Page History

...

Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is Apache CXF Fediz supports both WS-Federation Passive Requestor Profile and the SAML Web Browser SSO Profile. Fediz supports Claims Based Access Control beyond Role Based Access Control (RBAC).

News

May 16December 23, 2017 2022 - Two new security advisories for Apache CXF Fediz are released

Two new security advisories have been released for issues that are fixed in the latest releases (1.4.0, 1.3.2 and 1.2.4):

• CVE-2017-7661: The Apache CXF Fediz Jetty and Spring plugins are vulnerable to CSRF attacks.
• CVE-2017-7662: The Apache CXF Fediz OIDC Client Registration Service is vulnerable to CSRF attacks.

1.6.1 released

Apache CXF Fediz 1.6.1 is released. This is a bugfix release containing upgrades to CXF 3.5.5, amongst other dependency upgrades. See the download page for more information.

February 12, 2022 April 28, 2017 - Apache CXF Fediz 1.46.0 , 1.3.2 and 1.2.4 released

Apache CXF Fediz 1.46.0 , 1.3.2 and 1.2.4 have been released.

For more information and to download the new releases, please go here.

September 8, 2016 - A new security advisory for Apache CXF Fediz is released

A security issue was fixed in the latest Fediz releases (1.3.1 + 1.2.3):

• CVE-2016-4464: Apache CXF Fediz application plugins do not match the SAML AudienceRestriction values against the list of configured audience URIs

Please upgrade to the latest releases as soon as possible.

Features

The following features are supported by Fediz 1.2

• WS-Federation 1.0/1.1/1.2
• SAML 1.1/2.0 Tokens
• Support for encrypted SAML Tokens (Release 1.1)
• Support for Holder-Of-Key SubjectConfirmationMethod (1.1)
• Custom token Support
• Publish WS-Federation Metadata document
• Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens
• Claims information provided by FederationPrincipal Interface
• Support for Tomcat, Jetty, Websphere, Spring Security and CXF (1.1)
• Fediz IDP supports "Resource IDP" role as well (1.1)
• A new REST API for the IdP (1.2)
• Support for logout in both the RP and IdP (1.2)
• Support for logging on to the IdP via Kerberos and TLS client authentication (1.2)
• A new container-independent CXF plugin for WS-Federation (1.2)
• Support to use the IdP as an identity broker with a remote SAML SSO IdP (1.2)

The following features are planned for the next release:

• support for other protocols like OAuth

You can get the current status of the enhancements here .

Architecture

The Fediz architecture is described in more detail here.

Download

See here.

Getting started

The WS-Federation specification defines the following parties involved during a web login:

• Browser
• Identity Provider (IDP)
  The IDP is a centralized, application independent runtime component which implements the protocol defined by WS-Federation. You can use any open source or commercial product that supports WS-Federation 1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for testing as it allows for testing your web application in a sandbox without having all infrastructure components available. The Fediz IDP consists of two WAR components. The Security Token Service (STS) does most of the work including user authentication, claims/role data retrieval and creating the SAML token. The IDP WAR translates the response to an HTML response allowing a browser to process it.
• Relying Party (RP)
  The RP is a web application that needs to be protected. The RP must be able to implement the protocol as defined by WS-Federation. This component is called "Fediz Plugin" in this project which consists of container agnostic module/jar and a container specific jar. When an authenticated request is detected by the plugin it redirects to the IDP for authentication. The browser sends the response from the IDP to the RP after successful authentication. The RP validates the response and creates the container security context.

It's recommended to deploy the IDP and the web application (RP) into different container instances as in a production deployment. The container with the IDP can be used during development and testing for multiple web applications needing security.

Setting up the IDP

The installation and configuration of the IDP is documented here

Set up the Relying Party Container

The Fediz plugin needs to be deployed into the Relying Party (RP) container. The security mechanism is not specified by JEE. Even though it is very similar in each servlet container there are some differences which require a dedicated Fediz plugin for each servlet container implementation. Most of the configuration goes into a Servlet container independent configuration file which is described here

The following lists shows the supported containers and the location of the installation and configuration page.

• Tomcat 7
• Jetty 7/8 (1.1)
• Spring Security 3.1 (1.1)
• Websphere 7/8 (1.1)
• CXF (1.1)

Samples

The examples directory contains two sample relying party applications. They are independent of each other, so it is not necessary to deploy both at once.

Each sample is described in a README.txt file located in the base directory of each sample.

...

is released. This is a new major release containing upgrades to CXF 3.5.x and Spring 5, amongst others. See the download page for more information.

November 30, 2020 - Apache CXF Fediz 1.5.1 released

Apache CXF Fediz 1.5.1 is released. See the download page for more information.

June 23, 2020 - Apache CXF Fediz 1.5.0 released

Apache CXF Fediz 1.5.0 is released. This is a major new release with the following issues fixed: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12313420&version=12336848

The main changes are:

• The IdP is updated to use Spring Security 4.
• Support is added for Jetty 9.4 + Tomcat 9 plugins
• A fix for issues that prevented the Tomcat plugin working from versions 8.5.50 and 9.0.30
• The Tomcat 7, Jetty 8, Spring Security 2 + 3 plugins are removed.

See the download page for more information.

Download

See here.

Project Source

The Apache CXF Fediz sources are hosted at Apache gitbox. This includes a full two way sync with github. As github provides the nicer user interface we now recommend to directly work on the github cxf repo.

• Web Browsing: https://github.com/apache/cxf-fediz
• Checking out from GIT: git clone git@github.com:apache/cxf-fediz.git

CXF committers can directly commit to github after doing the Apache gitbox setup. Be aware that the sync might take half an hour before you are added to the CXF github group.

• Forking and Pull Requests: See Getting Involved
• Building the Source: Follow

...

Building

Check out the code from here:

• git clone -v https://git-wip-us.apache.org/repos/asf/cxf-fediz.git

...

• the BUILDING.txt file in the Fediz download for full build instructions.

...

• Eclipse:

...

• See this page for information on using the Eclipse IDE with the Fediz source code. This page is created for CXF but the same commands are applicable for Fediz too.

Apache CXF Fediz user guide

• Introduction
• Fediz Architecture
• Relying Party Containers
  
  • Fediz Configuration
  • Fediz Extensions
  • Apache Tomcat
  • Jetty
    
  • Spring Security
    
  • Websphere
    
  • Apache CXF
    
• Fediz IdP
• Fediz IdP 1.0 (deprecated)
• Fediz Metadata
• Fediz Samples
• Fediz Articles
• Fediz History