Re: svn commit: r1291166 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/ rt/ws/security/src/ma
Hi Freeman,

I'm -1 to the way you are configuring this patch. WSS10 and WSS11 are standard policies defined in the WS-SP 1.3 spec, and so it's not a good idea to add a custom policy for these. The best way to configure it is to define a (boolean) tag in SecurityConstants so that it can be set as a JAX-WS property.

Colm.

On Mon, Feb 20, 2012 at 9:51 AM, ff...@apache.org wrote:

Author: ffang
Date: Mon Feb 20 09:51:20 2012
New Revision: 1291166
URL: http://svn.apache.org/viewvc?rev=1291166&view=rev
Log: [CXF-4119]support Certificates revocation check before encrypt when use CXF WS-SecurityPolicy

Added:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks (with props)
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks (with props)

Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl

Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1291166r1=1291165r2=1291166view=diff == --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java Mon Feb 20 09:51:20 2012 @@ -386,6 +386,8 @@ public abstract class SPConstants { public static final String MUST_SUPPORT_ISSUED_TOKENS = MustSupportIssuedTokens; + public static final String ENABLE_REVOCATION = EnableRevocation; + public static final String REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION = RequireRequestSecurityTokenCollection; Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java?rev=1291166r1=1291165r2=1291166view=diff == --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java Mon Feb 20 09:51:20 2012 
@@ -65,6 +65,8 @@ public class WSS10Builder implements Ass parent.setMustSupportRefExternalURI(true); } else if (SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN.equals(name)) { parent.setMustSupportRefEmbeddedToken(true); + } else if (SPConstants.ENABLE_REVOCATION.equals(name)) { + parent.setEnableRevocation(true); } child = DOMUtils.getNextElement(child); } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java?rev=1291166r1=1291165r2=1291166view=diff == --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java Mon Feb 20 09:51:20 2012 @@ -75,6 +75,8 @@ public class WSS11Builder implements Ass } else if (SPConstants.REQUIRE_SIGNATURE_CONFIRMATION.equals(name)) { parent.setRequireSignatureConfirmation(true); + } else if
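Review bot: In the WSS10Builder hunk, the new branch on SPConstants.ENABLE_REVOCATION.equals(name) makes the builder for the standard Wss10 assertion accept an EnableRevocation child element, and the WSS11Builder hunk begins the same branch for Wss11. Revocation checking is then switched on only by parent.setEnableRevocation(true) when a policy document happens to carry that element, so a policy written against the WS-SP assertion set leaves the check off without any visible signal, and nothing in these hunks shows a default or a log line for that case. Suggest removing both builder branches and reading the switch from a runtime configuration property instead, so that the deployer controls revocation checking independently of the policy document and the parsed Wss10/Wss11 models stay limited to the elements the spec defines.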
Re: svn commit: r1291166 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/ rt/ws/security/src/ma
Hi Colm,

Thanks for the input, will revise it accordingly.

Freeman

On 2012-2-20, at 6:06 PM, Colm O hEigeartaigh wrote:

Hi Freeman,

I'm -1 to the way you are configuring this patch. WSS10 and WSS11 are standard policies defined in the WS-SP 1.3 spec, and so it's not a good idea to add a custom policy for these. The best way to configure it is to define a (boolean) tag in SecurityConstants so that it can be set as a JAX-WS property.

Colm.

On Mon, Feb 20, 2012 at 9:51 AM, ff...@apache.org wrote:

Author: ffang
Date: Mon Feb 20 09:51:20 2012
New Revision: 1291166
URL: http://svn.apache.org/viewvc?rev=1291166&view=rev
Log: [CXF-4119]support Certificates revocation check before encrypt when use CXF WS-SecurityPolicy

Added:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks (with props)
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks (with props)

Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/ systest/ws/security/DoubleIt.wsdl Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/ security/policy/SPConstants.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1291166r1=1291165r2=1291166view=diff = = = = = = = = = = --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/ security/policy/SPConstants.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/ security/policy/SPConstants.java Mon Feb 20 09:51:20 2012 @@ -386,6 +386,8 @@ public abstract class SPConstants { public static final String MUST_SUPPORT_ISSUED_TOKENS = MustSupportIssuedTokens; +public static final String ENABLE_REVOCATION = EnableRevocation; + public static final String REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION = RequireRequestSecurityTokenCollection; Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/ security/policy/builders/WSS10Builder.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java?rev=1291166r1=1291165r2=1291166view=diff = = = = = = = = = = --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/ security/policy/builders/WSS10Builder.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/ security/policy/builders/WSS10Builder.java Mon Feb 20 09:51:20 2012 
@@ -65,6 +65,8 @@ public class WSS10Builder implements Ass parent.setMustSupportRefExternalURI(true); } else if (SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN.equals(name)) { parent.setMustSupportRefEmbeddedToken(true); +} else if (SPConstants.ENABLE_REVOCATION.equals(name)) { +parent.setEnableRevocation(true); } child = DOMUtils.getNextElement(child); } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/ security/policy/builders/WSS11Builder.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java?rev=1291166r1=1291165r2=1291166view=diff = = = = = = = = = = --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/ security/policy/builders/WSS11Builder.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/ security/policy/builders/WSS11Builder.java Mon Feb 20 09:51:20 2012 @@ -75,6 +75,8 @@ public class WSS11Builder implements Ass } else if
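Review bot: In the SPConstants hunk, ENABLE_REVOCATION is inserted between MUST_SUPPORT_ISSUED_TOKENS and REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION with no comment, so it reads as one more element name from the WS-SP spec when, per the objection raised in this thread, it is a custom addition. If the constant stays, give it a Javadoc line saying it is a CXF-specific extension and what it controls (the log message says a certificate revocation check before encryption), and keep it apart from the spec-defined names; if the setting moves to SecurityConstants as suggested, this constant should be removed from SPConstants rather than left unused.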
WS-Policy Article: https://cwiki.apache.org/confluence/display/CXF/Using+WS-Policy+in+CXF+projects
Hi,

Just collected experience regarding WS-Policy in CXF in the following article: https://cwiki.apache.org/confluence/display/CXF/Using+WS-Policy+in+CXF+projects

Notes, remarks, corrections are welcome.

Regards,
Andrei.
Initial OAuth 2.0 support for CXF 2.6.0
Hi,

I've started working on the initial OAuth 2.0 support to be available in CXF 2.6.0 [1]. We already provide OAuth 1.0 support starting from CXF 2.5.0 [2] - this has been continuously enhanced during the last few months and I think it is capable enough for users seeking to write OAuth 1.0 applications with CXF to be able to rely upon it.

However, OAuth 2.0 [3] is really going to hit the mainstream IMHO soon enough and we are already seeing some demand for the OAuth 2.0 support. Thus I've started prototyping the initial code to do with supporting the OAuth 2.0 Authorization Code Grant [3] and the simple bearer token [4]; this combination is the closest to the OAuth 1.0 3-leg flow, further optimized by dropping the requirement to get a request token round trip.

I'd like to keep the OAuth 1.0 code in 2.6.0 - there are quite a few OAuth 1.0 deployments out there and it would not surprise me if some users wanted to start with OAuth 1.0 given that it's well understood. Besides, despite OAuth 2.0 offering arguably a simpler alternative to the complete OAuth 1.0 flow, IMHO it is much more complex specification-wise. So I think we can see OAuth 1.0 being around for some time...

The other thing I'd like to mention is the possibility of relying on the other OAuth 2.0 libraries such as Amber [5]. At the moment Amber has not been released yet. Personally I'll be open to reusing some of Amber's code or who knows even contributing back to the project, but at the moment I think it is simpler to prototype some base support within the CXF as opposed to trying to build it from the get go on the project code that has not been released yet.

What is also important is that as far as CXF OAuth is concerned it is all about providing utility JAX-RS OAuth services with some additional utility support. The main complexity over time will come from the optional support for MAC or JWT tokens or say OpenId-Connect profiles. This is where we'd likely need some 'help' from the 3rd-party libraries.

So for now I'm prototyping some code and hope to make the initial bits contributed in a week or so, maybe earlier...

Comments are welcome

Sergey

[1] https://issues.apache.org/jira/browse/CXF-4112
[2] http://cxf.apache.org/docs/jax-rs-oauth.html
[3] http://tools.ietf.org/html/draft-ietf-oauth-v2-23
[4] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17
[5] http://incubator.apache.org/amber/
Re: CXF-DOSGi and the OSGi Remote Service Admin TCK
Hi David

On 19/02/12 00:42, David Bosschaert wrote:

Hi all,

I was recently running the CXF-DOSGi 1.3 release through the OSGi TCK to make sure it's still compliant with the spec. It turned out that the changes made between 1.2 and 1.3 cause a number of TCK failures, so I've been looking at fixing them. Here's a quick summary.

* the single-bundle distro (which is used with the TCK) now includes the org.osgi.enterprise-4.2.0.jar. This is fine, but it didn't export/import the types defined in there which meant that these types existed twice in the VM, once inside the single bundle distro and once outside. This caused issues with ConfigAdmin and some event types since communication with the outside world wasn't possible with these types any more. I fixed this for the single-bundle distro (it doesn't apply to the multi-bundle distro).
* ExportReferenceImpl, which is really a wrapper, was used in a Map but missing hashCode and equals(). I added these.
* There were some issues around close() calls not completely properly behaving, I fixed those.
* RemoteServiceAdminCore was putting objects of the wrong type in the collection returned by exportService()

Some more changes may be needed in order to fully pass the TCK, but I've committed the above in r1290914.

Cool, guess you are thinking about 1.3.1 already :-)

Cheers, Sergey

Cheers,
David