Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Wiki Markup
{span:style=font-size:2em;font-weight:bold} JAX-RS: XML Security {span}


h1. Introduction

CXF 2.5.0 introduces an initial support for securing JAX-RS clients and endpoints with [XML Signature|] and [XML Encryption|]. 
This is a work in progress and the enhancements will be applied regularly. Support for the alternative signature and encryption technologies will also be provided in due time.

h1. Maven dependencies


h1. XML Signature

[XML Signature|] defines 3 types of signatures: enveloped, enveloping and detached. All the three types are supported by CXF JAX-RS.

*New* Starting from CXF 2.5.2 it is also possible to add XML Signatures on the server side and get them validated on the client side.

h2. Enveloped signatures


<Book ID="4bd59819-7b78-47a5-bb61-cc08348e9d48">

   <ds:Signature xmlns:ds="">
         <ds:CanonicalizationMethod Algorithm=""/>
         <ds:SignatureMethod Algorithm=""/>
         <ds:Reference URI="#4bd59819-7b78-47a5-bb61-cc08348e9d48">
             <ds:Transform Algorithm=""/>
             <ds:Transform Algorithm=""/>
           <ds:DigestMethod Algorithm=""/>




Note that the Book root element is signed including its name and id children, and a signature ds:Reference links to Book. 

Server Configuration fragment:


<bean id="serviceBean" class=""/>
<bean id="xmlSigHandler" class=""/>

<jaxrs:server address<bean id="/xmlsigxmlSigOutHandler"> 

<jaxrs:server address="/xmlsig"> 
      <ref bean="serviceBean"/>
       Required for validating the in signature and removing it from the payload.
       It also persists the signature on the current Message which can be disabled.
      <ref bean="xmlSigHandler"/>
       Required for adding a new signature to the outbound payload
          <ref bean="serviceBeanxmlSigOutHandler"/>

      <ref bean="xmlSigHandler"/>
    </jaxrs:providers>     <entry key="ws-security.callback-handler" 
        <entry key="" 


Note that is responsible for validating the signature attached to the inbound payload and is capable of processing all 3 types of XML Signature 3 types of XML Signature. is responsible for adding a new signature to the outbound payload. 

Client code:

String address = "https://localhost:8080/xmlsig/bookstore/books";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();

// setup properties
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.signature.username", "alice");

// add the interceptor dealingwhich withwill addingadd a signature to the outbound payload
XmlSigOutInterceptor sigInterceptorsigOutInterceptor = new XmlSigOutInterceptor();

// add the interceptor which will validate a signature in the inbound payload
XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor();

// load a bus with HTTPS configuration:
SpringBusFactory bf = new SpringBusFactory();
Bus bus = bf.createBus(configLocation);
// use WebClient (or proxy) as usual
WebClient wc = bean.createWebClient();
Book book = Book("CXF", 126L), Book.class);

Spring configuration can also be used.
Please also check [Secure JAX-RS Services] on how HTTPS can be configured from Spring.

h2. Enveloping signatures


<ds:Signature xmlns:ds="">
      <ds:CanonicalizationMethod Algorithm=""/>
      <ds:SignatureMethod Algorithm=""/>
      <ds:Reference URI="#88e688e6-6512-406f-9e88-a58e5d781ff0">
           <ds:Transform Algorithm=""/>
        <ds:DigestMethod Algorithm=""/>
       <ds:X509Certificate><!-- Omitted for brewity--></ds:X509Certificate>
   <ds:Object ID="88e688e6-6512-406f-9e88-a58e5d781ff0">


This time the signature is enveloping the Book element using a ds:Object wrapper which ds:Reference links to.

Server Configuration fragment is identical to the one shown in the Enveloped signatures section.

Client code is nearly identical to the one shown in the Enveloped signatures section except that XmlSigOutInterceptor need to have an additional property set:

// add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();


h2. Detached signatures


<env:Envelope xmlns:env="http://org.apache.cxf/rs/env">

  <Book ID="e9836bc2-cb5a-453f-b967-a9ddbaf9a6de">
   <ds:Signature xmlns:ds="">
       <ds:CanonicalizationMethod Algorithm=""/>
       <ds:SignatureMethod Algorithm=""/>
       <ds:Reference URI="#e9836bc2-cb5a-453f-b967-a9ddbaf9a6de">
           <ds:Transform Algorithm=""/>
         <ds:DigestMethod Algorithm=""/>
         <ds:X509Certificate><!--Omitted for Brewity--></ds:X509Certificate>

    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="" xmlns:xsi="" ID="_E462768C678896CE9913202742137181" IssueInstant="2011-11-02T22:50:13.718Z" Version="2.0" xsi:type="saml2:AssertionType">


<ds:Signature xmlns:ds="">
    Enveloped/embedded SAML Assertion XML Signature is omitted for brewity
    See the JAX-RS SAML section for more info
<!-- the rest of SAML assertion -->

Note that the whole payload is enveloped by a configurable element wrapper. The Book instance is one part of the envelope and it's signed by a detached signature (see the first ds:Signature, with its ds:Reference linking to Book). The envelope also has an embedded SAML assertion which has its own enveloped signature.

The instance of will handle a detached XML signature of the Book XML fragment on the server side. See the [JAX-RS SAML] for more info on how to deal with SAML assertions.

Client code is nearly identical to the one shown in the Enveloped signatures section except that XmlSigOutInterceptor need to have an additional property set:


// add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();


h2. Customizing the signature manages the creation of the signature on the client side.
The following properties can be set on it at the moment:

"style": possible values are "enveloped" (default), "enveloping" and "detached"
"envelopedName": only used with the "detached" style, default is "\{http://org.apache.cxf/rs/env}Envelope"
"signatureAlgorithm": default is ""
"digestAlgorithm": default is ""

h1. XML Encryption

Encrypting XML payloads makes it possible to drop a requirement for HTTPS.

Here is a payload example:

<xenc:EncryptedData xmlns:xenc="">
  <xenc:EncryptionMethod Algorithm=""/>
  <ds:KeyInfo xmlns:ds="">
    <ds:RetrievalMethod Type=""/>
    <xenc:EncryptedKey Id="EK-B353DDCEE7C575B6A213203188664772">
      <xenc:EncryptionMethod Algorithm=""/>
               <ds:X509Certificate><!-- Omitted for brewity --></ds:X509Certificate>

Here is a server configuration fragment:

<bean id="serviceBean" class=""/>
<bean id="xmlSigHandler" class=""/>

<bean id="xmlEncHandler" class=""/>
<jaxrs:server address="/xmlsig"> 
      <ref bean="serviceBean"/>
       <ref bean="xmlEncHandler"/>
       <ref bean="xmlSigHandler"/>
           <entry key="ws-security.callback-handler" 
           <entry key="" 
           <entry key="" 


This configuration supports receiving signed and then encrypted XML payloads.

The code:

String address = "https://localhost:8080/xmlencryption/bookstore/books";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();

// setup properties
Map<String, Object> properties = new HashMap<String, Object>();

properties.put("ws-security.encryption.username", "bob");

// if signature required: 
properties.put("ws-security.signature.username", "alice");


// if signature required: add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();

// add the interceptor dealing with the encryption

XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor();

// use WebClient (or proxy) as usual
WebClient wc = bean.createWebClient();
Response r = Book("CXF", 126L), Book.class);
assertEquals(200, r.getStatus());

Note that XmlEncOutInterceptor interceptor has a "symmetricEncAlgorithm" property set to a weaker type just to get CXF tests passing.

The actual application client code does not expect a payload such as Book back but if it did then configuring the server to encrypt the response would be straightforward:

<bean id="serviceBean" class=""/>
<bean id="xmlSigHandler" class=""/>

<bean id="xmlEncHandler" class=""/>
<bean id="xmlEncOutHandler" class="">
        <property name="symmetricEncAlgorithm" value="aes128-cbc"/>

<jaxrs:server address="/xmlsig"> 
      <ref bean="serviceBean"/>
       <ref bean="xmlEncHandler"/>
       <ref bean="xmlSigHandler"/>
        <ref bean="xmlEncOutHandler"/>
         <entry key="ws-security.callback-handler" 
         <entry key="" 

Note the addition of a bean with id "xmlEncOutHandler", this example also shows that the encryption properties can be used to validate the incoming signature as well which just simplifies the configuration a bit. Now the client code can be updated to expect an ecryped Book back:

String address = "https://localhost:8080/xmlencryption/bookstore/books";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();

// setup properties
Map<String, Object> properties = new HashMap<String, Object>();

properties.put("ws-security.encryption.username", "bob");


// if signature required: add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();

// add the interceptor dealing with the encryption

XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor();

// use WebClient (or proxy) as usual
WebClient wc = bean.createWebClient();
Book book = Book("CXF", 126L), Book.class);
assertEquals("CXF", book.getName());
h2. Customizing the encryption manages the encryption process.
The following properties can be set on it at the moment:
"symmetricEncAlgorithm": default is "", complete URIs or short identifiers are supported, for example,
                         "aes128-cbc" or "". 
"keyEncAlgorithm": default is ""
"keyIdentifierType": default is "X509_KEY", "X509_ISSUER_SERIAL" is also supported - useful when the whole x509Certificate should not be embedded 

h1. Interoperability

The payloads containing the enveloping XML Signatures are structured according to the XML Signature specification and as such can be consumed by any XML Signature aware consumers capable of handling the enveloping signatures and extracting the signed payload. 

Same applies to enveloped signatures, for example, a signed SAML assertion always contains an enveloped signature.

The way CXF creates detached XML Signatures is experimental, so at the moment CXF will be required on both ends for the detached signatures be created and validated.

The current XML Encryption support is in line with the specification and thus the capable non-CXF consumers will be able to decrypt the payloads.