.... OpenID4Java Library - INSTALL ======================================================================== INSTALLATION AND USAGE INSTRUCTIONS Introduction: This document describes how to install and use the OpenID4Java library. For general information about the package please see the README document. Requirements: - Java 1.5 JVM (or higher) - Ant (optional: needed for building the package and running the tests) - Maven2 (optional: alternative to Ant; see maven2/README.txt) - JUnit (optional: needed for running the tests) Installation: 1. Installing the package => To make the OpenID4Java library available to a (web) application the following JAR files need to be copied to the application's classpath: - openid4java-*.jar - library dependencies (see below) => Library dependencies: lib/*jar : Required. Core OpenID4Java library dependencies. lib/optional/ : Optional. Libraries supporting alternative deployments. - spring-*.jar : JdbcServerAssociationStore - ehcache-1.2.4.jar : EhcacheNonceVerifier - log4j-1.2.8.jar lib/extra/ : Extra/development libraries, not needed for deployments. (JUnit tests, Jetty servlet container, SVN/Ant utilities) lib/xri/ : Optional. Local OpenXRI resolver dependencies. Included only in the "openid4java-xri" and "openid4java-full" packages. (A dependency-less proxy XRI resolver is included in the standard package) lib/infocard/ : Optional. OpenID-Infocards/Higgins STS dependencies. Included only in the "openid4java-infocard" and "openid4java-full" packages. => Relying Party Discovery: Relying Parties must publish their endpoints in order for the OpenID Providers to be able to verify authentication requests and prevent proxy attacks. The Yadis protocol and realm verification mechanisms are used for this purpose. See the section "Discovering OpenID Relying Parties" of the OpenID Authentication specification for details. Example: http://specs.openid.net/auth/2.0/return_to http://consumer.example.com/return The RP should publish the above element at their realm URL. All OpenID Authentication request sent by this RP should contain openid.return_to values matching the http://consumer.example.com/return realm. OpenID Providers: Validation of openid.return_to values against Relying Party Discovery endpoints is enabled by default. This feature can be disabled with ServerManager.setEnforceRpId(false). => Java 1.4 compatibility The official OpenID4Java distribution is compiled with a Java 1.5 compiler. The source, however, can be compiled with Java 1.4. See the "Building the package" section below. 2. OPTIONAL: Configuring logging OpenID4Java uses Apache's commons-logging API. This allows the application developers to choose (or change) their preferred logging implementations, without the need to modify or recompile the library. http://commons.apache.org/logging/guide.html#Configuration => Log4J configuration Log4J v1.2 is used as the logging implementation for the sample projects included with the OpenID4Java library. Commons-logging uses Log4J as the primary default and automatically detects if Log4J is available when discoverying available logging implementations. A typical way to configure Log4J is using a log4j.properties file in the classpath which should contain the following (adjust log levels as desired): log4j.rootLogger=INFO, A1 log4j.logger.org.openid4java=DEBUG, A1 log4j.appender.A1=org.apache.log4j.ConsoleAppender log4j.appender.A1.layout=org.apache.log4j.PatternLayout http://logging.apache.org/log4j/1.2/ 3. OPTIONAL: Enabling 256bit cryptographic support => Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Download and install (under JAVA_HOME/jre/lib/security) the JCE unlimited strength policy files, usually distributed along with JVMs (but not included in standard packages). SUN's Java JCE policy files can be found as separate downloads at the following URLs: http://java.sun.com/javase/downloads/index_jdk5.jsp => Third party libraries Third party libraries that provide unlimited strength JCE implementations can also be used. One such library is provided by Bouncy Castle: http://www.bouncycastle.org/java.html 4. OPTIONAL: Building the package To build the package from source Ant is also needed. The following build targets are provided: - Packages compiled class files into a JAR archive ant jar - Builds official distributable archive ant dist 5. OPTIONAL: Testing the package JUnit test classes and data files are found under the test/ folder. JUnit and Ant are needed for running the tests: A servlet is provided for generating custom OpenID URIs and the HTTP responses needed during discovery. The servlet is run inside the lightweight Jetty servlet container. - To run the tests execute the following Ant target: ant test Alternatively, if Ant is not used, the following need to be configured: - The port on which the servlet will listen SERVLET_PORT system property - The path where the test data is available to the servlet TEST_DATA system property The test data files need to be updated with the actual servlet port, which is part of the YadisURLs API Usage and Examples: Following is the general usage pattern of the library. => NOTE: For extended usage see the JavaDoc API documentation under apidoc/ The main interaction points between a web application acting as a Relying Party (Consumer) and the library are the Discovery and ConsumerManager classes. See also the SampleConsumer.java implementation in the consumer package. // instantiate a ConsumerManager object public static manager = new ConsumerManager(); // --- placing the authentication request --- // determine a return_to URL where your application will receive // the authentication responses from the OpenID provider String returnToUrl = "http://example.com/openid"; // perform discovery on the user-supplied identifier List discoveries = manager.discover(userSuppliedString); // attempt to associate with an OpenID provider // and retrieve one service endpoint for authentication DiscoveryInformation discovered = manager.associate(discoveries); // store the discovery information in the user's session session.setAttribute("openid-disco", discovered); // Attribute Exchange example: fetching the 'email' attribute FetchRequest fetch = new FetchRequest(); fetch.addAttribute("email", // attribute alias "http://schema.openid.net/contact/email", // type URI true); // required // obtain a AuthRequest message to be sent to the OpenID provider AuthRequest authReq = manager.authenticate(discovered, returnToUrl); // attach the extension to the authentication request authReq.addExtensionParams(fetch); if (! discovered.isVersion2() ) { // Option 1: GET HTTP-redirect to the OpenID Provider endpoint // The only method supported in OpenID 1.x // redirect-URL usually limited to 255 bytes return authReq.getRedirectUrl(); } else { // Option 2: HTML FORM Redirection // Allows payloads > 255 bytes //
// see samples/formredirection.jsp for a JSP example authReq.getOPEndpoint(); // build a HTML FORM with the message parameters authReq.getParameterMap(); } // --- processing the authentication response // extract the parameters from the authentication response // (which comes in as a HTTP request from the OpenID provider) ParameterList response = new ParameterList(httpReq.getParameterMap()); // retrieve the previously stored discovery information DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute("openid-disco"); // verify the response; ConsumerManager needs to be the same // (static) instance used to place the authentication request VerificationResult verification = manager.verify( httpReq.getRequestURL().toString(), response, discovered); // examine the verification result and extract the verified identifier Identifier verified = verification.getVerifiedId(); if (verified != null) { // Attribute Exchange: retrieving the fetched "email" attribute AuthSuccess authSuccess = AuthSuccess.createAuthSuccess(response); MessageExtension ext = authSuccess.getExtension(AxMessage.OPENID_NS_AX); if (ext != null) { FetchResponse fetchResp = new FetchResponse(ext.getParameters()); String email = fetchResp.getParameter("email"); } return verified; // success } The main interaction point between a web application acting as a OpenID Provider (Server) and the library is the ServerManager class. See also the SampleServer.java implementation in the server package. // instantiate a ServerManager object public static ServerManager manager = new ServerManager(); // configure the OpenID Provider's endpoint URL static { manager.setOPEndpointUrl("Http://my.openidprovider.com/server"); } // extract the parameters from the request ParameterList request = new ParameterList(httpReq.getParameterMap()); String mode = request.hasParameter("openid.mode") ? request.getParameterValue("openid.mode") : null; Message response; String responseText; if ("associate".equals(mode)) { // --- process an association request --- response = manager.associationResponse(request); responseText = response.keyValueFormEncoding(); } else if ("checkid_setup".equals(mode) || "checkid_immediate".equals(mode)) { // interact with the user and obtain data needed to continue List userData = userInteraction(request); String userSelectedId = (String) userData.get(0); String userSelectedClaimedId = (String) userData.get(1); Boolean authenticatedAndApproved = (Boolean) userData.get(2); // --- process an authentication request --- response = manager.authResponse(request, userSelectedId, userSelectedClaimedId, authenticatedAndApproved.booleanValue()); // caller will need to decide which of the following to use: // - GET HTTP-redirect to the return_to URL // - HTML FORM Redirection responseText = response.wwwFormEncoding(); } else if ("check_authentication".equals(mode)) { // --- processing a verification request --- response = manager.verify(request); responseText = response.keyValueFormEncoding(); } else { // --- error response --- response = DirectError.createDirectError("Unknown request"); responseText = response.keyValueFormEncoding(); } // return the result to the user return responseText; Contacts: If you want freely available support, to participate in active development, and to be informed about new code releases, bug fixes, security fixes, general news and information about the OpenID4Java Library, subscribe to the Google Group at: http://groups.google.com/group/openid4java If you want commercial support for running the OpenID4Java Library, please contact: bizdev@sxip.com If you find a bug in the OpenID4Java Library please submit a defect in the tracking database after verifying that it hasn't already been submitted. http://code.google.com/p/openid4java/issues/list Thanks for running OpenID! The Sxip Team -- http://sxip.com ======================================================================== Copyright 2006-2008 Sxip Identity Corporation Project home page and package distribution: => http://code.google.com/p/openid4java => http://code.google.com/p/openid4java/downloads/ For support, please visit the wiki and join the Google Groups! => http://groups.google.com/group/openid4java/ => http://code.google.com/p/openid4java/w/ OpenID => http://openid.net/ Released under the Apache License 2.0 => see LICENSE