...
CXF ships with an advanced SecurityTokenService (STS) implementation that can be used to issue (SAML) tokens for authentication. CXF also supports communicating with the STS using the WS-Trust specification. SSO is supported by caching the tokens on the client side. Please see the WS-Trust page for more information.
...
Starting from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor in order to authenticate the current user and populate a CXF SecurityContext.
Example:
```xml
<jaxws:endpoint address="/soapService">
    <jaxws:inInterceptors>
        <ref bean="authenticationInterceptor"/>
    </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
    <property name="contextName" value="jaasContext"/>
    <property name="roleClassifier" value="ROLE_"/>
</bean>

<!-- Similarly for JAX-RS endpoints. Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter
     can be registered as a jaxrs:provider instead -->
```
...
In some cases the objects representing the user principal and the roles implement the same marker interface, such as Principal, so a name prefix cannot tell them apart. That case can be handled by classifying roles by class name instead:
```xml
<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
    <property name="contextName" value="jaasContext"/>
    <property name="roleClassifier" value="RolePrincipal"/>
    <property name="roleClassifierType" value="classname"/>
</bean>

<!-- Similarly for JAX-RS endpoints -->
```
...
CXF 2.3.2 and 2.4.0 introduce the org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor and org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor interceptors, which can help enforce authorization rules.
Example:
```xml
<jaxws:endpoint id="endpoint1" address="/soapService1">
    <jaxws:inInterceptors>
        <ref bean="authorizationInterceptor"/>
    </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
    <property name="methodRolesMap">
        <map>
            <!-- no wildcard support, names need to match exactly -->
            <entry key="addNumbers" value="ROLE_USER ROLE_ADMIN"/>
            <entry key="divideNumbers" value="ROLE_ADMIN"/>
        </map>
    </property>
    <!-- it's possible to define global roles that apply to all WSDL operations not listed above -->
    <property name="globalRoles" value="ROLE_ADMIN"/>
</bean>

<jaxws:endpoint id="endpoint2" address="/soapService2" implementor="#secureBean">
    <jaxws:inInterceptors>
        <ref bean="authorizationInterceptor2"/>
    </jaxws:inInterceptors>
</jaxws:endpoint>

<!-- This bean is annotated with security annotations such as RolesAllowed -->
<bean id="secureBean" class="org.apache.cxf.tests.security.SecureService"/>

<bean id="authorizationInterceptor2" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
    <property name="securedObject" ref="secureBean"/>
</bean>
```
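A programmatic equivalent of the authentication and authorization configuration above, as an added example that is not part of the CXF documentation: a JaxWsServerFactoryBean wires a JAASLoginInterceptor (login against the JAAS context jaasContext, principals prefixed ROLE_ classified as roles) and a SimpleAuthorizingInterceptor (the same method-to-roles map and global roles) in front of a hypothetical CalculatorService. The service class, the endpoint address and the JAAS login configuration the JVM is started with are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.jws.WebService;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;

public class SecuredEndpoint {

    // Hypothetical service implementation standing in for the page's SecureService
    @WebService
    public static class CalculatorService {
        public int addNumbers(int a, int b) { return a + b; }
        public int divideNumbers(int a, int b) { return a / b; }
    }

    public static void main(String[] args) {
        // Authentication: JAASLoginInterceptor logs the caller in against the JAAS
        // context "jaasContext". The JVM must be started with a login configuration
        // that defines it (assumed here: -Djava.security.auth.login.config=jaas.conf).
        // Principals whose name starts with "ROLE_" are classified as roles.
        JAASLoginInterceptor authn = new JAASLoginInterceptor();
        authn.setContextName("jaasContext");
        authn.setRoleClassifier("ROLE_");

        // Authorization: SimpleAuthorizingInterceptor maps WSDL operation names
        // (exact match, no wildcards) to the roles allowed to invoke them;
        // globalRoles applies to every operation not listed in the map.
        SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
        Map<String, String> methodRoles = new HashMap<String, String>();
        methodRoles.put("addNumbers", "ROLE_USER ROLE_ADMIN");
        methodRoles.put("divideNumbers", "ROLE_ADMIN");
        authz.setMethodRolesMap(methodRoles);
        authz.setGlobalRoles("ROLE_ADMIN");

        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceBean(new CalculatorService());
        factory.setAddress("http://localhost:9000/soapService1"); // assumed address
        // CXF runs the login interceptor (UNMARSHAL phase) before the authorizing
        // interceptor (PRE_INVOKE phase) regardless of the order they are added in.
        factory.getInInterceptors().add(authn);
        factory.getInInterceptors().add(authz);
        factory.create();
    }
}
```

An unauthenticated or unauthorized call is rejected by the interceptor chain before the service method runs, so the service itself needs no security code.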
...
The total number of XML elements in a payload, the number of immediate children a given XML element may contain, and the nesting depth of the payload can be restricted, for example:
```xml
<bean id="depthInterceptor" class="org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor">
    <!-- Total number of elements in the XML payload -->
    <property name="elementCountThreshold" value="5000"/>
    <!-- Maximum number of child elements of any single XML element -->
    <property name="innerElementCountThreshold" value="3000"/>
    <!-- Maximum nesting depth of the XML payload -->
    <property name="innerElementLevelThreshold" value="20"/>
</bean>

<jaxws:endpoint>
    <jaxws:inInterceptors>
        <ref bean="depthInterceptor"/>
    </jaxws:inInterceptors>
</jaxws:endpoint>

<jaxrs:server>
    <jaxrs:inInterceptors>
        <ref bean="depthInterceptor"/>
    </jaxrs:inInterceptors>
</jaxrs:server>
```
...