Re: Fediz Tomcat plug-in and Shibboleth IdP

[Colm O hEigeartaigh]

I am trying to map the different values required by fediz plugin to talk to
 our Shibboleth IdP. Any help is much appreciated.


What kind of help are you looking for? Is the Fediz plugin making an
invocation on the Shibboleth IdP that is rejected? If so please post the
exception and we might be able to help.

Colm.

On Tue, Mar 19, 2013 at 2:16 PM, Abba Yadav a...@usp.org wrote:



 I am trying to integrate Fediz Tomcat plug-in to talk to our Shibboleth
 IdP. The Fediz tomcat plug-in on the Service Provider talks SAML 1.0.



 Sample Fediz configuration file looks like this:



 ?xml version=1.0 encoding=UTF-8 standalone=yes?

 !-- Place in Tomcat conf folder or other location as designated in this
 sample's webapp/META-INF/context.xml file.

  Keystore referenced below must have IDP STS' public cert included in
 it.  This example re-uses the Tomcat SSL

  keystore (tomcat-rp.jks) for this task; alternatively you may wish to
 use a Fediz-specific keystore instead.

 --

 FedizConfig

 contextConfig name=/fedizhelloworld

 audienceUris

 audienceItem
 https://localhost:8443/fedizhelloworld//audienceItem
 https://localhost:8443/fedizhelloworld/%3C/audienceItem

 /audienceUris

 certificateStores

 trustManager

 keyStore
 file=tomcat-rp.jks password=tompass type=JKS /

 /trustManager

 /certificateStores

 trustedIssuers

 issuer
 subject=.*CN=www.sts.com.* certificateValidation=ChainTrust


 name=DoubleItSTSIssuer /

 /trustedIssuers

 maximumClockSkew1000/maximumClockSkew

 protocol xmlns:xsi=
 http://www.w3.org/2001/XMLSchema-instance;
 http://www.w3.org/2001/XMLSchema-instance%22


 xsi:type=federationProtocolType version=1.0.0

 !--realmtarget
 realm/realm--

 issuer
 https://localhost:9443/fedizidp//issuer
 https://localhost:9443/fedizidp/%3C/issuer


 roleDelimiter,/roleDelimiter

 roleURI
 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role/roleURI
 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role%3C/roleURI

 !--authenticationType
 type=Stringsome auth type/authenticationType--

 !--homeRealm
 type=Classorg.apache.fediz.realm.MyHomeRealm/homeRealm--


 !--freshness0/freshness--

 !--replyreply
 value/reply--


 !--requestREQUEST/request--

 claimTypesRequested

 claimType
 type=a particular claim type optional=true /

 /claimTypesRequested

 /protocol

 /contextConfig

 /FedizConfig





 I am trying to map the different values required by fediz plugin to talk
 to our Shibboleth IdP. Any help is much appreciated.



 Thanks,

 Abba




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Thoughts about a 2.8 release (or not)…

[Andrei Shakirin]

+1 for skipping 2.8 and releasing 3.0 end of this year.

@Sergei: let us to discuss how I could help with 2.0 TCK.

Regards,
Andrei.

 -Original Message-
 From: Daniel Kulp [mailto:dk...@apache.org]
 Sent: Montag, 25. März 2013 19:19
 To: dev@cxf.apache.org
 Subject: Thoughts about a 2.8 release (or not)…
 
 
 We're getting close to April which normally would be the next release (2.8).
 However, looking things over, I'm not sure it makes sense at this time.
 Looking at trunk, the only major change (which is admittedly a big one), is
 updating the JAX-RS 2.0 stuff from m10  to the RC level.   However, it's not
 complete yet.   Almost everything else has been back ported to 2.7.x.   The
 other major chunk of work that is happening is on the wss4j2 branch, but
 that isn't ready for for release yet either.   (and has some backwards compat
 issues to resolve if it would go on a 2.x line)
 
 According to the agreements Apache has with Oracle, we really cannot
 release code that doesn't pass the TCK (which the 2.0 works would not).
 Technically, we should not have released 2.7.0 as a release.  We can release
 things like tech previews or beta or similar, but not a full release.   
 Since
 we are working on trying to renew the agreements, Oracle is paying
 attention to us pretty closely right now.
 
 So, what am I getting at?   In order to release 2.8 in a few weeks, we'd 
 either
 need to back out all the JAX-RS 2.0 stuff to 1.1 level OR everyone jump in 
 full
 force and get it to pass the TCK.   I really don't see either happening.   
 Backing
 out to 1.1 would be silly and the 2.0 TCK stuff is a ton of work.   Thus, my
 suggestion would be to skip a big release this April and concentrate on bigger
 things for our Oct/Nov release.  Possibly make that a CXF 3.0 release instead
 of 2.8 where we can clean up some stuff, break a few things (like change the
 couple API's that currently force WSDL4J on JAX-RS users), etc…We can
 incorporate the WSS4J2 changes as part of this as well.If we go this 
 route,
 we could likely start a series of beta releases or similar in June or so to 
 get
 people looking at it and testing with it.
 
 Any thoughts?
 
 --
 Daniel Kulp
 dk...@apache.org - http://dankulp.com/blog Talend Community Coder -
 http://coders.talend.com

Re: Thoughts about a 2.8 release (or not)…

[Glen Mazza]

Dan's quote: According to the agreements Apache has with Oracle, we really
cannot release code that doesn't pass the TCK (which the 2.0 works would
not).

I'm confused -- Apache FOP, Maven and Tomcat can release whenever they want,
even though none of them even remotely pass the JAX-RS TCK either.  Can you
spell out precisely why CXF has that restriction?   Apache makes maybe 100
software products, which of them are allowed to be released even though they
horribly fail the JAX-RS TCK and which ones aren't?

Oracle is a competitor, it would be strange for us to sign up for something
that limits our ability to make releases (which is what a competitor would
want).  Further, there is so much more to CXF than just adherence to any one
particular TCK, it would seem to our heavy detriment if we could no longer
make releases to make that additional functionality available to the
community (allowing them to work on it, adopt it, and report bugs to us)
just because of incomplete TCK compliance in one specification or the other.

This also seems to give Oracle an advantage of sorts--Oracle splits its
services offerings into Metro and Jersey, so a failure in one would mean the
other still can get released.  With CXF, which supports 2 TCK's, if either
fail then the entire product line can't be released.

Always smelling a rat,
Glen




--
View this message in context: 
http://cxf.547215.n5.nabble.com/Thoughts-about-a-2-8-release-or-not-tp5725179p5725412.html
Sent from the cxf-dev mailing list archive at Nabble.com.

Re: svn commit: r1461738 - /cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java

[Sergey Beryozkin]

Dan, thanks for the fix, I actually did not include the local CORS 
update, sorry

Sergey

On 27/03/13 20:47, dk...@apache.org wrote:

Author: dkulp
Date: Wed Mar 27 17:47:25 2013
New Revision: 1461738

URL: http://svn.apache.org/r1461738
Log:
Fix tests by allowing for the null return.

Modified:
 
cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java

Modified: 
cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java?rev=1461738r1=1461737r2=1461738view=diff
==
--- 
cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
 (original)
+++ 
cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
 Wed Mar 27 17:47:25 2013
@@ -491,10 +491,12 @@ public class CrossOriginResourceSharingF
  splitPattern = FIELD_COMMA_PATTERN;
  }
  ListString  results = new ArrayListString();
-for (String value : values) {
-String[] items = splitPattern.split(value);
-for (String item : items) {
-results.add(item.trim());
+if (values != null) {
+for (String value : values) {
+String[] items = splitPattern.split(value);
+for (String item : items) {
+results.add(item.trim());
+}
  }
  }
  return results;





--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: Thoughts about a 2.8 release (or not)…

[Sergey Beryozkin]

Hi Andrei
On 27/03/13 18:24, Andrei Shakirin wrote:

+1 for skipping 2.8 and releasing 3.0 end of this year.

@Sergei: let us to discuss how I could help with 2.0 TCK.

I'm trying to get the server part close enough to be tested against TCK. 
There are 3 issues which I'm aware at the moment that need to be completed:


1. support for server-side media type quality parameters (;qs), this is 
needed
2. support fro injection of Configuration context - should be 
straightforward enough
3. bean validation support - the latter is important but has just been 
confirmed to be an optional feature - that said I think we can probably 
get it done for RS but also for WS


I think only 1 is required at this stage to start working with TCK, plus 
minor bits and pieces to be fixed to get (server-part) TCK passed :-). 
The TCK we have is not final but should be close enough to the final 
one. The client implementations tests will be done later in the year


I'll get back to you once I do an initial run later on

Thanks Sergey

Regards,
Andrei.


-Original Message-
From: Daniel Kulp [mailto:dk...@apache.org]
Sent: Montag, 25. März 2013 19:19
To: dev@cxf.apache.org
Subject: Thoughts about a 2.8 release (or not)…


We're getting close to April which normally would be the next release (2.8).
However, looking things over, I'm not sure it makes sense at this time.
Looking at trunk, the only major change (which is admittedly a big one), is
updating the JAX-RS 2.0 stuff from m10  to the RC level.   However, it's not
complete yet.   Almost everything else has been back ported to 2.7.x.   The
other major chunk of work that is happening is on the wss4j2 branch, but
that isn't ready for for release yet either.   (and has some backwards compat
issues to resolve if it would go on a 2.x line)

According to the agreements Apache has with Oracle, we really cannot
release code that doesn't pass the TCK (which the 2.0 works would not).
Technically, we should not have released 2.7.0 as a release.  We can release
things like tech previews or beta or similar, but not a full release.   
Since
we are working on trying to renew the agreements, Oracle is paying
attention to us pretty closely right now.

So, what am I getting at?   In order to release 2.8 in a few weeks, we'd either
need to back out all the JAX-RS 2.0 stuff to 1.1 level OR everyone jump in full
force and get it to pass the TCK.   I really don't see either happening.   
Backing
out to 1.1 would be silly and the 2.0 TCK stuff is a ton of work.   Thus, my
suggestion would be to skip a big release this April and concentrate on bigger
things for our Oct/Nov release.  Possibly make that a CXF 3.0 release instead
of 2.8 where we can clean up some stuff, break a few things (like change the
couple API's that currently force WSDL4J on JAX-RS users), etc…We can
incorporate the WSS4J2 changes as part of this as well.If we go this route,
we could likely start a series of beta releases or similar in June or so to 
get
people looking at it and testing with it.

Any thoughts?

--
Daniel Kulp
dk...@apache.org - http://dankulp.com/blog Talend Community Coder -
http://coders.talend.com