cxf-users mailing list archives

From Oliver Wulff <owu...@talend.com>
Subject RE: CXF supporting scope
Date Mon, 14 May 2012 19:51:32 GMT
Hi Gina

>>>
It looks like you don't encrypt the RST and RSTR, but you said that
both RST and RSTR are signed. I need to import the signing cert from ADFS into the
stsstore.jks keystore. Which one is the key alias for the RP? You have clientkey,
myservicekey and mystskey. Vice versa, I need to export the signing cert from the
RP to import it into ADFS. Do you have the signing cert somewhere or do I have to
export it myself?
>>>
Neither the RST nor the RSTR is encrypted. It's planned for the next release of the Fediz plugin to support encrypted tokens which are embedded in the RSTR.

Is it required to support encrypted tokens initially? I should have this functionality by the end of May.

You have to export the signing cert from ADFS and import it into a Java keystore. Don't import it into stsstore.jks as this should be used for this demo IDP only.

Thanks
Oli



------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com
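As an added example (written for this page; it is not Fediz code and not something from the thread), here is a stand-alone Java check in the spirit of Oli's points: the RP truststore holds certificates only, the `provider` value is a regex over the signer's subject DN, and in the ADFS case the signing cert must chain to the imported CA certs. The class name, the refusal of private-key entries in the RP truststore, and the disabled revocation checking are my assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Relying-party side trust check modelled on the <trustedIssuerItem> settings
 * discussed in this thread (hypothetical helper, not part of Fediz).
 *
 * Two rules from the thread are enforced:
 *  1. the certificate that signed the SAML token must have a subject DN that
 *     matches the "provider" regex, e.g. ".*CN=www.sts.com.*";
 *  2. that certificate must be trusted through the RP truststore, which holds
 *     certificates only: either the STS cert itself (self-signed demo case) or
 *     a CA cert that signed it (the ADFS case).
 */
public final class TrustedIssuerCheck {

    private final Pattern issuerPattern;
    private final Set<TrustAnchor> anchors = new HashSet<>();

    public TrustedIssuerCheck(String providerRegex, String truststorePath, char[] password)
            throws Exception {
        this.issuerPattern = Pattern.compile(providerRegex);
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ks.load(in, password);
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                // Assumption for this example: a private key in the RP truststore is
                // the demo shortcut (a copied stsstore.jks) and is refused outright.
                throw new IllegalStateException(
                        "RP truststore must hold certificates only; key entry found: " + alias);
            }
            anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
        }
    }

    /**
     * @param chain the signing certificate first, followed by any intermediates
     *              carried in the token's KeyInfo
     * @return true if the signer is an acceptable trusted issuer for this RP
     */
    public boolean isTrustedSigner(List<X509Certificate> chain) throws GeneralSecurityException {
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        X509Certificate signer = chain.get(0);
        // RFC 2253 form, e.g. "CN=www.sts.com,O=IT Department,L=Zurich,C=CH"
        String subject = signer.getSubjectX500Principal().getName();
        if (!issuerPattern.matcher(subject).matches()) {
            return false;
        }
        try {
            signer.checkValidity();
            // Self-signed demo: the STS cert is itself a trust anchor, so no path is needed.
            for (TrustAnchor ta : anchors) {
                if (ta.getTrustedCert().equals(signer)) {
                    return true;
                }
            }
            // ADFS case: build a PKIX path from the signer up to a CA cert in the truststore.
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP in this lab setup
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException
                 | CertificateExpiredException
                 | CertificateNotYetValidException e) {
            // Matching DN but no trusted path (or outside validity): reject the token.
            return false;
        }
    }
}
```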

________________________________________
From: Gina Choi [ginachoi88@gmail.com]
Sent: 14 May 2012 21:23
To: users@cxf.apache.org
Subject: Re: CXF supporting scope

Hi Oliver,

> You're right - this is confusing. The STS signs the SAML token with the
> private key which correlates to the STS certificate. The RP requires the CA
> certificates and the STS certificate (if self-signed as in this demo case)
> to validate the SAML token.

Thanks for the response. I looked at the request and response messages between RP and
STS. It looks like you don't encrypt the RST and RSTR, but you said that
both RST and RSTR are signed. I need to import the signing cert from ADFS into the
stsstore.jks keystore. Which one is the key alias for the RP? You have clientkey,
myservicekey and mystskey. Vice versa, I need to export the signing cert from the
RP to import it into ADFS. Do you have the signing cert somewhere or do I have to
export it myself?

Thanks.

Gina


On Mon, May 14, 2012 at 2:19 PM, Oliver Wulff <owulff@talend.com> wrote:

> Hi Gina
>
> >>>
> But I still don't understand why I have to copy the stsstore.jks file into the RP.
> stsstore.jks is the keystore file of the STS and it should be sitting
> somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should have its own
> keystore file, for example clientstore.jks.
> When the client issues an AuthnRequest to the STS, it will sign the AuthnRequest with the STS
> signing certificate. Vice versa, when the STS issues an Assertion token, it will be
> signed by the client signing certificate.
> In the fediz project scenario, the RP will be the client and it will never have the
> keystore file of the STS.
> I just looked at the content of stsstore.jks and it looks like you
> combined the sts, client and service keystore files into one - stsstore.jks. In
> other words, stsstore.jks is being used as a keystore file for all three -
> client, service and sts. Is that correct? I think that they should be
> separated. Kind of confusing until listing the content of stsstore.jks.
> >>>
> You're right - this is confusing. The STS signs the SAML token with the
> private key which correlates to the STS certificate. The RP requires the CA
> certificates and the STS certificate (if self-signed as in this demo case)
> to validate the SAML token.
>
> I was too lazy in creating two keystores (I just copied the keystore used
> by the CXF STS distribution). In a production environment, one keystore
> contains the private key and the certificate for the STS and the other
> contains the certificate only for the RP.
>
> I've started documenting fediz here:
> http://cxf.apache.org/fediz.html
>
> It would make sense to add a section on what to consider for a production
> implementation. I'll add that.
>
> Thanks
>
>
> ________________________________________
> From: Gina Choi [ginachoi88@gmail.com]
> Sent: 14 May 2012 18:00
> To: Oliver Wulff
> Cc: users@cxf.apache.org
> Subject: Re: CXF supporting scope
>
> Hi Oliver,
>
> Thanks for your response. I copied over stsstore.jks into tomcat rp and I
> am seeing saml token now.
>
> > The SAML token issued by the IDP/STS is signed and the used certificate
> > must be referenced to validate the signature:
> >
> > <trustedIssuerItem provider=".*CN=www.sts.com.*">
> >   <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
> >     password="stsspass" type="file" />
> > </trustedIssuerItem>
> >
> > In this example, I used a self-signed certificate and I was too lazy in
> > separating the keystore into one with the private key and into one
> > without.
> >
> > You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.
>
> But I still don't understand why I have to copy the stsstore.jks file into the RP.
> stsstore.jks is the keystore file of the STS and it should be sitting
> somewhere on tomcat-idp, not tomcat-rp. And tomcat-rp should have its own
> keystore file, for example clientstore.jks.
>
> When the client issues an AuthnRequest to the STS, it will sign the AuthnRequest with the STS
> signing certificate. Vice versa, when the STS issues an Assertion token, it will be
> signed by the client signing certificate.
>
> In the fediz project scenario, the RP will be the client and it will never have the
> keystore file of the STS.
>
> I just looked at the content of stsstore.jks and it looks like you
> combined the sts, client and service keystore files into one - stsstore.jks. In
> other words, stsstore.jks is being used as a keystore file for all three -
> client, service and sts. Is that correct? I think that they should be
> separated. Kind of confusing until listing the content of stsstore.jks.
>
> Thanks.
>
> Gina
>
>
> On Fri, May 11, 2012 at 2:55 AM, Oliver Wulff <owulff@talend.com> wrote:
>
> >  Hi Gina
> >
> > The SAML token issued by the IDP/STS is signed and the used certificate
> > must be referenced to validate the signature:
> >
> >  <trustedIssuerItem provider=".*CN=www.sts.com.*">
> >    <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
> >      password="stsspass" type="file" />
> >  </trustedIssuerItem>
> >
> > In this example, I used a self-signed certificate and I was too lazy in
> > separating the keystore into one with the private key and into one
> > without.
> >
> > You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.
> >
> > In your scenario with ADFS, you must import the CA certs which signed the
> > ADFS cert into a keystore and configure the CN name as a regular expression
> > in the attribute "provider". (The name provider is misleading, will fix
> > that)
> >
> > Thanks
> >
> >   ------------------------------
> > *From:* Gina Choi [ginachoi88@gmail.com]
> > *Sent:* 11 May 2012 00:44
> >
> > *To:* Oliver Wulff
> > *Cc:* users@cxf.apache.org
> > *Subject:* Re: CXF supporting scope
> >
> >   Hi Oliver,
> >
> > Until this afternoon, I didn't have time to work with Fediz. Finally I
> > have successfully deployed idp, sts and simpleWebapp on Tomcat 7.0.27.
> > Everything went well. I guess that on the other day, I thought I was doing one
> > thing, but I probably did something else. :)
> > After typing https://localhost:8443/fedizhelloworld/secureservlet/fed in
> > the browser, I input the test user name and password, but it failed.
> >
> >
> > org.apache.ws.security.components.crypto.CredentialException: Proxy file
> > (/projects/fediz/tomcat-rp2/conf/stsstore.jks) not found.
> >
> >
> > In your fediz_config.xml, you have the following lines. Why do we put the sts key
> > store file on the RP server? Does the web application need to know where the sts
> > keystore file is?
> >
> >   <trustedIssuers>
> >    <trustedIssuerItem provider=".*CN=www.sts.com.*">
> >     <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
> > password="stsspass" type="file" />
> >    </trustedIssuerItem>
> >   </trustedIssuers>
> >
> >
> > Thanks.
> >
> > Gina
> >
> >  On Wed, May 9, 2012 at 1:45 AM, Oliver Wulff <owulff@talend.com> wrote:
> >
> >>  Hi Gina
> >>
> >> The steps are absolutely correct. Not sure about the failing deployment
> >> step for the application. Have you also updated tomcat-users.xml of the
> >> second tomcat instance? Or was the application already deployed once and
> >> you must run "mvn clean install tomcat:redeploy"? Is anything logged on
> >> catalina.out?
> >> Otherwise, just copy the war manually from target/fedizhelloworld.war to
> >> <tomcat-dir>/webapps.
> >>
> >> I've checked in fediz_config.xml in examples/simpleWebapp/src/main/config
> >> (sorry for that). Please manually copy it to the location you've configured
> >> in the context.xml. Ensure that the IDP url (later ADFS):
> >> <issuer>https://localhost:9443/fedizidp/</issuer>
> >> and the location of the trusted keystore is updated:
> >> <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
> >>   password="stsspass" type="file" />
> >>
> >> It will be supported in the next days to also configure a relative
> >> location to catalina.home.
> >>
> >>
> >> Thanks
> >> Oli
> >>
> >>
> >>
> >>   ------------------------------
> >> *From:* Gina Choi [ginachoi88@gmail.com]
> >> *Sent:* 09 May 2012 00:55
> >>
> >> *To:* Oliver Wulff
> >> *Cc:* users@cxf.apache.org
> >> *Subject:* Re: CXF supporting scope
> >>
> >>   By the way I checked out head version fediz project from SVN.
> >>
> >> On Tue, May 8, 2012 at 6:36 PM, Gina Choi <ginachoi88@gmail.com> wrote:
> >>
> >>> Hi Oliver,
> >>>
> >>> I am using separate Tomcat instances for IDP and application and I set up
> >>> https. Following is what I did.
> >>>
> >>> I checked out the Fediz project onto my local machine. As you explained in
> >>> your post
> >>> http://owulff.blogspot.com/2011/11/configure-tomcat-for-federation-part.html,
> >>> I ran mvn clean install in plugins/core, plugins/tomcat and
> >>> examples/simpleWebapp/. I configured maven's settings.xml and updated
> >>> tomcat-users.xml. I ran mvn tomcat:deploy under fediz\trunk\plugins, and I
> >>> am seeing both IDP and STS are deployed.
> >>>
> >>> I am just having a problem with deploying the sample application in another
> >>> Tomcat instance.
> >>>
> >>> 1. I created the sub-directory fediz in ${catalina.home}/lib of the
> >>> tomcat-rp.
> >>> 2. I have the following line in catalina.properties in
> >>> ${catalina.home}/conf.
> >>>
> >>> common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar
> >>>
> >>> 3. I deployed the built libraries and dependencies to the directory
> >>> created in (1).
> >>> I got the built libraries from
> >>> fediz-tomcat/target/fediz-tomcat-0.6-SNAPSHOT-zip-with-dependencies.zip.
> >>> After this, I am getting error messages when starting Tomcat. This
> >>> prevents me from doing step 5 for deploying applications properly.
> >>> If I replace the generated lib/fediz jar files with the old jar files that I
> >>> downloaded from your post, I am able to start tomcat without error and able
> >>> to deploy the application, but it couldn't run properly.
> >>> 4. Since I can't find fediz_config.xml, I configured META-INF/context.xml
> >>> as follows.
> >>>
> >>> <Context>
> >>>   <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
> >>>     issuerURL="https://localhost:9443/fedizidp/"
> >>>     truststoreFile="conf/stsstore.jks"
> >>>     truststorePassword="stsspass"
> >>>     trustedIssuer=".*CN=www.sts.com.*" />
> >>> </Context>
> >>>
> >>> 5. If I run mvn tomcat:deploy under fediz\trunk\examples\simpleWebapp, I
> >>> am getting the following error message.
> >>>
> >>> Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.1:deploy
> >>> (default-cli) on project simpleWebapp: Cannot invoke Tomcat manager: FAIL -
> >>> Failed to deploy application at context path /fedizhelloworld -> [Help 1]
> >>>
> >>> So, I couldn't get your application to run. I hope that all these problems
> >>> are caused by the missing fediz_config.xml.
> >>>
> >>> Thanks.
> >>>
> >>> Gina
> >>>   On Tue, May 8, 2012 at 2:46 PM, Oliver Wulff <owulff@talend.com> wrote:
> >>>
> >>>>  Hi Gina
> >>>>
> >>>> I'll send you and check in the fediz_config.xml as soon as I can - I'm
> >>>> on the way right now.
> >>>>
> >>>> This STS URL is fine, the Mock IDP uses the CXF STS. When the
> >>>> application works you will change the issuerUrl in your application
> >>>> (fediz_config.xml) to that of ADFS.
> >>>>
> >>>> Have you configured HTTPS for the IDP Tomcat instance and your
> >>>> application Tomcat instance?
> >>>>
> >>>> I recommend to use a separate instance for the IDP and your application.
> >>>>
> >>>> Do you use the port 9443?
> >>>>
> >>>> Thanks
> >>>>
> >>>>   ------------------------------
> >>>> *From:* Gina Choi [ginachoi88@gmail.com]
> >>>> *Sent:* 08 May 2012 20:20
> >>>>
> >>>> *To:* Oliver Wulff
> >>>> *Cc:* users@cxf.apache.org
> >>>> *Subject:* Re: CXF supporting scope
> >>>>
> >>>>    Hi Oliver
> >>>>
> >>>> >I'd recommend to successfully deploy the wsclientWebapp sample and the
> >>>> >IDP. When this works, rip&replace one piece after the other. I'd recommend
> >>>> >to choose the following approach.
> >>>>
> >>>> >1) Replace the Fediz IDP by ADFS
> >>>> >      + configure the ADFS issuerUrl (context.xml)
> >>>> >      + ensure that ADFS supports WS-Federation Passive Requestor Profile
> >>>> >      + configure the certificate used by ADFS to sign the SAML token
> >>>> >
> >>>> >(the most recent version of fediz uses a separate xml file for the
> >>>> >configuration)
> >>>>
> >>>> Somehow I couldn't deploy both fediz\trunk\services and
> >>>> fediz\trunk\examples\wsclientWebapp on Tomcat 7.0.27, so I deployed them on
> >>>> Tomcat 7.0.21. I checked the tomcat user name and Maven's settings file,
> >>>> but couldn't find the reason. It just said that it can't invoke Tomcat
> >>>> Manager. But since I was able to deploy it on tomcat 7.0.21, I decided to
> >>>> figure it out later.
> >>>>
> >>>> In the context.xml, I have the following content. So, it looks like
> >>>> issuerURL is defined inside fediz_config.xml, but I searched all
> >>>> directories and couldn't find a file called fediz_config.xml.
> >>>>
> >>>> <Context>
> >>>>   <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
> >>>>     configFile="conf/fediz_config.xml" />
> >>>>   <!--<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
> >>>>     issuerURL="https://localhost:9443/fedizidp/" truststoreFile="conf/stsstore.jks"
> >>>>     truststorePassword="stsspass" trustedIssuer=".*CN=www.sts.com.*" />-->
> >>>>   <!--<Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
> >>>>     issuerCallbackHandler="org.apache.cxf.fediz.tomcat.DummyIDPCallbackHandler"
> >>>>     truststoreFile="conf/stsstore.jks" truststorePassword="stsspass" />-->
> >>>> </Context>
> >>>>
> >>>> In the web.xml file of the idp, you have the following content. ADFS has a
> >>>> mex address, so I assume that I need to replace the value of
> >>>> sts.wsdl.url with the ADFS mex address.
> >>>>
> >>>>
> >>>>  <servlet>
> >>>>   <servlet-name>FederationServlet</servlet-name>
> >>>>   <servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class>
> >>>>   <init-param>
> >>>>    <param-name>sts.wsdl.url</param-name>
> >>>>    <param-value>https://localhost:9443/fedizidpsts/STSService?wsdl</param-value>
> >>>>   </init-param>
> >>>>   <init-param>
> >>>>    <param-name>sts.wsdl.service</param-name>
> >>>>    <param-value>SecurityTokenService</param-value>
> >>>>   </init-param>
> >>>>
> >>>> Thanks.
> >>>>
> >>>> Gina
> >>>>  On Tue, May 8, 2012 at 2:26 AM, Oliver Wulff <owulff@talend.com> wrote:
> >>>>
> >>>>>  Hi Gina
> >>>>>
> >>>>> >>>
> >>>>> I don't mind giving up the existing implementation as long as I find a
> >>>>> better solution. I was hoping that the Fediz project uses only Apache CXF
> >>>>> instead of introducing another framework - OpenSAML.
> >>>>> >>>
> >>>>>
> >>>>> Apache CXF uses OpenSAML too for all SAML processing for SOAP and REST
> >>>>> based service communication. OpenSAML is widely used and bundled into other
> >>>>> frameworks like CXF and Fediz.
> >>>>>
> >>>>> >>>
> >>>>> If I only consider the passive profile at this moment, what changes are
> >>>>> needed to the Fediz project to point to ADFS (STS) instead of the Apache CXF STS?
> >>>>> Where did you define your stsActionURL? I'd like to start with the passive
> >>>>> profile since it is easier to start with. I can use your sample application.
> >>>>> It doesn't matter if I use Airline or not since it is just a prototype.
> >>>>> >>>
> >>>>>
> >>>>> I'd recommend to successfully deploy the wsclientWebapp sample and the
> >>>>> IDP. When this works, rip&replace one piece after the other. I'd recommend
> >>>>> to choose the following approach.
> >>>>>
> >>>>> 1) Replace the Fediz IDP by ADFS
> >>>>>       + configure the ADFS issuerUrl (context.xml)
> >>>>>       + ensure that ADFS supports WS-Federation Passive Requestor Profile
> >>>>>       + configure the certificate used by ADFS to sign the SAML token
> >>>>>
> >>>>> (the most recent version of fediz uses a separate xml file for the
> >>>>> configuration)
> >>>>>
> >>>>> 2) Update the webapp to generate and use the stubs of the
> >>>>> BookingService in the FederationServlet (just a test - call the simplest
> >>>>> method). Configure the ASP.NET wsdl location (usually url?wsdl).
> >>>>> Configure the ADFS STS url in the STSClient bean in the beans.xml
> >>>>> configuration. Change the property onbehalfof to actas.
> >>>>>
> >>>>> HTH
> >>>>>
> >>>>>
> >>>>>   ------------------------------
> >>>>> *From:* Gina Choi [ginachoi88@gmail.com]
> >>>>> *Sent:* 08 May 2012 01:05
> >>>>> *To:* Oliver Wulff
> >>>>> *Cc:* users@cxf.apache.org
> >>>>>
> >>>>> *Subject:* Re: CXF supporting scope
> >>>>>
> >>>>>    Hi Oliver,
> >>>>>
> >>>>> I am not responsible for BookingService (.NET). The other guys
> >>>>> implemented it using WIF. You know that Microsoft created WIF and tested
> >>>>> it with ADFS, so if it doesn't work, I would be surprised.
> >>>>>  >Which Servlet container do you use?
> >>>>> I am using Tomcat7.
> >>>>>
> >>>>> >In your current setup, how does the samlp:Response look like?
> >>>>> I sent you the decoded SAML response token in a separate email. I am
> >>>>> retrieving the base64 encoded saml response token using the following code.
> >>>>>
> >>>>> String encodedSamlResponseTokenStr =
> >>>>>     request.getParameter("SAMLResponse");
> >>>>>
> >>>>> I don't mind giving up the existing implementation as long as I find a
> >>>>> better solution. I was hoping that the Fediz project uses only Apache CXF
> >>>>> instead of introducing another framework - OpenSAML.
> >>>>>
> >>>>> I loaded
> >>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
> >>>>> into Eclipse today.
> >>>>>
> >>>>> Basically I need the following three URLs for ADFS (STS). The first two are for
> >>>>> the active profile and the third one is for the passive profile (SP initiated
> >>>>> Redirect POST bindings). If I only consider the passive profile at this moment,
> >>>>> what changes are needed to the Fediz project to point to ADFS (STS) instead of
> >>>>> the Apache CXF STS? Where did you define your stsActionURL? I'd like to start
> >>>>> with the passive profile since it is easier to start with. I can use your sample
> >>>>> application. It doesn't matter if I use Airline or not since it is just a
> >>>>> prototype.
> >>>>>
> >>>>> private static final String stsEndpoint =
> >>>>>     "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";
> >>>>>
> >>>>> private static final String stsMEXAddress =
> >>>>>     "https://strts01.ams.dev/adfs/services/trust/mex";
> >>>>>
> >>>>> private static final String stsActionURL =
> >>>>>     "https://strts01.ams.dev/adfs/ls/";
> >>>>>
> >>>>>
> >>>>>  Thanks again for your guidance.
> >>>>>
> >>>>> Gina
> >>>>>
> >>>>> On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <owulff@talend.com> wrote:
> >>>>>
> >>>>>>  Hi Gina
> >>>>>>
> >>>>>> The fediz project is used to protect your web application where the
> >>>>>> client is a browser. Right now, Fediz supports the WS-Federation Passive
> >>>>>> Requestor Profile which is supported by ADFS and usually used in the .NET
> >>>>>> world as the default mechanism. You don't have to implement that in
> >>>>>> your application - that's done by the Fediz plugin. Fediz uses opensaml for
> >>>>>> SAML processing.
> >>>>>>
> >>>>>> The original URL is stored in the wreply parameter. .NET uses a
> >>>>>> combination of the wtrealm and wctx parameter.
> >>>>>>
> >>>>>> Your Airline application can use CXF for the web services
> >>>>>> communication (for the REST communication also, if you like). The built-in
> >>>>>> support in CXF for the IssuedToken assertion (WS-SecurityPolicy) supports
> >>>>>> getting a token from ADFS using actas. In my example, just use actas instead
> >>>>>> of the onbehalfof property.
> >>>>>>
> >>>>>> >>>
> >>>>>> ADFS generates a SAML token and this SAML token is sent back to
> >>>>>> Airline (Airline does all validation work) and cached in the
> >>>>>> session. - This part is implemented.
> >>>>>> >>>
> >>>>>>
> >>>>>> The validation work is already done by Fediz. Session management is
> >>>>>> then done by the JEE container. Your application is called after the SAML
> >>>>>> token issued by ADFS is successfully validated. The container will create
> >>>>>> the session and check every incoming request whether the used token is
> >>>>>> still valid - otherwise, the browser is redirected again to ADFS. You could
> >>>>>> also configure some roles in ADFS to protect your web application as the
> >>>>>> fediz plugin tells the container the userid as well as its roles. You could
> >>>>>> even use claims if you like.
> >>>>>>
> >>>>>> Which Servlet container do you use?
> >>>>>>
> >>>>>> In your current setup, how does the samlp:Response look like?
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>> Oli
> >>>>>>
> >>>>>>   ------------------------------
> >>>>>> *From:* Gina Choi [ginachoi88@gmail.com]
> >>>>>> *Sent:* 07 May 2012 20:24
> >>>>>> *To:* users@cxf.apache.org
> >>>>>> *Cc:* Oliver Wulff
> >>>>>> *Subject:* Re: CXF supporting scope
> >>>>>>
> >>>>>>    Hi Oliver,
> >>>>>>
> >>>>>> I did notice that your sample application used both opensaml and
> >>>>>> openws libraries. Are they used by Apache CXF or just by the Fediz project?
> >>>>>>
> >>>>>> I need to clarify my environment further to give you a better picture.
> >>>>>>
> >>>>>> 1. All web services in my application are REST. The only reason that
> >>>>>> I use SOAP is to create a soap client to call a .NET SOAP web service which
> >>>>>> resides in another application. I am working with a .NET guy to prove some
> >>>>>> prototypes. His sample application is BookingService, for which I provided you
> >>>>>> the wsdl. I am working on Airline.
> >>>>>>
> >>>>>> BookingService: .NET4.0 SOAP
> >>>>>> Airline: Java with REST
> >>>>>>
> >>>>>> 2. Both BookingService and Airline use the same ADFS as STS. We have set
> >>>>>> up relying parties for BookingService and Airline in ADFS.
> >>>>>>
> >>>>>> 3. SSO: A user will be using both Airline and BookingService. So,
> >>>>>> she/he should be able to log on once for both applications. In Airline (my
> >>>>>> application), I used SP initiated POST redirect bindings. So, when a user
> >>>>>> makes a request to Airline for the first time, the user will be redirected to
> >>>>>> ADFS and asked for credentials. After the user provides username/password, ADFS
> >>>>>> generates a SAML token and this SAML token is sent back to Airline (Airline does
> >>>>>> all validation work) and cached in the session. - This part is implemented.
> >>>>>>
> >>>>>> 4. Now a user calls BookingService which is claim aware. So, I need to
> >>>>>> inject the Assertion token obtained in the previous step inside the actas element
> >>>>>> to call the STS (ADFS2.0) to get a new token. With that new token, I will be
> >>>>>> calling the Booking service.
> >>>>>>
> >>>>>> So, I don't think that I am able to use the Apache CXF STS part since my
> >>>>>> STS will be ADFS. So, I am hoping that Apache CXF can work with ADFS (STS)
> >>>>>> to support my prototypes.
> >>>>>>
> >>>>>>
> >>>>>> Thanks.
> >>>>>>
> >>>>>> Gina
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <owulff@talend.com> wrote:
> >>>>>>
> >>>>>>> Hi Gina
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> So, what I need is after user log on using Web SSO, the SAML token
> >>>>>>> should be cached in web context and being used as actas token when making a
> >>>>>>> call to .NET web service.
> >>>>>>> >>>
> >>>>>>> This is supported by CXF without writing a single line of code. I
> >>>>>>> do have a sample web application here:
> >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
> >>>>>>>
> >>>>>>> This example illustrates:
> >>>>>>> - fediz is configured for web sso
> >>>>>>> - the SAML token is cached in the session and used to request a new
> >>>>>>> token from the STS
> >>>>>>>
> >>>>>>> The code to call the web service is in FederationServlet.doPost():
> >>>>>>> ...
> >>>>>>> Greeter service =
> >>>>>>>     (Greeter) ApplicationContextProvider.getContext().getBean("HelloServiceClient");
> >>>>>>> String reply = service.greetMe();
> >>>>>>> ...
> >>>>>>>
> >>>>>>> The magic is in the configuration I used here:
> >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
> >>>>>>>
> >>>>>>> The following property registers a callback handler to provide the
> >>>>>>> STSClient with the token of the Web Login:
> >>>>>>> <property name="onBehalfOf" ref="delegationCallbackHandler" />
> >>>>>>>
> >>>>>>> (There is also a property for actAs)
> >>>>>>>
> >>>>>>> The above example should do exactly what you need. You just have to
> >>>>>>> change the above property to use ActAs instead of OnBehalfOf. The details
> >>>>>>> for this example are described here:
> >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
> >>>>>>>
> >>>>>>> To test this easily, you can use the Mock IDP as part of Fediz for
> >>>>>>> the authentication. You could also attach Active Directory in the Mock if
> >>>>>>> you like. See here:
> >>>>>>> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
> >>>>>>>
> >>>>>>> I use that within a customer set up to connect the CXF STS to Active
> >>>>>>> Directory.
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> What is Spring role in CXF?
> >>>>>>> >>>
> >>>>>>> You can use Spring to configure your services. The above example is
> >>>>>>> based on spring. As you see, all security related stuff is enabled by
> >>>>>>> configuration (Convention over Configuration). You can also write an
> >>>>>>> application without spring but I wouldn't write an application without
> >>>>>>> spring nowadays but this is up to you.
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> I don't know much LDAP, but it should be used as an attribute store.
> >>>>>>> I consider it as an alternative of Active Directory. Please correct me if I
> >>>>>>> am wrong.
> >>>>>>> >>>
> >>>>>>> Active Directory provides different interfaces. One of them is
> >>>>>>> LDAP. You can use the LDAPLoginModule of the JDK for authentication. But
> >>>>>>> you don't have to care that much as ADFS (and maybe the Fediz Mock for
> >>>>>>> testing) will access ActiveDirectory to read the claims to add them to the
> >>>>>>> SAML token.
> >>>>>>>
> >>>>>>> Could you zip the wsdl before attaching?
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> ________________________________
> >>>>>>>  From: Gina Choi [ginachoi88@gmail.com]
> >>>>>>> Sent: Friday, 4 May 2012 20:54
> >>>>>>> To: users@cxf.apache.org
> >>>>>>> Subject: Re: CXF supporting scope
> >>>>>>>
> >>>>>>> Hi Oliver,
> >>>>>>>
> >>>>>>> Thanks for your response.
> >>>>>>>
> >>>>>>>  >You mean that WIF is deployed in the ASP.NET<http://asp.net/>
> web
> >>>>>>> service using the Active Requestor Profile?
> >>>>>>> >The SAML token should contain the claims as an AttributeStatement?
> >>>>>>> >Can you share with us the WS-SecurityPolicy of this Web Service?
> >>>>>>> I have attached two wsdl file. BookingService.wsdl and
> >>>>>>> BookingService_imported.wsdl. BookingService.wsdl  is importing
> >>>>>>> BookingService_imported.wsdl and if you open BookingService.wsdl,
> in line
> >>>>>>> 10 there is a importing statement like bellow. This .NET4.0
> service is not
> >>>>>>> owned by me and I don't know if separating wsdl file is common
> practice. Is
> >>>>>>> there anyway to combin them into one when generate artifact using
> wsimport?
> >>>>>>> I will be calling CheckIn operation.
> >>>>>>>
> >>>>>>> <wsdl:import location="
> >>>>>>>
> http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0
> "
> >>>>>>> namespace="http://tempuri.org/"/>
> >>>>>>>
> >>>>>>> >I haven't used ADFS using WS-Trust so far. Usually, it uses a
> >>>>>>> Symmetric and Asymmetric binding.
> >>>>>>> >What roles does ADFS 2.0 play?
> >>>>>>> >Once as the IDP for the Web application SSO and once to let issue
> a
> >>>>>>> token onbehalfof/actas the original token >from the Web SSO? (this
> is
> >>>>>>> supported by CXF-Fediz)
> >>>>>>> >
> >>>>>>>
> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
> >>>>>>> I am using Active Directory as an attribute store. So, I could say
> >>>>>>> the ADFS role should be IDP. So, what I need is: after the user logs on
> >>>>>>> using Web SSO, the SAML token should be cached in the web context and used
> >>>>>>> as the actas token when making a call to the .NET web service.
> >>>>>>>
> >>>>>>> > Yes, the passive profile is supported by Fediz. Is ADFS the IDP?
> >>>>>>> In which application server is your web >application deployed?
> >>>>>>> ADFS is IDP and my Java web application is Service Provider.
> >>>>>>>
> >>>>>>> >What do you mean exactly? Is LDAP used for authentication by the
> >>>>>>> STS? Or should the service provider retrieve >the claims/roles from LDAP?
> >>>>>>> I don't know much about LDAP, but it should be used as an attribute store.
> >>>>>>> I consider it an alternative to Active Directory. Please correct me if I
> >>>>>>> am wrong. I have been reading many specifications, but I am still having a
> >>>>>>> hard time straightening out the correct terms.
> >>>>>>>
> >>>>>>> >No, Spring is not a requirement.
> >>>>>>> What is Spring's role in CXF?
> >>>>>>>
> >>>>>>> Thanks.
> >>>>>>>
> >>>>>>> Gina
> >>>>>>>  On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <owulff@talend.com> wrote:
> >>>>>>> >>>
> >>>>>>> 1. I have to create a client for .NET4.0 web service which is claim
> >>>>>>> aware. So, how is CXF interoperability with .NET?
> >>>>>>> >>>
> >>>>>>>  You mean that WIF is deployed in the ASP.NET web
> >>>>>>> service using the Active Requestor Profile?
> >>>>>>> The SAML token should contain the claims as an AttributeStatement?
> >>>>>>> Can you share with us the WS-SecurityPolicy of this Web Service?
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> 2. If CXF supports ADFS2.0 as STS.
> >>>>>>> >>>
> >>>>>>> I haven't used ADFS using WS-Trust so far. Usually, it uses a
> >>>>>>> Symmetric and Asymmetric binding.
> >>>>>>> What roles does ADFS 2.0 play?
> >>>>>>> Once as the IDP for the Web application SSO and once to let issue a
> >>>>>>> token onbehalfof/actas the original token from the Web SSO? (this is
> >>>>>>> supported by CXF-Fediz)
> >>>>>>>
> >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> 3. If CXF supports the passive profile, especially SP-initiated
> >>>>>>> Redirect -> POST binding.
> >>>>>>> >>>
> >>>>>>> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In
> >>>>>>> which application server is your web application deployed?
> >>>>>>>
> >>>>>>> >>>
> >>>>>>> 4. If CXF can work with LDAP.
> >>>>>>> >>>
> >>>>>>> What do you mean exactly? Is LDAP used for authentication by the
> >>>>>>> STS? Or should the service provider retrieve the claims/roles from LDAP?
> >>>>>>>
> >>>>>>> >>>>
> >>>>>>> 5. My application doesn't use the Spring framework. Do I have to use
> >>>>>>> the Spring framework to use CXF?
> >>>>>>> >>>
> >>>>>>> No, Spring is not a requirement.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> ------
> >>>>>>>
> >>>>>>> Oliver Wulff
> >>>>>>>
> >>>>>>> Blog: http://owulff.blogspot.com
> >>>>>>> Solution Architect
> >>>>>>> http://coders.talend.com
> >>>>>>>
> >>>>>>> Talend Application Integration Division http://www.talend.com
> >>>>>>>
> >>>>>>> ________________________________________
> >>>>>>>  From: gchoi [gchoi@sdl.com]
> >>>>>>> Sent: Wednesday, 2 May 2012 17:29
> >>>>>>>  To: users@cxf.apache.org
> >>>>>>>  Subject: CXF supporting scope
> >>>>>>>
> >>>>>>> Hi All,
> >>>>>>>
> >>>>>>> So far, I evaluated several frameworks, but they don't seem to do what I
> >>>>>>> expect. Several people suggested that I should consider CXF. Before I dig
> >>>>>>> into CXF, I would like to know if CXF supports the following things. By the
> >>>>>>> way, I just joined this user group.
> >>>>>>>
> >>>>>>>
> >>>>>>> 1. I have to create a client for .NET4.0 web service which is claim
> >>>>>>> aware. So, how is CXF interoperability with .NET?
> >>>>>>>
> >>>>>>> 2. If CXF supports ADFS2.0 as STS.
> >>>>>>>
> >>>>>>> 3. If CXF supports the passive profile, especially SP-initiated
> >>>>>>> Redirect -> POST binding.
> >>>>>>>
> >>>>>>> 4. If CXF can work with LDAP.
> >>>>>>>
> >>>>>>> 5. My application doesn't use the Spring framework. Do I have to use
> >>>>>>> the Spring framework to use CXF?
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> Thanks in advance.
> >>>>>>>
> >>>>>>> --
> >>>>>>> View this message in context:
> >>>>>>> http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
> >>>>>>> Sent from the cxf-user mailing list archive at Nabble.com.
> >>>>>>>
> >>>>>>>