cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r967955 - in /websites/production/cxf/content: cache/main.pageCache fediz-configuration.html
Date Tue, 06 Oct 2015 15:47:30 GMT
Author: buildbot
Date: Tue Oct  6 15:47:30 2015
New Revision: 967955

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-configuration.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==============================================================================
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Tue Oct  6 15:47:30 2015
@@ -129,7 +129,7 @@ Apache CXF -- Fediz Configuration
     </contextConfig>
 </FedizConfig>
 </pre>
-</div></div><p>The protocol element declares that the WS-Federation protocol
is being used. The issuer element shows the URL to which authenticated requests will be redirected
with a SignIn request.</p><p>The IDP issues a SAML token which must be validated
by the plugin. The validation requires the certificate store of the Certificate Authority(ies)
of the certificate which signed the SAML token. This is defined in <code>certificateStore</code>.
The signing certificate itself is not required because <code>certificateValidation</code>
is set to <code>ChainTrust</code>. The <code>subject</code> defines
the trusted signing certificate using the subject as a regular expression.<br clear="none">
Finally, the audience URI is validated against the audience restriction in the SAML token.</p><h3
id="FedizConfiguration-Configurationreference">Configuration reference</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>XML el
 ement</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Audience URI</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The values of the list of audience
URIs are verified against the element <code>AudienceRestriction</code> in the
SAML token</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>certificateStores</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Trusted certificate store</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The list of keystores (JKS, PEM)
includes at least the certificate of the Certif
 icate Authorities (CA) which signed the certificate which is used to sign the SAML token.<br
clear="none"> If the file location is not fully qualified it needs to be relative to the
Container home directory</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>trustedIssuers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Trusted Issuers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>There are two ways to configure a trusted issuer (IDP). Either
you configure the subject name and the CA(s) who signed the certificate of the IDP (<code>certificateValidation=ChainTrust</code>)
or you configure the certificate of the IDP and the CA(s) who signed it (<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>maximumClockSkew</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Maximum Clock Skew</p></td><td
colspan="1"
  rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Maximum allowable time difference between the
system clocks of the IDP and RP.<br clear="none"> Default 5 seconds.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>tokenReplayCache</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Token Replay Cache</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The <a shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?view=markup">TokenReplayCache</a>
implementation to use to cache tokens. The default is an implementation based on EHCache.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>signingKey</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Key for Signature</p></td><td
colspan="1" rowspan=
 "1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>If configured, the published (WS-Federation) <a shape="rect"
href="fediz-metadata.html">Metadata document</a> is signed by this key. Otherwise,
not signed.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenDecryptionKey</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Decryption Key</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Keystore used to decrypt an encrypted
token.</p></td></tr></tbody></table></div><h5 id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation
protocol configuration reference</h5><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>XML element</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1"
rowspan="1" class="confluenc
 eTh"><p>Use</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Metadata</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>issuer</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Issuer URL</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>PassiveRequestorEndpoint</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>This URL defines the location of
the IDP to whom unauthenticated requests are redirected</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>TargetScope</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Security realm of the Relying Party
/ Application. T
 his value is part of the SignIn request as the <code>wtrealm</code> parameter.<br
clear="none"> Default: URL including the Servlet Context</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Authentication Type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The authentication type defines what kind of
authentication is required. This information is provided in the SignInRequest to the IDP (parameter
<code>wauth</code>)<br clear="none"> The WS-Federation standard defines
a list of predefined URIs for wauth <a shape="rect" class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"
rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>roleURI</
 p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Role Claim
URI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Defines the attribute name of the SAML token
which contains the roles.<br clear="none"> Required for Role Based Access Control.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>roleDelimiter</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Role Value Delimiter</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>There are different ways to encode multi value
attributes in SAML.</p><ul><li>Single attribute with multiple values</li><li>Several
attributes with the same name but only one value</li><li>Single attribute with
single value. Roles are delimited by
  <code>roleDelimiter</code></li></ul></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>claimTypesRequested</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Requested claims</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>ClaimTypesRequested</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The claims required by the Relying
Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the
IDP the issuance of the token should fail</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Home Realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Indicates the Resource IDP the home realm of
the requestor. This may be an U
 RL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This
value is part of the SignIn request as the <code>whr</code> parameter</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>freshness</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Freshness</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The desired "freshness" of the token from the
IdP. This information is provided in the SignInRequest to the IdP (parameter <code>wfresh</code>)</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">request</td><td colspan="1" rowspan="1"
class="confluenceTd">Request</td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td
colspan="1" rowspan="1" class="confluenceTd">NA</td><td colspan="1" rowspan="1"
class="confluenceTd">This value is part of the SignIn request as 
 the wreq parameter. It can be used to specify a desired TokenType from the IdP.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>TokenValidators</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be configured
here. The SAML Token validator is enabled by default.<br clear="none"> See example <a
shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java">here</a></p></td></tr></tbody></table></div><h5
id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at runtime</h5><p>The
following attributes can be either configured statically at deployment time or dynamically
when the initial request is received:</
 p><ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li></ul><p>These
configuration elements allows for configuring a CallbackHandler which gets a Callback object
where the appropriate value must be set. The CallbackHandler implementation has access to
the HttpServletRequest. The XML attribute <code>type</code> must be set to <code>Class</code>.</p><p>For
more information see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3
id="FedizConfiguration-Advancedexample">Advanced example</h3><p>The following
example defines the required claims and configures a custom callback handler to define some
configuration values at runtime.</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The protocol element declares that the WS-Federation protocol
is being used. The issuer element shows the URL to which authenticated requests will be redirected
with a SignIn request.</p><p>The IDP issues a SAML token which must be validated
by the plugin. The validation requires the certificate store of the Certificate Authority(ies)
of the certificate which signed the SAML token. This is defined in <code>certificateStore</code>.
The signing certificate itself is not required because <code>certificateValidation</code>
is set to <code>ChainTrust</code>. The <code>subject</code> defines
the trusted signing certificate using the subject as a regular expression.<br clear="none">
Finally, the audience URI is validated against the audience restriction in the SAML token.</p><h3
id="FedizConfiguration-Configurationreference">Configuration reference</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>XML el
 ement</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Audience URI</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The values of the list of audience
URIs are verified against the element <code>AudienceRestriction</code> in the
SAML token</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>certificateStores</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Trusted certificate store</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The list of keystores (JKS, PEM)
includes at least the certificate of the Certif
 icate Authorities (CA) which signed the certificate which is used to sign the SAML token.<br
clear="none"> If the file location is not fully qualified it needs to be relative to the
Container home directory</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>trustedIssuers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Trusted Issuers</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>There are two ways to configure a trusted issuer (IDP). Either
you configure the subject name and the CA(s) who signed the certificate of the IDP (<code>certificateValidation=ChainTrust</code>)
or you configure the certificate of the IDP and the CA(s) who signed it (<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>maximumClockSkew</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Maximum Clock Skew</p></td><td
colspan="1"
  rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Maximum allowable time difference between the
system clocks of the IDP and RP.<br clear="none"> Default 5 seconds.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>tokenReplayCache</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Token Replay Cache</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The <a shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?view=markup">TokenReplayCache</a>
implementation to use to cache tokens. The default is an implementation based on EHCache.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>signingKey</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Key for Signature</p></td><td
colspan="1" rowspan=
 "1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>If configured, the published (WS-Federation) <a shape="rect"
href="fediz-metadata.html">Metadata document</a> is signed by this key. Otherwise,
not signed.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenDecryptionKey</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Decryption Key</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Keystore used to decrypt an encrypted
token.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">tokenExpirationValidation</td><td
colspan="1" rowspan="1" class="confluenceTd">Token Expiration Validation</td><td
colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Decision whether the token validation (e.g. lifetime) shall
be performed on every request (true) or only once at i
 nitial authentication (false). The default is "false".</p></td></tr></tbody></table></div><h5
id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation protocol
configuration reference</h5><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>XML element</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1"
rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>issuer</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Issuer URL</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>PassiveRequestorEndpoint</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>This URL defines the lo
 cation of the IDP to whom unauthenticated requests are redirected</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>TargetScope</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Security realm of the Relying Party
/ Application. This value is part of the SignIn request as the <code>wtrealm</code>
parameter.<br clear="none"> Default: URL including the Servlet Context</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Authentication Type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The authentication type defines what k
 ind of authentication is required. This information is provided in the SignInRequest to the
IDP (parameter <code>wauth</code>)<br clear="none"> The WS-Federation standard
defines a list of predefined URIs for wauth <a shape="rect" class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997"
rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>roleURI</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Role Claim URI</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Defines the attribute name of the SAML token which contains
the roles.<br clear="none"> Required for Role Based Access Control.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>roleDelimiter</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>
 Role Value Delimiter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>There are different ways to encode multi value
attributes in SAML.</p><ul><li>Single attribute with multiple values</li><li>Several
attributes with the same name but only one value</li><li>Single attribute with
single value. Roles are delimited by <code>roleDelimiter</code></li></ul></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>claimTypesRequested</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Requested claims</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>ClaimTypesRequested</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The claims required by the Relying
Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the

 IDP the issuance of the token should fail</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Home Realm</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Indicates the Resource IDP the home realm of
the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource
IDP implementation. This value is part of the SignIn request as the <code>whr</code>
parameter</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>freshness</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Freshness</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The desired "freshness" of the tok
 en from the IdP. This information is provided in the SignInRequest to the IdP (parameter
<code>wfresh</code>)</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd">request</td><td colspan="1" rowspan="1" class="confluenceTd">Request</td><td
colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1"
class="confluenceTd">NA</td><td colspan="1" rowspan="1" class="confluenceTd">This
value is part of the SignIn request as the wreq parameter. It can be used to specify a desired
TokenType from the IdP.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>TokenValidators</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be configured
here. The SAML Token validator is enabled by default.<br cl
 ear="none"> See example <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java">here</a></p></td></tr></tbody></table></div><h5
id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at runtime</h5><p>The
following attributes can be either configured statically at deployment time or dynamically
when the initial request is received:</p><ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li></ul><p>These
configuration elements allows for configuring a CallbackHandler which gets a Callback object
where the appropriate value must be set. The CallbackHandler implementation has access to
the HttpServletRequest. The XML attribute <code>type</code> must be set to <code>Class</code>.</p><p>For
more information see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3
id="FedizConfiguration-Advancedexample">Advanced example</h3
 ><p>The following example defines the required claims and configures a custom callback
handler to define some configuration values at runtime.</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;?xml
version="1.0" encoding="UTF-8" standalone="yes"?&gt;
 &lt;FedizConfig&gt;
     &lt;contextConfig name="/fedizhelloworld"&gt;
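Review bot: the new `tokenExpirationValidation` row in the Configuration reference table puts bare text in its first three `<td>` cells (`tokenExpirationValidation`, `Token Expiration Validation`, `Optional`) but wraps only the Description cell in `<p>`, while every other row of that table wraps all four cells in `<p>`; wrapping the three cells the same way keeps the rendered row spacing consistent with the rest of the table. On the content side, the description states that the default `false` performs the lifetime check only once at initial authentication, which means a token that expires afterwards is not re-checked for the life of the session; it would help readers to spell out that consequence next to the default, and to say which validation steps `true` repeats on each request, since "(e.g. lifetime)" leaves open whether the whole validation or only the lifetime check is re-run.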