Author: buildbot
Date: Tue Oct  6 15:47:30 2015
New Revision: 967955

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/fediz-configuration.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/fediz-configuration.html
==============================================================================
--- websites/production/cxf/content/fediz-configuration.html (original)
+++ websites/production/cxf/content/fediz-configuration.html Tue Oct  6 
15:47:30 2015
@@ -129,7 +129,7 @@ Apache CXF -- Fediz Configuration
     </contextConfig>
 </FedizConfig>
 </pre>
-</div></div><p>The protocol element declares that the WS-Federation protocol 
is being used. The issuer element shows the URL to which authenticated requests 
will be redirected with a SignIn request.</p><p>The IDP issues a SAML token 
which must be validated by the plugin. The validation requires the certificate 
store of the Certificate Authority(ies) of the certificate which signed the 
SAML token. This is defined in <code>certificateStore</code>. The signing 
certificate itself is not required because <code>certificateValidation</code> 
is set to <code>ChainTrust</code>. The <code>subject</code> defines the trusted 
signing certificate using the subject as a regular expression.<br clear="none"> 
Finally, the audience URI is validated against the audience restriction in the 
SAML token.</p><h3 id="FedizConfiguration-Configurationreference">Configuration 
reference</h3><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>XML el
 ement</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Audience URI</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The values of the list of audience URIs are 
verified against the element <code>AudienceRestriction</code> in the SAML 
token</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>certificateStores</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Trusted certificate store</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The list of keystores (JKS, PEM) includes 
at least the certificate of the Certif
 icate Authorities (CA) which signed the certificate which is used to sign the 
SAML token.<br clear="none"> If the file location is not fully qualified it 
needs to be relative to the Container home directory</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>trustedIssuers</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Trusted Issuers</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>There are two ways to configure 
a trusted issuer (IDP). Either you configure the subject name and the CA(s) who 
signed the certificate of the IDP 
(<code>certificateValidation=ChainTrust</code>) or you configure the 
certificate of the IDP and the CA(s) who signed it 
(<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>maximumClockSkew</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Maximum Clock Skew</p></td><td colspan="1"
  rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Maximum allowable time difference between 
the system clocks of the IDP and RP.<br clear="none"> Default 5 
seconds.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>tokenReplayCache</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Token Replay Cache</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The <a shape="rect" class="external-link" 
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?view=markup";>TokenReplayCache</a>
 implementation to use to cache tokens. The default is an implementation based 
on EHCache.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>signingKey</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Key for Signature</p></td><td colspan="1" rowspan=
 "1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>If configured, the published (WS-Federation) <a 
shape="rect" href="fediz-metadata.html">Metadata document</a> is signed by this 
key. Otherwise, not signed.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>tokenDecryptionKey</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Decryption Key</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>A Keystore used to decrypt an encrypted 
token.</p></td></tr></tbody></table></div><h5 
id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation
 protocol configuration reference</h5><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
class="confluenc
 eTh"><p>Use</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Issuer URL</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>PassiveRequestorEndpoint</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>This URL defines the location of the IDP to 
whom unauthenticated requests are redirected</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Realm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>TargetScope</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Security realm of the Relying Party / Application. T
 his value is part of the SignIn request as the <code>wtrealm</code> 
parameter.<br clear="none"> Default: URL including the Servlet 
Context</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>authenticationType</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Authentication Type</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The authentication type defines what kind of 
authentication is required. This information is provided in the SignInRequest 
to the IDP (parameter <code>wauth</code>)<br clear="none"> The WS-Federation 
standard defines a list of predefined URIs for wauth <a shape="rect" 
class="external-link" 
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleURI</
 p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Role Claim 
URI</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Defines the attribute name of the SAML token which 
contains the roles.<br clear="none"> Required for Role Based Access 
Control.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleDelimiter</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Role Value Delimiter</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>There are different ways to encode multi value 
attributes in SAML.</p><ul><li>Single attribute with multiple 
values</li><li>Several attributes with the same name but only one 
value</li><li>Single attribute with single value. Roles are delimited by
  <code>roleDelimiter</code></li></ul></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>claimTypesRequested</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Requested claims</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>ClaimTypesRequested</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The claims required by the Relying Party are listed 
here. Claims can be optional. If a mandatory claim can't be provided by the IDP 
the issuance of the token should fail</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Home Realm</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicates the Resource IDP the home realm of the 
requestor. This may be an U
 RL or an identifier like urn: or uuid: and depends on the Resource IDP 
implementation. This value is part of the SignIn request as the 
<code>whr</code> parameter</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Freshness</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The desired "freshness" of the token from the IdP. This 
information is provided in the SignInRequest to the IdP (parameter 
<code>wfresh</code>)</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">request</td><td colspan="1" rowspan="1" 
class="confluenceTd">Request</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">This value is part of the SignIn request as 
 the wreq parameter. It can be used to specify a desired TokenType from the 
IdP.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>tokenValidators</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>TokenValidators</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Custom Token validator classes can be configured here. 
The SAML Token validator is enabled by default.<br clear="none"> See example <a 
shape="rect" class="external-link" 
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java";>here</a></p></td></tr></tbody></table></div><h5
 id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at 
runtime</h5><p>The following attributes can be either configured statically at 
deployment time or dynamically when the initial request is received:</
 
p><ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li></ul><p>These
 configuration elements allows for configuring a CallbackHandler which gets a 
Callback object where the appropriate value must be set. The CallbackHandler 
implementation has access to the HttpServletRequest. The XML attribute 
<code>type</code> must be set to <code>Class</code>.</p><p>For more information 
see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3 
id="FedizConfiguration-Advancedexample">Advanced example</h3><p>The following 
example defines the required claims and configures a custom callback handler to 
define some configuration values at runtime.</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The protocol element declares that the WS-Federation protocol 
is being used. The issuer element shows the URL to which authenticated requests 
will be redirected with a SignIn request.</p><p>The IDP issues a SAML token 
which must be validated by the plugin. The validation requires the certificate 
store of the Certificate Authority(ies) of the certificate which signed the 
SAML token. This is defined in <code>certificateStore</code>. The signing 
certificate itself is not required because <code>certificateValidation</code> 
is set to <code>ChainTrust</code>. The <code>subject</code> defines the trusted 
signing certificate using the subject as a regular expression.<br clear="none"> 
Finally, the audience URI is validated against the audience restriction in the 
SAML token.</p><h3 id="FedizConfiguration-Configurationreference">Configuration 
reference</h3><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>XML el
 ement</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>audienceUris</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Audience URI</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The values of the list of audience URIs are 
verified against the element <code>AudienceRestriction</code> in the SAML 
token</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>certificateStores</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Trusted certificate store</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Required</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The list of keystores (JKS, PEM) includes 
at least the certificate of the Certif
 icate Authorities (CA) which signed the certificate which is used to sign the 
SAML token.<br clear="none"> If the file location is not fully qualified it 
needs to be relative to the Container home directory</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>trustedIssuers</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Trusted Issuers</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Required</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>There are two ways to configure 
a trusted issuer (IDP). Either you configure the subject name and the CA(s) who 
signed the certificate of the IDP 
(<code>certificateValidation=ChainTrust</code>) or you configure the 
certificate of the IDP and the CA(s) who signed it 
(<code>certificateValidation=PeerTrust</code>)</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>maximumClockSkew</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Maximum Clock Skew</p></td><td colspan="1"
  rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Maximum allowable time difference between 
the system clocks of the IDP and RP.<br clear="none"> Default 5 
seconds.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>tokenReplayCache</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Token Replay Cache</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The <a shape="rect" class="external-link" 
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/TokenReplayCache.java?view=markup";>TokenReplayCache</a>
 implementation to use to cache tokens. The default is an implementation based 
on EHCache.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>signingKey</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Key for Signature</p></td><td colspan="1" rowspan=
 "1" class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>If configured, the published (WS-Federation) <a 
shape="rect" href="fediz-metadata.html">Metadata document</a> is signed by this 
key. Otherwise, not signed.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>tokenDecryptionKey</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Decryption Key</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>A Keystore used to decrypt an encrypted 
token.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">tokenExpirationValidation</td><td colspan="1" rowspan="1" 
class="confluenceTd">Token Expiration Validation</td><td colspan="1" 
rowspan="1" class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Decision whether the token validation (e.g. lifetime) 
shall be performed on every request (true) or only once at i
 nitial authentication (false). The default is 
"false".</p></td></tr></tbody></table></div><h5 
id="FedizConfiguration-WS-Federationprotocolconfigurationreference">WS-Federation
 protocol configuration reference</h5><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>XML element</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Use</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Metadata</p></th><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>issuer</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Issuer URL</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Required</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>PassiveRequestorEndpoint</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>This URL defines the lo
 cation of the IDP to whom unauthenticated requests are 
redirected</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>realm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Realm</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>TargetScope</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Security realm of the Relying Party / Application. This 
value is part of the SignIn request as the <code>wtrealm</code> parameter.<br 
clear="none"> Default: URL including the Servlet Context</p></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><p>authenticationType</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Authentication Type</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Optional</p></td><td 
colspan="1" rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>The authentication type defines what k
 ind of authentication is required. This information is provided in the 
SignInRequest to the IDP (parameter <code>wauth</code>)<br clear="none"> The 
WS-Federation standard defines a list of predefined URIs for wauth <a 
shape="rect" class="external-link" 
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174997";
 rel="nofollow">here</a>.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleURI</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Role Claim URI</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Defines the attribute name of the SAML token which 
contains the roles.<br clear="none"> Required for Role Based Access 
Control.</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>roleDelimiter</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>
 Role Value Delimiter</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>There are different ways to encode multi value 
attributes in SAML.</p><ul><li>Single attribute with multiple 
values</li><li>Several attributes with the same name but only one 
value</li><li>Single attribute with single value. Roles are delimited by 
<code>roleDelimiter</code></li></ul></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>claimTypesRequested</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Requested claims</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>ClaimTypesRequested</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The claims required by the Relying Party are listed 
here. Claims can be optional. If a mandatory claim can't be provided by the 
 IDP the issuance of the token should fail</p></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><p>homeRealm</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Home Realm</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Optional</p></td><td colspan="1" 
rowspan="1" class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Indicates the Resource IDP the home realm of the 
requestor. This may be an URL or an identifier like urn: or uuid: and depends 
on the Resource IDP implementation. This value is part of the SignIn request as 
the <code>whr</code> parameter</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>freshness</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Freshness</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>The desired "freshness" of the tok
 en from the IdP. This information is provided in the SignInRequest to the IdP 
(parameter <code>wfresh</code>)</p></td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">request</td><td colspan="1" rowspan="1" 
class="confluenceTd">Request</td><td colspan="1" rowspan="1" 
class="confluenceTd">Optional</td><td colspan="1" rowspan="1" 
class="confluenceTd">NA</td><td colspan="1" rowspan="1" 
class="confluenceTd">This value is part of the SignIn request as the wreq 
parameter. It can be used to specify a desired TokenType from the 
IdP.</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p>tokenValidators</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>TokenValidators</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Optional</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>NA</p></td><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Custom Token validator classes can be configured here. 
The SAML Token validator is enabled by default.<br cl
 ear="none"> See example <a shape="rect" class="external-link" 
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/CustomValidator.java";>here</a></p></td></tr></tbody></table></div><h5
 id="FedizConfiguration-Attributesresolvedatruntime">Attributes resolved at 
runtime</h5><p>The following attributes can be either configured statically at 
deployment time or dynamically when the initial request is 
received:</p><ul><li>authenticationType</li><li>homeRealm</li><li>issuer</li><li>realm</li></ul><p>These
 configuration elements allows for configuring a CallbackHandler which gets a 
Callback object where the appropriate value must be set. The CallbackHandler 
implementation has access to the HttpServletRequest. The XML attribute 
<code>type</code> must be set to <code>Class</code>.</p><p>For more information 
see <a shape="rect" href="fediz-extensions.html">Fediz Extensions</a>.</p><h3 
id="FedizConfiguration-Advancedexample">Advanced example</h3
 ><p>The following example defines the required claims and configures a custom 
 >callback handler to define some configuration values at runtime.</p><div 
 >class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
 >panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;?xml version="1.0" encoding="UTF-8" 
standalone="yes"?&gt;
 &lt;FedizConfig&gt;
     &lt;contextConfig name="/fedizhelloworld"&gt;
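
Review bot: The new tokenExpirationValidation row gives a default of "false" without stating what that means for a running session. By its own description, token validation (e.g. lifetime) then happens only once at initial authentication, so a token that expires afterwards is not re-checked on later requests. The description should say this explicitly, list which checks besides lifetime the "e.g." covers, and state whether maximumClockSkew applies to the per-request check when the value is "true". The first three cells of the new row are bare text, while most neighbouring rows wrap cell content in <p>; make them consistent. Separately, and unchanged on both sides of this hunk, the introductory paragraph says the issuer is the URL to which "authenticated requests" are redirected, while the issuer row of the protocol table says "unauthenticated requests"; one of the two needs correcting.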

