Securing CXF Services
Secure transports
HTTPS
Please see the Configuring SSL Support page for more information.
WS-* Security
Please see the WS-* Support page for more information.
Authentication
Container or Spring Security managed authentication as well as the custom authentication are all the viable options used by CXF developers.
Starting from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor in order to authenticate a current user and populate a CXF SecurityContext.
Authorization
Container or Spring Security managed authorization as well as the custom authorization are all the viable options used by CXF developers.
CXF 2.3.2 and 2.4.0 introduce org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor and org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor interceptors which can help with enforcing the authorization rules.