<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<html>
<head>
<link type="text/css" rel="stylesheet" href="/resources/site.css">
<script src='/resources/space.js'></script>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
<meta name="description" content="Apache CXF, Services Framework - Secure JAX-RS Services">
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
<script src='/resources/highlighter/scripts/shCore.js'></script>
<script src='/resources/highlighter/scripts/shBrushBash.js'></script>
<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
<script>
SyntaxHighlighter.defaults['toolbar'] = false;
SyntaxHighlighter.all();
</script>
<title>
Apache CXF -- Secure JAX-RS Services
</title>
</head>
<body onload="init()">
<table width="100%" cellpadding="0" cellspacing="0">
<tr>
<td id="cell-0-0" colspan="2">&nbsp;</td>
<td id="cell-0-1">&nbsp;</td>
<td id="cell-0-2" colspan="2">&nbsp;</td>
</tr>
<tr>
<td id="cell-1-0">&nbsp;</td>
<td id="cell-1-1">&nbsp;</td>
<td id="cell-1-2">
</td>
<td id="cell-1-3">&nbsp;</td>
<td id="cell-1-4">&nbsp;</td>
</tr>
<tr>
<td id="cell-2-0" colspan="2">&nbsp;</td>
<td id="cell-2-1">
<table>
<tr valign="top">
<td height="100%">
<div id="wrapper-menu-page-right">
<div id="wrapper-menu-page-top">
<div id="wrapper-menu-page-bottom">
<div id="menu-page">
</div>
</div>
</div>
</div>
</td>
<td height="100%">
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">JAX-RS: Security</span>
<br clear="none"></p><p><style type="text/css">/*<![CDATA[*/
div.rbtoc1636141750008 {padding: 0px;}
div.rbtoc1636141750008 ul {list-style: disc;margin-left: 0px;}
div.rbtoc1636141750008 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style></p><div class="toc-macro rbtoc1636141750008">
<ul class="toc-indentation"><li><a shape="rect" href="#SecureJAXRSServices-HTTPS">HTTPS</a>
<ul class="toc-indentation"><li><a shape="rect" href="#SecureJAXRSServices-Configuringendpoints">Configuring endpoints</a></li><li><a shape="rect" href="#SecureJAXRSServices-Configuringclients">Configuring clients</a></li></ul>
</li><li><a shape="rect" href="#SecureJAXRSServices-Authentication">Authentication</a></li><li><a shape="rect" href="#SecureJAXRSServices-Authorization">Authorization</a></li><li><a shape="rect" href="#SecureJAXRSServices-WS-Trustintegration">WS-Trust integration</a>
<ul class="toc-indentation"><li><a shape="rect" href="#SecureJAXRSServices-ValidatingBasicAuthcredentialswithSTS">Validating BasicAuth credentials with STS</a></li><li><a shape="rect" href="#SecureJAXRSServices-UsingSTStovalidateSAMLassertions">Using STS to validate SAML assertions</a></li></ul>
</li><li><a shape="rect" href="#SecureJAXRSServices-NoteaboutSecurityManager">Note about SecurityManager</a></li><li><a shape="rect" href="#SecureJAXRSServices-SecuringJAX-RSmessages">Securing JAX-RS messages</a></li><li><a shape="rect" href="#SecureJAXRSServices-OAuth2.0/OpenIdConnect.">OAuth 2.0 / OpenId Connect.</a></li><li><a shape="rect" href="#SecureJAXRSServices-Restrictinglargepayloads">Restricting large payloads</a></li><li><a shape="rect" href="#SecureJAXRSServices-CrossOriginResourceSharing">Cross Origin Resource Sharing</a></li></ul>
</div><h1 id="SecureJAXRSServices-HTTPS">HTTPS</h1><p>Transport-level protection of JAX-RS endpoints can be managed by underlying Servlet containers, for example, see this <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html">Tomcat SSL Configuration section</a>.</p><p>Additionally CXF provides support for configuring endpoints which depend on embedded Jetty. CXF JAX-RS clients can also be configured to support SSL.</p><h2 id="SecureJAXRSServices-Configuringendpoints">Configuring endpoints</h2><p>JAX-RS endpoints using embedded Jetty can rely on the configuration like this one:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">&lt;beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:sec="http://cxf.apache.org/configuration/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd"&gt;
&lt;!-- TLS settings for the embedded Jetty engine listening on port 9095; a jaxrs:server on that port must declare depends-on="port-9095-tls-config" --&gt;
&lt;httpj:engine-factory id="port-9095-tls-config"&gt;
&lt;httpj:engine port="9095"&gt;
&lt;httpj:tlsServerParameters&gt;
&lt;!-- Server certificate and private key. The keystore paths and the "password" values below are test fixtures from the CXF source tree;
     in a deployment supply the key password through a keyPasswordCallbackHandler attribute (see below) instead of placing it inline --&gt;
&lt;sec:keyManagers keyPassword="password"&gt;
&lt;sec:keyStore type="JKS" password="password"
file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/&gt;
&lt;/sec:keyManagers&gt;
&lt;!-- Certificates this server trusts; presumably only consulted for client certificates, and no clientAuthentication element is configured here --&gt;
&lt;sec:trustManagers&gt;
&lt;sec:keyStore type="JKS" password="password"
file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/&gt;
&lt;/sec:trustManagers&gt;
&lt;/httpj:tlsServerParameters&gt;
&lt;/httpj:engine&gt;
&lt;/httpj:engine-factory&gt;
&lt;/beans&gt;
</pre>
</div></div><p>Instead of <code>keyPassword</code> on <code>keyManagers</code> you can also specify a <code>keyPasswordCallbackHandler</code> attribute. In this case the attribute must contain the fully qualified name of a class implementing the JSE <a shape="rect" class="external-link" href="http://docs.oracle.com/javase/7/docs/api/javax/security/auth/callback/CallbackHandler.html" rel="nofollow">CallbackHandler </a>interface and providing the key password at runtime, which avoids storing the private key password in the configuration file itself. A sample key password callback handler implementation can be found <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/transports/src/test/java/org/apache/cxf/systest/http/KeyPasswordCallbackHandler.java" rel="nofollow">here</a>.</p><p>If you use JAXRSServerFactoryBean to create and start JAX-RS endpoints from the code then the above configuration can be utilized like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">JAXRSServerFactoryBean bean = new JAXRSServerFactoryBean();
SpringBusFactory bf = new SpringBusFactory();
// Loads the beans.xml that holds the httpj:engine-factory TLS configuration shown above
Bus bus = bf.createBus("configuration/beans.xml");
bean.setBus(bus);
// NOTE(review): the engine-factory above configures TLS on port 9095, so an https:// scheme is presumably expected here - verify against the basic_https sample
bean.setAddress("http://localhost:9095/rest");
bean.setServiceClass(CustomerService.class);
</pre>
</div></div><p>If you also have a jaxrs:server endpoint declared in the above beans.xml, then make sure you have a 'depends-on' attribute set:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
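<pre class="brush: java; gutter: false; theme: Default">&lt;!-- serviceClass takes the fully qualified class name, not the Java "CustomerService.class" form;
     depends-on makes Spring create the TLS engine-factory bean before the endpoint that listens on port 9095 --&gt;
&lt;jaxrs:server serviceClass="org.customers.CustomerService" address="http://localhost:9095/rest"
depends-on="port-9095-tls-config"/&gt;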
</pre>
</div></div><p>Once you have JAX-RS and Jetty HTTPS combined then you can get the application context initiated like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
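<pre class="brush: java; gutter: false; theme: Default">public class Server {
    // JVM entry point: must be static (the original example declared an instance method, which the JVM cannot launch)
    public static void main(String[] args) throws Exception {
        // Loading beans.xml creates the Jetty TLS engine and the jaxrs:server endpoints that depend on it
        Bus busLocal = new SpringBusFactory().createBus("configuration/beans.xml");
        BusFactory.setDefaultBus(busLocal);
        // Presumably a placeholder for the endpoint setup shown earlier; on its own it has no effect
        new Server();
        // Keep the JVM alive so the endpoints can serve requests; a real launcher would block until shutdown
        Thread.sleep(60000);
    }
}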
</pre>
</div></div><p>Having JAX-RS endpoints declared alongside CXF Jetty HTTPS configuration is only needed when an embedded Jetty container is used. If you have application WARs deployed into Tomcat or Jetty then please follow container-specific guides on how to set up SSL.</p><p>Please also see this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/">HTTPS-based demo</a> in the CXF distribution.</p><p>Additionally check the <a shape="rect" href="http://cxf.apache.org/docs/jetty-configuration.html">CXF Jetty Configuration</a> section.</p><h2 id="SecureJAXRSServices-Configuringclients">Configuring clients</h2><p>Secure HTTPConduits for CXF JAX-RS proxies and WebClients can be configured as described in this <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html">section</a>.</p><p>For example, check this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml">configuration file</a>. Endpoint addresses used by proxies or clients have to match the pattern used in the HTTPConduit configuration.</p><p>The configuration file can be referenced during the proxy or WebClient creation:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">// NOTE(review): with a TLS-enabled http:conduit matched to this address, an https:// scheme is presumably expected here - verify against the basic_https sample
final String address = "http://localhost:9095/rest";
// Location of the Spring configuration holding the http:conduit with its tlsClientParameters (assign before use)
final String configLocation;
WebClient client = WebClient.create(address, configLocation);
// or
BookStore proxy = JAXRSClientFactory.create(address, configLocation, BookStore.class);
</pre>
</div></div><p>HTTPConduits can also be 'bound' to proxies or WebClients using expanded QNames. Please see this <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring">section</a> for more information.</p><p>Please see <a shape="rect" class="external-link" href="http://aruld.info/programming-ssl-for-jetty-based-cxf-services/" rel="nofollow">this blog entry</a> on how the HTTPConduit TLS properties can be set up from the code. In the code, do WebClient.getConfig(myClient).getHTTPConduit() and proceed from there.</p><h1 id="SecureJAXRSServices-Authentication">Authentication</h1><p>It is often containers like Tomcat or frameworks like Spring Security which handle the user authentication. Sometimes you might want to do custom authentication instead. The CXF HTTP transport adds the decoded Basic Authentication credentials to an instance of the AuthorizationPolicy extension and sets it on the current message. Thus the easiest way is to register a custom invoker or a&#160;<code>@PreMatching ContainerRequestFilter</code> which extracts the user name and password like this. Note that Basic Authentication only base64-encodes the credentials, so such a filter must only be exposed over HTTPS (see above), and that the filter has to reject the request itself when the header is missing or malformed rather than let it continue:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
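<pre class="brush: java; gutter: false; theme: Default">// Runs before resource matching, so an unauthenticated request never reaches a resource method
@PreMatching
public class AuthenticationHandler implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String authorization = requestContext.getHeaderString("Authorization");
        // No header at all: challenge the client instead of dereferencing null
        if (authorization == null) {
            requestContext.abortWith(createFaultResponse());
            return;
        }
        // Scheme and credentials are separated by whitespace; the scheme name is case-insensitive
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            requestContext.abortWith(createFaultResponse());
            return;
        }
        String decodedValue = null;
        try {
            // Decode as UTF-8 explicitly rather than relying on the platform default charset
            decodedValue = new String(Base64Utility.decode(parts[1]), "UTF-8");
        } catch (Base64Exception ex) {
            requestContext.abortWith(createFaultResponse());
            return;
        }
        // Split on the first ':' only: a user name cannot contain ':' but a password can
        int separator = decodedValue.indexOf(':');
        if (separator == -1) {
            requestContext.abortWith(createFaultResponse());
            return;
        }
        String userName = decodedValue.substring(0, separator);
        String password = decodedValue.substring(separator + 1);
        // isAuthenticated() is the application's own credential check (not shown)
        if (!isAuthenticated(userName, password)) {
            // Authentication failed: challenge again (the realm name is set in createFaultResponse)
            requestContext.abortWith(createFaultResponse());
        }
        // Otherwise fall through and let the request continue
    }

    // 401 challenge sent for missing, malformed or rejected credentials; adjust the realm name to your service
    private Response createFaultResponse() {
        return Response.status(401).header("WWW-Authenticate", "Basic realm=\"service.com\"").build();
    }
}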
</pre>
</div></div><p>One other thing you may want to do, after authenticating a user, is to initialize org.apache.cxf.security.SecurityContext with Principals representing the user and its roles (if available).</p><p>If you prefer using Spring Security then see how the authentication is handled in a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security">spring-security</a> demo.</p><p>Next, please see the <a shape="rect" href="securing-cxf-services.html">Securing CXF Services</a> section on how CXF Security interceptors can help.</p><p>Additionally check this <a shape="rect" class="external-link" href="http://sberyozkin.blogspot.com/2010/12/authentication-and-authorization-cxf.html" rel="nofollow">blog entry</a> for more information on how CXF JAX-RS wraps the CXF security interceptors with helper filters.</p><p>For example, see how a JAX-RS filter can be used to wrap CXF JAASLoginInterceptor:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">&lt;jaxrs:server address="/jaas"&gt;
&lt;jaxrs:serviceBeans&gt;
&lt;bean class="org.apache.cxf.systest.jaxrs.security.SecureBookStoreNoAnnotations"/&gt;
&lt;/jaxrs:serviceBeans&gt;
&lt;!-- Registered as a provider so the filter runs on every request to this endpoint before a resource method is invoked --&gt;
&lt;jaxrs:providers&gt;
&lt;ref bean="authenticationFilter"/&gt;
&lt;/jaxrs:providers&gt;
&lt;/jaxrs:server&gt;
&lt;!-- Wraps CXF JAASLoginInterceptor: on success it sets a SecurityContext on the message, on failure it redirects or returns 401 --&gt;
&lt;bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter"&gt;
&lt;!-- Name of the JAAS Context --&gt;
&lt;property name="contextName" value="BookLogin"/&gt;
&lt;!-- Hint to the filter on how to have Principals representing users and roles separated
while initializing a SecurityContext --&gt;
&lt;property name="rolePrefix" value="ROLE_"/&gt;
&lt;!-- Browser-style redirect on a failed login; omit this property for API clients so that a 401 is returned instead --&gt;
&lt;property name="redirectURI" value="/login.jsp"/&gt;
&lt;/bean&gt;
</pre>
</div></div><p>The filter will redirect the client to "/login.jsp" if the authentication fails. If no 'redirectURI' property is set then 401 will be returned. A "realmName" property can also be set.</p><p>If the JAAS Authentication succeeds then the filter will set a SecurityContext instance on the message. This context can be used for authorization decisions.</p><h1 id="SecureJAXRSServices-Authorization">Authorization</h1><p>It is often containers like Tomcat or frameworks like Spring Security which handle user authorization, similarly to the way the authentication is handled.</p><p>CXF also provides two interceptors which make it easy to enforce authorization decisions, as described in the <a shape="rect" href="securing-cxf-services.html">Securing CXF Services</a> section.<br clear="none">CXF JAX-RS SimpleAuthorizingFilter can be used to wrap those interceptors and return 403 in case of failures:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">&lt;jaxrs:server address="/jaas"&gt;
&lt;jaxrs:serviceBeans&gt;
&lt;bean class="org.apache.cxf.systest.jaxrs.security.SecureBookStoreNoAnnotations"/&gt;
&lt;/jaxrs:serviceBeans&gt;
&lt;jaxrs:providers&gt;
&lt;ref bean="authorizationFilter"/&gt;
&lt;/jaxrs:providers&gt;
&lt;/jaxrs:server&gt;
&lt;!-- Wraps the CXF authorizing interceptor and returns 403 when the caller lacks the required role --&gt;
&lt;bean id="authorizationFilter" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter"&gt;
&lt;property name="methodRolesMap" ref="rolesMap"/&gt;
&lt;/bean&gt;
&lt;!-- Resource method name to the role required to invoke it.
     NOTE(review): confirm how methods absent from this map are treated before relying on it as a deny-by-default control --&gt;
&lt;util:map id="rolesMap"&gt;
&lt;entry key="getThatBook" value="ROLE_BOOK_OWNER"/&gt;
&lt;entry key="getBook" value="ROLE_BOOK_OWNER"/&gt;
&lt;/util:map&gt;
</pre>
</div></div><p>SimpleAuthorizingFilter can also wrap CXF SecureAnnotationsInterceptor.</p><p>Note that wrapping CXF security interceptors with JAX-RS filters is not required; it simply makes it easier to handle authentication and authorization exceptions and return appropriate HTTP error statuses.</p><h1 id="SecureJAXRSServices-WS-Trustintegration">WS-Trust integration</h1><p>One of the requirements for deploying CXF endpoints into secure web service environments is to ensure that existing WS-Trust STS services can be used to protect the endpoints. JAX-WS endpoints can rely on CXF WS-Security and WS-Trust support. Making sure CXF JAX-RS endpoints can additionally be secured by an STS is a strategically important task. CXF provides close integration between the JAX-WS and JAX-RS frontends, thus reusing CXF JAX-WS and WS-Security is the most effective way of achieving this integration.</p><h2 id="SecureJAXRSServices-ValidatingBasicAuthcredentialswithSTS">Validating BasicAuth credentials with STS</h2><p>Validating Basic Authentication credentials with an STS is possible starting from CXF 2.4.1. JAX-RS and JAX-WS services can rely on this feature. Here is an example of how a jaxrs endpoint can be configured:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
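<pre class="brush: java; gutter: false; theme: Default">&lt;jaxrs:server serviceClass="org.customers.CustomerService"
depends-on="ClientAuthHttpsSettings"
address="https://localhost:8081/rest"&gt;
&lt;jaxrs:inInterceptors&gt;
&lt;ref bean="basicAuthValidator"/&gt;
&lt;/jaxrs:inInterceptors&gt;
&lt;jaxrs:properties&gt;
&lt;entry key="ws-security.sts.client"&gt;
&lt;ref bean="stsclient"/&gt;
&lt;/entry&gt;
&lt;/jaxrs:properties&gt;
&lt;/jaxrs:server&gt;
&lt;!-- Converts the HTTP Basic credentials into a WSS4J UsernameToken and asks the STS to validate it --&gt;
&lt;bean id="basicAuthValidator" class="org.apache.cxf.ws.security.trust.AuthPolicyValidatingInterceptor"&gt;
&lt;property name="validator"&gt;
&lt;bean class="org.apache.cxf.ws.security.trust.STSTokenValidator"&gt;
&lt;constructor-arg value="true"/&gt;
&lt;/bean&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="stsclient" class="org.apache.cxf.ws.security.trust.STSClient"&gt;
&lt;constructor-arg ref="cxf"/&gt;
&lt;property name="wsdlLocation" value="https://localhost:8083/sts?wsdl"/&gt;
&lt;property name="serviceName" value="{http://tempuri.org/}STSService"/&gt;
&lt;!-- QName string form is {namespace}local-part; the closing brace was missing in the original example --&gt;
&lt;property name="endpointName" value="{http://tempuri.org/}STSServicePort"/&gt;
&lt;/bean&gt;
&lt;!-- jaxrs:server depends on this SSL configuration --&gt;
&lt;httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf"&gt;
&lt;httpj:engine port="8081"&gt;
&lt;httpj:tlsServerParameters&gt;
&lt;!-- Test keystore and passwords; a keyPasswordCallbackHandler attribute avoids an inline key password --&gt;
&lt;sec:keyManagers keyPassword="skpass"&gt;
&lt;sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/&gt;
&lt;/sec:keyManagers&gt;
&lt;!-- WARNING: this filter comes from a test setup. Its include patterns name NULL (unencrypted), EXPORT and single-DES suites,
     none of which protect the Basic credentials on the wire. Do not copy it into a deployment; include only strong suites there --&gt;
&lt;sec:cipherSuitesFilter&gt;
&lt;sec:include&gt;.*_EXPORT_.*&lt;/sec:include&gt;
&lt;sec:include&gt;.*_EXPORT1024_.*&lt;/sec:include&gt;
&lt;sec:include&gt;.*_WITH_DES_.*&lt;/sec:include&gt;
&lt;sec:include&gt;.*_WITH_NULL_.*&lt;/sec:include&gt;
&lt;sec:exclude&gt;.*_DH_anon_.*&lt;/sec:exclude&gt;
&lt;/sec:cipherSuitesFilter&gt;
&lt;!-- Despite the bean id, client certificates are neither requested nor required by this engine --&gt;
&lt;sec:clientAuthentication want="false" required="false"/&gt;
&lt;/httpj:tlsServerParameters&gt;
&lt;/httpj:engine&gt;
&lt;!-- the engine-factory element was left unclosed in the original example --&gt;
&lt;/httpj:engine-factory&gt;
&lt;!-- STSClient depends on this SSL configuration --&gt;
&lt;http:conduit name="https://localhost:8083/.*"&gt;
&lt;!-- disableCNCheck="true" switches off hostname verification of the STS certificate; acceptable only for a localhost test --&gt;
&lt;http:tlsClientParameters disableCNCheck="true"&gt;
&lt;sec:trustManagers&gt;
&lt;sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/&gt;
&lt;/sec:trustManagers&gt;
&lt;!-- The same keystore also provides the client certificate presented to the STS --&gt;
&lt;sec:keyManagers keyPassword="skpass"&gt;
&lt;sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/&gt;
&lt;/sec:keyManagers&gt;
&lt;/http:tlsClientParameters&gt;
&lt;/http:conduit&gt;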
</pre>
</div></div><p>AuthPolicyValidatingInterceptor converts the Basic Auth info into a WSS4J UsernameToken and delegates to the STS to validate it.</p><p>Note that the TLS settings in the example above are taken from a test setup: the cipher suite filter explicitly includes NULL (unencrypted), EXPORT and DES suites, the engine does not request client certificates despite its id, and <code>disableCNCheck="true"</code> switches off hostname verification of the STS certificate. None of this is acceptable outside a local test. In a deployment include only strong cipher suites and keep the CN check enabled, otherwise the Basic credentials forwarded to the STS are exposed to a network attacker.</p><h2 id="SecureJAXRSServices-UsingSTStovalidateSAMLassertions">Using STS to validate SAML assertions</h2><p>Please see <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLAssertionValidation">this section</a> for more information on how STSTokenValidator can be used to validate the inbound SAML assertions.</p><h1 id="SecureJAXRSServices-NoteaboutSecurityManager">Note about SecurityManager</h1><p>If <code>java.lang.SecurityManager</code> is installed then you'll likely need to configure the trusted JAX-RS codebase with a 'suppressAccessChecks' permission for the injection of JAXRS context or parameter fields to succeed. For example, you may want to update a Tomcat <a shape="rect" class="external-link" href="http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html">catalina.policy</a> with the following permission:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">// Scope the grant to the CXF jar only: suppressAccessChecks lets code bypass Java access checks, so do not grant it to the whole webapp codebase
grant codeBase "file:${catalina.home}/webapps/yourwebapp/lib/cxf.jar" {
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
</pre>
</div></div><h1 id="SecureJAXRSServices-SecuringJAX-RSmessages">Securing JAX-RS messages</h1><p>CXF provides a number of different ways to secure JAX-RS messages:</p><ul><li>XML messages can be secured via XML Signature and XML Encryption. See <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a> for more information.</li><li>Messages can be signed and/or encrypted using JOSE. In addition, authentication and authorization can be achieved using JSON Web Tokens. See <a shape="rect" href="jax-rs-jose.html">JAX-RS JOSE</a> for more information.</li><li>Security claims can be conveyed via SAML assertions. See <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a> for more information.</li><li>Messages can be signed via HTTP Signature. See <a shape="rect" href="jax-rs-http-signature.html">JAX-RS HTTP Signature</a> for more information.</li></ul><h1 id="SecureJAXRSServices-OAuth2.0/OpenIdConnect.">OAuth 2.0 / OpenId Connect.</h1><p>CXF supports both OAuth 2.0 and OpenId Connect:</p><ul><li>See <a shape="rect" href="jax-rs-oauth2.html">JAX-RS OAuth2</a> for information about OAuth 2.0.</li><li>See <a shape="rect" href="jax-rs-oidc.html">JAX-RS OIDC</a> for information about OpenId Connect.</li></ul><h1 id="SecureJAXRSServices-Restrictinglargepayloads">Restricting large payloads</h1><p>Please see <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+Data+Bindings#JAX-RSDataBindings-ControllingLargeJAXBXMLandJSONinputpayloads">this section</a> for more information on limiting the size of JAXB XML and JSON input payloads, which protects the service from memory exhaustion caused by oversized requests.</p><h1 id="SecureJAXRSServices-CrossOriginResourceSharing">Cross Origin Resource Sharing</h1><p>Please see <a shape="rect" href="jax-rs-cors.html">this section</a> for more information. Also check <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-data-bindings.html#JAX-RSDataBindings-JSONWithPadding">the section</a> about JSONP.</p></div>
</div>
<!-- Content -->
</td>
</tr>
</table>
</td>
<td id="cell-2-2" colspan="2">&nbsp;</td>
</tr>
<tr>
<td id="cell-3-0">&nbsp;</td>
<td id="cell-3-1">&nbsp;</td>
<td id="cell-3-2">
</td>
<td id="cell-3-3">&nbsp;</td>
<td id="cell-3-4">&nbsp;</td>
</tr>
<tr>
<td id="cell-4-0" colspan="2">&nbsp;</td>
<td id="cell-4-1">&nbsp;</td>
<td id="cell-4-2" colspan="2">&nbsp;</td>
</tr>
</table>
</body>
</html>