Securing CXF Services
Secure transports
...
Example:

```xml
<jaxws:endpoint address="/soapService">
  <jaxws:inInterceptors>
    <ref bean="authenticationInterceptor"/>
  </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
  <property name="contextName" value="jaasContext"/>
  <property name="roleClassifier" value="ROLE_"/>
</bean>
<!--
  Similarly for JAX-RS endpoints.
  Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter
  can be registered as jaxrs:provider instead
-->
```
...
In some cases the objects representing the user principal and the roles implement the same marker interface, such as Principal. That can be handled like this:

```xml
<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
  <property name="contextName" value="jaasContext"/>
  <property name="roleClassifier" value="RolePrincipal"/>
  <property name="roleClassifierType" value="classname"/>
</bean>
<!-- Similarly for JAX-RS endpoints -->
```
...
Example:

```xml
<jaxws:endpoint id="endpoint1" address="/soapService1">
  <jaxws:inInterceptors>
    <ref bean="authorizationInterceptor"/>
  </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
  <property name="methodRolesMap">
    <map>
      <!-- no wildcard support, names need to match exactly -->
      <entry key="addNumbers" value="ROLE_USER ROLE_ADMIN"/>
      <entry key="divideNumbers" value="ROLE_ADMIN"/>
    </map>
  </property>
  <!-- it's possible to define global roles that apply to all WSDL operations not listed above -->
  <property name="globalRoles" value="ROLE_ADMIN"/>
</bean>

<jaxws:endpoint id="endpoint2" address="/soapService2" implementor="#secureBean">
  <jaxws:inInterceptors>
    <ref bean="authorizationInterceptor2"/>
  </jaxws:inInterceptors>
</jaxws:endpoint>

<!-- This bean is annotated with secure annotations such as RolesAllowed -->
<bean id="secureBean" class="org.apache.cxf.tests.security.SecureService"/>

<bean id="authorizationInterceptor2" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
  <property name="securedObject" ref="secureBean"/>
</bean>
```
...
The total number of XML elements, the number of immediate children a given XML element may contain, and the stack depth of the payload can be restricted, for example:

```xml
<bean id="depthInterceptor" class="org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor">
  <!-- Total number of elements in the XML payload -->
  <property name="elementCountThreshold" value="5000"/>
  <!-- Maximum number of immediate child elements per XML element -->
  <property name="innerElementCountThreshold" value="3000"/>
  <!-- Maximum stack depth of the XML payload -->
  <property name="innerElementLevelThreshold" value="20"/>
</bean>

<jaxws:endpoint>
  <jaxws:inInterceptors>
    <ref bean="depthInterceptor"/>
  </jaxws:inInterceptors>
</jaxws:endpoint>

<jaxrs:server>
  <jaxrs:inInterceptors>
    <ref bean="depthInterceptor"/>
  </jaxrs:inInterceptors>
</jaxrs:server>
```
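What the three limits above measure, shown as a stand-alone StAX check. This is an added example, not CXF's interceptor code: `PayloadLimitCheck` and `check` are hypothetical names, the returned strings reuse the configuration's property names only as labels, and the exact boundary comparison CXF applies is an assumption.

```java
import java.io.StringReader;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical illustration, not a CXF class.
public class PayloadLimitCheck {
    // Returns null when within all limits, else a label for the first limit exceeded.
    static String check(String xml, int maxElements, int maxChildren, int maxDepth)
            throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Harden the parser itself: no DTD processing, no external entities.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        Deque<int[]> open = new ArrayDeque<>(); // one child counter per open element
        int total = 0;
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.START_ELEMENT) {
                    if (++total > maxElements) return "elementCountThreshold";
                    int[] parent = open.peek();
                    if (parent != null && ++parent[0] > maxChildren) return "innerElementCountThreshold";
                    open.push(new int[1]);
                    if (open.size() > maxDepth) return "innerElementLevelThreshold";
                } else if (ev == XMLStreamConstants.END_ELEMENT) {
                    open.pop();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample payloads: one wide, one deep.
        String wide = "<a><b/><b/><b/><b/></a>";
        String deep = "<a><b><c><d/></c></b></a>";
        System.out.println(check(wide, 5000, 3, 20));    // 4 children, limit 3
        System.out.println(check(deep, 5000, 3000, 3));  // 4 levels, limit 3
        System.out.println(check(deep, 3, 3000, 20));    // 4 elements, limit 3
        System.out.println(check(wide, 5000, 3000, 20)); // page's values, all pass
    }
}
```

Because the check runs on the event stream, an oversized payload is rejected at the first element that crosses a limit rather than after the whole document has been read.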
...