cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > JAX-RS XML Security
Date Thu, 03 Nov 2011 11:57:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true" type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+XML+Security">JAX-RS XML Security</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey Beryozkin</a>
    </h4>
        <br/>
                         <h4>Changes (12)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-changed-lines" >{span:style=font-size:2em;font-weight:bold} <span class="diff-changed-words">JAX-RS<span class="diff-added-chars"style="background-color: #dfd;">:</span></span> XML Security {span} <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h1. Maven dependencies <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">{code:xml} <br>&lt;dependency&gt; <br>  &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt; <br>  &lt;artifactId&gt;cxf-rt-rs-security-xml&lt;/artifactId&gt; <br>  &lt;version&gt;2.5.0&lt;/version&gt; <br>&lt;/dependency&gt; <br>{code} <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h1. XML Signature <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Note that the Book root element is signed including its name and id children, and a signature ds:Reference links to Book.  <br> <br></td></tr>
            <tr><td class="diff-unchanged" >Server Configuration fragment: <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor(); <br>bean.getOutInterceptors().add(sigInterceptor); <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;"> <br>// load a bus with HTTPS configuration: <br>SpringBusFactory bf = new SpringBusFactory(); <br>Bus bus = bf.createBus(configLocation); <br>bean.setBus(bus); <br></td></tr>
            <tr><td class="diff-unchanged" > <br>// use WebClient (or proxy) as usual <br></td></tr>
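            <tr><td>Review bot: configLocation is used in bf.createBus(configLocation) but is never declared or described in this fragment; add a line saying it is the location of the Spring configuration that sets up HTTPS for the client (the Secure JAX-RS Services page the text links to), otherwise readers cannot tell where the HTTPS settings the comment refers to come from.</td></tr>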
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>Spring configuration can also be used. <br></td></tr>
            <tr><td class="diff-changed-lines" >Please also check [Secure JAX-RS Services] on how HTTPS can be <span class="diff-changed-words">configured<span class="diff-added-chars"style="background-color: #dfd;"> from Spring</span>.</span> <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h2. Enveloping signatures <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">This time the signature is enveloping the Book element using a ds:Object wrapper which ds:Reference links to. <br> <br></td></tr>
            <tr><td class="diff-unchanged" >Server Configuration fragment is identical to the one shown in the Enveloped signatures section. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Client code is <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">is</span> nearly identical to the one shown in the Enveloped signatures section except that XmlSigOutInterceptor need to have an additional property set: <br></td></tr>
            <tr><td class="diff-unchanged" >{code:java} <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Note that the whole payload is enveloped by a configurable element wrapper, see the [JAX-RS SAML] section for more about it. The Book instance is one part of the envelope and it&#39;s signed by a detached signature. The envelope also has an embedded SAML assertion which is signed on its own. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Note that the whole payload is enveloped by a configurable element wrapper. The Book instance is one part of the envelope and it&#39;s signed by a detached signature (see the first ds:Signature, with its ds:Reference linking to Book). The envelope also has an embedded SAML assertion which has its own enveloped signature. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>The instance of org.apache.cxf.rs.security.xml.XmlSigInHandler will handle a detached XML signature of the Book XML fragment on the server side. See the [JAX-RS SAML] for more info on how to deal with SAML assertions. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Client code is <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">is</span> nearly identical to the one shown in the Enveloped signatures section except that XmlSigOutInterceptor need to have an additional property set: <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:java} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code} <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h2. Customizing the signature <br> <br>org.apache.cxf.rs.security.xml.XmlSigOutInterceptor manages the creation of the signature on the client side. <br>The following properties can be set on it at the moment: <br> <br>&quot;style&quot;: possible values are &quot;enveloped&quot; (default), &quot;enveloping&quot; and &quot;detached&quot; <br>&quot;envelopedName&quot;: only used with the &quot;detached&quot; style, default is &quot;\{http://org.apache.cxf/rs/env}Envelope&quot; <br>&quot;signatureAlgorithm&quot;: default is &quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot; <br>&quot;digestAlgorithm&quot;: default is &quot;http://www.w3.org/2000/09/xmldsig#sha1&quot; <br> <br></td></tr>
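            <tr><td>Review bot: the defaults given for "signatureAlgorithm" (rsa-sha1) and "digestAlgorithm" (sha1) are the only values mentioned; state which other xmldsig algorithm URIs those two properties accept so readers know the defaults can be changed rather than being the only option, and for "envelopedName" say that the value is a QName in the {namespace}local form the default shows.</td></tr>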
            <tr><td class="diff-unchanged" >h1. XML Encryption <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;"> <br>Encrypting XML payloads makes it possible to drop a requirement for HTTPS. <br> <br>Here is a payload example: <br> <br>{code:xml} <br>&lt;xenc:EncryptedData xmlns:xenc=&quot;http://www.w3.org/2001/04/xmlenc#&quot;&gt; <br>  &lt;xenc:EncryptionMethod Algorithm=&quot;http://www.w3.org/2001/04/xmlenc#aes128-cbc&quot;/&gt; <br>  &lt;ds:KeyInfo xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt; <br>    &lt;ds:RetrievalMethod Type=&quot;http://www.w3.org/2001/04/xmlenc#EncryptedKey&quot;/&gt; <br>    &lt;xenc:EncryptedKey Id=&quot;EK-B353DDCEE7C575B6A213203188664772&quot;&gt; <br>      &lt;xenc:EncryptionMethod Algorithm=&quot;http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p&quot;/&gt; <br>        &lt;ds:KeyInfo&gt; <br>            &lt;ds:X509Data&gt; <br>               &lt;ds:X509Certificate&gt;&lt;!-- Omitted for brewity --&gt;&lt;/ds:X509Certificate&gt; <br>           &lt;/ds:X509Data&gt; <br>        &lt;/ds:KeyInfo&gt; <br>        &lt;xenc:CipherData&gt;&lt;xenc:CipherValue&gt;tPtZz4pnVWquaV2a7O0y+VrHoeWwk3Eu5Jnu3RHz5rGDB/MLyG6rBamhit03J2xWaV52zUtDAPEj8sr4oy5y2KLB09Hu317IbQjinePabUpd+DLnwNn5iHZpHWJPfndkh07JdYZSrMwqOvJ3fqrNJ+LQeLzZDneT8sC1vRyhSDU=&lt;/xenc:CipherValue&gt; <br>        &lt;/xenc:CipherData&gt; <br>    &lt;/xenc:EncryptedKey&gt; <br>  &lt;/ds:KeyInfo&gt; <br>  &lt;xenc:CipherData&gt; <br>     &lt;xenc:CipherValue&gt;3ZPQ3SapAxemJwqG58sWh+r8B5SMRf/DZ2w/REswgl0zr8kpk0x4tayC5hl7IbSE8CPQYYHX8sXVnUFUoHOtJA==&lt;/xenc:CipherValue&gt; <br>  &lt;/xenc:CipherData&gt; <br>&lt;/xenc:EncryptedData&gt; <br>{code}  <br> <br>Here is a server configuration fragment: <br> <br>{code:xml} <br>&lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt; <br>&lt;bean id=&quot;xmlSigHandler&quot; class=&quot;org.apache.cxf.rs.security.xml.XmlSigInHandler&quot;/&gt; <br> <br>&lt;bean id=&quot;xmlEncHandler&quot; 
class=&quot;org.apache.cxf.rs.security.xml.XmlEncInHandler&quot;/&gt; <br> <br>&lt;jaxrs:server address=&quot;/xmlsig&quot;&gt;  <br>    &lt;jaxrs:serviceBeans&gt; <br>      &lt;ref bean=&quot;serviceBean&quot;/&gt; <br>    &lt;/jaxrs:serviceBeans&gt; <br>    &lt;jaxrs:providers&gt; <br>       &lt;ref bean=&quot;xmlEncHandler&quot;/&gt; <br>       &lt;ref bean=&quot;xmlSigHandler&quot;/&gt; <br>    &lt;/jaxrs:providers&gt;  <br>     &lt;jaxrs:properties&gt; <br>           &lt;entry key=&quot;ws-security.callback-handler&quot;  <br>                  value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt; <br>           &lt;entry key=&quot;ws-security.encryption.properties&quot;  <br>                  value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt; <br>           &lt;entry key=&quot;ws-security.signature.properties&quot;  <br>                  value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;        <br>     &lt;/jaxrs:properties&gt;  <br>&lt;/jaxrs:server&gt; <br> <br>{code} <br> <br>This configuration supports receiving signed and then encrypted XML payloads. 
<br> <br>The code: <br> <br>{code:java} <br>String address = &quot;https://localhost:8080/xmlencryption/bookstore/books&quot;; <br>JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean(); <br>bean.setAddress(address); <br> <br>// setup properties <br>Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;(); <br> <br>properties.put(&quot;ws-security.callback-handler&quot;,  <br>               &quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;); <br>properties.put(&quot;ws-security.encryption.username&quot;, &quot;bob&quot;); <br>properties.put(&quot;ws-security.encryption.properties&quot;,  <br>                       &quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;); <br> <br>// if signature required:  <br>properties.put(&quot;ws-security.signature.username&quot;, &quot;alice&quot;); <br>properties.put(&quot;ws-security.signature.properties&quot;,  <br>               &quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;); <br> <br>bean.setProperties(properties); <br> <br>// if signature required: add the interceptor dealing with adding a signature <br>XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor(); <br>bean.getOutInterceptors().add(sigInterceptor); <br> <br>// add the interceptor dealing with the encryption <br> <br>XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor(); <br>encInterceptor.setSymmetricEncAlgorithm(&quot;http://www.w3.org/2001/04/xmlenc#aes128-cbc&quot;); <br>bean.getOutInterceptors().add(encInterceptor); <br> <br> <br>// use WebClient (or proxy) as usual <br>WebClient wc = bean.createWebClient(); <br>Response r = wc.post(new Book(&quot;CXF&quot;, 126L), Book.class); <br>assertEquals(200, r.getStatus()); <br>{code} <br> <br>Note that XmlEncOutInterceptor interceptor has a &quot;symmetricEncAlgorithm&quot; property set to a weaker type just to get CXF tests passing. 
<br> <br>The actual application client code does not expect a payload such as Book back but if it did then configuring the server to encrypt the response would be straightforward: <br> <br>{code:xml} <br>&lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt; <br>&lt;bean id=&quot;xmlSigHandler&quot; class=&quot;org.apache.cxf.rs.security.xml.XmlSigInHandler&quot;/&gt; <br> <br>&lt;bean id=&quot;xmlEncHandler&quot; class=&quot;org.apache.cxf.rs.security.xml.XmlEncInHandler&quot;/&gt; <br> <br>&lt;bean id=&quot;xmlEncOutHandler&quot; class=&quot;org.apache.cxf.rs.security.xml.XmlEncOutInterceptor&quot;&gt; <br>        &lt;property name=&quot;symmetricEncAlgorithm&quot; value=&quot;aes128-cbc&quot;/&gt; <br>&lt;/bean&gt; <br> <br>&lt;jaxrs:server address=&quot;/xmlsig&quot;&gt;  <br>    &lt;jaxrs:serviceBeans&gt; <br>      &lt;ref bean=&quot;serviceBean&quot;/&gt; <br>    &lt;/jaxrs:serviceBeans&gt; <br>    &lt;jaxrs:providers&gt; <br>       &lt;ref bean=&quot;xmlEncHandler&quot;/&gt; <br>       &lt;ref bean=&quot;xmlSigHandler&quot;/&gt; <br>    &lt;/jaxrs:providers&gt;  <br>    &lt;jaxrs:outInterceptors&gt; <br>        &lt;ref bean=&quot;xmlEncOutHandler&quot;/&gt; <br>     &lt;/jaxrs:outInterceptors&gt; <br>     &lt;jaxrs:properties&gt; <br>         &lt;entry key=&quot;ws-security.callback-handler&quot;  <br>                  value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt; <br>         &lt;entry key=&quot;ws-security.encryption.properties&quot;  <br>                  value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt; <br>     &lt;/jaxrs:properties&gt;  <br>&lt;/jaxrs:server&gt; <br>{code} <br> <br>Note the addition of a bean with id &quot;xmlEncOutHandler&quot;, this example also shows that the encryption properties can be used to validate the incoming signature as well which just simplifies the configuration a bit. 
Now the client code can be updated to expect an ecryped Book back: <br> <br>{code:java} <br>String address = &quot;https://localhost:8080/xmlencryption/bookstore/books&quot;; <br>JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean(); <br>bean.setAddress(address); <br> <br>// setup properties <br>Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;(); <br> <br>properties.put(&quot;ws-security.callback-handler&quot;,  <br>               &quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;); <br>properties.put(&quot;ws-security.encryption.username&quot;, &quot;bob&quot;); <br>properties.put(&quot;ws-security.encryption.properties&quot;,  <br>                       &quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;); <br> <br>bean.setProperties(properties); <br> <br>// if signature required: add the interceptor dealing with adding a signature <br>XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor(); <br>bean.getOutInterceptors().add(sigInterceptor); <br> <br>// add the interceptor dealing with the encryption <br> <br>XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor(); <br>encInterceptor.setSymmetricEncAlgorithm(&quot;http://www.w3.org/2001/04/xmlenc#aes128-cbc&quot;); <br>bean.getOutInterceptors().add(encInterceptor); <br> <br> <br>// use WebClient (or proxy) as usual <br>WebClient wc = bean.createWebClient(); <br>Book book = wc.post(new Book(&quot;CXF&quot;, 126L), Book.class); <br>assertEquals(&quot;CXF&quot;, book.getName()); <br>{code}  <br> <br>h2. Customizing the encryption <br> <br>org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages the encryption process. 
<br>The following properties can be set on it at the moment: <br>&quot;symmetricEncAlgorithm&quot;: default is &quot;http://www.w3.org/2001/04/xmlenc#aes256-cbc&quot;, complete URIs or short identifiers are supported, for example, <br>                         &quot;aes128-cbc&quot; or &quot;http://www.w3.org/2001/04/xmlenc#aes256-cbc&quot;.  <br>&quot;keyEncAlgorithm&quot;: default is &quot;http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p&quot; <br>&quot;keyIdentifierType&quot;: default is &quot;X509_KEY&quot;, &quot;X509_ISSUER_SERIAL&quot; is also supported - useful when the whole x509Certificate should not be embedded  <br></td></tr>
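            <tr><td>Review bot: the sentence "Encrypting XML payloads makes it possible to drop a requirement for HTTPS" needs qualifying: the server fragment still relies on XmlSigInHandler for integrity, both client samples still post to an https:// address, and XML Encryption covers only the XML body, not the URL, headers or the response unless XmlEncOutInterceptor is also configured on the server as the second fragment shows. The client samples also hard-code aes128-cbc, which the text itself calls a weaker type chosen to get tests passing; say plainly that the aes256-cbc default should be kept outside tests. Typos: "brewity" (brevity) in the X509Certificate comment and "ecryped" (encrypted).</td></tr>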
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> JAX-RS: XML Security </span></p>


<div>
<ul>
    <li><a href='#JAX-RSXMLSecurity-Introduction'>Introduction</a></li>
    <li><a href='#JAX-RSXMLSecurity-Mavendependencies'>Maven dependencies</a></li>
    <li><a href='#JAX-RSXMLSecurity-XMLSignature'>XML Signature</a></li>
<ul>
    <li><a href='#JAX-RSXMLSecurity-Envelopedsignatures'>Enveloped signatures</a></li>
    <li><a href='#JAX-RSXMLSecurity-Envelopingsignatures'>Enveloping signatures</a></li>
    <li><a href='#JAX-RSXMLSecurity-Detachedsignatures'>Detached signatures</a></li>
    <li><a href='#JAX-RSXMLSecurity-Customizingthesignature'>Customizing the signature</a></li>
</ul>
    <li><a href='#JAX-RSXMLSecurity-XMLEncryption'>XML Encryption</a></li>
<ul>
    <li><a href='#JAX-RSXMLSecurity-Customizingtheencryption'>Customizing the encryption</a></li>
</ul>
</ul></div>

<h1><a name="JAX-RSXMLSecurity-Introduction"></a>Introduction</h1>

<p>CXF 2.5.0 introduces initial support for securing JAX-RS clients and endpoints with <a href="http://www.w3.org/TR/xmldsig-core/" class="external-link" rel="nofollow">XML Signature</a> and <a href="http://www.w3.org/TR/xmlenc-core/" class="external-link" rel="nofollow">XML Encryption</a>. <br/>
This is a work in progress and enhancements will be applied regularly. Support for alternative signature and encryption technologies will also be provided in due time.</p>

<h1><a name="JAX-RSXMLSecurity-Mavendependencies"></a>Maven dependencies</h1>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;dependency&gt;</span>
  <span class="code-tag">&lt;groupId&gt;</span>org.apache.cxf<span class="code-tag">&lt;/groupId&gt;</span>
  <span class="code-tag">&lt;artifactId&gt;</span>cxf-rt-rs-security-xml<span class="code-tag">&lt;/artifactId&gt;</span>
  <span class="code-tag">&lt;version&gt;</span>2.5.0<span class="code-tag">&lt;/version&gt;</span>
<span class="code-tag">&lt;/dependency&gt;</span>
</pre>
</div></div>

<h1><a name="JAX-RSXMLSecurity-XMLSignature"></a>XML Signature</h1>

<p><a href="http://www.w3.org/TR/xmldsig-core/" class="external-link" rel="nofollow">XML Signature</a> defines three types of signatures: enveloped, enveloping and detached. All three types are supported by CXF JAX-RS.</p>

<h2><a name="JAX-RSXMLSecurity-Envelopedsignatures"></a>Enveloped signatures</h2>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;Book ID=<span class="code-quote">"4bd59819-7b78-47a5-bb61-cc08348e9d48"</span>&gt;</span>
   <span class="code-tag">&lt;id&gt;</span>126<span class="code-tag">&lt;/id&gt;</span>
   <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>

   <span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
      <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
         <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
         <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
         <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#4bd59819-7b78-47a5-bb61-cc08348e9d48"</span>&gt;</span>
           <span class="code-tag">&lt;ds:Transforms&gt;</span>
             <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</span>/&gt;</span>
             <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
           <span class="code-tag">&lt;/ds:Transforms&gt;</span>
           <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
           <span class="code-tag">&lt;ds:DigestValue&gt;</span>eFduzs6Cg1/Wd6jagUmr8vRYxHY=<span class="code-tag">&lt;/ds:DigestValue&gt;</span>
         <span class="code-tag">&lt;/ds:Reference&gt;</span>
      <span class="code-tag">&lt;/ds:SignedInfo&gt;</span>
<span class="code-tag">&lt;ds:SignatureValue&gt;</span>DLD+wU85G+Q+H/SNoMr1I7tOCAZAjd3lYE84sBGU5tuMtzbwxKOIgg10g2F1SUbpujy1CZZ9BPkQNA+gA1CH4FE3uiBzp3DDSVv6o5l6Q76Ci0XI28ylO7O1OCY+q2nbP0WtERFWOn9f9nniVKbduz6YQHjv6cNLd8pf4+k2U3g=<span class="code-tag">&lt;/ds:SignatureValue&gt;</span>

       <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
         <span class="code-tag">&lt;ds:X509Data&gt;</span><span class="code-tag">&lt;ds:X509Certificate&gt;</span>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<span class="code-tag">&lt;/ds:X509Certificate&gt;</span>
        <span class="code-tag">&lt;/ds:X509Data&gt;</span>

        <span class="code-tag">&lt;ds:KeyValue&gt;</span>
          <span class="code-tag">&lt;ds:RSAKeyValue&gt;</span>
             <span class="code-tag">&lt;ds:Modulus&gt;</span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span class="code-tag">&lt;/ds:Modulus&gt;</span>
             <span class="code-tag">&lt;ds:Exponent&gt;</span>AQAB<span class="code-tag">&lt;/ds:Exponent&gt;</span>
          <span class="code-tag">&lt;/ds:RSAKeyValue&gt;</span>
        <span class="code-tag">&lt;/ds:KeyValue&gt;</span>
       <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
     <span class="code-tag">&lt;/ds:Signature&gt;</span>

<span class="code-tag">&lt;/Book&gt;</span>
</pre>
</div></div>

<p>Note that the Book root element is signed, including its name and id children, and the signature's ds:Reference links to Book. </p>

<p>Server Configuration fragment:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">

<span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span> class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/&gt;</span>
<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>

<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/xmlsig"</span>&gt;</span> 
    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
      <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
    <span class="code-tag">&lt;jaxrs:providers&gt;</span>
      <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigHandler"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:providers&gt;</span> 
    <span class="code-tag">&lt;jaxrs:properties&gt;</span>
        &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span> 
              value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;
    <span class="code-tag">&lt;/jaxrs:properties&gt;</span> 
<span class="code-tag">&lt;/jaxrs:server&gt;</span>

</pre>
</div></div>

<p>Note that org.apache.cxf.rs.security.xml.XmlSigInHandler can process all three types of XML Signature. </p>

<p>Client code:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<span class="code-object">String</span> address = <span class="code-quote">"https://localhost:8080/xmlsig/bookstore/books"</span>;
JAXRSClientFactoryBean bean = <span class="code-keyword">new</span> JAXRSClientFactoryBean();
bean.setAddress(address);

<span class="code-comment">// setup properties
</span>Map&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt; properties = <span class="code-keyword">new</span> HashMap&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt;();
properties.put(<span class="code-quote">"ws-security.callback-handler"</span>, 
               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
properties.put(<span class="code-quote">"ws-security.signature.username"</span>, <span class="code-quote">"alice"</span>);
properties.put(<span class="code-quote">"ws-security.signature.properties"</span>, 
               <span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>);
bean.setProperties(properties);

<span class="code-comment">// add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span> XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);

<span class="code-comment">// load a bus with HTTPS configuration; configLocation is the location of the
// Spring configuration that sets up HTTPS for the client
</span>SpringBusFactory bf = <span class="code-keyword">new</span> SpringBusFactory();
Bus bus = bf.createBus(configLocation);
bean.setBus(bus);
        
<span class="code-comment">// use WebClient (or proxy) as usual
</span>WebClient wc = bean.createWebClient();
Book book = wc.post(<span class="code-keyword">new</span> Book(<span class="code-quote">"CXF"</span>, 126L), Book.class);
</pre>
</div></div>

<p>Spring configuration can also be used.<br/>
Please also check <a href="/confluence/display/CXF20DOC/Secure+JAX-RS+Services" title="Secure JAX-RS Services">Secure JAX&#45;RS Services</a> on how HTTPS can be configured from Spring.</p>

<h2><a name="JAX-RSXMLSecurity-Envelopingsignatures"></a>Enveloping signatures</h2>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
   <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
      <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
      <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
      <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#88e688e6-6512-406f-9e88-a58e5d781ff0"</span>&gt;</span>
        <span class="code-tag">&lt;ds:Transforms&gt;</span>
           <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
        <span class="code-tag">&lt;/ds:Transforms&gt;</span>
        <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
        <span class="code-tag">&lt;ds:DigestValue&gt;</span>Cq3zl3t3DqWTvuZ+4EtZgGs4ikk=<span class="code-tag">&lt;/ds:DigestValue&gt;</span>
      <span class="code-tag">&lt;/ds:Reference&gt;</span>
   <span class="code-tag">&lt;/ds:SignedInfo&gt;</span><span class="code-tag">&lt;ds:SignatureValue&gt;</span>NvcCS8vx3YJkc8fHMf8bQkC+lwasC6CwiS7HfKSm8t+6TtYdM7TRbYxSuqfCTkF4vBIldWIzl6UngON592FfJdbvrgE2CusCkIybrP7BBmP7zTSV0GjH4/60L6ObkhGPkMNoKzw4V+zgF7Zo+F7ngsz5ZUWZX/GWETmTtYtcfT0=<span class="code-tag">&lt;/ds:SignatureValue&gt;</span>
   <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
     <span class="code-tag">&lt;ds:X509Data&gt;</span>
       <span class="code-tag">&lt;ds:X509Certificate&gt;</span><span class="code-tag"><span class="code-comment">&lt;!-- Omitted for brewity--&gt;</span></span><span class="code-tag">&lt;/ds:X509Certificate&gt;</span>
     <span class="code-tag">&lt;/ds:X509Data&gt;</span>
     <span class="code-tag">&lt;ds:KeyValue&gt;</span>
      <span class="code-tag">&lt;ds:RSAKeyValue&gt;</span><span class="code-tag">&lt;ds:Modulus&gt;</span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span class="code-tag">&lt;/ds:Modulus&gt;</span>
       <span class="code-tag">&lt;ds:Exponent&gt;</span>AQAB<span class="code-tag">&lt;/ds:Exponent&gt;</span>
      <span class="code-tag">&lt;/ds:RSAKeyValue&gt;</span>
     <span class="code-tag">&lt;/ds:KeyValue&gt;</span>
   <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
   <span class="code-tag">&lt;ds:Object ID=<span class="code-quote">"88e688e6-6512-406f-9e88-a58e5d781ff0"</span>&gt;</span>

      <span class="code-tag">&lt;Book&gt;</span>
         <span class="code-tag">&lt;id&gt;</span>126<span class="code-tag">&lt;/id&gt;</span>
         <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>
      <span class="code-tag">&lt;/Book&gt;</span>
   <span class="code-tag">&lt;/ds:Object&gt;</span>
<span class="code-tag">&lt;/ds:Signature&gt;</span>
</pre>
</div></div>

<p>This time the signature envelops the Book element: Book is placed inside a ds:Object wrapper, and the ds:Reference links to that wrapper.</p>

<p>Server Configuration fragment is identical to the one shown in the Enveloped signatures section.</p>

<p>Client code is nearly identical to that shown in the Enveloped signatures section, except that XmlSigOutInterceptor needs to have an additional property set:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<span class="code-comment">// add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span> XmlSigOutInterceptor();
sigInterceptor.setStyle(<span class="code-quote">"enveloping"</span>);

</pre>
</div></div>
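<p>As an added example (not from the CXF documentation or the CXF code base), the following Python script performs the structural pre-checks a receiving side would want on the three signature styles this page describes before handing a payload to a verifier such as XmlSigInHandler: it resolves each ds:Reference URI to exactly one ID-carrying element, rejects dangling or ambiguous references, and classifies the signature as enveloped, enveloping or detached by where ds:Signature sits relative to the referenced element. The sample payloads are constructed, abbreviated copies of the page's examples with placeholder digest and signature values; no cryptographic verification is attempted.</p>

```python
"""Structural checks on XML Signature styles in a JAX-RS XML payload.

Added example, not code from the CXF documentation or project.  It resolves
each ds:Reference to exactly one ID-carrying element and reports which
XML Signature style the payload uses; it does NOT verify DigestValue or
SignatureValue, which remains the job of XmlSigInHandler.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
ID_ATTRIBUTES = ("ID", "Id")  # Book/ds:Object use ID, xenc:EncryptedKey uses Id

# Constructed samples, abbreviated from the three payload shapes on this page;
# digest and signature values are placeholders, not real ones.
ENVELOPED = """<Book ID="b1"><id>126</id><name>CXF</name>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#b1"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms><ds:DigestValue>X</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>X</ds:SignatureValue></ds:Signature></Book>"""

ENVELOPING = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:Reference URI="#o1"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms><ds:DigestValue>X</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>X</ds:SignatureValue>
<ds:Object ID="o1"><Book><id>126</id><name>CXF</name></Book></ds:Object>
</ds:Signature>"""

DETACHED = """<env:Envelope xmlns:env="http://org.apache.cxf/rs/env">
<Book ID="b2"><id>125</id><name>CXF</name></Book>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#b2"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms><ds:DigestValue>X</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>X</ds:SignatureValue></ds:Signature>
</env:Envelope>"""


def _elements_with_id(root, id_value):
    """Every element whose ID/Id attribute equals id_value."""
    return [el for el in root.iter()
            if any(el.get(attr) == id_value for attr in ID_ATTRIBUTES)]


def _is_ancestor(parent_map, candidate, node):
    """True when candidate is a strict ancestor of node."""
    while node in parent_map:
        node = parent_map[node]
        if node is candidate:
            return True
    return False


def classify_signatures(xml_text):
    """Return [(style, referenced_id), ...], one entry per ds:Reference.

    Raises ValueError for a reference that is not same-document, that
    matches zero or several elements (a duplicate ID must be rejected, never
    resolved by picking one), or for an enveloped signature that lacks the
    enveloped-signature transform and therefore could never validate.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once.
    parent_map = {child: parent for parent in root.iter() for child in parent}
    results = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if not refs:
            raise ValueError("ds:Signature without a ds:Reference")
        for ref in refs:
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                raise ValueError(f"unsupported reference URI {uri!r}")
            targets = _elements_with_id(root, uri[1:])
            if len(targets) != 1:
                raise ValueError(f"URI {uri!r} matches {len(targets)} elements")
            target = targets[0]
            transforms = [t.get("Algorithm") for t in
                          ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
            if _is_ancestor(parent_map, target, sig):
                # Signature lives inside the signed element (page: Book)
                if ENVELOPED_TRANSFORM not in transforms:
                    raise ValueError("enveloped signature without the "
                                     "enveloped-signature transform")
                style = "enveloped"
            elif _is_ancestor(parent_map, sig, target):
                style = "enveloping"  # signed element wrapped in ds:Object
            else:
                style = "detached"    # sibling, e.g. under env:Envelope
            results.append((style, uri[1:]))
    return results
```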

<h2><a name="JAX-RSXMLSecurity-Detachedsignatures"></a>Detached signatures</h2>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;env:Envelope <span class="code-keyword">xmlns:env</span>=<span class="code-quote">"http://org.apache.cxf/rs/env"</span>&gt;</span>

  <span class="code-tag">&lt;Book ID=<span class="code-quote">"e9836bc2-cb5a-453f-b967-a9ddbaf9a6de"</span>&gt;</span>
    <span class="code-tag">&lt;id&gt;</span>125<span class="code-tag">&lt;/id&gt;</span>
    <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>
   <span class="code-tag">&lt;/Book&gt;</span>
   <span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
     <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
       <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
       <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
       <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#e9836bc2-cb5a-453f-b967-a9ddbaf9a6de"</span>&gt;</span>
         <span class="code-tag">&lt;ds:Transforms&gt;</span>
           <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
         <span class="code-tag">&lt;/ds:Transforms&gt;</span>
         <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
         <span class="code-tag">&lt;ds:DigestValue&gt;</span>Pxz77Hlg6I/MRsJz4gixkaMFtYI=<span class="code-tag">&lt;/ds:DigestValue&gt;</span>
       <span class="code-tag">&lt;/ds:Reference&gt;</span>
     <span class="code-tag">&lt;/ds:SignedInfo&gt;</span>
<span class="code-tag">&lt;ds:SignatureValue&gt;</span>JSwgiVqZT1EtJ9xqtb90juS54pvZguzFMne7cQyGMQDvBW7b65aAAIfVx/PmFB7Tuy4qB4zqNFCzCwHlhDurNP9NYB7PEzFsA3v3vSyEcHnpUhu41xmBvjT5HWEKbuzqX0dHekizuUefbfzG5WpluVPmOgjashrm9DIhfEf+Hyg=<span class="code-tag">&lt;/ds:SignatureValue&gt;</span>
     <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
      <span class="code-tag">&lt;ds:X509Data&gt;</span>
         <span class="code-tag">&lt;ds:X509Certificate&gt;</span><span class="code-tag"><span class="code-comment">&lt;!--Omitted for Brewity--&gt;</span></span><span class="code-tag">&lt;/ds:X509Certificate&gt;</span>
      <span class="code-tag">&lt;/ds:X509Data&gt;</span>
      <span class="code-tag">&lt;ds:KeyValue&gt;</span>
        <span class="code-tag">&lt;ds:RSAKeyValue&gt;</span>
          <span class="code-tag">&lt;ds:Modulus&gt;</span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span class="code-tag">&lt;/ds:Modulus&gt;</span>
          <span class="code-tag">&lt;ds:Exponent&gt;</span>AQAB<span class="code-tag">&lt;/ds:Exponent&gt;</span>
        <span class="code-tag">&lt;/ds:RSAKeyValue&gt;</span>
      <span class="code-tag">&lt;/ds:KeyValue&gt;</span>
     <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
   <span class="code-tag">&lt;/ds:Signature&gt;</span>

    <span class="code-tag">&lt;saml2:Assertion <span class="code-keyword">xmlns:saml2</span>=<span class="code-quote">"urn:oasis:names:tc:SAML:2.0:assertion"</span> <span class="code-keyword">xmlns:xs</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema"</span> <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> ID=<span class="code-quote">"_E462768C678896CE9913202742137181"</span> IssueInstant=<span class="code-quote">"2011-11-02T22:50:13.718Z"</span> Version=<span class="code-quote">"2.0"</span> xsi:type=<span class="code-quote">"saml2:AssertionType"</span>&gt;</span>

<span class="code-tag">&lt;saml2:Issuer&gt;</span>https://idp.example.org/SAML2<span class="code-tag">&lt;/saml2:Issuer&gt;</span>

<span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
 &lt;!-- 
    The enveloped/embedded SAML Assertion XML Signature is omitted for brevity;
    see the JAX-RS SAML section for more information
 --&gt;
<span class="code-tag">&lt;/ds:Signature&gt;</span>
<span class="code-tag"><span class="code-comment">&lt;!-- the rest of SAML assertion --&gt;</span></span>
<span class="code-tag">&lt;/saml2:Assertion&gt;</span>
<span class="code-tag">&lt;/env:Envelope&gt;</span>
</pre>
</div></div>

<p>Note that the whole payload is enveloped by a configurable element wrapper. The Book instance is one part of the envelope and it's signed by a detached signature (see the first ds:Signature, with its ds:Reference linking to Book). The envelope also has an embedded SAML assertion which has its own enveloped signature.</p>

<p>On the server side, an instance of org.apache.cxf.rs.security.xml.XmlSigInHandler verifies the detached XML signature over the Book XML fragment. See the JAX-RS SAML page for more information on how to deal with SAML assertions.</p>

<p>The client code is nearly identical to the one shown in the Enveloped signatures section, except that XmlSigOutInterceptor needs to have an additional property set:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<span class="code-comment">// add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span> XmlSigOutInterceptor();
sigInterceptor.setStyle(<span class="code-quote">"detached"</span>);

</pre>
</div></div>

<h2><a name="JAX-RSXMLSecurity-Customizingthesignature"></a>Customizing the signature</h2>

<p>org.apache.cxf.rs.security.xml.XmlSigOutInterceptor manages the creation of the signature on the client side.<br/>
The following properties can be set on it at the moment:</p>

<p>"style": possible values are "enveloped" (default), "enveloping" and "detached"<br/>
"envelopedName": only used with the "detached" style, default is "{<a href="http://org.apache.cxf/rs/env" class="external-link" rel="nofollow">http://org.apache.cxf/rs/env</a>}Envelope"<br/>
"signatureAlgorithm": default is "http://www.w3.org/2000/09/xmldsig#rsa-sha1"<br/>
"digestAlgorithm": default is "http://www.w3.org/2000/09/xmldsig#sha1"</p>

<p>The rsa-sha1 and sha1 defaults follow the original XML Signature recommendation. SHA-1 is no longer considered collision resistant, so where the receiving side supports them, set "signatureAlgorithm" to "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" and "digestAlgorithm" to "http://www.w3.org/2001/04/xmlenc#sha256".</p>
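<p>The following is an added example and not CXF code: it builds a detached signature with the same shape as the envelope in the Detached signatures section (env:Envelope containing Book[@ID] and a sibling ds:Signature whose ds:Reference is "#&lt;Book ID&gt;") with the JDK's JSR 105 API, and then validates it the way a server-side handler has to, checking not only that the signature verifies but that its single ds:Reference actually points at the Book element the application goes on to use. It also uses the SHA-256 URIs named above as the values one would set on "signatureAlgorithm" and "digestAlgorithm". The RSA key pair, the Book ID and the KeyValue-only ds:KeyInfo are assumptions for the example; a real deployment takes the key and certificate from the signature.properties keystore.</p>

```java
import java.security.*;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Added example, not CXF code: a detached signature with the shape shown above (env:Envelope
// containing Book[@ID] and a sibling ds:Signature whose Reference is "#<Book ID>"), produced
// and checked with the JDK's JSR 105 API. The RSA key pair is generated in place; a real
// deployment loads it from the signature.properties keystore.
public class DetachedSignatureExample {

    static final String ENV_NS = "http://org.apache.cxf/rs/env";
    static final String BOOK_ID = "e9836bc2-cb5a-453f-b967-a9ddbaf9a6de"; // constructed, as in the payload above
    // Values to hand to XmlSigOutInterceptor's signatureAlgorithm/digestAlgorithm to leave the SHA-1 defaults.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String SHA256 = DigestMethod.SHA256; // http://www.w3.org/2001/04/xmlenc#sha256

    /** Builds env:Envelope/Book[@ID]/(id, name); no signature yet. */
    static Document buildEnvelope() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element env = doc.createElementNS(ENV_NS, "env:Envelope");
        doc.appendChild(env);
        Element book = doc.createElementNS(null, "Book");
        book.setAttributeNS(null, "ID", BOOK_ID);
        book.setIdAttributeNS(null, "ID", true); // lets URI="#..." resolve without a DTD or schema
        Element id = doc.createElementNS(null, "id");
        id.setTextContent("125");
        Element name = doc.createElementNS(null, "name");
        name.setTextContent("CXF");
        book.appendChild(id);
        book.appendChild(name);
        env.appendChild(book);
        return doc;
    }

    /** Appends a detached ds:Signature over Book as a sibling of Book inside the envelope. */
    static void signDetached(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Transform excC14n = fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null);
        Reference ref = fac.newReference("#" + BOOK_ID, fac.newDigestMethod(SHA256, null),
                Collections.singletonList(excC14n), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        // The payload above also carries an X509Certificate; a bare KeyValue is enough here.
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, ki).sign(ctx);
    }

    /** Validates the signature and returns the Book it covers. The URI check matters: a valid signature
     *  over some other element must not be accepted as a signature over the Book we go on to use. */
    static Element verifyAndLocateBook(Document doc, PublicKey pub) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        NodeList books = doc.getElementsByTagName("Book");
        if (sigs.getLength() != 1 || books.getLength() != 1) {
            throw new SecurityException("expected exactly one ds:Signature and one Book");
        }
        Element book = (Element) books.item(0);
        DOMValidateContext vc = new DOMValidateContext(pub, sigs.item(0));
        vc.setIdAttributeNS(book, null, "ID"); // required when the document came from a parser
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc);
        if (!sig.validate(vc)) {
            throw new SecurityException("signature or digest validation failed");
        }
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + book.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI())) {
            throw new SecurityException("signature does not cover the Book element");
        }
        return book;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document doc = buildEnvelope();
        signDetached(doc, kp);
        Element book = verifyAndLocateBook(doc, kp.getPublic());
        System.out.println("verified Book " + book.getAttribute("ID"));
        // Tamper with signed content: the Reference digest no longer matches and validate() is false.
        book.getElementsByTagName("name").item(0).setTextContent("CXF-tampered");
        try {
            verifyAndLocateBook(doc, kp.getPublic());
        } catch (SecurityException e) {
            System.out.println("tampered envelope rejected: " + e.getMessage());
        }
    }
}
```

<p>The reference check at the end is what the page's wording "its ds:Reference linking to Book" amounts to in code: the handler must tie the verified ds:Reference to the exact element it hands to the application, or a signature over some other, attacker-chosen element in the envelope would pass.</p>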

<h1><a name="JAX-RSXMLSecurity-XMLEncryption"></a>XML Encryption</h1>

<p>Encrypting XML payloads gives the payload end-to-end confidentiality that does not depend on the transport, which in some deployments makes it possible to relax the requirement for HTTPS. Note what it does not cover: request URIs, HTTP headers and the rest of the message stay in the clear, the CBC ciphers that XML Encryption 1.0 specifies provide no integrity protection on their own, and encryption does not authenticate the sender, which is why the examples below combine it with a signature.</p>

<p>Here is a payload example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;xenc:EncryptedData <span class="code-keyword">xmlns:xenc</span>=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#"</span>&gt;</span>
  <span class="code-tag">&lt;xenc:EncryptionMethod Algorithm=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#aes128-cbc"</span>/&gt;</span>
  <span class="code-tag">&lt;ds:KeyInfo <span class="code-keyword">xmlns:ds</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
    <span class="code-tag">&lt;ds:RetrievalMethod Type=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#EncryptedKey"</span>/&gt;</span>
    <span class="code-tag">&lt;xenc:EncryptedKey Id=<span class="code-quote">"EK-B353DDCEE7C575B6A213203188664772"</span>&gt;</span>
      <span class="code-tag">&lt;xenc:EncryptionMethod Algorithm=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"</span>/&gt;</span>
        <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
            <span class="code-tag">&lt;ds:X509Data&gt;</span>
               <span class="code-tag">&lt;ds:X509Certificate&gt;</span><span class="code-tag"><span class="code-comment">&lt;!-- Omitted for brewity --&gt;</span></span><span class="code-tag">&lt;/ds:X509Certificate&gt;</span>
           <span class="code-tag">&lt;/ds:X509Data&gt;</span>
        <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
        <span class="code-tag">&lt;xenc:CipherData&gt;</span><span class="code-tag">&lt;xenc:CipherValue&gt;</span>tPtZz4pnVWquaV2a7O0y+VrHoeWwk3Eu5Jnu3RHz5rGDB/MLyG6rBamhit03J2xWaV52zUtDAPEj8sr4oy5y2KLB09Hu317IbQjinePabUpd+DLnwNn5iHZpHWJPfndkh07JdYZSrMwqOvJ3fqrNJ+LQeLzZDneT8sC1vRyhSDU=<span class="code-tag">&lt;/xenc:CipherValue&gt;</span>
        <span class="code-tag">&lt;/xenc:CipherData&gt;</span>
    <span class="code-tag">&lt;/xenc:EncryptedKey&gt;</span>
  <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
  <span class="code-tag">&lt;xenc:CipherData&gt;</span>
     <span class="code-tag">&lt;xenc:CipherValue&gt;</span>3ZPQ3SapAxemJwqG58sWh+r8B5SMRf/DZ2w/REswgl0zr8kpk0x4tayC5hl7IbSE8CPQYYHX8sXVnUFUoHOtJA==<span class="code-tag">&lt;/xenc:CipherValue&gt;</span>
  <span class="code-tag">&lt;/xenc:CipherData&gt;</span>
<span class="code-tag">&lt;/xenc:EncryptedData&gt;</span>
</pre>
</div></div> 

<p>Here is a server configuration fragment:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span> class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/&gt;</span>
<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>

<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncInHandler"</span>/&gt;</span>
    
<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/xmlsig"</span>&gt;</span> 
    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
      <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
    <span class="code-tag">&lt;jaxrs:providers&gt;</span>
       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlEncHandler"</span>/&gt;</span>
       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigHandler"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:providers&gt;</span> 
     <span class="code-tag">&lt;jaxrs:properties&gt;</span>
           &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span> 
                  value=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>/&gt;
           &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span> 
                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/bob.properties"</span>/&gt;
           &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span> 
                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;       
     <span class="code-tag">&lt;/jaxrs:properties&gt;</span> 
<span class="code-tag">&lt;/jaxrs:server&gt;</span>

</pre>
</div></div>

<p>This configuration supports receiving XML payloads that were signed and then encrypted: xmlEncHandler decrypts the body and xmlSigHandler then verifies the signature found in the decrypted XML, so the decryption handler has to run before the signature handler.</p>

<p>The code:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-object">String</span> address = <span class="code-quote">"https://localhost:8080/xmlencryption/bookstore/books"</span>;
JAXRSClientFactoryBean bean = <span class="code-keyword">new</span> JAXRSClientFactoryBean();
bean.setAddress(address);

<span class="code-comment">// setup properties
</span>Map&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt; properties = <span class="code-keyword">new</span> HashMap&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt;();

properties.put(<span class="code-quote">"ws-security.callback-handler"</span>, 
               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
properties.put(<span class="code-quote">"ws-security.encryption.username"</span>, <span class="code-quote">"bob"</span>);
properties.put(<span class="code-quote">"ws-security.encryption.properties"</span>, 
               <span class="code-quote">"org/apache/cxf/systest/jaxrs/security/bob.properties"</span>);

<span class="code-comment">// if signature required: 
</span>properties.put(<span class="code-quote">"ws-security.signature.username"</span>, <span class="code-quote">"alice"</span>);
properties.put(<span class="code-quote">"ws-security.signature.properties"</span>, 
               <span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>);

bean.setProperties(properties);

<span class="code-comment">// if signature required: add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span> XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);

<span class="code-comment">// add the interceptor dealing with the encryption
</span>XmlEncOutInterceptor encInterceptor = <span class="code-keyword">new</span> XmlEncOutInterceptor();
encInterceptor.setSymmetricEncAlgorithm(<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#aes128-cbc"</span>);
bean.getOutInterceptors().add(encInterceptor);

<span class="code-comment">// use WebClient (or proxy) as usual; WebClient.post(Object) returns the Response,
// post(Object, Class) would return the unmarshalled entity instead
</span>WebClient wc = bean.createWebClient();
Response r = wc.post(<span class="code-keyword">new</span> Book(<span class="code-quote">"CXF"</span>, 126L));
assertEquals(200, r.getStatus());
</pre>
</div></div>

<p>Note that the XmlEncOutInterceptor has its "symmetricEncAlgorithm" property set to aes128-cbc, a weaker setting than the aes256-cbc default, only to get the CXF tests passing (AES-256 requires the unlimited-strength JCE policy files on older JREs); leave the default in place unless you have the same constraint.</p>

<p>The client code above does not expect a Book payload back, but if it did, configuring the server to encrypt the response would be straightforward:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span> class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/&gt;</span>
<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>

<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncInHandler"</span>/&gt;</span>
    
<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncOutHandler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncOutInterceptor"</span>&gt;</span>
        <span class="code-tag">&lt;property name=<span class="code-quote">"symmetricEncAlgorithm"</span> value=<span class="code-quote">"aes128-cbc"</span>/&gt;</span>
<span class="code-tag">&lt;/bean&gt;</span>

<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/xmlsig"</span>&gt;</span> 
    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
      <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
    <span class="code-tag">&lt;jaxrs:providers&gt;</span>
       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlEncHandler"</span>/&gt;</span>
       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigHandler"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:providers&gt;</span> 
    <span class="code-tag">&lt;jaxrs:outInterceptors&gt;</span>
        <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlEncOutHandler"</span>/&gt;</span>
     <span class="code-tag">&lt;/jaxrs:outInterceptors&gt;</span>
     <span class="code-tag">&lt;jaxrs:properties&gt;</span>
         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span> 
                  value=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>/&gt;
         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span> 
                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/bob.properties"</span>/&gt;
     <span class="code-tag">&lt;/jaxrs:properties&gt;</span> 
<span class="code-tag">&lt;/jaxrs:server&gt;</span>
</pre>
</div></div>

<p>Note the addition of the bean with id "xmlEncOutHandler". This example also shows that when no "ws-security.signature.properties" entry is set, the encryption properties are used to validate the incoming signature as well, which simplifies the configuration a bit; this only works if the keystore referenced by bob.properties also holds the certificate needed to verify the client's signature. The client code can now be updated to expect an encrypted Book back:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-object">String</span> address = <span class="code-quote">"https://localhost:8080/xmlencryption/bookstore/books"</span>;
JAXRSClientFactoryBean bean = <span class="code-keyword">new</span> JAXRSClientFactoryBean();
bean.setAddress(address);

<span class="code-comment">// setup properties
</span>Map&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt; properties = <span class="code-keyword">new</span> HashMap&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt;();

properties.put(<span class="code-quote">"ws-security.callback-handler"</span>, 
               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
properties.put(<span class="code-quote">"ws-security.encryption.username"</span>, <span class="code-quote">"bob"</span>);
properties.put(<span class="code-quote">"ws-security.encryption.properties"</span>, 
               <span class="code-quote">"org/apache/cxf/systest/jaxrs/security/bob.properties"</span>);

bean.setProperties(properties);

<span class="code-comment">// if signature required: add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span> XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);

<span class="code-comment">// add the interceptor dealing with the encryption
</span>XmlEncOutInterceptor encInterceptor = <span class="code-keyword">new</span> XmlEncOutInterceptor();
encInterceptor.setSymmetricEncAlgorithm(<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#aes128-cbc"</span>);
bean.getOutInterceptors().add(encInterceptor);

<span class="code-comment">// use WebClient (or proxy) as usual; post(Object, Class) returns the decrypted, unmarshalled entity
</span>WebClient wc = bean.createWebClient();
Book book = wc.post(<span class="code-keyword">new</span> Book(<span class="code-quote">"CXF"</span>, 126L), Book.class);
assertEquals(<span class="code-quote">"CXF"</span>, book.getName());
</pre>
</div></div> 

<h2><a name="JAX-RSXMLSecurity-Customizingtheencryption"></a>Customizing the encryption</h2>

<p>org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages the encryption process.<br/>
The following properties can be set on it at the moment:<br/>
"symmetricEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#aes256-cbc", complete URIs or short identifiers are supported, for example,<br/>
                         "aes128-cbc" or "http://www.w3.org/2001/04/xmlenc#aes256-cbc". <br/>
"keyEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"<br/>
"keyIdentifierType": default is "X509_KEY", "X509_ISSUER_SERIAL" is also supported - useful when the whole x509Certificate should not be embedded </p>
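<p>The following is an added example and not CXF code: with plain JCE and DOM it produces an xenc:EncryptedData of the same structure as the payload shown at the start of the XML Encryption section (a random AES-128 content key wrapped with rsa-oaep-mgf1p inside ds:KeyInfo/xenc:EncryptedKey, the content encrypted with aes128-cbc and the IV prepended to the ciphertext), and then opens it the way a receiver should, pinning the expected "symmetricEncAlgorithm" and "keyEncAlgorithm" URIs before any key material is touched. The recipient key pair is generated in place as a stand-in for the "bob" keystore entry, and the Book payload and element-navigation helpers are assumptions for the example.</p>

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Added example, not CXF code: builds an xenc:EncryptedData with the same structure as the
// payload above (aes128-cbc content, content key wrapped with rsa-oaep-mgf1p) using plain JCE
// and DOM, then opens it the way a receiver should. The recipient key pair is generated in
// place; a real deployment takes it from the encryption.properties keystore.
public class XmlEncExample {

    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String AES128_CBC = XENC + "aes128-cbc";
    static final String RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p";
    // JCE transformations for the two URIs: OAEP with SHA-1 and MGF1-SHA-1, and CBC with the
    // ISO 10126 padding that XML Encryption specifies.
    static final String JCE_RSA_OAEP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    static final String JCE_AES_CBC = "AES/CBC/ISO10126Padding";

    /** Sender: fresh AES-128 content key, RSA-OAEP wrapped; content encrypted with the IV prepended. */
    static String encrypt(String xmlPayload, PublicKey recipient) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey contentKey = kg.generateKey();
        Cipher rsa = Cipher.getInstance(JCE_RSA_OAEP);
        rsa.init(Cipher.WRAP_MODE, recipient);
        byte[] wrappedKey = rsa.wrap(contentKey);
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance(JCE_AES_CBC);
        aes.init(Cipher.ENCRYPT_MODE, contentKey, new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(xmlPayload.getBytes(StandardCharsets.UTF_8));
        byte[] ivAndCt = new byte[iv.length + ct.length]; // XML Encryption CipherValue is IV || ciphertext
        System.arraycopy(iv, 0, ivAndCt, 0, iv.length);
        System.arraycopy(ct, 0, ivAndCt, iv.length, ct.length);
        Base64.Encoder b64 = Base64.getEncoder();
        return "<xenc:EncryptedData xmlns:xenc=\"" + XENC + "\">"
                + "<xenc:EncryptionMethod Algorithm=\"" + AES128_CBC + "\"/>"
                + "<ds:KeyInfo xmlns:ds=\"" + DS + "\"><xenc:EncryptedKey>"
                + "<xenc:EncryptionMethod Algorithm=\"" + RSA_OAEP_MGF1P + "\"/>"
                + "<xenc:CipherData><xenc:CipherValue>" + b64.encodeToString(wrappedKey)
                + "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo>"
                + "<xenc:CipherData><xenc:CipherValue>" + b64.encodeToString(ivAndCt)
                + "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>";
    }

    /** Receiver: pin both algorithms before touching any key; never let the message choose the cipher. */
    static String decrypt(String encryptedData, PrivateKey recipient) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // untrusted input: no DTD/XXE
        Document doc = dbf.newDocumentBuilder().parse(
                new java.io.ByteArrayInputStream(encryptedData.getBytes(StandardCharsets.UTF_8)));
        Element encData = doc.getDocumentElement();
        Element encKey = child(child(encData, DS, "KeyInfo"), XENC, "EncryptedKey");
        requireAlgorithm(encData, AES128_CBC);
        requireAlgorithm(encKey, RSA_OAEP_MGF1P);
        Cipher rsa = Cipher.getInstance(JCE_RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, recipient);
        SecretKey contentKey = (SecretKey) rsa.unwrap(cipherValue(encKey), "AES", Cipher.SECRET_KEY);
        byte[] ivAndCt = cipherValue(encData);
        if (ivAndCt.length < 32 || ivAndCt.length % 16 != 0) {
            throw new GeneralSecurityException("malformed CipherValue");
        }
        Cipher aes = Cipher.getInstance(JCE_AES_CBC);
        aes.init(Cipher.DECRYPT_MODE, contentKey, new IvParameterSpec(ivAndCt, 0, 16));
        return new String(aes.doFinal(ivAndCt, 16, ivAndCt.length - 16), StandardCharsets.UTF_8);
    }

    /** Direct child element lookup by namespace and local name (no descendant search, no document-order guessing). */
    static Element child(Element parent, String ns, String localName) throws GeneralSecurityException {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && localName.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        throw new GeneralSecurityException("missing " + localName + " under " + parent.getLocalName());
    }

    static void requireAlgorithm(Element e, String expected) throws GeneralSecurityException {
        String actual = child(e, XENC, "EncryptionMethod").getAttribute("Algorithm");
        if (!expected.equals(actual)) throw new GeneralSecurityException("unexpected algorithm " + actual);
    }

    static byte[] cipherValue(Element e) throws GeneralSecurityException {
        String b64 = child(child(e, XENC, "CipherData"), XENC, "CipherValue").getTextContent();
        return Base64.getMimeDecoder().decode(b64.trim()); // MIME decoder tolerates line breaks
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair bob = kpg.generateKeyPair(); // stands in for the "bob" keystore entry above
        String encrypted = encrypt("<Book><id>126</id><name>CXF</name></Book>", bob.getPublic());
        System.out.println(encrypted);
        System.out.println(decrypt(encrypted, bob.getPrivate()));
    }
}
```

<p>Two points the code makes explicit: the receiver decides which algorithms it will accept and rejects anything else before unwrapping a key, and CBC with ISO 10126 padding carries no integrity check, so a modified CipherValue still decrypts to something. That is why the server configurations above layer an XmlSigInHandler behind the XmlEncInHandler, and why a decryption failure should be reported to the client the same way as any other rejected message.</p>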
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
