Posted to commits@cxf.apache.org by bu...@apache.org on 2015/04/24 16:46:56 UTC

svn commit: r949042 [1/2] - in /websites/production/cxf/content: cache/ docs/

Author: buildbot
Date: Fri Apr 24 14:46:55 2015
New Revision: 949042

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/docs/security-configuration.html
Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/31-migration-guide.html
    websites/production/cxf/content/docs/index.html
    websites/production/cxf/content/docs/jax-rs-saml.html
    websites/production/cxf/content/docs/jax-rs-xml-security.html
    websites/production/cxf/content/docs/security.html
    websites/production/cxf/content/docs/ws-securitypolicy.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/31-migration-guide.html
==============================================================================
--- websites/production/cxf/content/docs/31-migration-guide.html (original)
+++ websites/production/cxf/content/docs/31-migration-guide.html Fri Apr 24 14:46:55 2015
@@ -116,7 +116,7 @@ Apache CXF -- 3.1 Migration Guide
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h3 id="id-3.1MigrationGuide-MajorNotes">Major Notes</h3><ul><li>CXF 3.1 no longer supports Java 6. &#160; You must use Java 7 or Java 8.</li><li>The JAX-WS/Simple frontend ServerFactoryBean will automatically call reset at the end of the create() call. &#160; This allows resources to be cleaned up and garbage collected sooner. &#160;However, it also prevents multiple calls to create() from sharing the same ServerInfo/EndpointInfo/etc... objects like they would we 3.0.x. &#160; That sharing has caused many problems in the past due to sharing of properties (like token caches) that are stored on those objects so the new behavior is more "correct", but it is different than previous versions so care must be taken while upgrading.</li><li>The Karaf features.xml file for CXF 3.1 no longer will install spring or spring-dm when installing the "cxf" feature. &#160;If you require spring/spring-dm, you will need to install those features prior to installing the CXF 
 feature.</li></ul><h3 id="id-3.1MigrationGuide-Securitychanges">Security changes</h3><ul><li>The STS (Security Token Service) now issues tokens using the RSA-SHA256 signature algorithm by default (previously RSA-SHA1), and the SHA-256 digest algorithm (previously SHA-1).</li><li>Some security configuration tags have been renamed from "ws-security.*" to "security.*", as they are now shared with (some of) the JAX-RS stack. The old tags will continue to work as before however without any change.</li><li>The SAML/XACML functionality previously available in the cxf-rt-security module is now in the cxf-rt-security-saml module.</li><li>If you are explicitly specifying the SAML version in a SAML CallbackHandler, then this is changed in CXF 3.1 due to the migration to use OpenSAML 3.1. The version is now set on the SAMLCallback using a org.apache.wss4j.common.saml.bean.Version class. Previously there was a dependency on OpenSAML's SAMLVersion class.</li></ul><h3 id="id-3.1MigrationGuide-NewF
 eatures">New Features</h3><ul><li>The CXF JAX-WS code generator has a new option "seiSuper" that can be used to specify additional super interfaces for the SEI. &#160;This makes the code nonportable to other JAX-WS containers. &#160; The primary use would be to add AutoCloseable to the interface to allow use of the clients in Java7 try with resource blocks.</li><li>New Metrics feature for collecting metrics about a CXF services. &#160; Codahale/DropWizard based collector included.</li><li>New Throttling feature for easily throttling CXF services. &#160;Sample included that uses the Metrics component to help make the throttling decisions.</li><li>New Logging feature for more advanced logging than the logging available in cxf-core</li><li>New Metadata service for SAML SSO to allow you to publish SAML SSO metadata for your service provider.</li><li><p>The "cxf" frontend to the JAX-WS code generator (-fe cxf) now generates code that is a bit more "Java7" friendly as the return type of t
 he getPort(...) calls is a sub-interface of the SEI that also implements AutoCloseable, BindingProvider, and Client. &#160; Code that used to look like:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<div id="ConfluenceContent"><h3 id="id-3.1MigrationGuide-MajorNotes">Major Notes</h3><ul><li>CXF 3.1 no longer supports Java 6. &#160; You must use Java 7 or Java 8.</li><li>The JAX-WS/Simple frontend ServerFactoryBean will automatically call reset at the end of the create() call. &#160; This allows resources to be cleaned up and garbage collected sooner. &#160;However, it also prevents multiple calls to create() from sharing the same ServerInfo/EndpointInfo/etc... objects like they would we 3.0.x. &#160; That sharing has caused many problems in the past due to sharing of properties (like token caches) that are stored on those objects so the new behavior is more "correct", but it is different than previous versions so care must be taken while upgrading.</li><li>The Karaf features.xml file for CXF 3.1 no longer will install spring or spring-dm when installing the "cxf" feature. &#160;If you require spring/spring-dm, you will need to install those features prior to installing the CXF 
 feature.</li></ul><h3 id="id-3.1MigrationGuide-Securitychanges">Security changes</h3><ul><li>The STS (Security Token Service) now issues tokens using the RSA-SHA256 signature algorithm by default (previously RSA-SHA1), and the SHA-256 digest algorithm (previously SHA-1).</li><li>Some security configuration tags have been renamed from "ws-security.*" to "security.*", as they are now shared with (some of) the JAX-RS stack. The old tags will continue to work as before however without any change. See the <a shape="rect" href="security-configuration.html">Security Configuration </a>page for more information.</li><li>The SAML/XACML functionality previously available in the cxf-rt-security module is now in the cxf-rt-security-saml module.</li><li>If you are explicitly specifying the SAML version in a SAML CallbackHandler, then this is changed in CXF 3.1 due to the migration to use OpenSAML 3.1. The version is now set on the SAMLCallback using a org.apache.wss4j.common.saml.bean.Version cla
 ss. Previously there was a dependency on OpenSAML's SAMLVersion class.</li></ul><h3 id="id-3.1MigrationGuide-NewFeatures">New Features</h3><ul><li>The CXF JAX-WS code generator has a new option "seiSuper" that can be used to specify additional super interfaces for the SEI. &#160;This makes the code nonportable to other JAX-WS containers. &#160; The primary use would be to add AutoCloseable to the interface to allow use of the clients in Java7 try with resource blocks.</li><li>New Metrics feature for collecting metrics about a CXF services. &#160; Codahale/DropWizard based collector included.</li><li>New Throttling feature for easily throttling CXF services. &#160;Sample included that uses the Metrics component to help make the throttling decisions.</li><li>New Logging feature for more advanced logging than the logging available in cxf-core</li><li>New Metadata service for SAML SSO to allow you to publish SAML SSO metadata for your service provider.</li><li><p>The "cxf" frontend to t
 he JAX-WS code generator (-fe cxf) now generates code that is a bit more "Java7" friendly as the return type of the getPort(...) calls is a sub-interface of the SEI that also implements AutoCloseable, BindingProvider, and Client. &#160; Code that used to look like:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[(AddNumbersPortType port = service.getAddNumbersPort();
 ((BindingProvider)port).getRequestContext()
         .put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, address);
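
Review bot: the added sentence in the "Security changes" list links to security-configuration.html, but the bullet still does not say which value takes effect when both an old "ws-security.*" tag and its renamed "security.*" counterpart are set on the same endpoint. State the precedence here, or confirm the linked page covers it, since the old tags keep working and mixed configurations are likely during an upgrade. Two smaller points: the link text has a trailing space inside the anchor ("Security Configuration </a>page"), which should move outside it ("Security Configuration</a> page"), and the first list item still reads "like they would we 3.0.x", where "we" looks like a typo. As this file is generated output, both fixes belong in the source page.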

Modified: websites/production/cxf/content/docs/index.html
==============================================================================
--- websites/production/cxf/content/docs/index.html (original)
+++ websites/production/cxf/content/docs/index.html Fri Apr 24 14:46:55 2015
@@ -113,7 +113,7 @@ Apache CXF -- Index
   <input maxlength="255" type="text" name="queryString" size="15" value="value">
   <input type="submit" name="btnG" value="Search">
 </form>
-</div><ul><li><a shape="rect" href="overview.html">Overview</a><ul class="childpages-macro"><li><a shape="rect" href="why-cxf.html">Why CXF?</a></li><li><a shape="rect" href="how-do-i-integrate-my-application-with-cxf.html">How do I integrate my application with CXF</a> &#8212; <span class="smalltext">A meta guide to integrating your application with CXF - including Bindings, Transports, Interceptors, etc</span></li><li><a shape="rect" href="how-do-i-develop-a-service.html">How do I develop a service?</a> &#8212; <span class="smalltext">A meta guide to your options with CXF</span></li><li><a shape="rect" href="how-do-i-develop-a-client.html">How do I develop a client?</a> &#8212; <span class="smalltext">A meta guide to your options with CXF</span></li></ul></li><li><a shape="rect" href="how-tos.html">How-Tos</a><ul class="childpages-macro"><li><a shape="rect" href="writing-a-service-with-spring.html">Writing a service with Spring</a></li><li><a shape="rect" href="a-simple-jax-ws-ser
 vice.html">A simple JAX-WS service</a></li><li><a shape="rect" href="running-a-service-in-tomcat-on-zos.html">Running a service in Tomcat on zOS</a></li><li><a shape="rect" href="defining-contract-first-webservices-with-wsdl-generation-from-java.html">Defining Contract first webservices with wsdl generation from java</a></li><li><a shape="rect" href="migration-guides.html">Migration Guides</a></li><li><a shape="rect" href="sample-projects.html">Sample Projects</a></li></ul></li><li><a shape="rect" href="frontends.html">Frontends</a><ul class="childpages-macro"><li><a shape="rect" href="annotations.html">Annotations</a></li><li><a shape="rect" href="dynamic-clients.html">Dynamic Clients</a></li><li><a shape="rect" href="jax-ws.html">JAX-WS</a><ul class="childpages-macro"><li><a shape="rect" href="developing-a-consumer.html">Developing a Consumer</a></li><li><a shape="rect" href="developing-a-service.html">Developing a Service</a></li><li><a shape="rect" href="jax-ws-configuration.htm
 l">JAX-WS Configuration</a></li><li><a shape="rect" href="jax-ws-dispatch-api.html">JAX-WS Dispatch API</a></li><li><a shape="rect" href="provider-services.html">Provider Services</a></li><li><a shape="rect" href="webservicecontext.html">WebserviceContext</a></li></ul></li><li><a shape="rect" href="simple.html">Simple</a><ul class="childpages-macro"><li><a shape="rect" href="simple-frontend.html">Simple Frontend</a></li><li><a shape="rect" href="simple-frontend-configuration.html">Simple Frontend Configuration</a></li></ul></li></ul></li><li><a shape="rect" href="databindings.html">DataBindings</a><ul class="childpages-macro"><li><a shape="rect" href="aegis-21.html">Aegis (2.1)</a> &#8212; <span class="smalltext">For CXF 2.1 or newer</span></li><li><a shape="rect" href="aegis-databinding-20x.html">Aegis Databinding (2.0.x)</a> &#8212; <span class="smalltext">For CXF up to 2.0.x</span></li><li><a shape="rect" href="jaxb.html">JAXB</a></li><li><a shape="rect" href="mtom-attachments-wi
 th-jaxb.html">MTOM Attachments with JAXB</a></li><li><a shape="rect" href="sdo.html">SDO</a></li><li><a shape="rect" href="xmlbeans.html">XMLBeans</a></li></ul></li><li><a shape="rect" href="transports.html">Transports</a><ul class="childpages-macro"><li><a shape="rect" href="http-transport.html">HTTP Transport</a><ul class="childpages-macro"><li><a shape="rect" href="asynchronous-client-http-transport.html">Asynchronous Client HTTP Transport</a></li><li><a shape="rect" href="client-http-transport-including-ssl-support.html">Client HTTP Transport (including SSL support)</a></li><li><a shape="rect" href="jetty-configuration.html">Jetty Configuration</a></li><li><a shape="rect" href="server-http-transport.html">Server HTTP Transport</a></li><li><a shape="rect" href="servlet-transport.html">Servlet Transport</a></li><li><a shape="rect" href="standalone-http-transport.html">Standalone HTTP Transport</a></li></ul></li><li><a shape="rect" href="jms-transport.html">JMS Transport</a><ul cla
 ss="childpages-macro"><li><a shape="rect" href="cxf-2x-jms-configuration-removed-in-cxf-3.html">CXF 2.x JMS configuration (removed in CXF 3)</a></li><li><a shape="rect" href="jms-performance-and-pooling.html">JMS performance and pooling</a></li><li><a shape="rect" href="jms-transactions.html">JMS transactions</a></li><li><a shape="rect" href="soap-over-jms-10-support.html">SOAP over JMS 1.0 support</a></li><li><a shape="rect" href="using-the-jmsconfigfeature.html">Using the JMSConfigFeature</a></li></ul></li><li><a shape="rect" href="local-transport.html">Local Transport</a></li><li><a shape="rect" href="udp-transport.html">UDP Transport</a><ul class="childpages-macro"><li><a shape="rect" href="soap-over-udp.html">SOAP over UDP</a></li></ul></li><li><a shape="rect" href="custom-transport.html">Custom Transport</a></li><li><a shape="rect" href="coloc-feature.html">Coloc Feature</a></li><li><a shape="rect" href="apache-camel-transport.html">Apache Camel Transport</a></li><li><a shape=
 "rect" href="websocket.html">WebSocket</a></li></ul></li><li><a shape="rect" href="configuration.html">Configuration</a><ul class="childpages-macro"><li><a shape="rect" href="bus-configuration.html">Bus Configuration</a></li><li><a shape="rect" href="featureslist.html">FeaturesList</a></li><li><a shape="rect" href="jmx-management.html">JMX Management</a></li><li><a shape="rect" href="wsaconfiguration.html">WSAConfiguration</a></li><li><a shape="rect" href="wspconfiguration.html">WSPConfiguration</a></li><li><a shape="rect" href="wsrmconfiguration.html">WSRMConfiguration</a></li></ul></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a><ul class="childpages-macro"><li><a shape="rect" href="cxf-tools-in-eclipse.html">CXF tools in Eclipse</a></li><li><a shape="rect" href="idl-to-wsdl.html">IDL to WSDL</a></li><li><a shape="rect" href="java-to-javascript.html">Java to Javascript</a></li><li><a shape="rect
 " href="java-to-ws.html">Java to WS</a></li><li><a shape="rect" href="java-to-wsdl.html">Java to WSDL</a></li><li><a shape="rect" href="maven-cxf-codegen-plugin-wsdl-to-java.html">Maven cxf-codegen-plugin (WSDL to Java)</a></li><li><a shape="rect" href="maven-java2wsdl-plugin-cxf-20x-only-removed-in-21-and-replaced-with-java2ws.html">Maven Java2WSDL plugin (CXF 2.0.x only.  Removed in 2.1 and replaced with Java2WS)</a></li><li><a shape="rect" href="maven-java2ws-plugin.html">Maven Java2WS plugin</a></li><li><a shape="rect" href="using-cxf-with-maven.html">Using CXF with maven</a></li><li><a shape="rect" href="wsdl-to-corba.html">WSDL to CORBA</a></li><li><a shape="rect" href="wsdl-to-java.html">WSDL to Java</a></li><li><a shape="rect" href="wsdl-to-javascript.html">WSDL to Javascript</a></li><li><a shape="rect" href="wsdl-to-service.html">WSDL to Service</a></li><li><a shape="rect" href="wsdl-to-soap.html">WSDL to SOAP</a></li><li><a shape="rect" href="wsdl-to-xml.html">WSDL to XML<
 /a></li><li><a shape="rect" href="wsdlvalidator.html">WSDLValidator</a></li><li><a shape="rect" href="xsd-to-wsdl.html">XSD to WSDL</a></li></ul></li><li><a shape="rect" href="restful-services.html">RESTful Services</a><ul class="childpages-macro"><li><a shape="rect" href="http-binding.html">HTTP Binding</a></li><li><a shape="rect" href="jax-rs.html">JAX-RS</a></li><li><a shape="rect" href="jax-rs-jsr-311.html">JAX-RS (JSR-311)</a></li><li><a shape="rect" href="rest-with-jax-ws-provider-and-dispatch.html">REST with JAX-WS Provider and Dispatch</a></li><li><a shape="rect" href="json-support.html">JSON Support</a></li></ul></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a><ul class="childpages-macro"><li><a shape="rect" href="mtom.html">MTOM</a></li><li><a shape="rect" href="pure-xml.html">Pure XML</a></li><li><a shape="rect" href="soap-11.html">SOAP 1.1</a></li><li><a shape="rect" href="soap-12.html">SOAP 1.2</a></li></ul></li><li><a shape="rect" href="service-routi
 ng.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a><ul class="childpages-macro"><li><a shape="rect" href="javascript.html">JavaScript</a></li><li><a shape="rect" href="javascript-clients.html">JavaScript Clients</a></li></ul></li><li><a shape="rect" href="ws-support.html">WS-* Support</a><ul class="childpages-macro"><li><a shape="rect" href="ws-addressing.html">WS-Addressing</a></li><li><a shape="rect" href="ws-discovery.html">WS-Discovery</a></li><li><a shape="rect" href="ws-metadataexchange.html">WS-MetadataExchange</a></li><li><a shape="rect" href="ws-policy.html">WS-Policy</a></li><li><a shape="rect" href="ws-reliablemessaging.html">WS-ReliableMessaging</a></li><li><a shape="rect" href="ws-secureconversation.html">WS-SecureConversation</a></li><li><a shape="rect" href="ws-security.html">WS-Security</a></li><li><a shape="rect" href="ws-securitypolicy.html">WS-SecurityPolicy</a></li><li><a shape="rect" href="ws-trust.html">WS-Tr
 ust</a></li></ul></li><li><a shape="rect" href="security.html">Security</a><ul class="childpages-macro"><li><a shape="rect" href="jaxrs-kerberos.html">JAXRS Kerberos</a></li><li><a shape="rect" href="saml-web-sso.html">SAML Web SSO</a></li></ul></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a><ul class="childpages-macro"><li><a shape="rect" href="features.html">Features</a></li><li><a shape="rect" href="interceptors.html">Interceptors</a></li><li><a shape="rect" href="invokers.html">Invokers</a></li><li><a shape="rect" href="multiplexed-endpointreferences.html">Multiplexed EndpointReferences</a></li><li><a shape="rect" href="server-service-and-client-factorybeans.html">Server, Service, and Client FactoryBeans</a></li></ul></li><li><a shape="rect" href="deployment.html">Deployment</a><ul class="childpages-macro"><li><a shape="rect" href="application-server-specific-configuration-guide.html">Application Server Specific Configuration Guide</a></li><li><
 a shape="rect" href="embedding-cxf-inside-spring.html">Embedding CXF inside Spring</a></li><li><a shape="rect" href="using-cxf-and-cdi-1112-jsr-346-in-osgi-environment.html">Using CXF and CDI 1.1/1.2 (JSR-346) in OSGi environment</a></li><li><a shape="rect" href="using-cxf-and-cdi-11-jsr-346.html">Using CXF and CDI 1.1 (JSR-346)</a></li><li><a shape="rect" href="using-cxf-jca-rar-in-application-server.html">Using CXF-JCA RAR in Application Server</a></li></ul></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li><li><a shape="rect" href="javadoc.html">Javadoc</a></li></ul><h3 id="Index-OtherSourcesofDocumentationandInformation">Other Sources of Documentation and Information</h3><p>There are several companies that provide extra documentation, examples, tutorials, etc... that users may find useful. See the <a shape="rect" href="http://cxf.apache.org/commercial-cxf-offerings.html">Commercial CXF Offerings</a> page for more details.</p><p>Also
 , many users have created excellent blog posts and other articles that may provide extra information. See the <a shape="rect" href="http://cxf.apache.org/resources-and-articles.html">Resources and Articles</a> page for a listing.</p><h2 id="Index-DeveloperGuide">Developer Guide</h2><ul><li><a shape="rect" href="cxf-architecture.html">CXF Architecture</a></li><li><a shape="rect" href="configuration-for-developers.html">Configuration for Developers</a></li><li><a shape="rect" href="cxf-dependency-graphs.html">CXF Dependency Graphs</a></li><li><a shape="rect" href="documentation-todos.html">Documentation TODOs</a></li></ul></div>
+</div><ul><li><a shape="rect" href="overview.html">Overview</a><ul class="childpages-macro"><li><a shape="rect" href="why-cxf.html">Why CXF?</a></li><li><a shape="rect" href="how-do-i-integrate-my-application-with-cxf.html">How do I integrate my application with CXF</a> &#8212; <span class="smalltext">A meta guide to integrating your application with CXF - including Bindings, Transports, Interceptors, etc</span></li><li><a shape="rect" href="how-do-i-develop-a-service.html">How do I develop a service?</a> &#8212; <span class="smalltext">A meta guide to your options with CXF</span></li><li><a shape="rect" href="how-do-i-develop-a-client.html">How do I develop a client?</a> &#8212; <span class="smalltext">A meta guide to your options with CXF</span></li></ul></li><li><a shape="rect" href="how-tos.html">How-Tos</a><ul class="childpages-macro"><li><a shape="rect" href="writing-a-service-with-spring.html">Writing a service with Spring</a></li><li><a shape="rect" href="a-simple-jax-ws-ser
 vice.html">A simple JAX-WS service</a></li><li><a shape="rect" href="running-a-service-in-tomcat-on-zos.html">Running a service in Tomcat on zOS</a></li><li><a shape="rect" href="defining-contract-first-webservices-with-wsdl-generation-from-java.html">Defining Contract first webservices with wsdl generation from java</a></li><li><a shape="rect" href="migration-guides.html">Migration Guides</a></li><li><a shape="rect" href="sample-projects.html">Sample Projects</a></li></ul></li><li><a shape="rect" href="frontends.html">Frontends</a><ul class="childpages-macro"><li><a shape="rect" href="annotations.html">Annotations</a></li><li><a shape="rect" href="dynamic-clients.html">Dynamic Clients</a></li><li><a shape="rect" href="jax-ws.html">JAX-WS</a><ul class="childpages-macro"><li><a shape="rect" href="developing-a-consumer.html">Developing a Consumer</a></li><li><a shape="rect" href="developing-a-service.html">Developing a Service</a></li><li><a shape="rect" href="jax-ws-configuration.htm
 l">JAX-WS Configuration</a></li><li><a shape="rect" href="jax-ws-dispatch-api.html">JAX-WS Dispatch API</a></li><li><a shape="rect" href="provider-services.html">Provider Services</a></li><li><a shape="rect" href="webservicecontext.html">WebserviceContext</a></li></ul></li><li><a shape="rect" href="simple.html">Simple</a><ul class="childpages-macro"><li><a shape="rect" href="simple-frontend.html">Simple Frontend</a></li><li><a shape="rect" href="simple-frontend-configuration.html">Simple Frontend Configuration</a></li></ul></li></ul></li><li><a shape="rect" href="databindings.html">DataBindings</a><ul class="childpages-macro"><li><a shape="rect" href="aegis-21.html">Aegis (2.1)</a> &#8212; <span class="smalltext">For CXF 2.1 or newer</span></li><li><a shape="rect" href="aegis-databinding-20x.html">Aegis Databinding (2.0.x)</a> &#8212; <span class="smalltext">For CXF up to 2.0.x</span></li><li><a shape="rect" href="jaxb.html">JAXB</a></li><li><a shape="rect" href="mtom-attachments-wi
 th-jaxb.html">MTOM Attachments with JAXB</a></li><li><a shape="rect" href="sdo.html">SDO</a></li><li><a shape="rect" href="xmlbeans.html">XMLBeans</a></li></ul></li><li><a shape="rect" href="transports.html">Transports</a><ul class="childpages-macro"><li><a shape="rect" href="http-transport.html">HTTP Transport</a><ul class="childpages-macro"><li><a shape="rect" href="asynchronous-client-http-transport.html">Asynchronous Client HTTP Transport</a></li><li><a shape="rect" href="client-http-transport-including-ssl-support.html">Client HTTP Transport (including SSL support)</a></li><li><a shape="rect" href="jetty-configuration.html">Jetty Configuration</a></li><li><a shape="rect" href="server-http-transport.html">Server HTTP Transport</a></li><li><a shape="rect" href="servlet-transport.html">Servlet Transport</a></li><li><a shape="rect" href="standalone-http-transport.html">Standalone HTTP Transport</a></li></ul></li><li><a shape="rect" href="jms-transport.html">JMS Transport</a><ul cla
 ss="childpages-macro"><li><a shape="rect" href="cxf-2x-jms-configuration-removed-in-cxf-3.html">CXF 2.x JMS configuration (removed in CXF 3)</a></li><li><a shape="rect" href="jms-performance-and-pooling.html">JMS performance and pooling</a></li><li><a shape="rect" href="jms-transactions.html">JMS transactions</a></li><li><a shape="rect" href="soap-over-jms-10-support.html">SOAP over JMS 1.0 support</a></li><li><a shape="rect" href="using-the-jmsconfigfeature.html">Using the JMSConfigFeature</a></li></ul></li><li><a shape="rect" href="local-transport.html">Local Transport</a></li><li><a shape="rect" href="udp-transport.html">UDP Transport</a><ul class="childpages-macro"><li><a shape="rect" href="soap-over-udp.html">SOAP over UDP</a></li></ul></li><li><a shape="rect" href="custom-transport.html">Custom Transport</a></li><li><a shape="rect" href="coloc-feature.html">Coloc Feature</a></li><li><a shape="rect" href="apache-camel-transport.html">Apache Camel Transport</a></li><li><a shape=
 "rect" href="websocket.html">WebSocket</a></li></ul></li><li><a shape="rect" href="configuration.html">Configuration</a><ul class="childpages-macro"><li><a shape="rect" href="bus-configuration.html">Bus Configuration</a></li><li><a shape="rect" href="featureslist.html">FeaturesList</a></li><li><a shape="rect" href="jmx-management.html">JMX Management</a></li><li><a shape="rect" href="wsaconfiguration.html">WSAConfiguration</a></li><li><a shape="rect" href="wspconfiguration.html">WSPConfiguration</a></li><li><a shape="rect" href="wsrmconfiguration.html">WSRMConfiguration</a></li></ul></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a><ul class="childpages-macro"><li><a shape="rect" href="cxf-tools-in-eclipse.html">CXF tools in Eclipse</a></li><li><a shape="rect" href="idl-to-wsdl.html">IDL to WSDL</a></li><li><a shape="rect" href="java-to-javascript.html">Java to Javascript</a></li><li><a shape="rect
 " href="java-to-ws.html">Java to WS</a></li><li><a shape="rect" href="java-to-wsdl.html">Java to WSDL</a></li><li><a shape="rect" href="maven-cxf-codegen-plugin-wsdl-to-java.html">Maven cxf-codegen-plugin (WSDL to Java)</a></li><li><a shape="rect" href="maven-java2wsdl-plugin-cxf-20x-only-removed-in-21-and-replaced-with-java2ws.html">Maven Java2WSDL plugin (CXF 2.0.x only.  Removed in 2.1 and replaced with Java2WS)</a></li><li><a shape="rect" href="maven-java2ws-plugin.html">Maven Java2WS plugin</a></li><li><a shape="rect" href="using-cxf-with-maven.html">Using CXF with maven</a></li><li><a shape="rect" href="wsdl-to-corba.html">WSDL to CORBA</a></li><li><a shape="rect" href="wsdl-to-java.html">WSDL to Java</a></li><li><a shape="rect" href="wsdl-to-javascript.html">WSDL to Javascript</a></li><li><a shape="rect" href="wsdl-to-service.html">WSDL to Service</a></li><li><a shape="rect" href="wsdl-to-soap.html">WSDL to SOAP</a></li><li><a shape="rect" href="wsdl-to-xml.html">WSDL to XML<
 /a></li><li><a shape="rect" href="wsdlvalidator.html">WSDLValidator</a></li><li><a shape="rect" href="xsd-to-wsdl.html">XSD to WSDL</a></li></ul></li><li><a shape="rect" href="restful-services.html">RESTful Services</a><ul class="childpages-macro"><li><a shape="rect" href="http-binding.html">HTTP Binding</a></li><li><a shape="rect" href="jax-rs.html">JAX-RS</a></li><li><a shape="rect" href="jax-rs-jsr-311.html">JAX-RS (JSR-311)</a></li><li><a shape="rect" href="rest-with-jax-ws-provider-and-dispatch.html">REST with JAX-WS Provider and Dispatch</a></li><li><a shape="rect" href="json-support.html">JSON Support</a></li></ul></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a><ul class="childpages-macro"><li><a shape="rect" href="mtom.html">MTOM</a></li><li><a shape="rect" href="pure-xml.html">Pure XML</a></li><li><a shape="rect" href="soap-11.html">SOAP 1.1</a></li><li><a shape="rect" href="soap-12.html">SOAP 1.2</a></li></ul></li><li><a shape="rect" href="service-routi
 ng.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a><ul class="childpages-macro"><li><a shape="rect" href="javascript.html">JavaScript</a></li><li><a shape="rect" href="javascript-clients.html">JavaScript Clients</a></li></ul></li><li><a shape="rect" href="ws-support.html">WS-* Support</a><ul class="childpages-macro"><li><a shape="rect" href="ws-addressing.html">WS-Addressing</a></li><li><a shape="rect" href="ws-discovery.html">WS-Discovery</a></li><li><a shape="rect" href="ws-metadataexchange.html">WS-MetadataExchange</a></li><li><a shape="rect" href="ws-policy.html">WS-Policy</a></li><li><a shape="rect" href="ws-reliablemessaging.html">WS-ReliableMessaging</a></li><li><a shape="rect" href="ws-secureconversation.html">WS-SecureConversation</a></li><li><a shape="rect" href="ws-security.html">WS-Security</a></li><li><a shape="rect" href="ws-securitypolicy.html">WS-SecurityPolicy</a></li><li><a shape="rect" href="ws-trust.html">WS-Tr
 ust</a></li></ul></li><li><a shape="rect" href="security.html">Security</a><ul class="childpages-macro"><li><a shape="rect" href="jaxrs-kerberos.html">JAXRS Kerberos</a></li><li><a shape="rect" href="saml-web-sso.html">SAML Web SSO</a></li><li><a shape="rect" href="security-configuration.html">Security Configuration</a></li></ul></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a><ul class="childpages-macro"><li><a shape="rect" href="features.html">Features</a></li><li><a shape="rect" href="interceptors.html">Interceptors</a></li><li><a shape="rect" href="invokers.html">Invokers</a></li><li><a shape="rect" href="multiplexed-endpointreferences.html">Multiplexed EndpointReferences</a></li><li><a shape="rect" href="server-service-and-client-factorybeans.html">Server, Service, and Client FactoryBeans</a></li></ul></li><li><a shape="rect" href="deployment.html">Deployment</a><ul class="childpages-macro"><li><a shape="rect" href="application-server-specific-c
 onfiguration-guide.html">Application Server Specific Configuration Guide</a></li><li><a shape="rect" href="embedding-cxf-inside-spring.html">Embedding CXF inside Spring</a></li><li><a shape="rect" href="using-cxf-and-cdi-1112-jsr-346-in-osgi-environment.html">Using CXF and CDI 1.1/1.2 (JSR-346) in OSGi environment</a></li><li><a shape="rect" href="using-cxf-and-cdi-11-jsr-346.html">Using CXF and CDI 1.1 (JSR-346)</a></li><li><a shape="rect" href="using-cxf-jca-rar-in-application-server.html">Using CXF-JCA RAR in Application Server</a></li></ul></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li><li><a shape="rect" href="javadoc.html">Javadoc</a></li></ul><h3 id="Index-OtherSourcesofDocumentationandInformation">Other Sources of Documentation and Information</h3><p>There are several companies that provide extra documentation, examples, tutorials, etc... that users may find useful. See the <a shape="rect" href="http://cxf.apache.org/commerc
 ial-cxf-offerings.html">Commercial CXF Offerings</a> page for more details.</p><p>Also, many users have created excellent blog posts and other articles that may provide extra information. See the <a shape="rect" href="http://cxf.apache.org/resources-and-articles.html">Resources and Articles</a> page for a listing.</p><h2 id="Index-DeveloperGuide">Developer Guide</h2><ul><li><a shape="rect" href="cxf-architecture.html">CXF Architecture</a></li><li><a shape="rect" href="configuration-for-developers.html">Configuration for Developers</a></li><li><a shape="rect" href="cxf-dependency-graphs.html">CXF Dependency Graphs</a></li><li><a shape="rect" href="documentation-todos.html">Documentation TODOs</a></li></ul></div>
            </div>
            <!-- Content -->
          </td>

Modified: websites/production/cxf/content/docs/jax-rs-saml.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-saml.html (original)
+++ websites/production/cxf/content/docs/jax-rs-saml.html Fri Apr 24 14:46:55 2015
@@ -117,23 +117,23 @@ Apache CXF -- JAX-RS SAML
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;</p><p></p><p><span class="inline-first-p" style="font-size:2em;font-weight:bold"> JAX-RS: SAML </span></p><p></p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1419015866024 {padding: 0px;}
-div.rbtoc1419015866024 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1419015866024 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;<span class="inline-first-p" style="font-size:2em;font-weight:bold">JAX-RS: SAML</span>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1429886791424 {padding: 0px;}
+div.rbtoc1429886791424 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1429886791424 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1419015866024">
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSSAML-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSSAML-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in Authorization header</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsasFormvalues">SAML assertions as Form values</a></li><li><a shape="rect" href="#JAX-RSSAML-CreatingSAMLAssertions">Creating SAML Assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAuthorization">SAML Authorization</a>
+/*]]>*/</style></p><div class="toc-macro rbtoc1429886791424">
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSSAML-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSSAML-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration note</a></li><li><a shape="rect" href="#JAX-RSSAML-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in Authorization header</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLassertionsasFormvalues">SAML assertions as Form values</a></li><li><a shape="rect" href="#JAX-RSSAML-CreatingSAMLAssertions">Creating SAML Assertions</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</a></li><li><a shape="rect" href="#JAX-RSSAML-SAMLAuthorization">SAML Authorization</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSSAML-ClaimsBasedAccessControl">Claims Based Access Control</a></li><li><a shape="rect" href="#JAX-RSSAML-RoleBasedAccessControl">Role Based Access Control</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSSAML-SAMLWebSSOProfile">SAML Web SSO Profile</a></li></ul>
-</div><h1 id="JAX-RSSAML-Introduction">Introduction</h1><p>CXF 2.5.0 introduces an initial support for working with <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/SAML_2.0" rel="nofollow">SAML2</a> assertions. So far the main focus has been put on making sure SAML assertions can be included in HTTP requests targeted at application endpoints: embedded inside XML payloads or passed as encoded HTTP header or form values.</p><p>See also <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a>.</p><h1 id="JAX-RSSAML-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h1 id="JAX-RSSAML-Introduction">Introduction</h1><p>CXF 2.5.0 introduces an initial support for working with <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/SAML_2.0" rel="nofollow">SAML2</a> assertions. So far the main focus has been put on making sure SAML assertions can be included in HTTP requests targeted at application endpoints: embedded inside XML payloads or passed as encoded HTTP header or form values.</p><p>See also <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a>.</p><h1 id="JAX-RSSAML-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration note</h1><p>From Apache CXF 3.1.0, the WS-Security based configuration tags used to configure XML Signature or Encryption ("ws-security-*") have been changed to just start with "security-". Apart from this they are exactly the same. Older "ws-security-" values continue to be accepted in CXF 3.1.0. To use any of the configuration examples in this page with an
  older version of CXF, simply add a "ws-" prefix to the configuration tag.</p><h1 id="JAX-RSSAML-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-xml&lt;/artifactId&gt;
   &lt;version&gt;2.5.0&lt;/version&gt;
 &lt;/dependency&gt;
 ]]></script>
-</div></div><p>This module depends on CXF WS-Security and Apache WSS4J modules, due to them containing a lot of useful utility code.<br clear="none"> We will see in time if it will make sense to exclude such dependencies or not.</p><h1 id="JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML assertions</h1><p>Payload:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>This module depends on Apache WSS4J, as it contains a lot of useful utility code based around OpenSAML.</p><h1 id="JAX-RSSAML-EnvelopedSAMLassertions">Enveloped SAML assertions</h1><p>Payload:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;env:Envelope xmlns:env=&quot;http://org.apache.cxf/rs/env&quot;&gt;
 
 &lt;Book ID=&quot;67ca6441-0c4e-4430-af0e-9463ce9226aa&quot;&gt;
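Review bot: The new "Backwards compatibility configuration note" paragraph writes the prefixes with a hyphen ("ws-security-*", "security-"), but every key shown on this page uses a dot separator, for example "security.signature.properties", so a reader who follows the note literally builds a key that does not match any example. Suggest writing the prefixes as "ws-security." and "security.". The Maven snippet left unchanged in this hunk still pins version 2.5.0 while the note describes 3.1.0 behaviour, so it is worth stating which release the examples below are written for.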
@@ -255,29 +255,25 @@ div.rbtoc1419015866024 li {margin-left:
        &lt;/jaxrs:providers&gt;
        
        &lt;jaxrs:properties&gt;
-           &lt;entry key=&quot;ws-security.signature.properties&quot; 
+           &lt;entry key=&quot;security.signature.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
        &lt;/jaxrs:properties&gt;
         
     &lt;/jaxrs:server&gt;
 ]]></script>
 </div></div><p>Client code:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String address, 
-                                  boolean selfSigned) {
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String address) {
   JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
   bean.setAddress(address);
   
   Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();
-  properties.put(&quot;ws-security.callback-handler&quot;, 
+  properties.put(&quot;security.callback-handler&quot;, 
                 &quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;);
-  properties.put(&quot;ws-security.saml-callback-handler&quot;, 
+  properties.put(&quot;security.saml-callback-handler&quot;, 
                  &quot;org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler&quot;);
-  properties.put(&quot;ws-security.signature.username&quot;, &quot;alice&quot;);
-  properties.put(&quot;ws-security.signature.properties&quot;, 
+  properties.put(&quot;security.signature.username&quot;, &quot;alice&quot;);
+  properties.put(&quot;security.signature.properties&quot;, 
                  &quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;);
-  if (selfSigned) {
-     properties.put(&quot;ws-security.self-sign-saml-assertion&quot;, &quot;true&quot;);
-  }
   bean.setProperties(properties);
         
   bean.getOutInterceptors().add(new SamlEnvelopedOutInterceptor(!selfSigned));
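Review bot: createWebClient(String address) no longer declares selfSigned, yet the unchanged context line bean.getOutInterceptors().add(new SamlEnvelopedOutInterceptor(!selfSigned)); still reads it, so the sample does not compile as published. Either keep the boolean parameter or replace the argument with a literal and say which value the example intends.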
@@ -288,10 +284,22 @@ div.rbtoc1419015866024 li {margin-left:
   return bean.createWebClient();
 }
 ]]></script>
-</div></div><p>In the above code, the "ws-security.self-sign-saml-assertion" property, if set to true, will require SamlEnvelopedOutInterceptor to get a SAML assertion self-signed, by adding an enveloped signature to it. When we also need to sign the application payload such as Book we need to make sure that a detached XML signature for Book is created. When the whole envelope is signed then SamlEnvelopedOutInterceptor needs to be placed before XmlSigOutInterceptor hence the "new SamlEnvelopedOutInterceptor(!selfSigned)" constructor is invoked.</p><h1 id="JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in Authorization header</h1><p>Logging output:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>When we also need to sign the application payload such as Book we need to make sure that a detached XML signature for Book is created. When the whole envelope is signed then SamlEnvelopedOutInterceptor needs to be placed before XmlSigOutInterceptor hence the "new SamlEnvelopedOutInterceptor(!selfSigned)" constructor is invoked.</p><h1 id="JAX-RSSAML-SAMLassertionsinAuthorizationheader">SAML assertions in Authorization header</h1><p>Logging output:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[Address: https://localhost:9000/samlheader/bookstore/books/123
 Http-Method: GET
-Headers: {Accept=[application/xml], Authorization=[SAML eJydV1mTokgQfu9fYTCPrs2htGKMHVEcKq2gKOLxsoFQAsqhFAjNr99CW1ud7t2ZjdAwMisr68s7/YnMwGfaACEYJ14UVmSxQ/z9wjUlBrRYiWZZiWVYlqPrDFVnmhTbwL80UZERSqEcosQMkw7BUDRdwx+qrtP1dp1qs41nLLciKgaMEVaLRZ4popIHfojapyc7RBqH7chEHmqHZgBRO7HaU6AM21iybV7wXO7kqEO4SbJvk2SWZc9Z/TmKHZKhKJpcKMOp5cLA/JT1/lu45p3AWxDfQl47ed/DDvHgDB0zidefZ+7J4vi11IuwYs/eP8PcDPY+PGkvoTM/yTvZnzZqTz0nNJM0hh/g7O8MoUiKI7GMjTznB3G9C2053EQnUjDDKPQs0/cKs4SnwMSN7ArwnSj2Ejf41miaKhXXYG7VLLoR/iDIe2i/qegOYYzMGnJN+kPXBG5gDLE7K7OJ3CF+/HcKna7psRmiTRQH6J78MywwPEI/2kO7hi4mfcD6fYVfeOn1J7Tacmj5KfKOUC2TdG9aEFXGMdx4+dBDOPVzdEk7aP1RAMhbeA/k2Rui50CU/J/g3ATmrMQw/RS+Lod0s8c74oavDxsCSoueGs8H4zUQlp0TgFvhE+Ma1jP5kJDXBDrfABTXCxR7+UJ5clXM0XjN8LG9MQxG57bTMfB9rUkaXUNKJgsRzKl+f8R2q0qr/sLB+Ub3oGEPhrIMJTegkBOM+0E4nbCLjVXYXO6MHXYhDLMWtGjKtRtNGtirfrioTvXhhnM2zalRXdXDlVVPg2Oe0Sp4Ge/eWgdRiXQwOiZWtZEfjtSwm1aH46xzNecGf2nSAL5fzVuwFCeaiXklhLItbHAFJvBVkWWhtxUEsBw5IJN54MjS1Jg4QAcq7+wO7s7rcRnFA23WBSIolImSSdpSNDRtIGV71+p1t2Zvl
 q7rb+GTomWZ4JwOh1Km+uvAysUtUHhHNXig6PxcbawC1VX4xkLUrUwRpUzRAf7F326EeUoD8/KRDoonRdcylY4ypZB0hZd6gJ5JgqsMlgveXTKuPwy491UhKQqIzme5Iq7mbKhojUwEJxBYveGue/72aaULfFg8miR1ARjxWw1kznKHgUvgmDYbOLhTV2uxG/pF7E2thpy73NjY95z0XTrEAnoatA7coj9aLjifIx02k4SXlTVhutlGRZHZtwbqeGuzaKoXRsLPA2274aWNfMj0SfOYeu4of1f1TCqMTH4rno5Rc98izWW+qxo2n2j5oTHLoGxtSK+7m60V2lrRkbeYaIXlTXivKtC8JmgSdSiQADIJAFNpKuIuk3FQnowJNeX5KOvJ8lzfcbMFtRrPfE6b7TjJmKmz6YwbLWhDn+hgVgalP5EkUQdDx/HRmlGxr9yjVdcyUVu+PQ2ilYxJtfQTrwGx9I87zHZBtbVHg6ThhGtv1ysMSnf203nPmufzAQZYtBKZCV/cLmCP9Nbo981Gj3ty64gKc43RYVbACblrOoFjMEhutOqqEy/7gR4MB6bIzwuT2YN0lYqu1m/1gOS+mbtuMuDH1aokcLGq7ldP4eHQz/P6Yc0kc4Y9TBK+EIMBx9COw42VKFCsZnqYaOfqeMz4K/NcE+RttdxV02ViTtP1FlrJhSwbqCxWuri/mcn3459+pk8cz65tTqLtNER7aGEY0CYqpRYtxTMQk3GHKJtgEFm7GkrQsxUFxGvq2R1M1Czfg2HyV9S5Pb4M6DOWB6BCFG688sVyDzq33X/fUqygjWBow7h2jFK8VaBTX//SeKzb9krFqKJGCQ+xafCbvYl+wXsTFhqFoxhsktLKb+Uu6kFqe2WbnuD2HXtW+dDj0XVzQZ+LC/bI/eJyFX5k3CkmH236fCtxw2mCsyXAvq+cyH9dEvFOgI2dQlQuiTJ2Zd4haKbeYF+IO534qQTmyVc8wcfLIp5T5A
 3m2xvkV9CuihJs1TpN4PcnlW6MPWD772XO4BXxHNdaHPnwnI3XgYxOiyV6xlMYt7P9aTJnqBzOLIk/no3Ve8k7afmmFyDyU8OlJP6XHuIXxKdpdrPV5njlxkehg4sDb7ZXj9zJv/7C/tUTd9Z+WGFiv5Z4LPO8rn9hz5eSH8X9R+j3ONJZFNu/b8Ej59cwY1CFiLtLmYCfmXvhdIgyKXENBh7ubfCmvq9/El7/AXoseyE=], ...}
+Headers: {Accept=[application/xml], Authorization=[SAML eJydV1mTokgQfu9fYTCPrs2htGKMHVEcKq2gKOLxsoFQAsqhFAjNr99CW1ud7t2ZjdAwMisr68s7/YnMwGfaACEYJ14UVmSxQ/z9wjUlBrRYiWZZiWVYlqPrDFVnmhTbwL80UZERSqEcosQMkw7BUDRdwx+qrtP1dp1qs41nLLciKgaMEVaLRZ4popIHfojapyc7RBqH7chEHmqHZgBRO7HaU6AM21iybV7wXO7kqEO4SbJvk2SWZc9Z/Tm
+KHZKhKJpcKMOp5cLA/JT1/lu45p3AWxDfQl47ed/DDvHgDB0zidefZ+7J4vi11IuwYs/eP8PcDPY+PGkvoTM/yTvZnzZqTz0nNJM0hh/g7O8MoUiKI7GMjTznB3G9C2053EQnUjDDKPQs0/cKs4SnwMSN7
+ArwnSj2Ejf41miaKhXXYG7VLLoR/iDIe2i/qegOYYzMGnJN+kPXBG5gDLE7K7OJ3CF+/HcKna7psRmiTRQH6J78MywwPEI/2kO7hi4mfcD6fYVfeOn1J7Tacmj5KfKOUC2TdG9aEFXGMdx4+dBDOPVzdEk
+7aP1RAMhbeA/k2Rui50CU/J/g3ATmrMQw/RS+Lod0s8c74oavDxsCSoueGs8H4zUQlp0TgFvhE+Ma1jP5kJDXBDrfABTXCxR7+UJ5clXM0XjN8LG9MQxG57bTMfB9rUkaXUNKJgsRzKl+f8R2q0qr/sLB+
+Ub3oGEPhrIMJTegkBOM+0E4nbCLjVXYXO6MHXYhDLMWtGjKtRtNGtirfrioTvXhhnM2zalRXdXDlVVPg2Oe0Sp4Ge/eWgdRiXQwOiZWtZEfjtSwm1aH46xzNecGf2nSAL5fzVuwFCeaiXklhLItbHAFJvB
+VkWWhtxUEsBw5IJN54MjS1Jg4QAcq7+wO7s7rcRnFA23WBSIolImSSdpSNDRtIGV71+p1t2Zvlq7rb+GTomWZ4JwOh1Km+uvAysUtUHhHNXig6PxcbawC1VX4xkLUrUwRpUzRAf7F326EeUoD8/KRDoonR
+dcylY4ypZB0hZd6gJ5JgqsMlgveXTKuPwy491UhKQqIzme5Iq7mbKhojUwEJxBYveGue/72aaULfFg8miR1ARjxWw1kznKHgUvgmDYbOLhTV2uxG/pF7E2thpy73NjY95z0XTrEAnoatA7coj9aLjifIx02k4SXlTVhutlGRZHZtwbqeGuzaKoXRsLPA2274aWNfMj0SfOYeu4of1f1TCqMTH4rno5Rc98izWW+qxo2n2j5oTHLoGxtSK+7m60V2lrRkbeYaIX
+lTXivKtC8JmgSdSiQADIJAFNpKuIuk3FQnowJNeX5KOvJ8lzfcbMFtRrPfE6b7TjJmKmz6YwbLWhDn+hgVgalP5EkUQdDx/HRmlGxr9yjVdcyUVu+PQ2ilYxJtfQTrwGx9I87zHZBtbVHg6ThhGtv1ysMS
+nf203nPmufzAQZYtBKZCV/cLmCP9Nbo981Gj3ty64gKc43RYVbACblrOoFjMEhutOqqEy/7gR4MB6bIzwuT2YN0lYqu1m/1gOS+mbtuMuDH1aokcLGq7ldP4eHQz/P6Yc0kc4Y9TBK+EIMBx9COw42VKFC
+sZnqYaOfqeMz4K/NcE+RttdxV02ViTtP1FlrJhSwbqCxWuri/mcn3459+pk8cz65tTqLtNER7aGEY0CYqpRYtxTMQk3GHKJtgEFm7GkrQsxUFxGvq2R1M1Czfg2HyV9S5Pb4M6DOWB6BCFG688sVyDzq33
+X/fUqygjWBow7h2jFK8VaBTX//SeKzb9krFqKJGCQ+xafCbvYl+wXsTFhqFoxhsktLKb+Uu6kFqe2WbnuD2HXtW+dDj0XVzQZ+LC/bI/eJyFX5k3CkmH236fCtxw2mCsyXAvq+cyH9dEvFOgI2dQlQuiTJ2Zd4haKbeYF+IO534qQTmyVc8wcfLIp5T5A3m2xvkV9CuihJs1TpN4PcnlW6MPWD772XO4BXxHNdaHPnwnI3XgYxOiyV6xlMYt7P
+9aTJnqBzOLIk/no3Ve8k7afmmFyDyU8OlJP6XHuIXxKdpdrPV5njlxkehg4sDb7ZXj9zJv/7C/tUTd9Z+WGFiv5Z4LPO8rn9hz5eSH8X9R+j3ONJZFNu/b8Ej59cwY1CFiLtLmYCfmXvhdIgyKXENBh7ub
+fCmvq9/El7/AXoseyE=], ...}
 ]]></script>
 </div></div><p>Note that the Authorization header has an encoded SAML Assertion as its value. The original SAML assertion has been optionally compressed using a deflated encoding and then base64-encoded. This encoded value can be signed itself - but it is not currently possible.</p><p>Server configuration is similar to the one from the Enveloped SAML Assertions section, the only difference is that a SAML handler needs to be replaced:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[    &lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
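Review bot: The rewritten paragraph after the client code still justifies the "new SamlEnvelopedOutInterceptor(!selfSigned)" constructor, but the sentence that introduced self-signing has been deleted and selfSigned is no longer a parameter of the sample, so the explanation now refers to something the page never defines. Reword it to describe the constructor argument directly. The Authorization=[SAML ...] value in the logging output is also now broken over several lines inside the CDATA block; a header value is a single line, so the sample no longer decodes if copied as shown.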
@@ -300,22 +308,19 @@ Headers: {Accept=[application/xml], Auth
     &lt;!-- same as in the Enveloped SAML Assertions section --&gt; 
 ]]></script>
 </div></div><p>Client code:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String address, 
-                                  boolean selfSigned) {
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[private WebClient createWebClient(String address) {
   JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
   bean.setAddress(address);
   
   Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();
-  properties.put(&quot;ws-security.callback-handler&quot;, 
+  properties.put(&quot;security.callback-handler&quot;, 
                 &quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;);
-  properties.put(&quot;ws-security.saml-callback-handler&quot;, 
+  properties.put(&quot;security.saml-callback-handler&quot;, 
                  &quot;org.apache.cxf.systest.jaxrs.security.saml.SamlCallbackHandler&quot;);
-  properties.put(&quot;ws-security.signature.username&quot;, &quot;alice&quot;);
-  properties.put(&quot;ws-security.signature.properties&quot;, 
+  properties.put(&quot;security.signature.username&quot;, &quot;alice&quot;);
+  properties.put(&quot;security.signature.properties&quot;, 
                  &quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;);
-  if (selfSigned) {
-     properties.put(&quot;ws-security.self-sign-saml-assertion&quot;, &quot;true&quot;);
-  }
+
   bean.setProperties(properties);
         
   bean.getOutInterceptors().add(new SamlHeaderOutInterceptor());
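Review bot: The if (selfSigned) block that set "ws-security.self-sign-saml-assertion" is deleted here rather than renamed, while the compatibility note added in this same commit says the keys are exactly the same apart from the prefix. State whether a "security.self-sign-saml-assertion" key is still honoured or whether self-signing is now configured another way, so a reader migrating a client that set it knows what to do. The lone "+" blank line left in its place can be dropped.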
@@ -328,8 +333,20 @@ Headers: {Accept=[application/xml], Auth
 Encoding: ISO-8859-1
 Http-Method: POST
 Content-Type: application/x-www-form-urlencoded
-Headers: {Accept=[application/xml], Cache-Control=[no-cache], connection=[keep-alive], Content-Length=[2206], content-type=[application/x-www-form-urlencoded], Host=[localhost:9000], Pragma=[no-cache], User-Agent=[Apache CXF ${project.version}]}
-Payload: name=CXF&amp;id=125&amp;SAMLToken=eJydV1tzqkgQfs+vsDiPWcNFjWIdUzUIGqJgQMTLyxYOI6BclAFBfv0OGo16kt1ztkrL6p6eb77u6e5pf2Ir8Lk2wBjFiReFFVnsUH8zYqPFAAkwbOsZSK2eKLI1jqlxTY5p8PVnlqrIGKdIDnFihUmH4hiWrZIPUzPYWrtWa3ONJ2K3oComijGBJSZPDFXJAz/E7eORHSqNw3ZkYQ+3QytAuJ3A9hgowzaxbFtnPuc9Oe5QbpJs2zSdZdlTVnuKYofmGIalZ8pwDF0UWJ+23n8bV70jeYjILuy1k8MWdai7YBhESb38PGmPHscvJS4mwJ69fUK5FWx9dEQvqXM/6RvbnzZujz0ntJI0Rh/k7O8cYWiGp4mNjT3nB3XZi2w5XEVHsWuFUehBy/cKq6SnoMSN7ArwnSj2Ejf41mmWKYGrKIdVyNbDHxR9S+03gW4YxtiqYtdiP7B0tEIxIuGsTHS5Q/347xQ6bjNiK8SrKA7wrfhnXFC4R360RXYVn136oPX7gF9E6eUngm05hH6KvT1SyyTdWhDhynuMVl4+9DBJ/Ryf0w7BP7oA+prenXiKhug5CCf/53KuLuYEYlp+il5qDTNiWU3Hz3qxkBCzn0aanw8K7TDvHAlcGx8Vl2s9iXcJeUmg046Q1/bNx0AVHltzNp3pb/KwtizS/nZmHNYYvG6A5G44Bj4bw4msaTYCi93Q5NfL1cBgoBvCw9DbS0GPm43UQnzfJW9JfzUs6nQ/nQh7zXb7EltbPTKPXvSeRSuvvu/LIHWEjTJqJfom5qCJn0W7lSxg34LSPlSMOmitOLyUDNc2PGWpw169tTb5rHNx54p/6dIAHS7uzRoML1qJdRG6ZVtYkQpM0Isiy93+utsF85EDMlkAjiyNTd0BBlAFZ7NzN16fzxgBaJMeEEGh6EomaXPR1LSBlG1d2O+trf4kXdbewgdFy7
 Kuc1wcSpnqLwOYi2ugCI5qCkAxhKlaXwSqqwj1mWjATBGlTDEA+SXfXkR0Sp3o8pEBigfF0DKVjTKlkAxFkPqAnUhdVxnMZ4I751x/GPCHRSEpCohOa7kiLqaNUNHqmQiOJAi86S77/vphYXSFsLh3SeoBMBLWGsic+YYQl8A+bdabtDl2tVZjxT6L/TGsy7nLv5vbvpMepF3cxQ+D1o6fvY7mM97naaeRSd3nBdS5XrZScWS9woH6vrYbeGwUZiJMA229EqSVvMsMvblPPXeUH1Qjkwozk9+Kh33U3LZoa55vHk1bSLR8V59kSIYr2uttJkuFhQs28ma6VkBPF7zHLitoXU1idgXugkwCwFKairjJZHIpD6bOjAUhyvqyPDU2/GTGLN4nPq9NNrxkTtTJeMKPZqxp6AaYlJfyqkuSaICh4/h4yakkVu4e1rRM1OZvD4NoIRNRLeMkaEAs4+MOs03w2NriQVJ3wqW36RcmYzjb8bQPp/l0QAgWrUTmwme3Bxp7dm2+vlr1Pv/g1jAT5hpnoKxAOr1pOoFjcliut2qqE89fAyMYDixRmBYWtwXpIhVd7bXVJ6X2Zm16yUB4f3yUunysqtvFQ7jbveZ5bbfkkinX2OmJUIjBgOdYx+HflShQYDPd6dqpOu4z/qI81QR9XS031XR+Mcfpco1gchbLBiqLlR7pb1by/fPPPrFHjWdXV0fTdhriLYKEBrKpSomipeQNJGLcocomGERwU8UJfoJRQL2knt0hQhX6HgqTv6LO9fL5gT5xuSPajcKVV55YzkGntvvvUwoM2hiFNoqr+yglUwU+9vUvnSfYtlcC44oaJQIirqFv5qYGT+YmYjQKRzFYJaWX39qd4UFqe2Wb1kn7jj1YHnS/dJlc8OfgQiJyO7hcjO8VN8D0vU+fZyVuOE5ItgQk9pWj+K9DYqtZDoljhMshUSahzDsUy9XqjWfqBpMclaA8+UrX9cmwSN4p+orz9Q76K2o
 XoIR4tUwT9P1KpReTCNj+ocwZMiKe7rUaRz46ZePlQcbHwRI/kVeYtLPt8WXOcPk4N2jy8WwC7yUHGvqWF2D6E+FcEv8Lh/qF8fE1u5pqczJyk6XQIcVBJttLRG7sX35R/xqJG28/vLBIXEs+0DqN61/486XlR3H/Efstueksiu3f9+Be8+s1E1KFSLpLmYCfmXvWdKgyKUkNBh7pbeiqvi9/El7+Adcbfqw=
+Headers: {Accept=[application/xml], Cache-Control=[no-cache], connection=[keep-alive], Content-Length=[2206], content-type=[application/x-www-form-urlencoded], 
+Host=[localhost:9000], Pragma=[no-cache], User-Agent=[Apache CXF ${project.version}]}
+Payload: name=CXF&amp;id=125&amp;SAMLToken=eJydV1tzqkgQfs+vsDiPWcNFjWIdUzUIGqJgQMTLyxYOI6BclAFBfv0OGo16kt1ztkrL6p6eb77u6e5pf2Ir8Lk2wBjFiReFFVnsUH8zYqPFAAkwbOsZSK2eKLI1jqlxTY5p8P
+VnlqrIGKdIDnFihUmH4hiWrZIPUzPYWrtWa3ONJ2K3oComijGBJSZPDFXJAz/E7eORHSqNw3ZkYQ+3QytAuJ3A9hgowzaxbFtnPuc9Oe5QbpJs2zSdZdlTVnuKYofmGIalZ8pwDF0UWJ+23n8bV70jeYjILuy1k8MWdai7YBh
+ESb38PGmPHscvJS4mwJ69fUK5FWx9dEQvqXM/6RvbnzZujz0ntJI0Rh/k7O8cYWiGp4mNjT3nB3XZi2w5XEVHsWuFUehBy/cKq6SnoMSN7ArwnSj2Ejf41mmWKYGrKIdVyNbDHxR9S+03gW4YxtiqYtdiP7B0tEIxIuGsTHS5
+Q/347xQ6bjNiK8SrKA7wrfhnXFC4R360RXYVn136oPX7gF9E6eUngm05hH6KvT1SyyTdWhDhynuMVl4+9DBJ/Ryf0w7BP7oA+prenXiKhug5CCf/53KuLuYEYlp+il5qDTNiWU3Hz3qxkBCzn0aanw8K7TDvHAlcGx8Vl2s9i
+XcJeUmg046Q1/bNx0AVHltzNp3pb/KwtizS/nZmHNYYvG6A5G44Bj4bw4msaTYCi93Q5NfL1cBgoBvCw9DbS0GPm43UQnzfJW9JfzUs6nQ/nQh7zXb7EltbPTKPXvSeRSuvvu/LIHWEjTJqJfom5qCJn0W7lSxg34LSPlSMOm
+itOLyUDNc2PGWpw169tTb5rHNx54p/6dIAHS7uzRoML1qJdRG6ZVtYkQpM0Isiy93+utsF85EDMlkAjiyNTd0BBlAFZ7NzN16fzxgBaJMeEEGh6EomaXPR1LSBlG1d2O+trf4kXdbewgdFy7Kuc1wcSpnqLwOYi2ugCI5qCkA
+xhKlaXwSqqwj1mWjATBGlTDEA+SXfXkR0Sp3o8pEBigfF0DKVjTKlkAxFkPqAnUhdVxnMZ4I751x/GPCHRSEpCohOa7kiLqaNUNHqmQiOJAi86S77/vphYXSFsLh3SeoBMBLWGsic+YYQl8A+bdabtDl2tVZjxT6L/TGsy7nLv5vbvpMepF3cxQ+D1o6fvY7mM97naaeRSd3nBdS5XrZScWS9woH6vrYbeGwUZiJMA229EqSVvMsMvblPPXeUH1Qjkwozk9+Kh33U3LZoa55vHk1bSLR8V59kSIYr2uttJkuFhQs28ma6VkBPF7zHLitoXU1idgXug
+kwCwFKairjJZHIpD6bOjAUhyvqyPDU2/GTGLN4nPq9NNrxkTtTJeMKPZqxp6AaYlJfyqkuSaICh4/h4yakkVu4e1rRM1OZvD4NoIRNRLeMkaEAs4+MOs03w2NriQVJ3wqW36RcmYzjb8bQPp/l0QAgWrUTmwme3Bxp7dm2+vl
+r1Pv/g1jAT5hpnoKxAOr1pOoFjcliut2qqE89fAyMYDixRmBYWtwXpIhVd7bXVJ6X2Zm16yUB4f3yUunysqtvFQ7jbveZ5bbfkkinX2OmJUIjBgOdYx+HflShQYDPd6dqpOu4z/qI81QR9XS031XR+Mcfpco1gchbLBiqLlR7
+pb1by/fPPPrFHjWdXV0fTdhriLYKEBrKpSomipeQNJGLcocomGERwU8UJfoJRQL2knt0hQhX6HgqTv6LO9fL5gT5xuSPajcKVV55YzkGntvvvUwoM2hiFNoqr+yglUwU+9vUvnSfYtlcC44oaJQIirqFv5qYGT+YmYjQKRzFY
+JaWX39qd4UFqe2Wb1kn7jj1YHnS/dJlc8OfgQiJyO7hcjO8VN8D0vU+fZyVuOE5ItgQk9pWj+K9DYqtZDoljhMshUSahzDsUy9XqjWfqBpMclaA8+UrX9cmwSN4p+orz9Q76K2oXoIR4tUwT9P1KpReTCNj+ocwZMiKe7rUaR
+z46ZePlQcbHwRI/kVeYtLPt8WXOcPk4N2jy8WwC7yUHGvqWF2D6E+FcEv8Lh/qF8fE1u5pqczJyk6XQIcVBJttLRG7sX35R/xqJG28/vLBIXEs+0DqN61/486XlR3H/Efstueksiu3f9+Be8+s1E1KFSLpLmYCfmXvWdKgyKUkNBh7pbeiqvi9/El7+Adcbfqw=
 ]]></script>
 </div></div><p>Note that only form 'name' and 'id' fields will remain after the SAML handler processes a SAML assertion encoded in the SAMLToken form field. The original SAML assertion has been optionally compressed using a deflated encoding and then base64-encoded. This encoded value can be signed - but it is not currently possible.</p><p>Server configuration is similar to the one from the Enveloped SAML Assertions section, the only difference is that a SAML handler needs to be replaced:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[    &lt;bean id=&quot;serviceBean&quot; class=&quot;org.apache.cxf.systest.jaxrs.security.BookStore&quot;/&gt;
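Review bot: The SAMLToken value on the "+" Payload line is now split across many lines inside the CDATA block, so the logged application/x-www-form-urlencoded body no longer reads as one line and the token cannot be base64-decoded if copied as shown; the Headers line has been split before Host= in the same way. Keep both on single lines and handle the width in the page styling, or elide the middle of the token with a marked ellipsis. User-Agent=[Apache CXF ${project.version}] is an unsubstituted build placeholder on both sides of the change and could be fixed in the same pass.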
@@ -340,7 +357,7 @@ Payload: name=CXF&amp;id=125&amp;SAMLTok
 </div></div><p>The client code is the same as in the SAML assertions in Authorization header section except than an instance of SamlFormOutInterceptor has to be registered:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[bean.getOutInterceptors().add(new SamlFormOutInterceptor());
 ]]></script>
-</div></div><h1 id="JAX-RSSAML-CreatingSAMLAssertions">Creating SAML Assertions</h1><p>If you use CXF JAX-RS client API to experiment with SAML then all you need to do is to register an appropriate out interceptor as shown in the above code fragments. The interceptor will ensure that a SAML assertion is created and added inside the XML envelope, as a form or HTTP header value.<br clear="none"> All of the SAML output interceptors depend on a "ws-security.saml-callback-handler" property linking to a custom javax.security.auth.callback.Callback implementation which in its handle(Callbacks) method provides the information which is needed to create a SAML assertion to a org.apache.ws.security.saml.ext.SAMLCallback Callback instance, for example, see this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java">custom implementation</a>.</p><p>More involved 
 cases with SAML assertions being created by identity providers will be supported, with the help of CXF (WS) STSClient when needed.</p><h1 id="JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</h1><p>When SAML assertions are received on the server side, they are validated to make sure that the enveloped signatures are correct. SubjectConfirmation methods (sender-vouches, holder-of-key, bearer) are also checked. <br clear="none"> The validation can be delegated to STS if needed. By default, server side SAML handlers have a "samlValidator" property set to an instance of org.apache.ws.security.validate.SamlAssertionValidator which does a thorough validation of the assertion. If needed org.apache.cxf.ws.security.trust.STSTokenValidator can be set instead which will use STS to validate the assertion.<br clear="none"> Custom validators extending WSS4J SamlAssertionValidator and doing the additional application-specific validation can be registered if needed.</p><p>Note the fact
  that the default validation relies a lot on the code heavily utilized by the WS-Security implementation should be of no concern - it is an example of the integration on its own in order to get the validation done. For example, WS-* STS are heavily used in the enterprise today and it simply makes a complete sense to rely on it to validate a SAML assertion if it is possible.</p><p>SubjectConfirmation sender-vouches and holder-of-key methods can be easily validated with enveloped SAML assertions given that the embedded SAML signatures and key info can be checked against the signature used to sign the envelope or a custom payload like Book.</p><p>At the moment these methods can not be properly validated when the assertion is provided in a header or in the form, the additional signature signing the encoded SAML token will be needed - this will be supported in due time. Use "bearer" in those cases.</p><h1 id="JAX-RSSAML-SAMLAuthorization">SAML Authorization</h1><p>SAML assertions may con
 tain so-called claims which are represented by a sequence of SAML AttributeStatements containing one or more Attributes, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><h1 id="JAX-RSSAML-CreatingSAMLAssertions">Creating SAML Assertions</h1><p>If you use CXF JAX-RS client API to experiment with SAML then all you need to do is to register an appropriate out interceptor as shown in the above code fragments. The interceptor will ensure that a SAML assertion is created and added inside the XML envelope, as a form or HTTP header value.<br clear="none"> All of the SAML output interceptors depend on a "security.saml-callback-handler" property linking to a custom javax.security.auth.callback.Callback implementation which in its handle(Callbacks) method provides the information which is needed to create a SAML assertion to a org.apache.ws.security.saml.ext.SAMLCallback Callback instance, for example, see this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlCallbackHandler.java">custom implementation</a>.</p><p>More involved cas
 es with SAML assertions being created by identity providers will be supported, with the help of CXF (WS) STSClient when needed.</p><h1 id="JAX-RSSAML-SAMLAssertionValidation">SAML Assertion Validation</h1><p>When SAML assertions are received on the server side, they are validated to make sure that the enveloped signatures are correct. SubjectConfirmation methods (sender-vouches, holder-of-key, bearer) are also checked. <br clear="none"> The validation can be delegated to STS if needed. By default, server side SAML handlers have a "samlValidator" property set to an instance of org.apache.ws.security.validate.SamlAssertionValidator which does a thorough validation of the assertion. If needed org.apache.cxf.ws.security.trust.STSTokenValidator can be set instead which will use STS to validate the assertion.<br clear="none"> Custom validators extending WSS4J SamlAssertionValidator and doing the additional application-specific validation can be registered if needed.</p><p>Note the fact th
 at the default validation relies a lot on the code heavily utilized by the WS-Security implementation should be of no concern - it is an example of the integration on its own in order to get the validation done. For example, WS-* STS are heavily used in the enterprise today and it simply makes a complete sense to rely on it to validate a SAML assertion if it is possible.</p><p>SubjectConfirmation sender-vouches and holder-of-key methods can be easily validated with enveloped SAML assertions given that the embedded SAML signatures and key info can be checked against the signature used to sign the envelope or a custom payload like Book.</p><p>At the moment these methods can not be properly validated when the assertion is provided in a header or in the form, the additional signature signing the encoded SAML token will be needed - this will be supported in due time. Use "bearer" in those cases.</p><h1 id="JAX-RSSAML-SAMLAuthorization">SAML Authorization</h1><p>SAML assertions may contai
 n so-called claims which are represented by a sequence of SAML AttributeStatements containing one or more Attributes, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;saml2:Assertion&gt;
  &lt;!-- ... --&gt;
  &lt;saml2:AttributeStatement&gt;
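Review bot: The "Creating SAML Assertions" paragraph was touched only to rename the key to "security.saml-callback-handler", but it still describes the value as a "custom javax.security.auth.callback.Callback implementation which in its handle(Callbacks) method" supplies the assertion data. The handle method belongs to javax.security.auth.callback.CallbackHandler, and both the property name and the linked SamlCallbackHandler class say handler, so the sentence should name CallbackHandler and its handle(Callback[]) method. Since the line is being edited anyway, correct it here.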

Modified: websites/production/cxf/content/docs/jax-rs-xml-security.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-xml-security.html (original)
+++ websites/production/cxf/content/docs/jax-rs-xml-security.html Fri Apr 24 14:46:55 2015
@@ -117,13 +117,13 @@ Apache CXF -- JAX-RS XML Security
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><p></p><p></p><p><span class="inline-first-p" style="font-size:2em;font-weight:bold"> JAX-RS: XML Security </span></p><p></p><p></p><p></p><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1419015873155 {padding: 0px;}
-div.rbtoc1419015873155 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1419015873155 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p>&#160;<span class="inline-first-p" style="font-size:2em;font-weight:bold">JAX-RS: XML Security</span>&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1429886791674 {padding: 0px;}
+div.rbtoc1429886791674 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1429886791674 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1419015873155">
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSXMLSecurity-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-XMLSignature">XML Signature</a>
+/*]]>*/</style></p><div class="toc-macro rbtoc1429886791674">
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSXMLSecurity-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration note</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-XMLSignature">XML Signature</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSXMLSecurity-Envelopedsignatures">Enveloped signatures</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-Envelopingsignatures">Enveloping signatures</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-Detachedsignatures">Detached signatures</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-Customizingthesignature">Customizing the signature</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-SignatureKeyInfoValidation">Signature Key Info Validation</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSXMLSecurity-XMLEncryption">XML Encryption</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSXMLSecurity-Usingtherequestsignaturecertificatesfortheencryption">Using the request signature certificates for the encryption</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-Customizingtheencryption">Customizing the encryption</a></li><li><a shape="rect" href="#JAX-RSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM Algorithm and BouncyCastle provider</a></li></ul>
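Review bot: most of this hunk is generator churn rather than content: the title span is now surrounded by runs of empty `<p>&#160;</p>` paragraphs, and the TOC style class changed from rbtoc1419015873155 to rbtoc1429886791674. Consider removing the empty paragraphs in the wiki source. The only substantive change is the new TOC entry for "Backwards compatibility configuration note", whose anchor should be checked against the heading id added in the next hunk.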
@@ -135,7 +135,7 @@ div.rbtoc1419015873155 li {margin-left:
   &lt;version&gt;2.5.2&lt;/version&gt;
 &lt;/dependency&gt;
 ]]></script>
-</div></div><h1 id="JAX-RSXMLSecurity-XMLSignature">XML Signature</h1><p><a shape="rect" class="external-link" href="http://www.w3.org/TR/xmldsig-core/" rel="nofollow">XML Signature</a> defines 3 types of signatures: enveloped, enveloping and detached. All the three types are supported by CXF JAX-RS.</p><p><strong>New</strong> Starting from CXF 2.5.2 it is also possible to add XML Signatures on the server side and get them validated on the client side.</p><h2 id="JAX-RSXMLSecurity-Envelopedsignatures">Enveloped signatures</h2><p>Payload:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><h1 id="JAX-RSXMLSecurity-Backwardscompatibilityconfigurationnote">Backwards compatibility configuration note</h1><p>From Apache CXF 3.1.0, the WS-Security based configuration tags used to configure XML Signature or Encryption ("ws-security-*") have been changed to just start with "security-". Apart from this they are exactly the same. Older "ws-security-" values continue to be accepted in CXF 3.1.0. To use any of the configuration examples in this page with an older version of CXF, simply add a "ws-" prefix to the configuration tag.</p><h1 id="JAX-RSXMLSecurity-XMLSignature">XML Signature</h1><p><a shape="rect" class="external-link" href="http://www.w3.org/TR/xmldsig-core/" rel="nofollow">XML Signature</a> defines 3 types of signatures: enveloped, enveloping and detached. All the three types are supported by CXF JAX-RS.</p><p><strong>New</strong> Starting from CXF 2.5.2 it is also possible to add XML Signatures on the server side and get them validated on the client sid
 e.</p><h2 id="JAX-RSXMLSecurity-Envelopedsignatures">Enveloped signatures</h2><p>Payload:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;Book ID=&quot;4bd59819-7b78-47a5-bb61-cc08348e9d48&quot;&gt;
    &lt;id&gt;126&lt;/id&gt;
    &lt;name&gt;CXF&lt;/name&gt;
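Review bot: the new "Backwards compatibility configuration note" writes the tag prefixes as "ws-security-*" and "security-" with a hyphen, but every key renamed on this page uses a dot separator (for example ws-security.callback-handler becomes security.callback-handler). Suggest writing the prefixes as "ws-security." and "security." so a reader can search for them. The note also says the older values continue to be accepted in CXF 3.1.0 without saying which one wins when both the old and new key are present in the same properties map; one sentence on precedence would help anyone migrating configuration in stages.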
@@ -153,10 +153,17 @@ div.rbtoc1419015873155 li {margin-left:
            &lt;ds:DigestValue&gt;eFduzs6Cg1/Wd6jagUmr8vRYxHY=&lt;/ds:DigestValue&gt;
          &lt;/ds:Reference&gt;
       &lt;/ds:SignedInfo&gt;
-&lt;ds:SignatureValue&gt;DLD+wU85G+Q+H/SNoMr1I7tOCAZAjd3lYE84sBGU5tuMtzbwxKOIgg10g2F1SUbpujy1CZZ9BPkQNA+gA1CH4FE3uiBzp3DDSVv6o5l6Q76Ci0XI28ylO7O1OCY+q2nbP0WtERFWOn9f9nniVKbduz6YQHjv6cNLd8pf4+k2U3g=&lt;/ds:SignatureValue&gt;
+&lt;ds:SignatureValue&gt;DLD+wU85G+Q+H/SNoMr1I7tOCAZAjd3lYE84sBGU5tuMtzbwxKOIgg10g2F1SUbpujy1CZZ9BPkQNA+gA1CH4
+FE3uiBzp3DDSVv6o5l6Q76Ci0XI28ylO7O1OCY+q2nbP0WtERFWOn9f9nniVKbduz6YQHjv6cNLd8pf4+k2U3g=&lt;/ds:SignatureValue&gt;
 
        &lt;ds:KeyInfo&gt;
-         &lt;ds:X509Data&gt;&lt;ds:X509Certificate&gt;MIICGjCCAYOgAwIBAgIESVRgATANBgkqhkiG9w0BAQUFADAzMRMwEQYDVQQKEwphcGFjaGUub3JnMQwwCgYDVQQLEwNlbmcxDjAMBgNVBAMTBWN4ZmNhMB4XDTcwMDEwMTAwMDAwMFoXDTM4MDExOTAzMTQwN1owMzETMBEGA1UEChMKYXBhY2hlLm9yZzEMMAoGA1UECxMDZW5nMQ4wDAYDVQQDEwVhbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzsCAwEAAaM7MDkwIQYDVR0SBBowGIIWTk9UX0ZPUl9QUk9EVUNUSU9OX1VTRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQEFBQADgYEAhLwkm+8psKt4gnbikGzV0TgpSWGcWxWKBi+z8tI2n6hFA5v1jVHHa4G9h3s0nxQ2TewzeR/k7gmgV2sI483NgrYHmTmLKaDBWza2pAuZuDhQH8GAEhJakFtKBP++EC9rNNpZnqqHxx3qb2tW25qRtBzDmK921gg9PMomMc7uqRQ=&lt;/ds:X509Certificate&gt;
+         &lt;ds:X509Data&gt;&lt;ds:X509Certificate&gt;MIICGjCCAYOgAwIBAgIESVRgATANBgkqhkiG9w0BAQUFADAzMRMwEQYDVQQKEwphcGFjaGUub3JnMQwwCgYDVQQL
+EwNlbmcxDjAMBgNVBAMTBWN4ZmNhMB4XDTcwMDEwMTAwMDAwMFoXDTM4MDExOTAzMTQwN1owMzETMBEGA1UEChMKYXBhY2hlLm9yZzEMMAoGA1UECxMDZW5nMQ4wDAYDVQ
+QDEwVhbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVt
+BWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzsCAwEAAaM7MDkwIQYDVR0SBBowGIIWTk9UX0ZPUl
+9QUk9EVUNUSU9OX1VTRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZI
+hvcNAQEFBQADgYEAhLwkm+8psKt4gnbikGzV0TgpSWGcWxWKBi+z8tI2n6hFA5v1jVHHa4G9h3s0nxQ2TewzeR/k7gmgV2sI483NgrYHmTmLKaDBWza2pAuZuDhQH8GAEh
+JakFtKBP++EC9rNNpZnqqHxx3qb2tW25qRtBzDmK921gg9PMomMc7uqRQ=&lt;/ds:X509Certificate&gt;
         &lt;/ds:X509Data&gt;
 
         &lt;ds:KeyValue&gt;
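Review bot: the re-wrapped ds:SignatureValue and ds:X509Certificate content breaks at uneven widths (the certificate line ending in "DQYJKoZI" is much shorter than its neighbours) and the continuation lines start at column 0 inside an otherwise indented example. Whitespace inside base64 content is ignored on decode, so the sample stays valid, but a consistent wrap width and a short remark that the line breaks are only for display would spare readers who compare this against what they see on the wire.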
@@ -194,9 +201,9 @@ div.rbtoc1419015873155 li {margin-left:
     &lt;/jaxrs:outInterceptors&gt;
 
     &lt;jaxrs:properties&gt;
-          &lt;entry key=&quot;ws-security.callback-handler&quot; 
+          &lt;entry key=&quot;security.callback-handler&quot; 
                   value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-          &lt;entry key=&quot;ws-security.signature.properties&quot; 
+          &lt;entry key=&quot;security.signature.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
     &lt;/jaxrs:properties&gt;
 &lt;/jaxrs:server&gt;
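Review bot: the jaxrs:properties block here sets security.callback-handler and security.signature.properties but no security.signature.username, while the Java equivalent in the next hunk sets security.signature.username to "alice". Either add the entry to the XML variant or state that the alias is taken from alice.properties, so the two examples are visibly equivalent. It would also help to say that the callback handler value, a class under org.apache.cxf.systest, is a sample that deployments are expected to replace with their own handler.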
@@ -209,10 +216,10 @@ bean.setAddress(address);
 
 // setup properties
 Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();
-properties.put(&quot;ws-security.callback-handler&quot;, 
+properties.put(&quot;security.callback-handler&quot;, 
                &quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;);
-properties.put(&quot;ws-security.signature.username&quot;, &quot;alice&quot;);
-properties.put(&quot;ws-security.signature.properties&quot;, 
+properties.put(&quot;security.signature.username&quot;, &quot;alice&quot;);
+properties.put(&quot;security.signature.properties&quot;, 
                &quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;);
 bean.setProperties(properties);
 
@@ -337,7 +344,8 @@ sigInterceptor.setStyle(&quot;detached&q
                &lt;ds:X509Certificate&gt;&lt;!-- Omitted for brevity --&gt;&lt;/ds:X509Certificate&gt;
            &lt;/ds:X509Data&gt;
         &lt;/ds:KeyInfo&gt;
-        &lt;xenc:CipherData&gt;&lt;xenc:CipherValue&gt;tPtZz4pnVWquaV2a7O0y+VrHoeWwk3Eu5Jnu3RHz5rGDB/MLyG6rBamhit03J2xWaV52zUtDAPEj8sr4oy5y2KLB09Hu317IbQjinePabUpd+DLnwNn5iHZpHWJPfndkh07JdYZSrMwqOvJ3fqrNJ+LQeLzZDneT8sC1vRyhSDU=&lt;/xenc:CipherValue&gt;
+        &lt;xenc:CipherData&gt;&lt;xenc:CipherValue&gt;tPtZz4pnVWquaV2a7O0y+VrHoeWwk3Eu5Jnu3RHz5rGDB/MLyG6rBamhit03J2xWaV52zUtDAPEj8sr4oy5y2KLB09Hu317IbQjinePabUpd
++DLnwNn5iHZpHWJPfndkh07JdYZSrMwqOvJ3fqrNJ+LQeLzZDneT8sC1vRyhSDU=&lt;/xenc:CipherValue&gt;
         &lt;/xenc:CipherData&gt;
     &lt;/xenc:EncryptedKey&gt;
   &lt;/ds:KeyInfo&gt;
@@ -360,11 +368,11 @@ sigInterceptor.setStyle(&quot;detached&q
        &lt;ref bean=&quot;xmlSigHandler&quot;/&gt;
     &lt;/jaxrs:providers&gt; 
      &lt;jaxrs:properties&gt;
-           &lt;entry key=&quot;ws-security.callback-handler&quot; 
+           &lt;entry key=&quot;security.callback-handler&quot; 
                   value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-           &lt;entry key=&quot;ws-security.encryption.properties&quot; 
+           &lt;entry key=&quot;security.encryption.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt;
-           &lt;entry key=&quot;ws-security.signature.properties&quot; 
+           &lt;entry key=&quot;security.signature.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;       
      &lt;/jaxrs:properties&gt; 
 &lt;/jaxrs:server&gt;
@@ -378,15 +386,15 @@ bean.setAddress(address);
 // setup properties
 Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();
 
-properties.put(&quot;ws-security.callback-handler&quot;, 
+properties.put(&quot;security.callback-handler&quot;, 
                &quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;);
-properties.put(&quot;ws-security.encryption.username&quot;, &quot;bob&quot;);
-properties.put(&quot;ws-security.encryption.properties&quot;, 
+properties.put(&quot;security.encryption.username&quot;, &quot;bob&quot;);
+properties.put(&quot;security.encryption.properties&quot;, 
                        &quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;);
 
 // if signature required: 
-properties.put(&quot;ws-security.signature.username&quot;, &quot;alice&quot;);
-properties.put(&quot;ws-security.signature.properties&quot;, 
+properties.put(&quot;security.signature.username&quot;, &quot;alice&quot;);
+properties.put(&quot;security.signature.properties&quot;, 
                &quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;);
 
 bean.setProperties(properties);
@@ -430,11 +438,11 @@ assertEquals(200, r.getStatus());
         &lt;ref bean=&quot;xmlEncOutHandler&quot;/&gt;
      &lt;/jaxrs:outInterceptors&gt;
      &lt;jaxrs:properties&gt;
-         &lt;entry key=&quot;ws-security.callback-handler&quot; 
+         &lt;entry key=&quot;security.callback-handler&quot; 
                   value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.properties&quot; 
+         &lt;entry key=&quot;security.encryption.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
-         &lt;entry key=&quot;ws-security.signature.properties&quot; 
+         &lt;entry key=&quot;security.signature.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt;
  
     &lt;/jaxrs:properties&gt; 
@@ -451,30 +459,30 @@ bean.getInInterceptors().add(sigInInterc
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;!-- server --&gt;
 &lt;jaxrs:server&gt;
 &lt;jaxrs:properties&gt;
-         &lt;entry key=&quot;ws-security.callback-handler&quot; 
+         &lt;entry key=&quot;security.callback-handler&quot; 
                   value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.properties&quot; 
+         &lt;entry key=&quot;security.encryption.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.username&quot; value=&quot;useReqSigCert&quot;/&gt;
-         &lt;entry key=&quot;ws-security.signature.properties&quot; 
+         &lt;entry key=&quot;security.encryption.username&quot; value=&quot;useReqSigCert&quot;/&gt;
+         &lt;entry key=&quot;security.signature.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt;
  
     &lt;/jaxrs:properties&gt;
 &lt;/jaxrs:server&gt;
 &lt;jaxrs:client&gt;
     &lt;jaxrs:properties&gt;
-         &lt;entry key=&quot;ws-security.callback-handler&quot; 
+         &lt;entry key=&quot;security.callback-handler&quot; 
                   value=&quot;org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.properties&quot; 
+         &lt;entry key=&quot;security.encryption.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/bob.properties&quot;/&gt;
-         &lt;entry key=&quot;ws-security.encryption.username&quot; value=&quot;bob&quot;/&gt;
-         &lt;entry key=&quot;ws-security.signature.properties&quot; 
+         &lt;entry key=&quot;security.encryption.username&quot; value=&quot;bob&quot;/&gt;
+         &lt;entry key=&quot;security.signature.properties&quot; 
                   value=&quot;org/apache/cxf/systest/jaxrs/security/alice.properties&quot;/&gt;
-         &lt;entry key=&quot;ws-security.signature.username&quot; value=&quot;alice&quot;/&gt;
+         &lt;entry key=&quot;security.signature.username&quot; value=&quot;alice&quot;/&gt;
     &lt;/jaxrs:properties&gt;
 &lt;/jaxrs:client&gt;
 ]]></script>
-</div></div><p>The "ws-security.encryption.username" server property is set to "useReqSigCert".</p><p>Note that the client configuration assumes Alice (with its alice.properties) represents a given client, Bob (with its bob.properties) - the receiver/server.</p><p>On the server side the encryption properties point to alice.properties and signature.properties to bob.properties. This is because the outbound signature needs to be done with the Bob's certificate and the encryption - with either the specific Alice's certificate or the certificate from the inbound signature. Note that the in encryption handler will check the signature properties first - this will ensure that the Bob's certificate used to encrypt the data on the client side can be validated, similarly for the in signature handler.</p><h2 id="JAX-RSXMLSecurity-Customizingtheencryption">Customizing the encryption</h2><p>org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages the encryption process.<br clear="none"> The f
 ollowing properties can be set on it at the moment:<br clear="none"> "symmetricEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#aes256-cbc", complete URIs or short identifiers are supported, for example, "aes128-cbc" or "http://www.w3.org/2001/04/xmlenc#aes256-cbc". <br clear="none"> "digestAlgorithm": optional, example "http://www.w3.org/2001/04/xmlenc#sha256" can be set.<br clear="none"> "keyEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"<br clear="none"> "keyIdentifierType": default is "X509_KEY", "X509_ISSUER_SERIAL" is also supported - useful when the whole x509Certificate should not be embedded</p><h2 id="JAX-RSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM Algorithm and BouncyCastle provider</h2><p>Please see Colm's <a shape="rect" class="external-link" href="http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html" rel="nofollow">blog</a> for the information about the possible attack against XML Encryption and the GCM algor
 ithm which needs to be used in order to prevent it.</p><h1 id="JAX-RSXMLSecurity-Restrictingencryptionandsignaturealgorithms">Restricting encryption and signature algorithms</h1><p><strong>From CXF 2.6.1 and 2.5.4:</strong></p><p>It is possible to configure the in encryption and signature handlers with the properties restricting the encryption and signature algorithms that clients can use, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The "security.encryption.username" server property is set to "useReqSigCert".</p><p>Note that the client configuration assumes Alice (with its alice.properties) represents a given client, Bob (with its bob.properties) - the receiver/server.</p><p>On the server side the encryption properties point to alice.properties and signature.properties to bob.properties. This is because the outbound signature needs to be done with the Bob's certificate and the encryption - with either the specific Alice's certificate or the certificate from the inbound signature. Note that the in encryption handler will check the signature properties first - this will ensure that the Bob's certificate used to encrypt the data on the client side can be validated, similarly for the in signature handler.</p><h2 id="JAX-RSXMLSecurity-Customizingtheencryption">Customizing the encryption</h2><p>org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages the encryption process.<br clear="none"> The foll
 owing properties can be set on it at the moment:<br clear="none"> "symmetricEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#aes256-cbc", complete URIs or short identifiers are supported, for example, "aes128-cbc" or "http://www.w3.org/2001/04/xmlenc#aes256-cbc". <br clear="none"> "digestAlgorithm": optional, example "http://www.w3.org/2001/04/xmlenc#sha256" can be set.<br clear="none"> "keyEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"<br clear="none"> "keyIdentifierType": default is "X509_KEY", "X509_ISSUER_SERIAL" is also supported - useful when the whole x509Certificate should not be embedded</p><h2 id="JAX-RSXMLSecurity-GCMAlgorithmandBouncyCastleprovider">GCM Algorithm and BouncyCastle provider</h2><p>Please see Colm's <a shape="rect" class="external-link" href="http://coheigea.blogspot.com/2012/04/note-on-cve-2011-1096.html" rel="nofollow">blog</a> for the information about the possible attack against XML Encryption and the GCM algorith
 m which needs to be used in order to prevent it.</p><h1 id="JAX-RSXMLSecurity-Restrictingencryptionandsignaturealgorithms">Restricting encryption and signature algorithms</h1><p><strong>From CXF 2.6.1 and 2.5.4:</strong></p><p>It is possible to configure the in encryption and signature handlers with the properties restricting the encryption and signature algorithms that clients can use, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[    &lt;bean id=&quot;sigProps&quot; class=&quot;org.apache.cxf.rs.security.xml.SignatureProperties&quot;&gt;
        &lt;property name=&quot;signatureAlgo&quot; 
                  value=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;
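Review bot: the rewritten paragraph still documents the symmetricEncAlgorithm default as "http://www.w3.org/2001/04/xmlenc#aes256-cbc", and the very next section says a GCM algorithm needs to be used to prevent the attack against XML Encryption. Since this line is being touched for the key rename anyway, suggest stating next to the default that it is a CBC mode covered by that advice and pointing to the GCM section from there. Similarly, the "Restricting encryption and signature algorithms" example in the trailing context restricts signatureAlgo to rsa-sha1; a stronger algorithm would make a better model for an example about restricting what clients may use.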