THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Apache CXF Fediz: An Open-Source Web Security Framework
Overview
Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is WS-Federation 1.2 Passive Requestor Profile. Fediz supports Claims Based Access Control beyond Role Based Access Control (RBAC).
News
Features
The following features are supported by the Fediz plugin 1.0
- WS-Federation 1.1/1.2
- SAML 1.1/2.0 Tokens
- Custom token support
- Publish WS-Federation Metadata document
- Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens
- Claims information provided by FederationPrincipal interface
The following features are planned for the next release:
- Support for Jetty and JBoss
- CXF plugin
- Support for encrypted SAML tokens
- Support for Holder-Of-Key SubjectConfirmationMethod
- "Resource IDP" support for Fediz IDP
- support for other protocols like SAML-P, OAuth
You can get the current status of the issues here .
Getting started
The WS-Federation specification defines the following parties involved during a web login:
- Browser
- Identity Provider (IDP)
The IDP is a centralized, application independent runtime component which implements the protocol defined by WS-Federation. You can use any open source or commercial product that supports WS-Federation 1.1/1.2 as your IDP. It's recommended to use the Fediz IDP for testing as it allows for testing your web application in a sandbox without having all infrastructure components available. The Fediz IDP consists of two WAR components. The Security Token Service (STS) does most of the work including user authentication, claims/role data retrieval and creating the SAML token. The IDP WAR translates the response to an HTML response allowing a browser to process it. - Relying Party (RP)
The RP is a web application that needs to be protected. The RP must be able to implement the protocol as defined by WS-Federation. This component is called "Fediz Plugin" in this project which consists of container agnostic module/jar and a container specific jar. When an authenticated request is detected by the plugin it redirects to the IDP for authentication. The browser sends the response from the IDP to the RP after successful authentication. The RP validates the response and creates the container security context.
It's recommended to deploy the IDP and the web application (RP) into different container instances as in a production deployment. The container with the IDP can be used during development and testing for multiple web applications needing security.
Setting up the IDP
The installation and configuration of the IDP is documented here
Set up the Relying Party Container
The Fediz plugin needs to be deployed into the Relying Party (RP) container. The security mechanism is not specified by JEE. Even though it is very similar in each servlet container there are some differences which require a dedicated Fediz plugin for each servlet container implementation. Most of the configuration goes into a Servlet container independent configuration file which is described here
The following lists shows the supported containers and the location of the installation and configuration page.
Distribution
For the moment, you'll need to check out the Fediz source and build them following the instructions in "Building" below. Once built, the deployable WARs will be located in the fediz-idp and fediz-idp-sts "target" folders (fedizidp.war and fedizidpsts.war).
Samples
The examples directory contains two sample relying party applications. They are independent of each other, so it is not necessary to deploy both at once.
Each sample is described in the README.txt
Sample |
Description |
|---|---|
simpleWebapp |
a simple web application which is protected by the Fediz IDP. The FederationServlet illustrates how to get security information using the standard APIs. |
wsclientWebapp |
a protected web application that calls a web service that uses the Fediz STS to validate credentials. Here, the same STS is used for token issuance (indirectly, by the web application through use of the Fediz IDP) and validation. The FederationServlet illustrates how to securely call a web service. |
Building
Check out the code from here:
- svn
svn co http://svn.apache.org/repos/asf/cxf/fediz/trunk
- git
git clone -v git://git.apache.org/cxf-fediz.git
Building with Maven
To build and run the tests use the following command:
mvn clean install
Note: you need to use Maven 2.0.9 or newer and have the following environment variable set: MAVEN_OPTS=-Xmx512m
Setting up Eclipse:
See this page for information on using the Eclipse IDE with the Fediz source code. This page is created for CXF but the same commands are applicable for Fediz too.