Latest Activity

New Apache Santuario releases
3 weeks ago

By Colm O hEigeartaigh
Two new versions of the Apache Santuario - XML Security for Java project have been released. Version 2.0.1 (release notes) adds support for a number of previously unsupported algorithms, such as RSA with SHA-224, the RIPE-MD160 digest algorithm, and the RSASSA-PSS signature scheme. It also fixes a performance regression when evaluating signatures, a UTF-8 encoding issue with certain characters, an issue with using GCM algorithms with JDK 8, and a ...
Continue reading →

Apache CXF Fediz 1.1.1 released
1 month ago

By Colm O hEigeartaigh
Apache CXF Fediz 1.1.1 and 1.0.4 have been released. Fediz is a subproject of Apache CXF which implements the WS-Federation Passive Requestor Profile. It allows you to secure web applications using Single Sign-On (SSO) and Claims Based Access Control (CBAC), by redirecting users to an IdP (Identity Provider) for authentication, which in turn leverages the CXF STS (SecurityTokenService). Plugins are provided for the most popular web application ...
Continue reading →

Apache CXF Authentication and Authorization test-cases II
2 months ago

By Colm O hEigeartaigh
In a previous blog post, I covered a number of Apache CXF-based authentication and authorization testcases I uploaded to github. The testcases showed how to authenticate and authorize a SOAP request containing either a SOAP UsernameToken or HTTP Basic Authentication. The options for authentication/authorization backends included Apache DS (ldap), Apache Syncope, Apache Shiro, and Spring Security. In this post, I will cover a number of more advanced ...
Continue reading →

Apache CXF 3.0.0 released
2 months ago

By Colm O hEigeartaigh
Apache CXF 3.0.0 has been released. CXF 3.0.0 picks up Apache Santuario 2.0.0 and WSS4J 2.0.0, and hence all of the new streaming XML/WS-Security functionality available in those releases. Please see the CXF 3.0.0 migration guide for more details about upgrading from an older release. I've also updated the CXF Authentication and Authorization tests in my github repo to use CXF
Continue reading →

OAuth2 - the future of HTTP web services
2 months ago

By Sergey Beryozkin
If the only thing that you've heard about OAuth2 is that it is "insecure" then I'd like to say it is impossible to come up with the generic specification that will ensure the security of your application.
If you have invested some time into analyzing the specific OAuth2 flows and found the conditions under which the security can be breached then it is obvious that a care needs to be applied to whatever OAuth2 flow is deployed depending on how open the ...
Continue reading →

Apache WSS4J 2.0.0 released
2 months ago

By Colm O hEigeartaigh
Apache WSS4J 2.0.0 has been released. This major new release features a new StAX-based implementation of WS-Security, as well as a whole host of other changes and features. I've collected a lot of the information on this blog and created a User Guide for WSS4J as a result, so this is a good place to start to learn about the project and the new features of the
Continue reading →

Apache Santuario - XML Security for Java 2.0.0
2 months ago

By Colm O hEigeartaigh
Apache Santuario - XML Security for Java 2.0.0 has been released, after many months of development work. The main new feature of this release is a new StAX-based API for XML Signature and Encryption. Please see the following page for an overview of this functionality, with some links back to this blog containing configuration and samples. In addition to this new API, the other changes of note in this release are that the JSR-105 API has been removed, ...
Continue reading →

Apache WSS4J 2.0.0 - part VIII
2 months ago

By Colm O hEigeartaigh
This is the eight and final article on Apache WSS4J 2.0.0. In the previous post, I discussed how to use the new streaming WS-Security functionality of Apache WSS4J 2.0.0 via the "action" based configuration approach. In this post, I will show how the new streaming functionality can be used with Apache CXF when using WS-SecurityPolicy. I will also discuss the limitations of the streaming code compared to the older DOM implementation of WS-Security.

1) ...
Continue reading →

Apache WSS4J 2.0.0 - part VII
3 months ago

By Colm O hEigeartaigh
This is the seventh in a series of articles on Apache WSS4J 2.0.0. Up to now I've discussed the new features and changes for the older DOM implementation of WS-Security in WSS4J 2.0.0. This post will look at using the new streaming WS-Security functionality available in WSS4J 2.0.0, when security is configured via the "action"-based approach (as opposed to using WS-SecurityPolicy).

The WSS4J user guide has an article about the different ways to use ...
Continue reading →

New security advisories for Apache CXF
3 months ago

By Colm O hEigeartaigh
Four new security advisories have been disclosed for Apache CXF. They are:
  • CVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errors
  • CVE-2014-0110: Large invalid content could cause temporary space to fill
  • CVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as valid
  • CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
Please see the security advisories page of Apache CXF ...
Continue reading →

XML Security improvements for JAX-RS in Apache CXF 3.0.0
3 months ago

By Colm O hEigeartaigh
Recently on this blog, I've covered the new streaming XML Security functionality that will be available in Apache Santuario - XML Security for Java 2.0.0. For more information about why to use the new streaming implementation, as well as how to use it, please review the following - XML Signature is covered here,  XML Encryption is covered here, and some memory benchmarks are presented here. This article will cover using the new streaming XML ...
Continue reading →

The Tom EE Tribe Time
3 months ago

By Sergey Beryozkin
You do not have to have any specific experience with Tom EE to become a fan. You do not even have to download it. You only have to talk or listen to David Blevins, a long time EE practitioner and the leader of TomiTribe, the real business around Tom EE, to feel excited and realize Tom EE is coming near you if not now but very soon.

We are the fans of TomEE+ of course :-).

You can become the member of the Tom EE(i) Tribe too, play with Tom EE and ...
Continue reading →

Observations about Apache Con NA 2014
3 months ago

By Sergey Beryozkin
It has been a while since I visited Apache Con last time, so I was happy I got a chance to go to Apache Con NA 2014 held in Denver, nice 'mile high' city, April 7-9.

It may be quite a cliche thing to say but the most rewarding thing about visiting Apache Con is about socializing with the fellow team mates, committers and visitors, seeing people you have talked with over the years but not realizing how impressive they look like in the real life :-). ...
Continue reading →

Apache Santuario - XML Security for Java 2.0.0 - part III
3 months ago

By Colm O hEigeartaigh
In the previous couple of posts, I've introduced the new streaming functionality of Apache Santuario - XML Security for Java 2.0.0. The first post focused on XML Signature and the second post focused on XML Encryption. This post will discuss the performance of the new streaming approach. In particular, we will focus on the memory consumption of the DOM vs StAX implementations as the size of the XML tree increases. Both implementations are roughly ...
Continue reading →

Apache Santuario - XML Security for Java 2.0.0 - part II
3 months ago

By Colm O hEigeartaigh
In the previous blog post, I covered the new StAX-based (streaming) XML Signature functionality coming in Apache Santuario - XML Security for Java 2.0.0. In this post, I will focus on the new streaming XML Encryption functionality that will also be available in this release.

1) XML Encryption test-cases

I have uploaded some test-cases to github to show how to use the new StAX-based API. The tests and setup mirror the XML Signature testcases that I ...
Continue reading →

Revisiting JMS performance. Improvements in CXF 3.0.0
4 months ago

By Christian Schneider

Blog post edited by Christian Schneider

Some time ago I did some CXF performance measurements. See How fast is CXF ? - Measuring CXF performance on http, https and jms.

For cxf 3.0.0 I did some massive changes on the JMS transport. So I thought it is a good time to compare cxf 2.x and 3 in JMS performance. My goal was to reach at least the original performance. As my ...


Continue reading →

How fast is CXF ? - Measuring CXF performance on http, https and jms
4 months ago

By Christian Schneider

Blog post edited by Christian Schneider

From time to time people ask how fast is CXF? Of course this is a difficult question as the measuered speed depends very much on the Hardware of the test setup and on the whole definition of the test.
So I am trying to explain how you can do your own tests and what to do to make sure you get clean results.

What should you keep in ...


Continue reading →

Hadoop CDC and processes notification with Apache Falcon, Apache ActiveMQ, and Apache Camel
4 months ago

By Jean-Baptiste Onofré
Some weeks (months ? ;)) ago, I started to work on Apache Falcon. First of all, I would like to thanks all Falcon guys: they are really awesome and do a great job (special thanks to Srikanth, Venkatesh, Swetha). This blog post is a preparation to a set of “recipes documentation” that I will propose
Continue reading →

Apache Santuario - XML Security for Java 2.0.0
4 months ago

By Colm O hEigeartaigh
In recent posts I have described some of the new features of the forthcoming Apache WSS4J 2.0.0 release. In particular, I focused on the changes and improvements to the existing "in-memory" (DOM-based) WS-Security implementation. However, the biggest new feature of WSS4J 2.0.0 will be a new streaming (StAX-based) WS-Security stack. In the next couple of posts, we will examine the core streaming XML Security functionality that will be available in the ...
Continue reading →

Apache Karaf, Cellar, Camel, ActiveMQ monitoring with ELK (ElasticSearch, Logstash, and Kibana)
4 months ago

By Jean-Baptiste Onofré
Apache Karaf, Cellar, Camel, and ActiveMQ provides a lot of information via JMX. More over, another very useful source of information is in the log files. If these two sources are very interesting, for a “real life” monitoring, we need some additional features: The JMX information and log messages should be stored in order to
Continue reading →

Apache CXF Authentication and Authorization test-cases
4 months ago

By Colm O hEigeartaigh
I've recently uploaded some test-cases to github that show different ways to authenticate and authorize a web services invocation using Apache CXF. Each project has the same two simple use-cases:
  • A JAX-WS request where the service requires a WS-Security UsernameToken over TLS.
  • A JAX-WS request where the service requires HTTP Basic Auth over TLS.
Each project has an "AuthenticationTest" that just illustrates some tests (including negative tests) for ...
Continue reading →

Apache WSS4J 2.0.0 - part VI
5 months ago

By Colm O hEigeartaigh
This is the sixth of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The fifth article looked at support for signing and encrypting message attachments via the SOAP with Attachments (SWA) Profile 1.1 specification, as well as the associated WS-SecurityPolicy expressions to sign and encrypt attachments. This post looks at the WS-SecurityPolicy model in WSS4J 2.0.0 and how it is used by the streaming ...
Continue reading →

Feeling Hawkish about OAuth2 ?
5 months ago

By Sergey Beryozkin
You all know the recent OAuth history of course, Eran Hammer, the author of  popular OAuth1 specification, leaving the OAuth2 work group, with OAuth2 not getting much of a praise from Eran afterwards.
 
Eran has started several projects afterwards, Hawk and Oz in particular.  The former is the evolution of the MAC draft Eran and others authored as part of the OAuth2 work, the latter is the alternative to OAuth2.

Now, I do like the OAuth2 ...
Continue reading →

You're gonna be a star with CXF !
5 months ago

By Sergey Beryozkin
I've happened to listen to one of my favorite songs, All the Way to Reno from R.E.M, just recently, which probably shows me being not exactly very young :-).

Apparently the text has a lot of subtle meanings but one really can't beat its gentle rhythm leading to the listener having a kind of 'life is good' feeling, being optimistic.

"You're gonna be a star", you really can and you will...Feeling the excitement has gone out of the web services ...
Continue reading →

Apache WSS4J 2.0.0 - part V
5 months ago

By Colm O hEigeartaigh
This is the fifth of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The fourth article looked at the ability to encrypt passwords in Crypto properties files. This post looks at support for signing and encrypting message attachments via the SOAP with Attachments (SWA) Profile 1.1 specification, as well as the associated WS-SecurityPolicy expressions to sign and encrypt attachments. Note that there ...
Continue reading →

Use OAuth2 tokens to protect CXF SOAP endpoints
5 months ago

By Sergey Beryozkin
So you are a happy Apache CXF developer working with its second-to-none WS SOAP front-end, creating SOAP endpoints protected by WS-Security. Your friends from the other team have deployed few CXF JAX-RS endpoints protected by the OAuth2 filter validating the incoming OAuth2 tokens with the remote OAuth2 server.

Now, you really, really, really want to get your SOAP client code use OAuth2 tokens too, the same tokens non-SOAP RS clients use to access RS ...
Continue reading →

Apache WSS4J 2.0.0 - part IV
5 months ago

By Colm O hEigeartaigh
This is the fourth of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The third article looked at some changes in the area of caching tokens to detect replay attacks. This post looks at a new feature of WSS4J 2.0.0, which is the ability to encrypt passwords in Crypto properties files.

1) Crypto properties

Apache WSS4J uses the Crypto interface to get keys and certificates for encryption/decryption and ...
Continue reading →

Stateless OAuth2 providers in CXF 3.0.0
5 months ago

By Sergey Beryozkin
Writing a proper OAuth2 data provider typically involves persisting the data such as access token, refresh token and transient authorization code representations in the storage of some sort (relational database, etc).

It is also a well-known fact that major OAuth2 providers often have the access token state encrypted - the clients effectively keep the token state, the server does not need to worry about persisting and looking up the tokens. It is ...
Continue reading →

Apache WSS4J 2.0.0 - part III
6 months ago

By Colm O hEigeartaigh
This is the third of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The second article grouped together some new features that were too small to warrant a separate article on their own. This article will focus on some changes in the area of caching tokens to detect replay attacks.

1) Replay Attack detection in Apache WSS4J 1.6.x

Please see a previous article I wrote which covers what Replay Attacks ...
Continue reading →

Features coming in Fediz 1.2 - REST
6 months ago

By Oliver Wulff
The work for Fediz 1.2 has started and introduces a bunch of new features for the IDP. This post shall introduce the new features to initiate the discussion (recommended in the CXF Dev Mailing list) now. These features become available in the new minor release. Therefore, the branch trunk is has been changed to this version. The new features are:
  • Single Logout

    The IDP supports to logout from all web applications in one click according the ...


Continue reading →
More Articles (+10)

Pages

Subscribe to Talend Community Coders aggregator