Saturday, September 15, 2012

Secure JAX-WS with Apache CXF (Some links)

Some useful links for my reference, related to securing JAX-WS services when using Apache CXF:


Some background:

If you want to create a JAX-WS web service as a standalone Java program (i.e., one that starts with a main(String..) method), there are two approaches:


1. If you can deploy your application on the Sun JVM, you can probably easily use Sun's HTTP server that comes bundled with it.
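Something along the lines of (keystore path, password, port, context path and credentials are placeholders; impl is your service implementation object):
// Needs: java.io.FileInputStream, java.net.InetSocketAddress, java.security.KeyStore,
// javax.net.ssl.*, javax.xml.ws.Endpoint, com.sun.net.httpserver.*
char[] password = "changeit".toCharArray();                      // placeholder
KeyStore keyStore = KeyStore.getInstance("JKS");
try (FileInputStream in = new FileInputStream("server.jks")) {   // placeholder path
    keyStore.load(in, password);
}
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), null, null); // default trust managers and SecureRandom
HttpsServer httpsServer = HttpsServer.create(new InetSocketAddress(8443), 0);
httpsServer.setHttpsConfigurator(new HttpsConfigurator(sslContext)); // pass the sslContext here
HttpContext httpContext = httpsServer.createContext("/service");
httpContext.setAuthenticator(new BasicAuthenticator("realm") {   // for example, a BasicAuthenticator
    @Override
    public boolean checkCredentials(String user, String pwd) {
        // expectedUser and expectedPassword are placeholders loaded from your configuration
        return expectedUser.equals(user) && expectedPassword.equals(pwd);
    }
});
httpsServer.start();
Endpoint e = Endpoint.create(impl);
e.publish(httpContext);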


2. Instead, if you want your application to be portable and able to run on any JVM, one way is to use an alternate JAX-WS implementation, such as Apache CXF.
Doing this would mean the following:
- Download the CXF distribution and add a large number of JARs that it needs to the classpath.
- If SSL and authentication are not needed, a simple one-liner is all that's needed:
http://cxf.apache.org/docs/a-simple-jax-ws-service.html#AsimpleJAX-WSservice-Publishingyourservice

- If SSL is needed, refer to the wsdl_first_https sample in the CXF distribution, and set up a Spring configuration file to enable SSL on the embedded Jetty that CXF uses internally:
http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https
http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/resources/ServerConfig.xml
And make your Java program use that Spring configuration:
http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/server/Server.java

- If basic authentication is desired, add a Jetty handler to that Spring configuration file,
 <httpj:handlers>
        <beans:bean class="org.example.MyLoginHandler"/>
 </httpj:handlers>
where the handler MyLoginHandler extends ConstraintSecurityHandler and configures itself in its constructor.
Some links on initializing a SecurityHandler:
http://wiki.eclipse.org/RAP/FAQ#How_can_I_use_Jetty_basic_authentication_in_my_application.3F
http://stackoverflow.com/questions/8056851/basic-authentication-with-embedded-jetty-7-server-and-no-web-xml-file
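
A sketch of what such a MyLoginHandler could look like, as an added example that is not from the original post or from the CXF samples. It assumes the Jetty 9 API; the realm name, role name and realm file path are placeholders.

```java
package org.example;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
// Jetty 9 location; in Jetty 7/8 this class is org.eclipse.jetty.http.security.Constraint.
import org.eclipse.jetty.util.security.Constraint;

/**
 * Jetty handler that demands HTTP Basic credentials for every request.
 * Referenced from the <httpj:handlers> element of the CXF Spring configuration.
 */
public class MyLoginHandler extends ConstraintSecurityHandler {

    // Placeholder values (assumptions for this example): adapt to your deployment.
    private static final String REALM = "ws-realm";
    private static final String ROLE = "ws-user";
    private static final String REALM_FILE = "etc/realm.properties";

    public MyLoginHandler() {
        // Require an authenticated user that holds ROLE.
        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__BASIC_AUTH);
        constraint.setRoles(new String[] { ROLE });
        constraint.setAuthenticate(true);

        // Apply the constraint to every path on this Jetty engine, so the
        // published WSDL is protected as well as the SOAP endpoint itself.
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setPathSpec("/*");
        addConstraintMapping(mapping);

        // Users are read from a properties file, one entry per line:
        //   username: password,role
        // Jetty also accepts MD5: or CRYPT: prefixed values, so the file
        // does not have to hold the password in clear text.
        setLoginService(new HashLoginService(REALM, REALM_FILE));
        setRealmName(REALM);
        setAuthenticator(new BasicAuthenticator());
    }
}
```

Basic credentials are only base64-encoded on the wire, so attach this handler to the engine that has SSL enabled in the same Spring configuration.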

Miscellaneous references:
http://cxf.apache.org/docs/jetty-configuration.html
http://stackoverflow.com/questions/12423862/using-j2se-endpoint-with-embedded-tomcat
