cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > Security
Date Wed, 01 Aug 2012 11:53:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Security">Security</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey
Beryozkin</a>
    </h4>
        <br/>
                         <h4>Changes (3)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h1. Authentication <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>h2. JAASLoginInterceptor <br></td></tr>
            <tr><td class="diff-unchanged" > <br>Container or Spring Security
managed authentication as well as the custom authentication are all the viable options used
by CXF developers. <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >&lt;bean id=&quot;authenticationInterceptor&quot;
class=&quot;org.apache.cxf.interceptor.security.JAASLoginInterceptor&quot;&gt;
<br>   &lt;property name=&quot;contextName&quot; value=&quot;jaasContext&quot;/&gt;
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">
  &lt;!-- <br>     Deprecated starting from 2.4.4 and 2.5.0  <br>     &lt;property
name=&quot;rolePrefix&quot; value=&quot;ROLE_&quot;/&gt; <br>  
--&gt; <br></td></tr>
            <tr><td class="diff-unchanged" >   &lt;property name=&quot;roleClassifier&quot;
value=&quot;ROLE_&quot;/&gt; <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >In this case JAASLoginInterceptor
will know that the roles are represented by a class whose simple name is RolePrincipal. Note
that full class names are also supported. <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h2.
Kerberos <br> <br>Please see [this page|http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29]
for the information about Spnego/Kerberos HTTPConduit client support.  <br> <br>Please
check the following blog entries about WS-Security Kerberos support in CXF: <br> <br>[Using
Kerberos with Web Service - part 1|http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html]
<br>[Using Kerberos with Web Service - part 2|http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html]
<br>[WS-Trust SPNego support in Apache CXF |http://coheigea.blogspot.com/2012/02/ws-trust-spnego-support-in-apache-cxf.html]
<br> <br>Please check the following [page|JAXRS Kerberos] about Kerberos support
in JAX-RS. <br> <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h1. Authorization <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> Securing CXF Services
</span></p>

<div>
<ul>
    <li><a href='#Security-Securetransports'>Secure transports</a></li>
<ul>
    <li><a href='#Security-HTTPS'>HTTPS</a></li>
</ul>
    <li><a href='#Security-WSSecurity%28includingUsernameTokenandX.509Tokenprofiles%29'>WS-*
Security (including UsernameToken and X.509 Token profiles)</a></li>
    <li><a href='#Security-WSTrust%2CSTS'>WS-Trust, STS</a></li>
    <li><a href='#Security-SAMLWebSSO'>SAML Web SSO</a></li>
    <li><a href='#Security-OAuth'>OAuth</a></li>
    <li><a href='#Security-Authentication'>Authentication</a></li>
<ul>
    <li><a href='#Security-JAASLoginInterceptor'>JAASLoginInterceptor</a></li>
    <li><a href='#Security-Kerberos'>Kerberos</a></li>
</ul>
    <li><a href='#Security-Authorization'>Authorization</a></li>
    <li><a href='#Security-ControllingLargeRequestPayloads'>Controlling Large
Request Payloads</a></li>
<ul>
    <li><a href='#Security-XML'>XML</a></li>
    <li><a href='#Security-Multiparts'>Multiparts</a></li>
</ul>
</ul></div>

<h1><a name="Security-Securetransports"></a>Secure transports</h1>

<h2><a name="Security-HTTPS"></a>HTTPS</h2>

<p>Please see the <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html"
class="external-link" rel="nofollow">Configuring SSL Support</a> page for more information.</p>

<h1><a name="Security-WSSecurity%28includingUsernameTokenandX.509Tokenprofiles%29"></a>WS-*
Security  (including UsernameToken and X.509 Token profiles)</h1>

<p>Please see the <a href="http://cxf.apache.org/docs/ws-support.html" class="external-link"
rel="nofollow">WS-* Support</a> page for more information.</p>

<h1><a name="Security-WSTrust%2CSTS"></a>WS-Trust, STS</h1>

<p>Please see the <a href="https://cwiki.apache.org/CXF20DOC/ws-trust.html" class="external-link"
rel="nofollow">WS-Trust</a> page for more information.</p>

<h1><a name="Security-SAMLWebSSO"></a>SAML Web SSO</h1>

<p>Please see <a href="http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html"
class="external-link" rel="nofollow">this blog entry</a> announcing the support for
SAML Web SSO profile and the <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO"
class="external-link" rel="nofollow">SAML Web SSO</a> page for more information.</p>

<h1><a name="Security-OAuth"></a>OAuth</h1>

<p>Please check <a href="http://cxf.apache.org/docs/jax-rs-oauth2.html" class="external-link"
rel="nofollow">OAuth2.0</a> and <a href="http://cxf.apache.org/docs/jax-rs-oauth.html"
class="external-link" rel="nofollow">OAuth1.0</a> pages for the information about
the support for OAuth 2.0 and OAuth 1.0 in CXF.</p>

<h1><a name="Security-Authentication"></a>Authentication</h1>

<h2><a name="Security-JAASLoginInterceptor"></a>JAASLoginInterceptor</h2>

<p>Container or Spring Security managed authentication as well as the custom authentication
are all the viable options used by CXF developers.</p>

<p>Starting from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor
in order to authenticate a current user and populate a CXF SecurityContext.</p>

<p>Example :</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;jaxws:endpoint address=<span class="code-quote">"/soapService"</span>&gt;</span>
 <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
   <span class="code-tag">&lt;ref bean=<span class="code-quote">"authenticationInterceptor"</span>/&gt;</span>
 <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
<span class="code-tag">&lt;/jaxws:endpoint&gt;</span>

<span class="code-tag">&lt;bean id=<span class="code-quote">"authenticationInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.JAASLoginInterceptor"</span>&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"contextName"</span>
value=<span class="code-quote">"jaasContext"</span>/&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"roleClassifier"</span>
value=<span class="code-quote">"ROLE_"</span>/&gt;</span>

<span class="code-tag">&lt;/bean&gt;</span>
&lt;!-- 
  Similarly for JAX-RS endpoints.
  Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter 
  can be registered as jaxrs:provider instead
--&gt;
</pre>
</div></div> 

<p>The JAAS authenticator is configured with the name of the JAAS login context (the
one usually specified in the JAAS configuration resource which the server is aware of). It
is also configured with an optional "roleClassifier" property which is needed by the CXF SecurityContext
in order to differentiate between user and role Principals. By default CXF will assume that
role Principals are represented by javax.security.acl.Group instances.</p>

<p>In some cases objects representing a user principal and roles are implementing the
same marker interface such as Principal. That can be handled like this:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">

<span class="code-tag">&lt;bean id=<span class="code-quote">"authenticationInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.JAASLoginInterceptor"</span>&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"contextName"</span>
value=<span class="code-quote">"jaasContext"</span>/&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"roleClassifier"</span>
value=<span class="code-quote">"RolePrincipal"</span>/&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"roleClassifierType"</span>
value=<span class="code-quote">"classname"</span>/&gt;</span>
<span class="code-tag">&lt;/bean&gt;</span>
<span class="code-tag"><span class="code-comment">&lt;!-- Similarly for JAX-RS
endpoints --&gt;</span></span>
</pre>
</div></div> 

<p>In this case JAASLoginInterceptor will know that the roles are represented by a class
whose simple name is RolePrincipal. Note that full class names are also supported.</p>

<h2><a name="Security-Kerberos"></a>Kerberos</h2>

<p>Please see <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29"
class="external-link" rel="nofollow">this page</a> for the information about Spnego/Kerberos
HTTPConduit client support. </p>

<p>Please check the following blog entries about WS-Security Kerberos support in CXF:</p>

<p><a href="http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html"
class="external-link" rel="nofollow">Using Kerberos with Web Service - part 1</a><br/>
<a href="http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html"
class="external-link" rel="nofollow">Using Kerberos with Web Service - part 2</a><br/>
<a href="http://coheigea.blogspot.com/2012/02/ws-trust-spnego-support-in-apache-cxf.html"
class="external-link" rel="nofollow">WS-Trust SPNego support in Apache CXF </a></p>

<p>Please check the following <a href="/confluence/pages/createpage.action?spaceKey=CXF20DOC&amp;title=JAXRS+Kerberos&amp;linkCreation=true&amp;fromPageId=24190972"
class="createlink">page</a> about Kerberos support in JAX-RS.</p>


<h1><a name="Security-Authorization"></a>Authorization</h1>

<p>Container or Spring Security managed authorization as well as the custom authorization
are all the viable options used by CXF developers.</p>

<p>CXF 2.3.2 and 2.4.0 introduce org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor
and org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor interceptors which can
help with enforcing the authorization rules.</p>

<p>Example :</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;jaxws:endpoint id=<span class="code-quote">"endpoint1"</span>
address=<span class="code-quote">"/soapService1"</span>&gt;</span>
 <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
   <span class="code-tag">&lt;ref bean=<span class="code-quote">"authorizationInterceptor"</span>/&gt;</span>
 <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
<span class="code-tag">&lt;/jaxws:endpoint&gt;</span>

<span class="code-tag">&lt;bean id=<span class="code-quote">"authorizationInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor"</span>&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"methodRolesMap"</span>&gt;</span>
      <span class="code-tag">&lt;map&gt;</span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"addNumbers"</span>
value=<span class="code-quote">"ROLE_USER ROLE_ADMIN"</span>/&gt;</span>
        <span class="code-tag">&lt;entry key=<span class="code-quote">"divideNumbers"</span>
value=<span class="code-quote">"ROLE_ADMIN"</span>/&gt;</span>  
      <span class="code-tag">&lt;/map&gt;</span>
   <span class="code-tag">&lt;/property&gt;</span> 
<span class="code-tag">&lt;/bean&gt;</span>

<span class="code-tag">&lt;jaxws:endpoint id=<span class="code-quote">"endpoint2"</span>
address=<span class="code-quote">"/soapService2"</span> implementor=<span class="code-quote">"#secureBean"</span>&gt;</span>
 <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
   <span class="code-tag">&lt;ref bean=<span class="code-quote">"authorizationInterceptor2"</span>/&gt;</span>
 <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
<span class="code-tag">&lt;/jaxws:endpoint&gt;</span>

<span class="code-tag"><span class="code-comment">&lt;!-- This bean is annotated
with secure annotations such as RolesAllowed --&gt;</span></span>
<span class="code-tag">&lt;bean id=<span class="code-quote">"secureBean"</span>
class=<span class="code-quote">"org.apache.cxf.tests.security.SecureService"</span>/&gt;</span>

<span class="code-tag">&lt;bean id=<span class="code-quote">"authorizationInterceptor2"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor"</span>&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"securedObject"</span>
ref=<span class="code-quote">"secureBean"</span>/&gt;</span>
<span class="code-tag">&lt;/bean&gt;</span>

</pre>
</div></div> 

<h1><a name="Security-ControllingLargeRequestPayloads"></a>Controlling Large
Request Payloads</h1>

<h2><a name="Security-XML"></a>XML </h2>
<p>Endpoints expecting XML payloads may get <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java"
class="external-link" rel="nofollow">DepthRestrictingInterceptor</a> registered and
configured in order to control the limits a given XML payload may not exceed. This can be
useful in a variety of cases in order to protect against massive payloads which can potentially
cause the denial-of-service situation or simply slow the service down a lot.</p>

<p>The complete number of XML elements, the number of immediate children of a given
XML element may contain and the stack depth of the payload can be restricted, for example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">

<span class="code-tag">&lt;bean id=<span class="code-quote">"depthInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"</span>&gt;</span>
  <span class="code-tag"><span class="code-comment">&lt;!-- Total number of
elements in the XML payload --&gt;</span></span>
  <span class="code-tag">&lt;property name=<span class="code-quote">"elementCountThreshold"</span>
value=<span class="code-quote">"5000"</span>/&gt;</span>

  <span class="code-tag"><span class="code-comment">&lt;!-- Total number of
child elements for XML elements --&gt;</span></span>
  <span class="code-tag">&lt;property name=<span class="code-quote">"innerElementCountThreshold"</span>
value=<span class="code-quote">"3000"</span>/&gt;</span>

  <span class="code-tag"><span class="code-comment">&lt;!-- Maximum stack
depth of the XML payload --&gt;</span></span>
  <span class="code-tag">&lt;property name=<span class="code-quote">"innerElementLevelThreshold"</span>
value=<span class="code-quote">"20"</span>/&gt;</span>

<span class="code-tag">&lt;/bean&gt;</span>

<span class="code-tag">&lt;jaxws:endpoint&gt;</span>
  <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
   <span class="code-tag">&lt;bean ref=<span class="code-quote">"depthInterceptor"</span>/&gt;</span>
 <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
<span class="code-tag">&lt;jaxws:endpoint&gt;</span>

<span class="code-tag">&lt;jaxrs:server&gt;</span>
  <span class="code-tag">&lt;jaxrs:inInterceptors&gt;</span>
   <span class="code-tag">&lt;bean ref=<span class="code-quote">"depthInterceptor"</span>/&gt;</span>
 <span class="code-tag">&lt;/jaxrs:inInterceptors&gt;</span>
<span class="code-tag">&lt;jaxrs:server&gt;</span>

</pre>
</div></div>

<p>When one of the limits is reached, the error is returned. JAX-WS consumers will receive
500, JAX-RS/HTTP consumers: 413.</p>

<p>The following system properties can also be set up for JAX-WS endpoints: "org.apache.cxf.staxutils.innerElementCountThreshold"
and "org.apache.cxf.staxutils.innerElementLevelThreshold".</p>

<p>Please check this <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+Data+Bindings#JAX-RSDataBindings-ControllingLargeJAXBXMLandJSONinputpayloads"
class="external-link" rel="nofollow">section</a> for the additional information on
how JAX-RS JAXB-based providers can be configured.</p>

<h2><a name="Security-Multiparts"></a>Multiparts</h2>

<p>The "org.apache.cxf.io.CachedOutputStream.MaxSize" system property or "attachment-max-size"
per-endpoint contextual property can be used to control the size of large attachments. When
the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP
consumers: 413.</p>
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Security">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=24190972&revisedVersion=19&originalVersion=18">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Security?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message