JAX-RS: Security
HTTPS
Transport-level protection of JAX-RS endpoints can be managed by underlying Servlet containers, for example, see this Tomcat SSL Configuration section.
Configuring endpoints
JAX-RS endpoints using embedded Jetty can rely on a configuration like this one, which registers a TLS-enabled Jetty engine for port 9095:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <httpj:engine-factory id="port-9095-tls-config">
    <httpj:engine port="9095">
      <httpj:tlsServerParameters>
        <sec:keyManagers keyPassword="password">
          <sec:keyStore type="JKS" password="password"
                        file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
        </sec:keyManagers>
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="password"
                        file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
        </sec:trustManagers>
      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>
</beans>
If you use JAXRSServerFactoryBean to create and start JAX-RS endpoints from the code then the above configuration can be utilized like this:
import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;

JAXRSServerFactoryBean bean = new JAXRSServerFactoryBean();
SpringBusFactory bf = new SpringBusFactory();
// Loading beans.xml registers the port-9095 TLS engine on this bus
Bus bus = bf.createBus("configuration/beans.xml");
bean.setBus(bus);
// The address scheme has to be https to match the TLS-enabled engine on port 9095
bean.setAddress("https://localhost:9095/rest");
bean.setServiceClass(CustomerService.class);
bean.create();
If you also have a jaxrs:server endpoint declared in the above beans.xml, then make sure you have a 'depends-on' attribute set:
<!-- serviceClass takes the fully qualified class name; the address scheme must be https -->
<jaxrs:server serviceClass="CustomerService" address="https://localhost:9095/rest" depends-on="port-9095-tls-config"/>
Once you have JAX-RS and Jetty HTTPS combined then you can get the application context initiated like this:
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.bus.spring.SpringBusFactory;

public class Server {
    public static void main(String[] args) throws Exception {
        // Loading beans.xml starts the Jetty HTTPS engine and the jaxrs:server endpoint declared in it
        Bus busLocal = new SpringBusFactory().createBus("configuration/beans.xml");
        BusFactory.setDefaultBus(busLocal);
        // Keep the JVM alive long enough to serve requests
        Thread.sleep(60000);
    }
}
Having JAX-RS endpoints declared alongside CXF Jetty HTTPS configuration is only needed when an embedded Jetty container is used. If you have application WARs deployed into Tomcat or Jetty then please follow container-specific guides on how to set up SSL.
Please also see this HTTPS-based demo in the CXF distribution.
Additionally check the CXF Jetty Configuration section.
Configuring clients
Secure HTTPConduits for CXF JAX-RS proxies and WebClients can be configured as described in this section.
For example, check this configuration file. Endpoint addresses used by proxies or clients have to match the pattern used in the HTTPConduit configuration.
The configuration file can be referenced during the proxy or WebClient creation:
import org.apache.cxf.jaxrs.client.JAXRSClientFactory;
import org.apache.cxf.jaxrs.client.WebClient;

// The scheme must be https for the conduit's TLS settings to apply, and the address
// must match the name pattern of the configured HTTPConduit
final String address = "https://localhost:9095/rest";
// Location of the Spring configuration holding the HTTPConduit (placeholder path)
final String configLocation = "org/yourcompany/client/https-conduit.xml";
WebClient client = WebClient.create(address, configLocation);
// or
BookStore proxy = JAXRSClientFactory.create(address, BookStore.class, configLocation);
HTTPConduits can also be 'bound' to proxies or WebClients using expanded QNames. Please see this section for more information.
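As an added example (not code from the CXF documentation or code base), the same client-side trust configuration expressed in code instead of a configuration file: the HTTPConduit of a WebClient is given TLSClientParameters built from a caller-supplied JKS trust store and, optionally, a key store for the client certificate that the server-side trustManagers block above asks for. Class and method names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.transport.http.HTTPConduit;

public class SecureClientFactory {

    /**
     * Creates a WebClient whose HTTPConduit trusts only the certificates in trustStorePath.
     * keyStorePath may be null; when given, the client presents that key for mutual TLS.
     */
    public static WebClient create(String address, String trustStorePath, char[] trustStorePassword,
                                   String keyStorePath, char[] keyStorePassword) throws Exception {
        if (!address.startsWith("https://")) {
            throw new IllegalArgumentException("TLS settings only apply to https addresses: " + address);
        }
        TLSClientParameters tls = new TLSClientParameters();

        // Trust only our own CA(s), not the JVM-wide cacerts
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustStorePassword));
        tls.setTrustManagers(tmf.getTrustManagers());

        if (keyStorePath != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(keyStorePath, keyStorePassword), keyStorePassword);
            tls.setKeyManagers(kmf.getKeyManagers());
        }
        // Keep host-name verification on: disabling the CN check would accept any certificate
        // signed by a trusted CA, whichever host presented it
        tls.setDisableCNCheck(false);

        WebClient client = WebClient.create(address);
        HTTPConduit conduit = WebClient.getConfig(client).getHttpConduit();
        conduit.setTlsClientParameters(tls);
        return client;
    }

    private static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
}
```

Because the conduit is configured directly on the client, no address pattern matching against a conduit name is involved.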
Authentication
User authentication is often handled by containers such as Tomcat or by frameworks such as Spring Security. Sometimes you might want to do custom authentication instead. The easiest way to do this is to register a custom invoker or a RequestHandler filter which extracts the user name and password like this:
import javax.ws.rs.core.Response;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;

public class AuthenticationHandler implements RequestHandler {
    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        // CXF fills AuthorizationPolicy from the Basic Authorization header; it is null when no credentials were sent
        AuthorizationPolicy policy = m.get(AuthorizationPolicy.class);
        if (policy == null) {
            return Response.status(401).header("WWW-Authenticate", "Basic realm=\"rest\"").build();
        }
        String userName = policy.getUserName();
        String password = policy.getPassword();
        // Verify userName and password against your user store here and return a 401 Response on failure.
        // Returning null lets the request proceed to the resource method.
        return null;
    }
}
A demo called samples\jax_rs\spring_security shows how to provide authentication and authorization with the help of Spring Security.
Please see the [Security] section on how CXF Security interceptors can help. Check this blog entry for more information on how CXF JAX-RS wraps the CXF security interceptors with helper filters.
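As an added example (not from the CXF documentation), the same check written as a standard JAX-RS 2.0 ContainerRequestFilter, which CXF 3.x supports alongside the older RequestHandler: missing or malformed credentials are rejected with 401, the comparison is constant-time, and the authenticated principal is published through the SecurityContext so that authorization further down the chain can rely on it. The credential store and the role mapping are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

@Provider
@PreMatching
public class BasicAuthFilter implements ContainerRequestFilter {
    // Constructed credential store (user name -> password bytes); a real deployment checks a salted hash in a user store
    private static final Map<String, byte[]> USERS = Map.of("alice", "correct horse battery staple".getBytes(StandardCharsets.UTF_8));

    @Override
    public void filter(ContainerRequestContext ctx) {
        String[] creds = decodeBasic(ctx.getHeaderString("Authorization"));
        if (creds == null || !verify(creds[0], creds[1])) {
            // Abort the chain: no resource method runs and the client is told which scheme to use
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic realm=\"rest\"").build());
            return;
        }
        final String user = creds[0];
        final boolean secure = ctx.getSecurityContext() != null && ctx.getSecurityContext().isSecure();
        // Publish the principal so authorization further down the chain can rely on it
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }
            public boolean isUserInRole(String role) { return "user".equals(role); } // role mapping is a placeholder
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }
    // Returns {user, password}, or null when the header is absent or malformed
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { return null; } // not valid base64
        int colon = decoded.indexOf(':');
        return colon < 1 ? null : new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
    }
    static boolean verify(String user, String password) {
        // Constant-time comparison so a mismatch does not leak how many leading bytes matched
        return USERS.containsKey(user)
            && MessageDigest.isEqual(USERS.get(user), password.getBytes(StandardCharsets.UTF_8));
    }
}
```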
Authorization
WS-Trust integration
Validating BasicAuth credentials with STS
Note about SecurityManager
If a java.lang.SecurityManager is installed then you'll likely need to grant the trusted JAX-RS codebase the 'suppressAccessChecks' permission, so that the injection of JAX-RS context or parameter fields can succeed. For example, you may want to update a Tomcat catalina.policy with the following permission:
grant codeBase "file:${catalina.home}/webapps/yourwebapp/lib/cxf.jar" {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};