THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
CXF ships with a advanced SecurityTokenService (STS) implementation that can be used to issue (SAML) tokens for authentication. CXF also supports communicating with the STS using the WS-Trust specification. SSO is supported by caching the tokens on the client side. Please see the WS-Trust page for more information.
...
Starting from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor in order to authenticate a current user and populate a CXF SecurityContext.
Example :
| Code Block | ||
|---|---|---|
| ||
<jaxws:endpoint address="/soapService"> <jaxws:inInterceptors> <ref bean="authenticationInterceptor"/> </jaxws:inInterceptors> </jaxws:endpoint> <bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor"> <property name="contextName" value="jaasContext"/> <property name="roleClassifier" value="ROLE_"/> </bean> <!-- Similarly for JAX-RS endpoints. Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter can be registered as jaxrs:provider instead --> |
...
In some cases objects representing a user principal and roles are implementing the same marker interface such as Principal. That can be handled like this:
| Code Block | ||
|---|---|---|
| ||
<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor"> <property name="contextName" value="jaasContext"/> <property name="roleClassifier" value="RolePrincipal"/> <property name="roleClassifierType" value="classname"/> </bean> <!-- Similarly for JAX-RS endpoints --> |
...
CXF 2.3.2 and 2.4.0 introduce org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor and org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor interceptors which can help with enforcing the authorization rules.
Example :
| Code Block | ||
|---|---|---|
| ||
<jaxws:endpoint id="endpoint1" address="/soapService1">
<jaxws:inInterceptors>
<ref bean="authorizationInterceptor"/>
</jaxws:inInterceptors>
</jaxws:endpoint>
<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
<property name="methodRolesMap">
<map>
<!-- no wildcard support, names need to match exactly -->
<entry key="addNumbers" value="ROLE_USER ROLE_ADMIN"/>
<entry key="divideNumbers" value="ROLE_ADMIN"/>
</map>
</property>
<!-- its possible to define global roles that apply to all WSDL operations not listed above -->
<property name="globalRoles" value="ROLE_ADMIN"/>
</bean>
<jaxws:endpoint id="endpoint2" address="/soapService2" implementor="#secureBean">
<jaxws:inInterceptors>
<ref bean="authorizationInterceptor2"/>
</jaxws:inInterceptors>
</jaxws:endpoint>
<!-- This bean is annotated with secure annotations such as RolesAllowed -->
<bean id="secureBean" class="org.apache.cxf.tests.security.SecureService"/>
<bean id="authorizationInterceptor2" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
<property name="securedObject" ref="secureBean"/>
</bean>
|
...
The complete number of XML elements, the number of immediate children of a given XML element may contain and the stack depth of the payload can be restricted, for example:
| Code Block | ||
|---|---|---|
| ||
<bean id="depthInterceptor" class="org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"> <!-- Total number of elements in the XML payload --> <property name="elementCountThreshold" value="5000"/> <!-- Total number of child elements for XML elements --> <property name="innerElementCountThreshold" value="3000"/> <!-- Maximum stack depth of the XML payload --> <property name="innerElementLevelThreshold" value="20"/> </bean> <jaxws:endpoint> <jaxws:inInterceptors> <ref bean="depthInterceptor"/> </jaxws:inInterceptors> <jaxws:endpoint> <jaxrs:server> <jaxrs:inInterceptors> <ref bean="depthInterceptor"/> </jaxrs:inInterceptors> <jaxrs:server> |
...