cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r953093 - in /websites/production/cxf/content: cache/docs.pageCache docs/securing-cxf-services.html
Date Fri, 29 May 2015 13:47:23 GMT
Author: buildbot
Date: Fri May 29 13:47:23 2015
New Revision: 953093

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/docs/securing-cxf-services.html
Modified:
    websites/production/cxf/content/cache/docs.pageCache

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/cxf/content/docs/securing-cxf-services.html
==============================================================================
--- websites/production/cxf/content/docs/securing-cxf-services.html (added)
+++ websites/production/cxf/content/docs/securing-cxf-services.html Fri May 29 13:47:23 2015
@@ -0,0 +1,270 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+  <head>
+
+<link type="text/css" rel="stylesheet" href="/resources/site.css">
+<script src='/resources/space.js'></script>
+
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture,
web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support,
integration standards, application integration, middleware, software, solutions, services,
CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - Securing CXF Services">
+
+
+<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
+<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
+
+<script src='/resources/highlighter/scripts/shCore.js'></script>
+<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script>
+  SyntaxHighlighter.defaults['toolbar'] = false;
+  SyntaxHighlighter.all();
+</script>
+
+
+    <title>
+Apache CXF -- Securing CXF Services
+    </title>
+  </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+  <tr>
+    <td id="cell-0-0" colspan="2">&nbsp;</td>
+    <td id="cell-0-1">&nbsp;</td>
+    <td id="cell-0-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-1-0">&nbsp;</td>
+    <td id="cell-1-1">&nbsp;</td>
+    <td id="cell-1-2">
+      <!-- Banner -->
+<div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0"
width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight:
bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/" title="The Apache Sofware Foundation"><img
border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
+</td></tr></table></div></div>
+      <!-- Banner -->
+      <div id="top-menu">
+        <table border="0" cellpadding="1" cellspacing="0" width="100%">
+          <tr>
+            <td>
+              <div align="left">
+                <!-- Breadcrumbs -->
+<a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a href="securing-cxf-services.html">Securing
CXF Services</a>
+                <!-- Breadcrumbs -->
+              </div>
+            </td>
+            <td>
+              <div align="right">
+                <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="http://cxf.apache.org/download.html">Download</a>
| <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
+                <!-- Quicklinks -->
+              </div>
+            </td>
+          </tr>
+        </table>
+      </div>
+    </td>
+    <td id="cell-1-3">&nbsp;</td>
+    <td id="cell-1-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-2-0" colspan="2">&nbsp;</td>
+    <td id="cell-2-1">
+      <table>
+        <tr valign="top">
+          <td height="100%">
+            <div id="wrapper-menu-page-right">
+              <div id="wrapper-menu-page-top">
+                <div id="wrapper-menu-page-bottom">
+                  <div id="menu-page">
+                    <!-- NavigationBar -->
+<div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a
shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect"
href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a
shape="rect" href="transports.html">Transports</a></li><li><a shape="rect"
href="configuration.html">Configuration</a></li><li><a shape="rect"
href="debugging-and-logging.html">Debugging and Logging</a></li><li><a
shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful
Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL
Bindings</a></li><li><a shape="rect" href="service-routing.html">Service
Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic
Languages</a></li><li><a shape="rect" href="ws-support.html">WS-*
Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced
Integration</a></li><li><a shape
 ="rect" href="deployment.html">Deployment</a></li><li><a shape="rect"
href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul><hr><ul
class="alternate"><li><p>Search</p></li></ul><form enctype="application/x-www-form-urlencoded"
method="get" id="cse-search-box" action="http://www.google.com/cse">
+  <div>
+    <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+    <input type="hidden" name="ie" value="UTF-8">
+    <input type="text" name="q" size="21">
+    <input type="submit" name="sa" value="Search">
+  </div>
+</form>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script><hr><ul
class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API
3.1.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest-3.0.x/">API
3.0.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF
Website</a></li></ul></div>
+                    <!-- NavigationBar -->
+                  </div>
+              </div>
+            </div>
+          </div>
+         </td>
+         <td height="100%">
+           <!-- Content -->
+           <div class="wiki-content">
+<div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1432907241874 {padding: 0px;}
+div.rbtoc1432907241874 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1432907241874 li {margin-left: 0px;padding-left: 0px;}
+
+/*]]>*/</style></p><div class="toc-macro rbtoc1432907241874">
+<ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-Securetransports">Secure
transports</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-HTTPS">HTTPS</a></li></ul>
+</li><li><a shape="rect" href="#SecuringCXFServices-SecuringJAX-WSservices">Securing
JAX-WS services</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-WS-Security">WS-Security</a></li><li><a
shape="rect" href="#SecuringCXFServices-WS-SecurityPolicy">WS-SecurityPolicy</a></li><li><a
shape="rect" href="#SecuringCXFServices-WS-SecureConversation">WS-SecureConversation</a></li><li><a
shape="rect" href="#SecuringCXFServices-WS-Trust,STS">WS-Trust, STS</a></li></ul>
+</li><li><a shape="rect" href="#SecuringCXFServices-SecuringJAX-RSservices">Securing
JAX-RS services</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-JAX-RSXMLSecurity">JAX-RS
XML Security</a></li><li><a shape="rect" href="#SecuringCXFServices-JAX-RSSAML">JAX-RS
SAML</a></li></ul>
+</li><li><a shape="rect" href="#SecuringCXFServices-SSO">SSO</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-SAMLWebSSO">SAML
Web SSO</a></li><li><a shape="rect" href="#SecuringCXFServices-WS-Federation">WS-Federation</a></li></ul>
+</li><li><a shape="rect" href="#SecuringCXFServices-OAuth">OAuth</a></li><li><a
shape="rect" href="#SecuringCXFServices-Authentication">Authentication</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-JAASLoginInterceptor">JAASLoginInterceptor</a></li><li><a
shape="rect" href="#SecuringCXFServices-Kerberos">Kerberos</a></li></ul>
+</li><li><a shape="rect" href="#SecuringCXFServices-Authorization">Authorization</a></li><li><a
shape="rect" href="#SecuringCXFServices-ControllingLargeRequestPayloads">Controlling Large
Request Payloads</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-XML">XML</a></li><li><a
shape="rect" href="#SecuringCXFServices-XML-CXFversionspriorto2.7.4">XML - CXF versions
prior to 2.7.4</a></li><li><a shape="rect" href="#SecuringCXFServices-Multiparts">Multiparts</a></li></ul>
+</li><li><a shape="rect" href="#SecuringCXFServices-Largedatastreamcaching">Large
data stream caching</a></li></ul>
+</div><h1 id="SecuringCXFServices-Securetransports">Secure transports</h1><h2
id="SecuringCXFServices-HTTPS">HTTPS</h2><p>Please see the <a shape="rect"
href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html">Configuring
SSL Support</a> page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-WSservices">Securing
JAX-WS services</h1><h2 id="SecuringCXFServices-WS-Security">WS-Security</h2><p>CXF
supports WS-Security via the Apache WSS4J project. WSS4J provides an implementation of the
following WS-Security standards:</p><ul><li><a shape="rect" class="external-link"
href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SOAPMessageSecurity.pdf" rel="nofollow">
SOAP Message Security 1.1</a></li><li><a shape="rect" class="external-link"
href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf" rel="nofollow">Username
Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org
 /wss/v1.1/wss-v1.1-spec-os-x509TokenProfile.pdf" rel="nofollow">X.509 Certificate Token
Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SAMLTokenProfile.pdf"
rel="nofollow">SAML Token Profile 1.1</a></li><li><a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-KerberosTokenProfile.pdf"
rel="nofollow">Kerberos Token Profile 1.1</a></li><li><a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SwAProfile.pdf"
rel="nofollow">SOAP Messages with Attachments Profile 1.1</a></li><li><a
shape="rect" class="external-link" href="http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html"
rel="nofollow">Basic Security Profile 1.1</a></li></ul><p>Please
see the <a shape="rect" href="ws-security.html">WS-Security</a> page for more
information.</p><h2 id="SecuringCXFServices-WS-SecurityPolicy">WS-SecurityPolicy</h2><p>CXF
fully supports WS
 -SecurityPolicy, which allows you to configure WS-Security requirements for an endpoint using
a WS-Policy annotation. This is the recommended way of configuring WS-Security. Policies can
be added in a WSDL or else referenced via an annotation in code.</p><p>The WS-SecurityPolicy
layer and the XML-Security layer in Apache CXF share a common set of security configuration
tags from CXF 3.1.0. The <a shape="rect" href="security-configuration.html">Security
Configuration</a> page details these tags and values. There are also some addition configuration
tags, that are only used for when security is configured via WS-SecurityPolicy, see the following
<a shape="rect" href="ws-securitypolicy.html">page</a> for more information.</p><h2
id="SecuringCXFServices-WS-SecureConversation">WS-SecureConversation</h2><p>CXF
fully supports WS-SecureConveration, see the following <a shape="rect" href="ws-secureconversation.html">page</a>
for more information.</p><h2 id="SecuringCXFServices-WS-Trust,STS">
 WS-Trust, STS</h2><p>CXF ships with a advanced SecurityTokenService (STS) implementation
that can be used to issue (SAML) tokens for authentication. CXF also supports communicating
with the STS using the WS-Trust specification. SSO is supported by caching the tokens on the
client side. Please see the <a shape="rect" class="external-link" href="https://cwiki.apache.org/CXF20DOC/ws-trust.html">WS-Trust</a>
page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-RSservices">Securing
JAX-RS services</h1><h2 id="SecuringCXFServices-JAX-RSXMLSecurity">JAX-RS XML
Security</h2><p>It is possible to secure XML based JAX-RS requests (and responses)
using XML Signature and Encryption. See the <a shape="rect" href="jax-rs-xml-security.html">JAX-RS
XML Security</a> page for more information.</p><h2 id="SecuringCXFServices-JAX-RSSAML">JAX-RS
SAML</h2><p>See the <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a>
page on creating SAML Assertions and adding them to a JAX-RS request
 , as well as how to validate them on the receiving side.</p><h1 id="SecuringCXFServices-SSO">SSO</h1><h2
id="SecuringCXFServices-SAMLWebSSO">SAML Web SSO</h2><p>Please see <a shape="rect"
class="external-link" href="http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html"
rel="nofollow">this blog entry</a> announcing the support for SAML Web SSO profile
and the <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO">SAML
Web SSO</a> page for more information. CXF fully supports the SAML Web SSO profile on
the service provider side. As of yet however, no IdP is available in CXF.</p><h2
id="SecuringCXFServices-WS-Federation">WS-Federation</h2><p>Apache CXF <a
shape="rect" href="../fediz.html">Fediz</a> is a subproject of CXF. Fediz helps you
to secure your web applications and delegates security enforcement to the underlying application
server. With Fediz, authentication is externalized from your web application to an identity
p
 rovider installed as a dedicated server component. The supported standard is <a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002"
rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a
shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Claims-based_identity"
rel="nofollow">Claims Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h1
id="SecuringCXFServices-OAuth">OAuth</h1><p>Please check <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html">OAuth2.0</a> and <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth.html">OAuth1.0</a> pages for the information
about the support for OAuth 2.0 and OAuth 1.0 in CXF.</p><h1 id="SecuringCXFServices-Authentication">Authentication</h1><h2
id="SecuringCXFServices-JAASLoginInterceptor">JAASLoginInterceptor</h2><p>Container
or Spring Security managed authentication as well as t
 he custom authentication are all the viable options used by CXF developers.</p><p>Starting
from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor
in order to authenticate a current user and populate a CXF SecurityContext.</p><p>Example
:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;jaxws:endpoint
address=&quot;/soapService&quot;&gt;
+ &lt;jaxws:inInterceptors&gt;
+   &lt;ref bean=&quot;authenticationInterceptor&quot;/&gt;
+ &lt;/jaxws:inInterceptors&gt;
+&lt;/jaxws:endpoint&gt;
+
+&lt;bean id=&quot;authenticationInterceptor&quot; class=&quot;org.apache.cxf.interceptor.security.JAASLoginInterceptor&quot;&gt;
+   &lt;property name=&quot;contextName&quot; value=&quot;jaasContext&quot;/&gt;
+   &lt;property name=&quot;roleClassifier&quot; value=&quot;ROLE_&quot;/&gt;
+
+&lt;/bean&gt;
+&lt;!--
+  Similarly for JAX-RS endpoints.
+  Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter
+  can be registered as jaxrs:provider instead
+--&gt;
+]]></script>
+</div></div><p>The JAAS authenticator is configured with the name of the
JAAS login context (the one usually specified in the JAAS configuration resource which the
server is aware of). It is also configured with an optional "roleClassifier" property which
is needed by the CXF SecurityContext in order to differentiate between user and role Principals.
By default CXF will assume that role Principals are represented by javax.security.acl.Group
instances.</p><p>In some cases objects representing a user principal and roles
are implementing the same marker interface such as Principal. That can be handled like this:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;bean
id=&quot;authenticationInterceptor&quot; class=&quot;org.apache.cxf.interceptor.security.JAASLoginInterceptor&quot;&gt;
+   &lt;property name=&quot;contextName&quot; value=&quot;jaasContext&quot;/&gt;
+   &lt;property name=&quot;roleClassifier&quot; value=&quot;RolePrincipal&quot;/&gt;
+   &lt;property name=&quot;roleClassifierType&quot; value=&quot;classname&quot;/&gt;
+&lt;/bean&gt;
+&lt;!-- Similarly for JAX-RS endpoints --&gt;
+]]></script>
+</div></div><p>In this case JAASLoginInterceptor will know that the roles
are represented by a class whose simple name is RolePrincipal. Note that full class names
are also supported.</p><h2 id="SecuringCXFServices-Kerberos">Kerberos</h2><p>Please
see <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29">this
page</a> for the information about Spnego/Kerberos HTTPConduit client support.</p><p>Please
check the following blog entries about WS-Security Kerberos support in CXF:</p><p><a
shape="rect" class="external-link" href="http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part-i.html"
rel="nofollow">Using Kerberos with Web Services - part 1</a><br clear="none">
<a shape="rect" class="external-link" href="http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html"
rel="nofollow">Using Kerberos with Web Services - part 2<
 /a><br clear="none"> <a shape="rect" class="external-link" href="http://coheigea.blogspot.com/2012/02/ws-trust-spnego-support-in-apache-cxf.html"
rel="nofollow">WS-Trust SPNego support in Apache CXF </a></p><p>Please
check the following <a shape="rect" href="jaxrs-kerberos.html">page</a> about
Kerberos support in JAX-RS.</p><h1 id="SecuringCXFServices-Authorization">Authorization</h1><p>Container
or Spring Security managed authorization as well as the custom authorization are all the viable
options used by CXF developers.</p><p>CXF 2.3.2 and 2.4.0 introduce org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor
and org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor interceptors which can
help with enforcing the authorization rules.</p><p>Example :</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;jaxws:endpoint
id=&quot;endpoint1&quot; address=&quot;/soapService1&quot;&gt;
+ &lt;jaxws:inInterceptors&gt;
+   &lt;ref bean=&quot;authorizationInterceptor&quot;/&gt;
+ &lt;/jaxws:inInterceptors&gt;
+&lt;/jaxws:endpoint&gt;
+
+&lt;bean id=&quot;authorizationInterceptor&quot; class=&quot;org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor&quot;&gt;
+   &lt;property name=&quot;methodRolesMap&quot;&gt;
+      &lt;map&gt;
+        &lt;!-- no wildcard support, names need to match exactly --&gt;
+        &lt;entry key=&quot;addNumbers&quot; value=&quot;ROLE_USER ROLE_ADMIN&quot;/&gt;
+        &lt;entry key=&quot;divideNumbers&quot; value=&quot;ROLE_ADMIN&quot;/&gt;
+      &lt;/map&gt;
+   &lt;/property&gt;
+   &lt;!-- its possible to define global roles that apply to all WSDL operations not
listed above --&gt;
+   &lt;property name=&quot;globalRoles&quot; value=&quot;ROLE_ADMIN&quot;/&gt;
+&lt;/bean&gt;
+
+&lt;jaxws:endpoint id=&quot;endpoint2&quot; address=&quot;/soapService2&quot;
implementor=&quot;#secureBean&quot;&gt;
+ &lt;jaxws:inInterceptors&gt;
+   &lt;ref bean=&quot;authorizationInterceptor2&quot;/&gt;
+ &lt;/jaxws:inInterceptors&gt;
+&lt;/jaxws:endpoint&gt;
+
+&lt;!-- This bean is annotated with secure annotations such as RolesAllowed --&gt;
+&lt;bean id=&quot;secureBean&quot; class=&quot;org.apache.cxf.tests.security.SecureService&quot;/&gt;
+
+&lt;bean id=&quot;authorizationInterceptor2&quot; class=&quot;org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor&quot;&gt;
+   &lt;property name=&quot;securedObject&quot; ref=&quot;secureBean&quot;/&gt;
+&lt;/bean&gt;
+
+]]></script>
+</div></div><h1 id="SecuringCXFServices-ControllingLargeRequestPayloads">Controlling
Large Request Payloads</h1><h2 id="SecuringCXFServices-XML">XML</h2><p>Starting
with CXF 2.7.4, CXF now requires use of a StAX parser that can provide fine grained control
over the size of the incoming XML. The only parser that will currently work is Woodstox 4.2
or newer. The main reason is there are a series of DOS attacks that can only be prevented
at the StAX parser level. There is a "org.apache.cxf.stax.allowInsecureParser" System Property
that can be set to true to allow using an insecure parser, but that is HIGHLY not recommended
and doing so would also now allow the settings described in this section.</p><p>CXF
has several default settings that will prevent malicious XML from causing various DOS failures.
You can override the default values if you know you will have incoming XML that will exceed
these limits. These settings can be set as Bus level properties, endpoint level properties,
or ev
 en per request via an interceptor.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Setting</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Default</p></th><th
colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.stax.maxChildElements</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>50000</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Maximum number of child elements
for a given parent element</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>org.apache.cxf.stax.maxElementDepth</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>100</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Maximum depth of an element</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.stax.maxAttributeCount</p></td><td
colspan="1" rowspan="1" c
 lass="confluenceTd"><p>500</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>Maximum
number of attributes on a single element</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p>org.apache.cxf.stax.maxAttributeSize</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>64K</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Maximum size of a single attribute</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.stax.maxTextLength</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>128M</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Maximum size of an elements text value</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.stax.maxElementCount</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Long.MAX_VALUE</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Maximum total number of elements
in the XML document</p></td></tr><tr><td colspan="1" row
 span="1" class="confluenceTd"><p>org.apache.cxf.stax.maxXMLCharacters</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Long.MAX_VALUE</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Maximum total number of characters
parsed by the parser</p></td></tr></tbody></table></div><h2
id="SecuringCXFServices-XML-CXFversionspriorto2.7.4">XML - CXF versions prior to 2.7.4</h2><p>Endpoints
expecting XML payloads may get <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java">DepthRestrictingInterceptor</a>
registered and configured in order to control the limits a given XML payload may not exceed.
This can be useful in a variety of cases in order to protect against massive payloads which
can potentially cause the denial-of-service situation or simply slow the service down a lot.</p><p>The
complete number of XML elements, the number of immediate c
 hildren of a given XML element may contain and the stack depth of the payload can be restricted,
for example:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;bean
id=&quot;depthInterceptor&quot; class=&quot;org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor&quot;&gt;
+  &lt;!-- Total number of elements in the XML payload --&gt;
+  &lt;property name=&quot;elementCountThreshold&quot; value=&quot;5000&quot;/&gt;
+
+  &lt;!-- Total number of child elements for XML elements --&gt;
+  &lt;property name=&quot;innerElementCountThreshold&quot; value=&quot;3000&quot;/&gt;
+
+  &lt;!-- Maximum stack depth of the XML payload --&gt;
+  &lt;property name=&quot;innerElementLevelThreshold&quot; value=&quot;20&quot;/&gt;
+
+&lt;/bean&gt;
+
+&lt;jaxws:endpoint&gt;
+  &lt;jaxws:inInterceptors&gt;
+   &lt;ref bean=&quot;depthInterceptor&quot;/&gt;
+ &lt;/jaxws:inInterceptors&gt;
+&lt;jaxws:endpoint&gt;
+
+&lt;jaxrs:server&gt;
+  &lt;jaxrs:inInterceptors&gt;
+   &lt;ref bean=&quot;depthInterceptor&quot;/&gt;
+ &lt;/jaxrs:inInterceptors&gt;
+&lt;jaxrs:server&gt;
+
+]]></script>
+</div></div><p>When one of the limits is reached, the error is returned.
JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413.</p><p>The following
system properties can also be set up for JAX-WS endpoints: "org.apache.cxf.staxutils.innerElementCountThreshold"
and "org.apache.cxf.staxutils.innerElementLevelThreshold".</p><p>Please check
this <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+Data+Bindings#JAX-RSDataBindings-ControllingLargeJAXBXMLandJSONinputpayloads">section</a>
for the additional information on how JAX-RS JAXB-based providers can be configured.</p><h2
id="SecuringCXFServices-Multiparts">Multiparts</h2><p>The "org.apache.cxf.io.CachedOutputStream.MaxSize"
system property or "attachment-max-size" per-endpoint contextual property can be used to control
the size of large attachments. When the limits is reached, the error is returned. JAX-WS consumers
will receive 500, JAX-RS/HTTP consumers: 413.</p><h1 id="SecuringCXFServices-Lar
 gedatastreamcaching">Large data stream caching</h1><p>A large stream based
message or data will be cached in a temporary file. In default, this caching occurs at data
size larger than 64K bytes and a temporary file is written in the system's temporary directory.
You can change this behavior and other properties of the caching feature by explicitly setting
the following properties.</p><p>To change the default behavior for the entire
system, you can set the following system properties.</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Property
Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Value</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.Threshold</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The threshold value in bytes to switch
from memory to file caching</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd
 "><p>org.apache.cxf.io.CachedOutputStream.MaxSize</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The data size in bytes to limit the maximum data
size to be cached</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.OutputDirectory</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The directory name for storing the
temporary files</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.CipherTransformation</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The cipher transformation name for
encryptiing the cached content</p></td></tr></tbody></table></div><p>To
change the default behavior for a specific bus, you can set the corresponding bus.io.CachedOutputStream
properties (e.g., bus.io.CachedOutputStream.Threshold for org.apache.cxf.io.CachedOutputStream.Threshold).</p><p>The
encryption option, which is available from CXF 2.6.4 and 2.7.1, uses a s
 ymmetric encryption using a generated key and it can be used to protect the cached content
from unauthorized access. To enable encryption, the CipherTransformation property can be set
to the name of an appropriate stream or 8-bit block cipher transformation (e.g., RC4, AES/CTR/NoPadding,
etc) that is supported by the environment. However, it is noted that enabling the encryption
will result in an increased processing time and it is therefore recommended only in specific
use cases where other means to protect the cached content is unavailable.</p></div>
+           </div>
+           <!-- Content -->
+         </td>
+        </tr>
+      </table>
+   </td>
+   <td id="cell-2-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+   <td id="cell-3-0">&nbsp;</td>
+   <td id="cell-3-1">&nbsp;</td>
+   <td id="cell-3-2">
+     <div id="footer">
+       <!-- Footer -->
+       <div id="site-footer">
+         <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a>
- 
+         (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=24190972">edit
page</a>) 
+	 (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=24190972&amp;showComments=true&amp;showCommentArea=true#addcomment">add
comment</a>)<br>
+	Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
+        All other marks mentioned may be trademarks or registered trademarks of their respective
owners.
+       </div>
+       <!-- Footer -->
+     </div>
+   </td>
+   <td id="cell-3-3">&nbsp;</td>
+   <td id="cell-3-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-4-0" colspan="2">&nbsp;</td>
+    <td id="cell-4-1">&nbsp;</td>
+    <td id="cell-4-2" colspan="2">&nbsp;</td>
+  </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
+document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+



Mime
View raw message