cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > Secure JAX-RS Services
Date Thu, 28 Apr 2011 17:02:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Secure+JAX-RS+Services">Secure
JAX-RS Services</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey
Beryozkin</a>
    </h4>
        <br/>
                         <h4>Changes (4)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h1. HTTPS <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Transport-level
protection of JAX-RS endpoints can be managed by underlying Servlet containers, for example,
see this [Tomcat SSL Configuration section|http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html].
 <br> <br>h2. Configuring endpoints <br> <br>JAX-RS endpoints using
embedded Jetty can rely on the configuration like this one: <br> <br>{code:xml}
<br>&lt;beans xmlns=&quot;http://www.springframework.org/schema/beans&quot;
<br>       xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; <br>
      xmlns:http=&quot;http://cxf.apache.org/transports/http/configuration&quot; <br>
      xmlns:httpj=&quot;http://cxf.apache.org/transports/http-jetty/configuration&quot;
<br>       xmlns:sec=&quot;http://cxf.apache.org/configuration/security&quot;
<br>       xsi:schemaLocation=&quot; <br>        http://www.springframework.org/schema/beans
                http://www.springframework.org/schema/beans/spring-beans.xsd <br>  
     http://cxf.apache.org/transports/http/configuration         http://cxf.apache.org/schemas/configuration/http-conf.xsd
<br>        http://cxf.apache.org/transports/http-jetty/configuration   http://cxf.apache.org/schemas/configuration/http-jetty.xsd
<br>        http://cxf.apache.org/configuration/security                http://cxf.apache.org/schemas/configuration/security.xsd&quot;&gt;
<br> <br> <br>    &lt;httpj:engine-factory id=&quot;port-9095-tls-config&quot;&gt;
<br>        &lt;httpj:engine port=&quot;9095&quot;&gt; <br>  
         &lt;httpj:tlsServerParameters&gt; <br>               &lt;sec:keyManagers
keyPassword=&quot;password&quot;&gt; <br>	           &lt;sec:keyStore
type=&quot;JKS&quot; password=&quot;password&quot;  <br>	          
     file=&quot;src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks&quot;/&gt;
<br>	      		&lt;/sec:keyManagers&gt; <br>	      		&lt;sec:trustManagers&gt;
<br>	          	&lt;sec:keyStore type=&quot;JKS&quot; password=&quot;password&quot;
<br>	               file=&quot;src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks&quot;/&gt;
<br>	     		&lt;/sec:trustManagers&gt; <br>            &lt;/httpj:tlsServerParameters&gt;
<br>        &lt;/httpj:engine&gt; <br>    &lt;/httpj:engine-factory&gt;
<br>&lt;/beans&gt; <br>{code} <br> <br>If you use JAXRSServerFactoryBean
to create and start JAX-RS endpoints from the code then the above configuration can be utilized
like this: <br>{code:java} <br>JAXRSServerFactoryBean bean = new JAXRSServerFactoryBean();
<br>SpringBusFactory bf = new SpringBusFactory(); <br>Bus bus = bf.createBus(&quot;configuration/beans.xml&quot;);
<br>bean.setBus(bus); <br>bean.setAddress(&quot;http://localhost:9095/rest&quot;);
<br>bean.setServiceClass(CustomerService.class); <br>{code} <br> <br>If
you also have a jaxrs:server endpoint declared in the above beans.xml, then make sure you
have a &#39;depends-on&#39; attribute set: <br> <br>{code:xml} <br>&lt;jaxrs:server
serviceClass=&quot;CustomerService.class&quot; address=&quot;http://localhost:9095/rest&quot;
<br>   depends-on=&quot;port-9095-tls-config&quot;/&gt; <br>{code}
 <br> <br>Once you have JAX-RS and Jetty HTTPS combined then you can get the application
context initiated like this: <br> <br>{code:java} <br>public class Server
{ <br> <br>    public void main(String[] args) throws Exception { <br> 
      Bus busLocal = new SpringBusFactory().createBus(&quot;configuration/beans.xml&quot;);
<br>        BusFactory.setDefaultBus(busLocal); <br>        new Server(); <br>
       Thread.sleep(60000); <br>    } <br>} <br>{code} <br> <br>Having
JAX-RS endpoints declared alongside CXF Jetty HTTPS configuration is only needed when an embedded
Jetty container is used. If you have application WARs deployed into Tomcat or Jetty then please
follow container-specific guides on how to set up SSL. <br> <br>Please also see
this [HTTPS-based demo|http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/]
in the CXF distribution. <br> <br>Additionally check the [CXF Jetty Configuration|http://cxf.apache.org/docs/jetty-configuration.html]
section. <br> <br>h2. Configuring clients <br> <br>Secure HTTPConduits
for CXF JAX-RS proxies and WebClients can be configured as described in this [section|http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html].
 <br> <br>For example, check this [configuration file|http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml].
Endpoint addresses used by proxies or clients have to match the pattern used in the HTTPConduit
configuration. <br> <br>The configuration file can be referenced during the proxy
or WebClient creation: <br>{code:java} <br>final Stribg address = &quot;http://localhost:9095/rest&quot;;
<br>final String configLocation; <br> <br>WebClient client = WebClient.create(address,
configLocation); <br>// or <br>BookStore proxy = JAXRSClientFactory.create(address,
configLocation, BookStore.class); <br>{code} <br> <br>HTTPConduits can also
be &#39;bound&#39; to proxies or WebClients using expanded QNames. Please see this
[section|http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring]
for more information. <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h1. Authentication <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">*SecurityManager
and IllegalAccessExceptions* <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h1.
WS-Trust integration <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h2.
Validating BasicAuth credentials with STS <br> <br>h1. Note about SecurityManager
<br> <br></td></tr>
            <tr><td class="diff-unchanged" >If {{java.lang.SecurityManager}} is
installed then you&#39;ll likely need to configure the trusted JAX-RS codebase with a
&#39;suppressAccessChecks&#39; permission for the injection of JAXRS context or parameter
fields to succeed. For example, you may want to update a Tomcat [catalina.policy|http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html]
with the following permission : <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> JAX-RS: Security </span></p>

<div>
<ul>
    <li><a href='#SecureJAX-RSServices-HTTPS'>HTTPS</a></li>
<ul>
    <li><a href='#SecureJAX-RSServices-Configuringendpoints'>Configuring endpoints</a></li>
    <li><a href='#SecureJAX-RSServices-Configuringclients'>Configuring clients</a></li>
</ul>
    <li><a href='#SecureJAX-RSServices-Authentication'>Authentication</a></li>
    <li><a href='#SecureJAX-RSServices-Authorization'>Authorization</a></li>
    <li><a href='#SecureJAX-RSServices-WSTrustintegration'>WS-Trust integration</a></li>
<ul>
    <li><a href='#SecureJAX-RSServices-ValidatingBasicAuthcredentialswithSTS'>Validating
BasicAuth credentials with STS</a></li>
</ul>
    <li><a href='#SecureJAX-RSServices-NoteaboutSecurityManager'>Note about SecurityManager</a></li>
</ul></div>

<h1><a name="SecureJAX-RSServices-HTTPS"></a>HTTPS</h1>

<p>Transport-level protection of JAX-RS endpoints can be managed by underlying Servlet
containers, for example, see this <a href="http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html"
class="external-link" rel="nofollow">Tomcat SSL Configuration section</a>. </p>

<h2><a name="SecureJAX-RSServices-Configuringendpoints"></a>Configuring
endpoints</h2>

<p>JAX-RS endpoints using embedded Jetty can rely on the configuration like this one:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
       <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
       <span class="code-keyword">xmlns:http</span>=<span class="code-quote">"http://cxf.apache.org/transports/http/configuration"</span>
       <span class="code-keyword">xmlns:httpj</span>=<span class="code-quote">"http://cxf.apache.org/transports/http-jetty/configuration"</span>
       <span class="code-keyword">xmlns:sec</span>=<span class="code-quote">"http://cxf.apache.org/configuration/security"</span>
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans                 http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/transports/http/configuration         http://cxf.apache.org/schemas/configuration/http-conf.xsd
        http://cxf.apache.org/transports/http-jetty/configuration   http://cxf.apache.org/schemas/configuration/http-jetty.xsd
        http://cxf.apache.org/configuration/security                http://cxf.apache.org/schemas/configuration/security.xsd"&gt;


    <span class="code-tag">&lt;httpj:engine-factory id=<span class="code-quote">"port-9095-tls-config"</span>&gt;</span>
        <span class="code-tag">&lt;httpj:engine port=<span class="code-quote">"9095"</span>&gt;</span>
            <span class="code-tag">&lt;httpj:tlsServerParameters&gt;</span>
               <span class="code-tag">&lt;sec:keyManagers keyPassword=<span class="code-quote">"password"</span>&gt;</span>
	           &lt;sec:keyStore type=<span class="code-quote">"JKS"</span> password=<span
class="code-quote">"password"</span> 
	                file=<span class="code-quote">"src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"</span>/&gt;
	      		<span class="code-tag">&lt;/sec:keyManagers&gt;</span>
	      		<span class="code-tag">&lt;sec:trustManagers&gt;</span>
	          	&lt;sec:keyStore type=<span class="code-quote">"JKS"</span> password=<span
class="code-quote">"password"</span>
	               file=<span class="code-quote">"src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"</span>/&gt;
	     		<span class="code-tag">&lt;/sec:trustManagers&gt;</span>
            <span class="code-tag">&lt;/httpj:tlsServerParameters&gt;</span>
        <span class="code-tag">&lt;/httpj:engine&gt;</span>
    <span class="code-tag">&lt;/httpj:engine-factory&gt;</span>
<span class="code-tag">&lt;/beans&gt;</span>
</pre>
</div></div>

<p>If you use JAXRSServerFactoryBean to create and start JAX-RS endpoints from the code
then the above configuration can be utilized like this:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
JAXRSServerFactoryBean bean = <span class="code-keyword">new</span> JAXRSServerFactoryBean();
SpringBusFactory bf = <span class="code-keyword">new</span> SpringBusFactory();
Bus bus = bf.createBus(<span class="code-quote">"configuration/beans.xml"</span>);
bean.setBus(bus);
bean.setAddress(<span class="code-quote">"http:<span class="code-comment">//localhost:9095/<span
class="code-keyword">rest</span>"</span>);
</span>bean.setServiceClass(CustomerService.class);
</pre>
</div></div>

<p>If you also have a jaxrs:server endpoint declared in the above beans.xml, then make
sure you have a 'depends-on' attribute set:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;jaxrs:server serviceClass=<span class="code-quote">"CustomerService.class"</span>
address=<span class="code-quote">"http://localhost:9095/rest"</span>
   depends-on=<span class="code-quote">"port-9095-tls-config"</span>/&gt;
</pre>
</div></div> 

<p>Once you have JAX-RS and Jetty HTTPS combined then you can get the application context
initiated like this:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">public</span> class Server {

    <span class="code-keyword">public</span> void main(<span class="code-object">String</span>[]
args) <span class="code-keyword">throws</span> Exception {
        Bus busLocal = <span class="code-keyword">new</span> SpringBusFactory().createBus(<span
class="code-quote">"configuration/beans.xml"</span>);
        BusFactory.setDefaultBus(busLocal);
        <span class="code-keyword">new</span> Server();
        <span class="code-object">Thread</span>.sleep(60000);
    }
}
</pre>
</div></div>

<p>Having JAX-RS endpoints declared alongside CXF Jetty HTTPS configuration is only
needed when an embedded Jetty container is used. If you have application WARs deployed into
Tomcat or Jetty then please follow container-specific guides on how to set up SSL.</p>

<p>Please also see this <a href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/"
class="external-link" rel="nofollow">HTTPS-based demo</a> in the CXF distribution.</p>

<p>Additionally check the <a href="http://cxf.apache.org/docs/jetty-configuration.html"
class="external-link" rel="nofollow">CXF Jetty Configuration</a> section.</p>

<h2><a name="SecureJAX-RSServices-Configuringclients"></a>Configuring clients</h2>

<p>Secure HTTPConduits for CXF JAX-RS proxies and WebClients can be configured as described
in this <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html"
class="external-link" rel="nofollow">section</a>. </p>

<p>For example, check this <a href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml"
class="external-link" rel="nofollow">configuration file</a>. Endpoint addresses used
by proxies or clients have to match the pattern used in the HTTPConduit configuration.</p>

<p>The configuration file can be referenced during the proxy or WebClient creation:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">final</span> Stribg address = <span class="code-quote">"http:<span
class="code-comment">//localhost:9095/<span class="code-keyword">rest</span>"</span>;
</span><span class="code-keyword">final</span> <span class="code-object">String</span>
configLocation;

WebClient client = WebClient.create(address, configLocation);
<span class="code-comment">// or
</span>BookStore proxy = JAXRSClientFactory.create(address, configLocation, BookStore.class);
</pre>
</div></div>

<p>HTTPConduits can also be 'bound' to proxies or WebClients using expanded QNames.
Please see this <a href="http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring"
class="external-link" rel="nofollow">section</a> for more information.</p>

<h1><a name="SecureJAX-RSServices-Authentication"></a>Authentication</h1>

<p>It is often containers like Tomcat or frameworks like Spring Security which handle
user authentication. Sometimes you might want to do the custom authentication instead. The
easiest way to do this is to register a custom invoker or <tt>RequestHandler</tt>
filter which will extract a user name and password like this:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">public</span> class AuthenticationHandler <span
class="code-keyword">implements</span> RequestHandler {

    <span class="code-keyword">public</span> Response handleRequest(Message m,
ClassResourceInfo resourceClass) {
        AuthorizationPolicy policy = (AuthorizationPolicy)m.get(AuthorizationPolicy.class);
        policy.getUserName();
        policy.getPassword(); 
        <span class="code-keyword">return</span> <span class="code-keyword">null</span>;
    }

}
</pre>
</div></div> 

<p>A demo called <tt>samples\jax_rs\spring_security</tt> shows how to provide
the authentication and authorization with the help of Spring Security.</p>

<p>Please see the <a href="/confluence/display/CXF20DOC/Security" title="Security">Security</a>
section on how CXF Security interceptors can help. Check this <a href="http://sberyozkin.blogspot.com/2010/12/authentication-and-authorization-cxf.html"
class="external-link" rel="nofollow">blog entry</a> for more information on how CXF
JAX-RS wraps the CXF security interceptors with helper filters.</p>

<h1><a name="SecureJAX-RSServices-Authorization"></a>Authorization</h1>


<h1><a name="SecureJAX-RSServices-WSTrustintegration"></a>WS-Trust integration</h1>

<h2><a name="SecureJAX-RSServices-ValidatingBasicAuthcredentialswithSTS"></a>Validating
BasicAuth credentials with STS</h2>

<h1><a name="SecureJAX-RSServices-NoteaboutSecurityManager"></a>Note about
SecurityManager</h1>

<p>If <tt>java.lang.SecurityManager</tt> is installed then you'll likely
need to configure the trusted JAX-RS codebase with a 'suppressAccessChecks' permission for
the injection of JAXRS context or parameter fields to succeed. For example, you may want to
update a Tomcat <a href="http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html"
class="external-link" rel="nofollow">catalina.policy</a> with the following permission
:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
grant codeBase <span class="code-quote">"file:${catalina.home}/webapps/yourwebapp/lib/cxf.jar"</span>
{
    permission java.lang.reflect.ReflectPermission <span class="code-quote">"suppressAccessChecks"</span>;
};
</pre>
</div></div>

    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Secure+JAX-RS+Services">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=26119178&revisedVersion=2&originalVersion=1">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Secure+JAX-RS+Services?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message