From do-not-reply at jboss.org Tue Jan 29 11:07:59 2013 Content-Type: multipart/mixed; boundary="===============6511500478614003691==" MIME-Version: 1.0 From: do-not-reply at jboss.org To: gatein-commits at lists.jboss.org Subject: [gatein-commits] gatein SVN: r9089 - in epp/docs/branches/6.0/Reference_Guide/en-US: modules and 3 other directories. Date: Mon, 28 Jan 2013 01:12:20 -0500 Message-ID: <201301280612.r0S6CK0d012174@svn01.web.mwc.hst.phx2.redhat.com> --===============6511500478614003691== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: jaredmorgs Date: 2013-01-28 01:12:20 -0500 (Mon, 28 Jan 2013) New Revision: 9089 Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Reference_Guide.xml epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIde= ntity/BackendConfiguration.xml epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIde= ntity/PasswordEncryption.xml epp/docs/branches/6.0/Reference_Guide/en-US/modules/ServerIntegration.xml epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr-with-gtn/= managed-datasources-under-jboss-as.xml epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr/performan= ce-tuning-guide.xml Log: Changes to the Securing WSRP section and clean up from Thomas Heute's and K= en Finnegan's changes in the email Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Reference_Guide.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/Reference_Guide.xml 2013-01= -28 05:14:12 UTC (rev 9088) +++ epp/docs/branches/6.0/Reference_Guide/en-US/Reference_Guide.xml 2013-01= -28 06:12:20 UTC (rev 9089) 
@@ -29,9 +29,9 @@ - Server Integration + Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-0= 1-28 05:14:12 UTC (rev 9088) +++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-0= 1-28 06:12:20 UTC (rev 9089) @@ -7,7 +7,25 @@ Revision History - + + 6.0.0-40 + Mon Jan 26 2013 + + Jared + Morgan + + + + + Incorporated all feedback from Thomas from the Email r= eview, except for some stuff from WSRP. See next entries. + WSRP review due to missing or incorrect file paths ide= ntified by Thomas in email review. + Added Confluence Source links to Securing WSRP. + Moved Server Integration chapter before the Revision H= istory, so the Publican build would not break. + Removed all JBoss AS7, JBossAS 7, JBoss AS 7, GateIn P= ortal references. + + + + 6.0.0-39 Sat Jan 26 2013 Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/Authenticatio= nAndIdentity/BackendConfiguration.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndId= entity/BackendConfiguration.xml 2013-01-28 05:14:12 UTC (rev 9088) +++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndId= entity/BackendConfiguration.xml 2013-01-28 06:12:20 UTC (rev 9089) @@ -1,6 +1,5 @@ - - %BOOK_ENTITIES; ]> @@ -390,10 +389,7 @@ = = - --> = - = -
- = +
-->
Configuration files The main configuration file is @@ -401,9 +397,9 @@ : - <configuration xmlns:xsi=3D"http://www.w3.org/200= 1/XMLSchema-instance" - xsi:schemaLocation=3D"http://www.exoplaform.org/xml/ns/kern= el_1_2.xsd http://www.exoplaform.org/xml/ns/kernel_1_2.xsd" - xmlns=3D"http://www.exoplaform.org/xml/ns/kernel_1_2.xsd"&g= t; + <configuration xmlns:xsi=3D"http://www.w3.or= g/2001/XMLSchema-instance" + xsi:schemaLocation=3D"http://www.exoplaform.org/xml/ns= /kernel_1_2.xsd http://www.exoplaform.org/xml/ns/kernel_1_2.xsd" + xmlns=3D"http://www.exoplaform.org/xml/ns/kernel_1_2.x= sd"> = <component> <key>org.exoplatform.services.organization.idm.PicketLinkIDM= Service</key> @@ -427,25 +423,25 @@ <init-params> <object-param> <name>configuration</name> - <object type=3D"org.exoplatform.services.organization.idm.Confi= g"> - <field name=3D"useParentIdAsGroupType"> + <object type=3D"org.exoplatform.services.organization.idm.= Config"> + <field name=3D"useParentIdAsGroupType"> <boolean>true</boolean> </field> = - <field name=3D"forceMembershipOfMappedTypes"> + <field name=3D"forceMembershipOfMappedTypes"> <boolean>true</boolean> </field> = - <field name=3D"pathSeparator"> + <field name=3D"pathSeparator"> <string>.</string> </field> = - <field name=3D"rootGroupName"> + <field name=3D"rootGroupName"> <string>GTN_ROOT_GROUP</string> </field> = - <field name=3D"groupTypeMappings"> - <map type=3D"java.util.HashMap"> + <field name=3D"groupTypeMappings"> + <map type=3D"java.util.HashMap"> <entry> <key><string>/</string></key> <value><string>root_type</string></va= lue> @@ -466,11 +462,11 @@ </map> </field> = - <field name=3D"associationMembershipType"> + <field name=3D"associationMembershipType"> <string>member</string> </field> = - <field name=3D"ignoreMappedMembershipType"> + <field name=3D"ignoreMappedMembershipType"> <boolean>false</boolean> </field> </object> @@ -484,7 +480,6 @@
- = PicketlinkIDMServiceImpl The @@ -521,7 +516,7 @@ jndiName - (value-param) If the 'config' parameter is not provided, this = parameter will be used to perform JNDI lookup for + (value-param) If the 'config' parameter is not provi= ded, this parameter will be used to perform JNDI lookup for IdentitySessionFactory . @@ -532,14 +527,14 @@ (value-param) The realm name that should be used to obtain pro= per IdentitySession . The default is - 'PortalRealm' + 'PortalRealm' . apiCacheConfig - (value-param) The infinispan configuration file with cache con= figuration for Picketlink IDM API. It's different for cluster and non-clust= er because infinispan needs to be replicated in cluster environment. + (value-param) The infinispan configuration file with cache con= figuration for Picketlink IDM API. It's different for cluster and non-= cluster because infinispan needs to be replicated in cluster environment. @@ -547,13 +542,12 @@ storeCacheConfig (value-param) = - The infinispan configuration file with cache configuration for= Picketlink IDM IdentityStore. Actually it's used only for LDAP store (not = used with default DB configuration). It's different for cluster and non-clu= ster because infinispan needs to be replicated in cluster environment. + The infinispan configuration file with cache configuration for= Picketlink IDM IdentityStore. Actually it's used only for LDAP store = (not used with default DB configuration). It's different for cluster a= nd non-cluster because infinispan needs to be replicated in cluster environ= ment.
- = PicketlinkIDMOrganizationServiceImpl The @@ -576,7 +570,7 @@ defaultGroupType The name of the PicketLink IDM GroupType that will be used to = store groups. The default is - 'GTN_GROUP_TYPE' + 'GTN_GROUP_TYPE' . @@ -584,7 +578,7 @@ rootGroupName The name of the PicketLink IDM Group that will be used as a ro= ot parent. The default is - 'GTN_ROOT_GROUP' + 'GTN_ROOT_GROUP' . @@ -599,17 +593,17 @@ useParentIdAsGroupType - This parameter stores the parent ID path as a group type in Pi= cketLink IDM for any IDs not mapped with a specific type in 'groupTypeMappi= ngs'. If this option is set to + This parameter stores the parent ID path as a group type in Pi= cketLink IDM for any IDs not mapped with a specific type in 'groupType= Mappings'. If this option is set to false - , and no mappings are provided under 'groupTypeMappings', then= only one group with the given name can exist in the portal group tree. + , and no mappings are provided under 'groupTypeMappings&a= pos;, then only one group with the given name can exist in the portal group= tree. pathSeparator - When 'userParentIdAsGroupType is set to + When 'userParentIdAsGroupType is set to true - , this value will be used to replace all "/" characters in IDs= . The "/" character is not allowed to be used in group type name in PicketL= ink IDM. + , this value will be used to replace all "/" charact= ers in IDs. The "/" character is not allowed to be used in group = type name in PicketLink IDM. 
@@ -623,7 +617,7 @@ groupTypeMappings This parameter maps groups added with portal API as children o= f a given group ID, and stores them with a given group type name in PicketL= ink IDM. = - If the parent ID ends with "/*", then all child groups will ha= ve the mapped group type. Otherwise, only direct (first level) children wil= l use this type. + If the parent ID ends with "/*", then all child grou= ps will have the mapped group type. Otherwise, only direct (first level) ch= ildren will use this type. = This can be leveraged by LDAP if LDAP DN is configured in Pick= etLink IDM to only store a specific group type. This will then store the gi= ven branch in portal group tree, while all other groups will remain in the = database. 
@@ -631,15 +625,15 @@ forceMembershipOfMappedTypes - Groups stored in PicketLink IDM with a type mapped in 'groupTy= peMappings' will automatically be members under the mapped parent. Group re= lationships linked by PicketLink IDM group association will not be necessar= y. + Groups stored in PicketLink IDM with a type mapped in 'gr= oupTypeMappings' will automatically be members under the mapped parent= . Group relationships linked by PicketLink IDM group association will not b= e necessary. = - This parameter can be set to false if all groups are added via= portal APIs. This may be useful with LDAP configuration as, when set to tr= ue, it will make every entry added to LDAP appear in portal. This, however,= is not true for entries added via GateIn Portal management UI. + This parameter can be set to false if all groups are added via= portal APIs. This may be useful with LDAP configuration as, when set to tr= ue, it will make every entry added to LDAP appear in portal. This, however,= is not true for entries added via JBoss Portal Platform management UI. ignoreMappedMembershipType - If "associationMembershipType" option is used, and this option= is set to true, then Membership with MembershipType configured to be store= d as PicketLink IDM association will not be stored as PicketLink IDM Role. + If "associationMembershipType" option is used, and t= his option is set to true, then Membership with MembershipType configured t= o be stored as PicketLink IDM association will not be stored as PicketLink = IDM Role. 
@@ -650,14 +644,14 @@ - GateIn Portal User interface properties fields are persist= ed in Picketlink IDM using those attributes names: firstName, lastName, ema= il, createdDate, lastLoginTime, organizationId, password (if password is co= nfigured to be stored as attribute). + JBoss Portal Platform User interface properties fields are= persisted in Picketlink IDM using those attributes names: firstName, lastN= ame, email, createdDate, lastLoginTime, organizationId, password (if passwo= rd is configured to be stored as attribute). - GateIn Portal Group interface properties fields are persis= ted in Picketlink IDM using those attributes names: label, description. + JBoss Portal Platform Group interface properties fields ar= e persisted in Picketlink IDM using those attributes names: label, descript= ion. - GateIn Portal MembershipType interface properties fields are p= ersisted in JBoss Identity IDM using those RoleType properties: description= , owner, create_date, modified_date. +JBoss Portal Platform MembershipType interface properties fields are persi= sted in JBoss Identity IDM using those RoleType properties: description, ow= ner, create_date, modified_date. = A sample PicketLink IDM 
@@ -666,9 +660,9 @@ - <jboss-identity xmlns=3D"urn:jboss:identity:idm= :config:v1_0_beta" - xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation=3D"urn:jboss:identity:idm:config:v1_0_a= lpha identity-config.xsd"> + <jboss-identity xmlns=3D"urn:jboss:identit= y:idm:config:v1_0_beta" + xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instanc= e" + xsi:schemaLocation=3D"urn:jboss:identity:idm:config:v= 1_0_alpha identity-config.xsd"> <realms> <realm> <id>PortalRealm</id> Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/Authenticatio= nAndIdentity/PasswordEncryption.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndId= entity/PasswordEncryption.xml 2013-01-28 05:14:12 UTC (rev 9088) +++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndId= entity/PasswordEncryption.xml 2013-01-28 06:12:20 UTC (rev 9089) @@ -8,7 +8,7 @@
Hashing and salting of passwords in Picketlink IDM - GateIn Portal is using +JBoss Portal Platform is using Picketlink IDM framework to store information about identity objects (users/groups/= memberships) and more info about this is in PicketLink IDM integration 
@@ -16,14 +16,14 @@ CredentialEncoder , which encode password and save the encoded form into Picketlink ID= M database. = - Later when user want to authenticate, he needs to provide his passwo= rd in plain-text via web login form. Provided password is then encoded and = compared with encoded password from Picketlink IDM database. GateIn Portal = is then able to authenticate user based on this comparison. + Later when user want to authenticate, he needs to provide his passwo= rd in plain-text via web login form. Provided password is then encoded and = compared with encoded password from Picketlink IDM database. JBoss Portal P= latform is then able to authenticate user based on this comparison. Default implementation of CredentialEncoder - is using password hashing with MD5 algorithm and storing those MD5 h= ashes in database. It does not use any salting of passwords. This is not sa= fest solution, but it's backward compatible with previous releases of = GateIn Portal before version 3.5, where MD5 password hashing was only possi= ble encoding form. So if you migrate from older release of GateIn Portal, y= our users will be still able to authenticate. + is using password hashing with MD5 algorithm and storing those MD5 h= ashes in database. It does not use any salting of passwords. This is not sa= fest solution, but it's backward compatible with previous releases of = JBoss Portal Platform before version 3.5, where MD5 password hashing was on= ly possible encoding form. So if you migrate from older release of JBoss Po= rtal Platform, your users will be still able to authenticate. - However if you are starting from fresh database (no migration fr= om previous GateIn Portal release), you may increase security by using bett= er hashing algorithm and especially by enable password salting. See below f= or details. 
+ However if you are starting from fresh database (no migration fr= om previous JBoss Portal Platform release), you may increase security by us= ing better hashing algorithm and especially by enable password salting. See= below for details.
Choosing CredentialEncoder implementation @@ -37,7 +37,7 @@
HashingEncoder - This is the default choice. It uses only hashing of password= s with MD5 algorithm without salting. As mentioned previously, it's no= t safest solution but it's backward compatible with previous GateIn Po= rtal releases, so there are no issues with database migration from previous= release. Configuration looks like this: + This is the default choice. It uses only hashing of password= s with MD5 algorithm without salting. As mentioned previously, it's no= t safest solution but it's backward compatible with previous JBoss Por= tal Platform releases, so there are no issues with database migration from = previous release. Configuration looks like this: <option> 
@@ -99,7 +99,7 @@ Please note that specified file /salt/mysalt.txt - must exist and must be readable by user, which executed GateIn P= ortal. But file should be properly secured to not be readable by every user= of your OS. The file can have some random content phrase, for example + must exist and must be readable by user, which executed JBoss Po= rtal Platform. But file should be properly secured to not be readable by ev= ery user of your OS. The file can have some random content phrase, for exam= ple a4564dac2aasddsklklkajdgnioiow . Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/ServerIntegra= tion.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D (Binary files differ) Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml 2013-01-28= 05:14:12 UTC (rev 9088) +++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml 2013-01-28= 06:12:20 UTC (rev 9089) @@ -157,10 +157,9 @@
Considerations to use WSRP when running JBoss Portal Platform= on a non-default port or hostname - The web service stack that JBoss Portal Platform uses is based on= JBoss WS. It updates the port and host name used in WSDL (for further deta= ils refer to the Web Services chapter in the JBoss Enterprise Application Platform 6 Administration and Configuratio= n User Guide). + The web service stack that JBoss Portal Platform uses is based on= JBoss WS. It updates the port and host name used in WSDL. For more informa= tion, refer to the Web Services chapter in the JBos= s Enterprise Application Platform 6 Administration and Configur= ation User Guide. - - Of course, if you have modified the host name and port on whic= h your server runs, you will + If you have modified the host name and port on which your serv= er runs, you will need to update the configuration for the consumer used to consume JBos= s Portal Platform's 'self' producer.
@@ -185,7 +184,7 @@ - Depending on requirements, an HTTPs endpoint or/and ws-security = can be used. + Depending on requirements, an HTTPs endpoint and/or ws-security = can be used.
WSRP over SSL with HTTPS endpoints Source: https://docs.jboss.org/author/display/GTNPORTAL35/Se= curing+WSRP#SecuringWSRP-WSRPoverSSLwithHTTPSendpoints @@ -200,6 +199,8 @@
Sample Configuration For Enabling SSL With WSRP + Sources: https://docs.jboss.org/author/display/GTNPORTA= L35/Securing+WSRP#SecuringWSRP-SampleConfigurationForEnablingSSLWithWSRP The following procedures are provided as an example of configuri= ng HTTPS/SSL with WSRP. @@ -208,6 +209,7 @@ Configure the Producer to Use HTTPS + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-ConfiguretheProducertoUseHTTPS Configure the producer's server to use HTTPS. This is= handled in the same manner that you would configure any JBoss AS server fo= r HTTPS. Generate the keystore for the producer by executing the = following command. @@ -253,6 +255,7 @@ Configure the Consumer to Access the WSRP Endpoint over H= TTPS + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-ConfiguretheConsumertoAccesstheWSRPEndpointove= rHTTPS Export the producer's public key from the producer&= apos;s keystore keytool -export -alias tomcat -file producerke= y.rsa -keystore producerhttps.keystore -storepass changeme @@ -291,6 +294,7 @@
WSRP and WS-Security + Source: https://docs.jboss.org/author/display/GTNPORTAL35/Se= curing+WSRP#SecuringWSRP-WSRPandWSSecurity Portlets may present different data or options depending on th= e currently authenticated user. For remote portlets, this means having to propagate the user credential= s from the consumer back to the producer in a safe and secure manner. The WSRP specification does not di= rectly specify how this should be @@ -321,9 +325,10 @@ The recommended approach for this situation would be to use a = common LDAP configuration. Refer to to correctly configure LDAP on JBoss Portal Platform.
<remark>BZ#839355 </remark>WS-Security Configuration + Source: https://docs.jboss.org/author/display/GTNPORTAL35/= Securing+WSRP#SecuringWSRP-WSSecurityConfiguration
Introduction - JBoss AS7 uses a different web service implementation than= the previous versions: it is now uses the JBossWS CXF Stack instead of the= JBossWS Native Stack. Due to these changes, the way we configure WS-Securi= ty for WSRP with GateIn Portal on JBossAS 7 has changed. + JBoss Enterprise Application Platform 6 uses a different w= eb service implementation than the previous versions: it is now uses the JB= ossWS CXF Stack instead of the JBossWS Native Stack. Due to these changes, = the way we configure WS-Security for WSRP with JBoss Portal Platform on JBo= ss Enterprise Application Platform 6 has changed. We only support one ws-security configuration option for= the producer. All consumers accessing the producer will have to conform to= this security constraint. This means if the producer requires encryption, = all consumers will be required to encrypt their messages when accessing the= producer. We only support one ws-security configuration option to = be used by all the consumers. A consumer has the option to enable or disabl= e ws-security, which allows for one or more consumers to use ws-security wh= ile the others do not. @@ -331,29 +336,24 @@
Overview + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-Overview CXF uses interceptors to extend and configure its behavior= . There are two main types of interceptors: inInterceptors and outInterceptors. InInterceptors are invok= ed for communication coming into the client or server, while outInterceptor= s are invoked when the client or server sends a message. So for the WSRP case, the communication from the consumer = to the producer is governed by the consumer's OutInterceptor and the p= roducer's InIntereceptor. The communication from the producer to the c= onsumer is governed by the producer's OutInterceptor and the consumer&= apos;s InInterceptor. This may mean having to configure 4 Interceptors. - When dealing with WS-Security, there are some things to co= nsider here: - - - When dealing with user propagation, only the consumer = sends the user credentials to the producer. So Username Tokens only need to= be configured for the consumer's OutInterceptor and the producer&apos= ;s InInterceptor. - - - When dealing with things like encryption, you will mos= t likely want to encrypt the message from the consumer to the producer and = also the message from the producer to the consumer. This means that encrypt= ion properties must be configured for all 4 interceptors. - - + When dealing with user propagation, only the consumer send= s the user credentials to the producer. So Username Tokens only need to be = configured for the consumer's OutInterceptor and the producer's I= nInterceptor. + When dealing with things like encryption, you will most li= kely want to encrypt the message from the consumer to the producer and also= the message from the producer to the consumer. This means that encryption = properties must be configured for all 4 interceptors. 
Please see the CXF Documentation for more details on interceptor= s and their types: - To support ws-security, GateIn Portal uses CXF's WSS4J Inte= rceptors which handle all ws-security related tasks. Please see the CXF Doc= umentation for more details: + To support ws-security, JBoss Portal Platform 6 uses CXF's= WSS4J Interceptors which handle all ws-security related tasks. Please see = the CXF Documentation for more details:
WSS4J Interceptors and WSRP + Source: https://docs.jboss.org/author/display/GTNPORTAL35/= Securing+WSRP#SecuringWSRP-WSS4JInterceptorsandWSRP The WSS4J Interceptors are configured using using simple pr= operty files. = WSRP looks for specific property files to know whether or not in/out inter= ceptors must be added and configured for either consumers or producer. @@ -378,22 +378,30 @@ Consumer IN - standalone/configuration/gatein/wsrp/cxf/ws-securit= y/consumer/WSS4JInInterceptor.properties + + standalone/configuration/gatein/wsrp/cxf/ws-se= curity/consumer/WSS4JInInterceptor.properties + OUT - standalone/configuration/gatein/wsrp/cxf/ws-securit= y/consumer/WSS4JOutInterceptor.properties + + standalone/configuration/gatein/wsrp/cxf/ws-se= curity/consumer/WSS4JOutInterceptor.properties + Producer IN - standalone/configuration/gatein/wsrp/cxf/ws-securit= y/producer/WSS4JInInterceptor.properties + + standalone/configuration/gatein/wsrp/cxf/ws-se= curity/producer/WSS4JInInterceptor.properties + OUT - standalone/configuration/gatein/wsrp/cxf/ws-securit= y/producer/WSS4JOutInterceptor.properties + + standalone/configuration/gatein/wsrp/cxf/ws-se= curity/producer/WSS4JOutInterceptor.properties + @@ -401,6 +409,7 @@ Please refer to the CXF or WSS4J documentation for instructi= ons and options available for each type of interceptors.
User Propagation + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-UserPropagation User propagation can be configured to be used over WSRP wi= th ws-security. What this means is that a user logged into a consumer can h= ave their credentials propagated over to the producer. This allows the prod= ucer to authenticate the user and any portlet on the producer (a remote por= tlet from the consumer's perspective) will view the user as being prop= erly authenticated. This allows for remote portlets to access things like u= ser information. This only works if the user's credentials on the = producer and consumer are the same. This may require using a common authent= ication mechanism, such as LDAP. @@ -410,19 +419,24 @@
<remark>BZ#839355</remark>WS-Security Consumer Configuratio= n + Source: https://docs.jboss.org/author/display/GTNPORTAL35/= Securing+WSRP#SecuringWSRP-ConsumerConfiguration In order to configure ws-security on the consumer side, you will h= ave to configure the WSS4J Interceptors as seen above. This will require ha= ving to configure the WSS4JInInterceptor and/or WSS4JOutInterceptor. = You will also need to check the 'Enable WS-Security' che= ckbox on the WSRP Admin Portlet for the consumer configuration to take effe= ct. - - - - - +
+ WSRP Consumers Co= nfiguration + + + + + +
Special JBoss Portal Platform Configuration Options for U= ser Propagation - In order to handle user propagation in GateIn Portal acros= s ws-security, a couple of special configuration options have been created = which should be applied to the consumer's WSS4JOutInterceptor. + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-SpecialConfigurationOptionsforUserPropagation<= /remark> + In order to handle user propagation in JBoss Portal Platfo= rm across ws-security, a couple of special configuration options have been = created which should be applied to the consumer's WSS4JOutInterceptor.=
Custom 'user' option @@ -451,11 +465,13 @@
Producer Configuration + Source: https://docs.jboss.org/author/display/GTNPORTAL35/= Securing+WSRP#SecuringWSRP-ProducerConfiguration The configuration of the producer is similar to that of the = consumer. It also requires having to configure the WSS4JInInterceptor and/o= r WSS4JOutInterceptor.
- Special GateIn Portal Configuration Options for User Prop= agation + Special Configuration Options for User Propagation + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-SpecialConfigurationOptionsforUserPropagation<= /remark> - To properly propagate user information on the producer-side, y= ou will need to use GTNSubjectCreatingInterceptor instead of a regular WSS4= JInInterceptor. This GateIn Portal specific "in" interceptor is a= n extension of the traditional WSS4JInInterceptor and therefore can be conf= igured similarly and accept the same configuration properties. To specify t= hat you want to use the GTNSubjectCreatingInterceptor, please create a prop= erty file at + To properly propagate user information on the producer-side, y= ou will need to use GTNSubjectCreatingInterceptor instead of a regular WSS4= JInInterceptor. This JBoss Portal Platform specific "in" intercep= tor is an extension of the traditional WSS4JInInterceptor and therefore can= be configured similarly and accept the same configuration properties. To s= pecify that you want to use the GTNSubjectCreatingInterceptor, please creat= e a property file at standalone/configuration/gatein/wsrp/cxf/ws-security/pro= ducer/GTNSubjectCreatingInterceptor.properties instead of the regular WSS4JInInterceptor.properties file. @@ -474,6 +490,7 @@
Sample Configuration using the UsernameToken and User Propa= gation + Source: https://docs.jboss.org/author/display/GTNPORTAL35/= Securing+WSRP#SecuringWSRP-SampleConfigurationusingtheUsernameTokenandUserP= ropagation This example configuration does not encrypt the message. T= his means the username and password will be sent between the producer and c= onsumer in plain text. This is a security concern and is only being shown a= s a simple example. It is up to administrators to properly configure the WS= S4J Interceptors to encrypt messages or to only use https communication bet= ween the producer and consumer. @@ -530,13 +547,14 @@ in the WSRP admin portlet, click the 'enable ws-s= ecurity' checkbox - access a remote portlet (for example, the user identit= y portlet included as an example portlet in GateIn Portal) and verify that = the authenticated user is the same as the one on the consumer + access a remote portlet (for example, the user identit= y portlet included as an example portlet in JBoss Portal Platform) and veri= fy that the authenticated user is the same as the one on the consumer
Sample Configuration Securing the Endpoints using Encryptio= n and Signing + Source: https://docs.jboss.org/author/display/GTNPORTAL35/= Securing+WSRP#SecuringWSRP-SampleConfigurationSecuringtheEndpointsusingEncr= yptionandSigning The following steps outline how to configure the producer an= d consumer to encrypt and sign SOAP messages passed between the producer an= d consumer. This example only deals with SOAP messages being sent between t= he producer and consumer, and not with user propagation. @@ -549,6 +567,7 @@
Password Callback Class + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-PasswordCallbackClass WSS4J uses a Java class to specify the password when perfo= rming any security related actions. For the purpose of these encryption and= signing examples, we will use the same password for the producer's an= d consumer's keystore (wsrpAliasPassword). This simplifies things a bi= t as it means we can use just one password callback class for both the prod= ucer and consumer. Example @@ -596,13 +615,13 @@ - CallbackHandler implementations are provided to GateIn Porta= l using the standard Java + CallbackHandler implementations are provided to JBoss Portal= Platform using the standard Java ServiceLoader infrastructure. As such, CallbackHandler implementations nee= d to be bundled in a jar containing a file META-INF/services/javax.security.auth.callback.Callbac= kHandler specifying the fully qualified name of the CallbackHandler i= mplementation class. This jar then needs to be put in the gatein/extensions - directory of your GateIn Portal installation. + directory of your JBoss Portal Platform installation. @@ -612,6 +631,7 @@
Configuring the Keystores + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-ConfiguringtheKeystores In this example we are making it a bit easier by specify= ing the same keystore password for both the producer and consumer, as they = can use the same password callback class. @@ -674,6 +694,7 @@
Configuring the Producer + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-ConfiguringtheProducer @@ -730,6 +751,7 @@
Configuring the Consumer + Source: @@ -783,9 +805,11 @@
Sample Configuration using UsernameToken, Encryption and Si= gning with User Propagation - The following setps outline how to configure the producer an= d consumer to encrypt and sign the soap message as well as use user propaga= tion between the producer and consumer. + Source: https://docs.jboss.org/author/display/GTNPORTAL35/= Securing+WSRP#SecuringWSRP-SampleConfigurationusingUsernameToken%2CEncrypti= onandSigningwithUserPropagation + The following steps outline how to configure the producer an= d consumer to encrypt and sign the soap message as well as use user propaga= tion between the producer and consumer.
Configure the Producer + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-ConfiguretheProducer Follow the steps outlined in the Sample Configuration Securin= g the Endpoints using Encryption and Signing @@ -824,6 +848,7 @@
Configure the Consumer + Source: https://docs.jboss.org/author/display/GTNPORTAL3= 5/Securing+WSRP#SecuringWSRP-ConfiguretheConsumer Follow the steps outlined in the Sample Configuration Securin= g the Endpoints using Encryption and Signing @@ -1984,7 +2009,7 @@ The WSRP specifications allows for implementations to extend the pro= tocol using Extensions - . GateIn Portal, as of its WSRP implementation version 2.2.0, provid= es a way for client code (e.g. portlets) to interact with such extensions i= n the form of several classes and interfaces gathered within the + . JBoss Portal Platform, as of its WSRP implementation version 2.2.0= , provides a way for client code (e.g. portlets) to interact with such exte= nsions in the form of several classes and interfaces gathered within the org.gatein.wsrp.api.ext= ensions package , the most important ones being InvocationHandlerDelegate @@ -1999,7 +2024,7 @@ wsrp-integration-api-$WSRP_VERSION.jar file to your project, where $WSRP_VERSION - is the version of the GateIn Portal WSRP implementation you wish to = use, 2.2.2.Final being the current one. This can be done by adding the foll= owing dependency to your maven project: + is the version of the JBoss Portal Platform WSRP implementation you = wish to use, 2.2.2.Final being the current one. This can be done by adding = the following dependency to your maven project: @@ -2025,7 +2050,7 @@ Since InvocationHandlerDelegate - is a very generic interface, it could potentially be used for mo= re than simply working with WSRP extensions. Moreover, since it has access = to internal GateIn Portal classes, it is important to be treat access to th= ese internal classes as + is a very generic interface, it could potentially be used for mo= re than simply working with WSRP extensions. Moreover, since it has access = to internal JBoss Portal Platform classes, it is important to be treat acce= ss to these internal classes as read-only to prevent any un-intentional side-effects. 
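Review bot: the `+` line in the InvocationHandlerDelegate hunk (@@ -2025) carries an existing grammar error forward while touching the sentence for the product rename: "it is important to be treat access to these internal classes as read-only" should read "it is important to treat access to these internal classes as read-only", and "un-intentional side-effects" should be "unintentional side effects". Since the line is already being rewritten here, fix both in the same change rather than leaving them for a later pass.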
@@ -2284,7 +2309,7 @@ - To activate the InvocationHandlerDelegates on both the consu= mer and producer, start your GateIn Portal instance as follows: + To activate the InvocationHandlerDelegates on both the consu= mer and producer, start your JBoss Portal Platform instance as follows:
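Review bot: the "Configuring the Consumer" hunk (@@ -730) adds a bare `+ Source:` line with no URL, whereas every other section in this change gets a full Confluence link (the adjacent "Configuring the Producer" hunk links to `...Securing+WSRP#SecuringWSRP-ConfiguringtheProducer`). Either add the matching anchor for the consumer section or drop the empty line, otherwise the rendered guide shows a dangling "Source:" label.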
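Review bot: the `+` line in the "UsernameToken, Encryption and Signing with User Propagation" hunk (@@ -783) fixes "setps" but keeps "encrypt and sign the soap message" in lower case; the "Securing the Endpoints" hunk (@@ -530) in the same file writes "SOAP messages". Use "SOAP message" here for consistency.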
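Review bot: the Password Callback Class (@@ -549) and Configuring the Keystores (@@ -612) hunks only add Source links and swap the product name, and keep the statement that the producer and consumer share one keystore password (wsrpAliasPassword) so that a single callback class serves both. The UsernameToken section already carries an explicit caveat that its sample sends credentials in plain text and is "only being shown as a simple example"; give these two sections the same treatment, stating that the shared keystore password is a sample-only simplification and that a production producer and consumer should use separate keystore passwords (and correspondingly separate callback handling).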
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr/pe= rformance-tuning-guide.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr/performa= nce-tuning-guide.xml 2013-01-28 05:14:12 UTC (rev 9088) +++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr/performa= nce-tuning-guide.xml 2013-01-28 06:12:20 UTC (rev 9089) @@ -70,7 +70,7 @@ - JBoss AS configuration: + JBoss Enterprise Application Platf= orm 6 configuration: @@ -199,7 +199,7 @@
Performance Tuning Guide
- JBoss AS Tuning + JBoss Enterprise Application Platform 6 Tuning You can use maxThreads parameter to increase ma= ximum amount of threads that can be launched in AS instance. This can impro= ve performance if you need a high level of concurrency. also you can use -XX:+UseParallelGC java directory to use parallel garbage collec= tor. Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr-wi= th-gtn/managed-datasources-under-jboss-as.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr-with-gtn= /managed-datasources-under-jboss-as.xml 2013-01-28 05:14:12 UTC (rev 9088) +++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr-with-gtn= /managed-datasources-under-jboss-as.xml 2013-01-28 06:12:20 UTC (rev 9089) @@ -4,7 +4,7 @@ %BOOK_ENTITIES; ]>
- How to use a Managed DataSource under JBoss AS + How to use a Managed DataSource under JBoss Enterprise Applicatio= n Platform 6
Configurations Steps
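Review bot: the heading in the performance-tuning hunk (@@ -199) is renamed to "JBoss Enterprise Application Platform 6 Tuning", but the unchanged body still says "threads that can be launched in AS instance", which contradicts the commit log's claim that all JBoss AS references were removed. The same body calls -XX:+UseParallelGC a "java directory"; it is a JVM command-line option, so the sentence should read "Also, you can use the -XX:+UseParallelGC JVM option to use the parallel garbage collector", and "You can use maxThreads parameter" needs "the". Since the heading is being touched, update the body to match it in the same change.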