cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r988387 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-filters.html docs/secure-jax-rs-services.html
Date Mon, 16 May 2016 16:47:36 GMT
Author: buildbot
Date: Mon May 16 16:47:35 2016
New Revision: 988387

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-filters.html
    websites/production/cxf/content/docs/secure-jax-rs-services.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-filters.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-filters.html (original)
+++ websites/production/cxf/content/docs/jax-rs-filters.html Mon May 16 16:47:35 2016
@@ -117,115 +117,19 @@ Apache CXF -- JAX-RS Filters
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p></p><p></p><p></p><p></p><p><span
class="inline-first-p" style="font-size:2em;font-weight:bold"> JAX-RS Filters </span></p><p></p><p></p><p></p><p></p><p></p>
+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;<span
class="inline-first-p" style="font-size:2em;font-weight:bold">JAX-RS Filters</span>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
+div.rbtoc1463417215860 {padding: 0px;}
+div.rbtoc1463417215860 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463417215860 li {margin-left: 0px;padding-left: 0px;}
 
-<style type="text/css">/*<![CDATA[*/
-div.rbtoc1435780167249 {padding: 0px;}
-div.rbtoc1435780167249 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1435780167249 li {margin-left: 0px;padding-left: 0px;}
-
-/*]]>*/</style><div class="toc-macro rbtoc1435780167249">
+/*]]>*/</style></p><div class="toc-macro rbtoc1463417215860">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSFilters-Filters">Filters</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSFilters-DifferencebetweenJAXRSfiltersandCXFinterceptors">Difference
between JAXRS filters and CXF interceptors</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSFilters-Overridingrequestandresponseproperties">Overriding
request and response properties</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSFilters-OverridingHTTPmethod">Overriding
HTTP method</a></li><li><a shape="rect" href="#JAX-RSFilters-OverridingrequestURI,queryandheaders">Overriding
request URI, query and headers</a></li><li><a shape="rect" href="#JAX-RSFilters-Overridingresponsestatuscodeandheaders">Overriding
response status code and headers</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSFilters-IgnoringJAXRSMessageBodyWriters">Ignoring
JAXRS MessageBodyWriters</a></li><li><a shape="rect" href="#JAX-RSFilters-Custominvokers">Custom
invokers</a></li></ul>
-</div>
-
-<h1 id="JAX-RSFilters-Filters">Filters</h1>
-
-<p>Often it's necessary to pre- or post-process some requests according to a number
of requirements.<br clear="none">
-For example, a request like </p>
-
-<p>GET /resource?_type=xml is supported by a CXF specific RequestHandler filter which
modifies the CXF input Message <br clear="none">
-by updating one of its headers.</p>
-
-<p>In some cases users can use the existing filter technologies such as Servler filters
or Spring AOP proxies. In other cases, it can be handy<br clear="none">
-to write a CXF filter which will introspect the resource class, input or output message,
the operation which was invoked and modify the request or response accordingly. </p>
-
-<p>Here are the interface definitions : </p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
-import org.apache.cxf.jaxrs.ext.RequestHandler;
-import org.apache.cxf.jaxrs.model.ClassResourceInfo;
-import org.apache.cxf.message.Message;
-
-public interface RequestHandler {
-    
-    Response handleRequest(Message inputMessage, 
-                           ClassResourceInfo resourceClass);
-
-}
-</pre>
-</div></div>
-
-<p>The request handler implementation can either modify the input Message and let the
request to proceed or block the request by returning a non-null Response. </p>
-
-<p>A response filter implementation can get an access to OperationResourceInfo object
representing a method to be invoked on a resource class :</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
-OperationResourceInfo ori = exchange.get(OperationResourceInfo.class);
-</pre>
-</div></div>  
-
-<p>Use OperationResourceInfo in your filter with care. In principle a given request
chain may have filters which may want to  overwrite Accept or ContentType message headers
which might lead to another method be selected. However if you know no such filters (will)
exist in your application then you might want to check an OperationResourceInfo instance as
part of your filter logic. </p>
-
-<p>When modifying an input message, one would typically want to replace a message input
stream or one of its headers, such as ContentType :</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
-InputStream is = message.getContent(InputStream.class);
-message.setContent(new MyFilterInputStream(is));
-message.put(Message.ACCEPT_CONTENT_TYPE, "custom/media"); 
-</pre>
-</div></div>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
-import javax.ws.rs.core.Response;
-import org.apache.cxf.jaxrs.ext.ResponseHandler;
-import org.apache.cxf.jaxrs.model.OperationResourceInfo
-import org.apache.cxf.message.Message;
-
-public interface ResponseHandler {
-    
-    Response handleResponse(Message outputMessage,
-                           OperationResourceInfo invokedOperation, 
-                           Response response);
-
-}
-</pre>
-</div></div>
-
-<p>The response handler implementation can optionally overwrite or modify the application
Response or modify the output message. When modifying an output message, one may want to either
replace an output stream before message body providers attempt to write to it or replace the
actual response object :</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
-// replace an output stream
-OutputStream os = message.getContent(OutputStream.class);
-message.setContent(new MyFilterOutputStream(os));
-
-// replace an actual object
-response.setEntity(new MyWrapper(response.getEntity()))
-// or using a low-level Message api if needed
-MessageContentsList objs = MessageContentsList.getContentsList(message);
-if (objs !== null &amp;&amp; objs.size() == 1) {
-    Object responseObj = objs.remove(0);
-    obj.add(new MyWrapper(responseObj));
-}
-</pre>
-</div></div>
-
-<p>Please see <a shape="rect" class="external-link" href="http://sberyozkin.blogspot.com/2008/07/rest-and-soap-united-in-cxf.html"
rel="nofollow">this blog entry</a> for another example of when response filters can
be useful.</p>
-
-<p>Multiple request and response handlers are supported.</p>
-
-<p>The implementations can be registered like any other types of providers :</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
-
-&lt;beans&gt;
+</div><h1 id="JAX-RSFilters-Filters">Filters</h1><p>Often it's necessary
to pre- or post-process some requests according to a number of requirements.<br clear="none">
For example, a request like</p><p>GET /resource?_type=xml is supported by a CXF
specific RequestPreprocessor code which modifies an input message <br clear="none">
by updating one of its headers.</p><p>A standard mechanism for updating the request
or response properties is to use JAX-RS 2.0 ContainerRequestFilter or ContainerResponseFilter.</p><p>ContainerRequestFilters
with a @PreMatching annotation are run before the JAX-RS resource selection process starts.
PreMatching filters should be used to modify request URI or headers or input stream. Post-matching
filters are run just before a selected resource method is executed.</p><p>Multiple
ContainerRequestFilter and ContainerResponseFilter filters can be ordered using a @Priority
annotation.</p><p>&#160;</p><p>The implementations can be registered
like any other type of
  providers :</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;beans&gt;
 &lt;jaxrs:server id="customerService" address="/"&gt;
     &lt;jaxrs:serviceBeans&gt;
       &lt;bean class="org.CustomerService" /&gt;
@@ -234,25 +138,14 @@ if (objs !== null &amp;&amp; objs.size()
     &lt;jaxrs:providers&gt;
       &lt;ref bean="authorizationFilter" /&gt;
     &lt;/jaxrs:providers&gt;
-    &lt;bean id="authorizationFilter" class="com.bar.providers.AuthorizationRequestHandler"&gt;
+    &lt;bean id="authorizationFilter" class="com.bar.providers.AuthorizationContainerRequestFilter"&gt;
         &lt;!-- authorization bean properties --&gt;
     &lt;/bean&gt;
 &lt;/jaxrs:server&gt;
 &lt;/beans&gt;
 </pre>
-</div></div>
-
-<h2 id="JAX-RSFilters-DifferencebetweenJAXRSfiltersandCXFinterceptors">Difference between
JAXRS filters and CXF interceptors</h2>
-
-<p>JAXRS runtime flow is mainly implemented by a pair of 'classical' CXF interceptors.
JAXRSInInterceptor is currently at Phase.UNMARSHAL (was at Phase.PRE_STREAM before CXF 2.2.2)
phase while JAXRSOutInterceptor is currently at Phase.MARSHAL phase. </p>
-
-<p>JAXRS filters can be thought of as additional handlers. JAXRSInInterceptor deals
with a chain of RequestHandlers, just before the invocation. JAXRSOutInterceptor deals with
a chain of ResponseHandlers, just after the invocation but before message body writers get
their chance.</p>
-
-<p>Sometimes you may want to use CXF interceptors rather than writing JAXRS filters.
For example, suppose you combine JAXWS and JAXRS and you need to log only inbound or outbound
messages. You can reuse the existing CXF interceptors :</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
-&lt;beans&gt;
+</div></div><h2 id="JAX-RSFilters-DifferencebetweenJAXRSfiltersandCXFinterceptors">Difference
between JAXRS filters and CXF interceptors</h2><p>JAXRS runtime flow is mainly
implemented by a pair of 'classical' CXF interceptors. JAXRSInInterceptor is currently at
Phase.UNMARSHAL (was at Phase.PRE_STREAM before CXF 2.2.2) phase while JAXRSOutInterceptor
is currently at Phase.MARSHAL phase.</p><p>JAXRS filters can be thought of as
additional handlers. JAXRSInInterceptor deals with a chain of Pre and Post Match ContainerRequestFilters,
just before the invocation. JAXRSOutInterceptor deals with a chain of ContainerResponseFilters,
just after the invocation but before message body writers get their chance.</p><p>Sometimes
you may want to use CXF interceptors rather than writing JAXRS filters. For example, suppose
you combine JAXWS and JAXRS and you need to log only inbound or outbound messages. You can
reuse the existing CXF interceptors :</p><div class="code panel pdl" style="border-widt
 h: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;beans&gt;
 &lt;bean id="logInbound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/&gt;
 &lt;bean id="logOutbound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/&gt;
 
@@ -276,46 +169,13 @@ if (objs !== null &amp;&amp; objs.size()
 
 &lt;/beans&gt;
 </pre>
-</div></div> 
-
-<p>Reusing other CXF interceptors/features such as GZIP handlers can be useful too.</p>
-
-<h1 id="JAX-RSFilters-Overridingrequestandresponseproperties">Overriding request and
response properties</h1>
-
-<p>Now and then one needs to overwrite various request and response properties like
HTTP method or request URI, <br clear="none">
-response headers or status codes and even the request or response body. JAX-RS Response may
be used to specify custom status and response headers but it might be intrusive to add it
to method signatures.</p>
-
-<p>Using filters and interceptors makes it possible to override all the needed request/response
properties. </p>
-
-<h2 id="JAX-RSFilters-OverridingHTTPmethod">Overriding HTTP method</h2>
-
-<p>Register a custom RequestHandler filter which will replace the current method value
keyed by <br clear="none">
-Message.HTTP_REQUEST_METHOD in a given Message.   </p>
-
-<h2 id="JAX-RSFilters-OverridingrequestURI,queryandheaders">Overriding request URI,
query and headers</h2>
-
-<p>One can do it either from a CXF input interceptor (registered at the early phase
like USER_STREAM) or from a RequestHandler filter, for example :</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
-String s = m.get(Message.REQUEST_URI);
+</div></div><p>Reusing other CXF interceptors/features such as GZIP handlers
can be useful too.</p><h1 id="JAX-RSFilters-Overridingrequestandresponseproperties">Overriding
request and response properties</h1><p>Now and then one needs to overwrite various
request and response properties like HTTP method or request URI, <br clear="none"> response
headers or status codes and even the request or response body. JAX-RS Response may be used
to specify custom status and response headers but it might be intrusive to add it to method
signatures.</p><p>Using filters and interceptors makes it possible to override
all the needed request/response properties.</p><h2 id="JAX-RSFilters-OverridingHTTPmethod">Overriding
HTTP method</h2><p>Use @PreMatching ContainerRequestFilter or register a custom
CXF in intrerceptor filter which will replace the current method value keyed by <br clear="none">
Message.HTTP_REQUEST_METHOD in a given Message.</p><h2 id="JAX-RSFilters-OverridingrequestURI,queryandheader
 s">Overriding request URI, query and headers</h2><p>One can do it either from
@PreMatching ContainerRequestFilter or CXF input interceptor (registered at the early phase
like USER_STREAM), for example :</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">String
s = m.get(Message.REQUEST_URI);
 s += "/data/";
 m.put(Message.REQUEST_URI, s);
 </pre>
-</div></div> 
-
-<p>If the updated Request URI has a new query string, then you also need to update
a Message.QUERY_STRING property.</p>
-
-<p>Similarly, one can update request HTTP headers, by modifying a Message.REQUEST_HEADERS
Message object which is a Map containing String and List of Strings entries.</p>
-
-<h2 id="JAX-RSFilters-Overridingresponsestatuscodeandheaders">Overriding response status
code and headers</h2>
-
-<p>It is assumed here a user prefers not to use explicit Response objects in the application
code.<br clear="none">
-This can be done either from a CXF output interceptor (phase like MARSHALL will do) or from
a ResponseHandler filter, for example this code will work for both JAXRS and JAXWS :</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
-import java.util.Map;
+</div></div><p>If the updated Request URI has a new query string, then
you also need to update a Message.QUERY_STRING property.</p><p>Similarly, one
can update request HTTP headers, by modifying a Message.REQUEST_HEADERS Message object which
is a Map containing String and List of Strings entries.</p><h2 id="JAX-RSFilters-Overridingresponsestatuscodeandheaders">Overriding
response status code and headers</h2><p>It is assumed here a user prefers not
to use explicit Response objects in the application code.<br clear="none"> This can
be done either from ContainerResponseFilter or CXF output interceptor (phase like MARSHALL
will do), for example this code will work for both JAXRS and JAXWS :</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">import
java.util.Map;
 import java.util.TreeMap;
 
 import org.apache.cxf.message.Message;
@@ -338,32 +198,11 @@ public class CustomOutInterceptor extend
         // modify headers  
     }    
 </pre>
-</div></div>  
-
-<p>At the moment it is not possible to override a response status code from a CXF interceptor
running before JAXRSOutInterceptor, like CustomOutInterceptor above, which will be fixed.<br
clear="none">
-The only option at the moment is to use a custom ResponseHandler which will replace the current
Response object with another one containing the required status. </p>
-
-<h1 id="JAX-RSFilters-IgnoringJAXRSMessageBodyWriters">Ignoring JAXRS MessageBodyWriters</h1>
-
-<p>In some cases you may want to have a JAXRS Response entity which a given RequestHandler
or ResponseHandler has produced to be directly written to the output stream. For example,
a CXF JAXRS WADLGenerator RequestHandler produces an XML content which does not have to be
serialized by JAXRS MessageBodyWriters. If you do need to have the writers ignored then set
the following property on the current exchange in the custom handler :</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
-message.getExchange().put("ignore.message.writers", true);
+</div></div><p>At the moment it is not possible to override a response
status code from a CXF interceptor running before JAXRSOutInterceptor, like CustomOutInterceptor
above, which will be fixed.<br clear="none"> The only option at the moment is to use
a custom ResponseHandler which will replace the current Response object with another one containing
the required status.</p><h1 id="JAX-RSFilters-IgnoringJAXRSMessageBodyWriters">Ignoring
JAXRS MessageBodyWriters</h1><p>In some cases you may want to have a JAXRS Response
entity which a given filter has produced to be directly written to the output stream. For
example, a CXF JAXRS WADLGenerator filter produces an XML content which does not have to be
serialized by JAXRS MessageBodyWriters. If you do need to have the writers ignored then set
the following property on the current exchange in the custom handler :</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">message.getExchange().put("ignore.message.writers",
true);
 </pre>
-</div></div>
-
-<h1 id="JAX-RSFilters-Custominvokers">Custom invokers</h1>
-
-<p><strong>Note</strong> This feature is available starting from CXF 2.2.2
</p>
-
-<p>Using custom JAXR-RS invokers is yet another way to pre or post process a given
invocation. For example, this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java">invoker</a>
does a security check before delegating to the default JAXRS invoker. A custom invoker, like
a request filter, has the access to all the information accumulated during the processing
of a given call, but additionally, it can also check the actual method parameter values.</p>
-
-<p>Custom invokers can be registered like this :</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
-<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">
-&lt;beans&gt;
+</div></div><h1 id="JAX-RSFilters-Custominvokers">Custom invokers</h1><p><strong>Note</strong>
This feature is available starting from CXF 2.2.2</p><p>Using custom JAXR-RS invokers
is yet another way to pre or post process a given invocation. For example, this <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java">invoker</a>
does a security check before delegating to the default JAXRS invoker. A custom invoker, like
a request filter, has the access to all the information accumulated during the processing
of a given call, but additionally, it can also check the actual method parameter values.</p><p>Custom
invokers can be registered like this :</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;beans&gt;
 
 &lt;jaxrs:server address="/"&gt; 
  &lt;jaxrs:invoker&gt;
@@ -373,7 +212,7 @@ message.getExchange().put("ignore.messag
 
 &lt;/beans&gt;
 </pre>
-</div></div> </div>
+</div></div></div>
            </div>
            <!-- Content -->
          </td>

Modified: websites/production/cxf/content/docs/secure-jax-rs-services.html
==============================================================================
--- websites/production/cxf/content/docs/secure-jax-rs-services.html (original)
+++ websites/production/cxf/content/docs/secure-jax-rs-services.html Mon May 16 16:47:35 2016
@@ -117,12 +117,12 @@ Apache CXF -- Secure JAX-RS Services
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><span
class="inline-first-p" style="font-size:2em;font-weight:bold"> JAX-RS: Security </span></p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1435780201098 {padding: 0px;}
-div.rbtoc1435780201098 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1435780201098 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;<span
class="inline-first-p" style="font-size:2em;font-weight:bold">JAX-RS: Security</span>&#160;</p><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
+div.rbtoc1463417217036 {padding: 0px;}
+div.rbtoc1463417217036 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463417217036 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1435780201098">
+/*]]>*/</style></p><div class="toc-macro rbtoc1463417217036">
 <ul class="toc-indentation"><li><a shape="rect" href="#SecureJAX-RSServices-HTTPS">HTTPS</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SecureJAX-RSServices-Configuringendpoints">Configuring
endpoints</a></li><li><a shape="rect" href="#SecureJAX-RSServices-Configuringclients">Configuring
clients</a></li></ul>
 </li><li><a shape="rect" href="#SecureJAX-RSServices-Authentication">Authentication</a></li><li><a
shape="rect" href="#SecureJAX-RSServices-Authorization">Authorization</a></li><li><a
shape="rect" href="#SecureJAX-RSServices-WS-Trustintegration">WS-Trust integration</a>
@@ -188,23 +188,37 @@ WebClient client = WebClient.create(addr
 // or
 BookStore proxy = JAXRSClientFactory.create(address, configLocation, BookStore.class);
 </pre>
-</div></div><p>HTTPConduits can also be 'bound' to proxies or WebClients
using expanded QNames. Please see this <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring">section</a>
for more information.</p><p>Please see <a shape="rect" class="external-link"
href="http://aruld.info/programming-ssl-for-jetty-based-cxf-services/" rel="nofollow">this
blog entry</a> on how the HTTPConduit TLS properties can be set up from the code. In
the code, do WebClient.getConfig(myClient).getHTTPConduit() and proceed from there.</p><h1
id="SecureJAX-RSServices-Authentication">Authentication</h1><p>It is often
containers like Tomcat or frameworks like Spring Security which handle the user authentication.
Sometimes you might want to do the custom authentication instead. CXF HTTP Transport adds
decoded Basic Authentication credentials into an instance of AuthorizationPolicy extension
and sets it on the current message. Thus the easiest 
 way is to register a custom invoker or <code>RequestHandler</code> filter which
will extract a user name and password like this:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public
class AuthenticationHandler implements RequestHandler {
+</div></div><p>HTTPConduits can also be 'bound' to proxies or WebClients
using expanded QNames. Please see this <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-client-api.html#JAX-RSClientAPI-ConfiguringanHTTPConduitfromSpring">section</a>
for more information.</p><p>Please see <a shape="rect" class="external-link"
href="http://aruld.info/programming-ssl-for-jetty-based-cxf-services/" rel="nofollow">this
blog entry</a> on how the HTTPConduit TLS properties can be set up from the code. In
the code, do WebClient.getConfig(myClient).getHTTPConduit() and proceed from there.</p><h1
id="SecureJAX-RSServices-Authentication">Authentication</h1><p>It is often
containers like Tomcat or frameworks like Spring Security which handle the user authentication.
Sometimes you might want to do the custom authentication instead. CXF HTTP Transport adds
decoded Basic Authentication credentials into an instance of AuthorizationPolicy extension
and sets it on the current message. Thus the easiest 
 way is to register a custom invoker or&#160;<code>@PreMatching ContainerRequestFilter</code>
filter which will extract a user name and password like this:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public
class AuthenticationHandler implements ContainerRequestFilter {
 
-    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
-        AuthorizationPolicy policy = (AuthorizationPolicy)m.get(AuthorizationPolicy.class);
-        String username = policy.getUserName();
-        String password = policy.getPassword(); 
-        if (isAuthenticated(username, password)) {
+    @Override
+    public void filter(ContainerRequestContext requestContext) throws IOException {
+        String authorization = requestContext.getHeaderString("Authorization");
+        String[] parts = authValues.authorization(" ");
+        if (parts.length != 2 || !"Basic".equals(parts[0])) {
+            requestContext.abortWith(createFaultResponse());
+            return;
+        }
+        
+        String decodedValue = null;
+        try {
+            decodedValue = new String(Base64Utility.decode(parts[1]));
+        } catch (Base64Exception ex) {
+            requestContext.abortWith(createFaultResponse());
+            return;
+        }
+        String[] namePassword = decodedValue.split(":"); 
+        if (isAuthenticated(namePassword[0], namePassword[1])) {
             // let request to continue
-            return null;
         } else {
             // authentication failed, request the authetication, add the realm name if needed
to the value of WWW-Authenticate 
-            return Response.status(401).header("WWW-Authenticate", "Basic").build();
+            requestContext.abortWith(Response.status(401).header("WWW-Authenticate", "Basic").build());
         }
     }
-
-}
+    private Response createFaultResponse() {
+        return Response.status(401).header("WWW-Authenticate", "Basic realm=\"service.com\"").build();
+    }
+&#160;}
 </pre>
 </div></div><p>One other thing you may want to do, after authenticating
a user, is to initialize org.apache.cxf.security.SecurityContext with Principals representing
the user and its roles (if available).</p><p>If you prefer using Spring Security
then see how the authentication is handled in a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security">spring-security</a>
demo.</p><p>Next, please see the <a shape="rect" href="securing-cxf-services.html">Securing
CXF Services</a> section on how CXF Security interceptors can help.</p><p>Additionally
check this <a shape="rect" class="external-link" href="http://sberyozkin.blogspot.com/2010/12/authentication-and-authorization-cxf.html"
rel="nofollow">blog entry</a> for more information on how CXF JAX-RS wraps the CXF
security interceptors with helper filters.</p><p>For example, see how a JAX-RS
filter can be used to wrap CXF JAASLoginInterceptor:</p>
 <div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;jaxrs:server
address="/jaas"&gt;



Mime
View raw message