cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > JAX-RS XML Security
Date Wed, 02 Nov 2011 23:08:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+XML+Security">JAX-RS
XML Security</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey
Beryozkin</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <p><span style="font-size:2em;font-weight:bold"> JAX-RS XML Security
</span></p>


<div>
<ul>
    <li><a href='#JAX-RSXMLSecurity-Introduction'>Introduction</a></li>
    <li><a href='#JAX-RSXMLSecurity-Mavendependencies'>Maven dependencies</a></li>
    <li><a href='#JAX-RSXMLSecurity-XMLSignature'>XML Signature</a></li>
<ul>
    <li><a href='#JAX-RSXMLSecurity-Envelopedsignatures'>Enveloped signatures</a></li>
    <li><a href='#JAX-RSXMLSecurity-Envelopingsignatures'>Enveloping signatures</a></li>
    <li><a href='#JAX-RSXMLSecurity-Detachedsignatures'>Detached signatures</a></li>
</ul>
    <li><a href='#JAX-RSXMLSecurity-XMLEncryption'>XML Encryption</a></li>
</ul></div>

<h1><a name="JAX-RSXMLSecurity-Introduction"></a>Introduction</h1>

<p>CXF 2.5.0 introduces an initial support for securing JAX-RS clients and endpoints
with <a href="http://www.w3.org/TR/xmldsig-core/" class="external-link" rel="nofollow">XML
Signature</a> and <a href="http://www.w3.org/TR/xmlenc-core/" class="external-link"
rel="nofollow">XML Encryption</a>. <br/>
This is a work in progress and the enhancements will be applied regularly. Support for the
alternative signature and encryption technologies will also be provided in due time.</p>

<h1><a name="JAX-RSXMLSecurity-Mavendependencies"></a>Maven dependencies</h1>

<h1><a name="JAX-RSXMLSecurity-XMLSignature"></a>XML Signature</h1>

<p><a href="http://www.w3.org/TR/xmldsig-core/" class="external-link" rel="nofollow">XML
Signature</a> defines 3 types of signatures: enveloped, enveloping and detached. All
the three types are supported by CXF JAX-RS.</p>

<h2><a name="JAX-RSXMLSecurity-Envelopedsignatures"></a>Enveloped signatures</h2>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;Book ID=<span class="code-quote">"4bd59819-7b78-47a5-bb61-cc08348e9d48"</span>&gt;</span>
   <span class="code-tag">&lt;id&gt;</span>126<span class="code-tag">&lt;/id&gt;</span>
   <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>

   <span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
      <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
         <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span
class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
         <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
         <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#4bd59819-7b78-47a5-bb61-cc08348e9d48"</span>&gt;</span>
           <span class="code-tag">&lt;ds:Transforms&gt;</span>
             <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</span>/&gt;</span>
             <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
           <span class="code-tag">&lt;/ds:Transforms&gt;</span>
           <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
           <span class="code-tag">&lt;ds:DigestValue&gt;</span>eFduzs6Cg1/Wd6jagUmr8vRYxHY=<span
class="code-tag">&lt;/ds:DigestValue&gt;</span>
         <span class="code-tag">&lt;/ds:Reference&gt;</span>
      <span class="code-tag">&lt;/ds:SignedInfo&gt;</span>
<span class="code-tag">&lt;ds:SignatureValue&gt;</span>DLD+wU85G+Q+H/SNoMr1I7tOCAZAjd3lYE84sBGU5tuMtzbwxKOIgg10g2F1SUbpujy1CZZ9BPkQNA+gA1CH4FE3uiBzp3DDSVv6o5l6Q76Ci0XI28ylO7O1OCY+q2nbP0WtERFWOn9f9nniVKbduz6YQHjv6cNLd8pf4+k2U3g=<span
class="code-tag">&lt;/ds:SignatureValue&gt;</span>

       <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
         <span class="code-tag">&lt;ds:X509Data&gt;</span><span class="code-tag">&lt;ds:X509Certificate&gt;</span>MIICGjCCAYOgAwIBAgIESVRgATANBgkqhkiG9w0BAQUFADAzMRMwEQYDVQQKEwphcGFjaGUub3JnMQwwCgYDVQQLEwNlbmcxDjAMBgNVBAMTBWN4ZmNhMB4XDTcwMDEwMTAwMDAwMFoXDTM4MDExOTAzMTQwN1owMzETMBEGA1UEChMKYXBhY2hlLm9yZzEMMAoGA1UECxMDZW5nMQ4wDAYDVQQDEwVhbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzsCAwEAAaM7MDkwIQYDVR0SBBowGIIWTk9UX0ZPUl9QUk9EVUNUSU9OX1VTRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQEFBQADgYEAhLwkm+8psKt4gnbikGzV0TgpSWGcWxWKBi+z8tI2n6hFA5v1jVHHa4G9h3s0nxQ2TewzeR/k7gmgV2sI483NgrYHmTmLKaDBWza2pAuZuDhQH8GAEhJakFtKBP++EC9rNNpZnqqHxx3qb2tW25qRtBzDmK921gg9PMomMc7uqRQ=<span
class="code-tag">&lt;/ds:X509Certificate&gt;</span>
        <span class="code-tag">&lt;/ds:X509Data&gt;</span>

        <span class="code-tag">&lt;ds:KeyValue&gt;</span>
          <span class="code-tag">&lt;ds:RSAKeyValue&gt;</span>
             <span class="code-tag">&lt;ds:Modulus&gt;</span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span
class="code-tag">&lt;/ds:Modulus&gt;</span>
             <span class="code-tag">&lt;ds:Exponent&gt;</span>AQAB<span
class="code-tag">&lt;/ds:Exponent&gt;</span>
          <span class="code-tag">&lt;/ds:RSAKeyValue&gt;</span>
        <span class="code-tag">&lt;/ds:KeyValue&gt;</span>
       <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
     <span class="code-tag">&lt;/ds:Signature&gt;</span>

<span class="code-tag">&lt;/Book&gt;</span>
</pre>
</div></div>

<p>Server Configuration fragment:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">

<span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span>
class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/&gt;</span>
<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>

<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/xmlsig"</span>&gt;</span>

    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
      <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
    <span class="code-tag">&lt;jaxrs:providers&gt;</span>
      <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigHandler"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:providers&gt;</span> 
    <span class="code-tag">&lt;jaxrs:properties&gt;</span>
        &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>

              value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;
    <span class="code-tag">&lt;/jaxrs:properties&gt;</span> 
<span class="code-tag">&lt;/jaxrs:server&gt;</span>

</pre>
</div></div>

<p>Note that org.apache.cxf.rs.security.xml.XmlSigInHandler is capable of processing
all 3 types of XML Signature. </p>

<p>Client code:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<span class="code-object">String</span> address = <span class="code-quote">"https:<span
class="code-comment">//localhost:8080/xmlsig/bookstore/books"</span>;
</span>JAXRSClientFactoryBean bean = <span class="code-keyword">new</span>
JAXRSClientFactoryBean();
bean.setAddress(address);

<span class="code-comment">// setup properties
</span>Map&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt;
properties = <span class="code-keyword">new</span> HashMap&lt;<span class="code-object">String</span>,
<span class="code-object">Object</span>&gt;();
properties.put(<span class="code-quote">"ws-security.callback-handler"</span>,

               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
properties.put(<span class="code-quote">"ws-security.signature.username"</span>,
<span class="code-quote">"alice"</span>);
properties.put(<span class="code-quote">"ws-security.signature.properties"</span>,

               <span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>);
bean.setProperties(properties);

<span class="code-comment">// add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span>
XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);
        
<span class="code-comment">// use WebClient (or proxy) as usual
</span>WebClient wc = bean.createWebClient();
Book book = wc.post(<span class="code-keyword">new</span> Book(<span class="code-quote">"CXF"</span>,
126L), Book.class);
</pre>
</div></div>

<p>Spring configuration can also be used.<br/>
Please also check <a href="/confluence/display/CXF20DOC/Secure+JAX-RS+Services" title="Secure
JAX-RS Services">Secure JAX&#45;RS Services</a> on how HTTPS can be configured.</p>

<h2><a name="JAX-RSXMLSecurity-Envelopingsignatures"></a>Enveloping signatures</h2>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
   <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
      <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
      <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
      <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#88e688e6-6512-406f-9e88-a58e5d781ff0"</span>&gt;</span>
        <span class="code-tag">&lt;ds:Transforms&gt;</span>
           <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
        <span class="code-tag">&lt;/ds:Transforms&gt;</span>
        <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
        <span class="code-tag">&lt;ds:DigestValue&gt;</span>Cq3zl3t3DqWTvuZ+4EtZgGs4ikk=<span
class="code-tag">&lt;/ds:DigestValue&gt;</span>
      <span class="code-tag">&lt;/ds:Reference&gt;</span>
   <span class="code-tag">&lt;/ds:SignedInfo&gt;</span><span class="code-tag">&lt;ds:SignatureValue&gt;</span>NvcCS8vx3YJkc8fHMf8bQkC+lwasC6CwiS7HfKSm8t+6TtYdM7TRbYxSuqfCTkF4vBIldWIzl6UngON592FfJdbvrgE2CusCkIybrP7BBmP7zTSV0GjH4/60L6ObkhGPkMNoKzw4V+zgF7Zo+F7ngsz5ZUWZX/GWETmTtYtcfT0=<span
class="code-tag">&lt;/ds:SignatureValue&gt;</span>
   <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
     <span class="code-tag">&lt;ds:X509Data&gt;</span>
       <span class="code-tag">&lt;ds:X509Certificate&gt;</span><span
class="code-tag"><span class="code-comment">&lt;!-- Omitted for brewity--&gt;</span></span><span
class="code-tag">&lt;/ds:X509Certificate&gt;</span>
     <span class="code-tag">&lt;/ds:X509Data&gt;</span>
     <span class="code-tag">&lt;ds:KeyValue&gt;</span>
      <span class="code-tag">&lt;ds:RSAKeyValue&gt;</span><span class="code-tag">&lt;ds:Modulus&gt;</span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span
class="code-tag">&lt;/ds:Modulus&gt;</span>
       <span class="code-tag">&lt;ds:Exponent&gt;</span>AQAB<span class="code-tag">&lt;/ds:Exponent&gt;</span>
      <span class="code-tag">&lt;/ds:RSAKeyValue&gt;</span>
     <span class="code-tag">&lt;/ds:KeyValue&gt;</span>
   <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
   <span class="code-tag">&lt;ds:Object ID=<span class="code-quote">"88e688e6-6512-406f-9e88-a58e5d781ff0"</span>&gt;</span>

      <span class="code-tag">&lt;Book&gt;</span>
         <span class="code-tag">&lt;id&gt;</span>126<span class="code-tag">&lt;/id&gt;</span>
         <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>
      <span class="code-tag">&lt;/Book&gt;</span>
   <span class="code-tag">&lt;/ds:Object&gt;</span>
<span class="code-tag">&lt;/ds:Signature&gt;</span>
</pre>
</div></div>

<p>Server Configuration fragment is identical to the one shown in the Enveloped signatures
section.</p>

<p>Client code is is nearly identical to the one shown in the Enveloped signatures section
except that XmlSigOutInterceptor need to have an additional property set:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<span class="code-comment">// add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span>
XmlSigOutInterceptor();
sigInterceptor.setStyle(<span class="code-quote">"enveloping"</span>);

</pre>
</div></div>

<h2><a name="JAX-RSXMLSecurity-Detachedsignatures"></a>Detached signatures</h2>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;env:Envelope <span class="code-keyword">xmlns:env</span>=<span
class="code-quote">"http://org.apache.cxf/rs/env"</span>&gt;</span>

  <span class="code-tag">&lt;Book ID=<span class="code-quote">"e9836bc2-cb5a-453f-b967-a9ddbaf9a6de"</span>&gt;</span>
    <span class="code-tag">&lt;id&gt;</span>125<span class="code-tag">&lt;/id&gt;</span>
    <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>
   <span class="code-tag">&lt;/Book&gt;</span>
   <span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
     <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
       <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
       <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
       <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#e9836bc2-cb5a-453f-b967-a9ddbaf9a6de"</span>&gt;</span>
         <span class="code-tag">&lt;ds:Transforms&gt;</span>
           <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
         <span class="code-tag">&lt;/ds:Transforms&gt;</span>
         <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
         <span class="code-tag">&lt;ds:DigestValue&gt;</span>Pxz77Hlg6I/MRsJz4gixkaMFtYI=<span
class="code-tag">&lt;/ds:DigestValue&gt;</span>
       <span class="code-tag">&lt;/ds:Reference&gt;</span>
     <span class="code-tag">&lt;/ds:SignedInfo&gt;</span>
<span class="code-tag">&lt;ds:SignatureValue&gt;</span>JSwgiVqZT1EtJ9xqtb90juS54pvZguzFMne7cQyGMQDvBW7b65aAAIfVx/PmFB7Tuy4qB4zqNFCzCwHlhDurNP9NYB7PEzFsA3v3vSyEcHnpUhu41xmBvjT5HWEKbuzqX0dHekizuUefbfzG5WpluVPmOgjashrm9DIhfEf+Hyg=<span
class="code-tag">&lt;/ds:SignatureValue&gt;</span>
     <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
      <span class="code-tag">&lt;ds:X509Data&gt;</span>
         <span class="code-tag">&lt;ds:X509Certificate&gt;</span><span
class="code-tag"><span class="code-comment">&lt;!--Omitted for Brewity--&gt;</span></span><span
class="code-tag">&lt;/ds:X509Certificate&gt;</span>
      <span class="code-tag">&lt;/ds:X509Data&gt;</span>
      <span class="code-tag">&lt;ds:KeyValue&gt;</span>
        <span class="code-tag">&lt;ds:RSAKeyValue&gt;</span>
          <span class="code-tag">&lt;ds:Modulus&gt;</span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span
class="code-tag">&lt;/ds:Modulus&gt;</span>
          <span class="code-tag">&lt;ds:Exponent&gt;</span>AQAB<span
class="code-tag">&lt;/ds:Exponent&gt;</span>
        <span class="code-tag">&lt;/ds:RSAKeyValue&gt;</span>
      <span class="code-tag">&lt;/ds:KeyValue&gt;</span>
     <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
   <span class="code-tag">&lt;/ds:Signature&gt;</span>

    <span class="code-tag">&lt;saml2:Assertion <span class="code-keyword">xmlns:saml2</span>=<span
class="code-quote">"urn:oasis:names:tc:SAML:2.0:assertion"</span> <span class="code-keyword">xmlns:xs</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema"</span> <span class="code-keyword">xmlns:xsi</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> ID=<span
class="code-quote">"_E462768C678896CE9913202742137181"</span> IssueInstant=<span
class="code-quote">"2011-11-02T22:50:13.718Z"</span> Version=<span class="code-quote">"2.0"</span>
xsi:type=<span class="code-quote">"saml2:AssertionType"</span>&gt;</span>

<span class="code-tag">&lt;saml2:Issuer&gt;</span>https://idp.example.org/SAML2<span
class="code-tag">&lt;/saml2:Issuer&gt;</span>

<span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
 &lt;!-- 
    Enveloped/embedded SAML Assertion XML Signature is omitted for brewity
    See the JAX-RS SAML section for more info
 --&gt;
<span class="code-tag">&lt;/ds:Signature&gt;</span>
<span class="code-tag"><span class="code-comment">&lt;!-- the rest of SAML
assertion --&gt;</span></span>
<span class="code-tag">&lt;/saml2:Assertion&gt;</span>
<span class="code-tag">&lt;/env:Envelope&gt;</span>
</pre>
</div></div>

<p>Note that the whole payload is enveloped by a configurable element wrapper, see the
<a href="/confluence/pages/createpage.action?spaceKey=CXF20DOC&amp;title=JAX-RS+SAML&amp;linkCreation=true&amp;fromPageId=27830245"
class="createlink">JAX&#45;RS SAML</a> section for more about it. The Book instance
is one part of the envelope and it's signed by a detached signature. The envelope also has
an embedded SAML assertion which is signed on its own.</p>

<p>The instance of org.apache.cxf.rs.security.xml.XmlSigInHandler will handle a detached
XML signature of the Book XML fragment on the server side. See the <a href="/confluence/pages/createpage.action?spaceKey=CXF20DOC&amp;title=JAX-RS+SAML&amp;linkCreation=true&amp;fromPageId=27830245"
class="createlink">JAX&#45;RS SAML</a> for more info on how to deal with SAML
assertions.</p>

<p>Client code is is nearly identical to the one shown in the Enveloped signatures section
except that XmlSigOutInterceptor need to have an additional property set:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<span class="code-comment">// add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span>
XmlSigOutInterceptor();
sigInterceptor.setStyle(<span class="code-quote">"detached"</span>);

</pre>
</div></div>


<h1><a name="JAX-RSXMLSecurity-XMLEncryption"></a>XML Encryption</h1>
    </div>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>
       <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+XML+Security">View
Online</a>
              |
       <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+XML+Security?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
           </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message