Red Hat JBoss Fuse

Apache CXF Security Guide

Protecting your services and their consumers

Red Hat

Version 6.1

Legal Notice

Trademark Disclaimer

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Apache, ServiceMix, Camel, CXF, and ActiveMQ are trademarks of Apache Software Foundation. Any other names contained herein may be trademarks of their respective owners.

Third Party Acknowledgements

One or more products in the Red Hat JBoss Fuse release includes third party components covered by licenses that require that the following documentation notices be provided:
  • JLine (http://jline.sourceforge.net) jline:jline:jar:1.0
    License: BSD (LICENSE.txt) - Copyright (c) 2002-2006, Marc Prud'hommeaux
    All rights reserved.
    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
    • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
    • Neither the name of JLine nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Stax2 API (http://woodstox.codehaus.org/StAX2) org.codehaus.woodstox:stax2-api:jar:3.1.1
    Copyright (c) <YEAR>, <OWNER> All rights reserved.
    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
    • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • jibx-run - JiBX runtime (http://www.jibx.org/main-reactor/jibx-run) org.jibx:jibx-run:bundle:1.2.3
    License: BSD (http://jibx.sourceforge.net/jibx-license.html) Copyright (c) 2003-2010, Dennis M. Sosnoski.
    All rights reserved.
    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
    • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
    • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
    • Neither the name of JiBX nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • JavaAssist (http://www.jboss.org/javassist) org.jboss.javassist:com.springsource.javassist:jar:3.9.0.GA:compile
  • HAPI-OSGI-Base Module (http://hl7api.sourceforge.net/hapi-osgi-base/) ca.uhn.hapi:hapi-osgi-base:bundle:1.2
    License: Mozilla Public License 1.1 (http://www.mozilla.org/MPL/MPL-1.1.txt)
09 Mar 2015

Abstract

This guide describes how to use the Apache CXF security features.
1. Security for HTTP-Compatible Bindings
2. Managing Certificates
2.1. What is an X.509 Certificate?
2.2. Certification Authorities
2.2.1. Choice of CAs
2.2.2. Commercial Certification Authorities
2.2.3. Private Certification Authorities
2.3. Certificate Chaining
2.4. Special Requirements on HTTPS Certificates
2.5. Creating Your Own Certificates
2.5.1. Prerequisites
2.5.2. Set Up Your Own CA
2.5.3. Use the CA to Create Signed Certificates in a Java Keystore
2.5.4. Use the CA to Create Signed PKCS#12 Certificates
3. Configuring HTTPS
3.1. Authentication Alternatives
3.1.1. Target-Only Authentication
3.1.2. Mutual Authentication
3.2. Specifying Trusted CA Certificates
3.2.1. When to Deploy Trusted CA Certificates
3.2.2. Specifying Trusted CA Certificates for HTTPS
3.3. Specifying an Application’s Own Certificate
3.3.1. Deploying Own Certificate for HTTPS
4. Configuring HTTPS Cipher Suites
4.1. Supported Cipher Suites
4.2. Cipher Suite Filters
4.3. SSL/TLS Protocol Version
5. The WS-Policy Framework
5.1. Introduction to WS-Policy
5.2. Policy Expressions
6. Message Protection
6.1. Transport Layer Message Protection
6.2. SOAP Message Protection
6.2.1. Introduction to SOAP Message Protection
6.2.2. Basic Signing and Encryption Scenario
6.2.3. Specifying an AsymmetricBinding Policy
6.2.4. Specifying a SymmetricBinding Policy
6.2.5. Specifying Parts of Message to Encrypt and Sign
6.2.6. Providing Encryption Keys and Signing Keys
6.2.7. Specifying the Algorithm Suite
7. Authentication
7.1. Introduction to Authentication
7.2. Specifying an Authentication Policy
7.3. Providing Client Credentials
7.4. Authenticating Received Credentials
8. WS-Trust
8.1. Introduction to WS-Trust
8.2. Basic Scenarios
8.3. Defining an IssuedToken Policy
8.4. Creating an STSClient Instance
9. The Security Token Service
9.1. STS Architecture
9.1.1. Overview of the STS
9.1.2. Customizing the STS WSDL
9.1.3. Customizing the Issue Operation
9.1.4. Customizing the Validate Operation
9.1.5. Customizing the Cancel Operation
9.1.6. Configuring STS Properties
9.2. STS Demonstration
9.2.1. Overview of the Demonstration
9.2.2. STS WSDL Contract
9.2.3. Security Token Service Configuration
9.2.4. Server WSDL Contract
9.2.5. Server Configuration
9.2.6. Client Configuration
9.2.7. Build and Run the Demonstration
9.3. Enabling Claims in the STS
9.4. Enabling AppliesTo in the STS
9.5. Enabling Realms in the STS
9.5.1. Issuing Tokens in Multiple Realms
9.5.2. Validating Tokens in Multiple Realms
9.5.3. Token Transformation across Realms
9.5.4. Realms Demonstration
A. ASN.1 and Distinguished Names
A.1. ASN.1
A.2. Distinguished Names
Index