Versions Compared

Old Version 2

changes.mady.by.user Oliver Wulff

Saved on

compared with

New Version Current

changes.mady.by.user Colm O hEigeartaigh

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

CXF Plugin

The Apache CXF Fediz plugin for an Apache CXF web service contains two separate pieces of functionality. The first is a CallbackHandler that allows the SAML Token of the Web SSO session to be used by the CXF Web Services Stack, i.e. for delegation (available since 1.1). The second is a full WS-Federation/SAML SSO RP plugin based solely on Apache CXF JAX-RS, which is container independent (available since 1.2.0).

CXF Plugin support for WS-Federation

The new CXF plugin for WS-Federation available from Fediz 1.2.0 means that it is now possible to add support for WS-Federation to your JAX-RS CXF service without having to specify a container-specific plugin. Also note that from the 1.4.5 release, the Apache CXF Fediz plugin also supports SAML SSO. Here is an example Spring based configuration:

Code Block
titleCXF spring configuration
<bean id="serviceBean" class="org.apache.cxf.fediz.example.Service">
</bean>
   
<bean id="fedizFilter" class="org.apache.cxf.fediz.cxf.plugin.FedizRedirectBindingFilter">
    <property name="configFile" value="fediz_config.xml"/>
</bean>
   
<bean id="authorizationInterceptor"
      class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
   <property name="securedObject" ref="serviceBean" />
</bean>

<jaxrs:server address="/">
    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref bean="fedizFilter"/>
        <ref bean="exceptionMapper"/>
    </jaxrs:providers>
    <jaxrs:inInterceptors>
        <ref bean="authorizationInterceptor"/>
    </jaxrs:inInterceptors>
</jaxrs:server>

Here we have a JAX-RS service which is secured via the SecureAnnotationsInterceptor. For example:

Code Block
titleCXF Service Bean
@Path("/secure/")
@Produces("text/html")
public class Service {
    @Context
    private MessageContext messageContext;
    @Path("/admin/fedservlet")
    @RolesAllowed("Admin")
    @GET
    public String doGetAdmin(@Context UriInfo uriInfo) throws Exception {
        return doGet(uriInfo);
    }
    
    ...
}

The FedizRedirectBindingFilter is instantiated with a link to the Fediz plugin configuration and is added as a JAX-RS provider.

Delegation Scenario

The subproject Fediz purpose is to provide Single Sign On for Web Applications which is independent of an underlying Web Services framework like Apache CXF. The Fediz plugins for Tomcat, Jetty, etc. are independent of Apache CXF, whereas the Fediz IDP leverages the capabilities of the CXF STS to issue SAML tokens with Claims information to build applications which use Claims Based Authorization with all the benefits.

...

In release 1.1, the Fediz CXF plugin supports delegating the application server security context (SAML token) to the STS client of CXF. CXF is now then able to request a security token for the target Web Service from the STS on behalf of the browser user. Prior to release 1.1, this Java code had to be developed by the application developer.

It is required that one of the other Fediz plugins are deployed to WS-Federation enable the application. After this step, the Fediz CXF plugin can be installed to integrate the Web SSO layer with the Web Services stack of Apache CXF.

...

It's recommended to use Maven to resolve the dependencies as illustrated in the the example wsclientWebapp.

Code Block
xml
xml
borderStylesolid
titlepom.xml

    <dependency>
        <groupId>org.apache.cxf.fediz</groupId>
        <artifactId>fediz-cxf</artifactId>
        <version>1.14.0<5</version>
    </dependency>

The example contains a README with instructions for building and deployment.

...

Two configurations are required in web.xml to enable the FederationFilter to cache the security context in the thread local storage and in the spring configuration file applicationContext.xml to configure a callback handler to provide the STS client the security context stored in the thread local storage.

Code Block
xml

...

code
xml
borderStyle
solidxml
titleweb.xml

    <filter>
        <filter-name>FederationFilter</filter-name>
        <filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>FederationFilter</filter-name>
        <url-pattern>/secure/*</url-pattern>
    </filter-mapping>

The FederationFilter is part of the library fediz-core.

applicationContext.xml

Code Block
xml
xml
borderStylesolid
titleapplicationContext.xml
Code Block
xmlxml


    <bean id="delegationCallbackHandler"
        class="org.apache.cxf.fediz.cxf.web.ThreadLocalCallbackHandler" />

    <jaxws:client id="HelloServiceClient" serviceName="svc:GreeterService"
        ...
        wsdlLocation="WEB-INF/wsdl/hello_world.wsdl">
        <jaxws:properties>
            <entry key="ws-security.sts.client">
                <bean class="org.apache.cxf.ws.security.trust.STSClient">
                    ...
                    <property name="onBehalfOf" ref="delegationCallbackHandler" />
                    ...
                 </bean>
            </entry>
            <entry key="ws-security.cache.issued.token.in.endpoint" value="false" />
        </jaxws:properties>
    </jaxws:client>

...

If you have set the property ws-security.cache.issued.token.in.endpoint to false, CXF will cache the issued token per security context dependent on the returned lifetime element of the STS. When the cached token for the target web services is expired, CXF will request a new token from the STS on-behalf-of the cached Fediz security context.

There is no special Java code required to get this functionality as illustrated in the following code snippet:

Code Block
borderStylesolid
titleFederationServlet.java

    Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
    String reply = service.greetMe();

...