cxf-commits mailing list archives

From dk...@apache.org
Subject svn commit: r1018074 [29/31] - in /websites/production/cxf/content: ./ 2008/04/28/ 2008/06/20/ 2008/10/23/ 2009/02/10/ 2009/08/04/ cache/ docs/
Date Tue, 12 Sep 2017 19:09:50 GMT
Modified: websites/production/cxf/content/faq.html
==============================================================================
--- websites/production/cxf/content/faq.html (original)
+++ websites/production/cxf/content/faq.html Tue Sep 12 19:09:41 2017
@@ -32,8 +32,9 @@
 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
   SyntaxHighlighter.all();
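Review bot: The added `shBrushBash.js` include is only needed because later panels in this file are retagged `brush: bash`, and the retagged panels visible in this diff hold XML and Java, not shell. Correcting the language on those code macros at the source would let the page keep loading just the Java and XML brushes instead of pulling in a third script to highlight content it does not match.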
@@ -110,11 +111,11 @@ Apache CXF -- FAQ
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FAQ-FrequentlyAskedQuestions">Frequently Asked Questions</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1494881227442 {padding: 0px;}
-div.rbtoc1494881227442 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1494881227442 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1505243065236 {padding: 0px;}
+div.rbtoc1505243065236 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1505243065236 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1494881227442">
+/*]]>*/</style></p><div class="toc-macro rbtoc1505243065236">
 <ul class="toc-indentation"><li><a shape="rect" href="#FAQ-General">General</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#FAQ-CanCXFrunwithJDK1.8/Java8?">Can CXF run with JDK 1.8/Java 8?</a></li><li><a shape="rect" href="#FAQ-CanCXFrunwithJDK1.7/Java7?">Can CXF run with JDK 1.7/Java 7?</a></li><li><a shape="rect" href="#FAQ-CanCXFrunwithJDK1.6?">Can CXF run with JDK 1.6?</a></li><li><a shape="rect" href="#FAQ-CanCXFrunwithouttheSunreferenceSAAJimplementation?">Can CXF run without the Sun reference SAAJ implementation?</a></li><li><a shape="rect" href="#FAQ-AretherecommercialofferingsofCXFthatprovideservices,support,andadditionalfeatures?">Are there commercial offerings of CXF that provide services, support, and additional features?</a></li><li><a shape="rect" href="#FAQ-IsthereanApacheCXFcertificationprogram?">Is there an Apache CXF certification program?</a></li></ul>
 </li><li><a shape="rect" href="#FAQ-JAX-WSRelated">JAX-WS Related</a>
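Review bot: Every changed line in this hunk is the generated `rbtoc` class suffix (1494881227442 to 1505243065236) in the three CSS rules and the `toc-macro` div; the table of contents entries themselves are untouched. If the export can emit a stable class name, this churn would drop out of future commits and leave only real content changes to review.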
@@ -123,7 +124,7 @@ div.rbtoc1494881227442 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" href="#FAQ-WhenusingSpringAOPtoenablethingsliketransactionsandsecurity,thegeneratedWSDLisverymessedupwithwrongnamespaces,partnames,etc...">When using Spring AOP to enable things like transactions and security, the generated WSDL is very messed up with wrong namespaces, part names, etc...</a></li></ul>
 </li></ul>
 </div><h2 id="FAQ-General">General</h2><h3 id="FAQ-CanCXFrunwithJDK1.8/Java8?">Can CXF run with JDK 1.8/Java 8?</h3><p>Yes. CXF supports Java 8. The latest 3.x version is built using JDK 1.8.</p><h3 id="FAQ-CanCXFrunwithJDK1.7/Java7?">Can CXF run with JDK 1.7/Java 7?</h3><p>Yes. CXF supports Java 7. Since Java 7 contains the 2.2.x versions of both JAXB and JAX-WS API jars, using CXF with Java 7 is much easier than with Java 6.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>CXF 3.2 no longer supports Java 7 and requires Java 8 or newer. Users are strongly encouraged to start moving to Java 8.</p></div></div><h3 id="FAQ-CanCXFrunwithJDK1.6?">Can CXF run with JDK 1.6?</h3><p>JDK 1.6 incorporates the JAXB reference implementation. However, it incorporates an old version of the RI. CXF does not support th
 is version. As of 1.6_04, this is easy to deal with: you must put the versions of JAXB RI (the 'impl' and 'xjc' jars) that we include with CXF in your classpath. As of this writing, these are version 2.2.10.</p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>CXF 3.1 no longer supports Java 6 and requires Java 7 or newer.</p></div></div><p><span style="color: rgb(0,0,0);font-size: 1.4em;line-height: 1.5625;">Can CXF run with JDK 1.5?</span></p><p>Yes for CXF 2.6.x and older. Keep in mind though that Java 2 SE 5.0 with JDK 1.5 has reached end of life (<a shape="rect" class="external-link" href="http://www.oracle.com/technetwork/java/eol-135779.html" rel="nofollow">EOL</a>). CXF 2.7.x no longer supports Java 5. In order to upgrade to 2.7.x, you must be using Java 6 (or newer).</p><div class="confluence-info
 rmation-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>There is one more planned release for the 2.6.x series of CXF. After that, there are no more planned releases of CXF that will support Java 5. Users are strongly encouraged to start moving to Java 7 and to start migrating to newer versions of CXF.</p></div></div><p>&#160;</p><h3 id="FAQ-CanCXFrunwithouttheSunreferenceSAAJimplementation?">Can CXF run without the Sun reference SAAJ implementation?</h3><p>In many cases, CXF can run without an SAAJ implementation. However, some features such as JAX-WS handlers and WS-Security do require an SAAJ implementation. By default, CXF ships with the Sun SAAJ implementation, but CXF also supports axis2-saaj version 1.4.1 as an alternative. When using a Java6 JRE, CXF can also use the SAAJ implementation built into Java.</p><h3 id="FAQ-Aretherecomm
 ercialofferingsofCXFthatprovideservices,support,andadditionalfeatures?">Are there commercial offerings of CXF that provide services, support, and additional features?</h3><p>Several companies provide services, training, documentation, support, etc... on top of CXF. Some of those companies also produce products that are either based on Apache CXF or include Apache CXF. See the <a shape="rect" href="commercial-cxf-offerings.html">Commercial CXF Offerings</a> page for a list of companies and the services they provide.</p><h3 id="FAQ-IsthereanApacheCXFcertificationprogram?">Is there an Apache CXF certification program?</h3><p>No, but Oracle's <a shape="rect" class="external-link" href="http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=41&amp;p_exam_id=1Z0_862" rel="nofollow">SCDJWS</a> certification covers the web services stack and related areas. Note, that the popular SCJP certification is a prerequisite to the SCDJWS. Also, check out the <a shape="rect" class=
 "external-link" href="http://www.coderanch.com/forums/f-80/java-Web-Services-SCDJWS" rel="nofollow">SCDJWS Forum</a> at the Java Ranch for healthy discussions in regards to the certification. Study notes can be found at <a shape="rect" class="external-link" href="http://java.boot.by/scdjws5-guide/" rel="nofollow">SCDJWS 5.0 Study Guide</a>, <a shape="rect" class="external-link" href="http://en.wikibooks.org/wiki/Sun_Certified_Web_Services_Developer_Certification" rel="nofollow">WikiBooks</a> and <a shape="rect" class="external-link" href="http://www.coderanch.com/how-to/content/Exam-Objectives-5.pdf" rel="nofollow">Ivan A. Krizsan Study Notes</a>. Java Ranch also provides and information <a shape="rect" class="external-link" href="http://www.coderanch.com/how-to/java/ScdjwsLinks" rel="nofollow">page</a> in regards to the certification.</p><h2 id="FAQ-JAX-WSRelated">JAX-WS Related</h2><h3 id="FAQ-Thepartsinmygeneratedwsdlhavenamesoftheform&quot;arg0&quot;,&quot;arg1&quot;,...Whydon't
 theparts(andJavageneratedfromthem)usetheniceparameternamesItypedintotheinterfacedefinition?">The parts in my generated wsdl have names of the form "arg0", "arg1", ... Why don't the parts (and Java generated from them) use the nice parameter names I typed into the interface definition?</h3><p><strong>Official answer:</strong> The JAX-WS spec (specifically section 3.6.1) mandates that it be generated this way. To customize the name, you have to use an @WebParam(name = "blah") annotation to specify better names. (You can use @WebResult for the return value, but you'll only see the results if you look at the XML.)</p><p><strong>Reason:</strong> One of the mysteries of java is that abstract methods (and thus interface methods) do NOT get their parameter names compiled into them even with debug info. Thus, when the service model is built from an interface, there is no way to determine the names that were using in the original code.</p><p>If the service is built from a concrete class (inst
 ead of an interface) AND the class was compiled with debug info, we can get the parameter names. The simple frontend does this. However, this could cause potential problems. For example, when you go from developement to production, you may turn off debug information (remove -g from javac flags) and suddenly the application may break since the generated wsdl (and thus expect soap messages) would change. Thus, the JAX-WS spec writers went the safe route and mandate that you have to use the @WebParam annotations to specify the more descriptive names.</p><h3 id="FAQ-HowcanIaddsoapheaderstotherequest/response?">How can I add soap headers to the request/response?</h3><p>There are several ways to do this depending on how your project is written (code first or wsdl first) and requirements such as portability.</p><ol><li>The "JAX-WS" standard way to do this is to write a SOAP Handler that will add the headers to the SOAP message and register the handler on the client/server. This is complete
 ly portable from jax-ws vendor to vendor, but is also more difficult and can have performance implications. You have to handle the conversion of the JAXB objects to XML yourself. It involves having the entire soap message in a DOM which breaks streaming. Requires more memory. etc... However, it doesn't require any changes to wsdl or SEI interfaces.</li><li>JAX-WS standard "java first" way: if doing java first development, you can just add an extra parameter to the method and annotate it with @WebParam(header = true). If it's a response header, make it a Holder and add the mode = Mode.OUT to @WebParam.</li><li>wsdl first way: you can add elements to the message in the wsdl and then mark them as soap:headers in the soap:binding section of the wsdl. The wsdl2java tool will generate the @WebParam(header = true) annotations as above. With CXF, you can also put the headers in their own message (not the same message as the request/response) and mark them as headers in the soap:binding, but
  you will need to pass the -exsh true flag to wsdl2java to get the paramters generated. This is not portable to other jax-ws providers. Processing headers from other messages it optional in the jaxws spec.</li><li>CXF proprietary way: In the context (BindingProvider.getRequestContext() on client, WebServiceContext on server), you can add a List&lt;org.apache.cxf.headers.Header&gt; with the key Header.HEADER_LIST. The headers in the list are streamed at the appropriate time to the wire according to the databinding object found in the Header object. Like option 1, this doesn't require changes to wsdl or method signatures. However, it's much faster as it doesn't break streaming and the memory overhead is less.</li></ol><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">List&lt;Header&gt; headers = new ArrayList&lt;Header&gt;();
+<pre class="brush: java; gutter: false; theme: Confluence" style="font-size:12px;">List&lt;Header&gt; headers = new ArrayList&lt;Header&gt;();
 Header dummyHeader = new Header(new QName("uri:org.apache.cxf", "dummy"), "decapitated",
                                 new JAXBDataBinding(String.class));
 headers.add(dummyHeader);
@@ -135,7 +136,7 @@ context.getMessageContext().put(Header.H
 ((BindingProvider)proxy).getRequestContext().put(Header.HEADER_LIST, headers);
 </pre>
 </div></div><h3 id="FAQ-HowcanIturnonschemavalidationforjaxwsendpoint?">How can I turn on schema validation for jaxws endpoint?</h3><p>For the client side</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;jaxws:client name="{http://apache.org/hello_world_soap_http}SoapPort"
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;jaxws:client name="{http://apache.org/hello_world_soap_http}SoapPort"
         createdFromAPI="true"&gt;
         &lt;jaxws:properties&gt;
             &lt;entry key="schema-validation-enabled" value="true" /&gt;
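Review bot: The `<pre>` holding the client-side `jaxws:client` Spring configuration changes from `brush: xml` to `brush: bash`, so the schema-validation example will be highlighted as shell. The content is the same XML as before; the language on this code macro should stay xml.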
@@ -143,10 +144,10 @@ context.getMessageContext().put(Header.H
     &lt;/jaxws:client&gt;
 </pre>
 </div></div><p>You may also do this programmatically:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">((BindingProvider)port).getRequestContext().put("schema-validation-enabled", "true"); 
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">((BindingProvider)port).getRequestContext().put("schema-validation-enabled", "true"); 
 </pre>
 </div></div><p>For the server side</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;jaxws:endpoint name="{http://apache.org/hello_world_soap_http}SoapPort"
+<pre class="brush: xml; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;jaxws:endpoint name="{http://apache.org/hello_world_soap_http}SoapPort"
         wsdlLocation="wsdl/hello_world.wsdl"
         createdFromAPI="true"&gt;
         &lt;jaxws:properties&gt;
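Review bot: The programmatic example `((BindingProvider)port).getRequestContext().put("schema-validation-enabled", "true");` is Java, but its panel changes from `brush: java` to `brush: bash`; set it back to java. The server-side `jaxws:endpoint` panel in the same hunk keeps `brush: xml`, so the mislabel is per macro rather than page-wide and each retagged panel needs checking individually.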
@@ -155,17 +156,17 @@ context.getMessageContext().put(Header.H
     &lt;/jaxws:endpoint&gt;
 </pre>
 </div></div><p>Starting with CXF 2.3 you have the additional option of using the org.apache.cxf.annotations.SchemaValidation annotation.</p><h3 id="FAQ-AreJAX-WSclientproxiesthreadsafe?">Are JAX-WS client proxies thread safe?</h3><p><strong>Official JAX-WS answer:</strong> No. According to the JAX-WS spec, the client proxies are NOT thread safe. To write portable code, you should treat them as non-thread safe and synchronize access or use a pool of instances or similar.</p><p><strong>CXF answer:</strong> CXF proxies are thread safe for MANY use cases. The exceptions are:</p><ul><li><p>Use of ((BindingProvider)proxy).getRequestContext() - per JAX-WS spec, the request context is PER INSTANCE. Thus, anything set there will affect requests on other threads. With CXF, you can do:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">((BindingProvider)proxy).getRequestContext().put("thread.local.request.context", "true");
+<pre class="brush: java; gutter: false; theme: Confluence" style="font-size:12px;">((BindingProvider)proxy).getRequestContext().put("thread.local.request.context", "true");
 </pre>
 </div></div><p>and future calls to getRequestContext() will use a thread local request context. That allows the request context to be threadsafe. (Note: the response context is always thread local in CXF)</p></li></ul><ul><li>Settings on the conduit - if you use code or configuration to directly manipulate the conduit (like to set TLS settings or similar), those are not thread safe. The conduit is per-instance and thus those settings would be shared. Also, if you use the FailoverFeature and LoadBalanceFeatures, the conduit is replaced on the fly. Thus, settings set on the conduit could get lost before being used on the setting thread.</li></ul><ul><li>Session support - if you turn on sessions support (see jaxws spec), the session cookie is stored in the conduit. Thus, it would fall into the above rules on conduit settings and thus be shared across threads.</li></ul><ul><li>WS-Security tokens - If use WS-SecureConversation or WS-Trust, the retrieved token is cached in the Endpoint/Pr
 oxy to avoid the extra (and expensive) calls to the STS to obtain tokens. Thus, multiple threads will share the token. If each thread has different security credentials or requirements, you need to use separate proxy instances.</li></ul><p>For the conduit issues, you COULD install a new ConduitSelector that uses a thread local or similar. That's a bit complex though.</p><p>For most "simple" use cases, you can use CXF proxies on multiple threads. The above outlines the workarounds for the others.</p><h3 id="FAQ-Thegeneratedwsdl(GETrequestonthe?wsdladdress)doesn'tcontainthemessages,types,portType,etc...WhatdidIdowrong?">The generated wsdl (GET request on the ?wsdl address) doesn't contain the messages, types, portType, etc... What did I do wrong?</h3><p>Usually this means the wsdl at that address contains the service and binding, but uses a &lt;wsdl:import&gt; element to import another wsdl (usually at ?wsdl=MyService1.wsdl type address) that defines the types, messages, and portType.
  The cause of this is different targetNamespaces for the Service Interface (mapped to the port type) and the service implementation (mapped to the Service/Binding). By default, the targetNamespace is derived from the package of each of those, so if they are in different packages, you will see this issue. Also, if you define a targetNamespace attribute on the @WebService annotation on one of them, but not the other, you will likely see this as well. The easiest fix is to update the @WebService annotation on BOTH to have the exact same targetNamespace defined.</p><h2 id="FAQ-SpringRelated">Spring Related</h2><h3 id="FAQ-WhenusingSpringAOPtoenablethingsliketransactionsandsecurity,thegeneratedWSDLisverymessedupwithwrongnamespaces,partnames,etc...">When using Spring AOP to enable things like transactions and security, the generated WSDL is very messed up with wrong namespaces, part names, etc...</h3><p><strong>Reason:</strong> When using Spring AOP, spring injects a proxy to the bean int
 o CXF instead of the actual bean. The Proxy does not have the annotations on it (like the @WebService annotation) so we cannot query the information directly from the object like we can in the non-AOP case. The "fix" is to also specify the actual serviceClass of the object in the spring config:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;jaxws:server 
+<pre class="brush: xml; gutter: false; theme: Confluence" style="font-size:12px;">&lt;jaxws:server 
       id="myService" 
       serviceClass="my.package.MyServiceImpl" 
       serviceBean="#myServiceImpl" 
       address="/MyService" /&gt; 
 </pre>
 </div></div><p>or:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;jaxws:endpoint
+<pre class="brush: xml; gutter: false; theme: Confluence" style="font-size:12px;">&lt;jaxws:endpoint
       id="myService" 
       implementorClass="my.package.MyServiceImpl" 
       implementor="#myServiceImpl" 

Modified: websites/production/cxf/content/fediz-configuration.html
==============================================================================
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Tue Sep 12 19:09:41 2017
@@ -109,7 +109,7 @@ Apache CXF -- Fediz Configuration
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizConfiguration-FedizPluginconfiguration">Fediz Plugin configuration</h1><p>This page describes the Fediz configuration file referenced by the security interceptor of the Servlet Container (eg. authenticator in Tomcat/Jetty).</p><p>The Fediz configuration information is used to publish the federation Metadata document which is described <a shape="rect" href="fediz-metadata.html">here</a></p><h3 id="FedizConfiguration-Example">Example</h3><p>The following example shows the minimum configuration for Fediz.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;
 &lt;FedizConfig&gt;
     &lt;contextConfig name="/fedizhelloworld"&gt;
         &lt;audienceUris&gt;
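Review bot: The minimal Fediz example opens with an XML declaration and a `FedizConfig` element, yet its panel is retagged from `brush: xml` to `brush: bash`. This is the configuration readers copy when setting up the plugin (the visible part already includes `audienceUris`), so it should render as XML; restore the xml language on the macro.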
@@ -130,7 +130,7 @@ Apache CXF -- Fediz Configuration
 &lt;/FedizConfig&gt;
 </pre>
 </div></div><p>The protocol element declares that the WS-Federation protocol is being used. The issuer element shows the URL to which authenticated requests will be redirected with a SignIn request.</p><p>The IDP issues a SAML token which must be validated by the plugin. The validation requires the certificate store of the Certificate Authority(ies) of the certificate which signed the SAML token. This is defined in <code>certificateStore</code>. The signing certificate itself is not required because <code>certificateValidation</code> is set to <code>ChainTrust</code>. The <code>subject</code> defines the trusted signing certificate using the subject as a regular expression.<br clear="none"> Finally, the audience URI is validated against the audience restriction in the SAML token.</p><h3 id="FedizConfiguration-Configurationreference">Configuration reference</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>XML el
 ement</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Audience URI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The values of the list of audience URIs are verified against the element <code>AudienceRestriction</code> in the SAML token</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>certificateStores</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Trusted certificate store</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The list of keystores (JKS, PEM) includes at least the certificate of the Certif
 icate Authorities (CA) which signed the certificate which is used to sign the SAML token.<br clear="none"> If the file location is not fully qualified it needs to be relative to the Container home directory</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>trustedIssuers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Trusted Issuers</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (<code>certificateValidation=ChainTrust</code>) or you configure the certificate of the IDP and the CA(s) who signed it (<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>maximumClockSkew</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Maximum Clock Skew</p></td><td colspan="1"
  rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Maximum allowable time difference between the system clocks of the IDP and RP.<br clear="none"> Default 5 seconds.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenReplayCache</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Token Replay Cache</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?view=markup">TokenReplayCache</a> implementation to use to cache tokens. The default is an implementation based on EHCache.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>signingKey</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Key for Signature</p></td><td colspan="1" rowspan=
 "1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>If configured, the published (WS-Federation) <a shape="rect" href="fediz-metadata.html">Metadata document</a> is signed by this key. Otherwise, not signed.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenDecryptionKey</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Decryption Key</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>A Keystore used to decrypt an encrypted token.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">tokenExpirationValidation</td><td colspan="1" rowspan="1" class="confluenceTd">Token Expiration Validation</td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" class="confluenceTd"><p>Decision whether the token validation (e.g. lifetime) shall be performed on every request (true) or only once at i
 nitial authentication (false). The default is "false".</p></td></tr></tbody></table></div><h5 id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation protocol configuration reference</h5><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Issuer URL</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>PassiveRequestorEndpoint</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>This URL defines the lo
 cation of the IDP to whom unauthenticated requests are redirected</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TargetScope</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Security realm of the Relying Party / Application. This value is part of the SignIn request as the <code>wtrealm</code> parameter.<br clear="none"> Default: URL including the Servlet Context</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Authentication Type</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The authentication type defines what k
 ind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter <code>wauth</code>)<br clear="none"> The WS-Federation standard defines a list of predefined URIs for wauth <a shape="rect" class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997" rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>roleURI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Role Claim URI</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Defines the attribute name of the SAML token which contains the roles.<br clear="none"> Required for Role Based Access Control.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>roleDelimiter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>
 Role Value Delimiter</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>There are different ways to encode multi value attributes in SAML.</p><ul><li>Single attribute with multiple values</li><li>Several attributes with the same name but only one value</li><li>Single attribute with single value. Roles are delimited by <code>roleDelimiter</code></li></ul></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>claimTypesRequested</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Requested claims</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ClaimTypesRequested</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the 
 IDP the issuance of the token should fail</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Home Realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the <code>whr</code> parameter</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Freshness</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The desired "freshness" of the tok
 en from the IdP. This information is provided in the SignInRequest to the IdP (parameter <code>wfresh</code>)</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">request</td><td colspan="1" rowspan="1" class="confluenceTd">Request</td><td colspan="1" rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" class="confluenceTd">NA</td><td colspan="1" rowspan="1" class="confluenceTd">This value is part of the SignIn request as the wreq parameter. It can be used to specify a desired TokenType from the IdP.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>tokenValidators</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>TokenValidators</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Custom Token validator classes can be configured here. The SAML Token validator is enabled by default.<br cl
 ear="none"> See example <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java">here</a></p></td></tr></tbody></table></div><h5 id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at runtime</h5><p>The following attributes can be either configured statically at deployment time or dynamically when the initial request is received:</p><ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li></ul><p>These configuration elements allows for configuring a CallbackHandler which gets a Callback object where the appropriate value must be set. The CallbackHandler implementation has access to the HttpServletRequest. The XML attribute <code>type</code> must be set to <code>Class</code>.</p><p>For more information see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3 id="FedizConfiguration-Advancedexample">Advanced example</h3
 ><p>The following example defines the required claims and configures a custom callback handler to define some configuration values at runtime.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;
 &lt;FedizConfig&gt;
     &lt;contextConfig name="/fedizhelloworld"&gt;
         &lt;audienceUris&gt;
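Review bot: The '+' line retags the Advanced example from 'brush: xml' to 'brush: bash', but the block is a FedizConfig document that opens with an XML declaration, so SyntaxHighlighter will treat it as shell. Keep 'brush: xml' on this pre element; if the retagging comes from the Confluence export, the code macro language on the wiki page is the place to fix it.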

Modified: websites/production/cxf/content/fediz-cxf.html
==============================================================================
--- websites/production/cxf/content/fediz-cxf.html (original)
+++ websites/production/cxf/content/fediz-cxf.html Tue Sep 12 19:09:41 2017
@@ -32,8 +32,9 @@
 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
   SyntaxHighlighter.all();
@@ -110,7 +111,7 @@ Apache CXF -- Fediz CXF
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizCXF-CXFPlugin(1.1/1.2)">CXF Plugin (1.1/1.2)</h1><p>The Fediz plugin for CXF contains two separate pieces of functionality. The first is a CallbackHandler that allows the SAML Token of the Web SSO session to be used by the CXF Web Services Stack, i.e. for delegation (available since 1.1). The second is a full WS-Federation RP plugin based solely on Apache CXF JAX-RS, which is container independent (available since 1.2.0).</p><h2 id="FedizCXF-CXFPluginsupportforWS-Federation">CXF Plugin support for WS-Federation</h2><p>The new CXF plugin for WS-Federation available from Fediz 1.2.0 means that it is now possible to add support for WS-Federation to your JAX-RS CXF service without having to specify a container-specific plugin. Here is an example Spring based configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF spring configuration</b></div><div cl
 ass="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="serviceBean" class="org.apache.cxf.fediz.example.Service"&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;bean id="serviceBean" class="org.apache.cxf.fediz.example.Service"&gt;
 &lt;/bean&gt;
    
 &lt;bean id="fedizFilter" class="org.apache.cxf.fediz.cxf.plugin.FedizRedirectBindingFilter"&gt;
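Review bot: The 'CXF spring configuration' block on the '+' line consists of Spring bean definitions, yet it is now tagged 'brush: bash'; the previous 'brush: java' was wrong for it as well. This page loads shBrushXml.js, so 'brush: xml' is the tag to use here.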
@@ -136,7 +137,7 @@ Apache CXF -- Fediz CXF
     &lt;/jaxrs:inInterceptors&gt;
 &lt;/jaxrs:server&gt;</pre>
 </div></div><p>Here we have a JAX-RS service which is secured via the SecureAnnotationsInterceptor. For example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Service Bean</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">@Path("/secure/")
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">@Path("/secure/")
 @Produces("text/html")
 public class Service {
     @Context
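Review bot: The 'CXF Service Bean' block is a Java class ('@Path', '@Produces', 'public class Service') and was correctly tagged 'brush: java'; the '+' line moves it to 'brush: bash'. Revert the brush for this block, since shBrushJava.js is still loaded by the page.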
@@ -151,14 +152,14 @@ public class Service {
     ...
 }</pre>
 </div></div><p>The FedizRedirectBindingFilter is instantiated with a link to the Fediz plugin configuration and is added as a JAX-RS provider.</p><h2 id="FedizCXF-DelegationScenario">Delegation Scenario</h2><p>The subproject Fediz purpose is to provide Single Sign On for Web Applications which is independent of an underlying Web Services framework like Apache CXF. The Fediz plugins for Tomcat, Jetty, etc. are independent of Apache CXF, whereas the Fediz IDP leverages the capabilities of the CXF STS to issue SAML tokens with Claims information to build applications which use Claims Based Authorization with all the benefits.</p><p>If the Fediz protected web application integrates with another application using Web Services you need to bundle a Web Services framework like Apache CXF with your web application. If it is required to support impersonation to call the Web Service, the security context of the application server must be delegated to the Web Services stack thus it can make the
  Web Service call on behalf of the browser user.</p><p>In release 1.1, the Fediz CXF plugin supports delegating the application server security context (SAML token) to the STS client of CXF. CXF is then able to request a security token for the target Web Service from the STS on behalf of the browser user. Prior to release 1.1, this Java code had to be developed by the application developer.</p><p>It is required that one of the other Fediz plugins are deployed to WS-Federation enable the application. After this step, the Fediz CXF plugin can be installed to integrate the Web SSO layer with the Web Services stack of Apache CXF.</p><h3 id="FedizCXF-Installation">Installation</h3><p>It's recommended to use Maven to resolve the dependencies as illustrated in the the example <code>wsclientWebapp</code>.</p><div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>pom.xm
 l</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;dependency&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;dependency&gt;
         &lt;groupId&gt;org.apache.cxf.fediz&lt;/groupId&gt;
         &lt;artifactId&gt;fediz-cxf&lt;/artifactId&gt;
         &lt;version&gt;1.1.0&lt;/version&gt;
     &lt;/dependency&gt;
 </pre>
 </div></div><p>The example contains a README with instructions for building and deployment.</p><h3 id="FedizCXF-Configuration">Configuration</h3><p>Two configurations are required in <code>web.xml</code> to enable the <code>FederationFilter</code> to cache the security context in the thread local storage and in the spring configuration file <code>applicationContext.xml</code> to configure a callback handler to provide the STS client the security context stored in the thread local storage.</p><div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>web.xml</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;filter&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;filter&gt;
         &lt;filter-name&gt;FederationFilter&lt;/filter-name&gt;
         &lt;filter-class&gt;org.apache.cxf.fediz.core.servlet.FederationFilter&lt;/filter-class&gt;
     &lt;/filter&gt;
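Review bot: Both pre blocks changed in this hunk, the pom.xml dependency and the web.xml filter declaration, are XML and lose 'brush: xml' in favour of 'brush: bash'; keep 'brush: xml' on both. In the surrounding context, 'as illustrated in the the example' has a doubled 'the', and 'one of the other Fediz plugins are deployed to WS-Federation enable the application' would read better as 'is deployed to WS-Federation-enable the application'.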
@@ -169,7 +170,7 @@ public class Service {
     &lt;/filter-mapping&gt;
 </pre>
 </div></div><p>The <code>FederationFilter</code> is part of the library <code>fediz-core</code>.</p><div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext.xml</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;bean id="delegationCallbackHandler"
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;bean id="delegationCallbackHandler"
         class="org.apache.cxf.fediz.cxf.web.ThreadLocalCallbackHandler" /&gt;
 
     &lt;jaxws:client id="HelloServiceClient" serviceName="svc:GreeterService"
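Review bot: The applicationContext.xml block ('delegationCallbackHandler' bean and 'jaxws:client' element) goes from 'brush: xml' to 'brush: bash' on the '+' line. It is Spring XML, so the original tag should stay.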
@@ -189,7 +190,7 @@ public class Service {
 
 </pre>
 </div></div><p>The <code>ThreadLocalCallbackHandler</code> is part of the library <code>fediz-cxf</code>.</p><p>If you have set the property <code>ws-security.cache.issued.token.in.endpoint</code> to false, CXF will cache the issued token per security context dependent on the returned lifetime element of the STS. When the cached token for the target web services is expired, CXF will request a new token from the STS on-behalf-of the cached Fediz security context.</p><p>There is no special Java code required to get this functionality as illustrated in the following code snippet:</p><div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
     String reply = service.greetMe();
 </pre>
 </div></div></div>
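Review bot: The FederationServlet.java snippet on the '+' line is Java (a cast of the 'HelloServiceClient' bean and a call to 'greetMe()') and should keep 'brush: java' rather than 'brush: bash'. The context paragraph above it documents token caching only for the case where 'ws-security.cache.issued.token.in.endpoint' is set to false; it does not say what the default is or how tokens are cached when the property is left unset, which is worth stating on a page about calling a service on behalf of the browser user.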

Modified: websites/production/cxf/content/fediz-downloads.html
==============================================================================
--- websites/production/cxf/content/fediz-downloads.html (original)
+++ websites/production/cxf/content/fediz-downloads.html Tue Sep 12 19:09:41 2017
@@ -32,6 +32,7 @@
 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
+<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
 <script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
@@ -109,14 +110,14 @@ Apache CXF -- Fediz Downloads
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizDownloads-Releases">Releases</h1><h2 id="FedizDownloads-1.4.1">1.4.1</h2><p>The 1.4.1 release is our latest release. For more information please see the <a shape="rect" class="external-link" href="https://issues.apache.org/jira/projects/FEDIZ/versions/12340452">release notes</a>.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip">
 fediz-1.4.1-source-release.zip</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip.md5">fediz-1.4.1-source-release.zip.md5</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip.sha1">fediz-1.4.1-source-release.zip.sha1</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.4.1/fediz-1.4.1-source-release.zip.asc">fediz-1.4.1-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2 id="FedizDownloads-1.3.2">1.3.2</h2><p>The 1.3.2 release is our latest release of the 1.3.x branch. For more information please see the <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/FEDIZ/fixforversion/12338091">rele
 ase notes</a>.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>File</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>MD5</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>SHA1</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>PGP</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>Source distribution</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="http://www.apache.org/dyn/closer.lua?path=/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip">fediz-1.3.2-source-release.zip</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.md5">fediz-1.3.2-source-release.zip.md5</a></p></td><td colspan="1" rowspan="1" class="conflu
 enceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.sha1">fediz-1.3.2-source-release.zip.sha1</a></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/fediz/1.3.2/fediz-1.3.2-source-release.zip.asc">fediz-1.3.2-source-release.zip.asc</a></p></td></tr></tbody></table></div><h2 id="FedizDownloads-VerifyingReleases">Verifying Releases</h2><p>When downloading from a mirror please check the SHA1/MD5 checksums as well as verifying the OpenPGP compatible signature available from the main Apache site. The <a shape="rect" class="external-link" href="https://www.apache.org/dist/cxf/KEYS">KEYS</a> file contains the public keys used for signing the release. It is recommended that a web of trust is used to confirm the identity of these keys.</p><p>You can check the OpenPGP signature with GnuPG via:</p><p>&#160;</p><div class="code panel 
 pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">gpg --import KEYS
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">gpg --import KEYS
 gpg --verify apache-fediz-*.zip.asc
 </pre>
 </div></div><p>You can check the MD5 checksum with:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">md5sum --check apache-fediz-*.zip.md5
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">md5sum --check apache-fediz-*.zip.md5
 </pre>
 </div></div><p>You can check the SHA1 checksum with:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">sha1sum --check apache-fediz-*.zip.sha1
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">sha1sum --check apache-fediz-*.zip.sha1
 </pre>
 </div></div><h1 id="FedizDownloads-Previousreleases">Previous releases</h1><p>Previous releases are all archived in the apache archive: <a shape="rect" class="external-link" href="http://archive.apache.org/dist/cxf/fediz">http://archive.apache.org/dist/cxf/fediz</a></p><h1 id="FedizDownloads-Snapshots">Snapshots</h1><div class="confluence-information-macro confluence-information-macro-information"><p class="title">Warning about snapshots</p><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>These are snapshot builds - untested builds provided for your convenience. They have not been tested, and are not official releases of the Apache CXF Fediz project or the Apache Software Foundation.</p></div></div><p>1.4.1 <a shape="rect" class="external-link" href="https://repository.apache.org/content/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.4.1-SNAPSHOT/">https://repository.apache.org/co
 ntent/groups/snapshots/org/apache/cxf/fediz/apache-fediz/1.4.1-SNAPSHOT/</a></p><h1 id="FedizDownloads-Maven2Repositories">Maven 2 Repositories</h1><p>If you use Maven 2 for building your applications, Apache CXF Fediz artifacts are available from the following repository URLS:</p><h3 id="FedizDownloads-Releases:">Releases:</h3><p>All supported CXF releases are synced into the Maven central repository: <a shape="rect" class="external-link" href="http://repo1.maven.org/maven2/" rel="nofollow">http://repo1.maven.org/maven2/</a></p><h3 id="FedizDownloads-Snapshots:">Snapshots:</h3><p>Snapshots are available in Apache's Maven snapshot repository: <a shape="rect" class="external-link" href="http://repository.apache.org/snapshots">http://repository.apache.org/snapshots</a></p></div>
            </div>
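Review bot: The three verification commands glob 'apache-fediz-*.zip.asc', 'apache-fediz-*.zip.md5' and 'apache-fediz-*.zip.sha1', but the release tables in the same hunk link 'fediz-1.4.1-source-release.zip' and 'fediz-1.3.2-source-release.zip' with their '.asc', '.md5' and '.sha1' companions, so the commands as printed will not match the files a reader has just downloaded. Adjust the globs to the published names (for example 'fediz-*-source-release.zip.asc'). The switch from 'brush: java' to 'brush: bash' is correct for these blocks. Since only MD5 and SHA1 digests are published, the 'Verifying Releases' text could say explicitly that the OpenPGP signature checked against KEYS is what establishes authenticity, with the digests serving as a transfer-integrity check. The Snapshots section also links a 1.4.1-SNAPSHOT directory while 1.4.1 is listed as the latest release, which looks stale.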

Modified: websites/production/cxf/content/fediz-extensions.html
==============================================================================
--- websites/production/cxf/content/fediz-extensions.html (original)
+++ websites/production/cxf/content/fediz-extensions.html Tue Sep 12 19:09:41 2017
@@ -32,6 +32,7 @@
 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
+<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
 <script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
@@ -109,7 +110,7 @@ Apache CXF -- Fediz Extensions
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizExtensions-FedizExtensions">Fediz Extensions</h1><p>This page describes the extension points in Fediz to enrich its functionality further.</p><h3 id="FedizExtensions-CallbackHandler">Callback Handler</h3><p>The Sign-In request (Redirect URL) to the IDP contains several query parameters to customize the sign in process. Some parameters are configured statically in the <a shape="rect" href="fediz-configuration.html">Fediz configuration file</a> some others can be resolved at runtime when the initial request is received by the Fediz plugin.</p><p>The following table gives an overview of the parameters which can be resolved at runtime. It contains the XML element name of the Fediz configuration file, the query parameter name of the sign-in request to the IDP as well as the Callback class.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>XML element</p></th><th colspan="1" row
 span="1" class="confluenceTh"><p>Query parameter</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Callback class</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Supported version</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>wauth</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>WAuthCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>whr</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>HomeRealmCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>N.A.</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>IDPCallback</
 p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.0.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>wfresh</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>FreshnessCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.0.2</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>wtrealm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RealmCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.1.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>N.A.</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>any</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>SignInQueryCallback</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>1.1.0</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">request</
 td><td colspan="1" rowspan="1" class="confluenceTd">wreq</td><td colspan="1" rowspan="1" class="confluenceTd">WReqCallback</td><td colspan="1" rowspan="1" class="confluenceTd">1.1.1</td></tr></tbody></table></div><p>If you configure a class which implements the interface <code>javax.security.auth.callback.CallbackHandler</code> you get the corresponding Callback object where you must set the value which is then added to the query parameter. The Callback object provides the <code>HttpServletRequest</code> object which might give you the required information to resolve the value.</p><p>Here is a snippet of the configuration to configure a CallbackHandler:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">...
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">...
         &lt;protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="federationProtocolType" version="1.2"&gt;
             ...
             &lt;homeRealm type="Class" value="MyCallbackHandler " /&gt;
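Review bot: In the context line for the homeRealm element, 'value="MyCallbackHandler "' carries a trailing space inside the attribute value; unless the configuration loader trims it, a reader who copies the snippet ends up with a class name that does not resolve. Drop the space. The '+' line also tags this XML fragment 'brush: bash' (it was 'brush: java' before); 'brush: xml' is the fitting tag, and on this page that additionally requires loading shBrushXml.js, which the script hunk for this file does not include.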
@@ -118,7 +119,7 @@ Apache CXF -- Fediz Extensions
 ...
 </pre>
 </div></div><p>And a sample implementation of the CallbackHandler:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public class MyCallbackHandler implements CallbackHandler {
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">public class MyCallbackHandler implements CallbackHandler {
     
     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
         for (int i = 0; i &lt; callbacks.length; i++) {
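Review bot: MyCallbackHandler is Java source, and the '+' line changes its tag from 'brush: java' to 'brush: bash'. Keep 'brush: java'; shBrushJava.js is still loaded by this page.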

Modified: websites/production/cxf/content/fediz-idp-11.html
==============================================================================
--- websites/production/cxf/content/fediz-idp-11.html (original)
+++ websites/production/cxf/content/fediz-idp-11.html Tue Sep 12 19:09:41 2017
@@ -32,8 +32,9 @@
 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
   SyntaxHighlighter.all();
@@ -110,15 +111,15 @@ Apache CXF -- Fediz IDP 1.1
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizIDP1.1-FedizIDP">Fediz IDP</h1><p><em>Note:</em> Fediz IDP 1.0 is described <a shape="rect" href="fediz-idp.html">here </a>.</p><p>The Release 1.1 introduces the following new feature:</p><ul><li>Federation Metadata<br clear="none"> The IDP supports publishing the WS-Federation Metadata document which allows to more easily integrate the IDP into platforms which support referencing a Metadata document. Metadata consists of the signing certificate, the provided claims, etc.</li></ul><ul><li>Spring Web Flow support<br clear="none"> The IDP has been refactored to use Spring Web Flow to manage the federation flow. This provides flexibility to be able to customize the IDP to company's specific requirements. The IDP is secured by Spring Security to get the benefits and flexibility of Spring Security.</li></ul><ul><li>Resource IDP and Home Realm Discovery<br clear="none"> This is the major new feature. The IDP is able to figure out from which securit
 y domain/realm the browser request is coming from to redirect the sign-in request to the requestor IDP which does the authentication and issues a token which is sent to the Resource IDP. The Resource IDP will then either map the principal from one security domain to the target security domain and get claims information of the mapped principal or transform the claims information and finally issue a new token for the relying party (application).</li></ul><p>The Fediz Identity Provider (IDP) consists of two WAR files. One is the Security Token Service (STS) component, fediz-idp-sts.war, which is responsible for validating credentials, getting the requested claims data and issuing a SAML token. There is no easy way for Web browsers to issue SOAP requests to the STS directly, necessitating the second component, an IDP WAR (fediz-idp.war) which allows browser-based applications to interact with the STS. The communication between the browser and the IDP must be performed within the confine
 s of the base HTTP 1.1 functionality and conform as closely as possible to the WS-Trust protocols semantic.</p><p>The Fediz STS is based on a customized CXF STS configured to support standard Federation use cases demonstrated by the examples. The Fediz STS has been enhanced to support two realms *Realm-A* and *Realm-B* with the following set of users:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>User</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Password</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm A</em></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>alice</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ecila</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>bob</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>bob</p></td></tr><tr>
 <td colspan="1" rowspan="1" class="confluenceTd"><p>ted</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>det</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><em>Realm B</em></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>ALICE</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>ECILA</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>BOB</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>BOB</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>TED</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>DET</p></td></tr></tbody></table></div><p>The Fediz IDP doesn't support several realms within one WAR which requires to build a Fediz IDP WAR for Realm A (default, shipped with Fediz Distribution) and Realm B. See below how to build a Fediz IDP WAR for a specific realm.</p><h3 id="FedizIDP1.1-Installation">Insta
 llation</h3><p>The Fediz IDP has been tested with Tomcat 6 and 7 but should be able to work with any commercial JEE application server.</p><p>It's recommended to set up a dedicated (separate) Tomcat instance for the IDP compared to the one hosting the RP (relying party) applications. Using one deployment of Tomcat with multiple CATALINA_BASE instances, as described <a shape="rect" class="external-link" href="http://www.shaunabram.com/multiple-tomcat-instances/" rel="nofollow">here</a> is one option but note any libs in $CATALINA_HOME/lib folder will be shared throughout each of the activated CATALINA_BASE instances. Another probably simpler alternative is to copy your Tomcat folder into a second location and edit its conf/server.xml file and <a shape="rect" class="external-link" href="http://viralpatel.net/blogs/2009/08/running-multiple-instance-apache-tomcat-single-server.html" rel="nofollow">change port values</a> (discussed below) so they don't conflict with the original Tomcat i
 nstallation.</p><p>To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/startup.sh
 </pre>
 </div></div><p>and</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/shutdown.sh
 </pre>
 </div></div><p>If you're using the one Tomcat with multiple instance option, it's $CATALINA_BASE instead that will need to be redefined above.</p><h5 id="FedizIDP1.1-Tomcatserver.xmlconfiguration">Tomcat server.xml configuration</h5><p>The Fediz examples use the following Tomcat port values for the IDP/STS, defined in the conf/server.xml file. We use ports different from the Tomcat defaults so as not to conflict with the Tomcat instance running the RP applications.</p><ul><li>HTTP port: 9080 (used for Maven deployment, mvn tomcat:redeploy)</li><li>HTTPS port: 9443 (where IDP and STS are accessed)</li><li>Server port: 9005 (for shutdown and other commands)</li></ul><p>Here is a sample snippet for showing the configuration of the above three values:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;Server port="9005" shutdown="SHUTDOWN"&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;Server port="9005" shutdown="SHUTDOWN"&gt;
 ...
 
    &lt;!-- http configuration --&gt;
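Review bot: Of the three pre blocks changed in this hunk, the two CATALINA_HOME scripts are shell and 'brush: bash' is correct for them, but the server.xml block that begins with the Server element on port 9005 is XML and should stay 'brush: xml'. In the context text, the Realm A / Realm B table publishes accounts whose passwords are the reversed or repeated user name (alice/ecila, bob/bob) without saying they are demo accounts; the page already carries a development-only warning for the sample keystores further down, and the same kind of note would fit next to this table.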
@@ -141,7 +142,7 @@ $CATALINA_HOME/bin/shutdown.sh
 &lt;/Server&gt;
 </pre>
 </div></div><p>The keystoreFile is relative to $CATALINA_BASE. See <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html">here</a> for the Tomcat 7 configuration reference. This page also describes how to create certificates. Sample Tomcat keystores (not for production use, but useful for demoing Fediz and running the sample applications) are provided in the examples/samplekeys folder of the Fediz distribution.</p><p>To establish trust, there are significant keystore/truststore requirements between the Tomcat instances and the various web applications (IDP, STS, Relying party applications, third party web services, etc.) See <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&amp;view=co">this page</a> for more details, it lists the trust requirements as well as sample scripts for creating your own (self-signed) keys.</p><p><s
 trong>Warning: All sample keystores provided with Fediz (including in the WAR files for its services and examples) are for development/prototyping use only. They'll need to be replaced for production use, at a minimum with your own self-signed keys but strongly recommended to use third-party signed keys.</strong></p><h5 id="FedizIDP1.1-BuildtheIDPWAR">Build the IDP WAR</h5><p>The Fediz 1.1 distribution ships one Fediz IDP WAR built for Realm-A by default. The distribution also contains the IDP and STS sources with two Maven Profiles <em>realm-a</em> and <em>realm-b</em>. More information is provided in the <code>README.txt</code> <a shape="rect" class="external-link" href="http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/services/idp/README.txt?view=co">here</a></p><p>Once you deploy the IDP WAR files to your Tomcat installation (&lt;catalina.home&gt;/webapps), you should be able to see the Fediz STS from a browser. Assuming port 9080 as listed above, the STS WSDL is availabl
 e at:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Version</th><th colspan="1" rowspan="1" class="confluenceTh"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">STS</a> WSDL location</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.0.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/STSService?wsdl</a></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">Fediz 1.1.x</td><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="http://localhost:9080/fediz-idp-sts/STSService?wsdl" rel="nofollow">http://localhost:9080/fediz-idp-sts/</a><a shape="rect" class="external-link" href="https://localhost:9443/fediz-idp-sts/REALMA/STSServiceTransp
 ort?wsdl" rel="nofollow">REALMA/STSServiceTransport?wsdl</a></td></tr></tbody></table></div><h3 id="FedizIDP1.1-Configuration">Configuration</h3><p>You can manage the users, their claims and the claims per application in the IDP.</p><h5 id="FedizIDP1.1-Userandpassword">User and password</h5><p>The users and passwords are configured in a Spring configuration file in <code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following users are already configured for the <em>Realm A</em> and can easily be extended.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;util:map id="REALMA"&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;util:map id="REALMA"&gt;
         &lt;entry key="alice" value="ecila" /&gt;
         &lt;entry key="bob" value="bob" /&gt;
         &lt;entry key="ted" value="det" /&gt;
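Review bot: Missing documentation around the passwords.xml block: the preconfigured users shown here (alice/ecila, bob/bob, ted/det) are documented as "already configured" with no caveat, while the keystore paragraph just above carries an explicit development-only warning. Suggest adding an equivalent sentence saying these sample accounts must be removed or replaced before production use. The util:map block is also Spring XML and should stay brush: xml rather than brush: bash.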
@@ -154,7 +155,7 @@ $CATALINA_HOME/bin/shutdown.sh
     &lt;/util:map&gt;
 </pre>
 </div></div><h5 id="FedizIDP1.1-UserClaims">User Claims</h5><p>The claims of each user are configured in a spring configuration file <code>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</code>. The following claims are already configured:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">  &lt;util:map id="userClaimsREALMA"&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">  &lt;util:map id="userClaimsREALMA"&gt;
     &lt;entry key="alice"
       value-ref="REALMA_aliceClaims" /&gt;
     &lt;entry key="bob"
@@ -175,7 +176,7 @@ $CATALINA_HOME/bin/shutdown.sh
   &lt;/util:map&gt;
 </pre>
 </div></div><p>The claim id's are configured according to Section 7.5 in the specification <a shape="rect" class="external-link" href="http://docs.oasis-open.org/imi/identity/v1.0/identity.html" rel="nofollow">Identity Metasystem Interoperability</a>. The mapping of claims to a SAML attribute statement are described in Section 7.2.</p><h5 id="FedizIDP1.1-IDPconfiguration">IDP configuration</h5><p>The IDP configuration is done in the new configuration file <code>idp-config-&lt;realm&gt;.xml</code> which is illustrated below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig"&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.model.IDPConfig"&gt;
         &lt;property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" /&gt;
         &lt;property name="uri" value="realma" /&gt;
         &lt;!--&lt;property name="hrds" value="" /&gt;--&gt; &lt;!-- TBD, not defined, provide list if enabled --&gt;
@@ -211,7 +212,7 @@ $CATALINA_HOME/bin/shutdown.sh
     &lt;/bean&gt;
 </pre>
 </div></div><h5 id="FedizIDP1.1-RelyingParty/Applicationconfiguration">Relying Party / Application configuration</h5><p><em>Note: The configuration file</em> <code><em>RPClaims.xml</em></code> <em>has been replaced</em></p><p>The application related configuration like required claims are configured in the new IDP configuration file <code>idp-config-&lt;realm&gt;.xml</code> which has been enhanced to support other configuration parameters as well:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">    &lt;bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig"&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.model.ServiceConfig"&gt;
         &lt;property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" /&gt;
         &lt;property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" /&gt;
         &lt;property name="serviceDisplayName" value="Fedizhelloworld" /&gt;
@@ -242,7 +243,7 @@ $CATALINA_HOME/bin/shutdown.sh
     &lt;/bean&gt;
 </pre>
 </div></div><h5 id="FedizIDP1.1-TrustedIDPconfiguration">Trusted IDP configuration</h5><p>This feature is new in Fediz IDP 1.1 and allows to redirect a SignIn Request to a trusted IDP. The following configuration is required:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">    &lt;bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig"&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">    &lt;bean id="trusted-idp-realmB" class="org.apache.cxf.fediz.service.idp.model.TrustedIDPConfig"&gt;
         &lt;property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" /&gt;
         &lt;property name="url" value="https://localhost:12443/fediz-idp-remote/federation" /&gt;
         &lt;property name="certificate" value="realmb.cert" /&gt;
@@ -254,7 +255,7 @@ $CATALINA_HOME/bin/shutdown.sh
     &lt;/bean&gt;
 </pre>
 </div></div><h3 id="FedizIDP1.1-ConfigureLDAPdirectory">Configure LDAP directory</h3><p>The Fediz IDP can be configured to attach an LDAP directory to authenticate users and to retrieve claims information of users.</p><h5 id="FedizIDP1.1-Usernameandpasswordauthentication">Username and password authentication</h5><p>WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">myldap {
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">myldap {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
  authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
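Review bot: The jaas.config sample in this hunk has an unbalanced quote on the userProvider line: the value ends with a double quote after DC=org but has no opening quote after the equals sign, unlike the authIdentity line below it. Since the block is being touched anyway, suggest fixing it to userProvider="ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org" so that a copy-pasted file parses. A JAAS login configuration is not shell either, so brush: bash is no better a fit than the old brush: java; a plain text brush would be more accurate.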
@@ -263,12 +264,12 @@ $CATALINA_HOME/bin/shutdown.sh
 };
 </pre>
 </div></div><p>You can get more information about this LoginModule <a shape="rect" class="external-link" href="http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html" rel="nofollow">here</a>.</p><p>In this example, all the users are stored in the organization unit Users within mycompany.org. The configuration filename can be chosen, e.g. <code>jaas.config</code>. The filename must be configured as a JVM argument. JVM related configurations for Tomcat can be done in the file <code>setenv.sh/bat</code> located in directory <code>tomcat/bin</code>. This script is called implicitly by <code>catalina.bat/sh</code> and might look like this for UNIX:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">#!/bin/sh
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">#!/bin/sh
 JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
 export JAVA_OPTS
 </pre>
 </div></div><p>Next, the STS endpoint has to be configured to use the JAAS LoginModule which is accomplished by the <code>JAASUsernameTokenValidator</code>.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;bean
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;bean
   class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
       id="jaasUTValidator"&gt;
    &lt;property name="contextName" value="myldap"/&gt;
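Review bot: In the setenv.sh sample carried in this hunk, the JAVA_OPTS line assigns rather than appends, so any JAVA_OPTS already present in the environment is discarded when catalina.sh picks the script up. Suggest JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config". The java-to-bash brush change is correct for this script, but the JAASUsernameTokenValidator bean that follows is XML and should keep brush: xml.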
@@ -289,7 +290,7 @@ export JAVA_OPTS
 &lt;/jaxws:endpoint&gt;
 </pre>
 </div></div><p>The property <code>contextName</code> must match the context name defined in the JAAS configuration file which is <code>myldap</code> in this example.</p><h5 id="FedizIDP1.1-Claimsmanagement">Claims management</h5><p>When a STS client (IDP) requests a claim, the ClaimsManager in the STS checks every registered ClaimsHandler who can provide the data of the requested claim. The CXF STS provides <code>org.apache.cxf.sts.claims.LdapClaimsHandler</code> which is a claims handler implementation to get claims from user attributes in a LDAP directory.</p><p>You configure which claim URI maps to which LDAP user attribute. The implementation uses the Spring Ldap Module (LdapTemplate).</p><p>The following example illustrate the changes to be made in <code>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</code>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;util:list id="claimHandlerList"&gt;
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">&lt;util:list id="claimHandlerList"&gt;
   &lt;ref bean="ldapClaimsHandler" /&gt;
 &lt;/util:list&gt;
 

Modified: websites/production/cxf/content/fediz-idp.html
==============================================================================
--- websites/production/cxf/content/fediz-idp.html (original)
+++ websites/production/cxf/content/fediz-idp.html Tue Sep 12 19:09:41 2017
@@ -32,8 +32,9 @@
 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
   SyntaxHighlighter.all();
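Review bot: The script block now loads shBrushBash.js and moves shBrushJava.js after shBrushXml.js, but the commit message does not say why the order matters, and every pre block changed in the visible hunks of this file is switched to brush: bash, including the XML ones. If that relabelling is intended, the XML and Java brushes are no longer used by those blocks; if it is not, the per-block brush values should be restored so that each brush loaded here is actually the one applied. Either way a one-line explanation in the commit message would help.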
@@ -124,7 +125,7 @@ Apache CXF -- Fediz IDP
 <p>To start and stop this second Tomcat instance, it is perhaps easiest to create small startup.sh and shutdown.sh scripts that temporarily redefine $CATALINA_HOME from the first to the second instance, for example:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/startup.sh
 </pre>
@@ -133,7 +134,7 @@ $CATALINA_HOME/bin/startup.sh
 <p>and</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 CATALINA_HOME=/path/to/second/tomcat
 $CATALINA_HOME/bin/shutdown.sh
 </pre>
@@ -151,7 +152,7 @@ $CATALINA_HOME/bin/shutdown.sh
 <p>Here is a sample snippet for showing the configuration of the above three values:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 &lt;Server port="9005" shutdown="SHUTDOWN"&gt;
 ...
 
@@ -193,7 +194,7 @@ $CATALINA_HOME/bin/shutdown.sh
 
 <p>The users and passwords are configured in a Spring configuration file in <code>webapps/fediz-idp-sts/WEB-INF/passwords.xml</code>. The following users are already configured and can easily be extended.</p>
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
     &lt;util:map id="passwords"&gt;
         &lt;entry key="alice"
             value="ecila" /&gt;
@@ -209,7 +210,7 @@ $CATALINA_HOME/bin/shutdown.sh
 
 <p>The claims of each user are configured in a spring configuration file <code>webapps/fediz-idp-sts/WEB-INF/userClaims.xml</code>. The following claims are already configured:</p>
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
     &lt;util:map id="userClaims"&gt;
         &lt;entry key="alice"
             value-ref="aliceClaims" /&gt;
@@ -240,7 +241,7 @@ $CATALINA_HOME/bin/shutdown.sh
 <p>The required claims per relying party are configured in the <code>webapps/fediz-idp/WEB-INF/RPClaims.xml</code>. The XML file has the following structure:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
     &lt;util:map id="realm2ClaimsMap"&gt;
         &lt;entry key="https://localhost:8443/fedizhelloworld/"
             value-ref="claimsWsfedhelloworld" /&gt;
@@ -270,7 +271,7 @@ $CATALINA_HOME/bin/shutdown.sh
 <p>WSS4J supports username/password authentication using JAAS. The JDK provides a JAAS LoginModule for LDAP which can be configured as illustrated here in a sample jaas configuration (jaas.config):</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 myldap {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  userProvider=ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
@@ -286,7 +287,7 @@ myldap {
 <p>In this example, all the users are stored in the organization unit Users within mycompany.org. The configuration filename can be chosen, e.g. <code>jaas.config</code>. The filename must be configured as a JVM argument. JVM related configurations for Tomcat can be done in the file <code>setenv.sh/bat</code> located in directory <code>tomcat/bin</code>. This script is called implicitly by <code>catalina.bat/sh</code> and might look like this for UNIX:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 #!/bin/sh
 JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
 export JAVA_OPTS
@@ -296,7 +297,7 @@ export JAVA_OPTS
 <p>Next, the STS endpoint has to be configured to use the JAAS LoginModule which is accomplished by the <code>JAASUsernameTokenValidator</code>.</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 &lt;bean
   class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
       id="jaasUTValidator"&gt;
@@ -330,7 +331,7 @@ export JAVA_OPTS
 <p>The following example illustrate the changes to be made in <code>webapps/fediz-idp-sts/WEB-INF/cxf-transport.xml</code>:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 &lt;util:list id="claimHandlerList"&gt;
   &lt;ref bean="ldapClaimsHandler" /&gt;
 &lt;/util:list&gt;

Modified: websites/production/cxf/content/fediz-jetty.html
==============================================================================
--- websites/production/cxf/content/fediz-jetty.html (original)
+++ websites/production/cxf/content/fediz-jetty.html Tue Sep 12 19:09:41 2017
@@ -32,8 +32,9 @@
 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
 
 <script src='/resources/highlighter/scripts/shCore.js'></script>
-<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
   SyntaxHighlighter.all();
@@ -121,7 +122,7 @@ Apache CXF -- Fediz Jetty
 
 <ol><li>Create sub-directory <code>fediz</code> in <code>${jetty.home}/lib/fediz</code></li><li>Update start.ini in ${jetty.home}/start.ini by adding <code>fediz</code> to the OPTIONS
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 OPTIONS=Server,fediz
 </pre>
 </div></div></li><li>Deploy the libraries to the directory created in (1)</li></ol>
@@ -167,7 +168,7 @@ OPTIONS=Server,fediz
 <p>Hint: file name must be equal to war file name</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"> 
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;"> 
   &lt;Get name="securityHandler"&gt;
     &lt;Set name="loginService"&gt;
       &lt;New class="org.apache.cxf.fediz.jetty.FederationLoginService"&gt;

Modified: websites/production/cxf/content/fediz-metadata.html
==============================================================================
--- websites/production/cxf/content/fediz-metadata.html (original)
+++ websites/production/cxf/content/fediz-metadata.html Tue Sep 12 19:09:41 2017
@@ -120,7 +120,7 @@ Apache CXF -- Fediz Metadata
 
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 &lt;EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
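Review bot: This file's blocks switch to brush: bash, but unlike faq.html, fediz-idp.html and fediz-jetty.html there is no hunk at line 32 adding shBrushBash.js, and the first hunk header here (-120,7 +120,7) shows that no line was added above it. Please confirm fediz-metadata.html already includes the bash brush script; otherwise these pre blocks reference a brush the page never loads. The EntityDescriptor content is SAML metadata XML in any case, so brush: xml is the accurate label.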
@@ -141,7 +141,7 @@ Apache CXF -- Fediz Metadata
 
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 &lt;EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
@@ -184,7 +184,7 @@ Apache CXF -- Fediz Metadata
 <p>This is an example metadata document:</p>
 
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
+<pre class="brush: bash; gutter: false; theme: Confluence" style="font-size:12px;">
 &lt;EntityDescriptor ID="_36BF9BFBF49BA48A2D13395075556522" entityID="https://localhost:8443/fedizhelloworld/" 
    xmlns:auth="http://docs.oasis-open.org/wsfed/federation/200706" 
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" 

Modified: websites/production/cxf/content/fediz-oidc.html
==============================================================================
--- websites/production/cxf/content/fediz-oidc.html (original)
+++ websites/production/cxf/content/fediz-oidc.html Tue Sep 12 19:09:41 2017
@@ -100,11 +100,11 @@ Apache CXF -- Fediz OIDC
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1485532114685 {padding: 0px;}
-div.rbtoc1485532114685 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1485532114685 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1505243203064 {padding: 0px;}
+div.rbtoc1505243203064 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1505243203064 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1485532114685">
+/*]]>*/</style></p><div class="toc-macro rbtoc1505243203064">
 <ul class="toc-indentation"><li><a shape="rect" href="#FedizOIDC-Introduction">Introduction</a></li><li><a shape="rect" href="#FedizOIDC-UserAuthentication">User Authentication</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#FedizOIDC-TrustedProviders">Trusted Providers</a></li></ul>
 </li><li><a shape="rect" href="#FedizOIDC-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#FedizOIDC-OIDCServices">OIDC Services</a></li><li><a shape="rect" href="#FedizOIDC-IdToken">IdToken</a></li><li><a shape="rect" href="#FedizOIDC-DataPersistence">Data Persistence</a></li><li><a shape="rect" href="#FedizOIDC-Deployment">Deployment</a></li></ul>


