of
authentication is required. This information is provided in the SignInRequest to the IDP (parameter
<code>wauth</code>)<br clear="none">
-The WS-Federation standard defines a list of predefined URIs for wauth <a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"
rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p> roleURI </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> Role Claim URI </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> Optional </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> NA </p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p> Defines the attribute name of the SAML token which contains
the roles.<br clear="none">
-Required for Role Based Access Control. </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> roleDelimiter </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Role Value Delimiter </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Optional </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> NA </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> There are different ways to encode multi value
attributes in SAML.</p>
-<ul><li>Single attribute with multiple values</li><li>Several attributes
with the same name but only one value</li><li>Single attribute with single value.
Roles are delimited by <code>roleDelimiter</code></li></ul>
-</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>
claimTypesRequested </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Requested claims </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
Optional </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
ClaimTypesRequested </p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory
claim can't be provided by the IDP the issuance of the token should fail </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> homeRealm </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Home Realm </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Optional </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> NA </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> Indicates the Resource IDP the home realm of
the requestor. This may be an URL or an identifie
 r like urn: or uuid: and depends on the Resource IDP implementation. This value is part of
the SignIn request as the <code>whr</code> parameter </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> freshness </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Freshness </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Optional </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> NA </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> The desired "freshness" of the token from the
IdP. This information is provided in the SignInRequest to the IdP (paramater <code>wfresh</code>)</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> tokenValidators </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> TokenValidators </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> Optional </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> NA </p></td><td colspan="1"
rowspan="1" class="confluenceTd">
 <p> Custom Token validator classes can be configured here. The SAML Token validator
is enabled by default.<br clear="none">
-See example <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java">here</a></p></td></tr></tbody></table></div>
-
-
-
-
-<h5 id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at runtime</h5>
-
-<p>The following attributes can be either configured statically at deployment time
or dynamically when the initial request is received:</p>
-<ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li></ul>
-
-
-<p>These configuration elements allows for configuring a CallbackHandler which gets
a Callback object where the appropriate value must be set. The CallbackHandler implementation
has access to the HttpServletRequest. The XML attribute <code>type</code> must
be set to <code>Class</code>.</p>
-
-<p>For more information see <a shape="rect" href="fediz-extensions.html">Fediz
Extensions</a>.</p>
-
-
-
-<h3 id="FedizConfiguration-Advancedexample">Advanced example</h3>
-
-<p>The following example defines the required claims and configures a custom callback
handler to define some configuration values at runtime.</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&gt;
+</div></div><p>The protocol element declares that the WS-Federation protocol
is being used. The issuer element shows the URL to which authenticated requests will be redirected
with a SignIn request.</p><p>The IDP issues a SAML token which must be validated
by the plugin. The validation requires the certificate store of the Certificate Authority(ies)
of the certificate which signed the SAML token. This is defined in <code>certificateStore</code>.
The signing certificate itself is not required because <code>certificateValidation</code>
is set to <code>ChainTrust</code>. The <code>subject</code> defines
the trusted signing certificate using the subject as a regular expression.<br clear="none">
Finally, the audience URI is validated against the audience restriction in the SAML token.</p><h3
id="FedizConfiguration-Configurationreference">Configuration reference</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>XML el
 ement</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Audience URI</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The values of the list of audience
URIs are verified against the element <code>AudienceRestriction</code> in the
SAML token</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>certificateStores</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Trusted certificate store</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The list of keystores (JKS, PEM)
includes at least the certificate of the Certif
 icate Authorities (CA) which signed the certificate which is used to sign the SAML token.<br
clear="none"> If the file location is not fully qualified it needs to be relative to the
Container home directory</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>trustedIssuers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Trusted Issuers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>There are two ways to configure a trusted issuer (IDP). Either
you configure the subject name and the CA(s) who signed the certificate of the IDP (<code>certificateValidation=ChainTrust</code>)
or you configure the certificate of the IDP and the CA(s) who signed it (<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>maximumClockSkew</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Maximum Clock Skew</p></td><td
colspan="1"
  rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Maximum allowable time difference between the
system clocks of the IDP and RP.<br clear="none"> Default 5 seconds.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>tokenReplayCache</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Token Replay Cache</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The <a shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?view=markup">TokenReplayCache</a>
implementation to use to cache tokens. The default is an implementation based on EHCache.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>signingKey</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Key for Signature</p></td><td
colspan="1" rowspan=
 "1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>If configured, the published (WS-Federation) <a shape="rect"
href="fediz-metadata.html">Metadata document</a> is signed by this key. Otherwise,
not signed.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenDecryptionKey</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Decryption Key</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Keystore used to decrypt an encrypted
token.</p></td></tr></tbody></table></div><h5 id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation
protocol configuration reference</h5><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>XML element</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1"
rowspan="1" class="confluenc
 eTh"><p>Use</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Metadata</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>issuer</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Issuer URL</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>PassiveRequestorEndpoint</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>This URL defines the location of
the IDP to whom unauthenticated requests are redirected</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>TargetScope</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Security realm of the Relying Party
/ Application. T
 his value is part of the SignIn request as the <code>wtrealm</code> parameter.<br
clear="none"> Default: URL including the Servlet Context</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Authentication Type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The authentication type defines what kind of
authentication is required. This information is provided in the SignInRequest to the IDP (parameter
<code>wauth</code>)<br clear="none"> The WS-Federation standard defines
a list of predefined URIs for wauth <a shape="rect" class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"
rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>roleURI</
 p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Role Claim
URI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Defines the attribute name of the SAML token
which contains the roles.<br clear="none"> Required for Role Based Access Control.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>roleDelimiter</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Role Value Delimiter</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>There are different ways to encode multi value
attributes in SAML.</p><ul><li>Single attribute with multiple values</li><li>Several
attributes with the same name but only one value</li><li>Single attribute with
single value. Roles are delimited by
  <code>roleDelimiter</code></li></ul></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>claimTypesRequested</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Requested claims</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>ClaimTypesRequested</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The claims required by the Relying
Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the
IDP the issuance of the token should fail</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Home Realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Indicates the Resource IDP the home realm of
the requestor. This may be an U
 RL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This
value is part of the SignIn request as the <code>whr</code> parameter</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>freshness</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Freshness</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The desired "freshness" of the token from the
IdP. This information is provided in the SignInRequest to the IdP (parameter <code>wfresh</code>)</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">request</td><td colspan="1" rowspan="1"
class="confluenceTd">Request</td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td
colspan="1" rowspan="1" class="confluenceTd">NA</td><td colspan="1" rowspan="1"
class="confluenceTd">This value is part of the SignIn request as 
 the wreq parameter. It can be used to specify a desired TokenType from the IdP.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>TokenValidators</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be configured
here. The SAML Token validator is enabled by default.<br clear="none"> See example <a
shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java">here</a></p></td></tr></tbody></table></div><h5
id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at runtime</h5><p>The
following attributes can be either configured statically at deployment time or dynamically
when the initial request is received:</
 p><ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li></ul><p>These
configuration elements allows for configuring a CallbackHandler which gets a Callback object
where the appropriate value must be set. The CallbackHandler implementation has access to
the HttpServletRequest. The XML attribute <code>type</code> must be set to <code>Class</code>.</p><p>For
more information see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3
id="FedizConfiguration-Advancedexample">Advanced example</h3><p>The following
example defines the required claims and configures a custom callback handler to define some
configuration values at runtime.</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;?xml
version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&gt;
 &lt;FedizConfig&gt;
     &lt;contextConfig name=&quot;/fedizhelloworld&quot;&gt;
         &lt;audienceUris&gt;
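Review bot: the regenerated paragraph after `</div></div>` says "the URL to which authenticated requests will be redirected with a SignIn request", but the `issuer` row of the WS-Federation table in the same hunk says the IDP is where "unauthenticated requests are redirected"; the table is the correct description of the passive sign-in flow, so the paragraph should say "unauthenticated". Two smaller consistency points in the same hunk: the prose refers to `<code>certificateStore</code>` while the reference table documents the element as `certificateStores`, so one of the two should be corrected to the real element name; and the new `request` / `wreq` row, which is the only content change in this hunk, uses bare `<td>` cells without the `<p>` wrappers and does not put `wreq` in `<code>` as the neighbouring rows do for `wtrealm`, `wauth`, `whr` and `wfresh`. Since the `subject` element is documented as "the subject as a regular expression", it would also help readers to state that the pattern should be anchored so it cannot match a broader set of certificate subjects than intended.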

Modified: websites/production/cxf/content/fediz-extensions.html
==============================================================================
--- websites/production/cxf/content/fediz-extensions.html (original)
+++ websites/production/cxf/content/fediz-extensions.html Tue Jun 10 10:47:26 2014
@@ -108,25 +108,8 @@ Apache CXF -- Fediz Extensions
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="FedizExtensions-FedizExtensions">Fediz Extensions</h1>
-<p>This page describes the extension points in Fediz to enrich its functionality further.</p>
-
-<h3 id="FedizExtensions-CallbackHandler">Callback Handler</h3>
-
-<p>The Sign-In request (Redirect URL) to the IDP contains several query parameters
to customize the sign in process. Some parameters are configured statically in the <a shape="rect"
href="fediz-configuration.html">Fediz configuration file</a> some others can be resolved
at runtime when the initial request is received by the Fediz plugin.</p>
-
-<p>The following table gives an overview of the parameters which can be resolved at
runtime. It contains the XML element name of the Fediz configuration file, the query parameter
name of the sign-in request to the IDP as well as the Callback class.</p>
-
-<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>XML element </p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Query parameter </p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Callback class </p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Supported version</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> authenticationType </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> wauth </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> WAuthCallback </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> 1.0.0 </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> homeRealm </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> whr </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> HomeRealmCallback </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> 1.0.0 </p></td></tr><tr><td
colspan="1" rowsp
 an="1" class="confluenceTd"><p> issuer </p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p> N.A. </p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p> IDPCallback </p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p> 1.0.0 </p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p> freshness </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> wfresh </p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p> FreshnessCallback </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> 1.0.2 </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> realm </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> wtrealm </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> RealmCallback </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> 1.1.0 </p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p> N.A. </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> any </p></td><td
colsp
 an="1" rowspan="1" class="confluenceTd"><p> SignInQueryCallback </p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p> 1.1.0 </p></td></tr></tbody></table></div>
-
-
-<p>If you configure a class which implements the interface <code>javax.security.auth.callback.CallbackHandler</code>
you get the corresponding Callback object where you must set the value which is then added
to the query parameter. The Callback object provides the <code>HttpServletRequest</code>
object which might give you the required information to resolve the value.</p>
-
-<p>Here is a snippet of the configuration to configure a CallbackHandler:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-...
+<div id="ConfluenceContent"><h1 id="FedizExtensions-FedizExtensions">Fediz Extensions</h1><p>This
page describes the extension points in Fediz to enrich its functionality further.</p><h3
id="FedizExtensions-CallbackHandler">Callback Handler</h3><p>The Sign-In request
(Redirect URL) to the IDP contains several query parameters to customize the sign in process.
Some parameters are configured statically in the <a shape="rect" href="fediz-configuration.html">Fediz
configuration file</a> some others can be resolved at runtime when the initial request
is received by the Fediz plugin.</p><p>The following table gives an overview of
the parameters which can be resolved at runtime. It contains the XML element name of the Fediz
configuration file, the query parameter name of the sign-in request to the IDP as well as
the Callback class.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>XML element</p></th><th
colspan="1" row
 span="1" class="confluenceTh"><p>Query parameter</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>Callback class</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>Supported version</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>wauth</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>WAuthCallback</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>whr</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>HomeRealmCallback</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>issuer</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>N.A.</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>IDPCallback</
 p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>freshness</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>wfresh</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>FreshnessCallback</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>1.0.2</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>wtrealm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>RealmCallback</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>1.1.0</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>N.A.</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>any</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>SignInQueryCallback</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>1.1.0</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">request</
 td><td colspan="1" rowspan="1" class="confluenceTd">wreq</td><td colspan="1"
rowspan="1" class="confluenceTd">WReqCallback</td><td colspan="1" rowspan="1"
class="confluenceTd">1.1.1</td></tr></tbody></table></div><p>If
you configure a class which implements the interface <code>javax.security.auth.callback.CallbackHandler</code>
you get the corresponding Callback object where you must set the value which is then added
to the query parameter. The Callback object provides the <code>HttpServletRequest</code>
object which might give you the required information to resolve the value.</p><p>Here
is a snippet of the configuration to configure a CallbackHandler:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[...
         &lt;protocol xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;
xsi:type=&quot;federationProtocolType&quot; version=&quot;1.2&quot;&gt;
             ...
             &lt;homeRealm type=&quot;Class&quot; value=&quot;MyCallbackHandler
&quot; /&gt;
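Review bot: the newly added table row for `request` / `wreq` / `WReqCallback` / `1.1.1` places the cell text directly inside the `<td>` elements, whereas every other row in the table wraps it in `<p>`, so the new row will render with different spacing; wrap the four new cells the same way, e.g. `<td colspan="1" rowspan="1" class="confluenceTd"><p>request</p></td>`. The configuration snippet that follows the table is XML (a `<protocol ...>` element) but its syntaxhighlighter script is declared `brush: java`; it should be `brush: xml` so the markup is highlighted correctly.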
@@ -134,13 +117,8 @@ Apache CXF -- Fediz Extensions
         &lt;/protocol&gt;
 ...
 ]]></script>
-</div></div>
-
-<p>And a sample implementation of the CallbackHandler:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-public class MyCallbackHandler implements CallbackHandler {
+</div></div><p>And a sample implementation of the CallbackHandler:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[public
class MyCallbackHandler implements CallbackHandler {
     
     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
         for (int i = 0; i &lt; callbacks.length; i++) {
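Review bot: the sample `MyCallbackHandler` declares `handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException` and loops over the array, but the text introducing it does not say how the handler should treat a Callback type it does not recognise; add a sentence that, per the `javax.security.auth.callback.CallbackHandler` contract, unrecognised callbacks should raise `UnsupportedCallbackException` rather than being silently skipped, so that a mismatch between the configured element and the handler is surfaced instead of leaving the query parameter unset.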
@@ -156,12 +134,7 @@ public class MyCallbackHandler implement
     }
 }
 ]]></script>
-</div></div>
-
-
-<h3 id="FedizExtensions-CustomTokenValidator">Custom Token Validator</h3>
-
-<p>todo</p></div>
+</div></div><h3 id="FedizExtensions-CustomTokenValidator">Custom Token
Validator</h3><p>todo</p></div>
            </div>
            <!-- Content -->
          </td>
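Review bot: the Custom Token Validator section is still only `<h3 ...>Custom Token Validator</h3><p>todo</p>` after this update, so the published page carries an empty extension-point section; either describe what has to be implemented and how it is registered in the Fediz configuration, or remove the heading until that content exists, since a published heading whose body reads "todo" looks like a broken page to readers.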


