| |
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
| <!-- |
| |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <html> |
| <head> |
| |
| <link type="text/css" rel="stylesheet" href="/resources/site.css"> |
| <script src='/resources/space.js'></script> |
| |
| <meta http-equiv="Content-type" content="text/html;charset=UTF-8"> |
| <meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source"> |
| <meta name="description" content="Apache CXF, Services Framework - JAX-RS XML Security"> |
| |
| |
| <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css"> |
| <link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css"> |
| |
| <script src='/resources/highlighter/scripts/shCore.js'></script> |
| <script src='/resources/highlighter/scripts/shBrushXml.js'></script> |
| <script src='/resources/highlighter/scripts/shBrushJava.js'></script> |
| <script> |
| SyntaxHighlighter.defaults['toolbar'] = false; |
| SyntaxHighlighter.all(); |
| </script> |
| |
| |
| <title> |
| Apache CXF -- JAX-RS XML Security |
| </title> |
| </head> |
| <body onload="init()"> |
| |
| |
| <table width="100%" cellpadding="0" cellspacing="0"> |
| <tr> |
| <td id="cell-0-0" colspan="2"> </td> |
| <td id="cell-0-1"> </td> |
| <td id="cell-0-2" colspan="2"> </td> |
| </tr> |
| <tr> |
| <td id="cell-1-0"> </td> |
| <td id="cell-1-1"> </td> |
| <td id="cell-1-2"> |
| <!-- Banner --> |
| <div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap> |
| <a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a> |
| </td><td align="right" colspan="1" nowrap> |
| <a shape="rect" href="http://www.apache.org/" title="The Apache Sofware Foundation"><img border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a> |
| </td></tr></table></div></div> |
| <!-- Banner --> |
| <div id="top-menu"> |
| <table border="0" cellpadding="1" cellspacing="0" width="100%"> |
| <tr> |
| <td> |
| <div align="left"> |
| <!-- Breadcrumbs --> |
| <a href="index.html">Index</a> > <a href="restful-services.html">RESTful Services</a> > <a href="jax-rs.html">JAX-RS</a> > <a href="jax-rs-xml-security.html">JAX-RS XML Security</a> |
| <!-- Breadcrumbs --> |
| </div> |
| </td> |
| <td> |
| <div align="right"> |
| <!-- Quicklinks --> |
| <div id="quicklinks"><p><a shape="rect" href="http://cxf.apache.org/download.html">Download</a> | <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div> |
| <!-- Quicklinks --> |
| </div> |
| </td> |
| </tr> |
| </table> |
| </div> |
| </td> |
| <td id="cell-1-3"> </td> |
| <td id="cell-1-4"> </td> |
| </tr> |
| <tr> |
| <td id="cell-2-0" colspan="2"> </td> |
| <td id="cell-2-1"> |
| <table> |
| <tr valign="top"> |
| <td height="100%"> |
| <div id="wrapper-menu-page-right"> |
| <div id="wrapper-menu-page-top"> |
| <div id="wrapper-menu-page-bottom"> |
| <div id="menu-page"> |
| <!-- NavigationBar --> |
| <div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect" href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a shape="rect" href="transports.html">Transports</a></li><li><a shape="rect" href="configuration.html">Configuration</a></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" href="service-routing.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" href="ws-support.html">WS-* Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a></li><li><a shape="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul><hr><ul class="alternate"><li><p>Search</p></li></ul><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse"> |
| <div> |
| <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4"> |
| <input type="hidden" name="ie" value="UTF-8"> |
| <input type="text" name="q" size="21"> |
| <input type="submit" name="sa" value="Search"> |
| </div> |
| </form> |
| <script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script><hr><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API 3.2.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest-3.1.x/">API 3.1.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF Website</a></li></ul><p> </p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div> |
| <!-- NavigationBar --> |
| </div> |
| </div> |
| </div> |
| </div> |
| </td> |
| <td height="100%"> |
| <!-- Content --> |
| <div class="wiki-content"> |
| <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">JAX-RS: XML Security</span> |
| |
| |
| <br clear="none"></p><p><style type="text/css">/*<![CDATA[*/ |
| div.rbtoc1636141798802 {padding: 0px;} |
| div.rbtoc1636141798802 ul {list-style: disc;margin-left: 0px;} |
| div.rbtoc1636141798802 li {margin-left: 0px;padding-left: 0px;} |
| |
| /*]]>*/</style></p><div class="toc-macro rbtoc1636141798802"> |
| <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSXMLSecurity-Introduction">Introduction</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration note</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-XMLSignature">XML Signature</a> |
| <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSXMLSecurity-Envelopedsignatures">Enveloped signatures</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-Envelopingsignatures">Enveloping signatures</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-Detachedsignatures">Detached signatures</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-Customizingthesignature">Customizing the signature</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-SignatureKeyInfoValidation">Signature Key Info Validation</a></li></ul> |
| </li><li><a shape="rect" href="#JAXRSXMLSecurity-XMLEncryption">XML Encryption</a> |
| <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSXMLSecurity-Usingtherequestsignaturecertificatesfortheencryption">Using the request signature certificates for the encryption</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-Customizingtheencryption">Customizing the encryption</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM Algorithm and BouncyCastle provider</a></li></ul> |
| </li><li><a shape="rect" href="#JAXRSXMLSecurity-Restrictingencryptionandsignaturealgorithms">Restricting encryption and signature algorithms</a></li><li><a shape="rect" href="#JAXRSXMLSecurity-Interoperability">Interoperability</a></li></ul> |
| </div><h1 id="JAXRSXMLSecurity-Introduction">Introduction</h1><p>CXF 2.5.0 introduces an initial support for securing JAX-RS clients and endpoints with <a shape="rect" class="external-link" href="http://www.w3.org/TR/xmldsig-core/" rel="nofollow">XML Signature</a> and <a shape="rect" class="external-link" href="http://www.w3.org/TR/xmlenc-core/" rel="nofollow">XML Encryption</a>. <br clear="none">This is a work in progress and the enhancements will be applied regularly. Support for the alternative signature and encryption technologies will also be provided in due time.</p><h1 id="JAXRSXMLSecurity-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><dependency> |
| <groupId>org.apache.cxf</groupId> |
| <artifactId>cxf-rt-rs-security-xml</artifactId> |
| <version>2.5.2</version> |
| </dependency> |
| </pre> |
| </div></div><h1 id="JAXRSXMLSecurity-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration note</h1><p>From Apache CXF 3.1.0, the WS-Security based configuration tags used to configure XML Signature or Encryption ("ws-security-*") have been changed to just start with "security-". Apart from this they are exactly the same. Older "ws-security-" values continue to be accepted in CXF 3.1.0. To use any of the configuration examples in this page with an older version of CXF, simply add a "ws-" prefix to the configuration tag.</p><h1 id="JAXRSXMLSecurity-XMLSignature">XML Signature</h1><p><a shape="rect" class="external-link" href="http://www.w3.org/TR/xmldsig-core/" rel="nofollow">XML Signature</a> defines 3 types of signatures: enveloped, enveloping and detached. All the three types are supported by CXF JAX-RS.</p><p><strong>New</strong> Starting from CXF 2.5.2 it is also possible to add XML Signatures on the server side and get them validated on the client side.</p><h2 id="JAXRSXMLSecurity-Envelopedsignatures">Enveloped signatures</h2><p>Payload:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><Book ID="4bd59819-7b78-47a5-bb61-cc08348e9d48"> |
| <id>126</id> |
| <name>CXF</name> |
| |
| <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
| <ds:SignedInfo> |
| <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> |
| <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> |
| <ds:Reference URI="#4bd59819-7b78-47a5-bb61-cc08348e9d48"> |
| <ds:Transforms> |
| <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> |
| <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> |
| </ds:Transforms> |
| <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> |
| <ds:DigestValue>eFduzs6Cg1/Wd6jagUmr8vRYxHY=</ds:DigestValue> |
| </ds:Reference> |
| </ds:SignedInfo> |
| <ds:SignatureValue>DLD+wU85G+Q+H/SNoMr1I7tOCAZAjd3lYE84sBGU5tuMtzbwxKOIgg10g2F1SUbpujy1CZZ9BPkQNA+gA1CH4 |
| FE3uiBzp3DDSVv6o5l6Q76Ci0XI28ylO7O1OCY+q2nbP0WtERFWOn9f9nniVKbduz6YQHjv6cNLd8pf4+k2U3g=</ds:SignatureValue> |
| |
| <ds:KeyInfo> |
| <ds:X509Data><ds:X509Certificate>MIICGjCCAYOgAwIBAgIESVRgATANBgkqhkiG9w0BAQUFADAzMRMwEQYDVQQKEwphcGFjaGUub3JnMQwwCgYDVQQL |
| EwNlbmcxDjAMBgNVBAMTBWN4ZmNhMB4XDTcwMDEwMTAwMDAwMFoXDTM4MDExOTAzMTQwN1owMzETMBEGA1UEChMKYXBhY2hlLm9yZzEMMAoGA1UECxMDZW5nMQ4wDAYDVQ |
| QDEwVhbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVt |
| BWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzsCAwEAAaM7MDkwIQYDVR0SBBowGIIWTk9UX0ZPUl |
| 9QUk9EVUNUSU9OX1VTRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZI |
| hvcNAQEFBQADgYEAhLwkm+8psKt4gnbikGzV0TgpSWGcWxWKBi+z8tI2n6hFA5v1jVHHa4G9h3s0nxQ2TewzeR/k7gmgV2sI483NgrYHmTmLKaDBWza2pAuZuDhQH8GAEh |
| JakFtKBP++EC9rNNpZnqqHxx3qb2tW25qRtBzDmK921gg9PMomMc7uqRQ=</ds:X509Certificate> |
| </ds:X509Data> |
| |
| <ds:KeyValue> |
| <ds:RSAKeyValue> |
| <ds:Modulus>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTw |
| EzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=</ds:Modulus> |
| <ds:Exponent>AQAB</ds:Exponent> |
| </ds:RSAKeyValue> |
| </ds:KeyValue> |
| </ds:KeyInfo> |
| </ds:Signature> |
| |
| </Book> |
| </pre> |
| </div></div><p>Note that the Book root element is signed including its name and id children, and a signature ds:Reference links to Book.</p><p>Server Configuration fragment:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/> |
| <bean id="xmlSigHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/> |
| <bean id="xmlSigOutHandler" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"/> |
| |
| <jaxrs:server address="/xmlsig"> |
| <jaxrs:serviceBeans> |
| <ref bean="serviceBean"/> |
| </jaxrs:serviceBeans> |
| <!-- |
| Required for validating the in signature and removing it from the payload. |
| It also persists the signature on the current Message which can be disabled. |
| --> |
| <jaxrs:providers> |
| <ref bean="xmlSigHandler"/> |
| </jaxrs:providers> |
| <!-- |
| Required for adding a new signature to the outbound payload |
| --> |
| <jaxrs:outInterceptors> |
| <ref bean="xmlSigOutHandler"/> |
| </jaxrs:outInterceptors> |
| |
| <jaxrs:properties> |
| <entry key="security.callback-handler" |
| value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/> |
| <entry key="security.signature.properties" |
| value="org/apache/cxf/systest/jaxrs/security/alice.properties"/> |
| </jaxrs:properties> |
| </jaxrs:server> |
| |
| </pre> |
| </div></div><p>Note that org.apache.cxf.rs.security.xml.XmlSigInHandler is responsible for validating the signature attached to the inbound payload and is capable of processing all 3 types of XML Signature.</p><p>org.apache.cxf.rs.security.xml.XmlSigOutInterceptor is responsible for adding a new signature to the outbound payload.</p><p>Client code:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default">String address = "https://localhost:8080/xmlsig/bookstore/books"; |
| JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean(); |
| bean.setAddress(address); |
| |
| // setup properties |
| Map<String, Object> properties = new HashMap<String, Object>(); |
| properties.put("security.callback-handler", |
| "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"); |
| properties.put("security.signature.username", "alice"); |
| properties.put("security.signature.properties", |
| "org/apache/cxf/systest/jaxrs/security/alice.properties"); |
| bean.setProperties(properties); |
| |
| // add the interceptor which will add a signature to the outbound payload |
| XmlSigOutInterceptor sigOutInterceptor = new XmlSigOutInterceptor(); |
| bean.getOutInterceptors().add(sigOutInterceptor); |
| |
| // add the interceptor which will validate a signature in the inbound payload |
| XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor(); |
| bean.getInInterceptors().add(sigInInterceptor); |
| |
| |
| // load a bus with HTTPS configuration: |
| SpringBusFactory bf = new SpringBusFactory(); |
| Bus bus = bf.createBus(configLocation); |
| bean.setBus(bus); |
| |
| // use WebClient (or proxy) as usual |
| WebClient wc = bean.createWebClient(); |
| Book book = wc.post(new Book("CXF", 126L), Book.class); |
| </pre> |
| </div></div><p>Spring configuration can also be used.<br clear="none">Please also check <a shape="rect" href="secure-jax-rs-services.html">Secure JAX-RS Services</a> on how HTTPS can be configured from Spring.</p><h2 id="JAXRSXMLSecurity-Envelopingsignatures">Enveloping signatures</h2><p>Payload:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
| <ds:SignedInfo> |
| <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> |
| <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> |
| <ds:Reference URI="#88e688e6-6512-406f-9e88-a58e5d781ff0"> |
| <ds:Transforms> |
| <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> |
| </ds:Transforms> |
| <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> |
| <ds:DigestValue>Cq3zl3t3DqWTvuZ+4EtZgGs4ikk=</ds:DigestValue> |
| </ds:Reference> |
| </ds:SignedInfo><ds:SignatureValue>NvcCS8vx3YJkc8fHMf8bQkC+lwasC6CwiS7HfKSm8t+6TtYdM7TRbYxSuqfCTkF4 |
| vBIldWIzl6UngON592FfJdbvrgE2CusCkIybrP7BBmP7zTSV0GjH4/60L6ObkhGPkMNoKzw4V+zgF7Zo+F7ngsz5ZUWZX/GWETmTtYtcfT0=</ds:SignatureValue> |
| <ds:KeyInfo> |
| <ds:X509Data> |
| <ds:X509Certificate><!-- Omitted for brevity--></ds:X509Certificate> |
| </ds:X509Data> |
| <ds:KeyValue> |
| <ds:RSAKeyValue><ds:Modulus>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sST |
| zVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=</ds:Modulus> |
| <ds:Exponent>AQAB</ds:Exponent> |
| </ds:RSAKeyValue> |
| </ds:KeyValue> |
| </ds:KeyInfo> |
| <ds:Object ID="88e688e6-6512-406f-9e88-a58e5d781ff0"> |
| |
| <Book> |
| <id>126</id> |
| <name>CXF</name> |
| </Book> |
| </ds:Object> |
| </ds:Signature> |
| </pre> |
| </div></div><p>This time the signature is enveloping the Book element using a ds:Object wrapper which ds:Reference links to.</p><p>Server Configuration fragment is identical to the one shown in the Enveloped signatures section.</p><p>Client code is nearly identical to the one shown in the Enveloped signatures section except that XmlSigOutInterceptor need to have an additional property set:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default">// add the interceptor dealing with adding a signature |
| XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor(); |
| sigInterceptor.setStyle("enveloping"); |
| |
| </pre> |
| </div></div><h2 id="JAXRSXMLSecurity-Detachedsignatures">Detached signatures</h2><p>Payload:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><env:Envelope xmlns:env="http://org.apache.cxf/rs/env"> |
| |
| <Book ID="e9836bc2-cb5a-453f-b967-a9ddbaf9a6de"> |
| <id>125</id> |
| <name>CXF</name> |
| </Book> |
| <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
| <ds:SignedInfo> |
| <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> |
| <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> |
| <ds:Reference URI="#e9836bc2-cb5a-453f-b967-a9ddbaf9a6de"> |
| <ds:Transforms> |
| <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> |
| </ds:Transforms> |
| <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> |
| <ds:DigestValue>Pxz77Hlg6I/MRsJz4gixkaMFtYI=</ds:DigestValue> |
| </ds:Reference> |
| </ds:SignedInfo> |
| <ds:SignatureValue>JSwgiVqZT1EtJ9xqtb90juS54pvZguzFMne7cQyGMQDvBW7b65aAAIfVx/PmFB7Tuy4qB4zqNFCzCwHlhDurNP9NYB7PEzFsA3v |
| 3vSyEcHnpUhu41xmBvjT5HWEKbuzqX0dHekizuUefbfzG5WpluVPmOgjashrm9DIhfEf+Hyg=</ds:SignatureValue> |
| <ds:KeyInfo> |
| <ds:X509Data> |
| <ds:X509Certificate><!--Omitted for Brewity--></ds:X509Certificate> |
| </ds:X509Data> |
| <ds:KeyValue> |
| <ds:RSAKeyValue> |
| <ds:Modulus>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7v |
| uihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=</ds:Modulus> |
| <ds:Exponent>AQAB</ds:Exponent> |
| </ds:RSAKeyValue> |
| </ds:KeyValue> |
| </ds:KeyInfo> |
| </ds:Signature> |
| |
| <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_E462768C678896CE9913202742137181" |
| IssueInstant="2011-11-02T22:50:13.718Z" Version="2.0" xsi:type="saml2:AssertionType"> |
| |
| <saml2:Issuer>https://idp.example.org/SAML2</saml2:Issuer> |
| |
| <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
| <!-- |
| Enveloped/embedded SAML Assertion XML Signature is omitted for brevity |
| See the JAX-RS SAML section for more info |
| --> |
| </ds:Signature> |
| <!-- the rest of SAML assertion --> |
| </saml2:Assertion> |
| </env:Envelope> |
| </pre> |
| </div></div><p>Note that the whole payload is enveloped by a configurable element wrapper. The Book instance is one part of the envelope and it's signed by a detached signature (see the first ds:Signature, with its ds:Reference linking to Book). The envelope also has an embedded SAML assertion which has its own enveloped signature.</p><p>The instance of org.apache.cxf.rs.security.xml.XmlSigInHandler will handle a detached XML signature of the Book XML fragment on the server side. See the <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a> for more info on how to deal with SAML assertions.</p><p>Client code is nearly identical to the one shown in the Enveloped signatures section except that XmlSigOutInterceptor need to have an additional property set:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default">// add the interceptor dealing with adding a signature |
| XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor(); |
| sigInterceptor.setStyle("detached"); |
| |
| </pre> |
| </div></div><h2 id="JAXRSXMLSecurity-Customizingthesignature">Customizing the signature</h2><p>org.apache.cxf.rs.security.xml.XmlSigOutInterceptor manages the creation of the signature on the client side.<br clear="none">The following properties can be set on it at the moment:</p><p>"style": possible values are "enveloped" (default), "enveloping" and "detached"<br clear="none">"envelopedName": only used with the "detached" style, default is "{<a shape="rect" class="external-link" rel="nofollow" href="http://org.apache.cxf/rs/env">http://org.apache.cxf/rs/env</a>}Envelope"<br clear="none">"signatureAlgorithm": default is "http://www.w3.org/2000/09/xmldsig#rsa-sha1"<br clear="none">"digestAlgorithm": default is "http://www.w3.org/2000/09/xmldsig#sha1"</p><h2 id="JAXRSXMLSecurity-SignatureKeyInfoValidation">Signature Key Info Validation</h2><p>By default ds:Signature is expected to contain ds:KeyInfo element.</p><p>Setting a "keyInfoMustBeAvailable" property to false on the out interceptors will lead to KeyInfo not included.</p><p>If the same property is set to false on the in interceptors then either an authenticated Principal name or a default store alias will be used to load the certificate for validating the signature.</p><h1 id="JAXRSXMLSecurity-XMLEncryption">XML Encryption</h1><p>Encrypting XML payloads makes it possible to drop a requirement for HTTPS.</p><p>Here is a payload example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> |
| <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
| <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/> |
| <xenc:EncryptedKey Id="EK-B353DDCEE7C575B6A213203188664772"> |
| <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> |
| <ds:KeyInfo> |
| <ds:X509Data> |
| <ds:X509Certificate><!-- Omitted for brevity --></ds:X509Certificate> |
| </ds:X509Data> |
| </ds:KeyInfo> |
| <xenc:CipherData><xenc:CipherValue>tPtZz4pnVWquaV2a7O0y+VrHoeWwk3Eu5Jnu3RHz5rGDB/MLyG6rBamhit03J2xWaV52zUtDAPEj8sr4oy5y2KLB09Hu317IbQjinePabUpd |
| +DLnwNn5iHZpHWJPfndkh07JdYZSrMwqOvJ3fqrNJ+LQeLzZDneT8sC1vRyhSDU=</xenc:CipherValue> |
| </xenc:CipherData> |
| </xenc:EncryptedKey> |
| </ds:KeyInfo> |
| <xenc:CipherData> |
| <xenc:CipherValue>3ZPQ3SapAxemJwqG58sWh+r8B5SMRf/DZ2w/REswgl0zr8kpk0x4tayC5hl7IbSE8CPQYYHX8sXVnUFUoHOtJA==</xenc:CipherValue> |
| </xenc:CipherData> |
| </xenc:EncryptedData> |
| </pre> |
| </div></div><p>Here is a server configuration fragment:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/> |
| <bean id="xmlSigInHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/> |
| <bean id="xmlEncInHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/> |
| |
| <jaxrs:server address="/xmlsig"> |
| <jaxrs:serviceBeans> |
| <ref bean="serviceBean"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:providers> |
| <ref bean="xmlEncHandler"/> |
| <ref bean="xmlSigHandler"/> |
| </jaxrs:providers> |
| <jaxrs:properties> |
| <entry key="security.callback-handler" |
| value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/> |
| <entry key="security.encryption.properties" |
| value="org/apache/cxf/systest/jaxrs/security/bob.properties"/> |
| <entry key="security.signature.properties" |
| value="org/apache/cxf/systest/jaxrs/security/alice.properties"/> |
| </jaxrs:properties> |
| </jaxrs:server> |
| |
| </pre> |
| </div></div><p>This configuration supports receiving signed and then encrypted XML payloads.</p><p>The code:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default">String address = "https://localhost:8080/xmlencryption/bookstore/books"; |
| JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean(); |
| bean.setAddress(address); |
| |
| // setup properties |
| Map<String, Object> properties = new HashMap<String, Object>(); |
| |
| properties.put("security.callback-handler", |
| "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"); |
| properties.put("security.encryption.username", "bob"); |
| properties.put("security.encryption.properties", |
| "org/apache/cxf/systest/jaxrs/security/bob.properties"); |
| |
| // if signature required: |
| properties.put("security.signature.username", "alice"); |
| properties.put("security.signature.properties", |
| "org/apache/cxf/systest/jaxrs/security/alice.properties"); |
| |
| bean.setProperties(properties); |
| |
| // if signature required: add the interceptor dealing with adding a signature |
| XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor(); |
| bean.getOutInterceptors().add(sigInterceptor); |
| |
| // add the interceptor dealing with the encryption |
| |
| XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor(); |
| encInterceptor.setSymmetricEncAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc"); |
| bean.getOutInterceptors().add(encInterceptor); |
| |
| |
| // use WebClient (or proxy) as usual |
| WebClient wc = bean.createWebClient(); |
| Response r = wc.post(new Book("CXF", 126L), Book.class); |
| assertEquals(200, r.getStatus()); |
| </pre> |
| </div></div><p>Note that XmlEncOutInterceptor interceptor has a "symmetricEncAlgorithm" property set to a weaker type just to get CXF tests passing.</p><p>The actual application client code does not expect a payload such as Book back but if it did then configuring the server to encrypt the response would be straightforward:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/> |
| <bean id="xmlSigInHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/> |
| <bean id="xmlSigOutHandler" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"/> |
| |
| <bean id="xmlEncInHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/> |
| <bean id="xmlEncOutHandler" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor"> |
| <property name="symmetricEncAlgorithm" value="aes128-cbc"/> |
| </bean> |
| |
| <jaxrs:server address="/xmlsec"> |
| <jaxrs:serviceBeans> |
| <ref bean="serviceBean"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:providers> |
| <ref bean="xmlEncInHandler"/> |
| <ref bean="xmlSigInHandler"/> |
| </jaxrs:providers> |
| <jaxrs:outInterceptors> |
| <ref bean="xmlSigOutHandler"/> |
| <ref bean="xmlEncOutHandler"/> |
| </jaxrs:outInterceptors> |
| <jaxrs:properties> |
| <entry key="security.callback-handler" |
| value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/> |
| <entry key="security.encryption.properties" |
| value="org/apache/cxf/systest/jaxrs/security/alice.properties"/> |
| <entry key="security.signature.properties" |
| value="org/apache/cxf/systest/jaxrs/security/bob.properties"/> |
| |
| </jaxrs:properties> |
| </jaxrs:server> |
| </pre> |
| </div></div><p>Now the client code can be updated to expect an encrypted and signed Book back:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default">// Use the previous code fragment, add the in interceptors: |
| XmlEncInInterceptor encInInterceptor = new XmlEncInInterceptor(); |
| bean.getInInterceptors().add(encInInterceptor); |
| XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor(); |
| bean.getInInterceptors().add(sigInInterceptor); |
| </pre> |
| </div></div><h2 id="JAXRSXMLSecurity-Usingtherequestsignaturecertificatesfortheencryption">Using the request signature certificates for the encryption</h2><p><strong>From CXF 2.6.1 and 2.5.4:</strong></p><p>When multiple clients are posting the encrypted and signed payloads, the following configuration will lead to the request signature certificates being utilized for encrypting the symmetric key used to encrypt the response:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"><!-- server --> |
| <jaxrs:server> |
| <jaxrs:properties> |
| <entry key="security.callback-handler" |
| value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/> |
| <entry key="security.encryption.properties" |
| value="org/apache/cxf/systest/jaxrs/security/alice.properties"/> |
| <entry key="security.encryption.username" value="useReqSigCert"/> |
| <entry key="security.signature.properties" |
| value="org/apache/cxf/systest/jaxrs/security/bob.properties"/> |
| |
| </jaxrs:properties> |
| </jaxrs:server> |
| <jaxrs:client> |
| <jaxrs:properties> |
| <entry key="security.callback-handler" |
| value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/> |
| <entry key="security.encryption.properties" |
| value="org/apache/cxf/systest/jaxrs/security/bob.properties"/> |
| <entry key="security.encryption.username" value="bob"/> |
| <entry key="security.signature.properties" |
| value="org/apache/cxf/systest/jaxrs/security/alice.properties"/> |
| <entry key="security.signature.username" value="alice"/> |
| </jaxrs:properties> |
| </jaxrs:client> |
| </pre> |
| </div></div><p>The "security.encryption.username" server property is set to "useReqSigCert".</p><p>Note that the client configuration assumes Alice (with its alice.properties) represents a given client, Bob (with its bob.properties) - the receiver/server.</p><p>On the server side the encryption properties point to alice.properties and signature.properties to bob.properties. This is because the outbound signature needs to be done with the Bob's certificate and the encryption - with either the specific Alice's certificate or the certificate from the inbound signature. Note that the in encryption handler will check the signature properties first - this will ensure that the Bob's certificate used to encrypt the data on the client side can be validated, similarly for the in signature handler.</p><h2 id="JAXRSXMLSecurity-Customizingtheencryption">Customizing the encryption</h2><p>org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages the encryption process.<br clear="none">The following properties can be set on it at the moment:<br clear="none">"symmetricEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#aes256-cbc", complete URIs or short identifiers are supported, for example, "aes128-cbc" or "http://www.w3.org/2001/04/xmlenc#aes256-cbc". <br clear="none">"digestAlgorithm": optional, example "http://www.w3.org/2001/04/xmlenc#sha256" can be set.<br clear="none">"keyEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"<br clear="none">"keyIdentifierType": default is "X509_KEY", "X509_ISSUER_SERIAL" is also supported - useful when the whole x509Certificate should not be embedded</p><h2 id="JAXRSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM Algorithm and BouncyCastle provider</h2><p>Please see Colm's <a shape="rect" class="external-link" href="http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html" rel="nofollow">blog</a> for the information about the possible attack against XML Encryption and the GCM algorithm which needs to be used in order to prevent it.</p><h1 id="JAXRSXMLSecurity-Restrictingencryptionandsignaturealgorithms">Restricting encryption and signature algorithms</h1><p><strong>From CXF 2.6.1 and 2.5.4:</strong></p><p>It is possible to configure the in encryption and signature handlers with the properties restricting the encryption and signature algorithms that clients can use, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl"> |
| <pre class="brush: java; gutter: false; theme: Default"> <bean id="sigProps" class="org.apache.cxf.rs.security.xml.SignatureProperties"> |
| <property name="signatureAlgo" |
| value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> |
| <property name="signatureDigestAlgo" |
| value="http://www.w3.org/2000/09/xmldsig#sha1"/> |
| <property name="signatureC14Method" |
| value="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> |
| <property name="signatureC14Transform" |
| value="http://www.w3.org/2001/10/xml-exc-c14n#"/> |
| </bean> |
| |
| <bean id="encProps" class="org.apache.cxf.rs.security.xml.EncryptionProperties"> |
| <property name="encryptionKeyTransportAlgo" |
| value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> |
| <property name="encryptionSymmetricKeyAlgo" |
| value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> |
| </bean> |
| |
| <bean id="xmlSigInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"> |
| <property name="signatureProperties" ref="sigProps"/> |
| </bean> |
| |
| <bean id="xmlEncInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"> |
| <property name="encryptionProperties" ref="encProps"/> |
| </bean> |
| |
| <!-- the following ensures that the outbound handlers will use the same algorithms that the client used --> |
| <bean id="xmlSigOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"> |
| <property name="signatureProperties" ref="sigProps"/> |
| </bean> |
| |
| <bean id="xmlEncOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor"> |
| <property name="encryptionProperties" ref="encProps"/> |
| </bean> |
| </pre> |
| </div></div><p>Getting the same SignatureProperties and EncryptionProperties beans (with "sigProps" and "encProps" ids) registered with the outbound handlers will ensure that the algorithms used by the current client have not only been validated on the inbound side but also used on the outbound side for encrypting and signing the data.</p><p>Note that from CXF 2.7.1, 2.6.4 and 2.5.7, the XmlEncInHandler will require that the RSA-OAEP algorithm be used as the key transport encryption algorithm by default. As this algorithm is used by default by the XmlEncOutInterceptor, no action is required unless you are specifying a different algorithm on the outbound side. In this case, an EncryptionProperties object will need to be configured on XmlEncInHandler with the desired key transport algorithm.</p><h1 id="JAXRSXMLSecurity-Interoperability">Interoperability</h1><p>The payloads containing the enveloping XML Signatures are structured according to the XML Signature specification and as such can be consumed by any XML Signature aware consumers capable of handling the enveloping signatures and extracting the signed payload.</p><p>Same applies to enveloped signatures, for example, a signed SAML assertion always contains an enveloped signature.</p><p>The way CXF creates detached XML Signatures is experimental, so at the moment CXF will be required on both ends for the detached signatures be created and validated.</p><p>The current XML Encryption support is in line with the specification and thus the capable non-CXF consumers will be able to decrypt the payloads.</p></div> |
| </div> |
| <!-- Content --> |
| </td> |
| </tr> |
| </table> |
| </td> |
| <td id="cell-2-2" colspan="2"> </td> |
| </tr> |
| <tr> |
| <td id="cell-3-0"> </td> |
| <td id="cell-3-1"> </td> |
| <td id="cell-3-2"> |
| <div id="footer"> |
| <!-- Footer --> |
| <div id="site-footer"> |
| <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> - |
| (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=27830245">edit page</a>) |
| (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=27830245&showComments=true&showCommentArea=true#addcomment">add comment</a>)<br> |
| Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br> |
| All other marks mentioned may be trademarks or registered trademarks of their respective owners. |
| </div> |
| <!-- Footer --> |
| </div> |
| </td> |
| <td id="cell-3-3"> </td> |
| <td id="cell-3-4"> </td> |
| </tr> |
| <tr> |
| <td id="cell-4-0" colspan="2"> </td> |
| <td id="cell-4-1"> </td> |
| <td id="cell-4-2" colspan="2"> </td> |
| </tr> |
| </table> |
| |
| <script type="text/javascript"> |
| var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); |
| document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); |
| </script> |
| <script type="text/javascript"> |
| try { |
| var pageTracker = _gat._getTracker("UA-4458903-1"); |
| pageTracker._trackPageview(); |
| } catch(err) {}</script> |
| |
| </body> |
| </html> |
| |
