From build...@apache.org
Subject svn commit: r815155 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-xml-security.html
Date Mon, 30 Apr 2012 17:48:28 GMT
Author: buildbot
Date: Mon Apr 30 17:48:28 2012
New Revision: 815155

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-xml-security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-xml-security.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-xml-security.html (original)
+++ websites/production/cxf/content/docs/jax-rs-xml-security.html Mon Apr 30 17:48:28 2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS XML Security
 
 
 <div>
-<ul><li><a shape="rect" href="#JAX-RSXMLSecurity-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-XMLSignature">XML Signature</a></li><ul><li><a
shape="rect" href="#JAX-RSXMLSecurity-Envelopedsignatures">Enveloped signatures</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-Envelopingsignatures">Enveloping signatures</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-Detachedsignatures">Detached signatures</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-Customizingthesignature">Customizing the signature</a></li></ul><li><a
shape="rect" href="#JAX-RSXMLSecurity-XMLEncryption">XML Encryption</a></li><ul><li><a
shape="rect" href="#JAX-RSXMLSecurity-Customizingtheencryption">Customizing the encryption</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM Algorithm
and BouncyCastle provider</a></li></ul><li><a 
 shape="rect" href="#JAX-RSXMLSecurity-Interoperability">Interoperability</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSXMLSecurity-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-XMLSignature">XML Signature</a></li><ul><li><a
shape="rect" href="#JAX-RSXMLSecurity-Envelopedsignatures">Enveloped signatures</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-Envelopingsignatures">Enveloping signatures</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-Detachedsignatures">Detached signatures</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-Customizingthesignature">Customizing the signature</a></li></ul><li><a
shape="rect" href="#JAX-RSXMLSecurity-XMLEncryption">XML Encryption</a></li><ul><li><a
shape="rect" href="#JAX-RSXMLSecurity-Usingtherequestsignaturecertificatesfortheencryption">Using
the request signature certificates for the encryption</a></li><li><a
shape="rect" href="#JAX-RSXMLSecurity-Customizingtheencryption">Customizin
 g the encryption</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM
Algorithm and BouncyCastle provider</a></li></ul><li><a shape="rect"
href="#JAX-RSXMLSecurity-Restrictingencryptionandsignaturealgorithms">Restricting encryption
and signature algorithms</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-Interoperability">Interoperability</a></li></ul></div>
 
 <h1><a shape="rect" name="JAX-RSXMLSecurity-Introduction"></a>Introduction</h1>
 
@@ -447,9 +447,8 @@ The following properties can be set on i
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
 <span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span>
class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/&gt;</span>
-<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>
-
-<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncInHandler"</span>/&gt;</span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigInHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncInHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncInHandler"</span>/&gt;</span>
     
 <span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/xmlsig"</span>&gt;</span>

     <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
@@ -523,72 +522,94 @@ assertEquals(200, r.getStatus());
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
 <span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span>
class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/&gt;</span>
-<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigInHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigOutHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"</span>/&gt;</span>
 
-<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncInHandler"</span>/&gt;</span>
-    
+<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncInHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncInHandler"</span>/&gt;</span>
 <span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncOutHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncOutInterceptor"</span>&gt;</span>
         <span class="code-tag">&lt;property name=<span class="code-quote">"symmetricEncAlgorithm"</span>
value=<span class="code-quote">"aes128-cbc"</span>/&gt;</span>
 <span class="code-tag">&lt;/bean&gt;</span>
 
-<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/xmlsig"</span>&gt;</span>

+<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/xmlsec"</span>&gt;</span>

     <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
       <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
     <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
     <span class="code-tag">&lt;jaxrs:providers&gt;</span>
-       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlEncHandler"</span>/&gt;</span>
-       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigHandler"</span>/&gt;</span>
+       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlEncInHandler"</span>/&gt;</span>
+       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigInHandler"</span>/&gt;</span>
     <span class="code-tag">&lt;/jaxrs:providers&gt;</span> 
     <span class="code-tag">&lt;jaxrs:outInterceptors&gt;</span>
+        <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigOutHandler"</span>/&gt;</span>

         <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlEncOutHandler"</span>/&gt;</span>
      <span class="code-tag">&lt;/jaxrs:outInterceptors&gt;</span>
      <span class="code-tag">&lt;jaxrs:properties&gt;</span>
          &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>

                   value=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>/&gt;
          &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>

+                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;
+         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>

                   value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/bob.properties"</span>/&gt;
-     <span class="code-tag">&lt;/jaxrs:properties&gt;</span> 
+ 
+    <span class="code-tag">&lt;/jaxrs:properties&gt;</span> 
 <span class="code-tag">&lt;/jaxrs:server&gt;</span>
 </pre>
 </div></div>
 
-<p>Note the addition of a bean with id "xmlEncOutHandler", this example also shows
that the encryption properties can be used to validate the incoming signature as well which
just simplifies the configuration a bit. Now the client code can be updated to expect an ecryped
Book back:</p>
+<p>Now the client code can be updated to expect an encrypted and signed Book back:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
-<span class="code-object">String</span> address = <span class="code-quote">"https:<span
class="code-comment">//localhost:8080/xmlencryption/bookstore/books"</span>;
-</span>JAXRSClientFactoryBean bean = <span class="code-keyword">new</span>
JAXRSClientFactoryBean();
-bean.setAddress(address);
-
-<span class="code-comment">// setup properties
-</span>Map&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt;
properties = <span class="code-keyword">new</span> HashMap&lt;<span class="code-object">String</span>,
<span class="code-object">Object</span>&gt;();
+<span class="code-comment">// Use the previous code fragment, add the in interceptors:
+</span>XmlEncInInterceptor encInInterceptor = <span class="code-keyword">new</span>
XmlEncInInterceptor();
+bean.getInInterceptors().add(encInInterceptor);
+XmlSigInInterceptor sigInInterceptor = <span class="code-keyword">new</span>
XmlSigInInterceptor();
+bean.getInInterceptors().add(sigInInterceptor);
+</pre>
+</div></div> 
 
-properties.put(<span class="code-quote">"ws-security.callback-handler"</span>,

-               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
-properties.put(<span class="code-quote">"ws-security.encryption.username"</span>,
<span class="code-quote">"bob"</span>);
-properties.put(<span class="code-quote">"ws-security.encryption.properties"</span>,

-                       <span class="code-quote">"org/apache/cxf/systest/jaxrs/security/bob.properties"</span>);
 
-bean.setProperties(properties);
+<h2><a shape="rect" name="JAX-RSXMLSecurity-Usingtherequestsignaturecertificatesfortheencryption"></a>Using
the request signature certificates for the encryption</h2>
 
-<span class="code-comment">// <span class="code-keyword">if</span> signature
required: add the interceptor dealing with adding a signature
-</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span>
XmlSigOutInterceptor();
-bean.getOutInterceptors().add(sigInterceptor);
+<p><b>From CXF 2.6.1 and 2.5.4:</b></p>
 
-<span class="code-comment">// add the interceptor dealing with the encryption
-</span>
-XmlEncOutInterceptor encInterceptor = <span class="code-keyword">new</span> XmlEncOutInterceptor();
-encInterceptor.setSymmetricEncAlgorithm(<span class="code-quote">"http:<span class="code-comment">//www.w3.org/2001/04/xmlenc#aes128-cbc"</span>);
-</span>bean.getOutInterceptors().add(encInterceptor);
+<p>When multiple clients are posting the encrypted and signed payloads, the following
configuration will lead to the request signature certificates being utilized for encrypting
the symmetric key used to encrypt the response:</p>
 
-       
-<span class="code-comment">// use WebClient (or proxy) as usual
-</span>WebClient wc = bean.createWebClient();
-Book book = wc.post(<span class="code-keyword">new</span> Book(<span class="code-quote">"CXF"</span>,
126L), Book.class);
-assertEquals(<span class="code-quote">"CXF"</span>, book.getName());
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag"><span class="code-comment">&lt;!-- server --&gt;</span></span>
+<span class="code-tag">&lt;jaxrs:server&gt;</span>
+<span class="code-tag">&lt;jaxrs:properties&gt;</span>
+         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>

+                  value=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>/&gt;
+         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>

+                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;
+         <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>
value=<span class="code-quote">"useReqSigCert"</span>/&gt;</span>
+         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>

+                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/bob.properties"</span>/&gt;
+ 
+    <span class="code-tag">&lt;/jaxrs:properties&gt;</span>
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
+<span class="code-tag">&lt;jaxrs:client&gt;</span>
+    <span class="code-tag">&lt;jaxrs:properties&gt;</span>
+         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>

+                  value=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>/&gt;
+         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>

+                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/bob.properties"</span>/&gt;
+         <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>
value=<span class="code-quote">"bob"</span>/&gt;</span>
+         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>

+                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;
+         <span class="code-tag">&lt;entry key=<span class="code-quote">"ws-security.signature.username"</span>
value=<span class="code-quote">"alice"</span>/&gt;</span>
+    <span class="code-tag">&lt;/jaxrs:properties&gt;</span>
+<span class="code-tag">&lt;/jaxrs:client&gt;</span>
 </pre>
 </div></div> 
 
+<p>The "ws-security.encryption.username" server property is set to "useReqSigCert".</p>
+
+<p>Note that the client configuration assumes Alice (with its alice.properties) represents
a given client, Bob (with its bob.properties) - the receiver/server.  </p>
+
+<p>On the server side the encryption properties point to alice.properties and signature.properties
to bob.properties. This is because the outbound signature needs to be done with the Bob's
certificate and the encryption - with either the specific Alice's certificate or the certificate
from the inbound signature. Note that the in encryption handler will check the signature properties
first - this will ensure that the Bob's certificate used to encrypt the data on the client
side can be validated, similarly for the in signature handler.   </p>
+
 <h2><a shape="rect" name="JAX-RSXMLSecurity-Customizingtheencryption"></a>Customizing
the encryption</h2>
 
 <p>org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages the encryption process.<br
clear="none">
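Review bot: The server entry `ws-security.encryption.username` = `useReqSigCert` in the new "Using the request signature certificates for the encryption" example means the response's key-transport certificate is taken from whatever signed the inbound request, so the confidentiality of the reply rests entirely on the in signature handler having validated that certificate against the trust material referenced by the signature properties before it is reused. The closing paragraph says the in handlers check the signature properties first, but the consequence for this setting is only implied; a reader copying the server snippet could omit the in signature handler and still get a working, but unauthenticated, key selection. Suggest adding one sentence after "The "ws-security.encryption.username" server property is set to "useReqSigCert".": `Because the response is then encrypted to the certificate that signed the request, the in signature handler must be enabled on the same endpoint so that this certificate is validated against the signature properties' trust store before it is used.` (presumably the handler enforces this when present — worth confirming against XmlSigInHandler). The surrounding `<div>`/`<pre>` blocks are complete within the hunk.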
@@ -603,6 +624,42 @@ The following properties can be set on i
 <p>Please see Colm's <a shape="rect" class="external-link" href="http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html"
rel="nofollow">blog</a> for the information about the possible attack against XML
Encryption and the GCM algorithm which needs to be used in order to prevent it.</p>
 
 
+<h1><a shape="rect" name="JAX-RSXMLSecurity-Restrictingencryptionandsignaturealgorithms"></a>Restricting
encryption and signature algorithms</h1>
+
+<p><b>From CXF 2.6.1 and 2.5.4:</b></p>
+
+<p>It is possible to configure the in encryption and signature handlers with the properties
restricting the encryption and signature algorithms that clients can use, for example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"sigProps"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.SignatureProperties"</span>&gt;</span>
+       &lt;property name=<span class="code-quote">"signatureAlgo"</span>

+                 value=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;
+       &lt;property name=<span class="code-quote">"signatureDigestAlgo"</span>

+                 value=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;
+       &lt;property name=<span class="code-quote">"signatureC14Method"</span>

+                 value=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;
+       &lt;property name=<span class="code-quote">"signatureC14Transform"</span>

+                 value=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;
                                                 
+    <span class="code-tag">&lt;/bean&gt;</span>
+    
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"encProps"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.EncryptionProperties"</span>&gt;</span>
+       &lt;property name=<span class="code-quote">"encryptionKeyTransportAlgo"</span>

+                 value=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"</span>/&gt;
+       &lt;property name=<span class="code-quote">"encryptionSymmetricKeyAlgo"</span>

+                 value=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#aes128-cbc"</span>/&gt;
+    <span class="code-tag">&lt;/bean&gt;</span>
+    
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigInHandlerWithProps"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"signatureProperties"</span>
ref=<span class="code-quote">"sigProps"</span>/&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+        
+    <span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncInHandlerWithProps"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncInHandler"</span>&gt;</span>
+        <span class="code-tag">&lt;property name=<span class="code-quote">"encryptionProperties"</span>
ref=<span class="code-quote">"encProps"</span>/&gt;</span>
+    <span class="code-tag">&lt;/bean&gt;</span>
+</pre>
+</div></div>
+
 <h1><a shape="rect" name="JAX-RSXMLSecurity-Interoperability"></a>Interoperability</h1>
 
 <p>The payloads containing the enveloping XML Signatures are structured according to
the XML Signature specification and as such can be consumed by any XML Signature aware consumers
capable of handling the enveloping signatures and extracting the signed payload. </p>
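Review bot: The new "Restricting encryption and signature algorithms" example pins `encryptionSymmetricKeyAlgo` to `http://www.w3.org/2001/04/xmlenc#aes128-cbc`, two paragraphs after the text that points to the CVE-2011-1096 write-up and says the GCM algorithm needs to be used to prevent that attack; as written, the restriction sample locks clients into the very mode the page tells them to avoid. Since the page already has a "GCM Algorithm and BouncyCastle provider" section, the sample should either use the GCM URI, `value=<span class="code-quote">"http://www.w3.org/2009/xmlenc11#aes128-gcm"</span>/&gt;`, with a pointer to that section for the provider setup, or carry a comment stating that aes128-cbc is shown only for illustration and is not the recommended value. The same consideration applies to the `symmetricEncAlgorithm` = `aes128-cbc` property in the earlier server-configuration example, though that line is unchanged by this commit. The `signatureAlgo`/`signatureDigestAlgo` values pin SHA-1 as well; a short note that these are examples rather than recommended defaults would help readers who copy the block verbatim.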


