| |
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
| <!-- |
| |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <html> |
| <head> |
| |
| <link type="text/css" rel="stylesheet" href="/resources/site.css"> |
| <script src='/resources/space.js'></script> |
| |
| <meta http-equiv="Content-type" content="text/html;charset=UTF-8"> |
| <meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source"> |
| <meta name="description" content="Apache CXF, Services Framework - JAX-RS Token Authorization"> |
| |
| |
| <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css"> |
| <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css"> |
| |
| <script src='/resources/highlighter/scripts/shCore.js'></script> |
| <script src='/resources/highlighter/scripts/shBrushXml.js'></script> |
| <script src='/resources/highlighter/scripts/shBrushJava.js'></script> |
| <script> |
| SyntaxHighlighter.defaults['toolbar'] = false; |
| SyntaxHighlighter.all(); |
| </script> |
| |
| |
| <title> |
| Apache CXF -- JAX-RS Token Authorization |
| </title> |
| </head> |
| <body onload="init()"> |
| |
| |
| <table width="100%" cellpadding="0" cellspacing="0"> |
| <tr> |
| <td id="cell-0-0" colspan="2"> </td> |
| <td id="cell-0-1"> </td> |
| <td id="cell-0-2" colspan="2"> </td> |
| </tr> |
| <tr> |
| <td id="cell-1-0"> </td> |
| <td id="cell-1-1"> </td> |
| <td id="cell-1-2"> |
| <!-- Banner --> |
| <div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap> |
| <a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a> |
| </td><td align="right" colspan="1" nowrap> |
| <a shape="rect" href="http://www.apache.org/" title="The Apache Sofware Foundation"><img border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a> |
| </td></tr></table></div></div> |
| <!-- Banner --> |
| <div id="top-menu"> |
| <table border="0" cellpadding="1" cellspacing="0" width="100%"> |
| <tr> |
| <td> |
| <div align="left"> |
| <!-- Breadcrumbs --> |
| <a href="index.html">Index</a> > <a href="restful-services.html">RESTful Services</a> > <a href="jax-rs.html">JAX-RS</a> > <a href="jax-rs-token-authorization.html">JAX-RS Token Authorization</a> |
| <!-- Breadcrumbs --> |
| </div> |
| </td> |
| <td> |
| <div align="right"> |
| <!-- Quicklinks --> |
| <div id="quicklinks"><p><a shape="rect" href="http://cxf.apache.org/download.html">Download</a> | <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div> |
| <!-- Quicklinks --> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| </td> |
| <td id="cell-1-3"> </td> |
| <td id="cell-1-4"> </td> |
| </tr> |
| <tr> |
| <td id="cell-2-0" colspan="2"> </td> |
| <td id="cell-2-1"> |
| <table> |
| <tr valign="top"> |
| <td height="100%"> |
| <div id="wrapper-menu-page-right"> |
| <div id="wrapper-menu-page-top"> |
| <div id="wrapper-menu-page-bottom"> |
| <div id="menu-page"> |
| <!-- NavigationBar --> |
| <div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect" href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a shape="rect" href="transports.html">Transports</a></li><li><a shape="rect" href="configuration.html">Configuration</a></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" href="service-routing.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" href="ws-support.html">WS-* Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a></li><li><a shape="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul><hr><ul class="alternate"><li><p>Search</p></li></ul><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse"> |
| <div> |
| <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4"> |
| <input type="hidden" name="ie" value="UTF-8"> |
| <input type="text" name="q" size="21"> |
| <input type="submit" name="sa" value="Search"> |
| </div> |
| </form> |
| <script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script><hr><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API 3.2.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest-3.1.x/">API 3.1.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF Website</a></li></ul><p> </p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div> |
| <!-- NavigationBar --> |
| </div> |
| </div> |
| </div> |
| </div> |
| </td> |
| <td height="100%"> |
| <!-- Content --> |
| <div class="wiki-content"> |
| <div id="ConfluenceContent"><p> <span style="font-size:2em;font-weight:bold">JAX-RS: Token Authorization</span> |
| |
| |
| <br clear="none"></p><p><style type="text/css">/*<![CDATA[*/ |
| div.rbtoc1636141589274 {padding: 0px;} |
| div.rbtoc1636141589274 ul {list-style: disc;margin-left: 0px;} |
| div.rbtoc1636141589274 li {margin-left: 0px;padding-left: 0px;} |
| |
| /*]]>*/</style></p><div class="toc-macro rbtoc1636141589274"> |
| <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSTokenAuthorization-Introduction">Introduction</a></li><li><a shape="rect" href="#JAXRSTokenAuthorization-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration note</a></li><li><a shape="rect" href="#JAXRSTokenAuthorization-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAXRSTokenAuthorization-Claimsbasedaccesscontrol">Claims based access control</a> |
| <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSTokenAuthorization-Claimsannotations">Claims annotations</a></li><li><a shape="rect" href="#JAXRSTokenAuthorization-EnforcingClaimsauthorization">Enforcing Claims authorization</a></li></ul> |
| </li><li><a shape="rect" href="#JAXRSTokenAuthorization-Rolebasedaccesscontrol">Role based access control</a> |
| <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSTokenAuthorization-SimpleAuthorizingInterceptor">SimpleAuthorizingInterceptor</a></li><li><a shape="rect" href="#JAXRSTokenAuthorization-Usingannotations">Using annotations</a></li></ul> |
| </li></ul> |
| </div><h1 id="JAXRSTokenAuthorization-Introduction">Introduction</h1><p>CXF JAX-RS offers an extension letting users to enforce a new fine-grained Claims Based Access Control (CBAC) based on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/claims/authorization/Claim.java" rel="nofollow">Claim</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/claims/authorization/Claims.java" rel="nofollow">Claims</a> annotations as well as <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/claims/authorization/ClaimMode.java" rel="nofollow">ClaimMode</a> enum class. It works with SAML tokens and with JWT tokens (from the 3.3.0 release onwards).</p><p>See also <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a>, <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a> and <a shape="rect" href="jax-rs-jose.html">JAX-RS JOSE</a>.</p><h1 id="JAXRSTokenAuthorization-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration note</h1><p>From Apache CXF 3.1.0, the WS-Security based configuration tags used to configure XML Signature or Encryption ("ws-security-*") have been changed to just start with "security-". Apart from this they are exactly the same. Older "ws-security-" values continue to be accepted in CXF 3.1.0. To use any of the configuration examples in this page with an older version of CXF, simply add a "ws-" prefix to the configuration tag.</p><p>The package for Claim, Claims and ClaimMode annotations has changed from "org.apache.cxf.rs.security.saml.authorization" to "org.apache.cxf.security.claims.authorization". Starting from CXF 2.7.1, the default name format for claims is "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" instead of "<a shape="rect" class="external-link" href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims</a>".</p><p>From the 3.3.0 release, the Claims access control annotations/interceptors <a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/CXF-6727">now work</a> with JWT tokens (as well as SAML tokens). This resulted in the following package changes:</p><ul><li>ClaimsAuthorizingInterceptor has moved from the cxf-rt-security-saml module to the cxf-rt-security module. The package name of the ClaimsAuthorizingInterceptor has changed: from org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor to org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor.</li><li>ClaimsAuthorizingFilter has moved from the cxf-rt-rs-security-xml module to the cxf-rt-frontend-jaxrs module. The package name of the ClaimsAuthorizingFilter  has changed: from org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter to org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter</li></ul><h1 id="JAXRSTokenAuthorization-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><dependency> |
| <groupId>org.apache.cxf</groupId> |
| <artifactId>cxf-rt-security</artifactId> |
| <version>3.3.0</version> |
| </dependency> |
| </pre> |
| </div></div><p>In addition, cxf-rt-rs-security-xml is required if you are working with SAML tokens, and cxf-rt-rs-security-jose-jaxrs is required if you are working with JWT tokens.</p><h1 id="JAXRSTokenAuthorization-Claimsbasedaccesscontrol">Claims based access control</h1><h2 id="JAXRSTokenAuthorization-Claimsannotations">Claims annotations</h2><p>Here is a simple code fragment to secure a service object using Claims annotations:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default">import org.apache.cxf.security.claims.authorization.Claim; |
| import org.apache.cxf.security.claims.authorization.Claims; |
| |
| @Path("/bookstore") |
| public class SecureClaimBookStore { |
| |
| @POST |
| @Path("/books") |
| @Produces("application/xml") |
| @Consumes("application/xml") |
| @Claims({ |
| @Claim({"admin" }), |
| @Claim(name = "http://claims/authentication-format", |
| format = "http://claims/authentication", |
| value = {"fingertip", "smartcard" }) |
| }) |
| public Book addBook(Book book) { |
| return book; |
| } |
| |
| } |
| </pre> |
| </div></div><p>SecureClaimBookStore.addBook(Book) can only be invoked if Subject meets the following requirement: it needs to have a Claim with a value "admin" and another Claim confirming that it got authenticated using either a 'fingertip' or 'smartcard' method. Note that @Claim({"admin"}) has no name and format classifiers set - it relies on default name and format values, namely "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" and "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims" before CXF 2.7.1) respectively. These default values may change in the future depending on which claims are found to be used most often - but as you can see you can always provide name and format values which will scope a given claim value.</p><p>Note that in the above example, a Claim with the name "http://claims/authentication-format" has two values, 'fingertip' and 'smartcard'. By default, in order to meet this Claim, Subject needs to have a Claim which has either a 'fingertip' or 'smartcard' value. If it is expected that Subject needs to have a Claim which has both 'fingertip' and 'smartcard' values, then the following change needs to be done:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default">import org.apache.cxf.security.claims.authorization.Claim; |
| import org.apache.cxf.security.claims.authorization.Claims; |
| |
| @Path("/bookstore") |
| public class SecureClaimBookStore { |
| |
| @POST |
| @Path("/books") |
| @Produces("application/xml") |
| @Consumes("application/xml") |
| @Claims({ |
| @Claim({"admin" }), |
| @Claim(name = "http://claims/authentication-format", |
| format = "http://claims/authentication", |
| value = {"fingertip", "smartcard" }, |
| matchAll = true) |
| }) |
| public Book addBook(Book book) { |
| return book; |
| } |
| |
| } |
| </pre> |
| </div></div><p>Claims can be specified using individual @Claim annotation, they can be set at the class level and overridden at the method level and finally a lax mode of check can be specified:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default">import org.apache.cxf.security.claims.authorization.Claim; |
| import org.apache.cxf.security.claims.authorization.Claims; |
| |
| @Path("/bookstore") |
| @Claim({"user"}) |
| public class SecureClaimBookStore { |
| |
| @POST |
| @Path("/books") |
| @Produces("application/xml") |
| @Consumes("application/xml") |
| @Claims({ |
| @Claim({"admin" }), |
| @Claim(name = "http://claims/authentication-format", |
| format = "http://claims/authentication", |
| value = {"fingertip", "smartcard" }, |
| matchAll = true) |
| }) |
| public Book addBook(Book book) { |
| return book; |
| } |
| |
| @GET |
| @Claim(name = "http://claims/authentication-format", |
| format = "http://claims/authentication", |
| value = {"password" }, |
| mode = ClaimMode.LAX) |
| public Book getBook() { |
| //... |
| } |
| |
| @GET |
| public BookList getBookList() { |
| //... |
| } |
| |
| |
| } |
| </pre> |
| </div></div><p>In the above example, getBookList() can be invoked if Subject has a Claim with the value "user"; addBook() has it overridden - "admin" is expected and the authentication format Claim too; getBook() can be invoked if Subject has a Claim with the value "user" and it also must have the authentication format Claim with the value "password" - or no such Claim at all.</p><p>org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor ("org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor" before CXF 3.3.0) enforces the CBAC rules. This filter can be overridden and configured with the rules directly which can be useful if no Claim-related annotations are expected in the code. Map nameAliases and formatAliases properties are supported to make @Claim annotations look a bit simpler, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default">@Claim(name = "auth-format", format = "authentication", value = {"password" }) |
| </pre> |
| </div></div><p>where "auth-format" and "authentication" are aliases for "http://claims/authentication-format" and "http://claims/authentication" respectively.</p><h2 id="JAXRSTokenAuthorization-EnforcingClaimsauthorization">Enforcing Claims authorization</h2><p>Simply adding Claims annotations are per the examples above is not sufficient to enforce claims based authorization.</p><p>First we need to configure the appropriate interceptors/filters to authenticate the type of token we are interested in extracting claims from. See the <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a> page for information on how to configure SAML, and the <a shape="rect" href="jax-rs-jose.html">JAX-RS JOSE</a> page for information on how to configure JWT.</p><p>For both SAML and JWT, once the incoming token is validated, a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsSecurityContext.java" rel="nofollow">ClaimsSecurityContext</a> security context will be created containing the claims contained in the token, as well as the authenticated subject and role (claims).</p><p>To enforce claims authorization, a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/security/src/main/java/org/apache/cxf/rt/security/claims/interceptor/ClaimsAuthorizingInterceptor.java" rel="nofollow">ClaimsAuthorizingInterceptor</a> must be set as an "inInterceptor", passing it a reference to the secured object. There is also a JAX-RS filter wrapper around ClaimsAuthorizingInterceptor available, which is called <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/ClaimsAuthorizingFilter.java" rel="nofollow">ClaimsAuthorizingFilter</a>.</p><p>An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter (note org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter from CXF 3.3.0) is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor.</p><p>Here is an example of enforcing Claims authorization against a JWT token. BookStoreAuthn is the service object which is annotated with Claims annotations. The ClaimsAuthorizingFilter is added as a JAX-RS provider to the endpoint, wrapping the serviceBean. A JwtAuthenticationFilter instance is also added to validate the received JWT token and to set up the ClaimsSecurityContext. The <a shape="rect" class="external-link" href="http://rs.security.signature.in" rel="nofollow">rs.security.signature.in</a>.properties property is used to verify the signature on the received token.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.jose.jwt.BookStoreAuthn"/> |
| |
| <bean id="claimsHandler" class="org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter"> |
| <property name="securedObject" ref="serviceBean"/> |
| </bean> |
| |
| <bean id="jwtAuthzFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter"> |
| <property name="roleClaim" value="role"/> |
| </bean> |
| |
| <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt-authn-authz}/signedjwtauthz"> |
| <jaxrs:serviceBeans> |
| <ref bean="serviceBean"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:providers> |
| <ref bean="jwtAuthzFilter"/> |
| <ref bean="claimsHandler"/> |
| </jaxrs:providers> |
| <jaxrs:properties> |
| <entry key="rs.security.signature.in.properties" |
| value="org/apache/cxf/systest/jaxrs/security/bob.jwk.properties"/> |
| </jaxrs:properties> |
| </jaxrs:server></pre> |
| </div></div><h1 id="JAXRSTokenAuthorization-Rolebasedaccesscontrol">Role based access control</h1><p>If we have a SAML Assertion or JWT token with claims that are known to represent roles, then making those claims work with an RBAC system can be achieved easily.</p><h2 id="JAXRSTokenAuthorization-SimpleAuthorizingInterceptor">SimpleAuthorizingInterceptor</h2><p>One option is to enforce that only users in a given role can access a method in the service bean is to use CXF's SimpleAuthorizingInterceptor. It has a "methodRolesMap" property can maps method names to roles. This interceptor must then be added to the inInterceptor chain of the service endpoint. For example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.jose.jwt.BookStoreAuthn"/> |
| |
| <bean id="jwtAuthzFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter"> |
| <property name="roleClaim" value="role"/> |
| </bean> |
| |
| <bean id="authorizationInterceptor" |
| class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor"> |
| <property name="methodRolesMap"> |
| <map> |
| <entry key="echoBook" value="boss"/> |
| <entry key="echoBook2" value="boss"/> |
| </map> |
| </property> |
| </bean> |
| |
| <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt-authn-authz}/signedjwtauthz"> |
| <jaxrs:serviceBeans> |
| <ref bean="serviceBean"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:providers> |
| <ref bean="jwtAuthzFilter"/> |
| </jaxrs:providers> |
| <jaxrs:inInterceptors> |
| <ref bean="authorizationInterceptor"/> |
| </jaxrs:inInterceptors> |
|  <jaxrs:properties> |
| <entry key="rs.security.signature.in.properties" |
| value="org/apache/cxf/systest/jaxrs/security/bob.jwk.properties"/> |
| </jaxrs:properties> |
| </jaxrs:server></pre> |
| </div></div><h2 id="JAXRSTokenAuthorization-Usingannotations">Using annotations</h2><p>Instead of mapping method names to roles using the SimpleAuthorizingInterceptor, we can instead annotate them in the service bean with javax.annotation.security.RolesAllowed or org.springframework.security.annotation.Secured annotations. For example:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code class="java keyword">import</code> <code class="java plain"><a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.springframework.security.annotation.Secured;">org.springframework.security.annotation.Secured;</a></code><br clear="none"> <br clear="none"><code class="java color1">@Path</code><code class="java plain">(</code><code class="java string">"/bookstore"</code><code class="java plain">)</code><br clear="none"><code class="java keyword">public</code> <code class="java keyword">class</code> <code class="java plain">SecureBookStore {</code><br clear="none"><code class="java spaces">    </code> <br clear="none"><code class="java spaces">    </code><code class="java color1">@POST</code><br clear="none"><code class="java spaces">    </code><code class="java color1">@Secured</code><code class="java plain">(</code><code class="java string">"admin"</code><code class="java plain">)</code><br clear="none"><code class="java spaces">    </code><code class="java keyword">public</code> <code class="java plain">Book addBook(Book book) {</code><br clear="none"><code class="java spaces">        </code><code class="java keyword">return</code> <code class="java plain">book;</code><br clear="none"><code class="java spaces">    </code><code class="java plain">}</code><br clear="none"><code class="java plain">}</code></p></td></tr></tbody></table></div><p>where @Secured can be replaced with @RoledAllowed if needed, the following configuration will do it:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p><code class="java plain"><bean id=</code><code class="java string">"serviceBeanRoles"</code> <code class="java keyword">class</code><code class="java plain">=</code><code class="java string">"<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore">org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore</a>"</code><code class="java plain">/></code><br clear="none"><code class="java plain"><bean id=</code><code class="java string">"samlEnvHandler"</code> <code class="java keyword">class</code><code class="java plain">=</code><code class="java string">"<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler">org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler</a>"</code><code class="java plain">></code><br clear="none"><code class="java spaces"> </code><code class="java plain"><property name=</code><code class="java string">"securityContextProvider"</code><code class="java plain">></code><br clear="none"><code class="java spaces">    </code><code class="java plain"><bean </code><code class="java keyword">class</code><code class="java plain">=</code><code class="java string">"<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider">org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider</a>"</code><code class="java plain">/></code><br clear="none"><code class="java spaces"> </code><code class="java plain"></property></code><br clear="none"><code class="java plain"></bean></code><br clear="none"> <br clear="none"><code class="java plain"><bean id=</code><code class="java string">"authorizationInterceptor"</code> <code class="java keyword">class</code><code class="java plain">=</code><code class="java string">"<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor</a>"</code><code class="java plain">></code><br clear="none"><code class="java spaces">    </code><code class="java plain"><property name=</code><code class="java string">"securedObject"</code> <code class="java plain">ref=</code><code class="java string">"serviceBean"</code><code class="java plain">/></code><br clear="none"><code class="java spaces">    </code><code class="java plain"><property name=</code><code class="java string">"annotationClassName"</code><br clear="none"><code class="java spaces">              </code><code class="java plain">value=</code><code class="java string">"<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.springframework.security.annotation.Secured">org.springframework.security.annotation.Secured</a>"</code><code class="java plain">/></code><br clear="none"><code class="java plain"></bean></code><br clear="none"><code class="java spaces">    </code> <br clear="none"><code class="java plain"><bean id=</code><code class="java string">"rolesHandler"</code> <code class="java keyword">class</code><code class="java plain">=</code><code class="java string">"<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter</a>"</code><code class="java plain">></code><br clear="none"><code class="java spaces">    </code><code class="java plain"><property name=</code><code class="java string">"interceptor"</code> <code class="java plain">ref=</code><code class="java string">"authorizationInterceptor"</code><code class="java plain">/></code><br clear="none"><code class="java plain"></bean></code><br clear="none"><code class="java spaces">    </code> <br clear="none"><code class="java plain"><jaxrs:server address=</code><code class="java string">"/saml-roles"</code><code class="java plain">> </code><br clear="none"><code class="java spaces">  </code><code class="java plain"><jaxrs:serviceBeans></code><br clear="none"><code class="java spaces">     </code><code class="java plain"><ref bean=</code><code class="java string">"serviceBeanRoles"</code><code class="java plain">/></code><br clear="none"><code class="java spaces">  </code><code class="java plain"></jaxrs:serviceBeans></code><br clear="none"><code class="java spaces">  </code><code class="java plain"><jaxrs:providers></code><br clear="none"><code class="java spaces">      </code><code class="java plain"><ref bean=</code><code class="java string">"samlEnvHandler"</code><code class="java plain">/></code><br clear="none"><code class="java spaces">      </code><code class="java plain"><ref bean=</code><code class="java string">"rolesHandler"</code><code class="java plain">/></code><br clear="none"><code class="java spaces">  </code><code class="java plain"></jaxrs:providers></code><br clear="none"><code class="java spaces">  </code> <br clear="none"><code class="java spaces">  </code><code class="java plain"><!-- If </code><code class="java keyword">default</code> <code class="java plain">role qualifier and format are not supported: </code><br clear="none"><code class="java spaces">       </code> <br clear="none"><code class="java spaces">  </code><code class="java plain"><jaxrs:properties></code><br clear="none"><code class="java spaces">     </code><code class="java plain"><entry key=</code><code class="java string">"<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.saml.claims.role.nameformat">org.apache.cxf.saml.claims.role.nameformat</a>"</code><br clear="none"><code class="java spaces">                </code><code class="java plain">value=</code><code class="java string">"urn:oasis:names:tc:SAML:<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/2.0:attrname-format:uri">2.0:attrname-format:uri</a>"</code><code class="java plain">/></code><br clear="none"><code class="java spaces">     </code><code class="java plain"><entry key=</code><code class="java string">"<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.saml.claims.role.qualifier">org.apache.cxf.saml.claims.role.qualifier</a>"</code><br clear="none"><code class="java spaces">                </code><code class="java plain">value=</code><code class="java string">"urn:oid:<a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/1.3.6.1.4.1.5923.1.1.1.1">1.3.6.1.4.1.5923.1.1.1.1</a>"</code><code class="java plain">/></code><br clear="none"><code class="java spaces">  </code><code class="java plain"></jaxrs:properties></code><br clear="none"><code class="java spaces">  </code><code class="java plain">--></code><br clear="none"><code class="java plain"></jaxrs:server></code></p></td></tr></tbody></table></div><p>That is all what is needed. Note that in order to help the default SAML SecurityContextProvider figure out which claims are roles, one can set the two properties as shown above - this not needed if it's known that claims identifying roles have NameFormat and Name values with the default values, which are "<a shape="rect" class="external-link" href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims</a>" and "<a shape="rect" class="external-link" href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a>" respectively at the moment.</p><p>Note that you can have RBAC and CBAC combined for a more sophisticated access control rules be enforced while still keeping the existing code relying on @RolesAllowed or @Secured intact. Override ClaimsAuthorizingFilter and configure it with the Claims rules directly and register it alongside SimpleAuthorizingFilter and here you go.</p><p>Also note how SecureAnnotationsInterceptor can handle different types of role annotations, with @RolesAllowed being supported by default.</p></div> |
| </div> |
| <!-- Content --> |
| </td> |
| </tr> |
| </table> |
| </td> |
| <td id="cell-2-2" colspan="2"> </td> |
| </tr> |
| <tr> |
| <td id="cell-3-0"> </td> |
| <td id="cell-3-1"> </td> |
| <td id="cell-3-2"> |
| <div id="footer"> |
| <!-- Footer --> |
| <div id="site-footer"> |
| <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> - |
| (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=93323401">edit page</a>) |
| (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=93323401&showComments=true&showCommentArea=true#addcomment">add comment</a>)<br> |
| Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br> |
| All other marks mentioned may be trademarks or registered trademarks of their respective owners. |
| </div> |
| <!-- Footer --> |
| </div> |
| </td> |
| <td id="cell-3-3"> </td> |
| <td id="cell-3-4"> </td> |
| </tr> |
| <tr> |
| <td id="cell-4-0" colspan="2"> </td> |
| <td id="cell-4-1"> </td> |
| <td id="cell-4-2" colspan="2"> </td> |
| </tr> |
| </table> |
| |
| <script type="text/javascript"> |
| var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); |
| document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); |
| </script> |
| <script type="text/javascript"> |
| try { |
| var pageTracker = _gat._getTracker("UA-4458903-1"); |
| pageTracker._trackPageview(); |
| } catch(err) {}</script> |
| |
| </body> |
| </html> |
| |
