Author: buildbot
Date: Fri Aug 28 11:47:33 2015
New Revision: 963360
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/fediz.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/fediz.html
==============================================================================
--- websites/production/cxf/content/fediz.html (original)
+++ websites/production/cxf/content/fediz.html Fri Aug 28 11:47:33 2015
@@ -99,7 +99,7 @@ Apache CXF -- Fediz
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h1
id="Fediz-ApacheCXFFediz:AnOpen-SourceWebSecurityFramework">Apache CXF Fediz:
An Open-Source Web Security Framework</h1><h2
id="Fediz-Overview">Overview</h2><p>Apache CXF Fediz is a subproject of CXF.
Fediz helps you to secure your web applications and delegates security
enforcement to the underlying application server. With Fediz, authentication is
externalized from your web application to an identity provider installed as a
dedicated server component. The supported standard is <a shape="rect"
class="external-link"
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a
shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims
Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h2
id="Fediz-News">News</h2><p><strong>August 12, 2015 - Apache CXF Fediz 1.
2.1 and 1.1.3 released!</strong></p><p>Apache CXF Fediz 1.2.1 has been
released. It contains an update to use Apache CXF 3.0.6, an update to use 2048
bit certificates to fix some issues with running the examples, support for SAML
SSO Metadata in the IdP, as well as some other issues.</p><p>Apache CXF Fediz
1.1.3 has also been released. It contains an update to use Apache CXF 2.7.17, a
fix for a NPE when ChainTrust is configured + no Subject is provided, and a
dynamic STS realm parser.</p><p>For more information and to download the new
releases, please go <a shape="rect"
href="fediz-downloads.html">here</a>.</p><h2
id="Fediz-Features">Features</h2><p>The following features are supported by
Fediz 1.2</p><ul><li>WS-Federation 1.0/1.1/1.2</li><li>SAML 1.1/2.0
Tokens</li><li>Support for encrypted SAML Tokens (Release 1.1)</li><li>Support
for Holder-Of-Key SubjectConfirmationMethod (1.1)</li><li>Custom token
Support</li><li>Publish WS-Federation Metadata document</li><li>Role
information
encoded as AttributeStatement in SAML 1.1/2.0 tokens</li><li>Claims
information provided by FederationPrincipal Interface</li><li>Support for
Tomcat, Jetty, Websphere, Spring Security and CXF (1.1)</li><li>Fediz IDP
supports "Resource IDP" role as well (1.1)</li><li>A new REST API for the IdP
(1.2)</li><li>Support for logout in both the RP and IdP (1.2)</li><li>Support
for logging on to the IdP via Kerberos and TLS client authentication
(1.2)</li><li>A new container-independent CXF plugin for WS-Federation
(1.2)</li><li>Support to use the IdP as an identity broker with a remote SAML
SSO IdP (1.2)</li></ul><p>The following features are planned for the next
release:</p><ul><li>support for other protocols like OAuth</li></ul><p>You can
get the current status of the enhancements <a shape="rect"
class="external-link" href="https://issues.apache.org/jira/browse/FEDIZ";>here
</a>.</p><h2 id="Fediz-Architecture">Architecture</h2><p>The Fediz architecture
is described in more detail <a shape=
"rect" href="fediz-architecture.html">here</a>.</p><h2
id="Fediz-Download">Download</h2><p>See <a shape="rect"
href="fediz-downloads.html">here</a>.</p><h2 id="Fediz-Gettingstarted">Getting
started</h2><p>The WS-Federation specification defines the following parties
involved during a web login:</p><ul><li>Browser</li><li>Identity Provider
(IDP)<br clear="none"> The IDP is a centralized, application independent
runtime component which implements the protocol defined by WS-Federation. You
can use any open source or commercial product that supports WS-Federation
1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for testing as it
allows for testing your web application in a sandbox without having all
infrastructure components available. The Fediz IDP consists of two WAR
components. The Security Token Service (STS) does most of the work including
user authentication, claims/role data retrieval and creating the SAML token.
The IDP WAR translates the response to an HTML response a
llowing a browser to process it.</li><li>Relying Party (RP)<br clear="none">
The RP is a web application that needs to be protected. The RP must be able to
implement the protocol as defined by WS-Federation. This component is called
"Fediz Plugin" in this project which consists of container agnostic module/jar
and a container specific jar. When an authenticated request is detected by the
plugin it redirects to the IDP for authentication. The browser sends the
response from the IDP to the RP after successful authentication. The RP
validates the response and creates the container security
context.</li></ul><p>It's recommended to deploy the IDP and the web application
(RP) into different container instances as in a production deployment. The
container with the IDP can be used during development and testing for multiple
web applications needing security.</p><h3 id="Fediz-SettinguptheIDP">Setting up
the IDP</h3><p>The installation and configuration of the IDP is documented <a
shape="rect
" href="fediz-idp-11.html">here</a></p><h3
id="Fediz-SetuptheRelyingPartyContainer">Set up the Relying Party
Container</h3><p>The Fediz plugin needs to be deployed into the Relying Party
(RP) container. The security mechanism is not specified by JEE. Even though it
is very similar in each servlet container there are some differences which
require a dedicated Fediz plugin for each servlet container implementation.
Most of the configuration goes into a Servlet container independent
configuration file which is described <a shape="rect"
href="fediz-configuration.html">here</a></p><p>The following lists shows the
supported containers and the location of the installation and configuration
page.</p><ul><li><a shape="rect" href="fediz-tomcat.html">Tomcat 7
</a></li><li><a shape="rect" href="fediz-jetty.html">Jetty 7/8
(1.1)</a></li><li><a shape="rect" href="fediz-spring.html">Spring Security 3.1
(1.1)</a></li><li><a shape="rect" href="fediz-websphere.html">Websphere 7/8
(1.1)</a></li><li><a
shape="rect" href="fediz-cxf.html">CXF (1.1) </a></li></ul><h2
id="Fediz-Samples">Samples</h2><p>The examples directory contains two sample
relying party applications. They are independent of each other, so it is not
necessary to deploy both at once.</p><p>Each sample is described in a
<code>README.txt</code> file located in the base directory of each
sample.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Sample</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>simpleWebapp</strong></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>a simple web application which
is protected by the Fediz IDP. The FederationServlet illustrates how to get
security information using the standard APIs.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>wsclientWebapp</strong></p></td><td
colspan="
1" rowspan="1" class="confluenceTd"><p>a protected web application that calls
a web service that uses the Fediz STS to validate credentials. Here, the same
STS is used for token issuance (indirectly, by the web application through use
of the Fediz IDP) and validation. The FederationServlet illustrates how to
securely call a web service.</p></td></tr></tbody></table></div><p><span
class="confluence-anchor-link" id="Fediz-building"></span></p><h2
id="Fediz-Building">Building</h2><p>Check out the code from
here:</p><ul><li>git clone -v <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf/cxf-fediz.git";>https://git-wip-us.apache.org/repos/asf/cxf-fediz.git</a></li></ul><p>Then
follow the <a shape="rect" class="external-link"
href="http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup";>BUILDING.txt</a>
file in the Fediz download for full build instructions.</p><h5
id="Fediz-SettingupEclipse:">Setting up Eclipse:</h5><p>See <a shape="rect" hr
ef="http://cxf.apache.org/setting-up-eclipse.html";>this page</a> for
information on using the Eclipse IDE with the Fediz source code. This page is
created for CXF but the same commands are applicable for Fediz too.</p></div>
+<div id="ConfluenceContent"><h1
id="Fediz-ApacheCXFFediz:AnOpen-SourceWebSecurityFramework">Apache CXF Fediz:
An Open-Source Web Security Framework</h1><h2
id="Fediz-Overview">Overview</h2><p>Apache CXF Fediz is a subproject of CXF.
Fediz helps you to secure your web applications and delegates security
enforcement to the underlying application server. With Fediz, authentication is
externalized from your web application to an identity provider installed as a
dedicated server component. The supported standard is <a shape="rect"
class="external-link"
href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002";
rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a
shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Claims-based_identity"; rel="nofollow">Claims
Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h2
id="Fediz-News">News</h2><p><strong>August 28, 2015 - A new security advi
sory for Apache CXF Fediz is released</strong></p><p>A security issue was
fixed in the latest Fediz releases (1.2.1 + 1.1.3):</p><ul><li><a shape="rect"
href="http://cxf.apache.org/security-advisories.data/CVE-2015-5175.txt.asc?version=1&modificationDate=1440598018000&api=v2";>CVE-2015-5175</a>:
Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS)
attacks</li></ul><p>Please upgrade to the latest releases as soon as
possible.</p><p><strong>August 12, 2015 - Apache CXF Fediz 1.2.1 and 1.1.3
released!</strong></p><p>Apache CXF Fediz 1.2.1 has been released. It contains
an update to use Apache CXF 3.0.6, an update to use 2048 bit certificates to
fix some issues with running the examples, support for SAML SSO Metadata in the
IdP, as well as some other issues.</p><p>Apache CXF Fediz 1.1.3 has also been
released. It contains an update to use Apache CXF 2.7.17, a fix for a NPE when
ChainTrust is configured + no Subject is provided, and a dynamic STS realm pa
rser.</p><p>For more information and to download the new releases, please go
<a shape="rect" href="fediz-downloads.html">here</a>.</p><h2
id="Fediz-Features">Features</h2><p>The following features are supported by
Fediz 1.2</p><ul><li>WS-Federation 1.0/1.1/1.2</li><li>SAML 1.1/2.0
Tokens</li><li>Support for encrypted SAML Tokens (Release 1.1)</li><li>Support
for Holder-Of-Key SubjectConfirmationMethod (1.1)</li><li>Custom token
Support</li><li>Publish WS-Federation Metadata document</li><li>Role
information encoded as AttributeStatement in SAML 1.1/2.0 tokens</li><li>Claims
information provided by FederationPrincipal Interface</li><li>Support for
Tomcat, Jetty, Websphere, Spring Security and CXF (1.1)</li><li>Fediz IDP
supports "Resource IDP" role as well (1.1)</li><li>A new REST API for the IdP
(1.2)</li><li>Support for logout in both the RP and IdP (1.2)</li><li>Support
for logging on to the IdP via Kerberos and TLS client authentication
(1.2)</li><li>A new container-independent C
XF plugin for WS-Federation (1.2)</li><li>Support to use the IdP as an
identity broker with a remote SAML SSO IdP (1.2)</li></ul><p>The following
features are planned for the next release:</p><ul><li>support for other
protocols like OAuth</li></ul><p>You can get the current status of the
enhancements <a shape="rect" class="external-link"
href="https://issues.apache.org/jira/browse/FEDIZ";>here </a>.</p><h2
id="Fediz-Architecture">Architecture</h2><p>The Fediz architecture is described
in more detail <a shape="rect" href="fediz-architecture.html">here</a>.</p><h2
id="Fediz-Download">Download</h2><p>See <a shape="rect"
href="fediz-downloads.html">here</a>.</p><h2 id="Fediz-Gettingstarted">Getting
started</h2><p>The WS-Federation specification defines the following parties
involved during a web login:</p><ul><li>Browser</li><li>Identity Provider
(IDP)<br clear="none"> The IDP is a centralized, application independent
runtime component which implements the protocol defined by WS-Federati
on. You can use any open source or commercial product that supports
WS-Federation 1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for
testing as it allows for testing your web application in a sandbox without
having all infrastructure components available. The Fediz IDP consists of two
WAR components. The Security Token Service (STS) does most of the work
including user authentication, claims/role data retrieval and creating the SAML
token. The IDP WAR translates the response to an HTML response allowing a
browser to process it.</li><li>Relying Party (RP)<br clear="none"> The RP is a
web application that needs to be protected. The RP must be able to implement
the protocol as defined by WS-Federation. This component is called "Fediz
Plugin" in this project which consists of container agnostic module/jar and a
container specific jar. When an authenticated request is detected by the plugin
it redirects to the IDP for authentication. The browser sends the response from
the ID
P to the RP after successful authentication. The RP validates the response and
creates the container security context.</li></ul><p>It's recommended to deploy
the IDP and the web application (RP) into different container instances as in a
production deployment. The container with the IDP can be used during
development and testing for multiple web applications needing security.</p><h3
id="Fediz-SettinguptheIDP">Setting up the IDP</h3><p>The installation and
configuration of the IDP is documented <a shape="rect"
href="fediz-idp-11.html">here</a></p><h3
id="Fediz-SetuptheRelyingPartyContainer">Set up the Relying Party
Container</h3><p>The Fediz plugin needs to be deployed into the Relying Party
(RP) container. The security mechanism is not specified by JEE. Even though it
is very similar in each servlet container there are some differences which
require a dedicated Fediz plugin for each servlet container implementation.
Most of the configuration goes into a Servlet container independent
configuration file which is described <a shape="rect"
href="fediz-configuration.html">here</a></p><p>The following lists shows the
supported containers and the location of the installation and configuration
page.</p><ul><li><a shape="rect" href="fediz-tomcat.html">Tomcat 7
</a></li><li><a shape="rect" href="fediz-jetty.html">Jetty 7/8
(1.1)</a></li><li><a shape="rect" href="fediz-spring.html">Spring Security 3.1
(1.1)</a></li><li><a shape="rect" href="fediz-websphere.html">Websphere 7/8
(1.1)</a></li><li><a shape="rect" href="fediz-cxf.html">CXF (1.1)
</a></li></ul><h2 id="Fediz-Samples">Samples</h2><p>The examples directory
contains two sample relying party applications. They are independent of each
other, so it is not necessary to deploy both at once.</p><p>Each sample is
described in a <code>README.txt</code> file located in the base directory of
each sample.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>
Sample</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>simpleWebapp</strong></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>a simple web application which
is protected by the Fediz IDP. The FederationServlet illustrates how to get
security information using the standard APIs.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>wsclientWebapp</strong></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>a protected web application
that calls a web service that uses the Fediz STS to validate credentials. Here,
the same STS is used for token issuance (indirectly, by the web application
through use of the Fediz IDP) and validation. The FederationServlet illustrates
how to securely call a web service.</p></td></tr></tbody></table></div><p><span
class="confluence-anchor-link" id="Fediz-building"></span></p><h2
id="Fediz-Building">Building</h2><p
>Check out the code from here:</p><ul><li>git clone -v <a shape="rect"
>class="external-link"
>href="https://git-wip-us.apache.org/repos/asf/cxf-fediz.git";>https://git-wip-us.apache.org/repos/asf/cxf-fediz.git</a></li></ul><p>Then
> follow the <a shape="rect" class="external-link"
>href="http://svn.apache.org/viewvc/cxf/fediz/trunk/BUILDING.txt?view=markup";>BUILDING.txt</a>
> file in the Fediz download for full build instructions.</p><h5
>id="Fediz-SettingupEclipse:">Setting up Eclipse:</h5><p>See <a shape="rect"
>href="http://cxf.apache.org/setting-up-eclipse.html";>this page</a> for
>information on using the Eclipse IDE with the Fediz source code. This page is
>created for CXF but the same commands are applicable for Fediz too.</p></div>
</div>
<!-- Content -->
</td>
