cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r849514 - in /websites/production/cxf/content: cache/docs.pageCache docs/security.html
Date Tue, 05 Feb 2013 19:48:20 GMT
Author: buildbot
Date: Tue Feb  5 19:48:20 2013
New Revision: 849514

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/security.html
==============================================================================
--- websites/production/cxf/content/docs/security.html (original)
+++ websites/production/cxf/content/docs/security.html Tue Feb  5 19:48:20 2013
@@ -124,7 +124,7 @@ Apache CXF -- Security
 <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">
Securing CXF Services </span></p>
 
 <div>
-<ul><li><a shape="rect" href="#Security-Securetransports">Secure transports</a></li><ul><li><a
shape="rect" href="#Security-HTTPS">HTTPS</a></li></ul><li><a
shape="rect" href="#Security-WSSecurity%28includingUsernameTokenandX.509Tokenprofiles%29">WS-*
Security (including UsernameToken and X.509 Token profiles)</a></li><li><a
shape="rect" href="#Security-WSTrust%2CSTS">WS-Trust, STS</a></li><li><a
shape="rect" href="#Security-SAMLWebSSO">SAML Web SSO</a></li><li><a
shape="rect" href="#Security-OAuth">OAuth</a></li><li><a shape="rect"
href="#Security-Authentication">Authentication</a></li><ul><li><a
shape="rect" href="#Security-JAASLoginInterceptor">JAASLoginInterceptor</a></li><li><a
shape="rect" href="#Security-Kerberos">Kerberos</a></li></ul><li><a
shape="rect" href="#Security-Authorization">Authorization</a></li><li><a
shape="rect" href="#Security-ControllingLargeRequestPayloads">Controlling Large Request
Payloads</a></li><ul><li><a shape="rect" href="#Security-XML">XML</a
 ></li><li><a shape="rect" href="#Security-Multiparts">Multiparts</a></li></ul></ul></div>
+<ul><li><a shape="rect" href="#Security-Securetransports">Secure transports</a></li><ul><li><a
shape="rect" href="#Security-HTTPS">HTTPS</a></li></ul><li><a
shape="rect" href="#Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29">WS-*
Security (including UsernameToken and X.509 Token profiles)</a></li><li><a
shape="rect" href="#Security-WSTrust%2CSTS">WS-Trust, STS</a></li><li><a
shape="rect" href="#Security-SAMLWebSSO">SAML Web SSO</a></li><li><a
shape="rect" href="#Security-OAuth">OAuth</a></li><li><a shape="rect"
href="#Security-Authentication">Authentication</a></li><ul><li><a
shape="rect" href="#Security-JAASLoginInterceptor">JAASLoginInterceptor</a></li><li><a
shape="rect" href="#Security-Kerberos">Kerberos</a></li></ul><li><a
shape="rect" href="#Security-Authorization">Authorization</a></li><li><a
shape="rect" href="#Security-ControllingLargeRequestPayloads">Controlling Large Request
Payloads</a></li><ul><li><a shape="rect" href="#Security-XML">XML
 </a></li><li><a shape="rect" href="#Security-Multiparts">Multiparts</a></li></ul><li><a
shape="rect" href="#Security-Largedatastreamcaching">Large data stream caching</a></li></ul></div>
 
 <h1><a shape="rect" name="Security-Securetransports"></a>Secure transports</h1>
 
@@ -132,7 +132,7 @@ Apache CXF -- Security
 
 <p>Please see the <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html">Configuring
SSL Support</a> page for more information.</p>
 
-<h1><a shape="rect" name="Security-WSSecurity%28includingUsernameTokenandX.509Tokenprofiles%29"></a>WS-*
Security  (including UsernameToken and X.509 Token profiles)</h1>
+<h1><a shape="rect" name="Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29"></a>WS-*
Security  (including UsernameToken and X.509 Token profiles)</h1>
 
 <p>Please see the <a shape="rect" href="http://cxf.apache.org/docs/ws-support.html">WS-*
Support</a> page for more information.</p>
 
@@ -159,8 +159,7 @@ Apache CXF -- Security
 <p>Example :</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;jaxws:endpoint address=<span class="code-quote">"/soapService"</span>&gt;</span>
+<pre class="code-xml"><span class="code-tag">&lt;jaxws:endpoint address=<span
class="code-quote">"/soapService"</span>&gt;</span>
  <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
    <span class="code-tag">&lt;ref bean=<span class="code-quote">"authenticationInterceptor"</span>/&gt;</span>
  <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
@@ -171,35 +170,31 @@ Apache CXF -- Security
    <span class="code-tag">&lt;property name=<span class="code-quote">"roleClassifier"</span>
value=<span class="code-quote">"ROLE_"</span>/&gt;</span>
 
 <span class="code-tag">&lt;/bean&gt;</span>
-&lt;!-- 
+&lt;!--
   Similarly for JAX-RS endpoints.
-  Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter 
+  Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter
   can be registered as jaxrs:provider instead
 --&gt;
 </pre>
-</div></div> 
-
+</div></div>
 <p>The JAAS authenticator is configured with the name of the JAAS login context (the
one usually specified in the JAAS configuration resource which the server is aware of). It
is also configured with an optional "roleClassifier" property which is needed by the CXF SecurityContext
in order to differentiate between user and role Principals. By default CXF will assume that
role Principals are represented by javax.security.acl.Group instances.</p>
 
 <p>In some cases objects representing a user principal and roles are implementing the
same marker interface such as Principal. That can be handled like this:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-
-<span class="code-tag">&lt;bean id=<span class="code-quote">"authenticationInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.JAASLoginInterceptor"</span>&gt;</span>
+<pre class="code-xml"><span class="code-tag">&lt;bean id=<span class="code-quote">"authenticationInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.JAASLoginInterceptor"</span>&gt;</span>
    <span class="code-tag">&lt;property name=<span class="code-quote">"contextName"</span>
value=<span class="code-quote">"jaasContext"</span>/&gt;</span>
    <span class="code-tag">&lt;property name=<span class="code-quote">"roleClassifier"</span>
value=<span class="code-quote">"RolePrincipal"</span>/&gt;</span>
    <span class="code-tag">&lt;property name=<span class="code-quote">"roleClassifierType"</span>
value=<span class="code-quote">"classname"</span>/&gt;</span>
 <span class="code-tag">&lt;/bean&gt;</span>
 <span class="code-tag"><span class="code-comment">&lt;!-- Similarly for JAX-RS
endpoints --&gt;</span></span>
 </pre>
-</div></div> 
-
+</div></div>
 <p>In this case JAASLoginInterceptor will know that the roles are represented by a
class whose simple name is RolePrincipal. Note that full class names are also supported.</p>
 
 <h2><a shape="rect" name="Security-Kerberos"></a>Kerberos</h2>
 
-<p>Please see <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29">this
page</a> for the information about Spnego/Kerberos HTTPConduit client support. </p>
+<p>Please see <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29">this
page</a> for the information about Spnego/Kerberos HTTPConduit client support.</p>
 
 <p>Please check the following blog entries about WS-Security Kerberos support in CXF:</p>
 
@@ -219,8 +214,7 @@ Apache CXF -- Security
 <p>Example :</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;jaxws:endpoint id=<span class="code-quote">"endpoint1"</span>
address=<span class="code-quote">"/soapService1"</span>&gt;</span>
+<pre class="code-xml"><span class="code-tag">&lt;jaxws:endpoint id=<span
class="code-quote">"endpoint1"</span> address=<span class="code-quote">"/soapService1"</span>&gt;</span>
  <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
    <span class="code-tag">&lt;ref bean=<span class="code-quote">"authorizationInterceptor"</span>/&gt;</span>
  <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
@@ -230,9 +224,9 @@ Apache CXF -- Security
    <span class="code-tag">&lt;property name=<span class="code-quote">"methodRolesMap"</span>&gt;</span>
       <span class="code-tag">&lt;map&gt;</span>
         <span class="code-tag">&lt;entry key=<span class="code-quote">"addNumbers"</span>
value=<span class="code-quote">"ROLE_USER ROLE_ADMIN"</span>/&gt;</span>
-        <span class="code-tag">&lt;entry key=<span class="code-quote">"divideNumbers"</span>
value=<span class="code-quote">"ROLE_ADMIN"</span>/&gt;</span>  
+        <span class="code-tag">&lt;entry key=<span class="code-quote">"divideNumbers"</span>
value=<span class="code-quote">"ROLE_ADMIN"</span>/&gt;</span>
       <span class="code-tag">&lt;/map&gt;</span>
-   <span class="code-tag">&lt;/property&gt;</span> 
+   <span class="code-tag">&lt;/property&gt;</span>
 <span class="code-tag">&lt;/bean&gt;</span>
 
 <span class="code-tag">&lt;jaxws:endpoint id=<span class="code-quote">"endpoint2"</span>
address=<span class="code-quote">"/soapService2"</span> implementor=<span class="code-quote">"#secureBean"</span>&gt;</span>
@@ -249,19 +243,17 @@ Apache CXF -- Security
 <span class="code-tag">&lt;/bean&gt;</span>
 
 </pre>
-</div></div> 
-
+</div></div>
 <h1><a shape="rect" name="Security-ControllingLargeRequestPayloads"></a>Controlling
Large Request Payloads</h1>
 
-<h2><a shape="rect" name="Security-XML"></a>XML </h2>
+<h2><a shape="rect" name="Security-XML"></a>XML</h2>
+
 <p>Endpoints expecting XML payloads may get <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java">DepthRestrictingInterceptor</a>
registered and configured in order to control the limits a given XML payload may not exceed.
This can be useful in a variety of cases in order to protect against massive payloads which
can potentially cause the denial-of-service situation or simply slow the service down a lot.</p>
 
 <p>The complete number of XML elements, the number of immediate children of a given
XML element may contain and the stack depth of the payload can be restricted, for example:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-
-<span class="code-tag">&lt;bean id=<span class="code-quote">"depthInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"</span>&gt;</span>
+<pre class="code-xml"><span class="code-tag">&lt;bean id=<span class="code-quote">"depthInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"</span>&gt;</span>
   <span class="code-tag"><span class="code-comment">&lt;!-- Total number
of elements in the XML payload --&gt;</span></span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"elementCountThreshold"</span>
value=<span class="code-quote">"5000"</span>/&gt;</span>
 
@@ -296,7 +288,22 @@ Apache CXF -- Security
 
 <h2><a shape="rect" name="Security-Multiparts"></a>Multiparts</h2>
 
-<p>The "org.apache.cxf.io.CachedOutputStream.MaxSize" system property or "attachment-max-size"
per-endpoint contextual property can be used to control the size of large attachments. When
the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP
consumers: 413.</p></div>
+<p>The "org.apache.cxf.io.CachedOutputStream.MaxSize" system property or "attachment-max-size"
per-endpoint contextual property can be used to control the size of large attachments. When
the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP
consumers: 413.</p>
+
+<h1><a shape="rect" name="Security-Largedatastreamcaching"></a>Large data
stream caching</h1>
+
+<p>A large stream based message or data will be cached in a temporary file. In default,
this caching occurs at data size larger than 64K bytes and a temporary file is written in
the system's temporary directory. You can change this behavior and other properties of the
caching feature by explicitly setting the following properties.</p>
+
+<p>To change the behavior for the entire system, you can set the following system properties.</p>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"> Property Name </th><th colspan="1" rowspan="1" class="confluenceTh">
Value </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
org.apache.cxf.io.CachedOutputStream.Threshold </td><td colspan="1" rowspan="1" class="confluenceTd">
The threshold value in bytes to switch to file caching </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> org.apache.cxf.io.CachedOutputStream.MaxSize
</td><td colspan="1" rowspan="1" class="confluenceTd"> The maximum data size to
be cached </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
org.apache.cxf.io.CachedOutputStream.OutputDirectory </td><td colspan="1" rowspan="1"
class="confluenceTd"> The file directory for the temporary files </td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"> org.apache.cxf.io.CachedOutputStream.CipherTransformation
</td><td colspan="1" rowspan="1" class="confluenceTd"> The cipher
  transformation name to encrypt the cached content </td></tr></tbody></table>
+</div>
+
+
+<p>To change the behavior for a specific bus, you can set the corresponding bus.io.CachedOutputStream
properties (e.g., bus.io.CachedOutputStream.Threshold for org.apache.cxf.io.CachedOutputStream.Threshold).</p>
+
+<p>The encryption option uses a symmetric encryption using a generated key and it can
be used to protect the cached content from unauthorized access. To enable encryption, the
CipherTransformation property can be set to some stream or 8-bit block cipher transformation
names (e.g., RC4, AES/CTR/NoPadding, etc) that are supported by the environment. However,
it is noted that enabling the encryption will result in an increased processing time and it
is therefore recommended only in specific use cases where other means to protect the cached
content is unavailable.</p></div>
            </div>
            <!-- Content -->
          </td>



Mime
View raw message