content/fediz-spring-2.html - cxf-site - Git at Google


 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--

     Licensed to the Apache Software Foundation (ASF) under one or more
     contributor license agreements.  See the NOTICE file distributed with
     this work for additional information regarding copyright ownership.
     The ASF licenses this file to You under the Apache License, Version 2.0
     (the "License"); you may not use this file except in compliance with
     the License.  You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
 -->
 <html>
   <head>

 <link type="text/css" rel="stylesheet" href="/resources/site.css">
 <script src='/resources/space.js'></script>

 <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
 <meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
 <meta name="description" content="Apache CXF, Services Framework - Fediz Spring 2">


 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
 <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">

 <script src='/resources/highlighter/scripts/shCore.js'></script>
 <script src='/resources/highlighter/scripts/shBrushBash.js'></script>
 <script src='/resources/highlighter/scripts/shBrushXml.js'></script>
 <script src='/resources/highlighter/scripts/shBrushJava.js'></script>
 <script>
   SyntaxHighlighter.defaults['toolbar'] = false;
   SyntaxHighlighter.all();
 </script>


     <title>
 Apache CXF -- Fediz Spring 2
     </title>
   </head>
 <body onload="init()">


 <table width="100%" cellpadding="0" cellspacing="0">
   <tr>
     <td id="cell-0-0" colspan="2">&nbsp;</td>
     <td id="cell-0-1">&nbsp;</td>
     <td id="cell-0-2" colspan="2">&nbsp;</td>
   </tr>
   <tr>
     <td id="cell-1-0">&nbsp;</td>
     <td id="cell-1-1">&nbsp;</td>
     <td id="cell-1-2">
       <!-- Banner -->
 <div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
 <a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
 </td><td align="right" colspan="1" nowrap>
 <a shape="rect" href="http://www.apache.org/" title="The Apache Software Foundation"><img width="214px" height="88" border="0" alt="ASF Logo" src="https://apache.org/img/asf_logo.png"></a>
 </td></tr></table></div></div>
       <!-- Banner -->
       <div id="top-menu">
         <table border="0" cellpadding="1" cellspacing="0" width="100%">
           <tr>
             <td>
               <div align="left">
                 <!-- Breadcrumbs -->
 <a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a href="fediz.html">Fediz</a>&nbsp;&gt;&nbsp;<a href="fediz-spring-2.html">Fediz Spring 2</a>
                 <!-- Breadcrumbs -->
               </div>
             </td>
             <td>
               <div align="right">
                 <!-- Quicklinks -->
 <div id="quicklinks"><p><a shape="rect" href="download.html">Download</a> | <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
                 <!-- Quicklinks -->
               </div>
             </td>
           </tr>
         </table>
       </div>
     </td>
     <td id="cell-1-3">&nbsp;</td>
     <td id="cell-1-4">&nbsp;</td>
   </tr>
   <tr>
     <td id="cell-2-0" colspan="2">&nbsp;</td>
     <td id="cell-2-1">
       <table>
         <tr valign="top">
           <td height="100%">
             <div id="wrapper-menu-page-right">
               <div id="wrapper-menu-page-top">
                 <div id="wrapper-menu-page-bottom">
                   <div id="menu-page">
                     <!-- NavigationBar -->
 <div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect" href="index.html">Apache CXF</a></h3><ul class="alternate"><li><a shape="rect" href="index.html">Home</a></li><li><a shape="rect" href="download.html">Download</a></li><li><a shape="rect" href="people.html">People</a></li><li><a shape="rect" href="project-status.html">Project Status</a></li><li><a shape="rect" href="roadmap.html">Roadmap</a></li><li><a shape="rect" href="mailing-lists.html">Mailing Lists</a></li><li><a shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect" href="security-advisories.html">Security Advisories</a></li></ul><h3 id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's Guide</a></li><li><a shape="rect" href="support.html">Support</a></li><li><a shape="rect" href="faq.html">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html">Resources and Articles</a></li></ul><h3 id="Navigation-Search">Search</h3><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse"><div> <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4"> <input type="hidden" name="ie" value="UTF-8"> <input type="text" name="q" size="21"> <input type="submit" name="sa" value="Search"> </div> </form> <script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script> <h3 id="Navigation-Developers">Developers</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture Guide</a></li><li><a shape="rect" href="source-repository.html">Source Repository</a></li><li><a shape="rect" href="building.html">Building</a></li><li><a shape="rect" href="automated-builds.html">Automated Builds</a></li><li><a shape="rect" href="testing-debugging.html">Testing-Debugging</a></li><li><a shape="rect" href="coding-guidelines.html">Coding Guidelines</a></li><li><a shape="rect" href="getting-involved.html">Getting Involved</a></li><li><a shape="rect" href="release-management.html">Release Management</a></li></ul><h3 id="Navigation-Subprojects">Subprojects</h3><ul class="alternate"><li><a shape="rect" href="distributed-osgi.html">Distributed OSGi</a></li><li><a shape="rect" href="xjc-utils.html">XJC Utils</a></li><li><a shape="rect" href="build-utils.html">Build Utils</a></li><li><a shape="rect" href="fediz.html">Fediz</a></li></ul><h3 id="Navigation-ASF"><a shape="rect" class="external-link" href="http://www.apache.org">ASF</a></h3><ul class="alternate"><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/">Foundation</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/sponsorship.html">Sponsor Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul><p>&#160;</p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div>
                     <!-- NavigationBar -->
                   </div>
               </div>
             </div>
           </div>
          </td>
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="FedizSpring2-SpringSecurity2.0Plugin(1.1)">Spring Security 2.0 Plugin (1.1)</h1>

 <p>This page describes how to enable Federation for a <a shape="rect" class="external-link" href="http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/springsecurity.html" rel="nofollow">Spring Security</a> based Web Application. Spring Security provides more authorization capabilities than defined in the Java Servlet specification. Beyond authorizing web requests Spring Security supports authorizing whether methods can be invoked and authorizing access to individual domain object instances.</p>

 <p>Spring Security supports two deployment options. On the one hand, authentication and authorization is enforced by the underlying Servlet Container or on the other hand by Spring Security embedded with the application. The former ensures that the application is only called if authentication is successful. This can be controlled by an administrator/operator. This option is called <a shape="rect" class="external-link" href="http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/preauth.html" rel="nofollow">Pre-Authentication</a>. The latter gives all the control to the application developer and removes the dependency to security configuration in the Servlet Container. This simplifies deploying an application into different Serlvet Container environments.</p>

 <p>Both options are valid and it mainly depends on the policies/requirements within a company which is a better fit. Questions to be answered are: Who should manage the security enforcement (Application developer, Administrator)? Do you have to deploy the application into different Servlet Container environments?</p>

 <p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the Tomcat IDP instance as discussed <a shape="rect" href="fediz-idp-10.html">here</a>, and can view the STS WSDL at the URL given on that page.</p>

 <h3 id="FedizSpring2-Installation">Installation</h3>

 <p>You can either build the Fediz plugin on your own, download the package <a shape="rect" href="fediz-downloads.html">here</a> or add the dependency to your Maven project. If you have built the plugin on your own you'll find the required libraries in <code>plugins/spring2/target/...zip-with-dependencies.zip</code></p>

 <p>It's recommended to use Maven to resolve all the dependencies as illustrated in the example <em>spring2Webapp</em>. The README provides instructions for building and deployment.</p>

 <h3 id="FedizSpring2-WebApplicationwith&quot;native&quot;SpringSecurity">Web Application with "native" Spring Security</h3>

 <p>Authentication and authorization are managed by Spring Security only. The Fediz Spring Plugin provides the implementation of WS-Federation by implementing certain Spring Security interfaces. Finally, this results into the creation of the Spring Security Context. You can use Spring's authorization capabilities for web requests and method calls. The example <em>spring2Webapp</em> only illustrates authorizing web requests. Method based authorization is described <a shape="rect" class="external-link" href="http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/ns-config.html#ns-method-security" rel="nofollow">here</a>.</p>

 <h5 id="FedizSpring2-FedizPluginconfigurationforYourWebApplication">Fediz Plugin configuration for Your Web Application</h5>

 <p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html">here</a>.</p>

 <h5 id="FedizSpring2-SpringSecurityConfiguration">Spring Security Configuration</h5>

 <p>The following configuration snippets illustrate the Fediz related configuration. The complete configuration file can be found in the example <em>spring2Webapp</em>.</p>

 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext-security.xml</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default">
     &lt;sec:http entry-point-ref="federationEntryPoint"&gt;
         &lt;sec:intercept-url pattern="/secure/fedservlet" access="IS_AUTHENTICATED_FULLY"/&gt;
         &lt;sec:intercept-url pattern="/secure/manager/**" access="ROLE_MANAGER"/&gt;
         &lt;sec:intercept-url pattern="/secure/admin/**" access="ROLE_ADMIN"/&gt;
         &lt;sec:intercept-url pattern="/secure/user/**" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER"/&gt;
     &lt;/sec:http&gt;


     &lt;sec:authentication-manager alias="authManager"/&gt;

     &lt;bean id="fedizConfig" class="org.apache.cxf.fediz.spring.FederationConfigImpl" init-method="init"
         p:configFile="WEB-INF/fediz_config.xml" p:contextName="/fedizhelloworld" /&gt;

     &lt;bean id="federationEntryPoint"
         class="org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint"
         p:federationConfig-ref="fedizConfig" /&gt;

     &lt;bean id="federationFilter"
         class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter"
         p:authenticationManager-ref="authManager" p:defaultTargetUrl="/whatever"&gt;
         &lt;sec:custom-filter after="BASIC_PROCESSING_FILTER"/&gt;
     &lt;/bean&gt;

     &lt;bean id="federationAuthProvider" class="org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider"
         p:federationConfig-ref="fedizConfig"&gt;
         &lt;sec:custom-authentication-provider /&gt;
         &lt;property name="authenticationUserDetailsService"&gt;
             &lt;bean class="org.apache.cxf.fediz.spring.authentication.GrantedAuthoritiesUserDetailsFederationService"/&gt;
         &lt;/property&gt;
     &lt;/bean&gt;

 </pre>
 </div></div>

 <p>The <em>http</em> element is the key element which depends on the other bean definitions like <em>federationFilter</em> and the <em>federationAuthProvider</em>. Web request authorizing is configured in the <em>http</em> element as well which looks similar to security constraints definition in <code>web.xml</code>.</p>

 <p>The following code snippet of the FederationServlet example illustrates how to get access to the Spring Security Context of the current user and to the Federation releated information like claims and login token.</p>

 <div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default">
     Authentication obj = SecurityContextHolder.getContext().getAuthentication();
     FederationAuthenticationToken fedAuthToken = (FederationAuthenticationToken)auth;
     for (GrantedAuthority item : fedAuthToken.getAuthorities()) {
         ...
     }

     ClaimCollection claims = ((FederationUser)fedAuthToken.getUserDetails()).getClaims();
     for (Claim c: claims) {
         ...
     }
 </pre>
 </div></div>


 <h3 id="FedizSpring2-FederationMetadatadocument">Federation Metadata document</h3>

 <p>The Spring Security Fediz plugin supports publishing the WS-Federation Metadata document which is described <a shape="rect" href="fediz-metadata.html">here</a>.</p>

 </div>
            </div>
            <!-- Content -->
          </td>
         </tr>
       </table>
    </td>
    <td id="cell-2-2" colspan="2">&nbsp;</td>
   </tr>
   <tr>
    <td id="cell-3-0">&nbsp;</td>
    <td id="cell-3-1">&nbsp;</td>
    <td id="cell-3-2">
      <div id="footer">
        <!-- Footer -->
        <div id="site-footer">
          <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> -
          (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=30758602">edit page</a>)
 	 (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=30758602&amp;showComments=true&amp;showCommentArea=true#addcomment">add comment</a>)<br>
 	Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
         All other marks mentioned may be trademarks or registered trademarks of their respective owners.
        </div>
        <!-- Footer -->
      </div>
    </td>
    <td id="cell-3-3">&nbsp;</td>
    <td id="cell-3-4">&nbsp;</td>
   </tr>
   <tr>
     <td id="cell-4-0" colspan="2">&nbsp;</td>
     <td id="cell-4-1">&nbsp;</td>
     <td id="cell-4-2" colspan="2">&nbsp;</td>
   </tr>
 </table>

 <script type="text/javascript">
 var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
 document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
 </script>
 <script type="text/javascript">
 try {
 var pageTracker = _gat._getTracker("UA-4458903-1");
 pageTracker._trackPageview();
 } catch(err) {}</script>

 </body>
 </html>

	<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
	<!--

	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<html>
	<head>

	<link type="text/css" rel="stylesheet" href="/resources/site.css">
	<script src='/resources/space.js'></script>

	<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
	<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
	<meta name="description" content="Apache CXF, Services Framework - Fediz Spring 2">


	<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
	<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">

	<script src='/resources/highlighter/scripts/shCore.js'></script>
	<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
	<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
	<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
	<script>
	SyntaxHighlighter.defaults['toolbar'] = false;
	SyntaxHighlighter.all();
	</script>


	<title>
	Apache CXF -- Fediz Spring 2
	</title>
	</head>
	<body onload="init()">


	<table width="100%" cellpadding="0" cellspacing="0">
	<tr>
	<td id="cell-0-0" colspan="2"> </td>
	<td id="cell-0-1"> </td>
	<td id="cell-0-2" colspan="2"> </td>
	</tr>
	<tr>
	<td id="cell-1-0"> </td>
	<td id="cell-1-1"> </td>
	<td id="cell-1-2">
	<!-- Banner -->
	<div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
	<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
	</td><td align="right" colspan="1" nowrap>
	<a shape="rect" href="http://www.apache.org/" title="The Apache Software Foundation"><img width="214px" height="88" border="0" alt="ASF Logo" src="https://apache.org/img/asf_logo.png"></a>
	</td></tr></table></div></div>
	<!-- Banner -->
	<div id="top-menu">
	<table border="0" cellpadding="1" cellspacing="0" width="100%">
	<tr>
	<td>
	<div align="left">
	<!-- Breadcrumbs -->
	<a href="index.html">Index</a> > <a href="fediz.html">Fediz</a> > <a href="fediz-spring-2.html">Fediz Spring 2</a>
	<!-- Breadcrumbs -->
	</div>
	</td>
	<td>
	<div align="right">
	<!-- Quicklinks -->
	<div id="quicklinks"><p><a shape="rect" href="download.html">Download</a> \| <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
	<!-- Quicklinks -->
	</div>
	</td>
	</tr>
	</table>
	</div>
	</td>
	<td id="cell-1-3"> </td>
	<td id="cell-1-4"> </td>
	</tr>
	<tr>
	<td id="cell-2-0" colspan="2"> </td>
	<td id="cell-2-1">
	<table>
	<tr valign="top">
	<td height="100%">
	<div id="wrapper-menu-page-right">
	<div id="wrapper-menu-page-top">
	<div id="wrapper-menu-page-bottom">
	<div id="menu-page">
	<!-- NavigationBar -->
	<div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect" href="index.html">Apache CXF</a></h3><ul class="alternate"><li><a shape="rect" href="index.html">Home</a></li><li><a shape="rect" href="download.html">Download</a></li><li><a shape="rect" href="people.html">People</a></li><li><a shape="rect" href="project-status.html">Project Status</a></li><li><a shape="rect" href="roadmap.html">Roadmap</a></li><li><a shape="rect" href="mailing-lists.html">Mailing Lists</a></li><li><a shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect" href="security-advisories.html">Security Advisories</a></li></ul><h3 id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's Guide</a></li><li><a shape="rect" href="support.html">Support</a></li><li><a shape="rect" href="faq.html">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html">Resources and Articles</a></li></ul><h3 id="Navigation-Search">Search</h3><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse"><div> <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4"> <input type="hidden" name="ie" value="UTF-8"> <input type="text" name="q" size="21"> <input type="submit" name="sa" value="Search"> </div> </form> <script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script> <h3 id="Navigation-Developers">Developers</h3><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture Guide</a></li><li><a shape="rect" href="source-repository.html">Source Repository</a></li><li><a shape="rect" href="building.html">Building</a></li><li><a shape="rect" href="automated-builds.html">Automated Builds</a></li><li><a shape="rect" href="testing-debugging.html">Testing-Debugging</a></li><li><a shape="rect" href="coding-guidelines.html">Coding Guidelines</a></li><li><a shape="rect" href="getting-involved.html">Getting Involved</a></li><li><a shape="rect" href="release-management.html">Release Management</a></li></ul><h3 id="Navigation-Subprojects">Subprojects</h3><ul class="alternate"><li><a shape="rect" href="distributed-osgi.html">Distributed OSGi</a></li><li><a shape="rect" href="xjc-utils.html">XJC Utils</a></li><li><a shape="rect" href="build-utils.html">Build Utils</a></li><li><a shape="rect" href="fediz.html">Fediz</a></li></ul><h3 id="Navigation-ASF"><a shape="rect" class="external-link" href="http://www.apache.org">ASF</a></h3><ul class="alternate"><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/">Foundation</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/sponsorship.html">Sponsor Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul><p> </p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div>
	<!-- NavigationBar -->
	</div>
	</div>
	</div>
	</div>
	</td>
	<td height="100%">
	<!-- Content -->
	<div class="wiki-content">
	<div id="ConfluenceContent"><h1 id="FedizSpring2-SpringSecurity2.0Plugin(1.1)">Spring Security 2.0 Plugin (1.1)</h1>

	<p>This page describes how to enable Federation for a <a shape="rect" class="external-link" href="http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/springsecurity.html" rel="nofollow">Spring Security</a> based Web Application. Spring Security provides more authorization capabilities than defined in the Java Servlet specification. Beyond authorizing web requests Spring Security supports authorizing whether methods can be invoked and authorizing access to individual domain object instances.</p>

	<p>Spring Security supports two deployment options. On the one hand, authentication and authorization is enforced by the underlying Servlet Container or on the other hand by Spring Security embedded with the application. The former ensures that the application is only called if authentication is successful. This can be controlled by an administrator/operator. This option is called <a shape="rect" class="external-link" href="http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/preauth.html" rel="nofollow">Pre-Authentication</a>. The latter gives all the control to the application developer and removes the dependency to security configuration in the Servlet Container. This simplifies deploying an application into different Serlvet Container environments.</p>

	<p>Both options are valid and it mainly depends on the policies/requirements within a company which is a better fit. Questions to be answered are: Who should manage the security enforcement (Application developer, Administrator)? Do you have to deploy the application into different Servlet Container environments?</p>

	<p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP and STS on the Tomcat IDP instance as discussed <a shape="rect" href="fediz-idp-10.html">here</a>, and can view the STS WSDL at the URL given on that page.</p>

	<h3 id="FedizSpring2-Installation">Installation</h3>

	<p>You can either build the Fediz plugin on your own, download the package <a shape="rect" href="fediz-downloads.html">here</a> or add the dependency to your Maven project. If you have built the plugin on your own you'll find the required libraries in <code>plugins/spring2/target/...zip-with-dependencies.zip</code></p>

	<p>It's recommended to use Maven to resolve all the dependencies as illustrated in the example <em>spring2Webapp</em>. The README provides instructions for building and deployment.</p>

	<h3 id="FedizSpring2-WebApplicationwith"native"SpringSecurity">Web Application with "native" Spring Security</h3>

	<p>Authentication and authorization are managed by Spring Security only. The Fediz Spring Plugin provides the implementation of WS-Federation by implementing certain Spring Security interfaces. Finally, this results into the creation of the Spring Security Context. You can use Spring's authorization capabilities for web requests and method calls. The example <em>spring2Webapp</em> only illustrates authorizing web requests. Method based authorization is described <a shape="rect" class="external-link" href="http://static.springsource.org/spring-security/site/docs/2.0.x/reference/html/ns-config.html#ns-method-security" rel="nofollow">here</a>.</p>

	<h5 id="FedizSpring2-FedizPluginconfigurationforYourWebApplication">Fediz Plugin configuration for Your Web Application</h5>

	<p>The Fediz related configuration is done in a Servlet Container independent configuration file which is described <a shape="rect" href="fediz-configuration.html">here</a>.</p>

	<h5 id="FedizSpring2-SpringSecurityConfiguration">Spring Security Configuration</h5>

	<p>The following configuration snippets illustrate the Fediz related configuration. The complete configuration file can be found in the example <em>spring2Webapp</em>.</p>

	<div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>applicationContext-security.xml</b></div><div class="codeContent panelContent pdl">
	<pre class="brush: java; gutter: false; theme: Default">
	<sec:http entry-point-ref="federationEntryPoint">
	<sec:intercept-url pattern="/secure/fedservlet" access="IS_AUTHENTICATED_FULLY"/>
	<sec:intercept-url pattern="/secure/manager/**" access="ROLE_MANAGER"/>
	<sec:intercept-url pattern="/secure/admin/**" access="ROLE_ADMIN"/>
	<sec:intercept-url pattern="/secure/user/**" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER"/>
	</sec:http>


	<sec:authentication-manager alias="authManager"/>

	<bean id="fedizConfig" class="org.apache.cxf.fediz.spring.FederationConfigImpl" init-method="init"
	p:configFile="WEB-INF/fediz_config.xml" p:contextName="/fedizhelloworld" />

	<bean id="federationEntryPoint"
	class="org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint"
	p:federationConfig-ref="fedizConfig" />

	<bean id="federationFilter"
	class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter"
	p:authenticationManager-ref="authManager" p:defaultTargetUrl="/whatever">
	<sec:custom-filter after="BASIC_PROCESSING_FILTER"/>
	</bean>

	<bean id="federationAuthProvider" class="org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider"
	p:federationConfig-ref="fedizConfig">
	<sec:custom-authentication-provider />
	<property name="authenticationUserDetailsService">
	<bean class="org.apache.cxf.fediz.spring.authentication.GrantedAuthoritiesUserDetailsFederationService"/>
	</property>
	</bean>

	</pre>
	</div></div>

	<p>The <em>http</em> element is the key element which depends on the other bean definitions like <em>federationFilter</em> and the <em>federationAuthProvider</em>. Web request authorizing is configured in the <em>http</em> element as well which looks similar to security constraints definition in <code>web.xml</code>.</p>

	<p>The following code snippet of the FederationServlet example illustrates how to get access to the Spring Security Context of the current user and to the Federation releated information like claims and login token.</p>

	<div class="code panel pdl" style="border-style: solid;border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>FederationServlet.java</b></div><div class="codeContent panelContent pdl">
	<pre class="brush: java; gutter: false; theme: Default">
	Authentication obj = SecurityContextHolder.getContext().getAuthentication();
	FederationAuthenticationToken fedAuthToken = (FederationAuthenticationToken)auth;
	for (GrantedAuthority item : fedAuthToken.getAuthorities()) {
	...
	}

	ClaimCollection claims = ((FederationUser)fedAuthToken.getUserDetails()).getClaims();
	for (Claim c: claims) {
	...
	}
	</pre>
	</div></div>


	<h3 id="FedizSpring2-FederationMetadatadocument">Federation Metadata document</h3>

	<p>The Spring Security Fediz plugin supports publishing the WS-Federation Metadata document which is described <a shape="rect" href="fediz-metadata.html">here</a>.</p>

	</div>
	</div>
	<!-- Content -->
	</td>
	</tr>
	</table>
	</td>
	<td id="cell-2-2" colspan="2"> </td>
	</tr>
	<tr>
	<td id="cell-3-0"> </td>
	<td id="cell-3-1"> </td>
	<td id="cell-3-2">
	<div id="footer">
	<!-- Footer -->
	<div id="site-footer">
	<a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> -
	(<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=30758602">edit page</a>)
	(<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=30758602&showComments=true&showCommentArea=true#addcomment">add comment</a>)<br>
	Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
	All other marks mentioned may be trademarks or registered trademarks of their respective owners.
	</div>
	<!-- Footer -->
	</div>
	</td>
	<td id="cell-3-3"> </td>
	<td id="cell-3-4"> </td>
	</tr>
	<tr>
	<td id="cell-4-0" colspan="2"> </td>
	<td id="cell-4-1"> </td>
	<td id="cell-4-2" colspan="2"> </td>
	</tr>
	</table>

	<script type="text/javascript">
	var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
	document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
	</script>
	<script type="text/javascript">
	try {
	var pageTracker = _gat._getTracker("UA-4458903-1");
	pageTracker._trackPageview();
	} catch(err) {}</script>

	</body>
	</html>