cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r1034953 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-saml.html
Date Mon, 10 Sep 2018 16:57:30 GMT
Author: buildbot
Date: Mon Sep 10 16:57:30 2018
New Revision: 1034953

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-saml.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-saml.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-saml.html (original)
+++ websites/production/cxf/content/docs/jax-rs-saml.html Mon Sep 10 16:57:30 2018
@@ -117,27 +117,27 @@ Apache CXF -- JAX-RS SAML
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;<span
style="font-size:2em;font-weight:bold">JAX-RS: SAML</span>
+<div id="ConfluenceContent"><p>&#160;<span style="font-size:2em;font-weight:bold">JAX-RS:
SAML</span>
 
 
-&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1524513412775 {padding: 0px;}
-div.rbtoc1524513412775 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1524513412775 li {margin-left: 0px;padding-left: 0px;}
+<br clear="none"></p><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1536598610095 {padding: 0px;}
+div.rbtoc1536598610095 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1536598610095 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1524513412775">
+/*]]>*/</style></p><div class="toc-macro rbtoc1536598610095">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSSAML-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSSAML-Backwardscompatibilityconfigurationnote">Backwards compatibility
configuration note</a></li><li><a shape="rect" href="#JAX-RSSAML-Mavendependencies">Maven
dependencies</a></li><li><a shape="rect" href="#JAX-RSSAML-EnvelopedSAMLassertions">Enveloped
SAML assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML
assertions in Authorization header</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsasFormvalues">SAML
assertions as Form values</a></li><li><a shape="rect" href="#JAX-RSSAML-CreatingSAMLAssertions">Creating
SAML Assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAssertionValidation">SAML
Assertion Validation</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAuthorization">SAML
Authorization</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSSAML-ClaimsBasedAccessControl">Claims
Based Access Control</a></li><li><a shape="rect" href="#JAX-RSSAML-RoleBasedAccessControl">Role
Based Access Control</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSSAML-SAMLWebSSOProfile">SAML Web
SSO Profile</a></li></ul>
 </div><h1 id="JAX-RSSAML-Introduction">Introduction</h1><p>CXF 2.5.0
introduces an initial support for working with <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/SAML_2.0"
rel="nofollow">SAML2</a> assertions. So far the main focus has been put on making
sure SAML assertions can be included in HTTP requests targeted at application endpoints: embedded
inside XML payloads or passed as encoded HTTP header or form values.</p><p>See
also <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a>.</p><h1
id="JAX-RSSAML-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration
note</h1><p>From Apache CXF 3.1.0, the WS-Security based configuration tags used
to configure XML Signature or Encryption ("ws-security-*") have been changed to just start
with "security-". Apart from this they are exactly the same. Older "ws-security-" values continue
to be accepted in CXF 3.1.0. To use any of the configuration examples in this page with an
  older version of CXF, simply add a "ws-" prefix to the configuration tag.</p><h1
id="JAX-RSSAML-Mavendependencies">Maven dependencies</h1><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;dependency&gt;
+<pre class="brush: java; gutter: false; theme: Default">&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-xml&lt;/artifactId&gt;
   &lt;version&gt;2.5.0&lt;/version&gt;
 &lt;/dependency&gt;
 </pre>
 </div></div><p>This module depends on Apache WSS4J, as it contains a lot
of useful utility code based around OpenSAML.</p><h1 id="JAX-RSSAML-EnvelopedSAMLassertions">Enveloped
SAML assertions</h1><p>Payload:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;env:Envelope
xmlns:env="http://org.apache.cxf/rs/env"&gt;
+<pre class="brush: java; gutter: false; theme: Default">&lt;env:Envelope xmlns:env="http://org.apache.cxf/rs/env"&gt;
 
 &lt;Book ID="67ca6441-0c4e-4430-af0e-9463ce9226aa"&gt;
   &lt;id&gt;125&lt;/id&gt;
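Review bot: the Maven dependency snippet still pins cxf-rt-rs-security-xml to `<version>2.5.0</version>` while the backwards compatibility note two paragraphs earlier describes CXF 3.1.0 behaviour and the plain "security-" tag prefix; a reader who copies the snippet gets the 2.5.0 artifact, for which the note says the "ws-security-" form of the tags is required. Suggest replacing the literal with the current release or a placeholder such as `${cxf.version}` and saying so in the text. Separately, the TOC class change rbtoc1524513412775 to rbtoc1536598610095 is a timestamp that the exporter regenerates on every publish, so this hunk will churn each time; a stable class name would keep future diffs readable.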
@@ -148,7 +148,8 @@ div.rbtoc1524513412775 li {margin-left:
 &lt;/ds:Signature&gt;
 
 &lt;!-- SAML assertion with an enveloped signature --&gt; 
-&lt;saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_62D574706635C0B9F413203247720501"
IssueInstant="2011-11-03T12:52:52.050Z" Version="2.0" xsi:type="saml2:AssertionType"&gt;
+&lt;saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+  ID="_62D574706635C0B9F413203247720501" IssueInstant="2011-11-03T12:52:52.050Z" Version="2.0"
xsi:type="saml2:AssertionType"&gt;
 
 &lt;saml2:Issuer&gt;https://idp.example.org/SAML2&lt;/saml2:Issuer&gt;
 
@@ -167,7 +168,7 @@ div.rbtoc1524513412775 li {margin-left:
       &lt;ds:DigestValue&gt;IDD9nFocVm/7FpUbiGI3ZvpY2ps=&lt;/ds:DigestValue&gt;
     &lt;/ds:Reference&gt;
    &lt;/ds:SignedInfo&gt;
-   &lt;ds:SignatureValue&gt;JA2I7u/SmNsXGgWNdrLSovkipiM3JmGHsmpoP0EeIOwPwnLMx0WvV0C3xNGNiT1jOBe2uv8+WchtPoppGTC2JTJVX/t8PmKQCYZo4kVJo6Nmsjbn5kp7ejWuOYynvrUheQeTLU8e5CQmuS6L4VYaMVV2ETtb0VvpKjoQKHOC+co=&lt;/ds:SignatureValue&gt;
+   &lt;ds:SignatureValue&gt;JA2I7u/SmNsXGgWNdrLSovkipiM3JmGHsmpoP0EeIOwPwnLMx0WvV0C3xNGNiT1jOBe2uv8+WchtPoppGTC2JTJVX/t8PmKQCYZo4kVJo6Nms...&lt;/ds:SignatureValue&gt;
    &lt;ds:KeyInfo&gt;
     &lt;ds:X509Data&gt;
      &lt;ds:X509Certificate&gt;&lt;!-- Omitted for brewity --&gt; &lt;/ds:X509Certificate&gt;
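Review bot: the comment `<!-- Omitted for brewity -->` inside ds:X509Certificate should read "brevity" (the same typo recurs in the second payload's certificate element). Shortening ds:SignatureValue with `...` leaves a value that is no longer valid base64, so a comment saying the value is truncated would stop anyone trying to verify the sample as-is.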
@@ -204,9 +205,10 @@ div.rbtoc1524513412775 li {margin-left:
 &lt;/env:Envelope&gt;
 </pre>
 </div></div><p>Note that Book and SAML assertion are individually signed
but the envelope wrapper itself is not.</p><p>Here is another payload showing
the whole enveloped signed including Book and SAML Assertion, this time only a single signature
will be available:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;env:Envelope
xmlns:env="http://org.apache.cxf/rs/env" ID="e795cdd1-c19d-4a5c-8d86-e8a781af4787"&gt;
+<pre class="brush: java; gutter: false; theme: Default">&lt;env:Envelope xmlns:env="http://org.apache.cxf/rs/env"
ID="e795cdd1-c19d-4a5c-8d86-e8a781af4787"&gt;
 
-&lt;saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_C76E3D5BBEE4C4D87913203281641141" IssueInstant="2011-11-03T13:49:24.114Z" Version="2.0"
xsi:type="saml2:AssertionType"&gt;
+&lt;saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

+  ID="_C76E3D5BBEE4C4D87913203281641141" IssueInstant="2011-11-03T13:49:24.114Z" Version="2.0"
xsi:type="saml2:AssertionType"&gt;
 &lt;saml2:Issuer&gt;https://idp.example.org/SAML2&lt;/saml2:Issuer&gt;
 &lt;saml2:Subject&gt;
 &lt;saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.mock-sts.com"&gt;uid=sts-client,o=mock-sts.com&lt;/saml2:NameID&gt;
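Review bot: "Note that Book and SAML assertion are individually signed but the envelope wrapper itself is not." reads as a gap unless the text also says how the receiver ties the two signatures together; the SAML Assertion Validation section further down explains that for sender-vouches and holder-of-key the assertion's key info is checked against the signature over Book, and a one-line pointer to that here would help. Also, the archive shows an empty line between the two `+` lines of the saml2:Assertion start tag (either a trailing space wrapped by the archive or a real blank line); worth checking that the committed file has no blank line inside the tag, since it sits in a `<pre>`.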
@@ -223,7 +225,8 @@ div.rbtoc1524513412775 li {margin-left:
 &lt;/saml2:AuthnContext&gt;
 &lt;/saml2:AuthnStatement&gt;
 &lt;saml2:AttributeStatement&gt;
-&lt;saml2:Attribute FriendlyName="subject-role" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"&gt;
+&lt;saml2:Attribute FriendlyName="subject-role" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"

+    NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"&gt;
 &lt;saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string"&gt;user&lt;/saml2:AttributeValue&gt;
 &lt;/saml2:Attribute&gt;
 &lt;saml2:Attribute Name="http://claims/authentication" NameFormat="http://claims/authentication-format"&gt;
@@ -237,10 +240,29 @@ div.rbtoc1524513412775 li {margin-left:
 &lt;name&gt;CXF&lt;/name&gt;
 &lt;/Book&gt;
 
-&lt;ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"&gt;&lt;ds:SignedInfo&gt;&lt;ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/&gt;&lt;ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/&gt;&lt;ds:Reference URI="#e795cdd1-c19d-4a5c-8d86-e8a781af4787"&gt;&lt;ds:Transforms&gt;&lt;ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/&gt;&lt;ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/&gt;&lt;/ds:Transforms&gt;&lt;ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/&gt;&lt;ds:DigestValue&gt;GR1pHd2JpxYiCzl6ouCmTZjq/AA=&lt;/ds:DigestValue&gt;&lt;/ds:Reference&gt;&lt;/ds:SignedInfo&gt;&lt;ds:SignatureValue&gt;C2qUDOFwart2GHFjX6kB3E3z73AMXtRR/6Qjgyp6XP/vTn/Fr2epDNub3q+gNdT0KgjLE2rSynM3QTcpHov9C8l9a8VQquItaalr0XA7BJcxdFMxB7KEATKR9XtrmIEkiw9efM8M83iVux/ufCOWrt0Te2RLz+nRwzyEY49VQOQ=&lt;/ds:SignatureValue&gt;&lt;ds:KeyInfo&gt;&lt;ds:X509Data&gt;&lt;ds:X509Certi
 ficate&gt;&lt;!-- Omitted for brewity --&gt;&lt;/ds:X509Certificate&gt;&lt;/ds:X509Data&gt;&lt;ds:KeyValue&gt;&lt;ds:RSAKeyValue&gt;&lt;ds:Modulus&gt;vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=&lt;/ds:Modulus&gt;&lt;ds:Exponent&gt;AQAB&lt;/ds:Exponent&gt;&lt;/ds:RSAKeyValue&gt;&lt;/ds:KeyValue&gt;&lt;/ds:KeyInfo&gt;&lt;/ds:Signature&gt;&lt;/env:Envelope&gt;
+&lt;ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"&gt;
+  &lt;ds:SignedInfo&gt;
+    &lt;ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/&gt;
+    &lt;ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/&gt;
+    &lt;ds:Reference URI="#e795cdd1-c19d-4a5c-8d86-e8a781af4787"&gt;
+      &lt;ds:Transforms&gt;
+        &lt;ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/&gt;
+        &lt;ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/&gt;
+      &lt;/ds:Transforms&gt;
+      &lt;ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/&gt;
+      &lt;ds:DigestValue&gt;GR1pHd2JpxYiCzl6ouCmTZjq/AA=&lt;/ds:DigestValue&gt;
+    &lt;/ds:Reference&gt;
+  &lt;/ds:SignedInfo&gt;
+  &lt;ds:SignatureValue&gt;C2qUDOFwart2GHFjX6kB3E3z73AMXtRR/6Qjgyp6XP/vTn/Fr2epDNub3q+gNdT0KgjLE2rSynM3QTcpHov9C8...&lt;/ds:SignatureValue&gt;
+  &lt;ds:KeyInfo&gt;
+    &lt;ds:X509Data&gt;&lt;ds:X509Certificate&gt;&lt;!-- Omitted for
brewity --&gt;&lt;/ds:X509Certificate&gt;&lt;/ds:X509Data&gt;
+    &lt;ds:KeyValue&gt;&lt;ds:RSAKeyValue&gt;&lt;ds:Modulus&gt;vu747/VShQ85f16DGSc4Ixh9...&lt;/ds:Modulus&gt;&lt;ds:Exponent&gt;AQAB&lt;/ds:Exponent&gt;&lt;/ds:RSAKeyValue&gt;&lt;/ds:KeyValue&gt;
+  &lt;/ds:KeyInfo&gt;
+&lt;/ds:Signature&gt;
+&lt;/env:Envelope&gt;
 </pre>
 </div></div><p>Server configuration fragment:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">  
 &lt;bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/&gt;
+<pre class="brush: java; gutter: false; theme: Default">    &lt;bean id="serviceBean"
class="org.apache.cxf.systest.jaxrs.security.BookStore"/&gt;
     &lt;bean id="samlHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"/&gt;
     
     &lt;!-- only needed if the detached signature signing the application data is expected
--&gt; 
@@ -265,7 +287,7 @@ div.rbtoc1524513412775 li {margin-left:
     &lt;/jaxrs:server&gt;
 </pre>
 </div></div><p>Client code:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">private
WebClient createWebClient(String address) {
+<pre class="brush: java; gutter: false; theme: Default">private WebClient createWebClient(String
address) {
   JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
   bean.setAddress(address);
   
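Review bot: the pretty-printed ds:Signature keeps `xmldsig#rsa-sha1` as SignatureMethod and `xmldsig#sha1` as DigestMethod; since this is the sample readers will reproduce, the text should say these are just the values the 2011 capture happened to use (SHA-1 based signatures are no longer considered adequate) and point to the JAX-RS XML Security page linked in the introduction for choosing algorithms. The `<!-- Omitted for brewity -->` typo is repeated here, and ds:KeyInfo now carries both ds:X509Data and a truncated ds:RSAKeyValue; one of the two is enough for the sample, and dropping the Modulus avoids a second `...` inside a base64 value.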
@@ -288,30 +310,18 @@ div.rbtoc1524513412775 li {margin-left:
 }
 </pre>
 </div></div><p>When we also need to sign the application payload such as
Book we need to make sure that a detached XML signature for Book is created. When the whole
envelope is signed then SamlEnvelopedOutInterceptor needs to be placed before XmlSigOutInterceptor
hence the "new SamlEnvelopedOutInterceptor(!selfSigned)" constructor is invoked.</p><h1
id="JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in Authorization header</h1><p>Logging
output:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">Address:
https://localhost:9000/samlheader/bookstore/books/123
+<pre class="brush: java; gutter: false; theme: Default">Address: https://localhost:9000/samlheader/bookstore/books/123
 Http-Method: GET
-Headers: {Accept=[application/xml], Authorization=[SAML eJydV1mTokgQfu9fYTCPrs2htGKMHVEcKq2gKOLxsoFQAsqhFAjNr99CW1ud7t2ZjdAwMisr68s7/YnMwGfaACEYJ14UVmSxQ/z9wjUlBrRYiWZZiWVYlqPrDFVnmhTbwL80UZERSqEcosQMkw7BUDRdwx+qrtP1dp1qs41nLLciKgaMEVaLRZ4popIHfojapyc7RBqH7chEHmqHZgBRO7HaU6AM21iybV7wXO7kqEO4SbJvk2SWZc9Z/Tm
-KHZKhKJpcKMOp5cLA/JT1/lu45p3AWxDfQl47ed/DDvHgDB0zidefZ+7J4vi11IuwYs/eP8PcDPY+PGkvoTM/yTvZnzZqTz0nNJM0hh/g7O8MoUiKI7GMjTznB3G9C2053EQnUjDDKPQs0/cKs4SnwMSN7
-ArwnSj2Ejf41miaKhXXYG7VLLoR/iDIe2i/qegOYYzMGnJN+kPXBG5gDLE7K7OJ3CF+/HcKna7psRmiTRQH6J78MywwPEI/2kO7hi4mfcD6fYVfeOn1J7Tacmj5KfKOUC2TdG9aEFXGMdx4+dBDOPVzdEk
-7aP1RAMhbeA/k2Rui50CU/J/g3ATmrMQw/RS+Lod0s8c74oavDxsCSoueGs8H4zUQlp0TgFvhE+Ma1jP5kJDXBDrfABTXCxR7+UJ5clXM0XjN8LG9MQxG57bTMfB9rUkaXUNKJgsRzKl+f8R2q0qr/sLB+
-Ub3oGEPhrIMJTegkBOM+0E4nbCLjVXYXO6MHXYhDLMWtGjKtRtNGtirfrioTvXhhnM2zalRXdXDlVVPg2Oe0Sp4Ge/eWgdRiXQwOiZWtZEfjtSwm1aH46xzNecGf2nSAL5fzVuwFCeaiXklhLItbHAFJvB
-VkWWhtxUEsBw5IJN54MjS1Jg4QAcq7+wO7s7rcRnFA23WBSIolImSSdpSNDRtIGV71+p1t2Zvlq7rb+GTomWZ4JwOh1Km+uvAysUtUHhHNXig6PxcbawC1VX4xkLUrUwRpUzRAf7F326EeUoD8/KRDoonR
-dcylY4ypZB0hZd6gJ5JgqsMlgveXTKuPwy491UhKQqIzme5Iq7mbKhojUwEJxBYveGue/72aaULfFg8miR1ARjxWw1kznKHgUvgmDYbOLhTV2uxG/pF7E2thpy73NjY95z0XTrEAnoatA7coj9aLjifIx02k4SXlTVhutlGRZHZtwbqeGuzaKoXRsLPA2274aWNfMj0SfOYeu4of1f1TCqMTH4rno5Rc98izWW+qxo2n2j5oTHLoGxtSK+7m60V2lrRkbeYaIX
-lTXivKtC8JmgSdSiQADIJAFNpKuIuk3FQnowJNeX5KOvJ8lzfcbMFtRrPfE6b7TjJmKmz6YwbLWhDn+hgVgalP5EkUQdDx/HRmlGxr9yjVdcyUVu+PQ2ilYxJtfQTrwGx9I87zHZBtbVHg6ThhGtv1ysMS
-nf203nPmufzAQZYtBKZCV/cLmCP9Nbo981Gj3ty64gKc43RYVbACblrOoFjMEhutOqqEy/7gR4MB6bIzwuT2YN0lYqu1m/1gOS+mbtuMuDH1aokcLGq7ldP4eHQz/P6Yc0kc4Y9TBK+EIMBx9COw42VKFC
-sZnqYaOfqeMz4K/NcE+RttdxV02ViTtP1FlrJhSwbqCxWuri/mcn3459+pk8cz65tTqLtNER7aGEY0CYqpRYtxTMQk3GHKJtgEFm7GkrQsxUFxGvq2R1M1Czfg2HyV9S5Pb4M6DOWB6BCFG688sVyDzq33
-X/fUqygjWBow7h2jFK8VaBTX//SeKzb9krFqKJGCQ+xafCbvYl+wXsTFhqFoxhsktLKb+Uu6kFqe2WbnuD2HXtW+dDj0XVzQZ+LC/bI/eJyFX5k3CkmH236fCtxw2mCsyXAvq+cyH9dEvFOgI2dQlQuiTJ2Zd4haKbeYF+IO534qQTmyVc8wcfLIp5T5A3m2xvkV9CuihJs1TpN4PcnlW6MPWD772XO4BXxHNdaHPnwnI3XgYxOiyV6xlMYt7P
-9aTJnqBzOLIk/no3Ve8k7afmmFyDyU8OlJP6XHuIXxKdpdrPV5njlxkehg4sDb7ZXj9zJv/7C/tUTd9Z+WGFiv5Z4LPO8rn9hz5eSH8X9R+j3ONJZFNu/b8Ej59cwY1CFiLtLmYCfmXvhdIgyKXENBh7ub
-fCmvq9/El7/AXoseyE=], ...}
+Headers: {Accept=[application/xml], Authorization=[SAML eJydV1mTokgQfu9fYTCPrs2htGKMHVEcKq2gKOLxsoFQAsqhFAjNr99CW1ud7t2ZjdA...],
...}
 </pre>
 </div></div><p>Note that the Authorization header has an encoded SAML Assertion
as its value. The original SAML assertion has been optionally compressed using a deflated
encoding and then base64-encoded. This encoded value can be signed itself - but it is not
currently possible.</p><p>Server configuration is similar to the one from the
Enveloped SAML Assertions section, the only difference is that a SAML handler needs to be
replaced:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">  
 &lt;bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/&gt;
+<pre class="brush: java; gutter: false; theme: Default">    &lt;bean id="serviceBean"
class="org.apache.cxf.systest.jaxrs.security.BookStore"/&gt;
     &lt;bean id="samlHandler" class="org.apache.cxf.rs.security.saml.SamlHeaderInHandler"/&gt;
     
     &lt;!-- same as in the Enveloped SAML Assertions section --&gt; 
 </pre>
 </div></div><p>Client code:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">private
WebClient createWebClient(String address) {
+<pre class="brush: java; gutter: false; theme: Default">private WebClient createWebClient(String
address) {
   JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
   bean.setAddress(address);
   
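Review bot: "This encoded value can be signed itself - but it is not currently possible." contradicts itself; suggest "This encoded value could itself be signed, but that is not currently supported." The same sentence appears again in the form-values section. Because the header value is protected only by the assertion's own enveloped signature, it would also help to say here, not only in the validation section, that the header form works with the bearer confirmation method only and that the request must travel over TLS, as the https address in the logged request shows.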
@@ -332,36 +342,25 @@ fCmvq9/El7/AXoseyE=], ...}
 }
 </pre>
 </div></div><h1 id="JAX-RSSAML-SAMLassertionsasFormvalues">SAML assertions
as Form values</h1><p>Logging output:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">Address:
https://localhost:9000/samlform/bookstore/books
+<pre class="brush: java; gutter: false; theme: Default">Address: https://localhost:9000/samlform/bookstore/books
 Encoding: ISO-8859-1
 Http-Method: POST
 Content-Type: application/x-www-form-urlencoded
 Headers: {Accept=[application/xml], Cache-Control=[no-cache], connection=[keep-alive], Content-Length=[2206],
content-type=[application/x-www-form-urlencoded], 
 Host=[localhost:9000], Pragma=[no-cache], User-Agent=[Apache CXF ${project.version}]}
-Payload: name=CXF&amp;id=125&amp;SAMLToken=eJydV1tzqkgQfs+vsDiPWcNFjWIdUzUIGqJgQMTLyxYOI6BclAFBfv0OGo16kt1ztkrL6p6eb77u6e5pf2Ir8Lk2wBjFiReFFVnsUH8zYqPFAAkwbOsZSK2eKLI1jqlxTY5p8P
-VnlqrIGKdIDnFihUmH4hiWrZIPUzPYWrtWa3ONJ2K3oComijGBJSZPDFXJAz/E7eORHSqNw3ZkYQ+3QytAuJ3A9hgowzaxbFtnPuc9Oe5QbpJs2zSdZdlTVnuKYofmGIalZ8pwDF0UWJ+23n8bV70jeYjILuy1k8MWdai7YBh
-ESb38PGmPHscvJS4mwJ69fUK5FWx9dEQvqXM/6RvbnzZujz0ntJI0Rh/k7O8cYWiGp4mNjT3nB3XZi2w5XEVHsWuFUehBy/cKq6SnoMSN7ArwnSj2Ejf41mmWKYGrKIdVyNbDHxR9S+03gW4YxtiqYtdiP7B0tEIxIuGsTHS5
-Q/347xQ6bjNiK8SrKA7wrfhnXFC4R360RXYVn136oPX7gF9E6eUngm05hH6KvT1SyyTdWhDhynuMVl4+9DBJ/Ryf0w7BP7oA+prenXiKhug5CCf/53KuLuYEYlp+il5qDTNiWU3Hz3qxkBCzn0aanw8K7TDvHAlcGx8Vl2s9i
-XcJeUmg046Q1/bNx0AVHltzNp3pb/KwtizS/nZmHNYYvG6A5G44Bj4bw4msaTYCi93Q5NfL1cBgoBvCw9DbS0GPm43UQnzfJW9JfzUs6nQ/nQh7zXb7EltbPTKPXvSeRSuvvu/LIHWEjTJqJfom5qCJn0W7lSxg34LSPlSMOm
-itOLyUDNc2PGWpw169tTb5rHNx54p/6dIAHS7uzRoML1qJdRG6ZVtYkQpM0Isiy93+utsF85EDMlkAjiyNTd0BBlAFZ7NzN16fzxgBaJMeEEGh6EomaXPR1LSBlG1d2O+trf4kXdbewgdFy7Kuc1wcSpnqLwOYi2ugCI5qCkA
-xhKlaXwSqqwj1mWjATBGlTDEA+SXfXkR0Sp3o8pEBigfF0DKVjTKlkAxFkPqAnUhdVxnMZ4I751x/GPCHRSEpCohOa7kiLqaNUNHqmQiOJAi86S77/vphYXSFsLh3SeoBMBLWGsic+YYQl8A+bdabtDl2tVZjxT6L/TGsy7nLv5vbvpMepF3cxQ+D1o6fvY7mM97naaeRSd3nBdS5XrZScWS9woH6vrYbeGwUZiJMA229EqSVvMsMvblPPXeUH1Qjkwozk9+Kh33U3LZoa55vHk1bSLR8V59kSIYr2uttJkuFhQs28ma6VkBPF7zHLitoXU1idgXug
-kwCwFKairjJZHIpD6bOjAUhyvqyPDU2/GTGLN4nPq9NNrxkTtTJeMKPZqxp6AaYlJfyqkuSaICh4/h4yakkVu4e1rRM1OZvD4NoIRNRLeMkaEAs4+MOs03w2NriQVJ3wqW36RcmYzjb8bQPp/l0QAgWrUTmwme3Bxp7dm2+vl
-r1Pv/g1jAT5hpnoKxAOr1pOoFjcliut2qqE89fAyMYDixRmBYWtwXpIhVd7bXVJ6X2Zm16yUB4f3yUunysqtvFQ7jbveZ5bbfkkinX2OmJUIjBgOdYx+HflShQYDPd6dqpOu4z/qI81QR9XS031XR+Mcfpco1gchbLBiqLlR7
-pb1by/fPPPrFHjWdXV0fTdhriLYKEBrKpSomipeQNJGLcocomGERwU8UJfoJRQL2knt0hQhX6HgqTv6LO9fL5gT5xuSPajcKVV55YzkGntvvvUwoM2hiFNoqr+yglUwU+9vUvnSfYtlcC44oaJQIirqFv5qYGT+YmYjQKRzFY
-JaWX39qd4UFqe2Wb1kn7jj1YHnS/dJlc8OfgQiJyO7hcjO8VN8D0vU+fZyVuOE5ItgQk9pWj+K9DYqtZDoljhMshUSahzDsUy9XqjWfqBpMclaA8+UrX9cmwSN4p+orz9Q76K2oXoIR4tUwT9P1KpReTCNj+ocwZMiKe7rUaR
-z46ZePlQcbHwRI/kVeYtLPt8WXOcPk4N2jy8WwC7yUHGvqWF2D6E+FcEv8Lh/qF8fE1u5pqczJyk6XQIcVBJttLRG7sX35R/xqJG28/vLBIXEs+0DqN61/486XlR3H/Efstueksiu3f9+Be8+s1E1KFSLpLmYCfmXvWdKgyKUkNBh7pbeiqvi9/El7+Adcbfqw=
+Payload: name=CXF&amp;id=125&amp;SAMLToken=eJydV1tzqkgQfs+vsDiPWcNFjWIdUzUIGqJgQMTLyxYOI6BclAFBfv0OGo16kt1ztk...
 </pre>
 </div></div><p>Note that only form 'name' and 'id' fields will remain after
the SAML handler processes a SAML assertion encoded in the SAMLToken form field. The original
SAML assertion has been optionally compressed using a deflated encoding and then base64-encoded.
This encoded value can be signed - but it is not currently possible.</p><p>Server
configuration is similar to the one from the Enveloped SAML Assertions section, the only difference
is that a SAML handler needs to be replaced:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">  
 &lt;bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/&gt;
+<pre class="brush: java; gutter: false; theme: Default">    &lt;bean id="serviceBean"
class="org.apache.cxf.systest.jaxrs.security.BookStore"/&gt;
     &lt;bean id="samlHandler" class="org.apache.cxf.rs.security.saml.SamlFormInHandler"/&gt;
     
     &lt;!-- same as in the Enveloped SAML Assertions section --&gt; 
 </pre>
 </div></div><p>The client code is the same as in the SAML assertions in
Authorization header section except than an instance of SamlFormOutInterceptor has to be registered:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">bean.getOutInterceptors().add(new
SamlFormOutInterceptor());
+<pre class="brush: java; gutter: false; theme: Default">bean.getOutInterceptors().add(new
SamlFormOutInterceptor());
 </pre>
 </div></div><h1 id="JAX-RSSAML-CreatingSAMLAssertions">Creating SAML Assertions</h1><p>If
you use CXF JAX-RS client API to experiment with SAML then all you need to do is to register
an appropriate out interceptor as shown in the above code fragments. The interceptor will
ensure that a SAML assertion is created and added inside the XML envelope, as a form or HTTP
header value.<br clear="none"> All of the SAML output interceptors depend on a "security.saml-callback-handler"
property linking to a custom javax.security.auth.callback.Callback implementation which in
its handle(Callbacks) method provides the information which is needed to create a SAML assertion
to a org.apache.ws.security.saml.ext.SAMLCallback Callback instance, for example, see this
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java">custom
implementation</a>.</p><p>More involved cas
 es with SAML assertions being created by identity providers will be supported, with the help
of CXF (WS) STSClient when needed.</p><h1 id="JAX-RSSAML-SAMLAssertionValidation">SAML
Assertion Validation</h1><p>When SAML assertions are received on the server side,
they are validated to make sure that the enveloped signatures are correct. SubjectConfirmation
methods (sender-vouches, holder-of-key, bearer) are also checked. <br clear="none">
The validation can be delegated to STS if needed. By default, server side SAML handlers have
a "samlValidator" property set to an instance of org.apache.ws.security.validate.SamlAssertionValidator
which does a thorough validation of the assertion. If needed org.apache.cxf.ws.security.trust.STSTokenValidator
can be set instead which will use STS to validate the assertion.<br clear="none"> Custom
validators extending WSS4J SamlAssertionValidator and doing the additional application-specific
validation can be registered if needed.</p><p>Note the fact th
 at the default validation relies a lot on the code heavily utilized by the WS-Security implementation
should be of no concern - it is an example of the integration on its own in order to get the
validation done. For example, WS-* STS are heavily used in the enterprise today and it simply
makes a complete sense to rely on it to validate a SAML assertion if it is possible.</p><p>SubjectConfirmation
sender-vouches and holder-of-key methods can be easily validated with enveloped SAML assertions
given that the embedded SAML signatures and key info can be checked against the signature
used to sign the envelope or a custom payload like Book.</p><p>At the moment these
methods can not be properly validated when the assertion is provided in a header or in the
form, the additional signature signing the encoded SAML token will be needed - this will be
supported in due time. Use "bearer" in those cases.</p><h1 id="JAX-RSSAML-SAMLAuthorization">SAML
Authorization</h1><p>SAML assertions may contai
 n so-called claims which are represented by a sequence of SAML AttributeStatements containing
one or more Attributes, for example:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;saml2:Assertion&gt;
+<pre class="brush: java; gutter: false; theme: Default">&lt;saml2:Assertion&gt;
  &lt;!-- ... --&gt;
  &lt;saml2:AttributeStatement&gt;
     &lt;saml2:Attribute NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
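Review bot: "linking to a custom javax.security.auth.callback.Callback implementation which in its handle(Callbacks) method" names the wrong type: the class with a handle(Callback[]) method is javax.security.auth.callback.CallbackHandler, which also matches the linked SamlCallbackHandler.java. "except than an instance of SamlFormOutInterceptor" should read "except that". In the validation section, "Use "bearer" in those cases." deserves one sentence on what that gives up: with bearer nothing in the request binds the assertion to the sender, so the SamlHeaderInHandler and SamlFormInHandler deployments rely entirely on the assertion signature and on TLS to keep an assertion from being captured and presented again.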
@@ -378,7 +377,7 @@ z46ZePlQcbHwRI/kVeYtLPt8WXOcPk4N2jy8WwC7
 &lt;/saml2:Assertion&gt;
 </pre>
 </div></div><p>An individual claim is scoped by NameFormat and Name attribute.
NameFormat is similar to a namespace, while Name identifies what the value of this claim represents,
for example, in the above fragment two claims are provided, one has a value "user" which represents
a role of the assertion's Subject, another one has a value of "password" which identifies
the way Subject authenticated itself, i.e, Subject provided its password (presumably to IDP).</p><p>Now,
what is interesting is to see if it is possible to use these claims with Role-Based Access-Control
(for example, with endpoints relying on @RolesAllowed annotations) as well as with the more
complex authorization logic (for example, let this resource be invoked only if Subject used
a password to get authenticated at IDP).</p><h2 id="JAX-RSSAML-ClaimsBasedAccessControl">Claims
Based Access Control</h2><p>CXF JAX-RS offers an extension letting users to enforce
a new fine-grained Claims Based Access Control (CBAC) based
  on <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/claims/authorization/Claim.java">Claim</a>
and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/claims/authorization/Claims.java">Claims</a>
annotations as well as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/claims/authorization/ClaimMode.java">ClaimMode</a>
enum class.</p><p><strong>Note</strong> a package for Claim, Claims
and ClaimMode annotations has changed from "org.apache.cxf.rs.security.saml.authorization"
to "org.apache.cxf.security.claims.authorization". Starting from CXF 2.7.1, the default name
format for claims is "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" instead of
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims".</p><p>Here is a simple
code fragment:</p><di
 v class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">import
org.apache.cxf.rs.security.saml.authorization.Claim;
+<pre class="brush: java; gutter: false; theme: Default">import org.apache.cxf.rs.security.saml.authorization.Claim;
 import org.apache.cxf.rs.security.saml.authorization.Claims;
 
 @Path("/bookstore")
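Review bot: the first code fragment still imports org.apache.cxf.rs.security.saml.authorization.Claim and .Claims, while the Note just above says the package has moved to org.apache.cxf.security.claims.authorization and the two later fragments import from the new package; update the imports here (or state that this fragment shows the pre-move form). The Note could also say whether the old package still resolves, as the backwards-compatibility section does for the configuration tags.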
@@ -401,7 +400,7 @@ public class SecureClaimBookStore {
 }
 </pre>
 </div></div><p>SecureClaimBookStore.addBook(Book) can only be invoked if
Subject meets the following requirement: it needs to have a Claim with a value "admin" and
another Claim confirming that it got authenticated using either a 'fingertip' or 'smartcard'
method. Note that @Claim({"admin"}) has no name and format classifiers set - it relies on
default name and format values, namely "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
and "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
before CXF 2.7.1) respectively. These default values may change in the future depending on
which claims are found to be used most often - but as you can see you can always provide name
and format values which will scope a given claim value.</p><p>Note that in the
above example, a Claim with the name "http://claims/authentication-format" has two values,
'fingertip' and 'smartcard'. By default, in order to meet this Claim, Subjec
 t needs to have a Claim which has either a 'fingertip' or 'smartcard' value. If it is expected
that Subject needs to have a Claim which has both 'fingertip' and 'smartcard' values, then
the following change needs to be done:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">import
org.apache.cxf.security.claims.authorization.Claim;
+<pre class="brush: java; gutter: false; theme: Default">import org.apache.cxf.security.claims.authorization.Claim;
 import org.apache.cxf.security.claims.authorization.Claims;
 
 @Path("/bookstore")
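Review bot: "a Claim with the name "http://claims/authentication-format" has two values" swaps name and format relative to the sample assertion earlier on the page, where the attribute is `Name="http://claims/authentication" NameFormat="http://claims/authentication-format"`; with the values crossed the annotation never matches the assertion, so either the prose and SecureClaimBookStore fragment or the sample assertion should be aligned. The later alias example has the same crossing: "auth-format" and "authentication" are declared aliases for "http://claims/authentication-format" and "http://claims/authentication" respectively, and `@Claim(name = "auth-format", format = "authentication", ...)` therefore maps the claim name to "http://claims/authentication-format".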
@@ -425,7 +424,7 @@ public class SecureClaimBookStore {
 }
 </pre>
 </div></div><p>Claims can be specified using individual @Claim annotation,
they can be set at the class level and overridden at the method level and finally a lax mode
of check can be specified:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">import
org.apache.cxf.security.claims.authorization.Claim;
+<pre class="brush: java; gutter: false; theme: Default">import org.apache.cxf.security.claims.authorization.Claim;
 import org.apache.cxf.security.claims.authorization.Claims;
 
 @Path("/bookstore")
@@ -465,10 +464,10 @@ public class SecureClaimBookStore {
 }
 </pre>
 </div></div><p>In the above example, getBookList() can be invoked if Subject
has a Claim with the value "user"; addBook() has it overridden - "admin" is expected and the
authentication format Claim too; getBook() can be invoked if Subject has a Claim with the
value "user" and it also must have the authentication format Claim with the value "password"
- or no such Claim at all.</p><p>org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingInterceptor
enforces the CBAC rules. This filter can be overridden and configured with the rules directly
which can be useful if no Claim-related annotations are expected in the code. Map nameAliases
and formatAliases properties are supported to make @Claim annotations look a bit simpler,
for example:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">@Claim(name
= "auth-format", format = "authentication", value = {"password" })
+<pre class="brush: java; gutter: false; theme: Default">@Claim(name = "auth-format",
format = "authentication", value = {"password" })
 </pre>
 </div></div><p>where "auth-format" and "authentication" are aliases for
"http://claims/authentication-format" and "http://claims/authentication" respectively.</p><p>Given
the above example, the question is how to extract the information available in a SAML Assertion
for the current request to succeed in passing through the security filter enforcing the CBAC
rules.</p><p>The first and most important thing which needs to be done is to verify
that an assertion Subject can be mapped to a recognized identity instance.</p><p>There
is a number of ways a Subject can be validated.</p><p>If STS is asked to validate
the assertion then a successful response from IDP will likely be good enough for CXF to trust
the identity of the provider.<br clear="none"> If the assertion signature is verified
locally using the public key of IDP then it could a good enough confirmation too.</p><p>Alternatively,
a custom validator, extending either org.apache.ws.security.validate.SamlAssertionValidator
or CXF SA
 ML <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProvider.java">SecurityContextProvider</a>
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/authorization/SecurityContextProviderImpl.java">implementation</a>
can be registered with the server side SAML handler.</p><p>The latter option is
preferred because not only one can validate Subject - but also ensure that a resulting SecurityContext
will return a user Principal with a proper name - given that the actual Subject name available
in the assertion may need to be translated to a name recognized by the local security stores
or application. A combination of the assertion's Subject and AttributeStatement elements may
need to be checked to establish a real name.</p><p>In cases like this you may
want to reg
 ister a custom SecurityContextProvider even if you have STS validating the assertion. Yet
another reason is to retrieve the information about roles for a given Subject or map the assertion
claims to roles for working with the RBAC to succeed, see the next section for more information.</p><p>Have
a look please at this server configuration example:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean
id="serviceBeanClaims" class="org.apache.cxf.systest.jaxrs.security.saml.SecureClaimBookStore"/&gt;
+<pre class="brush: java; gutter: false; theme: Default">&lt;bean id="serviceBeanClaims"
class="org.apache.cxf.systest.jaxrs.security.saml.SecureClaimBookStore"/&gt;
 &lt;bean id="samlEnvHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"&gt;
  &lt;property name="securityContextProvider"&gt;
     &lt;bean class="org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"/&gt;
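Review bot: the second changed `<pre>` in this hunk (the `+` line opening with `&lt;bean id="serviceBeanClaims"`) keeps `brush: java` although the block it wraps is Spring XML (`&lt;bean`, `&lt;property name="securityContextProvider"&gt;`); change that line to `brush: xml` so the highlighter tokenizes the markup instead of treating it as Java. The first changed `<pre>` in the hunk, the `@Claim(name = "auth-format", format = "authentication", value = {"password" })` one-liner, is Java and is correct as is.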
@@ -491,7 +490,7 @@ public class SecureClaimBookStore {
 &lt;/jaxrs:server&gt;
 </pre>
 </div></div><p>An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter
is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor.
SamlEnvelopedInHandler processes and validates SAML assertions and it also relies on a simple
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/CustomSecurityContextProvider.java">CustomSecurityContextProvider</a>
to help it to figure out what the actual Subject name is. A more involved implementation can
do some additional validation as well as override few more super class methods, more on it
next. The claims themselves have already been parsed and will be made available to a resulting
SecurityContext which ClaimsAuthorizingFilter will rely upon.</p><h2 id="JAX-RSSAML-RoleBasedAccessControl">Role
Based Access Control</h2><p>If you have an existing RBAC system (based on javax
 .annotation.security.RolesAllowed or even org.springframework.security.annotation.Secured
annotations) in place and have SAML assertions with claims that are known to represent roles,
then making those claims work with the RBAC system can be achieved easily.</p><p>For
example, given this code:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">import
org.springframework.security.annotation.Secured;
+<pre class="brush: java; gutter: false; theme: Default">import org.springframework.security.annotation.Secured;
 
 @Path("/bookstore")
 @Claim({"user"})
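Review bot: the `+` line's `<pre>` opens the example with only `import org.springframework.security.annotation.Secured;`, yet the class is annotated `@Claim({"user"})` two context lines later; every earlier example on the page imports `org.apache.cxf.security.claims.authorization.Claim` before using it, so this snippet is missing that import. Add `import org.apache.cxf.security.claims.authorization.Claim;` to the `+` line, or drop the class-level `@Claim` if the example is meant to show the roles path only.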
@@ -505,7 +504,7 @@ public class SecureBookStore {
 }
 </pre>
 </div></div><p>where @Secured can be replaced with @RoledAllowed if needed,
the following configuration will do it:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean
id="serviceBeanRoles" class="org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore"/&gt;
+<pre class="brush: java; gutter: false; theme: Default">&lt;bean id="serviceBeanRoles"
class="org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore"/&gt;
 &lt;bean id="samlEnvHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler"&gt;
  &lt;property name="securityContextProvider"&gt;
     &lt;bean class="org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"/&gt;
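Review bot: as with the earlier Spring configuration block, the `+` line's `<pre>` keeps `brush: java` around XML (`&lt;bean id="serviceBeanRoles"`, `&lt;property name="securityContextProvider"&gt;`); use `brush: xml` here as well. Separately, the context paragraph in this hunk says `@Secured` can be replaced with `@RoledAllowed`, but the annotation the RBAC section introduces is `javax.annotation.security.RolesAllowed`, so the name should read `@RolesAllowed`.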


