Author: buildbot
Date: Tue Feb  5 19:48:20 2013
New Revision: 849514

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/security.html
==============================================================================
--- websites/production/cxf/content/docs/security.html (original)
+++ websites/production/cxf/content/docs/security.html Tue Feb  5 19:48:20 2013
@@ -124,7 +124,7 @@ Apache CXF -- Security
 <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold"> 
Securing CXF Services </span></p>
 
 <div>
-<ul><li><a shape="rect" href="#Security-Securetransports">Secure 
transports</a></li><ul><li><a shape="rect" 
href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" 
href="#Security-WSSecurity%28includingUsernameTokenandX.509Tokenprofiles%29">WS-*
 Security (including UsernameToken and X.509 Token profiles)</a></li><li><a 
shape="rect" href="#Security-WSTrust%2CSTS">WS-Trust, STS</a></li><li><a 
shape="rect" href="#Security-SAMLWebSSO">SAML Web SSO</a></li><li><a 
shape="rect" href="#Security-OAuth">OAuth</a></li><li><a shape="rect" 
href="#Security-Authentication">Authentication</a></li><ul><li><a shape="rect" 
href="#Security-JAASLoginInterceptor">JAASLoginInterceptor</a></li><li><a 
shape="rect" href="#Security-Kerberos">Kerberos</a></li></ul><li><a 
shape="rect" href="#Security-Authorization">Authorization</a></li><li><a 
shape="rect" href="#Security-ControllingLargeRequestPayloads">Controlling Large 
Request Payloads</a></li><ul><li><a shape="rect" href="#Security-XML">XML</a
 ></li><li><a shape="rect" 
 >href="#Security-Multiparts">Multiparts</a></li></ul></ul></div>
+<ul><li><a shape="rect" href="#Security-Securetransports">Secure 
transports</a></li><ul><li><a shape="rect" 
href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" 
href="#Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29">WS-*
 Security (including UsernameToken and X.509 Token profiles)</a></li><li><a 
shape="rect" href="#Security-WSTrust%2CSTS">WS-Trust, STS</a></li><li><a 
shape="rect" href="#Security-SAMLWebSSO">SAML Web SSO</a></li><li><a 
shape="rect" href="#Security-OAuth">OAuth</a></li><li><a shape="rect" 
href="#Security-Authentication">Authentication</a></li><ul><li><a shape="rect" 
href="#Security-JAASLoginInterceptor">JAASLoginInterceptor</a></li><li><a 
shape="rect" href="#Security-Kerberos">Kerberos</a></li></ul><li><a 
shape="rect" href="#Security-Authorization">Authorization</a></li><li><a 
shape="rect" href="#Security-ControllingLargeRequestPayloads">Controlling Large 
Request Payloads</a></li><ul><li><a shape="rect" href="#Security-XML">XML
 </a></li><li><a shape="rect" 
href="#Security-Multiparts">Multiparts</a></li></ul><li><a shape="rect" 
href="#Security-Largedatastreamcaching">Large data stream 
caching</a></li></ul></div>
 
 <h1><a shape="rect" name="Security-Securetransports"></a>Secure transports</h1>
 
@@ -132,7 +132,7 @@ Apache CXF -- Security
 
 <p>Please see the <a shape="rect" 
href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html";>Configuring
 SSL Support</a> page for more information.</p>
 
-<h1><a shape="rect" 
name="Security-WSSecurity%28includingUsernameTokenandX.509Tokenprofiles%29"></a>WS-*
 Security  (including UsernameToken and X.509 Token profiles)</h1>
+<h1><a shape="rect" 
name="Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29"></a>WS-*
 Security  (including UsernameToken and X.509 Token profiles)</h1>
 
 <p>Please see the <a shape="rect" 
href="http://cxf.apache.org/docs/ws-support.html";>WS-* Support</a> page for 
more information.</p>
 
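Review bot: the renamed heading anchor (name="Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29") now contains %5C, an encoded backslash. It looks like the escape used for "WS-*" in the wiki source leaking into the generated id. The table-of-contents href in the first hunk was changed to match, so in-page navigation still works, but any external link to the old "#Security-WSSecurity%28..." fragment will stop resolving. Consider fixing the heading markup so the anchor stays stable, or keep the old name as a second anchor on the same heading.
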
@@ -159,8 +159,7 @@ Apache CXF -- Security
 <p>Example :</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;jaxws:endpoint address=<span 
class="code-quote">"/soapService"</span>&gt;</span>
+<pre class="code-xml"><span class="code-tag">&lt;jaxws:endpoint address=<span 
class="code-quote">"/soapService"</span>&gt;</span>
  <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
    <span class="code-tag">&lt;ref bean=<span 
class="code-quote">"authenticationInterceptor"</span>/&gt;</span>
  <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
@@ -171,35 +170,31 @@ Apache CXF -- Security
    <span class="code-tag">&lt;property name=<span 
class="code-quote">"roleClassifier"</span> value=<span 
class="code-quote">"ROLE_"</span>/&gt;</span>
 
 <span class="code-tag">&lt;/bean&gt;</span>
-&lt;!-- 
+&lt;!--
   Similarly for JAX-RS endpoints.
-  Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter 
+  Note that org.apache.cxf.jaxrs.security.JAASAuthenticationFilter
   can be registered as jaxrs:provider instead
 --&gt;
 </pre>
-</div></div> 
-
+</div></div>
 <p>The JAAS authenticator is configured with the name of the JAAS login 
context (the one usually specified in the JAAS configuration resource which the 
server is aware of). It is also configured with an optional "roleClassifier" 
property which is needed by the CXF SecurityContext in order to differentiate 
between user and role Principals. By default CXF will assume that role 
Principals are represented by javax.security.acl.Group instances.</p>
 
 <p>In some cases objects representing a user principal and roles are 
implementing the same marker interface such as Principal. That can be handled 
like this:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-xml">
-
-<span class="code-tag">&lt;bean id=<span 
class="code-quote">"authenticationInterceptor"</span> class=<span 
class="code-quote">"org.apache.cxf.interceptor.security.JAASLoginInterceptor"</span>&gt;</span>
+<pre class="code-xml"><span class="code-tag">&lt;bean id=<span 
class="code-quote">"authenticationInterceptor"</span> class=<span 
class="code-quote">"org.apache.cxf.interceptor.security.JAASLoginInterceptor"</span>&gt;</span>
    <span class="code-tag">&lt;property name=<span 
class="code-quote">"contextName"</span> value=<span 
class="code-quote">"jaasContext"</span>/&gt;</span>
    <span class="code-tag">&lt;property name=<span 
class="code-quote">"roleClassifier"</span> value=<span 
class="code-quote">"RolePrincipal"</span>/&gt;</span>
    <span class="code-tag">&lt;property name=<span 
class="code-quote">"roleClassifierType"</span> value=<span 
class="code-quote">"classname"</span>/&gt;</span>
 <span class="code-tag">&lt;/bean&gt;</span>
 <span class="code-tag"><span class="code-comment">&lt;!-- Similarly for JAX-RS 
endpoints --&gt;</span></span>
 </pre>
-</div></div> 
-
+</div></div>
 <p>In this case JAASLoginInterceptor will know that the roles are represented 
by a class whose simple name is RolePrincipal. Note that full class names are 
also supported.</p>
 
 <h2><a shape="rect" name="Security-Kerberos"></a>Kerberos</h2>
 
-<p>Please see <a shape="rect" 
href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29";>this
 page</a> for the information about Spnego/Kerberos HTTPConduit client support. 
</p>
+<p>Please see <a shape="rect" 
href="http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29";>this
 page</a> for the information about Spnego/Kerberos HTTPConduit client 
support.</p>
 
 <p>Please check the following blog entries about WS-Security Kerberos support 
in CXF:</p>
 
@@ -219,8 +214,7 @@ Apache CXF -- Security
 <p>Example :</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;jaxws:endpoint id=<span 
class="code-quote">"endpoint1"</span> address=<span 
class="code-quote">"/soapService1"</span>&gt;</span>
+<pre class="code-xml"><span class="code-tag">&lt;jaxws:endpoint id=<span 
class="code-quote">"endpoint1"</span> address=<span 
class="code-quote">"/soapService1"</span>&gt;</span>
  <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
    <span class="code-tag">&lt;ref bean=<span 
class="code-quote">"authorizationInterceptor"</span>/&gt;</span>
  <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
@@ -230,9 +224,9 @@ Apache CXF -- Security
    <span class="code-tag">&lt;property name=<span 
class="code-quote">"methodRolesMap"</span>&gt;</span>
       <span class="code-tag">&lt;map&gt;</span>
         <span class="code-tag">&lt;entry key=<span 
class="code-quote">"addNumbers"</span> value=<span 
class="code-quote">"ROLE_USER ROLE_ADMIN"</span>/&gt;</span>
-        <span class="code-tag">&lt;entry key=<span 
class="code-quote">"divideNumbers"</span> value=<span 
class="code-quote">"ROLE_ADMIN"</span>/&gt;</span>  
+        <span class="code-tag">&lt;entry key=<span 
class="code-quote">"divideNumbers"</span> value=<span 
class="code-quote">"ROLE_ADMIN"</span>/&gt;</span>
       <span class="code-tag">&lt;/map&gt;</span>
-   <span class="code-tag">&lt;/property&gt;</span> 
+   <span class="code-tag">&lt;/property&gt;</span>
 <span class="code-tag">&lt;/bean&gt;</span>
 
 <span class="code-tag">&lt;jaxws:endpoint id=<span 
class="code-quote">"endpoint2"</span> address=<span 
class="code-quote">"/soapService2"</span> implementor=<span 
class="code-quote">"#secureBean"</span>&gt;</span>
@@ -249,19 +243,17 @@ Apache CXF -- Security
 <span class="code-tag">&lt;/bean&gt;</span>
 
 </pre>
-</div></div> 
-
+</div></div>
 <h1><a shape="rect" 
name="Security-ControllingLargeRequestPayloads"></a>Controlling Large Request 
Payloads</h1>
 
-<h2><a shape="rect" name="Security-XML"></a>XML </h2>
+<h2><a shape="rect" name="Security-XML"></a>XML</h2>
+
 <p>Endpoints expecting XML payloads may get <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java";>DepthRestrictingInterceptor</a>
 registered and configured in order to control the limits a given XML payload 
may not exceed. This can be useful in a variety of cases in order to protect 
against massive payloads which can potentially cause the denial-of-service 
situation or simply slow the service down a lot.</p>
 
 <p>The complete number of XML elements, the number of immediate children of a 
given XML element may contain and the stack depth of the payload can be 
restricted, for example:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
-<pre class="code-xml">
-
-<span class="code-tag">&lt;bean id=<span 
class="code-quote">"depthInterceptor"</span> class=<span 
class="code-quote">"org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"</span>&gt;</span>
+<pre class="code-xml"><span class="code-tag">&lt;bean id=<span 
class="code-quote">"depthInterceptor"</span> class=<span 
class="code-quote">"org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"</span>&gt;</span>
   <span class="code-tag"><span class="code-comment">&lt;!-- Total number of 
elements in the XML payload --&gt;</span></span>
   <span class="code-tag">&lt;property name=<span 
class="code-quote">"elementCountThreshold"</span> value=<span 
class="code-quote">"5000"</span>/&gt;</span>
 
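Review bot: in the first paragraph of the XML section the link text reads "DepthRestrictingInterceptor", while the linked source file and the bean definition further down both use org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor. Since this hunk already touches the section, align the link text with the real class name so readers copy the right one into their configuration.
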
@@ -296,7 +288,22 @@ Apache CXF -- Security
 
 <h2><a shape="rect" name="Security-Multiparts"></a>Multiparts</h2>
 
-<p>The "org.apache.cxf.io.CachedOutputStream.MaxSize" system property or 
"attachment-max-size" per-endpoint contextual property can be used to control 
the size of large attachments. When the limits is reached, the error is 
returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 
413.</p></div>
+<p>The "org.apache.cxf.io.CachedOutputStream.MaxSize" system property or 
"attachment-max-size" per-endpoint contextual property can be used to control 
the size of large attachments. When the limits is reached, the error is 
returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413.</p>
+
+<h1><a shape="rect" name="Security-Largedatastreamcaching"></a>Large data 
stream caching</h1>
+
+<p>A large stream based message or data will be cached in a temporary file. In 
default, this caching occurs at data size larger than 64K bytes and a temporary 
file is written in the system's temporary directory. You can change this 
behavior and other properties of the caching feature by explicitly setting the 
following properties.</p>
+
+<p>To change the behavior for the entire system, you can set the following 
system properties.</p>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"> Property Name </th><th colspan="1" rowspan="1" 
class="confluenceTh"> Value </th></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"> org.apache.cxf.io.CachedOutputStream.Threshold </td><td 
colspan="1" rowspan="1" class="confluenceTd"> The threshold value in bytes to 
switch to file caching </td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd"> org.apache.cxf.io.CachedOutputStream.MaxSize </td><td 
colspan="1" rowspan="1" class="confluenceTd"> The maximum data size to be 
cached </td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> 
org.apache.cxf.io.CachedOutputStream.OutputDirectory </td><td colspan="1" 
rowspan="1" class="confluenceTd"> The file directory for the temporary files 
</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"> 
org.apache.cxf.io.CachedOutputStream.CipherTransformation </td><td colspan="1" 
rowspan="1" class="confluenceTd"> The cipher
  transformation name to encrypt the cached content </td></tr></tbody></table>
+</div>
+
+
+<p>To change the behavior for a specific bus, you can set the corresponding 
bus.io.CachedOutputStream properties (e.g., bus.io.CachedOutputStream.Threshold 
for org.apache.cxf.io.CachedOutputStream.Threshold).</p>
+
+<p>The encryption option uses a symmetric encryption using a generated key and 
it can be used to protect the cached content from unauthorized access. To 
enable encryption, the CipherTransformation property can be set to some stream 
or 8-bit block cipher transformation names (e.g., RC4, AES/CTR/NoPadding, etc) 
that are supported by the environment. However, it is noted that enabling the 
encryption will result in an increased processing time and it is therefore 
recommended only in specific use cases where other means to protect the cached 
content is unavailable.</p></div>
            </div>
            <!-- Content -->
          </td>
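
Review bot: the new CipherTransformation paragraph offers RC4 as its first example transformation ("e.g., RC4, AES/CTR/NoPadding, etc"). RC4 has known keystream biases and should not be what the documentation steers readers toward for protecting cached message content. Suggest naming only AES/CTR/NoPadding, and stating that a stream or CTR-mode transformation gives confidentiality only, with no integrity protection for the temporary file. Because the stated goal is protection "from unauthorized access", the section should also say how long the generated key lives and what permissions the files written to OutputDirectory receive. Minor: "In default" should be "By default", "When the limits is reached" needs fixing, and org.apache.cxf.io.CachedOutputStream.MaxSize appears both in the Multiparts paragraph and in the new table without a cross-reference or a stated default.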

