cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > Security
Date Wed, 22 Dec 2010 17:22:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Security">Security</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey
Beryozkin</a>
    </h4>
        <br/>
                         <h4>Changes (5)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >The JAAS authenticator is configured
with the name of the JAAS login context (the one usually specified in the JAAS configuration
resource which the server is aware of). It is also configured with an optional &quot;rolePrefix&quot;
property which is needed by the CXF SecurityContext in order to differentiate between user
and role Principals. By default CXF will assume that role Principals are represented by javax.security.acl.Group
instances. <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h1.
WS-Security UsernameToken and Custom Authentication <br> <br>If needed, one may
want to configure a jaxws:endpoint with a &quot;ws-security.ut.no-callbacks&quot;
property set to true and register a custom org.apache.cxf.interceptor.security.AbstractUsernameTokenInterceptor
implementation for using a WSS4J UsernameToken wrapped in a CXF specific UsernameToken for
the custom authentication and Subject creation. <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h1. Authorization <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:xml} <br></td></tr>
            <tr><td class="diff-changed-lines" >&lt;jaxws:endpoint id=&quot;endpoint1&quot;
<span class="diff-changed-words">address=&quot;/soapService<span class="diff-added-chars"style="background-color:
#dfd;">1</span>&quot;&gt;</span> <br></td></tr>
            <tr><td class="diff-unchanged" > &lt;jaxws:inInterceptors&gt;
<br>   &lt;ref bean=&quot;authorizationInterceptor&quot;/&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >&lt;/bean&gt; <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">&lt;jaxws:endpoint
id=&quot;endpoint2&quot; address=&quot;/soapService2&quot; implementor=&quot;#secureBean&quot;&gt;
<br> &lt;jaxws:inInterceptors&gt; <br>   &lt;ref bean=&quot;authorizationInterceptor&quot;/&gt;
<br> &lt;/jaxws:inInterceptors&gt; <br>&lt;/jaxws:endpoint&gt;
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">&lt;!--
This bean is annotated with secure annotations such as RolesAllowed --&gt; <br>&lt;bean
id=&quot;secureBean&quot; class=&quot;org.apache.cxf.tests.security.SecureService&quot;&gt;
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">&lt;bean
id=&quot;authorizationInterceptor&quot; class=&quot;org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor&quot;&gt;
<br>   &lt;property name=&quot;secureObject&quot; ref=&quot;secureBean&quot;/&gt;
<br>&lt;/bean&gt; <br> <br></td></tr>
            <tr><td class="diff-unchanged" >{code}  <br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <span style="font-size:2em;font-weight:bold"> Securing CXF Services </span>

<div>
<ul>
    <li><a href='#Security-Securetransports'>Secure transports</a></li>
<ul>
    <li><a href='#Security-HTTPS'>HTTPS</a></li>
</ul>
    <li><a href='#Security-WSSecurity'>WS-* Security</a></li>
    <li><a href='#Security-Authentication'>Authentication</a></li>
    <li><a href='#Security-WSSecurityUsernameTokenandCustomAuthentication'>WS-Security
UsernameToken and Custom Authentication</a></li>
    <li><a href='#Security-Authorization'>Authorization</a></li>
</ul></div>

<h1><a name="Security-Securetransports"></a>Secure transports</h1>

<h2><a name="Security-HTTPS"></a>HTTPS</h2>

<p>Please see the <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html"
class="external-link" rel="nofollow">Configuring SSL Support</a> page for more information.</p>

<h1><a name="Security-WSSecurity"></a>WS-* Security</h1>

<p>Please see the <a href="http://cxf.apache.org/docs/ws-support.html" class="external-link"
rel="nofollow">WS-* Support</a> page for more information.</p>

<h1><a name="Security-Authentication"></a>Authentication</h1>

<p>Container or Spring Security managed authentication as well as the custom authentication
are all the viable options used by CXF developers.</p>

<p>Starting from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor
in order to authenticate a current user and populate a CXF SecurityContext.</p>

<p>Example :</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;jaxws:endpoint address=<span class="code-quote">"/soapService"</span>&gt;</span>
 <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
   <span class="code-tag">&lt;ref bean=<span class="code-quote">"authenticationInterceptor"</span>/&gt;</span>
 <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
<span class="code-tag">&lt;/jaxws:endpoint&gt;</span>

<span class="code-tag">&lt;bean id=<span class="code-quote">"authenticationInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.JAASLoginInterceptor"</span>&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"contextName"</span>
value=<span class="code-quote">"jaasContext"</span>/&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"rolePrefix"</span>
value=<span class="code-quote">"ROLE_"</span>/&gt;</span>
<span class="code-tag">&lt;/bean&gt;</span>
<span class="code-tag"><span class="code-comment">&lt;!-- Similarly for JAX-RS
endpoints --&gt;</span></span>
</pre>
</div></div> 

<p>The JAAS authenticator is configured with the name of the JAAS login context (the
one usually specified in the JAAS configuration resource which the server is aware of). It
is also configured with an optional "rolePrefix" property which is needed by the CXF SecurityContext
in order to differentiate between user and role Principals. By default CXF will assume that
role Principals are represented by javax.security.acl.Group instances.</p>

<h1><a name="Security-WSSecurityUsernameTokenandCustomAuthentication"></a>WS-Security
UsernameToken and Custom Authentication</h1>

<p>If needed, one may want to configure a jaxws:endpoint with a "ws-security.ut.no-callbacks"
property set to true and register a custom org.apache.cxf.interceptor.security.AbstractUsernameTokenInterceptor
implementation for using a WSS4J UsernameToken wrapped in a CXF specific UsernameToken for
the custom authentication and Subject creation.</p>

<h1><a name="Security-Authorization"></a>Authorization</h1>

<p>Container or Spring Security managed authorization as well as the custom authorization
are all the viable options used by CXF developers.</p>

<p>CXF 2.3.2 and 2.4.0 introduce org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor
and org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor interceptors which can
help with enforcing the authorization rules.</p>

<p>Example :</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;jaxws:endpoint id=<span class="code-quote">"endpoint1"</span>
address=<span class="code-quote">"/soapService1"</span>&gt;</span>
 <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
   <span class="code-tag">&lt;ref bean=<span class="code-quote">"authorizationInterceptor"</span>/&gt;</span>
 <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
<span class="code-tag">&lt;/jaxws:endpoint&gt;</span>

<span class="code-tag">&lt;bean id=<span class="code-quote">"authorizationInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor"</span>&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"methodRolesMap"</span>&gt;</span>
      <span class="code-tag">&lt;map&gt;</span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"addNumbers"</span>
value=<span class="code-quote">"ROLE_USER ROLE_ADMIN"</span>/&gt;</span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"divideNumbers"</span>
value=<span class="code-quote">"ROLE_ADMIN"</span>/&gt;</span>  
      <span class="code-tag">&lt;/map&gt;</span>
   <span class="code-tag">&lt;/property&gt;</span> 
<span class="code-tag">&lt;/bean&gt;</span>

<span class="code-tag">&lt;jaxws:endpoint id=<span class="code-quote">"endpoint2"</span>
address=<span class="code-quote">"/soapService2"</span> implementor=<span class="code-quote">"#secureBean"</span>&gt;</span>
 <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
   <span class="code-tag">&lt;ref bean=<span class="code-quote">"authorizationInterceptor"</span>/&gt;</span>
 <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
<span class="code-tag">&lt;/jaxws:endpoint&gt;</span>

<span class="code-tag"><span class="code-comment">&lt;!-- This bean is annotated
with secure annotations such as RolesAllowed --&gt;</span></span>
<span class="code-tag">&lt;bean id=<span class="code-quote">"secureBean"</span>
class=<span class="code-quote">"org.apache.cxf.tests.security.SecureService"</span>&gt;</span>

<span class="code-tag">&lt;bean id=<span class="code-quote">"authorizationInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor"</span>&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"secureObject"</span>
ref=<span class="code-quote">"secureBean"</span>/&gt;</span>
<span class="code-tag">&lt;/bean&gt;</span>

</pre>
</div></div> 
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Security">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=24190972&revisedVersion=4&originalVersion=3">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Security?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message