Author: jaredmorgs
Date: 2013-01-28 01:12:20 -0500 (Mon, 28 Jan 2013)
New Revision: 9089
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/Reference_Guide.xml
epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/ServerIntegration.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr-with-gtn/managed-datasources-under-jboss-as.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr/performance-tuning-guide.xml
Log:
Changes to the Securing WSRP section and clean up from Thomas Heute's and Ken
Finnegan's changes in the email
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Reference_Guide.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Reference_Guide.xml 2013-01-28 05:14:12
UTC (rev 9088)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Reference_Guide.xml 2013-01-28 06:12:20
UTC (rev 9089)
@@ -29,9 +29,9 @@
</part>
<xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="modules/Advanced.xml"/>
<xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="modules/eXoJCR.xml"/>
- <xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="Revision_History.xml"/>
<part>
<title>Server Integration</title>
<xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="modules/ServerIntegration.xml"/>
</part>
+ <xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="Revision_History.xml"/>
</book>
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-01-28 05:14:12
UTC (rev 9088)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2013-01-28 06:12:20
UTC (rev 9089)
@@ -7,7 +7,25 @@
<title>Revision History</title>
<simpara>
<revhistory>
- <revision>
+ <revision>
+ <revnumber>6.0.0-40</revnumber>
+ <date>Mon Jan 26 2013</date>
+ <author>
+ <firstname>Jared</firstname>
+ <surname>Morgan</surname>
+ <email/>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>Incorporated all feedback from Thomas from the Email review,
except for some stuff from WSRP. See next entries.</member>
+ <member>WSRP review due to missing or incorrect file paths identified
by Thomas in email review.</member>
+ <member>Added Confluence Source links to Securing WSRP.</member>
+ <member>Moved Server Integration chapter before the Revision History,
so the Publican build would not break.</member>
+ <member>Removed all JBoss AS7, JBossAS 7, JBoss AS 7, GateIn Portal
references.</member>
+ </simplelist>
+ </revdescription>
+ </revision>
+ <revision>
<revnumber>6.0.0-39</revnumber>
<date>Sat Jan 26 2013</date>
<author>
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2013-01-28
05:14:12 UTC (rev 9088)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2013-01-28
06:12:20 UTC (rev 9089)
@@ -1,6 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- This document was created with Syntext Serna Free. -->
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- This document was created with Syntext Serna Free. --><!DOCTYPE chapter
PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "../../Reference_Guide.ent">
%BOOK_ENTITIES;
]>
@@ -390,10 +389,7 @@
<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_BackendConfiguration/default97.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
- </section> -->
-
-<section id="sid-54264613_PicketLinkIDMintegration-Configurationfiles">
-
+ </section> --> <section
id="sid-54264613_PicketLinkIDMintegration-Configurationfiles">
<title>Configuration files</title>
<para>
The main configuration file is
@@ -401,9 +397,9 @@
:
</para>
<informalexample>
- <programlisting><configuration
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-
xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd
http://www.exoplaform.org/xml/ns/kernel_1_2.xsd"
-
xmlns="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd">
+ <programlisting><configuration
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+
xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd
http://www.exoplaform.org/xml/ns/kernel_1_2.xsd"
+
xmlns="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd"...
<component>
<key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
@@ -427,25 +423,25 @@
<init-params>
<object-param>
<name>configuration</name>
- <object
type="org.exoplatform.services.organization.idm.Config">
- <field name="useParentIdAsGroupType">
+ <object
type="org.exoplatform.services.organization.idm.Config">
+ <field name="useParentIdAsGroupType">
<boolean>true</boolean>
</field>
- <field name="forceMembershipOfMappedTypes">
+ <field name="forceMembershipOfMappedTypes">
<boolean>true</boolean>
</field>
- <field name="pathSeparator">
+ <field name="pathSeparator">
<string>.</string>
</field>
- <field name="rootGroupName">
+ <field name="rootGroupName">
<string>GTN_ROOT_GROUP</string>
</field>
- <field name="groupTypeMappings">
- <map type="java.util.HashMap">
+ <field name="groupTypeMappings">
+ <map type="java.util.HashMap">
<entry>
<key><string>/</string></key>
<value><string>root_type</string></value>
@@ -466,11 +462,11 @@
</map>
</field>
- <field name="associationMembershipType">
+ <field name="associationMembershipType">
<string>member</string>
</field>
- <field name="ignoreMappedMembershipType">
+ <field name="ignoreMappedMembershipType">
<boolean>false</boolean>
</field>
</object>
@@ -484,7 +480,6 @@
</programlisting>
</informalexample>
<section
id="sid-54264613_PicketLinkIDMintegration-PicketlinkIDMServiceImpl">
-
<title>PicketlinkIDMServiceImpl</title>
<para>
The
@@ -521,7 +516,7 @@
<listitem>
<para>
<code>jndiName</code>
- (value-param) If the 'config' parameter is not provided, this
parameter will be used to perform JNDI lookup for
+ (value-param) If the 'config' parameter is not provided,
this parameter will be used to perform JNDI lookup for
<code>IdentitySessionFactory</code>
.
</para>
@@ -532,14 +527,14 @@
(value-param) The realm name that should be used to obtain proper
<code>IdentitySession</code>
. The default is
- <code>'PortalRealm'</code>
+ <code>'PortalRealm'</code>
.
</para>
</listitem>
<listitem>
<para>
<code>apiCacheConfig</code>
- (value-param) The infinispan configuration file with cache configuration for
Picketlink IDM API. It's different for cluster and non-cluster because infinispan
needs to be replicated in cluster environment.
+ (value-param) The infinispan configuration file with cache configuration for
Picketlink IDM API. It's different for cluster and non-cluster because infinispan
needs to be replicated in cluster environment.
</para>
</listitem>
<listitem>
@@ -547,13 +542,12 @@
<code>storeCacheConfig</code>
(value-param)
- The infinispan configuration file with cache configuration for Picketlink IDM
IdentityStore. Actually it's used only for LDAP store (not used with default DB
configuration). It's different for cluster and non-cluster because infinispan needs to
be replicated in cluster environment.
+ The infinispan configuration file with cache configuration for Picketlink IDM
IdentityStore. Actually it's used only for LDAP store (not used with default DB
configuration). It's different for cluster and non-cluster because infinispan
needs to be replicated in cluster environment.
</para>
</listitem>
</itemizedlist>
</section>
<section
id="sid-54264613_PicketLinkIDMintegration-PicketlinkIDMOrganizationServiceImpl">
-
<title>PicketlinkIDMOrganizationServiceImpl</title>
<para>
The
@@ -576,7 +570,7 @@
<para>
<code>defaultGroupType</code>
The name of the PicketLink IDM GroupType that will be used to store groups.
The default is
- <code>'GTN_GROUP_TYPE'</code>
+ <code>'GTN_GROUP_TYPE'</code>
.
</para>
</listitem>
@@ -584,7 +578,7 @@
<para>
<code>rootGroupName</code>
The name of the PicketLink IDM Group that will be used as a root parent. The
default is
- <code>'GTN_ROOT_GROUP'</code>
+ <code>'GTN_ROOT_GROUP'</code>
.
</para>
</listitem>
@@ -599,17 +593,17 @@
<listitem>
<para>
<code>useParentIdAsGroupType</code>
- This parameter stores the parent ID path as a group type in PicketLink IDM
for any IDs not mapped with a specific type in 'groupTypeMappings'. If this option
is set to
+ This parameter stores the parent ID path as a group type in PicketLink IDM
for any IDs not mapped with a specific type in 'groupTypeMappings'. If
this option is set to
<code>false</code>
- , and no mappings are provided under 'groupTypeMappings', then only
one group with the given name can exist in the portal group tree.
+ , and no mappings are provided under 'groupTypeMappings',
then only one group with the given name can exist in the portal group tree.
</para>
</listitem>
<listitem>
<para>
<code>pathSeparator</code>
- When 'userParentIdAsGroupType is set to
+ When 'userParentIdAsGroupType is set to
<code>true</code>
- , this value will be used to replace all "/" characters in IDs. The
"/" character is not allowed to be used in group type name in PicketLink IDM.
+ , this value will be used to replace all "/" characters in
IDs. The "/" character is not allowed to be used in group type name in
PicketLink IDM.
</para>
</listitem>
<listitem>
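Review bot: The re-indented `pathSeparator` paragraph still names the option as `'userParentIdAsGroupType`, with an extra "r" and no closing quote. The preceding list item in this hunk and the sample configuration earlier in the file both spell the field `useParentIdAsGroupType`. A reader who copies the name from this sentence gets a field name that does not match the documented one. Suggested text: `When <code>useParentIdAsGroupType</code> is set to`.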
@@ -623,7 +617,7 @@
<code>groupTypeMappings</code>
This parameter maps groups added with portal API as children of a given group
ID, and stores them with a given group type name in PicketLink IDM.
- If the parent ID ends with "/*", then all child groups will have
the mapped group type. Otherwise, only direct (first level) children will use this type.
+ If the parent ID ends with "/*", then all child groups will
have the mapped group type. Otherwise, only direct (first level) children will use this
type.
This can be leveraged by LDAP if LDAP DN is configured in PicketLink IDM to
only store a specific group type. This will then store the given branch in portal group
tree, while all other groups will remain in the database.
</para>
@@ -631,15 +625,15 @@
<listitem>
<para>
<code>forceMembershipOfMappedTypes</code>
- Groups stored in PicketLink IDM with a type mapped in
'groupTypeMappings' will automatically be members under the mapped parent. Group
relationships linked by PicketLink IDM group association will not be necessary.
+ Groups stored in PicketLink IDM with a type mapped in
'groupTypeMappings' will automatically be members under the mapped
parent. Group relationships linked by PicketLink IDM group association will not be
necessary.
- This parameter can be set to false if all groups are added via portal APIs.
This may be useful with LDAP configuration as, when set to true, it will make every entry
added to LDAP appear in portal. This, however, is not true for entries added via GateIn
Portal management UI.
+ This parameter can be set to false if all groups are added via portal APIs.
This may be useful with LDAP configuration as, when set to true, it will make every entry
added to LDAP appear in portal. This, however, is not true for entries added via JBoss
Portal Platform management UI.
</para>
</listitem>
<listitem>
<para>
<code>ignoreMappedMembershipType</code>
- If "associationMembershipType" option is used, and this option is
set to true, then Membership with MembershipType configured to be stored as PicketLink IDM
association will not be stored as PicketLink IDM Role.
+ If "associationMembershipType" option is used, and this
option is set to true, then Membership with MembershipType configured to be stored as
PicketLink IDM association will not be stored as PicketLink IDM Role.
</para>
</listitem>
</itemizedlist>
@@ -650,14 +644,14 @@
</para>
<itemizedlist>
<listitem>
- <para>GateIn Portal User interface properties fields are persisted in
Picketlink IDM using those attributes names: firstName, lastName, email, createdDate,
lastLoginTime, organizationId, password (if password is configured to be stored as
attribute).</para>
+ <para>JBoss Portal Platform User interface properties fields are
persisted in Picketlink IDM using those attributes names: firstName, lastName, email,
createdDate, lastLoginTime, organizationId, password (if password is configured to be
stored as attribute).</para>
</listitem>
<listitem>
- <para>GateIn Portal Group interface properties fields are persisted in
Picketlink IDM using those attributes names: label, description.</para>
+ <para>JBoss Portal Platform Group interface properties fields are
persisted in Picketlink IDM using those attributes names: label,
description.</para>
</listitem>
<listitem>
<para>
- GateIn Portal MembershipType interface properties fields are persisted in
JBoss Identity IDM using those RoleType properties: description, owner, create_date,
modified_date.
+JBoss Portal Platform MembershipType interface properties fields are persisted in JBoss
Identity IDM using those RoleType properties: description, owner, create_date,
modified_date.
A sample
<emphasis role="italics">PicketLink IDM</emphasis>
@@ -666,9 +660,9 @@
</listitem>
</itemizedlist>
<informalexample>
- <programlisting><jboss-identity
xmlns="urn:jboss:identity:idm:config:v1_0_beta"
-
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:jboss:identity:idm:config:v1_0_alpha
identity-config.xsd">
+ <programlisting><jboss-identity
xmlns="urn:jboss:identity:idm:config:v1_0_beta"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:jboss:identity:idm:config:v1_0_alpha
identity-config.xsd">
<realms>
<realm>
<id>PortalRealm</id>
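Review bot: The sample `<jboss-identity>` root declares `xmlns="urn:jboss:identity:idm:config:v1_0_beta"`, but its `xsi:schemaLocation` pairs `identity-config.xsd` with `urn:jboss:identity:idm:config:v1_0_alpha`. The re-indent carries that mismatch over unchanged. A schemaLocation hint keyed to a namespace other than the one the elements use is not applied to them, so a copied sample would not be validated against the schema. The hunk does not show which identifier is correct; the two should be made to agree. The listing continues past the end of the hunk.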
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml 2013-01-28
05:14:12 UTC (rev 9088)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/PasswordEncryption.xml 2013-01-28
06:12:20 UTC (rev 9089)
@@ -8,7 +8,7 @@
<section
id="sid-54264610_PasswordEncryption-HashingandsaltingofpasswordsinPicketlinkIDM">
<title>Hashing and salting of passwords in Picketlink IDM</title>
<para>
- GateIn Portal is using
+JBoss Portal Platform is using
<ulink
url="http://www.jboss.org/picketlink/IDM">Picketlink
IDM</ulink>
framework to store information about identity objects (users/groups/memberships)
and more info about this is in
<ulink
url="https://docs.jboss.org/author/pages/viewpage.action?pageId=5426...
IDM integration</ulink>
@@ -16,14 +16,14 @@
<code>CredentialEncoder</code>
, which encode password and save the encoded form into Picketlink IDM database.
- Later when user want to authenticate, he needs to provide his password in
plain-text via web login form. Provided password is then encoded and compared with encoded
password from Picketlink IDM database. GateIn Portal is then able to authenticate user
based on this comparison.
+ Later when user want to authenticate, he needs to provide his password in
plain-text via web login form. Provided password is then encoded and compared with encoded
password from Picketlink IDM database. JBoss Portal Platform is then able to authenticate
user based on this comparison.
</para>
<para>
Default implementation of
<code>CredentialEncoder</code>
- is using password hashing with MD5 algorithm and storing those MD5 hashes in
database. It does not use any salting of passwords. This is not safest solution, but
it's backward compatible with previous releases of GateIn Portal before version
3.5, where MD5 password hashing was only possible encoding form. So if you migrate from
older release of GateIn Portal, your users will be still able to authenticate.
+ is using password hashing with MD5 algorithm and storing those MD5 hashes in
database. It does not use any salting of passwords. This is not safest solution, but
it's backward compatible with previous releases of JBoss Portal Platform before
version 3.5, where MD5 password hashing was only possible encoding form. So if you migrate
from older release of JBoss Portal Platform, your users will be still able to
authenticate.
</para>
- <para>However if you are starting from fresh database (no migration from
previous GateIn Portal release), you may increase security by using better hashing
algorithm and especially by enable password salting. See below for details.</para>
+ <para>However if you are starting from fresh database (no migration from
previous JBoss Portal Platform release), you may increase security by using better hashing
algorithm and especially by enable password salting. See below for details.</para>
<section
id="sid-54264610_PasswordEncryption-ChoosingCredentialEncoderimplementation">
<title>Choosing CredentialEncoder implementation</title>
<para>
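Review bot: The product-name replacement makes the compatibility sentence read "previous releases of JBoss Portal Platform before version 3.5". The 3.5 appears to be a GateIn Portal version number (the source links added elsewhere in this commit point at the GTNPORTAL35 space), so the sentence no longer identifies which releases stored unsalted MD5 hashes. Administrators use this paragraph to decide whether they can move off the MD5 default, so name the affected JBoss Portal Platform releases or keep the upstream reference, e.g. `releases based on GateIn Portal earlier than 3.5`. The statement that the default encoder is unsalted MD5 would also be harder to overlook inside a `<warning>`.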
@@ -37,7 +37,7 @@
</para>
<section id="sid-54264610_PasswordEncryption-HashingEncoder">
<title>HashingEncoder</title>
- <para>This is the default choice. It uses only hashing of passwords with
MD5 algorithm without salting. As mentioned previously, it's not safest solution
but it's backward compatible with previous GateIn Portal releases, so there are
no issues with database migration from previous release. Configuration looks like
this:</para>
+ <para>This is the default choice. It uses only hashing of passwords with
MD5 algorithm without salting. As mentioned previously, it's not safest solution
but it's backward compatible with previous JBoss Portal Platform releases, so
there are no issues with database migration from previous release. Configuration looks
like this:</para>
<informalexample>
<programlisting>
<option>
@@ -99,7 +99,7 @@
<para>
Please note that specified file
<code>/salt/mysalt.txt</code>
- must exist and must be readable by user, which executed GateIn Portal. But file
should be properly secured to not be readable by every user of your OS. The file can have
some random content phrase, for example
+ must exist and must be readable by user, which executed JBoss Portal Platform.
But file should be properly secured to not be readable by every user of your OS. The file
can have some random content phrase, for example
<emphasis
role="italics">a4564dac2aasddsklklkajdgnioiow</emphasis>
.
</para>
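Review bot: The salt-file paragraph says the file "should be properly secured" without saying how, and it prints a sample phrase that readers are likely to paste as-is. State the expected ownership and permissions in words, for instance `readable only by the account that runs JBoss Portal Platform`. Also say that the phrase shown is illustrative and that each installation must generate its own random value.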
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/ServerIntegration.xml
===================================================================
(Binary files differ)
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml 2013-01-28 05:14:12 UTC
(rev 9088)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml 2013-01-28 06:12:20 UTC
(rev 9089)
@@ -157,10 +157,9 @@
<section id="wsrp-ports">
<title>Considerations to use WSRP when running JBoss Portal Platform on a
non-default port or hostname</title>
<para>
- The web service stack that JBoss Portal Platform uses is based on JBoss WS. It
updates the port and host name used in WSDL (for further details refer to the
<citetitle>Web Services</citetitle> chapter in the <citetitle>JBoss
Enterprise Application Platform 6 Administration and Configuration User
Guide</citetitle>).
+ The web service stack that JBoss Portal Platform uses is based on JBoss WS. It
updates the port and host name used in WSDL. For more information, refer to the
<citetitle>Web Services</citetitle> chapter in the JBoss Enterprise
Application Platform 6 <citetitle>Administration and Configuration User
Guide</citetitle>.
</para>
- <para>
- Of course, if you have modified the host name and port on which your server
runs, you will
+ <para>If you have modified the host name and port on which your server runs,
you will
need to
update the configuration for the consumer used to consume JBoss Portal
Platform's 'self' producer. </para>
</section>
@@ -185,7 +184,7 @@
</para>
</listitem>
</orderedlist>
- <para>Depending on requirements, an HTTPs endpoint or/and ws-security can be
used.</para>
+ <para>Depending on requirements, an HTTPs endpoint and/or ws-security can be
used.</para>
<section id="WSRP_over_SSL_HTTPS_Endpoints">
<title>WSRP over SSL with HTTPS endpoints</title>
<remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
@@ -200,6 +199,8 @@
</para>
<section
id="sid-54264620_SecuringWSRP-SampleConfigurationForEnablingSSLWithWSRP">
<title>Sample Configuration For Enabling SSL With WSRP</title>
+<!--Docs Note - jmorgan - merged these three sections together using procedure tags.
+--> <remark>Sources:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<warning>
<para>
The following procedures are provided as an example of configuring HTTPS/SSL
with WSRP. </para>
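Review bot: This hunk records authoring notes in two different ways: an XML comment (`<!--Docs Note - jmorgan ... -->`) and a `<remark>` holding the wiki source link. The remark form is repeated in most of the later WSRP.xml hunks. Unlike a comment, a `<remark>` is document content and is rendered when a build has remarks switched on, so the source URLs would then appear in the security chapter. Confirm that the published build keeps remarks off, or use comments for both kinds of note. The comment and the remark also share one line (`--> <remark>`), which makes the added remark easy to miss in the source.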
@@ -208,6 +209,7 @@
</warning>
<procedure>
<title>Configure the Producer to Use HTTPS</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>Configure the producer's server to use HTTPS. This is
handled in the same manner that you would configure any JBoss AS server for
HTTPS.</para>
<step>
<para>Generate the keystore for the producer by executing the following
command.</para>
@@ -253,6 +255,7 @@
</procedure>
<procedure>
<title>Configure the Consumer to Access the WSRP Endpoint over
HTTPS</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<step>
<para>Export the producer's public key from the
producer's keystore</para>
<programlisting>keytool -export -alias tomcat -file producerkey.rsa
-keystore producerhttps.keystore -storepass changeme</programlisting>
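Review bot: The step under the new source remark runs `keytool -export ... -storepass changeme`, which shows a placeholder password and passes it as a command-line argument. The procedure should say that `changeme` must be replaced with the password chosen when the keystore was generated. It should also say that omitting `-storepass` makes keytool prompt for the password, which keeps the value out of shell history and process listings. The procedure continues beyond the end of the hunk.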
@@ -291,6 +294,7 @@
</section>
<section id="WSRP_and_WS-Security">
<title>WSRP and WS-Security</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>Portlets may present different data or options depending on the
currently authenticated user. For remote
portlets, this means having to propagate the user credentials from the
consumer back to the producer in
a safe and secure manner. The WSRP specification does not directly specify
how this should be
@@ -321,9 +325,10 @@
<para>The recommended approach for this situation would be to use a common
LDAP configuration. Refer to <xref linkend="chap-LDAP_Integration"/> to
correctly configure LDAP on JBoss Portal Platform. </para>
<section id="wss_configuration">
<title><remark>BZ#839355 </remark>WS-Security
Configuration</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<section id="sid-54264620_SecuringWSRP-Introduction">
<title>Introduction</title>
- <para>JBoss AS7 uses a different web service implementation than the
previous versions: it is now uses the JBossWS CXF Stack instead of the JBossWS Native
Stack. Due to these changes, the way we configure WS-Security for WSRP with GateIn Portal
on JBossAS 7 has changed.</para>
+ <para>JBoss Enterprise Application Platform 6 uses a different web
service implementation than the previous versions: it is now uses the JBossWS CXF Stack
instead of the JBossWS Native Stack. Due to these changes, the way we configure
WS-Security for WSRP with JBoss Portal Platform on JBoss Enterprise Application Platform 6
has changed.</para>
<note>
<para>We only support one ws-security configuration option for the
producer. All consumers accessing the producer will have to conform to this security
constraint. This means if the producer requires encryption, all consumers will be required
to encrypt their messages when accessing the producer.</para>
<para>We only support one ws-security configuration option to be used
by all the consumers. A consumer has the option to enable or disable ws-security, which
allows for one or more consumers to use ws-security while the others do not.</para>
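Review bot: The rewritten Introduction sentence reads "it is now uses the JBossWS CXF Stack"; the stray "is" was carried over from the old text while the product names around it were changed. Suggested wording: `it now uses the JBossWS CXF Stack instead of the JBossWS Native Stack`.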
@@ -331,29 +336,24 @@
</section>
<section id="sid-54264620_SecuringWSRP-Overview">
<title>Overview</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>CXF uses interceptors to extend and configure its behavior. There
are two main types of interceptors: <firstterm>inInterceptors</firstterm> and
<firstterm>outInterceptors</firstterm>. InInterceptors are invoked for
communication coming into the client or server, while outInterceptors are invoked when the
client or server sends a message.</para>
<para>So for the WSRP case, the communication from the consumer to the
producer is governed by the consumer's OutInterceptor and the producer's
InIntereceptor. The communication from the producer to the consumer is governed by the
producer's OutInterceptor and the consumer's InInterceptor. This may
mean having to configure 4 Interceptors.</para>
- <para>When dealing with WS-Security, there are some things to consider
here:</para>
- <orderedlist>
- <listitem>
- <para>When dealing with user propagation, only the consumer sends the
user credentials to the producer. So Username Tokens only need to be configured for the
consumer's OutInterceptor and the producer's
InInterceptor.</para>
- </listitem>
- <listitem>
- <para>When dealing with things like encryption, you will most likely
want to encrypt the message from the consumer to the producer and also the message from
the producer to the consumer. This means that encryption properties must be configured for
all 4 interceptors.</para>
- </listitem>
- </orderedlist>
+ <para>When dealing with user propagation, only the consumer sends the
user credentials to the producer. So Username Tokens only need to be configured for the
consumer's OutInterceptor and the producer's
InInterceptor.</para>
+ <para>When dealing with things like encryption, you will most likely want
to encrypt the message from the consumer to the producer and also the message from the
producer to the consumer. This means that encryption properties must be configured for all
4 interceptors.</para>
<para>
Please see the CXF Documentation for more details on interceptors and their
types:
<ulink
url="http://cxf.apache.org/docs/interceptors.html"/>
</para>
<para>
- To support ws-security, GateIn Portal uses CXF's WSS4J Interceptors
which handle all ws-security related tasks. Please see the CXF Documentation for more
details:
+ To support ws-security, JBoss Portal Platform 6 uses CXF's WSS4J
Interceptors which handle all ws-security related tasks. Please see the CXF Documentation
for more details:
<ulink
url="http://cxf.apache.org/docs/ws-security.html"/>
</para>
</section>
</section>
<section id="WSS4J_Interceptors_and_WSRP">
<title>WSS4J Interceptors and WSRP</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>The WSS4J Interceptors are configured using using simple property
files.
WSRP looks for specific property files to know whether or not in/out interceptors must be
added and configured for either consumers or producer. </para>
@@ -378,22 +378,30 @@
<row>
<entry>Consumer</entry>
<entry>IN</entry>
-
<entry>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JInInterceptor.properties</entry>
+ <entry>
+
<filename>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JInInterceptor.properties</filename>
+ </entry>
</row>
<row>
<entry/>
<entry>OUT</entry>
-
<entry>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JOutInterceptor.properties
</entry>
+ <entry>
+
<filename>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JOutInterceptor.properties</filename>
+ </entry>
</row>
<row>
<entry>Producer</entry>
<entry>IN</entry>
-
<entry>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JInInterceptor.properties
</entry>
+ <entry>
+
<filename>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JInInterceptor.properties</filename>
+ </entry>
</row>
<row>
<entry/>
<entry>OUT</entry>
-
<entry>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JOutInterceptor.properties
</entry>
+ <entry>
+
<filename>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JOutInterceptor.properties</filename>
+ </entry>
</row>
</tbody>
</tgroup>
@@ -401,6 +409,7 @@
<para>Please refer to the CXF or WSS4J documentation for instructions and
options available for each type of interceptors.</para>
<section>
<title>User Propagation</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>User propagation can be configured to be used over WSRP with
ws-security. What this means is that a user logged into a consumer can have their
credentials propagated over to the producer. This allows the producer to authenticate the
user and any portlet on the producer (a remote portlet from the consumer's
perspective) will view the user as being properly authenticated. This allows for remote
portlets to access things like user information.</para>
<para><note>
<para>This only works if the user's credentials on the
producer and consumer are the same. This may require using a common authentication
mechanism, such as LDAP.</para>
@@ -410,19 +419,24 @@
</section>
<section>
<title><remark>BZ#839355</remark>WS-Security Consumer
Configuration</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>
In order to configure ws-security on the consumer side, you will have to
configure the WSS4J Interceptors as seen above. This will require having to configure the
WSS4JInInterceptor and/or WSS4JOutInterceptor.
You will also need to check the 'Enable WS-Security' checkbox
on the WSRP Admin Portlet for the consumer configuration to take effect.
</para>
- <mediaobject>
- <imageobject>
- <imagedata align="center" valign="middle"
scalefit="1" fileref="images/WSRP/config_wss_selected.png"
format="PNG"/>
- </imageobject>
- </mediaobject>
+ <figure>
+ <title id="fig-WSRP_Consumers_Configuration">WSRP Consumers
Configuration</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata align="center" valign="middle"
scalefit="1" fileref="images/WSRP/config_wss_selected.png"
format="PNG"/>
+ </imageobject>
+ </mediaobject>
+ </figure>
<section>
<title>Special JBoss Portal Platform Configuration Options for User
Propagation</title>
- <para>In order to handle user propagation in GateIn Portal across
ws-security, a couple of special configuration options have been created which should be
applied to the consumer's WSS4JOutInterceptor.</para>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
+ <para>In order to handle user propagation in JBoss Portal Platform across
ws-security, a couple of special configuration options have been created which should be
applied to the consumer's WSS4JOutInterceptor.</para>
<section>
<title>Custom 'user' option</title>
<para><informalexample>
@@ -451,11 +465,13 @@
</section>
<section id="sid-54264620_SecuringWSRP-ProducerConfiguration">
<title>Producer Configuration</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>The configuration of the producer is similar to that of the consumer.
It also requires having to configure the WSS4JInInterceptor and/or
WSS4JOutInterceptor.</para>
<section>
- <title>Special GateIn Portal Configuration Options for User
Propagation</title>
+ <title>Special Configuration Options for User Propagation</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>
- To properly propagate user information on the producer-side, you will need to
use GTNSubjectCreatingInterceptor instead of a regular WSS4JInInterceptor. This GateIn
Portal specific "in" interceptor is an extension of the traditional
WSS4JInInterceptor and therefore can be configured similarly and accept the same
configuration properties. To specify that you want to use the
GTNSubjectCreatingInterceptor, please create a property file at
+ To properly propagate user information on the producer-side, you will need to
use GTNSubjectCreatingInterceptor instead of a regular WSS4JInInterceptor. This JBoss
Portal Platform specific "in" interceptor is an extension of the
traditional WSS4JInInterceptor and therefore can be configured similarly and accept the
same configuration properties. To specify that you want to use the
GTNSubjectCreatingInterceptor, please create a property file at
<code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/GTNSubjectCreatingInterceptor.properties</code>
instead of the regular WSS4JInInterceptor.properties file.
</para>
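Review bot: The `<remark>Source: …` elements added under the `Producer Configuration` and `Special Configuration Options for User Propagation` titles appear to point at the upstream authoring space, and whether they reach readers depends on how the book is built. DocBook toolchains can render remarks, so it is worth confirming that the release build suppresses them; the same applies to the Source remarks added in the later hunks of this file. The URLs are truncated in this mail, so the closing `</remark>` tags cannot be checked from here. Separately, the shortened title no longer matches the consumer-side section, which keeps the product name in `Special JBoss Portal Platform Configuration Options for User Propagation`.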
@@ -474,6 +490,7 @@
</section>
<section
id="sid-54264620_SecuringWSRP-SampleConfigurationusingtheUsernameTokenandUserPropagation">
<title>Sample Configuration using the UsernameToken and User
Propagation</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<warning>
<para>This example configuration does not encrypt the message. This means
the username and password will be sent between the producer and consumer in plain text.
This is a security concern and is only being shown as a simple example. It is up to
administrators to properly configure the WSS4J Interceptors to encrypt messages or to only
use https communication between the producer and consumer.</para>
</warning>
@@ -530,13 +547,14 @@
<para>in the WSRP admin portlet, click the 'enable
ws-security' checkbox</para>
</listitem>
<listitem>
- <para>access a remote portlet (for example, the user identity portlet
included as an example portlet in GateIn Portal) and verify that the authenticated user is
the same as the one on the consumer</para>
+ <para>access a remote portlet (for example, the user identity portlet
included as an example portlet in JBoss Portal Platform) and verify that the authenticated
user is the same as the one on the consumer</para>
</listitem>
</orderedlist>
</section>
</section>
<section
id="sid-54264620_SecuringWSRP-SampleConfigurationSecuringtheEndpointsusingEncryptionandSigning">
<title>Sample Configuration Securing the Endpoints using Encryption and
Signing</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>The following steps outline how to configure the producer and
consumer to encrypt and sign SOAP messages passed between the producer and consumer. This
example only deals with SOAP messages being sent between the producer and consumer, and
not with user propagation.</para>
<note>
<para>
@@ -549,6 +567,7 @@
</note>
<section>
<title>Password Callback Class</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>WSS4J uses a Java class to specify the password when performing any
security related actions. For the purpose of these encryption and signing examples, we
will use the same password for the producer's and consumer's keystore
(wsrpAliasPassword). This simplifies things a bit as it means we can use just one password
callback class for both the producer and consumer.</para>
<para>
Example
@@ -596,13 +615,13 @@
</informalexample>
<note>
<para>
- CallbackHandler implementations are provided to GateIn Portal using the
standard Java
+ CallbackHandler implementations are provided to JBoss Portal Platform using
the standard Java
<ulink
url="http://docs.oracle.com/javase/6/docs/api/java/util/ServiceLoade...
infrastructure. As such, CallbackHandler implementations need to be bundled
in a jar containing a file
<code>META-INF/services/javax.security.auth.callback.CallbackHandler</code>
specifying the fully qualified name of the CallbackHandler implementation
class. This jar then needs to be put in the
<code>gatein/extensions</code>
- directory of your GateIn Portal installation.
+ directory of your JBoss Portal Platform installation.
</para>
</note>
<para>
@@ -612,6 +631,7 @@
</section>
<section>
<title>Configuring the Keystores</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<note>
<para>In this example we are making it a bit easier by specifying the
same keystore password for both the producer and consumer, as they can use the same
password callback class.</para>
</note>
@@ -674,6 +694,7 @@
</section>
<section>
<title>Configuring the Producer</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<orderedlist>
<listitem>
<para>
@@ -730,6 +751,7 @@
</section>
<section>
<title>Configuring the Consumer</title>
+ <remark>Source: </remark>
<orderedlist>
<listitem>
<para>
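Review bot: The remark added under `Configuring the Consumer` is empty (`<remark>Source: </remark>`), while the sibling sections touched by this commit each record an upstream URL. Either fill in the matching anchor, for example `<remark>Source: UPSTREAM_URL_PLACEHOLDER</remark>`, or leave the element out until the source is known. An empty marker suggests the section was traced to a source when it was not. The section body continues outside the hunk.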
@@ -783,9 +805,11 @@
</section>
<section>
<title>Sample Configuration using UsernameToken, Encryption and Signing
with User Propagation</title>
- <para>The following setps outline how to configure the producer and
consumer to encrypt and sign the soap message as well as use user propagation between the
producer and consumer.</para>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
+ <para>The following steps outline how to configure the producer and
consumer to encrypt and sign the soap message as well as use user propagation between the
producer and consumer.</para>
<section>
<title>Configure the Producer</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>
Follow the steps outlined in the
<link
linkend="sid-54264620_SecuringWSRP-SampleConfigurationSecuringtheEndpointsusingEncryptionandSigning">Sample
Configuration Securing the Endpoints using Encryption and Signing</link>
@@ -824,6 +848,7 @@
</section>
<section>
<title>Configure the Consumer</title>
+ <remark>Source:
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP#SecuringW...
<para>
Follow the steps outlined in the
<link
linkend="sid-54264620_SecuringWSRP-SampleConfigurationSecuringtheEndpointsusingEncryptionandSigning">Sample
Configuration Securing the Endpoints using Encryption and Signing</link>
@@ -1984,7 +2009,7 @@
<para>
The WSRP specifications allows for implementations to extend the protocol using
<ulink
url="http://docs.oasis-open.org/wsrp/v2/wsrp-2.0-spec-os-01.html#_Ex...
- . GateIn Portal, as of its WSRP implementation version 2.2.0, provides a way for
client code (e.g. portlets) to interact with such extensions in the form of several
classes and interfaces gathered within the
+ . JBoss Portal Platform, as of its WSRP implementation version 2.2.0, provides a
way for client code (e.g. portlets) to interact with such extensions in the form of
several classes and interfaces gathered within the
<ulink
url="https://github.com/gatein/gatein-wsrp/tree/master/api/src/main/...
package </ulink>
, the most important ones being
<code>InvocationHandlerDelegate</code>
@@ -1999,7 +2024,7 @@
<code>wsrp-integration-api-$WSRP_VERSION.jar</code>
file to your project, where
<code>$WSRP_VERSION</code>
- is the version of the GateIn Portal WSRP implementation you wish to use,
2.2.2.Final being the current one. This can be done by adding the following dependency to
your maven project:
+ is the version of the JBoss Portal Platform WSRP implementation you wish to use,
2.2.2.Final being the current one. This can be done by adding the following dependency to
your maven project:
</para>
<informalexample>
<programlisting>
@@ -2025,7 +2050,7 @@
<para>
Since
<code>InvocationHandlerDelegate</code>
- is a very generic interface, it could potentially be used for more than simply
working with WSRP extensions. Moreover, since it has access to internal GateIn Portal
classes, it is important to be treat access to these internal classes as
+ is a very generic interface, it could potentially be used for more than simply
working with WSRP extensions. Moreover, since it has access to internal JBoss Portal
Platform classes, it is important to be treat access to these internal classes as
<emphasis role="strong">read-only</emphasis>
to prevent any un-intentional side-effects.
</para>
@@ -2284,7 +2309,7 @@
</listitem>
</itemizedlist>
<sidebar>
- <para>To activate the InvocationHandlerDelegates on both the consumer and
producer, start your GateIn Portal instance as follows:</para>
+ <para>To activate the InvocationHandlerDelegates on both the consumer and
producer, start your JBoss Portal Platform instance as follows:</para>
</sidebar>
</section>
</section>
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr/performance-tuning-guide.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr/performance-tuning-guide.xml 2013-01-28
05:14:12 UTC (rev 9088)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr/performance-tuning-guide.xml 2013-01-28
06:12:20 UTC (rev 9089)
@@ -70,7 +70,7 @@
</row>
<row>
<entry spanname="hspan">
- <emphasis role="bold">JBoss AS
configuration:</emphasis>
+ <emphasis role="bold">JBoss Enterprise Application
Platform 6 configuration:</emphasis>
</entry>
</row>
<row>
@@ -199,7 +199,7 @@
<section
id="sect-Reference_Guide-JCR_Performance_Tuning_Guide-Performance_Tuning_Guide">
<title>Performance Tuning Guide</title>
<section
id="sect-Reference_Guide-Performance_Tuning_Guide-JBoss_AS_Tuning">
- <title>JBoss AS Tuning</title>
+ <title>JBoss Enterprise Application Platform 6 Tuning</title>
<para>
You can use <parameter>maxThreads</parameter> parameter to increase
maximum amount of threads that can be launched in AS instance. This can improve
performance if you need a high level of concurrency. also you can use
<code>-XX:+UseParallelGC</code> java directory to use parallel garbage
collector.
</para>
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr-with-gtn/managed-datasources-under-jboss-as.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr-with-gtn/managed-datasources-under-jboss-as.xml 2013-01-28
05:14:12 UTC (rev 9088)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/eXoJCR/jcr-with-gtn/managed-datasources-under-jboss-as.xml 2013-01-28
06:12:20 UTC (rev 9089)
@@ -4,7 +4,7 @@
%BOOK_ENTITIES;
]>
<section
id="sect-Reference_Guide-How_to_use_AS_Managed_DataSource_under_JBoss_AS">
- <title>How to use a Managed DataSource under JBoss AS</title>
+ <title>How to use a Managed DataSource under JBoss Enterprise Application
Platform 6</title>
<section
id="sect-Reference_Guide-How_to_use_AS_Managed_DataSource_under_JBoss_AS-Configurations_Steps">
<title>Configurations Steps</title>
<section
id="sect-Reference_Guide-Configurations_Steps-Declaring_the_datasources_in_the_AS">