cxf-users mailing list archives

From Gina Choi <ginacho...@gmail.com>
Subject Re: CXF supporting scope
Date Mon, 14 May 2012 20:44:25 GMT
Hi Oliver,

ADFS2.0 has many endpoints, and depending on the request or profile that we use,
we have to use different endpoints. When I test helloworld, I see a username
token sent to the STS as a security header, so I used the
adfs/services/trust/13/usernamemixed
endpoint of ADFS, but when I see the URL in the browser, it looks like SP
initiated redirect POST binding, but I don't see a base64 encoded
SAMLRequest. That's why I am confused.

Gina
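
Added example (not part of the original message and not Fediz or ADFS code): a Python classifier that tells a WS-Federation passive sign-in redirect (`wa`, `wtrealm`, `wreply`) from a SAML 2.0 HTTP-Redirect request (`SAMLRequest`, `RelayState`), decodes the latter, and flags a browser request addressed to an active WS-Trust endpoint. The first sample is the Fediz redirect quoted later in this thread; the AuthnRequest and the `example.test` hosts are constructed.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Endpoint roles as given in the thread: /adfs/ls/ serves the passive (browser)
# profile; /adfs/services/trust/... are active WS-Trust endpoints (SOAP RST/RSTR).
ACTIVE_PREFIX = "/adfs/services/trust/"
SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def inflate_saml_request(value, limit=64 * 1024):
    """HTTP-Redirect binding: base64, then raw DEFLATE. Output size is capped."""
    raw = base64.b64decode(value, validate=True)
    inflater = zlib.decompressobj(-15)  # -15 = raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, limit + 1)
    if len(xml) > limit:
        raise ValueError("SAMLRequest inflates past the size limit")
    return xml.decode("utf-8")


def deflate_saml_request(xml):
    """Inverse of inflate_saml_request; used here only to build the sample."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()


def classify(url):
    """Return the protocol, its key parameters and any endpoint findings."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    info = {"path": parts.path, "protocol": "unknown", "findings": []}

    if "wa" in query:
        info["protocol"] = "ws-federation-passive"
        for name in ("wa", "wtrealm", "wreply", "wctx"):
            info[name] = query.get(name, [""])[0]
    elif "SAMLRequest" in query:
        info["protocol"] = "saml2-http-redirect"
        # ElementTree is acceptable for this constructed sample; parse untrusted
        # input with a hardened parser such as defusedxml.
        root = ET.fromstring(inflate_saml_request(query["SAMLRequest"][0]))
        issuer = root.find("{%s}Issuer" % SAML_ASSERTION_NS)
        info["request_type"] = root.tag.rsplit("}", 1)[-1]
        info["issuer"] = (issuer.text or "").strip() if issuer is not None else ""
        info["relay_state"] = query.get("RelayState", [""])[0]
        destination = root.get("Destination", "")
        delivered_to = "%s://%s%s" % (parts.scheme, parts.netloc, parts.path)
        if destination and destination != delivered_to:
            info["findings"].append(
                "Destination %r does not match %r" % (destination, delivered_to))

    if info["protocol"] != "unknown" and parts.path.lower().startswith(ACTIVE_PREFIX):
        info["findings"].append(
            "browser sign-in request addressed to an active WS-Trust endpoint; "
            "the passive endpoint is /adfs/ls/")
    return info


# The Fediz redirect quoted in the thread.
FEDIZ_URL = (
    "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed?wa=wsignin1.0"
    "&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecureservlet%2Ffed"
    "&wtrealm=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2F")

# Constructed SAML 2.0 AuthnRequest (hypothetical hosts under example.test).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2012-05-14T20:00:00Z" '
    'Destination="https://sts.example.test/adfs/ls/">'
    "<saml:Issuer>https://rp.example.test/app/</saml:Issuer></samlp:AuthnRequest>")
SAML_URL = "https://sts.example.test/adfs/ls/?SAMLRequest=%s&RelayState=%s" % (
    quote(deflate_saml_request(SAMPLE_AUTHN_REQUEST), safe=""),
    quote("https://rp.example.test/app/welcome", safe=""))

if __name__ == "__main__":
    for sample in (FEDIZ_URL, SAML_URL):
        print(classify(sample))
```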


On Mon, May 14, 2012 at 4:27 PM, Gina Choi <ginachoi88@gmail.com> wrote:

>
> >Neither the RST nor the RSTR are encrypted. It's planned for the next
> release of the Fediz plugin >to support encrypted token which are embedded
> in RSTR.
> Ok. Just verifying with you.
>
> >Is it required to support encrypted tokens initially? I should have this
> functionality by end of May.
> encryption doesn't matter at this time.
>
> >You have to export the signing cert from ADFS and import into a java
> keystore. Don't import it into >stsstore.jks as this should be used for
> this demo IDP only.
> when I import ADFS signing cert to java keystore, what alias name should I
> use? You must reference alias name from somewhere.
>
> I also need to import Service Provider signing cert to ADFS. How do I
> export it?
>
> I was trying to point helloworld to ADFS, but it seems not simple. wreply
> vs RelayState. What is wa=wsignin1.0 and wtrealm? Without deep change,
> it wouldn't work with ADFS.
> Based on the following URL, I couldn't tell what kind of profile you use. I
> couldn't really tell. Please see the OASIS link.
>
> http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
> .
>
> Fediz
>
>
> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecureservlet%2Ffed&wtrealm=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2F
>
> SP initiated redirect POST binding:
>
> GET
> /adfs/ls/?SAMLRequest=pZJPa9wwEMXv%2FRRG99U%2F73ptsXbYNoQGUrpknRR6KbI9TtTKkquR3Xz8Opss5FQKOQ7MvPd4v9ldPA02mSGg8a4kgnKSgGt9Z9xDSe7qq1VOLqoPO9SDHdV%2Bio%2FuFn5PgDHZI0KIy9kn73AaIBwhzKaFu9ubkjzGOKJi7M8vcDjzlGf0wfpGW4qdpa0Po8rX65TtTbDGAVscgX0D2%2FoB6E8cSXK5eBin4ynXWQ5jiMgF1QPSDmamux6ZRUaSKx9aOOUrSQwTkOT6siQ%2F0qLXfSZyyLs0K%2Fi24SKVXd%2B1hWw2a5GKrMi2siv6LMubPFuu8KARzQwl6bXFZx3ECa4dRu1iSSQXcsU3K7GuJVciVxtJt7n4TpJD8NG33n407qW9KTjlNRpUTg%2BAKrbquP9yoyTlqnlZQvW5rg%2Brw9djTZL7MwX5TGHh4lCdev%2B31PjqS6pXSqfA4f8F9Bkkqd6LbcfeRqjO49u%2Fqf4C&RelayState=
> https://wkensv0306.global.sdl.corp:8443/Airline/code/Welcome.jsp HTTP/1.1
>
>
> On Mon, May 14, 2012 at 3:51 PM, Oliver Wulff <owulff@talend.com> wrote:
>
>> Hi Gina
>>
>> >>>
>> It looks like that you don't encrypt RST and RSTR, but you said that
>> both RST and RSTR are signed. I need to import signing cert from ADFS to
>> stsstore.jks keystore. Which one is key alias for RP? You have clientkey,
>> myservicekey and mystskey. Vice versa, I need to export signing cert from
>> RP to import it to ADFS. Do you have signing cert somewhere or I have to
>> export it myself?
>> >>>
>> Neither the RST nor the RSTR are encrypted. It's planned for the next
>> release of the Fediz plugin to support encrypted token which are embedded
>> in RSTR.
>>
>> Is it required to support encrypted tokens initially? I should have this
>> functionality by end of May.
>>
>> You have to export the signing cert from ADFS and import into a java
>> keystore. Don't import it into stsstore.jks as this should be used for this
>> demo IDP only.
>>
>> Thanks
>> Oli
>>
>>
>>
>> ------
>>
>> Oliver Wulff
>>
>> Blog: http://owulff.blogspot.com
>> Solution Architect
>> http://coders.talend.com
>>
>> Talend Application Integration Division http://www.talend.com
>>
>> ________________________________________
>> From: Gina Choi [ginachoi88@gmail.com]
>> Sent: 14 May 2012 21:23
>> To: users@cxf.apache.org
>> Subject: Re: CXF supporting scope
>>
>> Hi Oliver,
>>
>> >You're right - this is confusing. The STS signs the SAML token with the
>> private which correlates to >the STS certificate. The RP requires the CA
>> certificates and the STS certificate (if self-signed as in >this demo
>> case)
>> to validate the SAML token.
>>
>> Thanks for response. I looked request and response message between RP and
>> STS. It looks like that you don't encrypt RST and RSTR, but you said that
>> both RST and RSTR are signed. I need to import signing cert from ADFS to
>> stsstore.jks keystore. Which one is key alias for RP? You have clientkey,
>> myservicekey and mystskey. Vice versa, I need to export signing cert from
>> RP to import it to ADFS. Do you have signing cert somewhere or I have to
>> export it myself?
>>
>> Thanks.
>>
>> Gina
>>
>>
>> On Mon, May 14, 2012 at 2:19 PM, Oliver Wulff <owulff@talend.com> wrote:
>>
>> > Hi Gina
>> >
>> > >>>
>> > But I still don't understand why I have to copy stsstore.jks file into
>> RP.
>> > stsstore.jks is the keystore file of STS and it should be sitting on
>> > somewhere on tomcat-idp not tomcat-rp. And tomcat-rp should have its
>> own
>> > keystore file, for example clientstore.jks.
>> > When client issues AuthnRequest to STS, it will sign AuthnRequest with
>> STS
>> > signing certificate. Vice versa, when STS issues Assertion token, it
>> will be
>> > signed by client signing certificate.
>> > In fediz project scenario, RP will be the client and it will never have
>> > keystore file of STS.
>> > I just looked at content of stsstore.jks and it looks like that you
>> > combined sts, client and service keystore file into one - stsstore.jks.
>> In
>> > other words, stsstore.jks is being used as a keystore file for all
>> three -
>> > client, service and sts. Is that correct? I think that they should be
>> > separated. Kind of confusing until list content of stsstore.jks.
>> > >>>
>> > You're right - this is confusing. The STS signs the SAML token with the
>> > private which correlates to the STS certificate. The RP requires the CA
>> > certificates and the STS certificate (if self-signed as in this demo
>> case)
>> > to validate the SAML token.
>> >
>> > I was too lazy in creating two keystores (I just copied the keystore
>> used
>> > by the CXF STS distribution). In a production environment, one keystore
>> > contains the private key and the certificate for the STS and the other
>> > contains the certificate only for the RP.
>> >
>> > I've started documenting fediz here:
>> > http://cxf.apache.org/fediz.html
>> >
>> > It would make sense to add a section what to consider for production
>> > implementation. I'll add that.
>> >
>> > Thanks
>> >
>> > ------
>> >
>> > Oliver Wulff
>> >
>> > Blog: http://owulff.blogspot.com
>> > Solution Architect
>> > http://coders.talend.com
>> >
>> > Talend Application Integration Division http://www.talend.com
>> >
>> > ________________________________________
>> > From: Gina Choi [ginachoi88@gmail.com]
>> > Sent: 14 May 2012 18:00
>> > To: Oliver Wulff
>> > Cc: users@cxf.apache.org
>> > Subject: Re: CXF supporting scope
>> >
>> > Hi Oliver,
>> >
>> > Thanks for your response. I copied over stsstore.jks into tomcat rp and
>> I
>> > am seeing saml token now.
>> >
>> > >The SAML token issued by the IDP/STS is signed and the used certificate
>> > must be referenced to >validate the signature:
>> >
>> > ><trustedIssuerItem provider=".*CN=www.sts.com.*">
>> > ><keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>> > password="stsspass" type="file" />
>> > ></trustedIssuerItem>
>> >
>> > >In this example, I used a self-signed certificate and I was too lazy in
>> > separating the keystore into >one with the private key and into one
>> > without.
>> >
>> > >You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.
>> >
>> > But I still don't understand why I have to copy stsstore.jks file into
>> RP.
>> > stsstore.jks is the keystore file of STS and it should be sitting on
>> > somewhere on tomcat-idp not tomcat-rp. And tomcat-rp should have its
>> own
>> > keystore file, for example clientstore.jks.
>> >
>> > When client issues AuthnRequest to STS, it will sign AuthnRequest with
>> STS
>> > signing certificate. Vice versa, when STS issues Assertion token, it
>> will be
>> > signed by client signing certificate.
>> >
>> > In fediz project scenario, RP will be the client and it will never have
>> > keystore file of STS.
>> >
>> > I just looked at content of stsstore.jks and it looks like that you
>> > combined sts, client and service keystore file into one - stsstore.jks.
>> In
>> > other words, stsstore.jks is being used as a keystore file for all
>> three -
>> > client, service and sts. Is that correct? I think that they should be
>> > separated. Kind of confusing until list content of stsstore.jks.
>> >
>> > Thanks.
>> >
>> > Gina
>> >
>> >
>> > On Fri, May 11, 2012 at 2:55 AM, Oliver Wulff <owulff@talend.com>
>> wrote:
>> >
>> > >  Hi Gina
>> > >
>> > >
>> > >
>> > > The SAML token issued by the IDP/STS is signed and the used
>> certificate
>> > > must be referenced to validate the signature:
>> > >
>> > >
>> > >
>> > >  <trustedIssuerItem provider=".*CN=www.sts.com.*">
>> > > <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>> > > password="stsspass" type="file" />
>> > > </trustedIssuerItem>
>> > >
>> > > In this example, I used a self-signed certificate and I was too lazy
>> in
>> > > separating the keystore into one with the private key and into one
>> > without.
>> > >
>> > >
>> > >
>> > > You find the stsstore.jks in fedizidpsts.war. Just copy it to the RP.
>> > >
>> > >
>> > >
>> > > In your scenario with ADFS. You must import the CA certs which signed
>> the
>> > > ADFS cert into a keystore and configure the CN name as a regular
>> > expression
>> > > in the attribute "provider". (The name provider is misleading, will fix
>> > that)
>> > >
>> > >
>> > >
>> > > Thanks
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > ------
>> > >
>> > > Oliver Wulff
>> > >
>> > > Blog: http://owulff.blogspot.com
>> > > Solution Architect
>> > > http://coders.talend.com
>> > >
>> > > <http://coders.talend.com>Talend Application Integration Division
>> > > http://www.talend.com
>> > >   ------------------------------
>> > > *From:* Gina Choi [ginachoi88@gmail.com]
>> > > *Sent:* 11 May 2012 00:44
>> > >
>> > > *To:* Oliver Wulff
>> > > *Cc:* users@cxf.apache.org
>> > > *Subject:* Re: CXF supporting scope
>> > >
>> > >   Hi Oliver,
>> > >
>> > > Until this afternoon, I didn't have time to work with Fediz. Finally I
>> > > have successfully deployed idp, sts and simpleWebapp on Tomcat7.0.27.
>> > > Everything went well. I guess that on the other day, I thought doing
>> some
>> > > thing, but I probably did something else. :)
>> > > After typing https://localhost:8443/fedizhelloworld/secureservlet/fed on
>> > > the browser, I inputted test user name and password, but it failed.
>> > >
>> > >
>> > > org.apache.ws.security.components.crypto.CredentialException: Proxy
>> file
>> > (/projects/fediz/tomcat-rp2/conf/stsstore.jks) not found.
>> > >
>> > >
>> > > In your fediz_config.xml, you have following lines. Why do we put sts
>> key
>> > > store file on RP server? Does web application need to know where is
>> sts
>> > > keystore file?
>> > >
>> > >   <trustedIssuers>
>> > >    <trustedIssuerItem provider=".*CN=www.sts.com.*">
>> > >     <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>> > > password="stsspass" type="file" />
>> > >    </trustedIssuerItem>
>> > >   </trustedIssuers>
>> > >
>> > >
>> > > Thanks.
>> > >
>> > > Gina
>> > >
>> > >  On Wed, May 9, 2012 at 1:45 AM, Oliver Wulff <owulff@talend.com>
>> wrote:
>> > >
>> > >>  Hi Gina
>> > >>
>> > >> The steps are absolutely correct. Not sure about the failing
>> deployment
>> > >> step for the application. Have you also updated tomcat-users.xml of
>> the
>> > >> second tomcat instance? Or was the application already deployed once
>> and
>> > >> you must run "mvn clean install tomcat:redeploy"? Is anything logged
>> on
>> > >> catalina.out?
>> > >> Otherwise, just copy the war manually from
>> target/fedizhelloworld.war to
>> > >> <tomcat-dir>/webapps.
>> > >>
>> > >> I've checked in fediz_config.xml in
>> > examples/simpleWebapp/src/main/config
>> > >> (sorry for that). Please manually copy it to the location you've
>> > configured
>> > >> in the context.xml. Ensure that the IDP url (later ADFS):
>> > >> <issuer>https://localhost:9443/fedizidp/</issuer>
>> > >> and the location of the trusted keystore is updated:
>> > >> <keyStore file="/projects/fediz/tomcat-rp2/conf/stsstore.jks"
>> > >> password="stsspass" type="file" />
>> > >>
>> > >> It will be supported in the next days to also configure a relative
>> > >> location to catalina.home.
>> > >>
>> > >>
>> > >> Thanks
>> > >> Oli
>> > >>
>> > >>
>> > >>
>> > >> ------
>> > >>
>> > >> Oliver Wulff
>> > >>
>> > >> Blog: http://owulff.blogspot.com
>> > >> Solution Architect
>> > >> http://coders.talend.com
>> > >>
>> > >> <http://coders.talend.com>Talend Application Integration Division
>> > >> http://www.talend.com
>> > >>   ------------------------------
>> > >> *From:* Gina Choi [ginachoi88@gmail.com]
>> > >> *Sent:* 09 May 2012 00:55
>> > >>
>> > >> *To:* Oliver Wulff
>> > >> *Cc:* users@cxf.apache.org
>> > >> *Subject:* Re: CXF supporting scope
>> > >>
>> > >>   By the way I checked out head version fediz project from SVN.
>> > >>
>> > >> On Tue, May 8, 2012 at 6:36 PM, Gina Choi <ginachoi88@gmail.com>
>> wrote:
>> > >>
>> > >>> Hi Oliver,
>> > >>>
>> > >>> I am using separate Tomcat instance for IDP and application and I
>> set
>> > up
>> > >>> https. Following is what I did.
>> > >>>
>> > >>> I checked out Fediz project into my local machine. As you explained
>> on
>> > >>> your post
>> > >>>
>> >
>> http://owulff.blogspot.com/2011/11/configure-tomcat-for-federation-part.html
>> > ,
>> > >>> I ran mvn clean install in plugins/core, plugins/tomcat and
>> > >>> examples/simpleWebapp/. I configured maven's settings.xml and updated
>> > >>> tomcat-users.xml. I ran mvn tomcat:deploy under fediz\trunk\plugins,
>> > and I
>> > >>> am seeing both IDP and STS are deployed.
>> > >>>
>> > >>> I am just having problem with deploying sample application in another
>> > >>> Tomcat instance.
>> > >>>
>> > >>> 1. I created  sub-directory fediz in ${catalina.home}/lib of the
>> > >>> tomcat-rp.
>> > >>> 2. I have following line in the catalina.properties in
>> > >>> ${catalina.home}/conf.
>> > >>>
>> > >>>
>> >
>> common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/fediz/*.jar
>> > >>> 3. I deployed the built libraries and dependencies to the directory
>> > >>> created in (1)
>> > >>> I got the built libraries from
>> > fediz-tomcat/target/fediz-tomcat-0.6-SNAPSHOT-zip-with-dependencies.zip.
>> > >>> After this, I am getting error messages when start Tomcat. This
>> > preventing
>> > >>> me step5 for deploying applications properly.
>> > >>>  If I replace generated lib/fediz jar files with old jar files that
>> I
>> > >>> downloaded from your post, I am able to start tomcat without error
>> and
>> > able
>> > >>> to deploy application, but couldn't run properly.
>> > >>> 4. Since I can't find fediz_config.xml, I configured
>> > >>> META-INF/context.xml as follows.
>> > >>>
>> > >>> <Context>
>> > >>>   <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>> > >>>     issuerURL="https://localhost:9443/fedizidp/"
>> > >>>     truststoreFile="conf/stsstore.jks"
>> > >>>     truststorePassword="stsspass"
>> > >>>     trustedIssuer=".*CN=www.sts.com.*" />
>> > >>> </Context>
>> > >>> 5. If I run mvn tomcat:deploy under
>> fediz\trunk\examples\simpleWebapp,
>> > I
>> > >>> am getting following error message.
>> > >>>
>> > >>> Failed to execute goal
>> org.codehaus.mojo:tomcat-maven-plugin:1.1:deploy
>> > >>> (default-cli) on project simpleWebapp: Cannot invoke Tomcat manager:
>> > FAIL -
>> > >>> Failed to deploy application at context path /fedizhelloworld ->
>> [Help
>> > 1]
>> > >>>
>> > >>> So, I couldn't get your application run. I hope that all these
>> problem
>> > >>> caused because of missing fediz_config.xml.
>> > >>>
>> > >>> Thanks.
>> > >>>
>> > >>> Gina
>> > >>>   On Tue, May 8, 2012 at 2:46 PM, Oliver Wulff <owulff@talend.com
>> > >wrote:
>> > >>>
>> > >>>>  Hi Gina
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> I'll send you and checkin the fediz_config.xml as soon as I can -
>> I'm
>> > >>>> on the way right now.
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> This STS URL is fine, the Mock IDP uses the CXF STS. When the
>> > >>>> application works you will change in your application
>> > (fediz_config.xml)
>> > >>>> the issuerUrl of ADFS.
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> Have you configured HTTPS for the IDP Tomcat instance and your
>> > >>>> application Tomcat instance?
>> > >>>>
>> > >>>> I recommend to use a separate instance of the IDP and your
>> > application.
>> > >>>>
>> > >>>> Do you use the port 9443?
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> Thanks
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> ------
>> > >>>>
>> > >>>> Oliver Wulff
>> > >>>>
>> > >>>> Blog: http://owulff.blogspot.com
>> > >>>> Solution Architect
>> > >>>> http://coders.talend.com
>> > >>>>
>> > >>>> <http://coders.talend.com>Talend Application Integration Division
>> > >>>> http://www.talend.com
>> > >>>>   ------------------------------
>> > >>>> *From:* Gina Choi [ginachoi88@gmail.com]
>> > >>>> *Sent:* 08 May 2012 20:20
>> > >>>>
>> > >>>> *To:* Oliver Wulff
>> > >>>> *Cc:* users@cxf.apache.org
>> > >>>> *Subject:* Re: CXF supporting scope
>> > >>>>
>> > >>>>    Hi Oliver
>> > >>>>
>> > >>>> >I'd recommend to successfully deploy the wsclientWebapp sample and
>> > the
>> > >>>> IDP. When this works, rip&replace >one piece after the other. I'd
>> > recommend
>> > >>>> to choose the following approach.
>> > >>>>
>> > >>>> >1) Replace the Fediz IDP by ADFS
>> > >>>> >      + configure the ADFS issuerUrl (context.xml)
>> > >>>> >      + ensure that ADFS supports WS-Federation Passive Requestor
>> > >>>> Profile
>> > >>>> >      + configure the certificate used by ADFS to sign the SAML
>> token
>> > >>>> >
>> > >>>> >(the most recent version of fediz uses a separate xml file for the
>> > >>>> configuration)
>> > >>>>
>> > >>>> Somehow I couldn't deploy both fediz\trunk\services and
>> > >>>> fediz\trunk\examples\wsclientWebapp on Tomcat7.0.27, so I deployed
>> > them on
>> > >>>> Tomcat 7.0.21. I checked tomcat user name and Maven's settings file
>> > all,
>> > >>>> but couldn't find reason. It just said that can't invoke Tomcat
>> > Manager.
>> > >>>> But since I was able to deploy it on tomcat 7.0.21, I decided to
>> > figure it
>> > >>>> out later.
>> > >>>>
>> > >>>> In the context.xml, I have following content. So, it looks like
>> that
>> > >>>> issuerURL defined inside fediz_config.xml, but I searched all
>> > directories,
>> > >>>> but couldn't find a file called fediz_config.xml.
>> > >>>>
>> > >>>> <Context>
>> > >>>>         <Valve
>> > >>>> className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>> > >>>> configFile="conf/fediz_config.xml" />
>> > >>>>         <!--<Valve
>> > >>>> className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>> > issuerURL="
>> > >>>> https://localhost:9443/fedizidp/"
>> truststoreFile="conf/stsstore.jks"
>> > >>>> truststorePassword="stsspass" trustedIssuer=".*CN=www.sts.com.*"
>> />-->
>> > >>>>         <!--Valve
>> > >>>> className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
>> > >>>>
>> >
>> issuerCallbackHandler="org.apache.cxf.fediz.tomcat.DummyIDPCallbackHandler"
>> > >>>> truststoreFile="conf/stsstore.jks" truststorePassword="stsspass"
>> > >>>> />-->
>> > >>>> </Context>
>> > >>>>
>> > >>>> In the web.xml file of the idp, you have following content. ADFS
>> has
>> > >>>> mex address. so, I assume that I need to replace value of
>> > sts.wsdl.url with
>> > >>>> ADFS mex address.
>> > >>>>
>> > >>>>
>> > >>>>  <servlet>
>> > >>>>   <servlet-name>FederationServlet</servlet-name>
>> > >>>>
>> > >>>>
>> >
>> <servlet-class>org.apache.cxf.fediz.service.idp.IdpServlet</servlet-class>
>> > >>>>   <init-param>
>> > >>>>    <param-name>sts.wsdl.url</param-name>
>> > >>>>    <param-value>https://localhost:9443/fedizidpsts/STSService?wsdl
>> > >>>> </param-value>
>> > >>>>   </init-param>
>> > >>>>   <init-param>
>> > >>>>    <param-name>sts.wsdl.service</param-name>
>> > >>>>    <param-value>SecurityTokenService</param-value>
>> > >>>>   </init-param>
>> > >>>>
>> > >>>> Thanks.
>> > >>>>
>> > >>>> Gina
>> > >>>>  On Tue, May 8, 2012 at 2:26 AM, Oliver Wulff <owulff@talend.com
>> > >wrote:
>> > >>>>
>> > >>>>>  Hi Gina
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> >>>
>> > >>>>>
>> > >>>>> I don't mind giving up existing implementation as long as I find
>> > >>>>> better solution. I was hoping that Fediz project
>> > >>>>>
>> > >>>>> uses only Apache CXF instead of introducing another FrameWork -
>> > >>>>> OpenSAML.
>> > >>>>>
>> > >>>>> >>>
>> > >>>>>
>> > >>>>> Apache CXF uses OpenSAML too for all SAML processing for SOAP and
>> > REST
>> > >>>>> based service communication. OpenSAML is widely used and bundled
>> > into other
>> > >>>>> frameworks like CXF and Fediz.
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> >>>
>> > >>>>>
>> > >>>>> If I only consider passive profile at this moment, what changes
>> are
>> > >>>>> need to Fediz project to point to ADFS(STS) instead of Apache CXF
>> STS?
>> > Where
>> > >>>>> did you define your stsActionURL? I like to start with passive
>> > profile
>> > >>>>> since it is easier to start with. I can use your sample
>> application.
>> > It
>> > >>>>> doesn't matter if I use Airline or not since it is a just
>> prototype
>> > >>>>>
>> > >>>>> >>>
>> > >>>>>
>> > >>>>> I'd recommend to successfully deploy the wsclientWebapp sample and
>> > the
>> > >>>>> IDP. When this works, rip&replace one piece after the other. I'd
>> > recommend
>> > >>>>> to choose the following approach.
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> 1) Replace the Fediz IDP by ADFS
>> > >>>>>
>> > >>>>>       + configure the ADFS issuerUrl (context.xml)
>> > >>>>>
>> > >>>>>       + ensure that ADFS supports WS-Federation Passive Requestor
>> > >>>>> Profile
>> > >>>>>
>> > >>>>>       + configure the certificate used by ADFS to sign the SAML
>> token
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> (the most recent version of fediz uses a separate xml file for the
>> > >>>>> configuration)
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> 2) Update the webapp to generate and use the stubs of the
>> > >>>>> BookingService in the FederationServlet (just a test - call the
>> > simplest
>> > >>>>> method). Configure the ASP.NET wsdl location (usually url?wsdl).
>> > >>>>> Configure the ADFS STS url in the STSClient bean in the beans.xml
>> > >>>>> configuration. Change the property onbehalfof to actas.
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> HTH
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> ------
>> > >>>>>
>> > >>>>> Oliver Wulff
>> > >>>>>
>> > >>>>> Blog: http://owulff.blogspot.com
>> > >>>>> Solution Architect
>> > >>>>> http://coders.talend.com
>> > >>>>>
>> > >>>>> <http://coders.talend.com>Talend Application Integration Division
>> > >>>>> http://www.talend.com
>> > >>>>>   ------------------------------
>> > >>>>> *From:* Gina Choi [ginachoi88@gmail.com]
>> > >>>>> *Sent:* 08 May 2012 01:05
>> > >>>>> *To:* Oliver Wulff
>> > >>>>> *Cc:* users@cxf.apache.org
>> > >>>>>
>> > >>>>> *Subject:* Re: CXF supporting scope
>> > >>>>>
>> > >>>>>    Hi Oliver,
>> > >>>>>
>> > >>>>> I am not responsible for BookingService(.NET). The other guys who
>> > >>>>> implemented it using WIF. You know that Microsoft created WIF and
>> > tested
>> > >>>>> with ADFS, so if it doesn't work, I would be surprised.
>> > >>>>>  >Which Servlet container do you use?
>> > >>>>> I am using Tomcat7.
>> > >>>>>
>> > >>>>>
>> > >>>>> >In your current setup, how does the samlp:Response look like?
>> > >>>>> I sent you decoded SAML response token in separate email. I am
>> > >>>>> retrieving base64 encoded saml response token using following
>> code.
>> > >>>>>
>> > >>>>>
>> > >>>>> String encodedSamlResponseTokenStr =
>> > >>>>> request.getParameter("SAMLResponse");
>> > >>>>>
>> > >>>>> I don't mind giving up existing implementation as long as I find
>> > >>>>> better solution. I was hoping that Fediz project uses only Apache
>> CXF
>> > >>>>> instead of introducing another FrameWork - OpenSAML.
>> > >>>>>
>> > >>>>> I loaded
>> > >>>>>
>> >
>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/to
>> > >>>>> the Eclipse today.
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> Basically I need following three URL for ADFS(STS). First two is
>> for
>> > >>>>> active profile and third one is for passive profile(SP initiated
>> > Redirect
>> > >>>>> POST bindings). If I only consider passive profile at this moment,
>> > what
>> > >>>>> changes are need to Fediz project to point to ADFS(STS) instead of
>> > Apache CXF
>> > >>>>> STS? Where did you define your stsActionURL? I like to start with
>> > passive
>> > >>>>> profile since it is easier to start with. I can use your sample
>> > >>>>> application. It doesn't matter if I use Airline or not since it
>> is a
>> > just
>> > >>>>> prototype.
>> > >>>>>
>> > >>>>> private static final String stsEndpoint =
>> > >>>>>     "https://strts01.ams.dev/adfs/services/trust/13/usernamemixed";
>> > >>>>>
>> > >>>>> private static final String stsMEXAddress =
>> > >>>>>     "https://strts01.ams.dev/adfs/services/trust/mex";
>> > >>>>>
>> > >>>>> private static final String stsActionURL =
>> > >>>>>     "https://strts01.ams.dev/adfs/ls/";
>> > >>>>>
>> > >>>>>
>> > >>>>>  Thanks again for your guidance.
>> > >>>>>
>> > >>>>> Gina
>> > >>>>>
>> > >>>>> On Mon, May 7, 2012 at 3:36 PM, Oliver Wulff <owulff@talend.com
>> > >wrote:
>> > >>>>>
>> > >>>>>>  Hi Gina
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> The fediz project is used to protect your web application where
>> the
>> > >>>>>> client is a browser. Right now, Fediz supports WS-Federation
>> Passive
>> > >>>>>> Requestor Profile which is supported by ADFS and usually used in
>> > the .NET
>> > >>>>>> world as the default mechanism. You don't have to implement
>> that
>> > in
>> > >>>>>> your application - that's done by the Fediz plugin. Fediz uses
>> > opensaml for
>> > >>>>>> SAML processing.
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> The original URL is stored in the wreply parameter. .NET uses a
>> > >>>>>> combination of the wtrealm and wctx parameter.
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> Your Airline application can use CXF for the web services
>> > >>>>>> communication (for the REST communication also, if you like). The
>> > built-in
>> > >>>>>> support in CXF for the IssuedToken assertion (WS-SecurityPolicy)
>> > supports
>> > >>>>>> to get a token from ADFS using actas. In my example, just use
>> actas
>> > instead
>> > >>>>>> of onbehalfof property.
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> >>>
>> > >>>>>>
>> > >>>>>>  ADFS generate SAMLtoken and this SAML token is sent back to
>> > >>>>>> Airline(Airline does all validation work) and cached in the
>> > session. - This
>> > >>>>>> part is implemented.
>> > >>>>>>
>> > >>>>>> >>>
>> > >>>>>>
>> > >>>>>> The validation work is already done by Fediz. Session management
>> is
>> > >>>>>> then done by the JEE container. Your application is called after
>> > the SAML
>> > >>>>>> token issued by ADFS is successfully validated. The container
>> will
>> > create
>> > >>>>>> the session and check every incoming request whether the used
>> token
>> > is
>> > >>>>>> still valid - otherwise, the browser is redirected again to ADFS.
>> > You could
>> > >>>>>> also configure some roles in ADFS to protect your web application
>> > as the
>> > >>>>>> fediz plugin tells the container the userid as well as its roles.
>> > You could
>> > >>>>>> even use claims if you like.
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> Which Servlet container do you use?
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> In your current setup, how does the samlp:Response look like?
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> Thanks
>> > >>>>>>
>> > >>>>>> Oli
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> ------
>> > >>>>>>
>> > >>>>>> Oliver Wulff
>> > >>>>>>
>> > >>>>>> Blog: http://owulff.blogspot.com
>> > >>>>>> Solution Architect
>> > >>>>>> http://coders.talend.com
>> > >>>>>>
>> > >>>>>> <http://coders.talend.com>Talend Application Integration
>> Division
>> > >>>>>> http://www.talend.com
>> > >>>>>>   ------------------------------
>> > >>>>>> *From:* Gina Choi [ginachoi88@gmail.com]
>> > >>>>>> *Sent:* 07 May 2012 20:24
>> > >>>>>> *To:* users@cxf.apache.org
>> > >>>>>> *Cc:* Oliver Wulff
>> > >>>>>> *Subject:* Re: CXF supporting scope
>> > >>>>>>
>> > >>>>>>    Hi Oliver,
>> > >>>>>>
>> > >>>>>> I did notice that your sample application used both opensaml and
>> > >>>>>> openws libraries. Are they used by Apache CXF or just by Fediz
>> > project?
>> > >>>>>>
>> > >>>>>> I need to clarify my environment further to give you better
>> picture.
>> > >>>>>>
>> > >>>>>> 1. All web services in my application are REST. The only reason
>> that
>> > >>>>>> I use SOAP is to create a soap client to call .NET SOAP web
>> service
>> > which
>> > >>>>>> resides on another application. I am working with a .NET guy to
>> > prove some
>> > >>>>>> prototypes. His sample application is BookingService which I
>> > provided you
>> > >>>>>> wsdl. I am working on Airline.
>> > >>>>>>
>> > >>>>>> BookingService: .NET4.0 SOAP
>> > >>>>>> Airline: Java with REST
>> > >>>>>>
>> > >>>>>> 2. Both BookingService and Airline use same ADFS as STS. We have
>> set
>> > >>>>>> up relying parties for BookingService and Airline in ADFS.
>> > >>>>>>
>> > >>>>>> 3. SSO:  A user will be using both Airline and BookingService.
>> So,
>> > >>>>>> she/he should be able to log on once for both applications. In
>> > Airline(my
>> > >>>>>> application), I used SP initiated POST redirect bindings. So,
>> when
>> > a user
>> > >>>>>> make a request to Airline at first time, the user will be
>> > redirected to
>> > >>>>>> ADFS and asked credentials. After user provide username/password,
>> > ADFS
>> > >>>>>> generate SAMLtoken and this SAML token is sent back to
>> > Airline(Airline does
>> > >>>>>> all validation work) and cached in the session. - This part is
>> > implemented.
>> > >>>>>>
>> > >>>>>> 4. Now a user call BookingService which is claim aware. So, I
>> need
>> > to
>> > >>>>>> inject Assertion token get from previous step inside actas
>> element
>> > to call
>> > >>>>>> STS(ADFS2.0) to get a new token. With that new token, I will be
>> > calling
>> > >>>>>> Booking service.
>> > >>>>>>
>> > >>>>>> So, I don't think that I am able to use Apache CXF STS part since
>> my
>> > >>>>>> STS will be ADFS. So, I am hoping that Apache CXF can work with
>> > ADFS(STS)
>> > >>>>>> to support my prototypes.
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> Thanks.
>> > >>>>>>
>> > >>>>>> Gina
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <owulff@talend.com
>> > >wrote:
>> > >>>>>>
>> > >>>>>>> Hi Gina
>> > >>>>>>>
>> > >>>>>>> >>>
>> > >>>>>>> So, what I need is after user log on using Web SSO, the SAML
>> token
>> > >>>>>>> should be cached in web context and being used as actas token
>> when
>> > making a
>> > >>>>>>> call to .NET web service.
>> > >>>>>>> >>>
>> > >>>>>>>  This is supported by CXF without writing any single line of
>> code.
>> > I
>> > >>>>>>> do have a sample web application here:
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
>> > >>>>>>>
>> > >>>>>>> This example illustrates:
>> > >>>>>>> - fediz is configured for web sso
>> > >>>>>>> - SAML token is cached in the session and used to request a new
>> > >>>>>>> token from the STS
>> > >>>>>>>
>> > >>>>>>> The code to call the web service is in
>> FederationServlet.doPost():
>> > >>>>>>> ...
>> > >>>>>>> Greeter service =
>> > >>>>>>>     (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
>> > >>>>>>> String reply = service.greetMe();
>> > >>>>>>> ...
>> > >>>>>>>
>> > >>>>>>> The magic is in the configuration I used here:
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
>> > >>>>>>>
>> > >>>>>>> The following property registers a callback handler to provide
>> the
>> > >>>>>>> STSClient the token of the Web Login:
>> > >>>>>>> <property name="onBehalfOf" ref="delegationCallbackHandler" />
>> > >>>>>>>
>> > >>>>>>> (There is also a property for actAs)
>> > >>>>>>>
>> > >>>>>>> The above example should exactly do what you need. You just
>> have to
>> > >>>>>>> change the above property to use ActAs instead of OnBehalfOf.
>> The
>> > details
>> > >>>>>>> for this example are described here:
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> To test this easily, you can use the Mock IDP as part of Fediz
>> for
>> > >>>>>>> the authentication. You could also attach Active Directory in
>> the
>> > Mock if
>> > >>>>>>> you like. See here:
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
>> > >>>>>>>
>> > >>>>>>> I use that within a customer set up to connect the CXF STS to
>> > Active
>> > >>>>>>> Directory.
>> > >>>>>>>
>> > >>>>>>> >>>
>> > >>>>>>> What is Spring role in CXF?
>> > >>>>>>> >>>
>> > >>>>>>>  You can use Spring to configure your services. The above
>> example
>> > is
>> > >>>>>>> based on spring. As you see, all security related stuff is
>> enabled
>> > by
>> > >>>>>>> configuration (Convention of Configuration). You can also write
>> an
>> > >>>>>>> application without spring but I wouldn't write an application
>> > without
>> > >>>>>>> spring nowadays but this is up to you.
>> > >>>>>>>
>> > >>>>>>> >>>
>> > >>>>>>> I don't know much LDAP, but it should be used as an attribute
>> > store.
>> > >>>>>>> I consider it as an alternative of Active Directory. Please
>> > correct me if I
>> > >>>>>>> am wrong.
>> > >>>>>>> >>>
>> > >>>>>>>  Active Directory provides different interfaces. One of them is
>> > >>>>>>> LDAP. You can use the LDAPLoginModule of the JDK for
>> > authentication. But
>> > >>>>>>> you don't have to care that much as ADFS (and maybe the Fediz
>> Mock
>> > for
>> > >>>>>>> testing) will access ActiveDirectory to read the claims to add
>> > them to the
>> > >>>>>>> SAML token.
>> > >>>>>>>
>> > >>>>>>> Could you zip the wsdl before attaching?
>> > >>>>>>>
>> > >>>>>>> Thanks
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> ------
>> > >>>>>>>
>> > >>>>>>> Oliver Wulff
>> > >>>>>>>
>> > >>>>>>> Blog: http://owulff.blogspot.com
>> > >>>>>>> Solution Architect
>> > >>>>>>> http://coders.talend.com
>> > >>>>>>>
>> > >>>>>>> Talend Application Integration Division
>> > >>>>>>> http://www.talend.com
>> > >>>>>>>
>> > >>>>>>> ________________________________
>> > >>>>>>> From: Gina Choi [ginachoi88@gmail.com]
>> > >>>>>>> Sent: Friday, 4 May 2012 20:54
>> > >>>>>>> To: users@cxf.apache.org
>> > >>>>>>> Subject: Re: CXF supporting scope
>> > >>>>>>>
>> > >>>>>>> Hi Oliver,
>> > >>>>>>>
>> > >>>>>>> Thanks for your response.
>> > >>>>>>>
>> > >>>>>>>  >You mean that WIF is deployed in the ASP.NET
>> > web
>> > >>>>>>> service using the Active Requestor Profile?
>> > >>>>>>> >The SAML token should contain the claims as an
>> AttributeStatement?
>> > >>>>>>> >Can you share with us the WS-SecurityPolicy of this Web
>> Service?
>> > >>>>>>> I have attached two wsdl file. BookingService.wsdl and
>> > >>>>>>> BookingService_imported.wsdl. BookingService.wsdl  is importing
>> > >>>>>>> BookingService_imported.wsdl and if you open
>> BookingService.wsdl,
>> > in line
>> > >>>>>>> 10 there is an importing statement like below. This .NET4.0
>> > service is not
>> > >>>>>>> owned by me and I don't know if separating wsdl file is common
>> > practice. Is
>> > >>>>>>> there any way to combine them into one when generating artifacts
>> using
>> > wsimport?
>> > >>>>>>> I will be calling CheckIn operation.
>> > >>>>>>>
>> > >>>>>>> <wsdl:import location="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0"
>> > >>>>>>> namespace="http://tempuri.org/"/>
>> > >>>>>>>
>> > >>>>>>> >I haven't used ADFS using WS-Trust so far. Usually, it uses a
>> > >>>>>>> Symmetric and Asymmetric binding.
>> > >>>>>>> >What roles does ADFS 2.0 play?
>> > >>>>>>> >Once as the IDP for the Web application SSO and once to let
>> issue
>> > a
>> > >>>>>>> token onbehalfof/actas the original token >from the Web SSO?
>> (this
>> > is
>> > >>>>>>> supported by CXF-Fediz)
>> > >>>>>>> >
>> > >>>>>>>
>> > >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>> > >>>>>>> I am using Active Directory as an attribute store. So, I could
>> say
>> > >>>>>>> ADFS role should be IDP. So, what I need is after user log on
>> > using Web
>> > >>>>>>> SSO, the SAML token should be cached in web context and being
>> used
>> > as actas
>> > >>>>>>> token when making a call to .NET web service.
>> > >>>>>>>
>> > >>>>>>> > Yes, the passive profile is supported by Fediz. Is ADFS the
>> IDP?
>> > >>>>>>> In which application server is your web >application deployed?
>> > >>>>>>> ADFS is IDP and my Java web application is Service Provider.
>> > >>>>>>>
>> > >>>>>>> >What do you mean exactly? Is LDAP used for authentication by
>> the
>> > >>>>>>> STS? Or should the service provider retrieve >the claims/roles
>> > from LDAP?
>> > >>>>>>> I don't know much LDAP, but it should be used as an attribute
>> > store.
>> > >>>>>>> I consider it as an alternative of Active Directory. Please
>> > correct me if I
>> > >>>>>>> am wrong. I have been reading many specifications, but I am
>> still
>> > having
>> > >>>>>>> hard time to straighten out the correct terms.
>> > >>>>>>>
>> > >>>>>>> >No, Spring is not a requirement.
>> > >>>>>>> What is Spring role in CXF?
>> > >>>>>>>
>> > >>>>>>> Thanks.
>> > >>>>>>>
>> > >>>>>>> Gina
>> > >>>>>>> On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <owulff@talend.com> wrote:
>> > >>>>>>> >>>
>> > >>>>>>> 1. I have to create a client for .NET4.0 web service which is claim
>> > >>>>>>> aware. So,
>> > >>>>>>> how is CXF interoperability with .NET?
>> > >>>>>>> >>>
>> > >>>>>>>  You mean that WIF is deployed in the ASP.NET
>> web
>> > >>>>>>> service using the Active Requestor Profile?
>> > >>>>>>> The SAML token should contain the claims as an
>> AttributeStatement?
>> > >>>>>>> Can you share with us the WS-SecurityPolicy of this Web Service?
>> > >>>>>>>
>> > >>>>>>> >>>
>> > >>>>>>> 2. If CXF supports ADFS2.0 as STS.
>> > >>>>>>> >>>
>> > >>>>>>> I haven't used ADFS using WS-Trust so far. Usually, it uses a
>> > >>>>>>> Symmetric and Asymmetric binding.
>> > >>>>>>> What roles does ADFS 2.0 play?
>> > >>>>>>> Once as the IDP for the Web application SSO and once to let
>> issue a
>> > >>>>>>> token onbehalfof/actas the original token from the Web SSO?
>> (this
>> > is
>> > >>>>>>> supported by CXF-Fediz)
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>> > >>>>>>>
>> > >>>>>>> >>>
>> > >>>>>>> 3. If CXF supports passive profile. Especially SP initiated
>> Redirect
>> > >>>>>>> ->  POST
>> > >>>>>>> binding.
>> > >>>>>>> >>>
>> > >>>>>>> Yes, the passive profile is supported by Fediz. Is ADFS the
>> IDP? In
>> > >>>>>>> which application server is your web application deployed?
>> > >>>>>>>
>> > >>>>>>> >>>
>> > >>>>>>> 4. If CXF can work with LDAP.
>> > >>>>>>> >>>
>> > >>>>>>> What do you mean exactly? Is LDAP used for authentication by the
>> > >>>>>>> STS? Or should the service provider retrieve the claims/roles
>> from
>> > LDAP?
>> > >>>>>>>
>> > >>>>>>> >>>>
>> > >>>>>>> 5. My application doesn't use Spring framework. Do I have to
>> use
>> > >>>>>>> Spring
>> > >>>>>>> Framework to use CXF.
>> > >>>>>>> >>>
>> > >>>>>>> No, Spring is not a requirement.
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> ------
>> > >>>>>>>
>> > >>>>>>> Oliver Wulff
>> > >>>>>>>
>> > >>>>>>> Blog: http://owulff.blogspot.com
>> > >>>>>>> Solution Architect
>> > >>>>>>> http://coders.talend.com
>> > >>>>>>>
>> > >>>>>>> Talend Application Integration Division http://www.talend.com
>> > >>>>>>>
>> > >>>>>>> ________________________________________
>> > >>>>>>> From: gchoi [gchoi@sdl.com]
>> > >>>>>>> Sent: Wednesday, 2 May 2012 17:29
>> > >>>>>>> To: users@cxf.apache.org
>> > >>>>>>> Subject: CXF supporting scope
>> > >>>>>>>
>> > >>>>>>> Hi All,
>> > >>>>>>>
>> > >>>>>>> So far, I evaluated several frameworks, but they don't seem to do
>> > what
>> > >>>>>>> I
>> > >>>>>>> expect. Several people suggested to me that I should consider CXF.
>> > >>>>>>> Before I dig
>> > >>>>>>> into CXF, I would like to know if CXF supports the following things. By
>> the
>> > >>>>>>> way, I
>> > >>>>>>> just joined this user group.
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> 1. I have to create a client for .NET4.0 web service which is claim
>> > >>>>>>> aware. So,
>> > >>>>>>> how is CXF interoperability with .NET?
>> > >>>>>>>
>> > >>>>>>> 2. If CXF supports ADFS2.0 as STS.
>> > >>>>>>>
>> > >>>>>>> 3. If CXF supports passive profile. Especially SP initiated
>> Redirect
>> > >>>>>>> ->  POST
>> > >>>>>>> binding.
>> > >>>>>>>
>> > >>>>>>> 4. If CXF can work with LDAP.
>> > >>>>>>>
>> > >>>>>>> 5. My application doesn't use Spring framework. Do I have to
>> use
>> > >>>>>>> Spring
>> > >>>>>>> Framework to use CXF.
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>> Thanks in advance.
>> > >>>>>>>
>> > >>>>>>> --
>> > >>>>>>> View this message in context:
>> > >>>>>>> http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
>> > >>>>>>> Sent from the cxf-user mailing list archive at Nabble.com.
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>>
>> > >>>>>
>> > >>>>
>> > >>>
>> > >>
>> > >
>> >
>>
>
>
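
The quoted reply from Oliver Wulff says the delegation callback handler is wired into the STSClient through the onBehalfOf property and that switching to ActAs only means changing that property. The following Spring configuration is an added illustration of that change, not the Fediz sample's beans.xml and not code from the thread; the handler class, service interface, host names and QNames are placeholders.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws
         http://cxf.apache.org/schemas/jaxws.xsd">

  <!-- Provides the default CXF bus bean named "cxf" -->
  <import resource="classpath:META-INF/cxf/cxf.xml"/>

  <!-- Hypothetical CallbackHandler: hands the STSClient the SAML token
       that was cached in the web session at Web SSO login -->
  <bean id="delegationCallbackHandler"
        class="com.example.SessionTokenCallbackHandler"/>

  <!-- Client for the claims-aware web service (placeholder interface and address) -->
  <jaxws:client id="BookingServiceClient"
                serviceClass="com.example.booking.BookingService"
                address="https://booking.example.invalid/BookingService.svc">
    <jaxws:properties>
      <entry key="ws-security.sts.client">
        <bean class="org.apache.cxf.ws.security.trust.STSClient">
          <constructor-arg ref="cxf"/>
          <!-- Placeholder STS metadata: take the real values from the STS WSDL -->
          <property name="wsdlLocation"
                    value="https://sts.example.invalid/placeholder?wsdl"/>
          <property name="serviceName"
                    value="{urn:placeholder:sts}SecurityTokenService"/>
          <property name="endpointName"
                    value="{urn:placeholder:sts}STSPort"/>
          <!-- Before: <property name="onBehalfOf" ref="delegationCallbackHandler"/> -->
          <!-- After: the cached login token is sent in the ActAs element of the RST -->
          <property name="actAs" ref="delegationCallbackHandler"/>
          <!-- Send AppliesTo so the issued token is scoped to the target service -->
          <property name="enableAppliesTo" value="true"/>
        </bean>
      </entry>
    </jaxws:properties>
  </jaxws:client>
</beans>
```

Whether the STS accepts an ActAs request from this client for the target relying party is decided by the STS's own delegation settings, which the thread does not cover.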
