Wednesday, June 10, 2015

Apache CXF Fediz 1.2.0 tutorial - part I

The previous blog entry gave an overview of the new features in Apache CXF Fediz 1.2.0. This post first focuses on setting up and running the IdP (Identity Provider) and the sample simpleWebapp in Apache Tomcat.

1) Deploying the 1.2.0 Fediz IdP in Apache Tomcat

Download Fediz 1.2.0 and extract it to a new directory (${fediz.home}). We will use an Apache Tomcat 7 container to host the IdP. To deploy the IdP to Tomcat:
  • Create a new directory: ${catalina.home}/lib/fediz
  • Edit ${catalina.home}/conf/catalina.properties and append ',${catalina.home}/lib/fediz/*.jar' to the 'common.loader' property.
  • Copy ${fediz.home}/plugins/tomcat/lib/* to ${catalina.home}/lib/fediz
  • Copy ${fediz.home}/idp/war/* to ${catalina.home}/webapps
  • Download and copy the hsqldb jar (e.g. hsqldb-1.8.0.10.jar) to ${catalina.home}/lib
Now we need to set up TLS:
  • The keys that ship with Fediz 1.2.0 are 1024-bit DSA keys, which will not work with most modern browsers (this will be fixed for 1.2.1).
  • So with 1.2.0 we need to download the keys from git rather than use the keys in the distribution.
  • Download idp-ssl-key.jks and idp-ssl-trust.jks from here.
  • Copy idp-ssl-key.jks and idp-ssl-trust.jks to ${catalina.home}.
  • Copy both jks files as well to ${catalina.home}/webapps/fediz-idp/WEB-INF/classes/ (after Tomcat is started)
  • Edit the TLS Connector in ${catalina.home}/conf/server.xml, e.g.:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
               truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
Now start Tomcat and check that the IdP is live by opening the STS WSDL in a web browser: 'https://localhost:8443/fediz-idp-sts/REALMA/STSServiceTransport?wsdl'

For a more thorough test, enter the following in a web browser - you should be redirected to the URL for the service application (a 404, as we have not yet deployed it):

https://localhost:8443/fediz-idp/federation?wa=wsignin1.0&wreply=https%3A%2F%2Flocalhost%3A8443%2Ffedizhelloworld%2Fsecure%2Ffedservlet&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld
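The sign-in URL above carries the three WS-Federation parameters the IdP acts on: wa (the action, wsignin1.0), wtrealm (the identifier of the relying party) and wreply (where the browser is sent back to). Before issuing the redirect, the IdP has to check that wtrealm names an application registered with it and that wreply belongs to that application; a relying party that is not registered is refused, which is why registering the RP with the IdP is a prerequisite for the later steps. The Python below is an added example, not Fediz code: it rebuilds the URL from its parts and performs that check against a constructed registry (the APPLICATIONS dict, the SignInError class and all function names are assumptions of this example, not the IdP's own data model or API).

```python
"""Validate a WS-Federation passive sign-in request (wa=wsignin1.0).

Added example, not Fediz code: a standalone illustration of the check an IdP
performs before redirecting the browser back to wreply.
"""
import posixpath
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry (assumption): realm -> allowed reply URL prefixes.
# The real IdP keeps this in its application registration, not in a dict.
APPLICATIONS = {
    "urn:org:apache:cxf:fediz:fedizhelloworld": [
        "https://localhost:8443/fedizhelloworld/",
    ],
}


class SignInError(ValueError):
    """A sign-in request the IdP should reject rather than redirect."""


def build_signin_url(idp_base, wtrealm, wreply, wctx=None):
    """Build the redirect an RP sends the browser to; wreply and wtrealm get URL-encoded."""
    params = {"wa": "wsignin1.0", "wreply": wreply, "wtrealm": wtrealm}
    if wctx is not None:
        params["wctx"] = wctx
    return idp_base + "?" + urlencode(params)


def parse_signin_request(url):
    """Return the query parameters as single values; a repeated key is an error."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for key, values in query.items():
        if len(values) != 1:
            raise SignInError("parameter %r given more than once" % key)
        params[key] = values[0]
    return params


def _reply_allowed(wreply, allowed_prefixes):
    """wreply must share scheme, host and port with a prefix and stay under its path."""
    r = urlsplit(wreply)
    if r.scheme != "https" or not r.netloc:
        return False
    # normpath collapses "/../" so a reply cannot escape the registered path
    reply_path = posixpath.normpath(r.path or "/")
    for prefix in allowed_prefixes:
        a = urlsplit(prefix)
        base_path = posixpath.normpath(a.path or "/")
        same_origin = (r.scheme, r.netloc) == (a.scheme, a.netloc)
        under_base = reply_path == base_path or reply_path.startswith(base_path.rstrip("/") + "/")
        if same_origin and under_base:
            return True
    return False


def validate_signin_request(url, registry=APPLICATIONS):
    """Check wa/wtrealm/wreply against the registry; return what the IdP may act on."""
    p = parse_signin_request(url)
    if p.get("wa") != "wsignin1.0":
        raise SignInError("wa must be wsignin1.0, got %r" % p.get("wa"))
    realm = p.get("wtrealm")
    if realm not in registry:
        raise SignInError("realm %r is not a registered application" % realm)
    # wreply is optional in the protocol; fall back to the registered endpoint.
    wreply = p.get("wreply") or registry[realm][0]
    if not _reply_allowed(wreply, registry[realm]):
        raise SignInError("wreply %r does not belong to realm %r" % (wreply, realm))
    return {"wtrealm": realm, "wreply": wreply, "wctx": p.get("wctx")}


def is_acceptable(url, registry=APPLICATIONS):
    """Boolean form of validate_signin_request for callers that only need accept/reject."""
    try:
        validate_signin_request(url, registry)
        return True
    except SignInError:
        return False


if __name__ == "__main__":
    # The test request from the post, rebuilt from its parts.
    url = build_signin_url(
        "https://localhost:8443/fediz-idp/federation",
        "urn:org:apache:cxf:fediz:fedizhelloworld",
        "https://localhost:8443/fedizhelloworld/secure/fedservlet",
    )
    print(url)
    print(validate_signin_request(url))
```

Running the module prints the same URL as the one above and the parsed realm and reply address. The origin comparison plus path normalisation is what stops a request for a registered realm from carrying a wreply on another host or outside the application's path, which is the reason the IdP insists on registration before it will redirect anywhere.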

2) Deploying the simpleWebapp in Apache Tomcat

To deploy the service to Tomcat:
  • Copy ${fediz.home}/examples/samplekeys/rp-ssl-server.jks (rp-ssl-key.jks from Fediz 1.2.1) and ${fediz.home}/examples/samplekeys/ststrust.jks to ${catalina.home}.
  • Copy ${fediz.home}/examples/simpleWebapp/src/main/config/fediz_config.xml to ${catalina.home}/conf/
  • Edit ${catalina.home}/conf/fediz_config.xml and replace '9443' with '8443'.
  • Do a "mvn clean install" in ${fediz.home}/examples/simpleWebapp
  • Copy ${fediz.home}/examples/simpleWebapp/target/fedizhelloworld.war to ${catalina.home}/webapps.

3) Testing the service

To test the service navigate to:
  • https://localhost:8443/fedizhelloworld/  (this is not secured) 
  • https://localhost:8443/fedizhelloworld/secure/fedservlet
With the latter URL, the browser is redirected to the IdP (select realm "A") and is prompted for a username and password. Enter "alice/ecila", "bob/bob" or "ted/det" to test the various roles that are associated with these username/password pairs.

8 comments:

  1. Hi Colm,
    I have set up two different Apache Tomcat servers, one for the IDP/STS and another for my RP, and this is working fine for the sampleWebapp example. Now I am integrating the RP in another webapp of mine and trying to connect with the IDP, but I am getting an exception saying the request is not validated. I understand the problem is that this is a configuration issue. I need your help for registering my RP with the Fediz IDP. I followed http://janbernhardt.blogspot.com/2015/01/single-logout-with-fediz-ws-federation.html and I'm using the https://localhost:9443/fediz-idp/services/rs?_wadl WADL with SOAPUI to change the context path in the IDP configuration, but I am also facing an authentication issue here. I have the following queries related to my issue.
    1. How can I register my own RP (Relying Party) in the Fediz IDP and STS?
    2. During the build of the STS src I am getting some LDAP configuration exception. I am following README.txt.
    Hope to hear from you soon :) -Raj

  2. Hi,

    Please send an email to the CXF users list with this information + I will take a look.

    Colm.

    1. Hi Colm,
      Thanks, I have sent an email to the CXF users list. I am facing a problem applying security in SOAPUI for https://localhost:9443/fediz-idp/services/rs?_wadl. I get some exception in the IDP server console when I do a POST to https://localhost:9443/fediz-idp/services/rs/applications to register this application via the IDP REST interface.

      2015-08-19 11:19:39,964 [http-bio-9443-exec-1] WARN org.apache.cxf.jaxrs.utils.JAXRSUtils - No operation matching request path "/fediz-idp/services/rs" is found, Relative Path: /
      , HTTP Method: POST, ContentType: application/xml, Accept: */*,. Please enable FINE/TRACE log level for more details.
      2015-08-19 11:19:39,964 [http-bio-9443-exec-1] WARN org.apache.cxf.fediz.service.idp.rest.RestServiceExceptionMapper - Exception occured processing REST request: HTTP 405 Method
      Not Allowed
      javax.ws.rs.ClientErrorException: HTTP 405 Method Not Allowed
      at org.apache.cxf.jaxrs.utils.SpecExceptions.toHttpException(SpecExceptions.java:117)
      at org.apache.cxf.jaxrs.utils.ExceptionUtils.toHttpException(ExceptionUtils.java:166)

    2. Thank you Colm,
      I got a solution on the CXF users list from Jan Bernhardt, and now it's working fine. Thank you @Jan :)

  3. I am configuring the sample app; however, the IdP is redirecting to https://localhost:12443/fediz-idp-remote/federation?wa=wsignin1.0&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A&wreply=https%3A%2F%2Flocalhost%3A9443%2Ffediz-idp%2Ffederation&whr=urn:org:apache:cxf:fediz:idp:realm-B&wctx=4327ff71-df9e-4428-9fdd-9138e6330413
    instead of port 8443 in the IdP.

  4. When the browser is redirected to the IdP, are you selecting "Realm B" in the drop-down list? This will redirect to "12443"... instead you should be selecting "Realm A".

  5. Thanks for the reply. If there are existing REST calls which just have basic authentication, but I don't want another call, how can this be achieved in Fediz...

  6. I don't understand the question. I suggest adding more detail and asking it on the CXF users mailing list.
