Thursday, May 29, 2014

Apache CXF Authentication and Authorization test-cases II

In a previous blog post, I covered a number of Apache CXF-based authentication and authorization testcases I uploaded to github. The testcases showed how to authenticate and authorize a SOAP request containing either a SOAP UsernameToken or HTTP Basic Authentication. The options for authentication/authorization backends included Apache DS (ldap), Apache Syncope, Apache Shiro, and Spring Security. In this post, I will cover a number of more advanced authentication and authorization testcases for JAX-WS services using Apache CXF.

The new projects are as follows:
  • cxf-x509: This shows how to use X.509 tokens for authentication and authorization. The service has a TransportBinding policy with an EndorsingSupportingToken X509Token policy. The roles of the authenticated client are mocked by a WSS4J Validator for this demo, but could be retrieved from (e.g) an ldap backend in a real-world demo.
  • cxf-sts: The service in this demo has a TransportBinding policy with an EndorsingSupportingToken IssuedToken policy, requiring a SAML 2.0 token in a client request. The client obtains a SAML token from the CXF SecurityTokenService (STS) and includes it in the service request (also signing the request using the private key which corresponds to the certificate in the SAML token). An Authorization test is also available which uses Claims in the policy to tell the STS to add the roles of the client in the SAML token, which are then used for RBAC on the service side.
  • cxf-sts-xacml: Similar to the cxf-sts demo, this testcase requires a SAML 2.0 token from the STS with the roles of the client embedded in the token. The service is then configured to create a XACML request and dispatch it to a Policy Decision Point (PDP) for authorization. The service endpoint then enforces the authorization decision of the PDP. This demo ships with a mocked PDP implementation. For an enterprise-grade PDP which works with CXF, please see Talend ESB.
  • cxf-kerberos: The service in this demo requires a Kerberos token over TLS. A Kerberos KDC is started as part of the demo, and a CXF JAX-WS client obtains a token and sends it across to the service for authentication. Spnego is also demonstrated as part of this test-case.
These demos build on the first set of demos, which gave different ways to authentication/authorize Username+Password based requests. They show how to authenticate requests using X.509 Tokens, Kerberos tokens and SAML tokens, as well as how to retrieve SAML tokens from an STS, and how to authorize requests using XACML. Please feel free to download + play around with the testcases.


  1. Hi Colm,

    For me the x509 AuthorizationTest works only if I add these settings to the authorizationInterceptor:

    <property name="userRolesMap">
    <entry key="CN=Client,O=Apache,L=Dublin,ST=Leinster,C=IE" value="boss"/>
    <property name="checkConfiguredRolesOnly" value="true"/>

    Without these the SimpleAuthorizingInterceptor.isUserInRole fails.


  2. Hi Ivan,

    Have you modified the demo at all? I just tried it again + it works ok. How are you running it?


    1. Hi Colm. In the meantime I found the reason. I only modified the wss4j version in the pom.xml. I replaced 2.0.1-SNAPSHOT with 2.0.0, as that one was only available in the central repo. Now I tested also with 2.0.2-SNAPSHOT. For me 2.0.2-SNAPSHOT works, but 2.0.0 does not.

  3. Hi Ivan,

    Ah yes, that test-case depends on WSS4J 2.0.1-SNAPSHOT. WSS4J 2.0.1 is currently under vote, so I'll update the test-case when it gets released.


  4. This comment has been removed by a blog administrator.