cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > Secure JAX-RS Services
Date Fri, 29 Apr 2011 16:30:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Secure+JAX-RS+Services">Secure
JAX-RS Services</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey
Beryozkin</a>
    </h4>
        <br/>
                         <h4>Changes (2)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h1. WS-Trust integration <br>
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">One
of the requirements for deploying CXF endpoints into secure web service environments is to
ensure that existing WS-Trust STS services can be used to protect the endpoints. JAX-WS endpoints
can rely on CXF WS-Security and WS-Trust support. Making sure CXF JAX-RS endpoints can be
additionally secured by STS is strategically important task. CXF provides close integration
between JAX-WS and JAX-RS frontends thus reusing CXF JAX-WS and WS-Security is the most effective
way toward achieving this integration. <br> <br>At the moment what can be done
is to have Basic Authentication credentials validated with STS. The next step is to provide
a more advanced integration with STS, stay tuned.      <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h2. Validating BasicAuth credentials
with STS <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Validating
Basic Authentication credentials with STS is possible starting from CXF 2.4.1. JAX-RS and
JAX-WS services can rely on this feature. Here is an example on how a jaxrs endpoint can be
configured: <br> <br>{code:xml} <br>&lt;jaxrs:server serviceClass=&quot;org.customers.CustomerService&quot;
<br>      depends-on=&quot;ClientAuthHttpsSettings&quot; <br>      address=&quot;https://localhost:8081/rest&quot;&gt;
<br> <br>      &lt;jaxrs:inInterceptors&gt; <br>         &lt;ref
bean=&quot;basicAuthValidator&quot;/&gt; <br>      &lt;/jaxrs:inInterceptors&gt;
<br> <br>      &lt;jaxrs:properties&gt; <br>           &lt;entry
key=&quot;ws-security.sts.client&quot;&gt; <br>              &lt;ref
bean=&quot;stsclient&quot;/&gt; <br>           &lt;/entry&gt; <br>
     &lt;/jaxrs:properties&gt; <br> <br>   &lt;/jaxrs:server&gt;
<br> <br>   &lt;bean id=&quot;basicAuthValidator&quot; class=&quot;org.apache.cxf.ws.security.trust.AuthPolicyValidatingInterceptor&quot;&gt;
<br>       &lt;property name=&quot;validator&quot;&gt; <br>  
           &lt;bean class=&quot;org.apache.cxf.ws.security.trust.STSTokenValidator&quot;&gt;
<br>                  &lt;constructor-arg value=&quot;true&quot;/&gt;
<br>              &lt;/bean&gt; <br>       &lt;/property&gt; <br>
  &lt;/bean&gt; <br> <br>   &lt;bean id=&quot;stsclient&quot;
class=&quot;org.apache.cxf.ws.security.trust.STSClient&quot;&gt; <br>  
    &lt;constructor-arg ref=&quot;cxf&quot;/&gt; <br>       &lt;property
name=&quot;wsdlLocation&quot; value=&quot;https://localhost:8081/sts?wsdl&quot;/&gt;
<br>       &lt;property name=&quot;serviceName&quot; value=&quot;{http://tempuri.org/}STSService&quot;/&gt;
<br>       &lt;property name=&quot;endpointName&quot; value=&quot;{http://tempuri.org/STSServicePort&quot;/&gt;
<br>   &lt;/bean&gt;  <br>{code} <br> <br>AuthPolicyValidatingInterceptor
converts Basic Auth info into WSS4J UsernameToken and delegates to STS to validate. <br>
<br></td></tr>
            <tr><td class="diff-unchanged" >h1. Note about SecurityManager <br>
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> JAX-RS: Security </span></p>

<div>
<ul>
    <li><a href='#SecureJAX-RSServices-HTTPS'>HTTPS</a></li>
<ul>
    <li><a href='#SecureJAX-RSServices-Configuringendpoints'>Configuring endpoints</a></li>
    <li><a href='#SecureJAX-RSServices-Configuringclients'>Configuring clients</a></li>
</ul>
    <li><a href='#SecureJAX-RSServices-Authentication'>Authentication</a></li>
    <li><a href='#SecureJAX-RSServices-Authorization'>Authorization</a></li>
    <li><a href='#SecureJAX-RSServices-WSTrustintegration'>WS-Trust integration</a></li>
<ul>
    <li><a href='#SecureJAX-RSServices-ValidatingBasicAuthcredentialswithSTS'>Validating
BasicAuth credentials with STS</a></li>
</ul>
    <li><a href='#SecureJAX-RSServices-NoteaboutSecurityManager'>Note about SecurityManager</a></li>
</ul></div>

<h1><a name="SecureJAX-RSServices-HTTPS"></a>HTTPS</h1>

<p>Transport-level protection of JAX-RS endpoints can be managed by underlying Servlet
containers, for example, see this <a href="http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html"
class="external-link" rel="nofollow">Tomcat SSL Configuration section</a>. </p>

<p>Additionally CXF provides support for configuring endpoints which depend on embedded
Jetty. CXF JAX-RS clients can also be configured to support SSL. </p>

<h2><a name="SecureJAX-RSServices-Configuringendpoints"></a>Configuring
endpoints</h2>

<p>JAX-RS endpoints using embedded Jetty can rely on the configuration like this one:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
       <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
       <span class="code-keyword">xmlns:http</span>=<span class="code-quote">"http://cxf.apache.org/transports/http/configuration"</span>
       <span class="code-keyword">xmlns:httpj</span>=<span class="code-quote">"http://cxf.apache.org/transports/http-jetty/configuration"</span>
       <span class="code-keyword">xmlns:sec</span>=<span class="code-quote">"http://cxf.apache.org/configuration/security"</span>
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans                 http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/transports/http/configuration         http://cxf.apache.org/schemas/configuration/http-conf.xsd
        http://cxf.apache.org/transports/http-jetty/configuration   http://cxf.apache.org/schemas/configuration/http-jetty.xsd
        http://cxf.apache.org/configuration/security                http://cxf.apache.org/schemas/configuration/security.xsd"&gt;


    <span class="code-tag">&lt;httpj:engine-factory id=<span class="code-quote">"port-9095-tls-config"</span>&gt;</span>
        <span class="code-tag">&lt;httpj:engine port=<span class="code-quote">"9095"</span>&gt;</span>
            <span class="code-tag">&lt;httpj:tlsServerParameters&gt;</span>
               <span class="code-tag">&lt;sec:keyManagers keyPassword=<span class="code-quote">"password"</span>&gt;</span>
	           &lt;sec:keyStore type=<span class="code-quote">"JKS"</span> password=<span
class="code-quote">"password"</span> 
	                file=<span class="code-quote">"src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"</span>/&gt;
	      		<span class="code-tag">&lt;/sec:keyManagers&gt;</span>
	      		<span class="code-tag">&lt;sec:trustManagers&gt;</span>
	          	&lt;sec:keyStore type=<span class="code-quote">"JKS"</span> password=<span
class="code-quote">"password"</span>
	               file=<span class="code-quote">"src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"</span>/&gt;
	     		<span class="code-tag">&lt;/sec:trustManagers&gt;</span>
            <span class="code-tag">&lt;/httpj:tlsServerParameters&gt;</span>
        <span class="code-tag">&lt;/httpj:engine&gt;</span>
    <span class="code-tag">&lt;/httpj:engine-factory&gt;</span>
<span class="code-tag">&lt;/beans&gt;</span>
</pre>
</div></div>

<p>If you use JAXRSServerFactoryBean to create and start JAX-RS endpoints from the code
then the above configuration can be utilized like this:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
JAXRSServerFactoryBean bean = <span class="code-keyword">new</span> JAXRSServerFactoryBean();
SpringBusFactory bf = <span class="code-keyword">new</span> SpringBusFactory();
Bus bus = bf.createBus(<span class="code-quote">"configuration/beans.xml"</span>);
bean.setBus(bus);
bean.setAddress(<span class="code-quote">"http:<span class="code-comment">//localhost:9095/<span
class="code-keyword">rest</span>"</span>);
</span>bean.setServiceClass(CustomerService.class);
</pre>
</div></div>

<p>If you also have a jaxrs:server endpoint declared in the above beans.xml, then make
sure you have a 'depends-on' attribute set:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;jaxrs:server serviceClass=<span class="code-quote">"CustomerService.class"</span>
address=<span class="code-quote">"http://localhost:9095/rest"</span>
   depends-on=<span class="code-quote">"port-9095-tls-config"</span>/&gt;
</pre>
</div></div> 

<p>Once you have JAX-RS and Jetty HTTPS combined then you can get the application context
initiated like this:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">public</span> class Server {

    <span class="code-keyword">public</span> void main(<span class="code-object">String</span>[]
args) <span class="code-keyword">throws</span> Exception {
        Bus busLocal = <span class="code-keyword">new</span> SpringBusFactory().createBus(<span
class="code-quote">"configuration/beans.xml"</span>);
        BusFactory.setDefaultBus(busLocal);
        <span class="code-keyword">new</span> Server();
        <span class="code-object">Thread</span>.sleep(60000);
    }
}
</pre>
</div></div>

<p>Having JAX-RS endpoints declared alongside CXF Jetty HTTPS configuration is only
needed when an embedded Jetty container is used. If you have application WARs deployed into
Tomcat or Jetty then please follow container-specific guides on how to set up SSL.</p>

<p>Please also see this <a href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/"
class="external-link" rel="nofollow">HTTPS-based demo</a> in the CXF distribution.</p>

<p>Additionally check the <a href="http://cxf.apache.org/docs/jetty-configuration.html"
class="external-link" rel="nofollow">CXF Jetty Configuration</a> section.</p>

<h2><a name="SecureJAX-RSServices-Configuringclients"></a>Configuring clients</h2>

<p>Secure HTTPConduits for CXF JAX-RS proxies and WebClients can be configured as described
in this <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html"
class="external-link" rel="nofollow">section</a>. </p>

<p>For example, check this <a href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml"
class="external-link" rel="nofollow">configuration file</a>. Endpoint addresses used
by proxies or clients have to match the pattern used in the HTTPConduit configuration.</p>

<p>The configuration file can be referenced during the proxy or WebClient creation:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">final</span> Stribg address = <span class="code-quote">"http:<span
class="code-comment">//localhost:9095/<span class="code-keyword">rest</span>"</span>;
</span><span class="code-keyword">final</span> <span class="code-object">String</span>
configLocation;

WebClient client = WebClient.create(address, configLocation);
<span class="code-comment">// or
</span>BookStore proxy = JAXRSClientFactory.create(address, configLocation, BookStore.class);
</pre>
</div></div>

<p>HTTPConduits can also be 'bound' to proxies or WebClients using expanded QNames.
Please see this <a href="http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring"
class="external-link" rel="nofollow">section</a> for more information.</p>

<h1><a name="SecureJAX-RSServices-Authentication"></a>Authentication</h1>

<p>It is often containers like Tomcat or frameworks like Spring Security which handle
the user authentication. Sometimes you might want to do the custom authentication instead.
CXF HTTP Transport adds decoded Basic Authentication credentials into an instance of AuthorizationPolicy
extension and sets it on the current message. Thus the easiest way is to register a custom
invoker or <tt>RequestHandler</tt> filter which will extract a user name and password
like this:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">public</span> class AuthenticationHandler <span
class="code-keyword">implements</span> RequestHandler {

    <span class="code-keyword">public</span> Response handleRequest(Message m,
ClassResourceInfo resourceClass) {
        AuthorizationPolicy policy = (AuthorizationPolicy)m.get(AuthorizationPolicy.class);
        <span class="code-object">String</span> username = policy.getUserName();
        <span class="code-object">String</span> password = policy.getPassword();

        <span class="code-keyword">if</span> (isAuthenticated(username, password))
{
            <span class="code-comment">// let request to <span class="code-keyword">continue</span>
</span>            <span class="code-keyword">return</span> <span class="code-keyword">null</span>;
        } <span class="code-keyword">else</span> {
            <span class="code-comment">// authentication failed 
</span>            <span class="code-keyword">return</span> Response.status(401).build();
  
        }
    }

}
</pre>
</div></div> 

<p>One other thing you may want to do, after authenticating a user, is to initialize
org.apache.cxf.security.SecurityContext with Principals representing the user and its roles
(if available).</p>

<p>If you prefer using Spring Security then see how the authentication is handled in
a <a href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security"
class="external-link" rel="nofollow">spring-security</a> demo.</p>

<p>Next, please see the <a href="/confluence/display/CXF20DOC/Security" title="Security">Security</a>
section on how CXF Security interceptors can help. </p>

<p>Additionally check this <a href="http://sberyozkin.blogspot.com/2010/12/authentication-and-authorization-cxf.html"
class="external-link" rel="nofollow">blog entry</a> for more information on how CXF
JAX-RS wraps the CXF security interceptors with helper filters.</p>

<p>For example, see how a JAX-RS filter can be used to wrap CXF JAASLoginInterceptor:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/jaas"</span>&gt;</span>
    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
       <span class="code-tag">&lt;bean class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.SecureBookStoreNoAnnotations"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>		   
    <span class="code-tag">&lt;jaxrs:providers&gt;</span>
        <span class="code-tag">&lt;ref bean=<span class="code-quote">"authenticationFilter"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
  <span class="code-tag">&lt;/jaxrs:server&gt;</span>
  
  <span class="code-tag">&lt;bean id=<span class="code-quote">"authenticationFilter"</span>
class=<span class="code-quote">"org.apache.cxf.jaxrs.security.JAASAutheenticationFilter"</span>&gt;</span>
        <span class="code-tag"><span class="code-comment">&lt;!-- Name of
the JAAS Context --&gt;</span></span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"contextName"</span>
value=<span class="code-quote">"BookLogin"</span>/&gt;</span>
        &lt;!-- Hint to the filter on how to have Principals representing users and roles
separated 
             while initializing a SecurityContext --&gt;
        <span class="code-tag">&lt;property name=<span class="code-quote">"rolePrefix"</span>
value=<span class="code-quote">"ROLE_"</span>/&gt;</span>
        
        <span class="code-tag">&lt;property name=<span class="code-quote">"redirectURI"</span>
value=<span class="code-quote">"/login.jsp"</span>/&gt;</span>
  <span class="code-tag">&lt;/bean&gt;</span>
</pre>
</div></div>

<p>The filter will redirect the client to "/login.jsp" if the authentication fails.
If no 'redirectURI' property is set then 401 will be returned. A "realmName" property can
also be set. </p>

<p>If the JAAS Authentication succeeds then the filter will set a SecurityContext instance
on the message. This context can be used for authorization decisions. </p>

<h1><a name="SecureJAX-RSServices-Authorization"></a>Authorization</h1>

<p>It is often containers like Tomcat or frameworks like Spring Security which handle
user authorization, similarly to the way the authentication is handled.</p>

<p>CXF also provides two interceptors which make it easy to enforce authorization decisions,
as described in the <a href="/confluence/display/CXF20DOC/Security" title="Security">Security</a>
section.<br/>
CXF JAX-RS SimpleAuthorizingFilter can be used to wrap those interceptors and return 403 in
case of failures:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/jaas"</span>&gt;</span>
    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
       <span class="code-tag">&lt;bean class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.SecureBookStoreNoAnnotations"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>		   
    <span class="code-tag">&lt;jaxrs:providers&gt;</span>
        <span class="code-tag">&lt;ref bean=<span class="code-quote">"authorizationFilter"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
  <span class="code-tag">&lt;/jaxrs:server&gt;</span>
  
  <span class="code-tag">&lt;bean id=<span class="code-quote">"authorizationFilter"</span>
class=<span class="code-quote">"org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter"</span>&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"methodRolesMap"</span>
ref=<span class="code-quote">"rolesMap"</span>/&gt;</span>
  <span class="code-tag">&lt;/bean&gt;</span>
  
  <span class="code-tag">&lt;util:map id=<span class="code-quote">"rolesMap"</span>&gt;</span>
     <span class="code-tag">&lt;entry key=<span class="code-quote">"getThatBook"</span>
value=<span class="code-quote">"ROLE_BOOK_OWNER"</span>/&gt;</span>
     <span class="code-tag">&lt;entry key=<span class="code-quote">"getBook"</span>
value=<span class="code-quote">"ROLE_BOOK_OWNER"</span>/&gt;</span>
  <span class="code-tag">&lt;/util:map&gt;</span>
</pre>
</div></div>

<p>SimpleAuthorizingFilter can also wrap CXF SecureAnnotationsInterceptor.</p>

<p>Note that wrapping CXF security interceptors with JAX-RS filters is not required;
it simply makes it easier to handle authentication and authorization exceptions and return
appropriate HTTP error statuses.</p>

<h1><a name="SecureJAX-RSServices-WSTrustintegration"></a>WS-Trust integration</h1>

<p>One of the requirements for deploying CXF endpoints into secure web service environments
is to ensure that existing WS-Trust STS services can be used to protect the endpoints. JAX-WS
endpoints can rely on CXF WS-Security and WS-Trust support. Making sure CXF JAX-RS endpoints
can be additionally secured by STS is strategically important task. CXF provides close integration
between JAX-WS and JAX-RS frontends thus reusing CXF JAX-WS and WS-Security is the most effective
way toward achieving this integration.</p>

<p>At the moment what can be done is to have Basic Authentication credentials validated
with STS. The next step is to provide a more advanced integration with STS, stay tuned.  
  </p>

<h2><a name="SecureJAX-RSServices-ValidatingBasicAuthcredentialswithSTS"></a>Validating
BasicAuth credentials with STS</h2>

<p>Validating Basic Authentication credentials with STS is possible starting from CXF
2.4.1. JAX-RS and JAX-WS services can rely on this feature. Here is an example on how a jaxrs
endpoint can be configured:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;jaxrs:server serviceClass=<span class="code-quote">"org.customers.CustomerService"</span>
      depends-on=<span class="code-quote">"ClientAuthHttpsSettings"</span>
      address=<span class="code-quote">"https://localhost:8081/rest"</span>&gt;

      <span class="code-tag">&lt;jaxrs:inInterceptors&gt;</span>
         <span class="code-tag">&lt;ref bean=<span class="code-quote">"basicAuthValidator"</span>/&gt;</span>
      <span class="code-tag">&lt;/jaxrs:inInterceptors&gt;</span>
  
      <span class="code-tag">&lt;jaxrs:properties&gt;</span>
           <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.sts.client"</span>&gt;</span>
              <span class="code-tag">&lt;ref bean=<span class="code-quote">"stsclient"</span>/&gt;</span>
           <span class="code-tag">&lt;/entry&gt;</span>
      <span class="code-tag">&lt;/jaxrs:properties&gt;</span>

   <span class="code-tag">&lt;/jaxrs:server&gt;</span>
   
   <span class="code-tag">&lt;bean id=<span class="code-quote">"basicAuthValidator"</span>
class=<span class="code-quote">"org.apache.cxf.ws.security.trust.AuthPolicyValidatingInterceptor"</span>&gt;</span>
       <span class="code-tag">&lt;property name=<span class="code-quote">"validator"</span>&gt;</span>
              <span class="code-tag">&lt;bean class=<span class="code-quote">"org.apache.cxf.ws.security.trust.STSTokenValidator"</span>&gt;</span>
                  <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"true"</span>/&gt;</span>
              <span class="code-tag">&lt;/bean&gt;</span>
       <span class="code-tag">&lt;/property&gt;</span>
   <span class="code-tag">&lt;/bean&gt;</span>

   <span class="code-tag">&lt;bean id=<span class="code-quote">"stsclient"</span>
class=<span class="code-quote">"org.apache.cxf.ws.security.trust.STSClient"</span>&gt;</span>
       <span class="code-tag">&lt;constructor-arg ref=<span class="code-quote">"cxf"</span>/&gt;</span>
       <span class="code-tag">&lt;property name=<span class="code-quote">"wsdlLocation"</span>
value=<span class="code-quote">"https://localhost:8081/sts?wsdl"</span>/&gt;</span>
       <span class="code-tag">&lt;property name=<span class="code-quote">"serviceName"</span>
value=<span class="code-quote">"{http://tempuri.org/}STSService"</span>/&gt;</span>
       <span class="code-tag">&lt;property name=<span class="code-quote">"endpointName"</span>
value=<span class="code-quote">"{http://tempuri.org/STSServicePort"</span>/&gt;</span>
   <span class="code-tag">&lt;/bean&gt;</span> 
</pre>
</div></div>

<p>AuthPolicyValidatingInterceptor converts Basic Auth info into WSS4J UsernameToken
and delegates to STS to validate.</p>

<h1><a name="SecureJAX-RSServices-NoteaboutSecurityManager"></a>Note about
SecurityManager</h1>

<p>If <tt>java.lang.SecurityManager</tt> is installed then you'll likely
need to configure the trusted JAX-RS codebase with a 'suppressAccessChecks' permission for
the injection of JAXRS context or parameter fields to succeed. For example, you may want to
update a Tomcat <a href="http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html"
class="external-link" rel="nofollow">catalina.policy</a> with the following permission
:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
grant codeBase <span class="code-quote">"file:${catalina.home}/webapps/yourwebapp/lib/cxf.jar"</span>
{
    permission java.lang.reflect.ReflectPermission <span class="code-quote">"suppressAccessChecks"</span>;
};
</pre>
</div></div>

    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Secure+JAX-RS+Services">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=26119178&revisedVersion=5&originalVersion=4">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Secure+JAX-RS+Services?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message