JAX-RS: XML Security |
Introduction
...
<!-- Maven dependency that provides the JAX-RS XML Signature / XML Encryption
     interceptors and handlers (org.apache.cxf.rs.security.xml.*) used in the
     examples on this page. -->
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-security-xml</artifactId>
    <!-- Version used by this page's examples. The "ws-security.*" property keys
         shown below are the pre-3.1.0 spelling; see the compatibility note for
         the "security.*" form used from CXF 3.1.0 onwards. -->
    <version>2.5.2</version>
</dependency>
Backwards compatibility configuration note
From Apache CXF 3.1.0, the WS-Security based configuration tags used to configure XML Signature or Encryption ("ws-security-*") have been changed to just start with "security-". Apart from this they are exactly the same. Older "ws-security-" values continue to be accepted in CXF 3.1.0. To use any of the configuration examples in this page with an older version of CXF, simply add a "ws-" prefix to the configuration tag.
XML Signature
XML Signature defines three types of signatures: enveloped, enveloping and detached. All three types are supported by CXF JAX-RS.
...
<!-- Server-side XML Signature: verify signatures on inbound requests and
     sign outbound responses. -->
<bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
<!-- Inbound: JAX-RS provider that verifies the XML Signature on the request. -->
<bean id="xmlSigHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/>
<!-- Outbound: interceptor that signs the response payload. -->
<bean id="xmlSigOutHandler" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"/>

<jaxrs:server address="/xmlsig">
    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>
    <!-- Required for validating the in signature and removing it from the payload.
         It also persists the signature on the current Message which can be disabled. -->
    <jaxrs:providers>
        <ref bean="xmlSigHandler"/>
    </jaxrs:providers>
    <!-- Required for adding a new signature to the outbound payload -->
    <jaxrs:outInterceptors>
        <ref bean="xmlSigOutHandler"/>
    </jaxrs:outInterceptors>
    <jaxrs:properties>
        <!-- Callback handler that (presumably, from its name) supplies the
             keystore/key passwords, so no password is written into this file. -->
        <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
        <!-- Crypto properties (keystore location, type, aliases) used both to
             verify inbound signatures and to sign outbound responses. -->
        <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
    </jaxrs:properties>
</jaxrs:server>
...
// Client-side XML Signature: sign outbound requests and verify the signature
// on inbound responses, over an HTTPS-configured bus.
String address = "https://localhost:8080/xmlsig/bookstore/books";
JAXRSClientFactoryBean factory = new JAXRSClientFactoryBean();
factory.setAddress(address);

// Signing configuration: the callback handler (presumably, from its name) supplies
// the keystore/key passwords; "alice" is the alias of the signing key described in
// alice.properties.
Map<String, Object> sigProps = new HashMap<String, Object>();
sigProps.put("ws-security.callback-handler", "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
sigProps.put("ws-security.signature.username", "alice");
sigProps.put("ws-security.signature.properties", "org/apache/cxf/systest/jaxrs/security/alice.properties");
factory.setProperties(sigProps);

// Outbound interceptor: attaches an XML Signature to the request payload.
factory.getOutInterceptors().add(new XmlSigOutInterceptor());
// Inbound interceptor: validates the XML Signature on the response payload.
factory.getInInterceptors().add(new XmlSigInInterceptor());

// Bus carrying the HTTPS (TLS) configuration; configLocation is defined outside this snippet.
Bus httpsBus = new SpringBusFactory().createBus(configLocation);
factory.setBus(httpsBus);

// From here on the WebClient (or a proxy) is used as usual.
WebClient wc = factory.createWebClient();
Book book = wc.post(new Book("CXF", 126L), Book.class);
...
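<!-- Server-side XML Encryption combined with XML Signature: decrypt the inbound
     request and verify its signature. -->
<bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
<!-- Inbound: verifies the XML Signature on the request. -->
<bean id="xmlSigInHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/>
<!-- Inbound: decrypts the request payload. -->
<bean id="xmlEncInHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/>

<jaxrs:server address="/xmlsig">
    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>
    <!-- The ref names must match the bean ids declared above (xmlEncInHandler /
         xmlSigInHandler); a mismatched ref fails at Spring context startup.
         The decryption provider is listed before the signature provider; confirm
         the provider ordering semantics for the CXF version in use. -->
    <jaxrs:providers>
        <ref bean="xmlEncInHandler"/>
        <ref bean="xmlSigInHandler"/>
    </jaxrs:providers>
    <jaxrs:properties>
        <!-- Callback handler that (presumably, from its name) supplies the
             keystore/key passwords. -->
        <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
        <!-- Keystore holding the server's own decryption key (bob). -->
        <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
        <!-- Keystore holding the trusted certificate used to verify the client's signature (alice). -->
        <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
    </jaxrs:properties>
</jaxrs:server>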
...
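// Client-side XML Encryption, optionally combined with XML Signature.
String address = "https://localhost:8080/xmlencryption/bookstore/books";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);

// setup properties: keystore locations plus the alias ("bob") of the recipient's
// certificate used to encrypt the payload. The callback handler (presumably, from
// its name) supplies keystore/key passwords so none are written here.
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.callback-handler", "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
properties.put("ws-security.encryption.username", "bob");
properties.put("ws-security.encryption.properties", "org/apache/cxf/systest/jaxrs/security/bob.properties");
// if signature required:
properties.put("ws-security.signature.username", "alice");
properties.put("ws-security.signature.properties", "org/apache/cxf/systest/jaxrs/security/alice.properties");
bean.setProperties(properties);

// if signature required: add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);

// add the interceptor dealing with the encryption
XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor();
// NOTE(review): CBC-mode XML Encryption is known to be weak when the receiver's
// error behaviour reveals padding validity; prefer an AES-GCM algorithm URI
// where the CXF/WSS4J version in use supports it.
encInterceptor.setSymmetricEncAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
bean.getOutInterceptors().add(encInterceptor);

// use WebClient (or proxy) as usual
WebClient wc = bean.createWebClient();
// post(Object) returns the raw Response. The two-argument post(Object, Class<T>)
// form unmarshals the entity and returns a Book, so it cannot be assigned to Response.
Response r = wc.post(new Book("CXF", 126L));
assertEquals(200, r.getStatus());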
...
<!-- Server-side XML Signature and XML Encryption in both directions: decrypt and
     verify inbound requests, then sign and encrypt outbound responses. -->
<bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
<!-- Inbound: verifies the request signature. -->
<bean id="xmlSigInHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/>
<!-- Outbound: signs the response. -->
<bean id="xmlSigOutHandler" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"/>
<!-- Inbound: decrypts the request. -->
<bean id="xmlEncInHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/>
<!-- Outbound: encrypts the response. -->
<bean id="xmlEncOutHandler" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
    <!-- NOTE(review): the Java client example on this page passes the full
         algorithm URI to setSymmetricEncAlgorithm; confirm that this short form
         is accepted by the CXF version in use. CBC-mode XML Encryption is known
         to be weak when error behaviour reveals padding validity; prefer an
         AES-GCM algorithm where supported. -->
    <property name="symmetricEncAlgorithm" value="aes128-cbc"/>
</bean>

<jaxrs:server address="/xmlsec">
    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>
    <!-- Decryption provider listed before signature verification. -->
    <jaxrs:providers>
        <ref bean="xmlEncInHandler"/>
        <ref bean="xmlSigInHandler"/>
    </jaxrs:providers>
    <!-- Signature interceptor listed before encryption for the response. -->
    <jaxrs:outInterceptors>
        <ref bean="xmlSigOutHandler"/>
        <ref bean="xmlEncOutHandler"/>
    </jaxrs:outInterceptors>
    <jaxrs:properties>
        <!-- Callback handler that (presumably, from its name) supplies the
             keystore/key passwords. -->
        <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
        <!-- NOTE(review): these property files are the reverse of the previous
             server example (alice for encryption, bob for signature); verify that
             the encryption properties name the keystore holding this server's own
             decryption key and the signature properties name the store with the
             trusted client certificates. -->
        <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
        <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
    </jaxrs:properties>
</jaxrs:server>
...
<!-- server -->
<!-- Abbreviated server configuration: only the security properties are shown;
     address, service beans, providers and interceptors are as in the earlier
     examples. -->
<jaxrs:server>
    <jaxrs:properties>
        <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
        <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
        <!-- "useReqSigCert": encrypt the response to the certificate that signed the
             request, so the server needs no per-client encryption alias. This only
             works when the request was actually signed. -->
        <entry key="ws-security.encryption.username" value="useReqSigCert"/>
        <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
    </jaxrs:properties>
</jaxrs:server>

<!-- client -->
<!-- The client encrypts to the server's certificate ("bob") and signs with its own
     key ("alice"); the server uses the signing certificate to encrypt its reply. -->
<jaxrs:client>
    <jaxrs:properties>
        <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
        <entry key="ws-security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
        <entry key="ws-security.encryption.username" value="bob"/>
        <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
        <entry key="ws-security.signature.username" value="alice"/>
    </jaxrs:properties>
</jaxrs:client>
The "ws-security.encryption.username" server property is set to "useReqSigCert".
...