cxf-commits mailing list archives

From "Daniel Kulp (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF Documentation > Security
Date Mon, 22 Jul 2013 15:36:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/Security">Security</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~dkulp">Daniel
Kulp</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >Starting with CXF 2.7.4, CXF now requires
use of a StAX parser that can provide fine grained control over the size of the incoming XML.
  The only parser that will currently work is Woodstox 4.2 or newer.   The main reason is
there are a series of DOS attacks that can only be prevented at the StAX parser level.   There
is a &quot;org.apache.cxf.stax.allowInsecureParser&quot; System Property that can
be set to true to allow using an insecure parser, but that is HIGHLY not recommended and doing
so would also now allow the settings described in this section. <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">CXF
has several default settings that will prevent malicious XML from causing various DOS failures.
  You can override the default values if you know you will have incoming XML that will exceed
these limits.   These settings can be set as Bus level properties, endpoint level properties,
or even per request via an interceptor.  <br> <br></td></tr>
            <tr><td class="diff-unchanged" >||Setting||Default||Description||
<br>|org.apache.cxf.stax.maxChildElements|50000|Maximum number of child elements for
a given parent element| <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
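Review bot: The added paragraph says the limits can be set as Bus level properties, endpoint level properties, or per request via an interceptor, but it shows none of the three. A short configuration snippet for at least the endpoint case, using one of the property names from the table that follows (for example org.apache.cxf.stax.maxChildElements), would make the override usable. The paragraph also does not say what a client sees when a limit is exceeded. Separately, the unchanged sentence just above it ends with "would also now allow the settings described in this section", which reads ambiguously next to the new text; state plainly whether these limits still apply when org.apache.cxf.stax.allowInsecureParser is set.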
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> Securing CXF Services
</span></p>

<div>
<ul>
    <li><a href='#Security-Securetransports'>Secure transports</a></li>
<ul>
    <li><a href='#Security-HTTPS'>HTTPS</a></li>
</ul>
    <li><a href='#Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29'>WS-*
Security (including UsernameToken and X.509 Token profiles)</a></li>
    <li><a href='#Security-WSTrust%2CSTS'>WS-Trust, STS</a></li>
    <li><a href='#Security-SAMLWebSSO'>SAML Web SSO</a></li>
    <li><a href='#Security-OAuth'>OAuth</a></li>
    <li><a href='#Security-Authentication'>Authentication</a></li>
<ul>
    <li><a href='#Security-JAASLoginInterceptor'>JAASLoginInterceptor</a></li>
    <li><a href='#Security-Kerberos'>Kerberos</a></li>
</ul>
    <li><a href='#Security-Authorization'>Authorization</a></li>
    <li><a href='#Security-ControllingLargeRequestPayloads'>Controlling Large
Request Payloads</a></li>
<ul>
    <li><a href='#Security-XML'>XML</a></li>
    <li><a href='#Security-XMLCXFversionspriorto2.7.4'>XML - CXF versions prior
to 2.7.4</a></li>
    <li><a href='#Security-Multiparts'>Multiparts</a></li>
</ul>
    <li><a href='#Security-Largedatastreamcaching'>Large data stream caching</a></li>
</ul></div>

<h1><a name="Security-Securetransports"></a>Secure transports</h1>

<h2><a name="Security-HTTPS"></a>HTTPS</h2>

<p>Please see the <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html"
class="external-link" rel="nofollow">Configuring SSL Support</a> page for more information.</p>

<h1><a name="Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29"></a>WS-&#42;
Security  (including UsernameToken and X.509 Token profiles)</h1>

<p>Please see the <a href="http://cxf.apache.org/docs/ws-support.html" class="external-link"
rel="nofollow">WS-&#42; Support</a> page for more information.</p>

<h1><a name="Security-WSTrust%2CSTS"></a>WS-Trust, STS</h1>

<p>Please see the <a href="https://cwiki.apache.org/CXF20DOC/ws-trust.html" class="external-link"
rel="nofollow">WS-Trust</a> page for more information.</p>

<h1><a name="Security-SAMLWebSSO"></a>SAML Web SSO</h1>

<p>Please see <a href="http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html"
class="external-link" rel="nofollow">this blog entry</a> announcing the support for
SAML Web SSO profile and the <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO"
class="external-link" rel="nofollow">SAML Web SSO</a> page for more information.</p>

<h1><a name="Security-OAuth"></a>OAuth</h1>

<p>Please check the <a href="http://cxf.apache.org/docs/jax-rs-oauth2.html" class="external-link"
rel="nofollow">OAuth2.0</a> and <a href="http://cxf.apache.org/docs/jax-rs-oauth.html"
class="external-link" rel="nofollow">OAuth1.0</a> pages for information about
the support for OAuth 2.0 and OAuth 1.0 in CXF.</p>

<h1><a name="Security-Authentication"></a>Authentication</h1>

<h2><a name="Security-JAASLoginInterceptor"></a>JAASLoginInterceptor</h2>

<p>Container-managed authentication, Spring Security managed authentication, and custom
authentication are all viable options used by CXF developers.</p>

<p>Starting from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor
to authenticate the current user and populate a CXF SecurityContext.</p>

<p>Example :</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;jaxws:endpoint address="/soapService"&gt;
 &lt;jaxws:inInterceptors&gt;
   &lt;ref bean="authenticationInterceptor"/&gt;
 &lt;/jaxws:inInterceptors&gt;
&lt;/jaxws:endpoint&gt;

&lt;bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor"&gt;
   &lt;property name="contextName" value="jaasContext"/&gt;
   &lt;property name="roleClassifier" value="ROLE_"/&gt;

&lt;/bean&gt;
&lt;!--
  Similarly for JAX-RS endpoints.
  Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter
  can be registered as jaxrs:provider instead
--&gt;
</pre>
</div></div>
<p>The JAAS authenticator is configured with the name of the JAAS login context (the
one usually specified in the JAAS configuration resource which the server is aware of). It
is also configured with an optional "roleClassifier" property which is needed by the CXF SecurityContext
in order to differentiate between user and role Principals. By default CXF will assume that
role Principals are represented by javax.security.acl.Group instances.</p>

<p>In some cases the objects representing a user principal and the objects representing roles
implement the same marker interface, such as Principal. That can be handled like this:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor"&gt;
   &lt;property name="contextName" value="jaasContext"/&gt;
   &lt;property name="roleClassifier" value="RolePrincipal"/&gt;
   &lt;property name="roleClassifierType" value="classname"/&gt;
&lt;/bean&gt;
&lt;!-- Similarly for JAX-RS endpoints --&gt;
</pre>
</div></div>
<p>In this case JAASLoginInterceptor will know that the roles are represented by a class
whose simple name is RolePrincipal. Note that full class names are also supported.</p>

<h2><a name="Security-Kerberos"></a>Kerberos</h2>

<p>Please see <a href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29"
class="external-link" rel="nofollow">this page</a> for information about Spnego/Kerberos
HTTPConduit client support.</p>

<p>Please check the following blog entries about WS-Security Kerberos support in CXF:</p>

<p><a href="http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html"
class="external-link" rel="nofollow">Using Kerberos with Web Services - part 1</a><br/>
<a href="http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html"
class="external-link" rel="nofollow">Using Kerberos with Web Services - part 2</a><br/>
<a href="http://coheigea.blogspot.com/2012/02/ws-trust-spnego-support-in-apache-cxf.html"
class="external-link" rel="nofollow">WS-Trust SPNego support in Apache CXF </a></p>

<p>Please check the following <a href="/confluence/display/CXF20DOC/JAXRS+Kerberos"
title="JAXRS Kerberos">page</a> about Kerberos support in JAX-RS.</p>


<h1><a name="Security-Authorization"></a>Authorization</h1>

<p>Container-managed authorization, Spring Security managed authorization, and custom
authorization are all viable options used by CXF developers.</p>

<p>CXF 2.3.2 and 2.4.0 introduce org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor
and org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor interceptors which can
help with enforcing the authorization rules.</p>

<p>Example :</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;jaxws:endpoint id="endpoint1" address="/soapService1"&gt;
 &lt;jaxws:inInterceptors&gt;
   &lt;ref bean="authorizationInterceptor"/&gt;
 &lt;/jaxws:inInterceptors&gt;
&lt;/jaxws:endpoint&gt;

&lt;bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor"&gt;
   &lt;property name="methodRolesMap"&gt;
      &lt;map&gt;
        &lt;!-- no wildcard support, names need to match exactly --&gt;
        &lt;entry key="addNumbers" value="ROLE_USER ROLE_ADMIN"/&gt;
        &lt;entry key="divideNumbers" value="ROLE_ADMIN"/&gt;
      &lt;/map&gt;
   &lt;/property&gt;
   &lt;!-- it's possible to define global roles that apply to all WSDL operations not listed above --&gt;
   &lt;property name="globalRoles" value="ROLE_ADMIN"/&gt;
&lt;/bean&gt;

&lt;jaxws:endpoint id="endpoint2" address="/soapService2" implementor="#secureBean"&gt;
 &lt;jaxws:inInterceptors&gt;
   &lt;ref bean="authorizationInterceptor2"/&gt;
 &lt;/jaxws:inInterceptors&gt;
&lt;/jaxws:endpoint&gt;

&lt;!-- This bean is annotated with secure annotations such as RolesAllowed --&gt;
&lt;bean id="secureBean" class="org.apache.cxf.tests.security.SecureService"/&gt;

&lt;bean id="authorizationInterceptor2" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor"&gt;
   &lt;property name="securedObject" ref="secureBean"/&gt;
&lt;/bean&gt;

</pre>
</div></div>
<h1><a name="Security-ControllingLargeRequestPayloads"></a>Controlling Large
Request Payloads</h1>

<h2><a name="Security-XML"></a>XML</h2>

<p>Starting with CXF 2.7.4, CXF requires a StAX parser that can provide fine-grained
control over the size of the incoming XML. The only parser that will currently work is
Woodstox 4.2 or newer. The main reason is that there is a series of DoS attacks that can
only be prevented at the StAX parser level. There is an "org.apache.cxf.stax.allowInsecureParser"
System Property that can be set to true to allow using an insecure parser, but that is strongly
discouraged and doing so would also now allow the settings described in this section.</p>

<p>CXF has several default settings that prevent malicious XML from causing various
DoS failures. You can override the default values if you know you will have incoming XML
that will exceed these limits. These settings can be set as Bus level properties, endpoint
level properties, or even per request via an interceptor.</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>Setting</th>
<th class='confluenceTh'>Default</th>
<th class='confluenceTh'>Description</th>
</tr>
<tr>
<td class='confluenceTd'>org.apache.cxf.stax.maxChildElements</td>
<td class='confluenceTd'>50000</td>
<td class='confluenceTd'>Maximum number of child elements for a given parent element</td>
</tr>
<tr>
<td class='confluenceTd'>org.apache.cxf.stax.maxElementDepth</td>
<td class='confluenceTd'>100</td>
<td class='confluenceTd'>Maximum depth of an element</td>
</tr>
<tr>
<td class='confluenceTd'>org.apache.cxf.stax.maxAttributeCount</td>
<td class='confluenceTd'>500</td>
<td class='confluenceTd'>Maximum number of attributes on a single element</td>
</tr>
<tr>
<td class='confluenceTd'>org.apache.cxf.stax.maxAttributeSize</td>
<td class='confluenceTd'>64K</td>
<td class='confluenceTd'>Maximum size of a single attribute</td>
</tr>
<tr>
<td class='confluenceTd'>org.apache.cxf.stax.maxTextLength</td>
<td class='confluenceTd'>128M</td>
<td class='confluenceTd'>Maximum size of an element's text value</td>
</tr>
<tr>
<td class='confluenceTd'>org.apache.cxf.stax.maxElementCount</td>
<td class='confluenceTd'>Long.MAX_VALUE</td>
<td class='confluenceTd'>Maximum total number of elements in the XML document</td>
</tr>
<tr>
<td class='confluenceTd'>org.apache.cxf.stax.maxXMLCharacters</td>
<td class='confluenceTd'>Long.MAX_VALUE</td>
<td class='confluenceTd'>Maximum total number of characters parsed by the parser</td>
</tr>
</tbody></table>
</div>




<h2><a name="Security-XMLCXFversionspriorto2.7.4"></a>XML - CXF versions
prior to 2.7.4</h2>

<p>Endpoints expecting XML payloads can have a <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java"
class="external-link" rel="nofollow">DepthRestrictingStreamInterceptor</a> registered and
configured to enforce limits that a given XML payload may not exceed. This can be
useful in a variety of cases to protect against massive payloads that can potentially
cause a denial of service or simply slow the service down a lot.</p>

<p>The total number of XML elements, the number of immediate children a given
XML element may contain, and the stack depth of the payload can all be restricted, for example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;bean id="depthInterceptor" class="org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"&gt;
  &lt;!-- Total number of elements in the XML payload --&gt;
  &lt;property name="elementCountThreshold" value="5000"/&gt;

  &lt;!-- Total number of child elements for XML elements --&gt;
  &lt;property name="innerElementCountThreshold" value="3000"/&gt;

  &lt;!-- Maximum stack depth of the XML payload --&gt;
  &lt;property name="innerElementLevelThreshold" value="20"/&gt;

&lt;/bean&gt;

&lt;jaxws:endpoint&gt;
  &lt;jaxws:inInterceptors&gt;
    &lt;ref bean="depthInterceptor"/&gt;
  &lt;/jaxws:inInterceptors&gt;
&lt;/jaxws:endpoint&gt;

&lt;jaxrs:server&gt;
  &lt;jaxrs:inInterceptors&gt;
    &lt;ref bean="depthInterceptor"/&gt;
  &lt;/jaxrs:inInterceptors&gt;
&lt;/jaxrs:server&gt;

</pre>
</div></div>

<p>When one of the limits is reached, an error is returned: JAX-WS consumers will receive
a 500 and JAX-RS/HTTP consumers a 413.</p>
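
<p>How limits of this kind can be enforced while the XML is still being streamed, as an added example
that uses only the JDK and is not CXF's DepthRestrictingStreamInterceptor code. The class names and the
constructed inputs are assumptions; the thresholds are the ones from the bean definition above, and the same
idea underlies the per-element limits in the 2.7.4 table.</p>

```java
import java.io.StringReader;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.util.StreamReaderDelegate;

// Added illustration (Java 11+, JDK only). LimitingReader is a hypothetical class, not CXF source.
public class LimitingReaderDemo {
    static class LimitingReader extends StreamReaderDelegate {
        private final int maxElements, maxChildren, maxDepth;
        private final Deque<int[]> open = new ArrayDeque<>(); // one child counter per open element
        private int total;                                    // elements seen so far in the document

        LimitingReader(XMLStreamReader r, int maxElements, int maxChildren, int maxDepth) {
            super(r);
            this.maxElements = maxElements; this.maxChildren = maxChildren; this.maxDepth = maxDepth;
        }

        // Only next() is guarded here; a complete wrapper would guard nextTag() the same way.
        @Override
        public int next() throws XMLStreamException {
            int event = super.next();
            if (event == XMLStreamConstants.START_ELEMENT) {
                if (++total > maxElements) throw new XMLStreamException("total elements > " + maxElements);
                int[] parent = open.peek();
                if (parent != null && ++parent[0] > maxChildren) throw new XMLStreamException("child elements > " + maxChildren);
                open.push(new int[1]);
                if (open.size() > maxDepth) throw new XMLStreamException("depth > " + maxDepth);
            } else if (event == XMLStreamConstants.END_ELEMENT) {
                open.pop();
            }
            return event;
        }
    }

    // Streams the whole document; parsing stops at the first limit that is crossed.
    static String check(String xml) {
        try {
            XMLInputFactory f = XMLInputFactory.newFactory();
            f.setProperty(XMLInputFactory.SUPPORT_DTD, false); // no DTD processing, so no entity expansion
            XMLStreamReader r = new LimitingReader(f.createXMLStreamReader(new StringReader(xml)), 5000, 3000, 20);
            while (r.hasNext()) r.next();
            return "accepted";
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: ordinary, too deep, too wide, too many elements overall.
        String group = "<g>" + "<i/>".repeat(2000) + "</g>";
        System.out.println(check("<order><item/><item/></order>"));
        System.out.println(check("<a>".repeat(50) + "</a>".repeat(50)));
        System.out.println(check("<list>" + "<i/>".repeat(5000) + "</list>"));
        System.out.println(check("<r>" + group.repeat(3) + "</r>"));
    }
}
```

<p>Because the check runs on each START_ELEMENT event, an oversized document is rejected before the rest of it is read or bound to objects.</p>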

<p>The following system properties can also be set up for JAX-WS endpoints: "org.apache.cxf.staxutils.innerElementCountThreshold"
and "org.apache.cxf.staxutils.innerElementLevelThreshold".</p>

<p>Please check this <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+Data+Bindings#JAX-RSDataBindings-ControllingLargeJAXBXMLandJSONinputpayloads"
class="external-link" rel="nofollow">section</a> for additional information on
how JAX-RS JAXB-based providers can be configured.</p>

<h2><a name="Security-Multiparts"></a>Multiparts</h2>

<p>The "org.apache.cxf.io.CachedOutputStream.MaxSize" system property or the "attachment-max-size"
per-endpoint contextual property can be used to control the size of large attachments. When
the limit is reached, an error is returned: JAX-WS consumers will receive a 500 and JAX-RS/HTTP
consumers a 413.</p>

<h1><a name="Security-Largedatastreamcaching"></a>Large data stream caching</h1>

<p>A large stream-based message or data will be cached in a temporary file. By default,
this caching occurs when the data size is larger than 64K bytes, and the temporary file is written to
the system's temporary directory. You can change this behavior and other properties of the
caching feature by explicitly setting the following properties.</p>

<p>To change the default behavior for the entire system, you can set the following system
properties.</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Property Name </th>
<th class='confluenceTh'> Value </th>
</tr>
<tr>
<td class='confluenceTd'> org.apache.cxf.io.CachedOutputStream.Threshold </td>
<td class='confluenceTd'> The threshold value in bytes to switch from memory to file
caching </td>
</tr>
<tr>
<td class='confluenceTd'> org.apache.cxf.io.CachedOutputStream.MaxSize </td>
<td class='confluenceTd'> The data size in bytes to limit the maximum data size to be
cached </td>
</tr>
<tr>
<td class='confluenceTd'> org.apache.cxf.io.CachedOutputStream.OutputDirectory </td>
<td class='confluenceTd'> The directory name for storing the temporary files </td>
</tr>
<tr>
<td class='confluenceTd'> org.apache.cxf.io.CachedOutputStream.CipherTransformation
</td>
<td class='confluenceTd'> The cipher transformation name for encrypting the cached
content </td>
</tr>
</tbody></table>
</div>


<p>To change the default behavior for a specific bus, you can set the corresponding
bus.io.CachedOutputStream properties (e.g., bus.io.CachedOutputStream.Threshold for org.apache.cxf.io.CachedOutputStream.Threshold).</p>

<p>The encryption option, which is available from CXF 2.6.4 and 2.7.1, uses symmetric
encryption with a generated key and can be used to protect the cached content from unauthorized
access. To enable encryption, the CipherTransformation property can be set to the name of
an appropriate stream or 8-bit block cipher transformation (e.g., RC4, AES/CTR/NoPadding,
etc.) that is supported by the environment. Note, however, that enabling encryption
increases processing time, so it is recommended only in specific
use cases where other means of protecting the cached content are unavailable.</p>
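
<p>The caching behaviour described in this section (memory up to a threshold, then a temporary file encrypted
with a generated key, with a hard size cap), as an added example that uses only the JDK and is not CXF's
CachedOutputStream implementation. The class name, the 1 MB cap and the sample payload are assumptions.</p>

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

// Added illustration (Java 9+, JDK only); a hypothetical class, not CXF's CachedOutputStream.
public class SpillingCacheDemo extends OutputStream {
    static final String TRANSFORMATION = "AES/CTR/NoPadding"; // stream-style mode, no padding
    private final int threshold;   // bytes kept in memory before switching to a file
    private final long maxSize;    // hard cap on cached bytes
    private final SecretKey key;   // generated per instance, held in memory only
    private ByteArrayOutputStream mem = new ByteArrayOutputStream();
    private OutputStream file;     // encrypting stream over the temp file, once spilled
    private Path path;
    private byte[] iv;
    private long size;

    SpillingCacheDemo(int threshold, long maxSize) throws GeneralSecurityException {
        this.threshold = threshold; this.maxSize = maxSize;
        this.key = KeyGenerator.getInstance("AES").generateKey(); // provider default key size
    }
    @Override public void write(int b) throws IOException { write(new byte[] {(byte) b}, 0, 1); }
    @Override public void write(byte[] b, int off, int len) throws IOException {
        if (size + len > maxSize) throw new IOException("cache limit of " + maxSize + " bytes exceeded");
        size += len;
        if (file == null && size > threshold) spill();
        (file != null ? file : mem).write(b, off, len);
    }
    private void spill() throws IOException {
        try {
            Cipher c = Cipher.getInstance(TRANSFORMATION);
            c.init(Cipher.ENCRYPT_MODE, key);             // provider generates a random IV
            iv = c.getIV();
            path = Files.createTempFile("cache-", ".tmp");
            file = new CipherOutputStream(Files.newOutputStream(path), c);
            mem.writeTo(file);                            // move what was buffered so far
            mem = null;
        } catch (GeneralSecurityException e) { throw new IOException(e); }
    }
    @Override public void close() throws IOException { if (file != null) file.close(); }
    InputStream read() throws IOException, GeneralSecurityException {
        if (file == null) return new ByteArrayInputStream(mem.toByteArray());
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return new CipherInputStream(Files.newInputStream(path), c);
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = new byte[200 * 1024];            // constructed sample body
        Arrays.fill(payload, (byte) 'A');
        SpillingCacheDemo cache = new SpillingCacheDemo(64 * 1024, 1024 * 1024);
        cache.write(payload);
        cache.close();                                    // flush the cipher before reading back
        System.out.println("temp file equals plaintext: " + Arrays.equals(Files.readAllBytes(cache.path), payload));
        try (InputStream in = cache.read()) {
            System.out.println("round trip intact: " + Arrays.equals(in.readAllBytes(), payload));
        }
        Files.delete(cache.path);
    }
}
```

<p>AES/CTR/NoPadding is used here rather than RC4, which the paragraph also lists. CTR mode gives confidentiality only, so the temporary file is unreadable without the in-memory key but is not protected against modification.</p>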
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
