cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [CONF] Apache CXF Documentation > Secure JAX-RS Services
Date Thu, 28 Apr 2011 15:58:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">Secure
JAX-RS Services</a></h2>
    <h4>Page  <b>added</b> by             <a href="">Sergey
    <div class="notificationGreySide">
         <p><span style="font-size:2em;font-weight:bold"> JAX-RS: Security </span></p>

    <li><a href='#SecureJAX-RSServices-HTTPS'>HTTPS</a></li>
    <li><a href='#SecureJAX-RSServices-Authentication'>Authentication</a></li>
    <li><a href='#SecureJAX-RSServices-Authorization'>Authorization</a></li>

<h1><a name="SecureJAX-RSServices-HTTPS"></a>HTTPS</h1>

<h1><a name="SecureJAX-RSServices-Authentication"></a>Authentication</h1>

<p>It is often containers like Tomcat or frameworks like Spring Security which handle
user authentication. Sometimes you might want to do the custom authentication instead. The
easiest way to do this is to register a custom invoker or <tt>RequestHandler</tt>
filter which will extract a user name and password like this:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">public</span> class AuthenticationHandler <span
class="code-keyword">implements</span> RequestHandler {

    <span class="code-keyword">public</span> Response handleRequest(Message m,
ClassResourceInfo resourceClass) {
        AuthorizationPolicy policy = (AuthorizationPolicy)m.get(AuthorizationPolicy.class);
        <span class="code-keyword">return</span> <span class="code-keyword">null</span>;


<p>A demo called <tt>samples\jax_rs\spring_security</tt> shows how to provide
the authentication and authorization with the help of Spring Security.</p>

<p>Please see the <a href="/confluence/display/CXF20DOC/Security" title="Security">Security</a>
section on how CXF Security interceptors can help. Check this <a href=""
class="external-link" rel="nofollow">blog entry</a> for more information on how CXF
JAX-RS wraps the CXF security interceptors with helper filters.</p>

<h1><a name="SecureJAX-RSServices-Authorization"></a>Authorization</h1>

<p><b>SecurityManager and IllegalAccessExceptions</b></p>

<p>If <tt>java.lang.SecurityManager</tt> is installed then you'll likely
need to configure the trusted JAX-RS codebase with a 'suppressAccessChecks' permission for
the injection of JAXRS context or parameter fields to succeed. For example, you may want to
update a Tomcat <a href=""
class="external-link" rel="nofollow">catalina.policy</a> with the following permission

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
grant codeBase <span class="code-quote">"file:${catalina.home}/webapps/yourwebapp/lib/cxf.jar"</span>
    permission java.lang.reflect.ReflectPermission <span class="code-quote">"suppressAccessChecks"</span>;

    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href=""
class="grey">Change Notification Preferences</a>
       <a href="">View
       <a href=";showCommentArea=true#addcomment">Add

View raw message