From commits-return-49960-archive-asf-public=cust-asf.ponee.io@cxf.apache.org Thu Sep 13 12:58:05 2018
Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm
Reply-To: dev@cxf.apache.org
Subject: svn commit: r1035113 - in /websites/production/cxf/content:
cache/docs.pageCache docs/33-migration-guide.html docs/jax-rs-saml.html
Date: Thu, 13 Sep 2018 10:58:01 -0000
To: commits@cxf.apache.org
From: buildbot@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20180913105802.4C13A3A0057@svn01-us-west.apache.org>
Author: buildbot
Date: Thu Sep 13 10:58:01 2018
New Revision: 1035113
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/33-migration-guide.html
websites/production/cxf/content/docs/jax-rs-saml.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/33-migration-guide.html
==============================================================================
--- websites/production/cxf/content/docs/33-migration-guide.html (original)
+++ websites/production/cxf/content/docs/33-migration-guide.html Thu Sep 13 10:58:01 2018
@@ -107,7 +107,7 @@ Apache CXF -- 3.3 Migration Guide
- Major Notes:- The claimType of the Claim class is now a "String" instead of a "URI". This might break existing ClaimsHandler implementations in the STS. In addition, the ClaimsHandler interface now returns a List<String> for getSupportedClaimTypes() instead of List<URI>.
- The package name of the ClaimsAuthorizingInterceptor has changed: from org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor to org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor.
New Features:Major dependency changes:
+ Major Notes:Claims Handling:- The claimType of the Claim class is now a "String" instead of a "URI". This might break existing ClaimsHandler implementations in the STS. In addition, the ClaimsHandler interface now returns a List<String> for getSupportedClaimTypes() instead of List<URI>.
- The Claims access control annotations/interceptors now work with JWT tokens (as well as SAML tokens). This resulted in the following package changes:
- The package name of the ClaimsAuthorizingInterceptor has changed: from org.apache.cxf.rt.security.saml.i
nterceptor.ClaimsAuthorizingInterceptor to org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor.
- The package name of the ClaimsAuthorizingFilter has changed: from org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter to org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter
New Features:Major dependency changes:
|
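Review bot: the two package-rename bullets under "Claims Handling" give the old and new class names but, unlike the claimType bullet with its "This might break existing ClaimsHandler implementations", do not say what users have to do. ClaimsAuthorizingInterceptor and ClaimsAuthorizingFilter are the access control enforcement points, so suggest adding a sentence telling users to update any configuration or code that still references the old org.apache.cxf.rt.security.saml.interceptor and org.apache.cxf.rs.security.saml.authorization names, and stating whether the old classes are still shipped in 3.3. Minor: the new ClaimsAuthorizingFilter bullet lacks the full stop that the ClaimsAuthorizingInterceptor bullet ends with.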
Modified: websites/production/cxf/content/docs/jax-rs-saml.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-saml.html (original)
+++ websites/production/cxf/content/docs/jax-rs-saml.html Thu Sep 13 10:58:01 2018
@@ -121,11 +121,11 @@ Apache CXF -- JAX-RS SAML
+/*]]>*/
@@ -489,7 +489,7 @@ public class SecureClaimBookStore {
</jaxrs:providers>
</jaxrs:server>
-
An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor. SamlEnvelopedInHandler processes and validates SAML assertions and it also relies on a simple CustomSecurityContextProvider to help it to figure out what the actual Subject name is. A more involved implementation can do some additional validation as well as override few more super class methods, more on it next. The claims themselves have already been parsed and will be made available to a resulting SecurityContext which ClaimsAuthorizingFilter will rely upon.
If you have an existing RBAC system
(based on javax.annotation.security.RolesAllowed or even org.springframework.security.annotation.Secured annotations) in place and have SAML assertions with claims that are known to represent roles, then making those claims work with the RBAC system can be achieved easily.
For example, given this code:
An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter (note org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter from CXF 3.3.0) is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor. SamlEnvelopedInHandler processes and validates SAML assertions and it also relies on a simple CustomSecurityContextProvider to help it to figure out what the actual Subject name is. A more involved implementation can do some additional validation as well as override few more super class methods, more on it next. The claims themselves have already been parsed and will be made available to a resulting SecurityContext which ClaimsAuthorizingFilter will rely upon.
If you have an existing RBAC system (based on javax.annotation.security.RolesAllowed or even org.springframework.security.annotation.Secured annotations) in place and have SAML assertions with claims that are known to represent roles, then making those claims work with the RBAC system can be achieved easily.
For example, given this code:
import org.springframework.security.annotation.Secured;
@Path("/bookstore")
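Review bot: the added parenthetical "(note org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter from CXF 3.3.0)" in the first paragraph is ambiguous about which class name applies to which release. Suggest spelling it out, for example "org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter (org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter from CXF 3.3.0 onwards)", and pointing to the 3.3 Migration Guide entry. If the configuration sample that ends at </jaxrs:server> just above names the filter class, it needs the same version note, since only the paragraph is touched here.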