{span:style=font-size:2em;font-weight:bold} Securing CXF Services {span}

{toc}

h1. Secure transports

h2. HTTPS

Please see the [Configuring SSL Support|http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html] page for more information.

h1. WS-* Security

Please see the [WS-* Support|http://cxf.apache.org/docs/ws-support.html] page for more information.

h1. Authentication
 
Container-managed authentication, Spring Security managed authentication and custom authentication are all viable options used by CXF developers.

Starting from CXF 2.3.2 and 2.4.0, org.apache.cxf.interceptor.security.JAASLoginInterceptor can be used to authenticate the current user and populate a CXF SecurityContext.

Example:

{code:xml}
<jaxws:endpoint address="/soapService">
 <jaxws:inInterceptors>
   <ref bean="authenticationInterceptor"/>
 </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
   <!-- name of the login context entry in the JAAS configuration resource -->
   <property name="contextName" value="jaasContext"/>
   <!-- Principals whose name starts with this prefix are treated as roles -->
   <property name="rolePrefix" value="ROLE_"/>
</bean>
<!-- Similarly for JAX-RS endpoints -->
{code}

The JAAS authenticator is configured with the name of the JAAS login context (the one usually specified in the JAAS configuration resource the server is aware of). It is also configured with an optional "rolePrefix" property, which the CXF SecurityContext needs in order to differentiate between user and role Principals. By default CXF assumes that role Principals are represented by javax.security.acl.Group instances.
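As an added example (not code from this page or from the CXF project), here is a minimal JAAS LoginModule of the kind the "jaasContext" entry could point to. The package name, class name, sample users and passwords are all constructed. It shows the two halves the paragraph above describes: login() verifies the credentials, and commit() adds a user Principal and one Principal per role to the Subject, naming roles with the same "ROLE_" prefix the interceptor's rolePrefix property declares, so the CXF SecurityContext can tell them apart. The matching entry in the JAAS configuration resource (the file the JVM is pointed at with the java.security.auth.login.config system property) would read {{jaasContext { example.security.InMemoryLoginModule required; };}}.

```java
package example.security; // hypothetical package; not part of CXF

import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example (not CXF code): a JAAS LoginModule backed by a constructed in-memory user table.
public class InMemoryLoginModule implements LoginModule {

    public static final String ROLE_PREFIX = "ROLE_"; // must equal the interceptor's rolePrefix

    /** Plain named Principal; the same type is used for the user and for roles. */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Constructed sample users: SHA-256 hex of the password and the granted roles.
    // A production module would use a salted, slow password hash and an external store.
    private static final Map<String, String> PASSWORD_HASHES = new HashMap<>();
    private static final Map<String, List<String>> ROLES = new HashMap<>();
    static {
        PASSWORD_HASHES.put("alice", sha256Hex("alice-secret"));
        ROLES.put("alice", Arrays.asList("USER", "ADMIN"));
        PASSWORD_HASHES.put("bob", sha256Hex("bob-secret"));
        ROLES.put("bob", Arrays.asList("USER"));
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean authenticated;
    private final List<Principal> added = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: collect the credentials through the callbacks and verify them. */
    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        String name = nc.getName();
        char[] password = pc.getPassword();
        pc.clearPassword();
        if (password == null) { password = new char[0]; }
        String expected = name == null ? null : PASSWORD_HASHES.get(name);
        // Constant-time digest comparison and one generic failure message, so a caller
        // cannot distinguish an unknown user from a wrong password.
        boolean ok = expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                sha256Hex(new String(password)).getBytes(StandardCharsets.US_ASCII));
        Arrays.fill(password, '\0');
        if (!ok) { throw new FailedLoginException("authentication failed"); }
        user = name;
        authenticated = true;
        return true;
    }

    /** Phase 2: populate the Subject that CXF turns into its SecurityContext. */
    @Override
    public boolean commit() {
        if (!authenticated) { return false; }
        added.add(new NamedPrincipal(user));                   // the user Principal
        for (String role : ROLES.get(user)) {
            added.add(new NamedPrincipal(ROLE_PREFIX + role)); // e.g. ROLE_ADMIN
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { cleanup(); return true; }
    @Override public boolean logout() { cleanup(); return true; }

    private void cleanup() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        user = null;
        authenticated = false;
    }

    private static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return String.format("%064x", new BigInteger(1, d));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because the role Principals are plain named Principals rather than javax.security.acl.Group instances, this module only works together with the rolePrefix setting shown above; without it CXF would treat every Principal as a user Principal and no role check would succeed.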

h1. WS-Security UsernameToken and Custom Authentication

If needed, one may configure a jaxws:endpoint with the "ws-security.ut.no-callbacks" property set to true and register a custom org.apache.cxf.interceptor.security.AbstractUsernameTokenInterceptor implementation. The WSS4J UsernameToken is then wrapped in a CXF-specific UsernameToken and handed to that implementation for custom authentication and Subject creation.

h1. Authorization

Container-managed authorization, Spring Security managed authorization and custom authorization are all viable options used by CXF developers.

CXF 2.3.2 and 2.4.0 introduce the org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor and org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor interceptors, which help enforce authorization rules.

Example:

{code:xml}
<!-- Endpoint 1: the roles are declared per method in the interceptor configuration -->
<jaxws:endpoint id="endpoint1" address="/soapService1">
 <jaxws:inInterceptors>
   <ref bean="authorizationInterceptor"/>
 </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
   <property name="methodRolesMap">
      <map>
        <!-- role names must match those the authentication step put into the SecurityContext -->
        <entry key="addNumbers" value="ROLE_USER ROLE_ADMIN"/>
        <entry key="divideNumbers" value="ROLE_ADMIN"/>
      </map>
   </property>
</bean>

<!-- Endpoint 2: the roles are read from annotations on the service bean itself -->
<jaxws:endpoint id="endpoint2" address="/soapService2" implementor="#secureBean">
 <jaxws:inInterceptors>
   <ref bean="annotationsAuthorizationInterceptor"/>
 </jaxws:inInterceptors>
</jaxws:endpoint>

<!-- This bean is annotated with secure annotations such as RolesAllowed -->
<bean id="secureBean" class="org.apache.cxf.tests.security.SecureService"/>

<!-- The second interceptor needs its own bean id; two beans with the same id would collide -->
<bean id="annotationsAuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
   <property name="secureObject" ref="secureBean"/>
</bean>
{code}
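The endpoint2 configuration references an annotated service bean but does not show it. The following added example (not code from this page or from the CXF project) is a hypothetical implementation of the org.apache.cxf.tests.security.SecureService class that configuration names, using the standard JSR-250 javax.annotation.security.RolesAllowed annotation to express the same rules the methodRolesMap gives endpoint1. The method bodies are constructed; the role names carry the same ROLE_ prefix the authentication step uses, because the two sides must agree on the names.

```java
package org.apache.cxf.tests.security; // class name taken from the configuration above

import javax.annotation.security.RolesAllowed;
import javax.jws.WebService;

// Added example (hypothetical implementation, not CXF's own class): the roles allowed
// per operation mirror the methodRolesMap configured for endpoint1.
@WebService
public class SecureService {

    // Either role may call this, exactly like the "ROLE_USER ROLE_ADMIN" map entry.
    @RolesAllowed({"ROLE_USER", "ROLE_ADMIN"})
    public int addNumbers(int a, int b) {
        return a + b;
    }

    // Only ROLE_ADMIN may call this; ROLE_USER callers are rejected by the interceptor.
    @RolesAllowed("ROLE_ADMIN")
    public int divideNumbers(int a, int b) {
        if (b == 0) {
            throw new IllegalArgumentException("divisor must not be zero"); // constructed behaviour
        }
        return a / b;
    }
}
```

With this in place, a caller whose SecurityContext carries only ROLE_USER can invoke addNumbers but is rejected on divideNumbers by the in-interceptor, before the method body runs.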