Secure transports

HTTPS

Please see the Configuring SSL Support page for more information.

Securing JAX-WS services

WS-Security

CXF supports WS-Security via the Apache WSS4J project. WSS4J provides an implementation of the following WS-Security standards:

Please see the WS-Security page for more information.

WS-SecurityPolicy

CXF fully supports WS-SecurityPolicy, which allows you to configure WS-Security requirements for an endpoint using a WS-Policy annotation. This is the recommended way of configuring WS-Security. Policies can be added in a WSDL or else referenced via an annotation in code.

The WS-SecurityPolicy layer and the XML-Security layer in Apache CXF share a common set of security configuration tags from CXF 3.1.0. The Security Configuration page details these tags and values. There are also some addition configuration tags, that are only used for when security is configured via WS-SecurityPolicy, see the following page for more information.

WS-SecureConversation

CXF fully supports WS-SecureConveration, see the following page for more information.

WS-Trust, STS

CXF ships with a advanced SecurityTokenService (STS) implementation that can be used to issue (SAML) tokens for authentication. CXF also supports communicating with the STS using the WS-Trust specification. SSO is supported by caching the tokens on the client side. Please see the WS-Trust page for more information.

Securing JAX-RS services

JAX-RS XML Security

It is possible to secure XML based JAX-RS requests (and responses) using XML Signature and Encryption. See the JAX-RS XML Security page for more information.

JAX-RS SAML

See the JAX-RS SAML page on creating SAML Assertions and adding them to a JAX-RS request, as well as how to validate them on the receiving side.

JAX-RS JOSE

See the JAX-RS JOSE page on support for the JWA, JWK, JWS, JWE and JWT specifications.

HTTP Signature

See the JAX-RS HTTP Signature page on support for the HTTP Signature specification.

SSO

SAML Web SSO

Please see this blog entry announcing the support for SAML Web SSO profile and the SAML Web SSO page for more information. CXF fully supports the SAML Web SSO profile on the service provider side. As of yet however, no IdP is available in CXF.

WS-Federation

Apache CXF Fediz is a subproject of CXF. Fediz helps you to secure your web applications and delegates security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is WS-Federation Passive Requestor Profile. Fediz supports Claims Based Access Control beyond Role Based Access Control (RBAC).

OAuth

Please check OAuth2.0 and OAuth1.0 pages for the information about the support for OAuth 2.0 and OAuth 1.0 in CXF.

Authentication

JAASLoginInterceptor

Container or Spring Security managed authentication as well as the custom authentication are all the viable options used by CXF developers.

Starting from CXF 2.3.2 and 2.4.0 it is possible to use an org.apache.cxf.interceptor.security.JAASLoginInterceptor in order to authenticate a current user and populate a CXF SecurityContext.

Example :

<jaxws:endpoint address="/soapService">
 <jaxws:inInterceptors>
   <ref bean="authenticationInterceptor"/>
 </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
   <property name="contextName" value="jaasContext"/>
   <property name="roleClassifier" value="ROLE_"/>

</bean>
<!--
  Similarly for JAX-RS endpoints.
  Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter
  can be registered as jaxrs:provider instead
-->

The JAAS authenticator is configured with the name of the JAAS login context (the one usually specified in the JAAS configuration resource which the server is aware of). It is also configured with an optional "roleClassifier" property which is needed by the CXF SecurityContext in order to differentiate between user and role Principals. By default CXF will assume that role Principals are represented by javax.security.acl.Group instances.

In some cases objects representing a user principal and roles are implementing the same marker interface such as Principal. That can be handled like this:

<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
   <property name="contextName" value="jaasContext"/>
   <property name="roleClassifier" value="RolePrincipal"/>
   <property name="roleClassifierType" value="classname"/>
</bean>
<!-- Similarly for JAX-RS endpoints -->

In this case JAASLoginInterceptor will know that the roles are represented by a class whose simple name is RolePrincipal. Note that full class names are also supported.

Kerberos

Please see this page for the information about Spnego/Kerberos HTTPConduit client support.

Please check the following blog entries about WS-Security Kerberos support in CXF:

Using Kerberos with Web Services - part 1
Using Kerberos with Web Services - part 2
WS-Trust SPNego support in Apache CXF

Please check the following page about Kerberos support in JAX-RS.

Authorization

Container or Spring Security managed authorization as well as the custom authorization are all the viable options used by CXF developers.

CXF 2.3.2 and 2.4.0 introduce org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor and org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor interceptors which can help with enforcing the authorization rules.

Example :

<jaxws:endpoint id="endpoint1" address="/soapService1">
 <jaxws:inInterceptors>
   <ref bean="authorizationInterceptor"/>
 </jaxws:inInterceptors>
</jaxws:endpoint>

<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
   <property name="methodRolesMap">
      <map>
        <!-- no wildcard support, names need to match exactly -->
        <entry key="addNumbers" value="ROLE_USER ROLE_ADMIN"/>
        <entry key="divideNumbers" value="ROLE_ADMIN"/>
      </map>
   </property>
   <!-- its possible to define global roles that apply to all WSDL operations not listed above -->
   <property name="globalRoles" value="ROLE_ADMIN"/>
</bean>

<jaxws:endpoint id="endpoint2" address="/soapService2" implementor="#secureBean">
 <jaxws:inInterceptors>
   <ref bean="authorizationInterceptor2"/>
 </jaxws:inInterceptors>
</jaxws:endpoint>

<!-- This bean is annotated with secure annotations such as RolesAllowed -->
<bean id="secureBean" class="org.apache.cxf.tests.security.SecureService"/>

<bean id="authorizationInterceptor2" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
   <property name="securedObject" ref="secureBean"/>
</bean>

Controlling Large Request Payloads

XML

Starting with CXF 2.7.4, CXF now requires use of a StAX parser that can provide fine grained control over the size of the incoming XML. The only parser that will currently work is Woodstox 4.2 or newer. The main reason is there are a series of DOS attacks that can only be prevented at the StAX parser level. There is a "org.apache.cxf.stax.allowInsecureParser" System Property that can be set to true to allow using an insecure parser, but that is HIGHLY not recommended and doing so would also now allow the settings described in this section.

CXF has several default settings that will prevent malicious XML from causing various DOS failures. You can override the default values if you know you will have incoming XML that will exceed these limits. These settings can be set as Bus level properties, endpoint level properties, or even per request via an interceptor.

Setting

Default

Description

org.apache.cxf.stax.maxChildElements

50000

Maximum number of child elements for a given parent element

org.apache.cxf.stax.maxElementDepth

100

Maximum depth of an element

org.apache.cxf.stax.maxAttributeCount

500

Maximum number of attributes on a single element

org.apache.cxf.stax.maxAttributeSize

64K

Maximum size of a single attribute

org.apache.cxf.stax.maxTextLength

128M

Maximum size of an elements text value

org.apache.cxf.stax.maxElementCount

Long.MAX_VALUE

Maximum total number of elements in the XML document

org.apache.cxf.stax.maxXMLCharacters

Long.MAX_VALUE

Maximum total number of characters parsed by the parser

XML - CXF versions prior to 2.7.4

Endpoints expecting XML payloads may get DepthRestrictingInterceptor registered and configured in order to control the limits a given XML payload may not exceed. This can be useful in a variety of cases in order to protect against massive payloads which can potentially cause the denial-of-service situation or simply slow the service down a lot.

The complete number of XML elements, the number of immediate children of a given XML element may contain and the stack depth of the payload can be restricted, for example:

<bean id="depthInterceptor" class="org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor">
  <!-- Total number of elements in the XML payload -->
  <property name="elementCountThreshold" value="5000"/>

  <!-- Total number of child elements for XML elements -->
  <property name="innerElementCountThreshold" value="3000"/>

  <!-- Maximum stack depth of the XML payload -->
  <property name="innerElementLevelThreshold" value="20"/>

</bean>

<jaxws:endpoint>
  <jaxws:inInterceptors>
   <ref bean="depthInterceptor"/>
 </jaxws:inInterceptors>
<jaxws:endpoint>

<jaxrs:server>
  <jaxrs:inInterceptors>
   <ref bean="depthInterceptor"/>
 </jaxrs:inInterceptors>
<jaxrs:server>

When one of the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413.

The following system properties can also be set up for JAX-WS endpoints: "org.apache.cxf.staxutils.innerElementCountThreshold" and "org.apache.cxf.staxutils.innerElementLevelThreshold".

Please check this section for the additional information on how JAX-RS JAXB-based providers can be configured.

Multiparts

It's possible to control various properties associated with caching large attachments via the following per-endpoint contextual properties:

Property Name

Value

attachment-memory-threshold

The threshold value in bytes to switch from memory to file caching. The default value is 1024K.

attachment-max-size

The data size in bytes to limit the maximum data size to be cached. Since CXF 3.0.16, 3.1.14, 3.2.1.

No max size is set by default. When the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413.

attachment-directory

The directory name for storing the temporary files. None is specified by default.

attachment-max-header-size

The maximum MIME Header Length. The default is 300. This value can also be set by the system property "org.apache.cxf.attachment-max-header-size".

attachment-max-countCXF 3.3.4 3.2.11 The maximum number of attachments permitted in a message. The default is 50.

If no per-endpoint contextual properties are specified, then CXF checks any values that are set for the corresponding System properties listed below for large data stream caching and re-uses them for caching attachments.

Large data stream caching

A large stream based message or data will be cached in a temporary file, which is written in the system's temporary directory. You can change this behavior and other properties of the caching feature by explicitly setting the following properties.

To change the default behavior for the entire system, you can set the following system properties.

Property Name

Value

org.apache.cxf.io.CachedOutputStream.Threshold

The threshold value in bytes to switch from memory to file caching. The default value is 128K for CachedOutputStream and 64K for CachedWriter.

org.apache.cxf.io.CachedOutputStream.MaxSize

The data size in bytes to limit the maximum data size to be cached. No max size is set by default.

org.apache.cxf.io.CachedOutputStream.OutputDirectory

The directory name for storing the temporary files. None is specified by default. If specified, the directory must already exist.

org.apache.cxf.io.CachedOutputStream.CipherTransformation

The cipher transformation name for encrypting the cached content. None is specified by default.

To change the default behavior for a specific bus, you can set the corresponding bus.io.CachedOutputStream properties:

Bus Property Name

Value

bus.io.CachedOutputStream.Threshold

The threshold value in bytes to switch from memory to file caching. The default value is 128K for CachedOutputStream and 64K for CachedWriter (corresponds org.apache.cxf.io.CachedOutputStream.Threshold system property).

bus.io.CachedOutputStreamCleaner.Delay

The delay (in ms) for cleaning up unclosed CachedOutputStream instances. 30 minutes is specified by default, the minimum value is 2 seconds. If the value of the delay is set to 0 (or is negative), the cleaner will be deactivated.

bus.io.CachedOutputStreamCleaner.CleanOnShutdownForces cleaning of the unclosed CachedOutputStream instances on Bus shutdown. The default value is "true", if the cleaner is deactivated or the value is set to "false", no cleanup attempt on shutdown will be performed.

In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients). The CachedOutputStreamCleaner bus extension could be used to provide the custom cleaning mechanism for such dangling streams (by default, the extension is implemented by DelayedCachedOutputStreamCleaner and run periodic cleanup set by bus.io.CachedOutputStreamCleaner.Delay bus property).

The encryption option, which is available from CXF 2.6.4 and 2.7.1, uses a symmetric encryption using a generated key and it can be used to protect the cached content from unauthorized access. To enable encryption, the CipherTransformation property can be set to the name of an appropriate stream or 8-bit block cipher transformation (e.g., RC4, AES/CTR/NoPadding, etc) that is supported by the environment. However, it is noted that enabling the encryption will result in an increased processing time and it is therefore recommended only in specific use cases where other means to protect the cached content is unavailable.

  • No labels

1 Comment

  1. In the example with the SecureAnnotationsInterceptor, it would be worth to add to use the SecurityOutFaultInterceptor to convert the HTTP error code from 500 to 403.