Author: buildbot
Date: Fri Sep 14 15:57:43 2018
New Revision: 1035175

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-token-authorization.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-token-authorization.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-token-authorization.html 
(original)
+++ websites/production/cxf/content/docs/jax-rs-token-authorization.html Fri 
Sep 14 15:57:43 2018
@@ -121,22 +121,22 @@ Apache CXF -- JAX-RS Token Authorization
 
 
 <br clear="none"></p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1536936979708 {padding: 0px;}
-div.rbtoc1536936979708 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1536936979708 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1536940623991 {padding: 0px;}
+div.rbtoc1536940623991 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1536940623991 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1536936979708">
+/*]]>*/</style></p><div class="toc-macro rbtoc1536940623991">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSTokenAuthorization-Introduction">Introduction</a></li><li><a 
shape="rect" 
href="#JAX-RSTokenAuthorization-Backwardscompatibilityconfigurationnote">Backwards
 compatibility configuration note</a></li><li><a shape="rect" 
href="#JAX-RSTokenAuthorization-Mavendependencies">Maven 
dependencies</a></li><li><a shape="rect" 
href="#JAX-RSTokenAuthorization-Claimsbasedaccesscontrol">Claims based access 
control</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSTokenAuthorization-Claimsannotations">Claims 
annotations</a></li></ul>
-</li><li><a shape="rect" 
href="#JAX-RSTokenAuthorization-EnforcingClaimsauthorization">Enforcing Claims 
authorization</a></li><li><a shape="rect" 
href="#JAX-RSTokenAuthorization-Rolebasedaccesscontrol">Role based access 
control</a></li></ul>
-</div><h1 id="JAX-RSTokenAuthorization-Introduction">Introduction</h1><p>CXF 
JAX-RS offers an extension letting users to enforce a new fine-grained Claims 
Based Access Control (CBAC) based on <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/claims/authorization/Claim.java";
 rel="nofollow">Claim</a> and <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/claims/authorization/Claims.java";
 rel="nofollow">Claims</a> annotations as well as <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/claims/authorization/ClaimMode.java";
 rel="nofollow">ClaimMode</a> enum class. It works with SAML tokens and with 
JWT tokens (from the 3.3.0 release onwards).</p><p>See also <a shape="rect" 
href="jax-rs-xml-security.html">JAX-RS XML Security</a>, <a shape="rect" 
href="jax-r
 s-saml.html">JAX-RS SAML</a> and <a shape="rect" 
href="jax-rs-jose.html">JAX-RS JOSE</a>.</p><h1 
id="JAX-RSTokenAuthorization-Backwardscompatibilityconfigurationnote">Backwards 
compatibility configuration note</h1><p>From Apache CXF 3.1.0, the WS-Security 
based configuration tags used to configure XML Signature or Encryption 
("ws-security-*") have been changed to just start with "security-". Apart from 
this they are exactly the same. Older "ws-security-" values continue to be 
accepted in CXF 3.1.0. To use any of the configuration examples in this page 
with an older version of CXF, simply add a "ws-" prefix to the configuration 
tag.</p><p>The package for Claim, Claims and ClaimMode annotations has changed 
from "org.apache.cxf.rs.security.saml.authorization" to 
"org.apache.cxf.security.claims.authorization". Starting from CXF 2.7.1, the 
default name format for claims is 
"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" instead of "<a 
shape="rect" class="external-link" href="ht
 tp://schemas.xmlsoap.org/ws/2005/05/identity/claims" 
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims</a>".</p><p>From
 the 3.3.0 release, the Claims access control annotations/interceptors <a 
shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/CXF-6727";>now work</a> with JWT 
tokens (as well as SAML tokens). This resulted in the following package 
changes:</p><ul><li>The package name of the ClaimsAuthorizingInterceptor has 
changed: from 
org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor to 
org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor.</li><li>The
 package name of the ClaimsAuthorizingFilter&#160; has changed: from 
org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter to 
org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter</li></ul><h1 
id="JAX-RSTokenAuthorization-Mavendependencies">Maven dependencies</h1><div 
class="code panel pdl" style="border-width: 1px;"><div clas
 s="codeContent panelContent pdl">
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSTokenAuthorization-Claimsannotations">Claims 
annotations</a></li><li><a shape="rect" 
href="#JAX-RSTokenAuthorization-EnforcingClaimsauthorization">Enforcing Claims 
authorization</a></li></ul>
+</li><li><a shape="rect" 
href="#JAX-RSTokenAuthorization-Rolebasedaccesscontrol">Role based access 
control</a></li></ul>
+</div><h1 id="JAX-RSTokenAuthorization-Introduction">Introduction</h1><p>CXF 
JAX-RS offers an extension letting users to enforce a new fine-grained Claims 
Based Access Control (CBAC) based on <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/claims/authorization/Claim.java";
 rel="nofollow">Claim</a> and <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/claims/authorization/Claims.java";
 rel="nofollow">Claims</a> annotations as well as <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/claims/authorization/ClaimMode.java";
 rel="nofollow">ClaimMode</a> enum class. It works with SAML tokens and with 
JWT tokens (from the 3.3.0 release onwards).</p><p>See also <a shape="rect" 
href="jax-rs-xml-security.html">JAX-RS XML Security</a>, <a shape="rect" 
href="jax-r
 s-saml.html">JAX-RS SAML</a> and <a shape="rect" 
href="jax-rs-jose.html">JAX-RS JOSE</a>.</p><h1 
id="JAX-RSTokenAuthorization-Backwardscompatibilityconfigurationnote">Backwards 
compatibility configuration note</h1><p>From Apache CXF 3.1.0, the WS-Security 
based configuration tags used to configure XML Signature or Encryption 
("ws-security-*") have been changed to just start with "security-". Apart from 
this they are exactly the same. Older "ws-security-" values continue to be 
accepted in CXF 3.1.0. To use any of the configuration examples in this page 
with an older version of CXF, simply add a "ws-" prefix to the configuration 
tag.</p><p>The package for Claim, Claims and ClaimMode annotations has changed 
from "org.apache.cxf.rs.security.saml.authorization" to 
"org.apache.cxf.security.claims.authorization". Starting from CXF 2.7.1, the 
default name format for claims is 
"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" instead of "<a 
shape="rect" class="external-link" href="ht
 tp://schemas.xmlsoap.org/ws/2005/05/identity/claims" 
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims</a>".</p><p>From
 the 3.3.0 release, the Claims access control annotations/interceptors <a 
shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/CXF-6727";>now work</a> with JWT 
tokens (as well as SAML tokens). This resulted in the following package 
changes:</p><ul><li>ClaimsAuthorizingInterceptor has moved from the 
cxf-rt-security-saml module to the cxf-rt-security module. The package name of 
the ClaimsAuthorizingInterceptor has changed: from 
org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor to 
org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor.</li><li>ClaimsAuthorizingFilter
 has moved from the cxf-rt-rs-security-xml module to the cxf-rt-frontend-jaxrs 
module. The package name of the ClaimsAuthorizingFilter&#160; has changed: from 
org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizin
 gFilter 
to&#160;org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter</li></ul><h1 
id="JAX-RSTokenAuthorization-Mavendependencies">Maven dependencies</h1><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeContent 
panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default">&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
-  &lt;artifactId&gt;cxf-rt-rs-security-xml&lt;/artifactId&gt;
+  &lt;artifactId&gt;cxf-rt-security&lt;/artifactId&gt;
   &lt;version&gt;3.3.0&lt;/version&gt;
 &lt;/dependency&gt;
 </pre>
-</div></div><h1 id="JAX-RSTokenAuthorization-Claimsbasedaccesscontrol">Claims 
based access control</h1><h2 
id="JAX-RSTokenAuthorization-Claimsannotations">Claims annotations</h2><p>Here 
is a simple code fragment to secure a service object using Claims 
annotations:</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
+</div></div><p>In addition, cxf-rt-rs-security-xml is required if you are 
working with SAML tokens, and cxf-rt-rs-security-jose-jaxrs is required if you 
are working with JWT tokens. </p><h1 
id="JAX-RSTokenAuthorization-Claimsbasedaccesscontrol">Claims based access 
control</h1><h2 id="JAX-RSTokenAuthorization-Claimsannotations">Claims 
annotations</h2><p>Here is a simple code fragment to secure a service object 
using Claims annotations:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default">import 
org.apache.cxf.security.claims.authorization.Claim;
 import org.apache.cxf.security.claims.authorization.Claims;
 
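Review bot: the rewritten package-change bullet for ClaimsAuthorizingFilter still carries two stray `&#160;` entities: "ClaimsAuthorizingFilter&#160; has changed" and "to&#160;org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter". The second one places a non-breaking space immediately before the fully-qualified class name, so a reader who copies the new class name out of the rendered page gets a U+00A0 prefix and a ClassNotFoundException rather than the filter; replace both with plain spaces before this goes out. While here, the added sentence after the Maven block ends in "with JWT tokens. </p>" (trailing space before the close tag), and it would help to say explicitly that the `cxf-rt-security` artifact shown in the `<pre>` block covers only ClaimsAuthorizingInterceptor, since the bullet above it states that ClaimsAuthorizingFilter now lives in cxf-rt-frontend-jaxrs, a different module from the one the dependency snippet declares.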
@@ -226,7 +226,7 @@ public class SecureClaimBookStore {
 </div></div><p>In the above example, getBookList() can be invoked if Subject 
has a Claim with the value "user"; addBook() has it overridden - "admin" is 
expected and the authentication format Claim too; getBook() can be invoked if 
Subject has a Claim with the value "user" and it also must have the 
authentication format Claim with the value "password" - or no such Claim at 
all.</p><p>org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor
 ("org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor" 
before CXF 3.3.0) enforces the CBAC rules. This filter can be overridden and 
configured with the rules directly which can be useful if no Claim-related 
annotations are expected in the code. Map nameAliases and formatAliases 
properties are supported to make @Claim annotations look a bit simpler, for 
example:</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default">@Claim(name = 
"auth-format", format = "authentication", value = {"password" })
 </pre>
-</div></div><p>where "auth-format" and "authentication" are aliases for 
"http://claims/authentication-format"; and "http://claims/authentication"; 
respectively.</p><h1 
id="JAX-RSTokenAuthorization-EnforcingClaimsauthorization">Enforcing Claims 
authorization</h1><p>Simply adding Claims annotations are per the examples 
above is not sufficient to enforce claims based authorization.</p><p>First we 
need to configure the appropriate interceptors/filters to authenticate the type 
of token we are interested in extracting claims from. See the <a shape="rect" 
href="jax-rs-saml.html">JAX-RS SAML</a> page for information on how to 
configure SAML, and the <a shape="rect" href="jax-rs-jose.html">JAX-RS JOSE</a> 
page for information on how to configure JWT.</p><p>For both SAML and JWT, once 
the incoming token is validated, a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsSecurityContext.java";
 rel=
 "nofollow">ClaimsSecurityContext</a> security context will be created 
containing the claims contained in the token, as well as the authenticated 
subject and role (claims).</p><p>To enforce claims authorization, a <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/security/src/main/java/org/apache/cxf/rt/security/claims/interceptor/ClaimsAuthorizingInterceptor.java";
 rel="nofollow">ClaimsAuthorizingInterceptor</a> must be set as an 
"inInterceptor", passing it a reference to the secured object. There is also a 
JAX-RS filter wrapper around ClaimsAuthorizingInterceptor available, which is 
called ClaimsAuthorizingFilter.</p><p>An instance of 
org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter (note 
org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter from CXF 3.3.0) is 
used to enforce CBAC. It's a simple JAX-RS filter wrapper around 
ClaimsAuthorizingInterceptor.</p><p>Here is an example of enforcing Claims 
authorization against 
 a JWT token. BookStoreAuthn is the service object which is annotated with 
Claims annotations. The ClaimsAuthorizingFilter is added as a JAX-RS provider 
to the endpoint, wrapping the serviceBean. A JwtAuthenticationFilter instance 
is also added to validate the received JWT token and to set up the 
ClaimsSecurityContext. The <a shape="rect" class="external-link" 
href="http://rs.security.signature.in"; 
rel="nofollow">rs.security.signature.in</a>.properties property is used to 
verify the signature on the received token.</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>where "auth-format" and "authentication" are aliases for 
"http://claims/authentication-format"; and "http://claims/authentication"; 
respectively.</p><h2 
id="JAX-RSTokenAuthorization-EnforcingClaimsauthorization">Enforcing Claims 
authorization</h2><p>Simply adding Claims annotations are per the examples 
above is not sufficient to enforce claims based authorization.</p><p>First we 
need to configure the appropriate interceptors/filters to authenticate the type 
of token we are interested in extracting claims from. See the <a shape="rect" 
href="jax-rs-saml.html">JAX-RS SAML</a> page for information on how to 
configure SAML, and the <a shape="rect" href="jax-rs-jose.html">JAX-RS JOSE</a> 
page for information on how to configure JWT.</p><p>For both SAML and JWT, once 
the incoming token is validated, a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsSecurityContext.java";
 rel=
 "nofollow">ClaimsSecurityContext</a> security context will be created 
containing the claims contained in the token, as well as the authenticated 
subject and role (claims).</p><p>To enforce claims authorization, a <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/security/src/main/java/org/apache/cxf/rt/security/claims/interceptor/ClaimsAuthorizingInterceptor.java";
 rel="nofollow">ClaimsAuthorizingInterceptor</a> must be set as an 
"inInterceptor", passing it a reference to the secured object. There is also a 
JAX-RS filter wrapper around ClaimsAuthorizingInterceptor available, which is 
called <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/ClaimsAuthorizingFilter.java";
 rel="nofollow">ClaimsAuthorizingFilter</a>.</p><p>An instance of 
org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter (note 
org.apache.cxf.rs.security.claims.ClaimsAu
 thorizingFilter from CXF 3.3.0) is used to enforce CBAC. It's a simple JAX-RS 
filter wrapper around ClaimsAuthorizingInterceptor.</p><p>Here is an example of 
enforcing Claims authorization against a JWT token. BookStoreAuthn is the 
service object which is annotated with Claims annotations. The 
ClaimsAuthorizingFilter is added as a JAX-RS provider to the endpoint, wrapping 
the serviceBean. A JwtAuthenticationFilter instance is also added to validate 
the received JWT token and to set up the ClaimsSecurityContext. The <a 
shape="rect" class="external-link" href="http://rs.security.signature.in"; 
rel="nofollow">rs.security.signature.in</a>.properties property is used to 
verify the signature on the received token.</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default">&lt;bean 
id="serviceBean" 
class="org.apache.cxf.systest.jaxrs.security.jose.jwt.BookStoreAuthn"/&gt;
 
 &lt;bean id="claimsHandler" 
class="org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter"&gt;
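Review bot: the paragraph immediately after the newly linked ClaimsAuthorizingFilter now contradicts the link it follows. It still reads "An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter (note org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter from CXF 3.3.0)", whereas the anchor added in this hunk points at rt/frontend/jaxrs/.../org/apache/cxf/jaxrs/security/ClaimsAuthorizingFilter.java, the first hunk changed the package-change bullet to org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter, and the bean in the example below is declared as `class="org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter"`. Update the parenthetical to the jaxrs.security package so all three agree; as written, a reader following the prose will configure a class that the 3.3.0 package move removed. Two smaller points in the same paragraphs: "Simply adding Claims annotations are per the examples above" should be "as per", and `rs.security.signature.in.properties` has been auto-linked to http://rs.security.signature.in, which is a CXF property name rather than a URL; wrapping it in `<code>` stops the renderer from linkifying it.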
@@ -250,7 +250,7 @@ public class SecureClaimBookStore {
                    
value="org/apache/cxf/systest/jaxrs/security/bob.jwk.properties"/&gt;
         &lt;/jaxrs:properties&gt;
 &lt;/jaxrs:server&gt;</pre>
-</div></div><h1 id="JAX-RSTokenAuthorization-Rolebasedaccesscontrol">Role 
based access control</h1><p>If you have an existing RBAC system (based on 
javax.annotation.security.RolesAllowed or even 
org.springframework.security.annotation.Secured annotations) in place and have 
SAML assertions with claims that are known to represent roles, then making 
those claims work with the RBAC system can be achieved easily.</p><p>For 
example, given this code:</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code class="java keyword">import</code> <code 
class="java plain"><a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.springframework.security.annotation.Secured;";>org.springframework.security.annotation.Secured;</a></code><br
 clear="none">&#160;<br clear="none"><code class="java 
color1">@Path</code><code class="java plain">(</code><code class="java 
string">"/bookstore"</code><code class="java plai
 n">)</code><br clear="none"><code class="java keyword">public</code> <code 
class="java keyword">class</code> <code class="java plain">SecureBookStore 
{</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code>&#160;<br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java 
color1">@POST</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java 
color1">@Secured</code><code class="java plain">(</code><code class="java 
string">"admin"</code><code class="java plain">)</code><br clear="none"><code 
class="java spaces">&#160;&#160;&#160;&#160;</code><code class="java 
keyword">public</code> <code class="java plain">Book addBook(Book book) 
{</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code><code 
class="java keyword">return</code> <code class="java plain">book;</code><br 
clear="none"><code class="java spaces">&#160;&#160;&#160;&#160;</code><cod
 e class="java plain">}</code><br clear="none"><code class="java 
plain">}</code></p></td></tr></tbody></table></div><p>where @Secured can be 
replaced with @RoledAllowed if needed, the following configuration will do 
it:</p><div class="table-wrap"><table class="confluenceTable"><colgroup 
span="1"><col span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code class="java plain">&lt;bean id=</code><code 
class="java string">"serviceBeanRoles"</code> <code class="java 
keyword">class</code><code class="java plain">=</code><code class="java 
string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore";>org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore</a>"</code><code
 class="java plain">/&gt;</code><br clear="none"><code class="java 
plain">&lt;bean id=</code><code class="java string">"samlEnvHandler"</code> 
<code class="java keyword">class</code><code class="java plain">=
 </code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler";>org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler</a>"</code><code
 class="java plain">&gt;</code><br clear="none"><code class="java 
spaces">&#160;</code><code class="java plain">&lt;property name=</code><code 
class="java string">"securityContextProvider"</code><code class="java 
plain">&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;bean 
</code><code class="java keyword">class</code><code class="java 
plain">=</code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider";>org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider</a>"</code><code
 class="java plain">/&gt;</code><br clear="none"><code class="java spaces">&#1
 60;</code><code class="java plain">&lt;/property&gt;</code><br 
clear="none"><code class="java plain">&lt;/bean&gt;</code><br 
clear="none">&#160;<br clear="none"><code class="java plain">&lt;bean 
id=</code><code class="java string">"authorizationInterceptor"</code> <code 
class="java keyword">class</code><code class="java plain">=</code><code 
class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor";>org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor</a>"</code><code
 class="java plain">&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;property 
name=</code><code class="java string">"securedObject"</code> <code class="java 
plain">ref=</code><code class="java string">"serviceBean"</code><code 
class="java plain">/&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="j
 ava plain">&lt;property name=</code><code class="java 
string">"annotationClassName"</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code><code
 class="java plain">value=</code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.springframework.security.annotation.Secured";>org.springframework.security.annotation.Secured</a>"</code><code
 class="java plain">/&gt;</code><br clear="none"><code class="java 
plain">&lt;/bean&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code>&#160;<br clear="none"><code class="java 
plain">&lt;bean id=</code><code class="java string">"rolesHandler"</code> <code 
class="java keyword">class</code><code class="java plain">=</code><code 
class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter";>org.apac
 he.cxf.jaxrs.security.SimpleAuthorizingFilter</a>"</code><code class="java 
plain">&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;property 
name=</code><code class="java string">"interceptor"</code> <code class="java 
plain">ref=</code><code class="java 
string">"authorizationInterceptor"</code><code class="java 
plain">/&gt;</code><br clear="none"><code class="java 
plain">&lt;/bean&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code>&#160;<br clear="none"><code class="java 
plain">&lt;jaxrs:server address=</code><code class="java 
string">"/saml-roles"</code><code class="java plain">&gt; </code><br 
clear="none"><code class="java spaces">&#160;&#160;</code><code class="java 
plain">&lt;jaxrs:serviceBeans&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;ref 
bean=</code><code class="java string">"serviceBeanRoles"</code><code 
 class="java plain">/&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java 
plain">&lt;/jaxrs:serviceBeans&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java 
plain">&lt;jaxrs:providers&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;</code><code class="java 
plain">&lt;ref bean=</code><code class="java 
string">"samlEnvHandler"</code><code class="java plain">/&gt;</code><br 
clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;</code><code class="java 
plain">&lt;ref bean=</code><code class="java string">"rolesHandler"</code><code 
class="java plain">/&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java 
plain">&lt;/jaxrs:providers&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code>&#160;<br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java plain">&lt;!-- If </code><code
  class="java keyword">default</code> <code class="java plain">role qualifier 
and format are not supported: </code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code>&#160;<br 
clear="none"><code class="java spaces">&#160;&#160;</code><code class="java 
plain">&lt;jaxrs:properties&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;entry 
key=</code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.saml.claims.role.nameformat";>org.apache.cxf.saml.claims.role.nameformat</a>"</code><br
 clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code><code
 class="java plain">value=</code><code class="java 
string">"urn:oasis:names:tc:SAML:<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/2.0:attrname-format:uri";>2.0:at
 trname-format:uri</a>"</code><code class="java plain">/&gt;</code><br 
clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;entry 
key=</code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.saml.claims.role.qualifier";>org.apache.cxf.saml.claims.role.qualifier</a>"</code><br
 clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code><code
 class="java plain">value=</code><code class="java string">"urn:oid:<a 
shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/1.3.6.1.4.1.5923.1.1.1.1";>1.3.6.1.4.1.5923.1.1.1.1</a>"</code><code
 class="java plain">/&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java 
plain">&lt;/jaxrs:properties&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java plain">--&gt;</
 code><br clear="none"><code class="java 
plain">&lt;/jaxrs:server&gt;</code></p></td></tr></tbody></table></div><p>That 
is all what is needed. Note that in order to help the default SAML 
SecurityContextProvider figure out which claims are roles, one can set the two 
properties as shown above - this not needed if it's known that claims 
identifying roles have NameFormat and Name values with the default values, 
which are "<a shape="rect" class="external-link" 
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"; 
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims</a>" and 
"<a shape="rect" class="external-link" 
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"; 
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a>" 
respectively at the moment.</p><p>Note that you can have RBAC and CBAC combined 
for a more sophisticated access control rules be enforced while still keeping 
the existing code relying on @RolesAllowed or @Secured in
 tact. Override ClaimsAuthorizingFilter and configure it with the Claims rules 
directly and register it alongside SimpleAuthorizingFilter and here you 
go.</p><p>Also note how SecureAnnotationsInterceptor can handle different types 
of role annotations, with @RoledAllowed being supported by default.</p></div>
+</div></div><h1 id="JAX-RSTokenAuthorization-Rolebasedaccesscontrol">Role 
based access control</h1><p>If you have an existing RBAC system (based on 
javax.annotation.security.RolesAllowed or even 
org.springframework.security.annotation.Secured annotations) in place and have 
SAML assertions with claims that are known to represent roles, then making 
those claims work with the RBAC system can be achieved easily.</p><p>For 
example, given this code:</p><div class="table-wrap"><table class="wrapped 
confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code class="java keyword">import</code> <code 
class="java plain"><a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.springframework.security.annotation.Secured;";>org.springframework.security.annotation.Secured;</a></code><br
 clear="none">&#160;<br clear="none"><code class="java 
color1">@Path</code><code class="java plain">(</code><code class="java 
string">"/bookstore"</code><code class="j
 ava plain">)</code><br clear="none"><code class="java keyword">public</code> 
<code class="java keyword">class</code> <code class="java 
plain">SecureBookStore {</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code>&#160;<br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java 
color1">@POST</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java 
color1">@Secured</code><code class="java plain">(</code><code class="java 
string">"admin"</code><code class="java plain">)</code><br clear="none"><code 
class="java spaces">&#160;&#160;&#160;&#160;</code><code class="java 
keyword">public</code> <code class="java plain">Book addBook(Book book) 
{</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code><code 
class="java keyword">return</code> <code class="java plain">book;</code><br 
clear="none"><code class="java spaces">&#160;&#160;&#160;&#160;</c
 ode><code class="java plain">}</code><br clear="none"><code class="java 
plain">}</code></p></td></tr></tbody></table></div><p>where @Secured can be 
replaced with @RoledAllowed if needed, the following configuration will do 
it:</p><div class="table-wrap"><table class="wrapped confluenceTable"><colgroup 
span="1"><col span="1"></colgroup><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><p><code class="java plain">&lt;bean id=</code><code 
class="java string">"serviceBeanRoles"</code> <code class="java 
keyword">class</code><code class="java plain">=</code><code class="java 
string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore";>org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore</a>"</code><code
 class="java plain">/&gt;</code><br clear="none"><code class="java 
plain">&lt;bean id=</code><code class="java string">"samlEnvHandler"</code> 
<code class="java keyword">class</code><code class="java plain">=</code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler";>org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler</a>"</code><code
 class="java plain">&gt;</code><br clear="none"><code class="java 
spaces">&#160;</code><code class="java plain">&lt;property name=</code><code 
class="java string">"securityContextProvider"</code><code class="java 
plain">&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;bean 
</code><code class="java keyword">class</code><code class="java 
plain">=</code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider";>org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider</a>"</code><code
 class="java plain">/&gt;</code><br clear="none"><code class="
 java spaces">&#160;</code><code class="java plain">&lt;/property&gt;</code><br 
clear="none"><code class="java plain">&lt;/bean&gt;</code><br 
clear="none">&#160;<br clear="none"><code class="java plain">&lt;bean 
id=</code><code class="java string">"authorizationInterceptor"</code> <code 
class="java keyword">class</code><code class="java plain">=</code><code 
class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor";>org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor</a>"</code><code
 class="java plain">&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;property 
name=</code><code class="java string">"securedObject"</code> <code class="java 
plain">ref=</code><code class="java string">"serviceBean"</code><code 
class="java plain">/&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</cod
 e><code class="java plain">&lt;property name=</code><code class="java 
string">"annotationClassName"</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code><code
 class="java plain">value=</code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.springframework.security.annotation.Secured";>org.springframework.security.annotation.Secured</a>"</code><code
 class="java plain">/&gt;</code><br clear="none"><code class="java 
plain">&lt;/bean&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code>&#160;<br clear="none"><code class="java 
plain">&lt;bean id=</code><code class="java string">"rolesHandler"</code> <code 
class="java keyword">class</code><code class="java plain">=</code><code 
class="java string">"org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter"</code><code 
class="java plain">&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;property 
name=</code><code class="java string">"interceptor"</code> <code class="java 
plain">ref=</code><code class="java 
string">"authorizationInterceptor"</code><code class="java 
plain">/&gt;</code><br clear="none"><code class="java 
plain">&lt;/bean&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;</code>&#160;<br clear="none"><code class="java 
plain">&lt;jaxrs:server address=</code><code class="java 
string">"/saml-roles"</code><code class="java plain">&gt; </code><br 
clear="none"><code class="java spaces">&#160;&#160;</code><code class="java 
plain">&lt;jaxrs:serviceBeans&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;ref 
bean=</code><code class="java string">"serviceBeanRoles"</code><code class="java plain">/&gt;</code><br clear="none"><code 
class="java spaces">&#160;&#160;</code><code class="java 
plain">&lt;/jaxrs:serviceBeans&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java 
plain">&lt;jaxrs:providers&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;</code><code class="java 
plain">&lt;ref bean=</code><code class="java 
string">"samlEnvHandler"</code><code class="java plain">/&gt;</code><br 
clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;</code><code class="java 
plain">&lt;ref bean=</code><code class="java string">"rolesHandler"</code><code 
class="java plain">/&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java 
plain">&lt;/jaxrs:providers&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code>&#160;<br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java plain">&lt;!--
  If </code><code class="java keyword">default</code> <code class="java 
plain">role qualifier and format are not supported: </code><br 
clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code>&#160;<br 
clear="none"><code class="java spaces">&#160;&#160;</code><code class="java 
plain">&lt;jaxrs:properties&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;entry 
key=</code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.saml.claims.role.nameformat";>org.apache.cxf.saml.claims.role.nameformat</a>"</code><br
 clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code><code
 class="java plain">value=</code><code class="java 
string">"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"</code><code class="java 
plain">/&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;</code><code class="java plain">&lt;entry 
key=</code><code class="java string">"<a shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/org.apache.cxf.saml.claims.role.qualifier";>org.apache.cxf.saml.claims.role.qualifier</a>"</code><br
 clear="none"><code class="java 
spaces">&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</code><code
 class="java plain">value=</code><code class="java string">"urn:oid:<a 
shape="rect" 
href="https://cwiki.apache.org/confluence/display/CXF20DOC/1.3.6.1.4.1.5923.1.1.1.1";>1.3.6.1.4.1.5923.1.1.1.1</a>"</code><code
 class="java plain">/&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java 
plain">&lt;/jaxrs:properties&gt;</code><br clear="none"><code class="java 
spaces">&#160;&#160;</code><code class="java
  plain">--&gt;</code><br clear="none"><code class="java 
plain">&lt;/jaxrs:server&gt;</code></p></td></tr></tbody></table></div><p>That 
is all what is needed. Note that in order to help the default SAML 
SecurityContextProvider figure out which claims are roles, one can set the two 
properties as shown above - this not needed if it's known that claims 
identifying roles have NameFormat and Name values with the default values, 
which are "<a shape="rect" class="external-link" 
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"; 
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims</a>" and 
"<a shape="rect" class="external-link" 
href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"; 
rel="nofollow">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</a>" 
respectively at the moment.</p><p>Note that you can have RBAC and CBAC combined 
for a more sophisticated access control rules be enforced while still keeping 
the existing code relying on @RolesAllowe
 d or @Secured intact. Override ClaimsAuthorizingFilter and configure it with 
the Claims rules directly and register it alongside SimpleAuthorizingFilter and 
here you go.</p><p>Also note how SecureAnnotationsInterceptor can handle 
different types of role annotations, with @RoledAllowed being supported by 
default.</p></div>
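<p>As an added example (not CXF's own code), the following Python re-implements the rule the text above attributes to the default SAML SecurityContextProvider: an attribute is a role claim only when both its NameFormat and its Name match the configured values (the org.apache.cxf.saml.claims.role.nameformat and org.apache.cxf.saml.claims.role.qualifier properties, defaulting to the two URIs quoted above), and then runs an @RolesAllowed-style role check and a claims rule together so that a request must pass both, as with SimpleAuthorizingFilter registered alongside a ClaimsAuthorizingFilter. The assertion, the method-to-role table and the claims rule are constructed for this example; no CXF or OpenSAML classes are used.</p>

```python
"""SAML role claims -> roles -> RBAC and CBAC checks.

Added example, not CXF code. It re-implements in plain Python the rule the page
attributes to the default SAML SecurityContextProvider: an attribute is a role
claim only when its NameFormat and Name match the configured values (the
org.apache.cxf.saml.claims.role.nameformat / .qualifier properties). The
assertion, the @RolesAllowed table and the claims rule are constructed here.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
EDU_PERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"

# Default NameFormat and Name that CXF uses to recognise role claims.
DEFAULT_ROLE_NAMEFORMAT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
DEFAULT_ROLE_QUALIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"

# Constructed sample assertion (unsigned, for illustration only): a role claim in
# the default format, an eduPersonAffiliation claim in URI format, and an
# unrelated "title" attribute whose value must never become a role.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_a1" Version="2.0">
  <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{DEFAULT_ROLE_QUALIFIER}" NameFormat="{DEFAULT_ROLE_NAMEFORMAT}">
      <saml2:AttributeValue>admin</saml2:AttributeValue>
      <saml2:AttributeValue>user</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{EDU_PERSON_AFFILIATION}" NameFormat="{FMT_URI}">
      <saml2:AttributeValue>member</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="title" NameFormat="{FMT_BASIC}">
      <saml2:AttributeValue>auditor</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def claims(assertion_xml):
    """All attribute claims as (Name, NameFormat, [values]) triples."""
    root = ET.fromstring(assertion_xml)
    result = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        result.append((attr.get("Name"), attr.get("NameFormat"), values))
    return result


def roles(assertion_xml, nameformat=DEFAULT_ROLE_NAMEFORMAT, qualifier=DEFAULT_ROLE_QUALIFIER):
    """Role set: values of attributes whose NameFormat AND Name both match the
    configured pair. A mismatch yields no roles at all, never a partial match."""
    found = set()
    for name, fmt, values in claims(assertion_xml):
        if fmt == nameformat and name == qualifier:
            found.update(values)
    return found


# RBAC side: what @RolesAllowed on each resource method would declare.
ROLES_ALLOWED = {"addBook": {"admin"}, "getBook": {"admin", "user"}}

# CBAC side: per-method claim rules, each (Name, NameFormat, accepted values).
CLAIMS_REQUIRED = {"addBook": [(EDU_PERSON_AFFILIATION, FMT_URI, {"member"})]}


def rbac_allows(method, user_roles):
    """Deny unless the method has a rule and the caller holds one listed role
    (methods without a rule are denied here; a conservative choice for the example)."""
    allowed = ROLES_ALLOWED.get(method)
    return allowed is not None and bool(allowed & user_roles)


def cbac_allows(method, assertion_xml):
    """Every claim rule for the method must be satisfied by some attribute value."""
    present = {}
    for name, fmt, values in claims(assertion_xml):
        present.setdefault((name, fmt), set()).update(values)
    return all(present.get((name, fmt), set()) & accepted
               for name, fmt, accepted in CLAIMS_REQUIRED.get(method, []))


def authorize(method, assertion_xml, nameformat=DEFAULT_ROLE_NAMEFORMAT,
              qualifier=DEFAULT_ROLE_QUALIFIER):
    """Both filters in the chain must pass; either one denying is a 403."""
    user_roles = roles(assertion_xml, nameformat, qualifier)
    return rbac_allows(method, user_roles) and cbac_allows(method, assertion_xml)


if __name__ == "__main__":
    print("roles (defaults):", sorted(roles(SAMPLE_ASSERTION)))
    print("roles (uri/OID): ", sorted(roles(SAMPLE_ASSERTION, FMT_URI, EDU_PERSON_AFFILIATION)))
    print("addBook allowed: ", authorize("addBook", SAMPLE_ASSERTION))
```

<p>Running it with the defaults yields the roles admin and user; pointing the two properties at the URI/OID attribute instead yields only member, so addBook (which needs admin) is refused even though the same assertion was accepted a moment earlier. That is the failure mode to test for when an identity provider issues roles under a non-default attribute name: the token is valid, but no roles are derived and every role-protected call is denied.</p>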
            </div>
            <!-- Content -->
          </td>


Reply via email to