Posted to commits@cxf.apache.org by bu...@apache.org on 2019/09/03 14:56:43 UTC

svn commit: r1049569 - in /websites/production/cxf/content: cache/docs.pageCache docs/securing-cxf-services.html

Author: buildbot
Date: Tue Sep  3 14:56:43 2019
New Revision: 1049569

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/securing-cxf-services.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/securing-cxf-services.html
==============================================================================
--- websites/production/cxf/content/docs/securing-cxf-services.html (original)
+++ websites/production/cxf/content/docs/securing-cxf-services.html Tue Sep  3 14:56:43 2019
@@ -117,11 +117,11 @@ Apache CXF -- Securing CXF Services
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1553860571112 {padding: 0px;}
-div.rbtoc1553860571112 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1553860571112 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1567522564627 {padding: 0px;}
+div.rbtoc1567522564627 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1567522564627 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1553860571112">
+/*]]>*/</style></p><div class="toc-macro rbtoc1567522564627">
 <ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-Securetransports">Secure transports</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-HTTPS">HTTPS</a></li></ul>
 </li><li><a shape="rect" href="#SecuringCXFServices-SecuringJAX-WSservices">Securing JAX-WS services</a>
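Review bot: the only change in this hunk is the generated class name rbtoc1553860571112 becoming rbtoc1567522564627 in the three CSS rules and the toc-macro div, and the suffix looks like a build timestamp, so these lines will churn on each export even when the table of contents is unchanged. If the export can emit a stable class name for the TOC macro, diffs of this page would show only real documentation changes, which matters for a security guide where reviewers need to spot edits quickly.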
@@ -135,7 +135,7 @@ div.rbtoc1553860571112 li {margin-left:
 </li><li><a shape="rect" href="#SecuringCXFServices-Authorization">Authorization</a></li><li><a shape="rect" href="#SecuringCXFServices-ControllingLargeRequestPayloads">Controlling Large Request Payloads</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#SecuringCXFServices-XML">XML</a></li><li><a shape="rect" href="#SecuringCXFServices-XML-CXFversionspriorto2.7.4">XML - CXF versions prior to 2.7.4</a></li><li><a shape="rect" href="#SecuringCXFServices-Multiparts">Multiparts</a></li></ul>
 </li><li><a shape="rect" href="#SecuringCXFServices-Largedatastreamcaching">Large data stream caching</a></li></ul>
-</div><h1 id="SecuringCXFServices-Securetransports">Secure transports</h1><h2 id="SecuringCXFServices-HTTPS">HTTPS</h2><p>Please see the <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html">Configuring SSL Support</a> page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-WSservices">Securing JAX-WS services</h1><h2 id="SecuringCXFServices-WS-Security">WS-Security</h2><p>CXF supports WS-Security via the Apache WSS4J project. WSS4J provides an implementation of the following WS-Security standards:</p><ul><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SOAPMessageSecurity.pdf" rel="nofollow"> SOAP Message Security 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf" rel="nofollow">Username Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org
 /wss/v1.1/wss-v1.1-spec-os-x509TokenProfile.pdf" rel="nofollow">X.509 Certificate Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SAMLTokenProfile.pdf" rel="nofollow">SAML Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-KerberosTokenProfile.pdf" rel="nofollow">Kerberos Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SwAProfile.pdf" rel="nofollow">SOAP Messages with Attachments Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html" rel="nofollow">Basic Security Profile 1.1</a></li></ul><p>Please see the <a shape="rect" href="ws-security.html">WS-Security</a> page for more information.</p><h2 id="SecuringCXFServices-WS-SecurityPolicy">WS-SecurityPolicy</h2><p>CXF fully supports WS
 -SecurityPolicy, which allows you to configure WS-Security requirements for an endpoint using a WS-Policy annotation. This is the recommended way of configuring WS-Security. Policies can be added in a WSDL or else referenced via an annotation in code.</p><p>The WS-SecurityPolicy layer and the XML-Security layer in Apache CXF share a common set of security configuration tags from CXF 3.1.0. The <a shape="rect" href="security-configuration.html">Security Configuration</a> page details these tags and values. There are also some addition configuration tags, that are only used for when security is configured via WS-SecurityPolicy, see the following <a shape="rect" href="ws-securitypolicy.html">page</a> for more information.</p><h2 id="SecuringCXFServices-WS-SecureConversation">WS-SecureConversation</h2><p>CXF fully supports WS-SecureConveration, see the following <a shape="rect" href="ws-secureconversation.html">page</a> for more information.</p><h2 id="SecuringCXFServices-WS-Trust,STS">
 WS-Trust, STS</h2><p>CXF ships with a advanced SecurityTokenService (STS) implementation that can be used to issue (SAML) tokens for authentication. CXF also supports communicating with the STS using the WS-Trust specification. SSO is supported by caching the tokens on the client side. Please see the <a shape="rect" href="ws-trust.html">WS-Trust</a> page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-RSservices">Securing JAX-RS services</h1><h2 id="SecuringCXFServices-JAX-RSXMLSecurity">JAX-RS XML Security</h2><p>It is possible to secure XML based JAX-RS requests (and responses) using XML Signature and Encryption. See the <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a> page for more information.</p><h2 id="SecuringCXFServices-JAX-RSSAML">JAX-RS SAML</h2><p>See the <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a> page on creating SAML Assertions and adding them to a JAX-RS request, as well as how to validate them on the receiving side.
 </p><h2 id="SecuringCXFServices-JAX-RSJOSE">JAX-RS JOSE</h2><p>See the <a shape="rect" href="jax-rs-jose.html">JAX-RS JOSE</a> page on support for the JWA, JWK, JWS, JWE and JWT specifications.</p><h2 id="SecuringCXFServices-HTTPSignature">HTTP Signature</h2><p>See the <a shape="rect" href="jax-rs-http-signature.html">JAX-RS HTTP Signature</a> page on support for the HTTP Signature specification.</p><h1 id="SecuringCXFServices-SSO">SSO</h1><h2 id="SecuringCXFServices-SAMLWebSSO">SAML Web SSO</h2><p>Please see <a shape="rect" class="external-link" href="http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html" rel="nofollow">this blog entry</a> announcing the support for SAML Web SSO profile and the <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO">SAML Web SSO</a> page for more information. CXF fully supports the SAML Web SSO profile on the service provider side. As of yet however, no IdP is available in CXF.</p><h2 id="S
 ecuringCXFServices-WS-Federation">WS-Federation</h2><p>Apache CXF <a shape="rect" href="../fediz.html">Fediz</a> is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is <a shape="rect" class="external-link" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002" rel="nofollow">WS-Federation Passive Requestor Profile</a>. Fediz supports <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Claims-based_identity" rel="nofollow">Claims Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h1 id="SecuringCXFServices-OAuth">OAuth</h1><p>Please check <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html">OAuth2.0</a> and <a shape="rect" href="http
 ://cxf.apache.org/docs/jax-rs-oauth.html">OAuth1.0</a> pages for the information about the support for OAuth 2.0 and OAuth 1.0 in CXF.</p><h1 id="SecuringCXFServices-Authentication">Authentication</h1><h2 id="SecuringCXFServices-JAASLoginInterceptor">JAASLoginInterceptor</h2><p>Container or Spring Security managed authentication as well as the custom authentication are all the viable options used by CXF developers.</p><p>Starting from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor in order to authenticate a current user and populate a CXF SecurityContext.</p><p>Example :</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h1 id="SecuringCXFServices-Securetransports">Secure transports</h1><h2 id="SecuringCXFServices-HTTPS">HTTPS</h2><p>Please see the <a shape="rect" href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html">Configuring SSL Support</a> page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-WSservices">Securing JAX-WS services</h1><h2 id="SecuringCXFServices-WS-Security">WS-Security</h2><p>CXF supports WS-Security via the Apache WSS4J project. WSS4J provides an implementation of the following WS-Security standards:</p><ul><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SOAPMessageSecurity.pdf" rel="nofollow"> SOAP Message Security 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf" rel="nofollow">Username Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org
 /wss/v1.1/wss-v1.1-spec-os-x509TokenProfile.pdf" rel="nofollow">X.509 Certificate Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SAMLTokenProfile.pdf" rel="nofollow">SAML Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-KerberosTokenProfile.pdf" rel="nofollow">Kerberos Token Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SwAProfile.pdf" rel="nofollow">SOAP Messages with Attachments Profile 1.1</a></li><li><a shape="rect" class="external-link" href="http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html" rel="nofollow">Basic Security Profile 1.1</a></li></ul><p>Please see the <a shape="rect" href="ws-security.html">WS-Security</a> page for more information.</p><h2 id="SecuringCXFServices-WS-SecurityPolicy">WS-SecurityPolicy</h2><p>CXF fully supports WS
 -SecurityPolicy, which allows you to configure WS-Security requirements for an endpoint using a WS-Policy annotation. This is the recommended way of configuring WS-Security. Policies can be added in a WSDL or else referenced via an annotation in code.</p><p>The WS-SecurityPolicy layer and the XML-Security layer in Apache CXF share a common set of security configuration tags from CXF 3.1.0. The <a shape="rect" href="security-configuration.html">Security Configuration</a> page details these tags and values. There are also some addition configuration tags, that are only used for when security is configured via WS-SecurityPolicy, see the following <a shape="rect" href="ws-securitypolicy.html">page</a> for more information.</p><h2 id="SecuringCXFServices-WS-SecureConversation">WS-SecureConversation</h2><p>CXF fully supports WS-SecureConveration, see the following <a shape="rect" href="ws-secureconversation.html">page</a> for more information.</p><h2 id="SecuringCXFServices-WS-Trust,STS">
 WS-Trust, STS</h2><p>CXF ships with a advanced SecurityTokenService (STS) implementation that can be used to issue (SAML) tokens for authentication. CXF also supports communicating with the STS using the WS-Trust specification. SSO is supported by caching the tokens on the client side. Please see the <a shape="rect" href="ws-trust.html">WS-Trust</a> page for more information.</p><h1 id="SecuringCXFServices-SecuringJAX-RSservices">Securing JAX-RS services</h1><h2 id="SecuringCXFServices-JAX-RSXMLSecurity">JAX-RS XML Security</h2><p>It is possible to secure XML based JAX-RS requests (and responses) using XML Signature and Encryption. See the <a shape="rect" href="jax-rs-xml-security.html">JAX-RS XML Security</a> page for more information.</p><h2 id="SecuringCXFServices-JAX-RSSAML">JAX-RS SAML</h2><p>See the <a shape="rect" href="jax-rs-saml.html">JAX-RS SAML</a> page on creating SAML Assertions and adding them to a JAX-RS request, as well as how to validate them on the receiving side.
 </p><h2 id="SecuringCXFServices-JAX-RSJOSE">JAX-RS JOSE</h2><p>See the <a shape="rect" href="jax-rs-jose.html">JAX-RS JOSE</a> page on support for the JWA, JWK, JWS, JWE and JWT specifications.</p><h2 id="SecuringCXFServices-HTTPSignature">HTTP Signature</h2><p>See the <a shape="rect" href="jax-rs-http-signature.html">JAX-RS HTTP Signature</a> page on support for the HTTP Signature specification.</p><h1 id="SecuringCXFServices-SSO">SSO</h1><h2 id="SecuringCXFServices-SAMLWebSSO">SAML Web SSO</h2><p>Please see <a shape="rect" class="external-link" href="http://coheigea.blogspot.ie/2012/06/saml-web-sso-profile-support-in-apache.html" rel="nofollow">this blog entry</a> announcing the support for SAML Web SSO profile and the <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/SAML+Web+SSO">SAML Web SSO</a> page for more information. CXF fully supports the SAML Web SSO profile on the service provider side. As of yet however, no IdP is available in CXF.</p><h2 id="S
 ecuringCXFServices-WS-Federation">WS-Federation</h2><p>Apache CXF <a shape="rect" href="../fediz.html">Fediz</a> is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is <a shape="rect" class="external-link" rel="nofollow" href="http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002">WS-Federation Passive Requestor Profile</a>. Fediz supports <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Claims-based_identity" rel="nofollow">Claims Based Access Control</a> beyond Role Based Access Control (RBAC).</p><h1 id="SecuringCXFServices-OAuth">OAuth</h1><p>Please check <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html">OAuth2.0</a> and <a shape="rect" href="http
 ://cxf.apache.org/docs/jax-rs-oauth.html">OAuth1.0</a> pages for the information about the support for OAuth 2.0 and OAuth 1.0 in CXF.</p><h1 id="SecuringCXFServices-Authentication">Authentication</h1><h2 id="SecuringCXFServices-JAASLoginInterceptor">JAASLoginInterceptor</h2><p>Container or Spring Security managed authentication as well as the custom authentication are all the viable options used by CXF developers.</p><p>Starting from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor in order to authenticate a current user and populate a CXF SecurityContext.</p><p>Example :</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default">&lt;jaxws:endpoint address="/soapService"&gt;
  &lt;jaxws:inInterceptors&gt;
    &lt;ref bean="authenticationInterceptor"/&gt;
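Review bot: in this single-line replacement the only difference I can find is in the WS-Federation Passive Requestor Profile link, where rel="nofollow" now precedes href; that is attribute reordering from the export, not a content change, yet it forces a re-read of every section from Secure transports through JAASLoginInterceptor. Since the line is regenerated anyway, the source page should fix the carried-over typos: "WS-SecureConveration" should be "WS-SecureConversation", "a advanced SecurityTokenService" should be "an advanced", and "some addition configuration tags" should be "some additional configuration tags".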
@@ -220,7 +220,7 @@ div.rbtoc1553860571112 li {margin-left:
 &lt;jaxrs:server&gt;
 
 </pre>
-</div></div><p>When one of the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413.</p><p>The following system properties can also be set up for JAX-WS endpoints: "org.apache.cxf.staxutils.innerElementCountThreshold" and "org.apache.cxf.staxutils.innerElementLevelThreshold".</p><p>Please check this <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+Data+Bindings#JAX-RSDataBindings-ControllingLargeJAXBXMLandJSONinputpayloads">section</a> for the additional information on how JAX-RS JAXB-based providers can be configured.</p><h2 id="SecuringCXFServices-Multiparts">Multiparts</h2><p>It's possible to control various properties associated with caching large attachments via the following per-endpoint contextual properties:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>
 Property Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Value</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attachment-memory-threshold</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The threshold value in bytes to switch from memory to file caching. The default value is 1024K.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attachment-max-size</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The data size in bytes to limit the maximum data size to be cached. Since CXF 3.0.16, 3.1.14, 3.2.1.</p><p>No max size is set by default. When the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attachment-directory</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The directory name for storing the temporary files. None is specified by default.</p></td></tr><tr><td colspan="1
 " rowspan="1" class="confluenceTd"><p>attachment-max-header-size</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The maximum MIME Header Length. The default is 300. This value can also be set by the system property "org.apache.cxf.attachment-max-header-size".</p></td></tr></tbody></table></div><p>If no per-endpoint contextual properties are specified, then CXF checks any values that are set for the corresponding System properties listed below for large data stream caching and re-uses them for caching attachments.</p><h1 id="SecuringCXFServices-Largedatastreamcaching">Large data stream caching</h1><p>A large stream based message or data will be cached in a temporary file, which is written in the system's temporary directory. You can change this behavior and other properties of the caching feature by explicitly setting the following properties.</p><p>To change the default behavior for the entire system, you can set the following system properties.</p><div class="table-wrap
 "><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Property Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Value</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.Threshold</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The threshold value in bytes to switch from memory to file caching. The default value is 128K for CachedOutputStream and 64K for CachedWriter.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.MaxSize</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The data size in bytes to limit the maximum data size to be cached. No max size is set by default.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.OutputDirectory</p></td><td colspan="1" rowspan="1" class
 ="confluenceTd"><p>The directory name for storing the temporary files. None is specified by default. If specified, the directory must already exist.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.CipherTransformation</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The cipher transformation name for encrypting the cached content. None is specified by default.</p></td></tr></tbody></table></div><p>To change the default behavior for a specific bus, you can set the corresponding bus.io.CachedOutputStream properties (e.g., bus.io.CachedOutputStream.Threshold for org.apache.cxf.io.CachedOutputStream.Threshold).</p><p>The encryption option, which is available from CXF 2.6.4 and 2.7.1, uses a symmetric encryption using a generated key and it can be used to protect the cached content from unauthorized access. To enable encryption, the CipherTransformation property can be set to the name of an appropriate stream or 8-bit b
 lock cipher transformation (e.g., RC4, AES/CTR/NoPadding, etc) that is supported by the environment. However, it is noted that enabling the encryption will result in an increased processing time and it is therefore recommended only in specific use cases where other means to protect the cached content is unavailable.</p></div>
+</div></div><p>When one of the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413.</p><p>The following system properties can also be set up for JAX-WS endpoints: "org.apache.cxf.staxutils.innerElementCountThreshold" and "org.apache.cxf.staxutils.innerElementLevelThreshold".</p><p>Please check this <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+Data+Bindings#JAX-RSDataBindings-ControllingLargeJAXBXMLandJSONinputpayloads">section</a> for the additional information on how JAX-RS JAXB-based providers can be configured.</p><h2 id="SecuringCXFServices-Multiparts">Multiparts</h2><p>It's possible to control various properties associated with caching large attachments via the following per-endpoint contextual properties:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>
 Property Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Value</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attachment-memory-threshold</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The threshold value in bytes to switch from memory to file caching. The default value is 1024K.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attachment-max-size</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The data size in bytes to limit the maximum data size to be cached. Since CXF 3.0.16, 3.1.14, 3.2.1.</p><p>No max size is set by default. When the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>attachment-directory</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The directory name for storing the temporary files. None is specified by default.</p></td></tr><tr><td colspan="1
 " rowspan="1" class="confluenceTd"><p>attachment-max-header-size</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The maximum MIME Header Length. The default is 300. This value can also be set by the system property "org.apache.cxf.attachment-max-header-size".</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">attachment-max-count</td><td colspan="1" rowspan="1" class="confluenceTd"><strong>CXF 3.3.4 3.2.11</strong> The maximum number of attachments permitted in a message. The default is 50.</td></tr></tbody></table></div><p>If no per-endpoint contextual properties are specified, then CXF checks any values that are set for the corresponding System properties listed below for large data stream caching and re-uses them for caching attachments.</p><h1 id="SecuringCXFServices-Largedatastreamcaching">Large data stream caching</h1><p>A large stream based message or data will be cached in a temporary file, which is written in the system's temporary directory. You 
 can change this behavior and other properties of the caching feature by explicitly setting the following properties.</p><p>To change the default behavior for the entire system, you can set the following system properties.</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Property Name</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Value</p></th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.Threshold</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The threshold value in bytes to switch from memory to file caching. The default value is 128K for CachedOutputStream and 64K for CachedWriter.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.MaxSize</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The data size i
 n bytes to limit the maximum data size to be cached. No max size is set by default.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.OutputDirectory</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The directory name for storing the temporary files. None is specified by default. If specified, the directory must already exist.</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><p>org.apache.cxf.io.CachedOutputStream.CipherTransformation</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>The cipher transformation name for encrypting the cached content. None is specified by default.</p></td></tr></tbody></table></div><p>To change the default behavior for a specific bus, you can set the corresponding bus.io.CachedOutputStream properties (e.g., bus.io.CachedOutputStream.Threshold for org.apache.cxf.io.CachedOutputStream.Threshold).</p><p>The encryption option, which is available from CXF 2.6.4 and
  2.7.1, uses a symmetric encryption using a generated key and it can be used to protect the cached content from unauthorized access. To enable encryption, the CipherTransformation property can be set to the name of an appropriate stream or 8-bit block cipher transformation (e.g., RC4, AES/CTR/NoPadding, etc) that is supported by the environment. However, it is noted that enabling the encryption will result in an increased processing time and it is therefore recommended only in specific use cases where other means to protect the cached content is unavailable.</p></div>
            </div>
            <!-- Content -->
          </td>
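Review bot: the new attachment-max-count row does not say what happens when a message carries more attachments than the limit, while the attachment-max-size row states that JAX-WS consumers receive 500 and JAX-RS/HTTP consumers 413; document the failure behaviour for the count limit as well. The version marker "CXF 3.3.4 3.2.11" has no "Since" and no separator, unlike "Since CXF 3.0.16, 3.1.14, 3.2.1." in the attachment-max-size row, and the new cells are not wrapped in p elements like the other rows. Separately, the unchanged CipherTransformation paragraph still offers RC4 as an example transformation; RC4 is a broken cipher, so the example would be better limited to AES/CTR/NoPadding.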