cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r969874 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html docs/securing-cxf-services.html
Date Thu, 22 Oct 2015 14:49:23 GMT
Author: buildbot
Date: Thu Oct 22 14:49:23 2015
New Revision: 969874

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html
    websites/production/cxf/content/docs/securing-cxf-services.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Thu Oct 22 14:49:23 2015
@@ -118,15 +118,15 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1435780180689 {padding: 0px;}
-div.rbtoc1435780180689 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1435780180689 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1445525232766 {padding: 0px;}
+div.rbtoc1445525232766 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1445525232766 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1435780180689">
+/*]]>*/</style></p><div class="toc-macro rbtoc1445525232766">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONEncryption">JSON Encryption</a></li><li><a shape="rect"
href="#JAX-RSJOSE-JSONWebTokens">JSON Web Tokens</a></li><li><a shape="rect"
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications
to JWS or JWE content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWE">JWE</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWS">JWS</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting
JWK stores</a></li></ul>
+<ul class="toc-indentation"><ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration that
applies to both encryption and signature</a></li></ul><li><a shape="rect"
href="#JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</a></li><li><a
shape="rect" href="#JAX-RSJOSE-OIDCandJose">OIDC and Jose</a></li><li><a
shape="rect" href="#JAX-RSJOSE-FutureWork">Future Work</a></li><li><a
shape="rect" href="#JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</a></li></ul>
 </div><h1 id="JAX-RSJOSE-Introduction">Introduction</h1><p>CXF 3.0.x
implements <a shape="rect" class="external-link" href="https://datatracker.ietf.org/wg/jose/documents/"
rel="nofollow">JOSE</a>.</p><h1 id="JAX-RSJOSE-MavenDependencies">Maven
Dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;dependency&gt;
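Review bot: the added TOC line under Configuration opens with `<ul class="toc-indentation"><ul class="toc-indentation"><li>`, placing the inner list directly inside the outer `<ul>` rather than inside an `<li>`, which is not valid list nesting. The new section heading in the next hunk is an h4 while its sibling "Encrypting JWK stores" is an h2, and that skipped level is the likely cause; making the new heading an h2 (or h3) in the wiki source should let the TOC macro emit a well-formed list.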
@@ -176,7 +176,7 @@ AesWrapKeyDecryptionAlgorithm keyDecrypt
 JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
 String decryptedText = decryption.decrypt(jweContent).getContentText();
 assertEquals(specPlainText, decryptedText);</pre>
-</div></div><p>&#160;</p><p>CXF ships JWE related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this
package</a> and offers a support for all of JWA encryption algorithms.</p><p><a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a>
- decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and
JweCompactProducer offer a utility support for creating and validating JWE compact serialization
and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created
out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that
offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer
and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream
is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see
one of the next sections)</p><p>to support the best effort at streaming the content
while encrypting it.&#160; These classes will use <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 /main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
optionally returned from JweEncryptionProvider</p><p>instead of working with the
consumer utility classes which deal with the encryption process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web
Tokens</h1><p>&#160;</p><p><a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON
Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON
container for representing various properties or claims.</p><p>JWT can be signed
and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>&#160;</p><p>JWT
has been primarily used in OAuth2 applications to represent self-contained access tokens but
can also be used in other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this
package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking
JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><p>A variety of signature and
encryption key properties is supported. Add more...</p><h2 id="JAX-RSJOSE-EncryptingJWKstores">Encrypting
JWK stores</h2><p>JAX-RS filters can read the keys from encrypted JWK stores.
The stores are encrypted inline or in separate storages (files). By default the filters expect
that the stores has been encrypted using</p><p>a password based <a shape="rect"
cl
 ass="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8"
rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD">password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens.
Authorization code JOSE requests can already be processed. Utility support for validating
JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC
and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE
module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future
Work</h1><p>OAuth2, WebCryp
 to, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a
shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a>
is a top project from Brian Campbell.&#160; CXF users are encouraged to experiment with
Jose4J (or indeed with other 3rd party implementations) if they prefer.</p><p>TODO:
describe how Jose4J can be integrated with CXF filters if preferred.</p><p>&#160;</p></div>
+</div></div><p>&#160;</p><p>CXF ships JWE related classes
in <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe;h=71e0e29025252080838168458b3d2e0179a7a0bd;hb=HEAD">this
package</a> and offers a support for all of JWA encryption algorithms.</p><p><a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a>
supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a>
- decrypting the content. Encryptors and
  Decryptors for all of JWE algorithms are shipped.</p><p>JweCompactConsumer and
JweCompactProducer offer a utility support for creating and validating JWE compact serialization
and accept keys in a variety of formats</p><p>(as JWKs, JCA representations, created
out of band and wrapped in either JweEncryptionProvider or JweDecryptionProvider).</p><p>JweJwtCompactConsumer
and JweJwtCompactProducer are JweCompactConsumer and JweCompactProducer specializations that
offer a utility support for encrypting Json Web Tokens in a compact format.</p><p>JweJsonConsumer
and JweJsonProducer support JWE JSON (full) serialization.</p><p>JweOutputStream
is a specialized output stream that can be used in conjunction with JWE JAX-RS filters (see
one of the next sections)</p><p>to support the best effort at streaming the content
while encrypting it.&#160; These classes will use <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src
 /main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java;h=918ef5a085c3dc51025e2e9cbba37388f37eb49e;hb=HEAD">JweEncryptionOutput</a>&#160;
optionally returned from JweEncryptionProvider</p><p>instead of working with the
consumer utility classes which deal with the encryption process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h1 id="JAX-RSJOSE-JSONWebTokens">JSON Web
Tokens</h1><p>&#160;</p><p><a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32" rel="nofollow">JSON
Web Token</a> (JWT) is a collection of claims in JSON format. It offers a standard JSON
container for representing various properties or claims.</p><p>JWT can be signed
and or encrypted, i.e, serve as a JOSE signature or encryption input like any other data structure.</p><p>&#160;</p><p>JWT
has been primarily used in OAuth2 applications to represent self-contained access tokens but
can also be used in other contex
 ts.</p><p>CXF offers an initial JWT support in <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt;h=ab5e633cd9d81374288c46c7d283df49931cc0d8;hb=HEAD">this
package</a>.</p><h1 id="JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking
JWT authentications to JWS or JWE content</h1><p>Add more...</p><h1 id="JAX-RSJOSE-JOSEJAX-RSFilters">JOSE
JAX-RS Filters</h1><h2 id="JAX-RSJOSE-JWE">JWE</h2><h2 id="JAX-RSJOSE-JWS">JWS</h2><h1
id="JAX-RSJOSE-Configuration">Configuration</h1><h4 id="JAX-RSJOSE-Configurationthatappliestobothencryptionandsignature">Configuration
that applies to both encryption and signature</h4><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>rs.security.keystore.type</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The keystore type. Suitable values
are "jks" or "j
 wk".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the keystore.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password</td><td
colspan="1" rowspan="1" class="confluenceTd">The password required to access the private
key (in the keystore).</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.alias</td><td
colspan="1" rowspan="1" class="confluenceTd">&#160;The keystore alias corresponding
to the key to use. You can append one of the following to this tag to get the alias for more
specific operations:<br clear="none">&#160;&#160;&#160;&#160; - jwe.out<br
clear="none">&#160;&#160;&#160;&#160; - jwe.in<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.aliases</t
 d><td colspan="1" rowspan="1" class="confluenceTd">The keystore aliases corresponding
to the keys to use, when using the JSON serialization form. You can append one of the following
to this tag to get the alias for more specific operations:<br clear="none">&#160;&#160;&#160;&#160;
- jws.out<br clear="none">&#160;&#160;&#160;&#160; - jws.in</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.keystore.file</td><td
colspan="1" rowspan="1" class="confluenceTd">The path to the keystore file.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.key.password.provider</td><td
colspan="1" rowspan="1" class="confluenceTd">A reference to a PrivateKeyPasswordProvider
instance used to retrieve passwords to access keys.</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">rs.security.include.public.key</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the JWK public key (for signature
or encryption) in the "jwk" header.</td></tr><tr><
 td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate (for signature
or encryption) in the "x5c" header.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd">rs.security.include.key.id</td><td colspan="1" rowspan="1"
class="confluenceTd">Include the JWK key id (for signature or encryption) in the "kid"
header.</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">rs.security.include.cert.sha1</td><td
colspan="1" rowspan="1" class="confluenceTd">Include the X.509 certificate SHA-1 digest
(for signature or encryption) in the "x5t" header.</td></tr></tbody></table></div><h2
id="JAX-RSJOSE-EncryptingJWKstores">Encrypting JWK stores</h2><p>JAX-RS filters
can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate
storages (files). By default the filters expect that the stores has been encrypted using</p><p>a
password based <a shape="rect" 
 class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.8"
rel="nofollow">PBES2 algorithm</a>. The filters will check a registered <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java;h=bfcde495a9f9fd0f11a2394c758be1d85beb5c60;hb=HEAD">password
provider</a>.</p><h1 id="JAX-RSJOSE-OAuth2andJose">OAuth2 and Jose</h1><p>CXF
OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens.
Authorization code JOSE requests can already be processed. Utility support for validating
JWT-based access tokens is provided.</p><p>Add more...</p><h1 id="JAX-RSJOSE-OIDCandJose">OIDC
and Jose</h1><p>OIDC heavily depends on JOSE. CXF OIDC module utilizes a JOSE
module to support OIDC RP and IDP code. Add more...</p><h1 id="JAX-RSJOSE-FutureWork">Future
Work</h1><p>OAuth2, WebCr
 ypto, OIDC, etc</p><h1 id="JAX-RSJOSE-Third-PartyAlternatives">Third-Party Alternatives</h1><p><a
shape="rect" class="external-link" href="https://bitbucket.org/b_c/jose4j/wiki/Home" rel="nofollow">Jose4J</a>
is a top project from Brian Campbell.&#160; CXF users are encouraged to experiment with
Jose4J (or indeed with other 3rd party implementations) if they prefer.</p><p>TODO:
describe how Jose4J can be integrated with CXF filters if preferred.</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
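Review bot: the new table rows for rs.security.keystore.password and rs.security.key.password say only what the values unlock and give no guidance on where they should be kept. Since rs.security.key.password.provider is listed a few rows further down, those two rows should point to the provider as the alternative to a literal password in the configuration. The rs.security.include.public.key and rs.security.include.cert rows would also benefit from a sentence on how the receiving filters treat a key or certificate carried in the "jwk" or "x5c" header. The table has no header row, and the rs.security.include.* rows do not state a value type or default. The sentence "A variety of signature and encryption key properties is supported." was dropped and could be kept as the lead-in to the table.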

Modified: websites/production/cxf/content/docs/securing-cxf-services.html
==============================================================================
--- websites/production/cxf/content/docs/securing-cxf-services.html (original)
+++ websites/production/cxf/content/docs/securing-cxf-services.html Thu Oct 22 14:49:23 2015
@@ -117,17 +117,17 @@ Apache CXF -- Securing CXF Services
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1435780138048 {padding: 0px;}
-div.rbtoc1435780138048 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1435780138048 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1445525228009 {padding: 0px;}
+div.rbtoc1445525228009 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1445525228009 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1435780138048">
+/*]]>*/</style></p><div class="toc-macro rbtoc1445525228009">
 <ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-Securetransports">Secure
transports</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-HTTPS">HTTPS</a></li></ul>
 </li><li><a shape="rect" href="#SecuringCXFServices-SecuringJAX-WSservices">Securing
JAX-WS services</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-WS-Security">WS-Security</a></li><li><a
shape="rect" href="#SecuringCXFServices-WS-SecurityPolicy">WS-SecurityPolicy</a></li><li><a
shape="rect" href="#SecuringCXFServices-WS-SecureConversation">WS-SecureConversation</a></li><li><a
shape="rect" href="#SecuringCXFServices-WS-Trust,STS">WS-Trust, STS</a></li></ul>
 </li><li><a shape="rect" href="#SecuringCXFServices-SecuringJAX-RSservices">Securing
JAX-RS services</a>
-<ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-JAX-RSXMLSecurity">JAX-RS
XML Security</a></li><li><a shape="rect" href="#SecuringCXFServices-JAX-RSSAML">JAX-RS
SAML</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-JAX-RSXMLSecurity">JAX-RS
XML Security</a></li><li><a shape="rect" href="#SecuringCXFServices-JAX-RSSAML">JAX-RS
SAML</a></li><li><a shape="rect" href="#SecuringCXFServices-JAX-RSJOSE">JAX-RS
JOSE</a></li></ul>
 </li><li><a shape="rect" href="#SecuringCXFServices-SSO">SSO</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-SAMLWebSSO">SAML
Web SSO</a></li><li><a shape="rect" href="#SecuringCXFServices-WS-Federation">WS-Federation</a></li></ul>
 </li><li><a shape="rect" href="#SecuringCXFServices-OAuth">OAuth</a></li><li><a
shape="rect" href="#SecuringCXFServices-Authentication">Authentication</a>
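Review bot: the `div.rbtoc…` CSS rules and the `toc-macro` div at the top of this hunk differ only in the generated id (rbtoc1435780138048 to rbtoc1445525228009), so they carry no content change and will reappear on every rebuild; the same applies to the first hunk of jax-rs-jose.html. The one real change here is the new JAX-RS JOSE entry in the "Securing JAX-RS services" list, whose anchor #SecuringCXFServices-JAX-RSJOSE matches the h2 id added in the next hunk. If the export can emit a stable TOC id, these commits would be much easier to review.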
@@ -135,7 +135,7 @@ div.rbtoc1435780138048 li {margin-left:
 </li><li><a shape="rect" href="#SecuringCXFServices-Authorization">Authorization</a></li><li><a
shape="rect" href="#SecuringCXFServices-ControllingLargeRequestPayloads">Controlling Large
Request Payloads</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-XML">XML</a></li><li><a
shape="rect" href="#SecuringCXFServices-XML-CXFversionspriorto2.7.4">XML - CXF versions
prior to 2.7.4</a></li><li><a shape="rect" href="#SecuringCXFServices-Multiparts">Multiparts</a></li></ul>
 </li><li><a shape="rect" href="#SecuringCXFServices-Largedatastreamcaching">Large
data stream caching</a></li></ul>
-</div><h1 id="SecuringCXFServices-Securetransports">Secure transports</h1><h2
id="SecuringCXFServices-HTTPS">HTTPS</h2><p>Please see the <a shape="rect"
href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html">Configuring
SSL Support</a> page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-WSservices">Securing
JAX-WS services</h1><h2 id="SecuringCXFServices-WS-Security">WS-Security</h2><p>CXF
supports WS-Security via the Apache WSS4J project. WSS4J provides an implementation of the
following WS-Security standards:</p><ul><li><a shape="rect" class="external-link"
href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SOAPMessageSecurity.pdf" rel="nofollow">
SOAP Message Security 1.1</a></li><li><a shape="rect" class="external-link"
href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf" rel="nofollow">Username
Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org
 /wss/v1.1/wss-v1.1-spec-os-x509TokenProfile.pdf" rel="nofollow">X.509 Certificate Token
Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SAMLTokenProfile.pdf"
rel="nofollow">SAML Token Profile 1.1</a></li><li><a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-KerberosTokenProfile.pdf"
rel="nofollow">Kerberos Token Profile 1.1</a></li><li><a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SwAProfile.pdf"
rel="nofollow">SOAP Messages with Attachments Profile 1.1</a></li><li><a
shape="rect" class="external-link" href="http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html"
rel="nofollow">Basic Security Profile 1.1</a></li></ul><p>Please
see the <a shape="rect" href="ws-security.html">WS-Security</a> page for more
information.</p><h2 id="SecuringCXFServices-WS-SecurityPolicy">WS-SecurityPolicy</h2><p>CXF
fully supports WS
 -SecurityPolicy, which allows you to configure WS-Security requirements for an endpoint using
a WS-Policy annotation. This is the recommended way of configuring WS-Security. Policies can
be added in a WSDL or else referenced via an annotation in code.</p><p>The WS-SecurityPolicy
layer and the XML-Security layer in Apache CXF share a common set of security configuration
tags from CXF 3.1.0. The <a shape="rect" href="security-configuration.html">Security
Configuration</a> page details these tags and values. There are also some addition configuration
tags, that are only used for when security is configured via WS-SecurityPolicy, see the following
<a shape="rect" href="ws-securitypolicy.html">page</a> for more information.</p><h2
id="SecuringCXFServices-WS-SecureConversation">WS-SecureConversation</h2><p>CXF
fully supports WS-SecureConveration, see the following <a shape="rect" href="ws-secureconversation.html">page</a>
for more information.</p><h2 id="SecuringCXFServices-WS-Trust,STS">
 WS-Trust, STS</h2><p>CXF ships with a advanced SecurityTokenService (STS) implementation
that can be used to issue (SAML) tokens for authentication. CXF also supports communicating
with the STS using the WS-Trust specification. SSO is supported by caching the tokens on the
client side. Please see the <a shape="rect" class="external-link" href="https://cwiki.apache.org/CXF20DOC/ws-trust.html">WS-Trust</a>
page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-RSservices">Securing
JAX-RS services</h1><h2 id="SecuringCXFServices-JAX-RSXMLSecurity">JAX-RS XML
Security</h2><p>It is possible to secure XML based JAX-RS requests (and responses)
using XML Signature and Encryption. See the <a shape="rect" href="jax-rs-xml-security.html">JAX-RS
XML Security</a> page for more information.</p><h2 id="SecuringCXFServices-JAX-RSSAML">JAX-RS
SAML</h2><p>See the <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a>
page on creating SAML Assertions and adding them to a JAX-RS request
 , as well as how to validate them on the receiving side.</p><h1 id="SecuringCXFServices-SSO">SSO</h1><h2
id="SecuringCXFServices-SAMLWebSSO">SAML Web SSO</h2><p>Please see <a shape="rect"
class="external-link" href="http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html"
rel="nofollow">this blog entry</a> announcing the support for SAML Web SSO profile
and the <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO">SAML
Web SSO</a> page for more information. CXF fully supports the SAML Web SSO profile on
the service provider side. As of yet however, no IdP is available in CXF.</p><h2
id="SecuringCXFServices-WS-Federation">WS-Federation</h2><p>Apache CXF <a
shape="rect" href="../fediz.html">Fediz</a> is a subproject of CXF. Fediz helps you
to secure your web applications and delegates security enforcement to the underlying application
server. With Fediz, authentication is externalized from your web application to an identity
p
 rovider installed as a dedicated server component. The supported standard is <a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002"
rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a
shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Claims-based_identity"
rel="nofollow">Claims Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h1
id="SecuringCXFServices-OAuth">OAuth</h1><p>Please check <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html">OAuth2.0</a> and <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth.html">OAuth1.0</a> pages for the information
about the support for OAuth 2.0 and OAuth 1.0 in CXF.</p><h1 id="SecuringCXFServices-Authentication">Authentication</h1><h2
id="SecuringCXFServices-JAASLoginInterceptor">JAASLoginInterceptor</h2><p>Container
or Spring Security managed authentication as well as t
 he custom authentication are all the viable options used by CXF developers.</p><p>Starting
from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor
in order to authenticate a current user and populate a CXF SecurityContext.</p><p>Example
:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+</div><h1 id="SecuringCXFServices-Securetransports">Secure transports</h1><h2
id="SecuringCXFServices-HTTPS">HTTPS</h2><p>Please see the <a shape="rect"
href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html">Configuring
SSL Support</a> page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-WSservices">Securing
JAX-WS services</h1><h2 id="SecuringCXFServices-WS-Security">WS-Security</h2><p>CXF
supports WS-Security via the Apache WSS4J project. WSS4J provides an implementation of the
following WS-Security standards:</p><ul><li><a shape="rect" class="external-link"
href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SOAPMessageSecurity.pdf" rel="nofollow">
SOAP Message Security 1.1</a></li><li><a shape="rect" class="external-link"
href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf" rel="nofollow">Username
Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org
 /wss/v1.1/wss-v1.1-spec-os-x509TokenProfile.pdf" rel="nofollow">X.509 Certificate Token
Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SAMLTokenProfile.pdf"
rel="nofollow">SAML Token Profile 1.1</a></li><li><a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-KerberosTokenProfile.pdf"
rel="nofollow">Kerberos Token Profile 1.1</a></li><li><a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SwAProfile.pdf"
rel="nofollow">SOAP Messages with Attachments Profile 1.1</a></li><li><a
shape="rect" class="external-link" href="http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html"
rel="nofollow">Basic Security Profile 1.1</a></li></ul><p>Please
see the <a shape="rect" href="ws-security.html">WS-Security</a> page for more
information.</p><h2 id="SecuringCXFServices-WS-SecurityPolicy">WS-SecurityPolicy</h2><p>CXF
fully supports WS
 -SecurityPolicy, which allows you to configure WS-Security requirements for an endpoint using
a WS-Policy annotation. This is the recommended way of configuring WS-Security. Policies can
be added in a WSDL or else referenced via an annotation in code.</p><p>The WS-SecurityPolicy
layer and the XML-Security layer in Apache CXF share a common set of security configuration
tags from CXF 3.1.0. The <a shape="rect" href="security-configuration.html">Security
Configuration</a> page details these tags and values. There are also some addition configuration
tags, that are only used for when security is configured via WS-SecurityPolicy, see the following
<a shape="rect" href="ws-securitypolicy.html">page</a> for more information.</p><h2
id="SecuringCXFServices-WS-SecureConversation">WS-SecureConversation</h2><p>CXF
fully supports WS-SecureConveration, see the following <a shape="rect" href="ws-secureconversation.html">page</a>
for more information.</p><h2 id="SecuringCXFServices-WS-Trust,STS">
 WS-Trust, STS</h2><p>CXF ships with a advanced SecurityTokenService (STS) implementation
that can be used to issue (SAML) tokens for authentication. CXF also supports communicating
with the STS using the WS-Trust specification. SSO is supported by caching the tokens on the
client side. Please see the <a shape="rect" class="external-link" href="https://cwiki.apache.org/CXF20DOC/ws-trust.html">WS-Trust</a>
page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-RSservices">Securing
JAX-RS services</h1><h2 id="SecuringCXFServices-JAX-RSXMLSecurity">JAX-RS XML
Security</h2><p>It is possible to secure XML based JAX-RS requests (and responses)
using XML Signature and Encryption. See the <a shape="rect" href="jax-rs-xml-security.html">JAX-RS
XML Security</a> page for more information.</p><h2 id="SecuringCXFServices-JAX-RSSAML">JAX-RS
SAML</h2><p>See the <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a>
page on creating SAML Assertions and adding them to a JAX-RS request
 , as well as how to validate them on the receiving side.</p><h2 id="SecuringCXFServices-JAX-RSJOSE">JAX-RS
JOSE</h2><p>See the <a shape="rect" href="jax-rs-jose.html">JAX-RS JOSE</a>
page on support for the JWA, JWK, JWS, JWE and JWT specifications.</p><h1 id="SecuringCXFServices-SSO">SSO</h1><h2
id="SecuringCXFServices-SAMLWebSSO">SAML Web SSO</h2><p>Please see <a shape="rect"
class="external-link" href="http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html"
rel="nofollow">this blog entry</a> announcing the support for SAML Web SSO profile
and the <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO">SAML
Web SSO</a> page for more information. CXF fully supports the SAML Web SSO profile on
the service provider side. As of yet however, no IdP is available in CXF.</p><h2
id="SecuringCXFServices-WS-Federation">WS-Federation</h2><p>Apache CXF <a
shape="rect" href="../fediz.html">Fediz</a> is a subproject of CXF. Fediz helps y
 ou to secure your web applications and delegates security enforcement to the underlying application
server. With Fediz, authentication is externalized from your web application to an identity
provider installed as a dedicated server component. The supported standard is <a shape="rect"
class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002"
rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a
shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Claims-based_identity"
rel="nofollow">Claims Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h1
id="SecuringCXFServices-OAuth">OAuth</h1><p>Please check <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html">OAuth2.0</a> and <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth.html">OAuth1.0</a> pages for the information
about the support for OAuth 2.0 and OAuth 1.0 in CXF.</p><h1 id="Secu
 ringCXFServices-Authentication">Authentication</h1><h2 id="SecuringCXFServices-JAASLoginInterceptor">JAASLoginInterceptor</h2><p>Container
or Spring Security managed authentication as well as the custom authentication are all the
viable options used by CXF developers.</p><p>Starting from CXF 2.3.2 and 2.4.0
it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor in order
to authenticate a current user and populate a CXF SecurityContext.</p><p>Example
:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;jaxws:endpoint
address="/soapService"&gt;
  &lt;jaxws:inInterceptors&gt;
    &lt;ref bean="authenticationInterceptor"/&gt;
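Review bot: the re-emitted block still carries "WS-SecureConveration", "a advanced SecurityTokenService" and "some addition configuration tags" in both the removed and the added text, so these typos should be fixed in the wiki source rather than republished. The only substantive addition is the h2 SecuringCXFServices-JAX-RSJOSE section, whose single sentence lists JWA, JWK, JWS, JWE and JWT without saying when JOSE is the right choice over the JAX-RS XML Security and JAX-RS SAML sections beside it; a sentence on that would make the new entry useful. Because the page body is exported as one long run of markup, a one-paragraph change rewrites the whole block, so wrapping the export per element would keep future diffs reviewable.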


