cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r954480 - in /websites/production/cxf/content: cache/main.pageCache fediz-tomcat.html
Date Thu, 11 Jun 2015 09:47:02 GMT
Author: buildbot
Date: Thu Jun 11 09:47:01 2015
New Revision: 954480

Production update by buildbot for cxf


Modified: websites/production/cxf/content/cache/main.pageCache
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-tomcat.html
--- websites/production/cxf/content/fediz-tomcat.html (original)
+++ websites/production/cxf/content/fediz-tomcat.html Thu Jun 11 09:47:01 2015
@@ -109,9 +109,9 @@ Apache CXF -- Fediz Tomcat
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizTomcat-TomcatPlugin">Tomcat Plugin</h1><p>This
page describes how to enable Federation for a Tomcat instance hosting Relying Party (RP) applications.
This configuration is not for a separate Tomcat instance hosting the Fediz IDP and IDP STS
WARs, or hosts for third-party applications that use Fediz STS-generated SAML assertions for
authentication. After this configuration is done, the Tomcat-RP instance will validate the
incoming SignInResponse created by the IDP server.</p><p>Prior to doing this configuration,
make sure you've first deployed the Fediz IDP and STS on the separate Tomcat IDP instance
as discussed <a shape="rect" href="fediz-idp.html">here</a>, and can view the
STS WSDL at the URL given on that page. That page also provides some tips for running multiple
Tomcat instances on your machine.</p><h3 id="FedizTomcat-Installation">Installation</h3><p>You
can either build the Fediz plugin on your own or download the package <a shape="r
 ect" href="fediz-downloads.html">here</a>. If you have built the plugin on your
own you'll find the required libraries in <code>plugins/tomcat/target/</code></p><ol><li>Create
sub-directory <code>fediz</code> in <code>${catalina.home}/lib</code></li><li>Update in ${catalina.home}/conf<br clear="none"> add the previously created
directory to the common loader:<br clear="none"> <code>common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar</code></li><li>Deploy
the libraries to the directory created in (1)</li></ol><h3 id="FedizTomcat-Configuration">Configuration</h3><h5
id="FedizTomcat-HTTPSconfiguration">HTTPS configuration</h5><p>It's recommended
to set up a dedicated (separate) Tomcat instance for the Relying Party. The Fediz RP web applications
use the following TCP ports:</p><ul><li>HTTP port: 8080 (used for Maven
deployment, mvn tomcat:redeploy)<
 /li><li>HTTPS port: 8443 (where IDP and STS are accessed)</li><li>Server
port (for shutdown and other commands): 8005</li></ul><p>These are the default
ports for a standard Tomcat installation.</p><p>The Relying Party must be accessed
over HTTPS to protect the security tokens issued by the IDP.</p><p>The Tomcat
HTTP(s) configuration is done in conf/server.xml.</p><p>This is a sample snippet
for an HTTPS configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
   &lt;Connector port=&quot;8443&quot; protocol=&quot;HTTP/1.1&quot; SSLEnabled=&quot;true&quot;
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
   &lt;Connector port=&quot;8443&quot; protocol=&quot;org.apache.coyote.http11.Http11Protocol&quot;
                maxThreads=&quot;150&quot; scheme=&quot;https&quot; secure=&quot;true&quot;
-               keystoreFile=&quot;rp-ssl-server.jks&quot;
+               keystoreFile=&quot;rp-ssl-key.jks&quot; keyPass=&quot;tompass&quot;
                keystorePass=&quot;tompass&quot; sslProtocol=&quot;TLS&quot;
 </div></div><p>The keystoreFile is relative to $CATALINA_HOME. See <a
shape="rect" class="external-link" href="">here</a>
for the Tomcat 7 configuration reference. This page also describes how to create certificates.
Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running
the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.
Note the Tomcat keystore here is different from the one used to configure the Tomcat-IDP instance.</p><p>To
establish trust, there are significant keystore/truststore requirements between the Tomcat
instances and the various web applications (IDP, STS, Relying party applications, third party
web services, etc.) See <a shape="rect" class="external-link" href="">this
page</a> for more details, it lists the trust requirements as well a
 s sample scripts for creating your own (self-signed) keys.</p><p><strong>Warning:
All sample keystores provided with Fediz (including in the WAR files for its services and
examples) are for development/prototyping use only. They'll need to be replaced for production
use, at a minimum with your own self-signed keys but strongly recommended to use third-party
signed keys.</strong></p><p>If you are currently just trying to run the
Fediz samples, the configuration above is all you need (the below configuration is already
provided within the samples) so you can return now to the samples' READMEs for the next steps
in running them.</p><h5 id="FedizTomcat-FedizPluginconfigurationforYourWebApplication">Fediz
Plugin configuration for Your Web Application</h5><p>The Fediz related configuration
is done in a Servlet Container independent configuration file which is described <a shape="rect"
href="fediz-configuration.html">here</a>.</p><p>The Fediz plugin requires
configuring the FederationAuthe
 nticator like any other Valve in Tomcat. Detailed information about the Tomcat Valve concept
is available <a shape="rect" class="external-link" href="">here</a>.</p><p>A
Valve can be configured on different levels like <em>Host</em> or <em>Context</em>.
The Fediz configuration file allows to configure all servlet contexts in one file or choosing
one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet
Context then you must configure the FederationAuthenticator on the <em>Context</em>
level otherwise on the <em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p><p>You
can either configure the context in the server.xml or in META-INF/context.xml as part of your
WAR file.</p><h6 id="FedizTomcat-META-INF/context.xml">META-INF/context.xml</h6><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent

View raw message