knox-commits mailing list archives

From lmc...@apache.org
Subject svn commit: r1719241 - in /knox: site/books/knox-0-7-0/user-guide.html trunk/books/0.7.0/config_knox_sso.md
Date Fri, 11 Dec 2015 00:35:39 GMT
Author: lmccay
Date: Fri Dec 11 00:35:38 2015
New Revision: 1719241

URL: http://svn.apache.org/viewvc?rev=1719241&view=rev
Log:
cleaned up knoxsso cookie domain description

Modified:
    knox/site/books/knox-0-7-0/user-guide.html
    knox/trunk/books/0.7.0/config_knox_sso.md

Modified: knox/site/books/knox-0-7-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/user-guide.html?rev=1719241&r1=1719240&r2=1719241&view=diff
==============================================================================
--- knox/site/books/knox-0-7-0/user-guide.html (original)
+++ knox/site/books/knox-0-7-0/user-guide.html Fri Dec 11 00:35:38 2015
@@ -2126,7 +2126,7 @@ APACHE_HOME/bin/apachectl -k stop
     <tr>
       <td>knoxsso.cookie.domain.suffix </td>
       <td>optional: This indicates the portion of the request hostname that represents
the domain to be used for the cookie domain. For single host development scenarios the default
behavior should be fine. For production deployments, the expected domain should be set and
all configured URLs that are related to SSO should use this domain. Otherwise, the cookie
will not be presented by the browser to mismatched URLs. </td>
-      <td>Default cookie domain or a domain derived from a hostname that includes of
more than 2 dots.</td>
+      <td>Default cookie domain or a domain derived from a hostname that includes more
than 2 dots.</td>
     </tr>
     <tr>
       <td>knoxsso.token.ttl </td>
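Review bot: In the changed default cell for knoxsso.cookie.domain.suffix, "a domain derived from a hostname that includes more than 2 dots" still does not say which part of the hostname becomes the cookie domain, and "Default cookie domain" is left undefined. This value decides which hosts the browser will send the SSO cookie to, so the derivation rule should be stated explicitly, ideally with one example hostname and the domain that results from it. Minor style point: "more than 2 dots" reads better as "more than two dots".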

Modified: knox/trunk/books/0.7.0/config_knox_sso.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.7.0/config_knox_sso.md?rev=1719241&r1=1719240&r2=1719241&view=diff
==============================================================================
--- knox/trunk/books/0.7.0/config_knox_sso.md (original)
+++ knox/trunk/books/0.7.0/config_knox_sso.md Fri Dec 11 00:35:38 2015
@@ -107,7 +107,7 @@ Parameter | Description | Default
 --------- |----------- |----------- 
 knoxsso.cookie.secure.only | This determines whether the browser is allowed to send the cookie
over unsecured channels. This should always be set to true in production systems. If during
development a relying party is not running ssl then you can turn this off. Running with it
off exposes the cookie and underlying token for capture and replay by others. | true
 knoxsso.cookie.max.age | optional: This indicates that a cookie can only live for a specified
amount of time - in seconds. This should probably be left to the default which makes it a
session cookie. Session cookies are discarded once the browser session is closed. | session
-knoxsso.cookie.domain.suffix | optional: This indicates the portion of the request hostname
that represents the domain to be used for the cookie domain. For single host development scenarios
the default behavior should be fine. For production deployments, the expected domain should
be set and all configured URLs that are related to SSO should use this domain. Otherwise,
the cookie will not be presented by the browser to mismatched URLs. | Default cookie domain
or a domain derived from a hostname that includes of more than 2 dots.
+knoxsso.cookie.domain.suffix | optional: This indicates the portion of the request hostname
that represents the domain to be used for the cookie domain. For single host development scenarios
the default behavior should be fine. For production deployments, the expected domain should
be set and all configured URLs that are related to SSO should use this domain. Otherwise,
the cookie will not be presented by the browser to mismatched URLs. | Default cookie domain
or a domain derived from a hostname that includes more than 2 dots.
 knoxsso.token.ttl | This indicates the lifespan of the token within the cookie. Once it expires
a new cookie must be acquired from KnoxSSO. This is in milliseconds. The 36000000 in the topology
above gives you 10 hrs. | 30000 That is 30 seconds.
 knoxsso.token.audiences | This is a comma separated list of audiences to add to the JWT token.
This is used to ensure that a token received by a participating application knows that the
token was intended for use with that application. It is optional. In the event that an application
has expected audiences and they are not present the token must be rejected. In the event where
the token has audiences and the application has none expected then the token is accepted.
OPEN ISSUE - not currently being populated in WebSSOResource. | empty
 knoxsso.redirect.whitelist.regex | A semicolon separated list of regex expressions. The incoming
originalUrl must match one of the expressions in order for KnoxSSO to redirect to it after
authentication. Defaults to only relative paths and localhost with or without SSL for development
usecases. This needs to be opened up for production use and actual participating applications.
Note that cookie use is still constrained to redirect destinations in the same domain as the
KnoxSSO service - regardless of the expressions specified here. | ^/.\*$;^https?://localhost:\\d{0,9}/.\*$
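Review bot: The knoxsso.cookie.domain.suffix row tells production deployments to set the expected domain but is silent on the other side of that choice: a cookie scoped to a domain suffix is presented by the browser to every host under that suffix, not only to the participating applications. The knoxsso.cookie.secure.only row above already warns about capture and replay of the cookie and underlying token, so a one-sentence caution here to choose the narrowest suffix that still covers the SSO URLs would fit. The default cell is also a sentence fragment where the neighbouring rows give a value (true, session, empty); consider moving that explanation into the description column.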


