Latest Activity

This extension will be available in CXF release 2.7.6 which is not yet available. But you can run tests with the SNAPSHOT build till this version is released. Please provide feedback to the CXF mailing list.

Different logging frameworks (SLF4J, Log4J, Logback, JUL) can be used to log events for Apache CXF STS. The configuration allows to define which logger should log messages till to which log level. That works fine to drill down generic issues but ...

Continue reading →

When deploying a web service provider to a J2EE server such as Oracle WebLogic or IBM WebSphere Application Server it's probably easiest to first try to deploy as a WAR and see if that will work. However, due to classloader issues or a desire to take advantage of container-specific configuration you may find yourself needing to deploy your web service as an enterprise archive (EAR). This sample converts my WAR-based DoubleIt web service tutorial to ...

Continue reading →

One of the new features in Apache CXF 2.7.x that I worked hard on was the introduction of support for WS-Discovery. WS-Discovery is basically a standard way for a service to announce when it’s available as well as standard way to probe the network for services that meet certain criteria and have the services that
Continue reading →

I described in a previous blog how to configure the CXF STS for an LDAP directory for authentication and to retrieve user claims (attributes). The new release 2.7.5 of CXF provides extended support for roles managed in a LDAP directory. In previous versions, the LdapClaimsHandler added groups as roles if the groups were assigned to a multi-value attribute of the user. The new release provides an LdapGroupClaimsHandler which supports the case where an ...
Continue reading →

Blog post edited by Christian Schneider

At least for some time the whole world seemed to only talk about ESB and webservices. These technologies have their place in integration but they are quite complex and starting with them means you have to invest a lot of time and or money. Recently around the release of Java EE 6 the idea of simplicity came back to the Enterprise ...

Continue reading →

Some exercise and diet lessons I've learned through the years:

Exercise:

1. Switch from per-day to per-week discipline. For many years I tried to exercise a set amount each day or every other day but would find my discipline would soon wane for one reason or another, causing difficulty restarting and getting back into a groove. About six years ago I switched to per-week discipline, which I've been able to adhere to 100% since then, amazing ...

Continue reading →

Glassfish Jersey provides roughly three dozen RESTful samples (zip) (SVN) in its Version 1.17 (JAX-RS 1.1 compatible) release. I thought it would be useful to convert several of the examples to Apache CXF to see the changes needed for them to run. I have the converted samples stored on GitHub for all to view/download -- they can obtained via the download ZIP button or via the Git git clone -v git://github.com/gmazza/jersey-samples-on-cxf.git ...

Continue reading →

Last night the Washington DC chapter of the ACM held a meetup at the New America Foundation featuring Dr. Larry Davis of the University of Maryland. He gave a broad overview of the history and applications of computer vision over the decades, successes and challenges, and current techniques and goals in the field. My notes from the meeting:

• Early research in computer vision started in the 1960's by the U.S. Post Office, with the goal of having ...

Continue reading →

Saturday, I decided to upgrade to Ubuntu 13.04. I used Ubuntu 12.04 LTS for a long time (since the release date). So the first step was to upgrade to Ubuntu 12.10: no problem with this upgrade, it works straight forward. After that I upgraded to 13.04, and I had the following issues. Upgrade to AMD
Continue reading →

Blog post edited by Christian Schneider

Shows how to run your camel routes in the OSGi server Apache Karaf. Like for CXF blueprint is used to boot up camel. The tutorial shows three examples - a simple blueprint route, a jms2rest adapter and an order processing example.

Installing Karaf and making Camel features available

• Download Karaf 2.3.1 and unpack to the file ...

Continue reading →

I attended last night's OpenStackDC meetup graciously sponsored by HPCloud. It was held at the Warehouse Theater, a large room in an older masonry-starred building across the street from the D.C. Convention Center. OpenStack is an Apache-licensed cloud computing platform sponsored by several major companies as an alternative to proprietary offerings from companies such as Amazon, VMWare and Google. One of the main benefits OpenStack provides is ...

Continue reading →

Blog post edited by Christian Schneider

Shows how to publish and use a simple REST and SOAP service in karaf using cxf and blueprint.

To run the example you need to install the http feature of karaf. The default http port is 8080 and can be configured using the
config admin pid "org.ops4j.pax.web". You also need to install the cxf feature. The base url of the cxf ...

Continue reading →

Apache CXF 2.7.4 (and 2.6.7 + 2.5.10) have been released. Users are strongly encouraged to upgrade to the latest versions, due to a critical security issue which must remain undisclosed for the moment. These latest releases pick up Apache Santuario 1.5.4 and Apache WSS4J 1.6.10. In addition to the fixes in these projects, CXF 2.7.4 contains a number of security fixes of interest.

1) WS-SecurityPolicy fixes

A large number of negative tests for ...
Continue reading →

I attended Data Business DC's April meetup last night, featuring speakers from Oracle, MapR, and Intridea held at the impressive (yet still under construction) facility of Washington's new startup incubator 1776. Data Business DC is a sub-organization of Data Community DC, and this presentation was part of Big Data Week Washington. The slides from all three presentations are available online. My notes from the presentations:

Speaker #1 - Charles ...

Continue reading →

Full Spring Security Support in Apache CXF Fediz

New features are going to be added in the next version 1.1 of Fediz. I described here how to configure the new Fediz plugin for Spring Security with Container Managed Security (Pre-Authentication in Spring Security terms). The current snapshot version of Fediz 1.1 provides also full/native Spring Security support which means the Servlet Container runs unauthenticated (no security constraints defined in ...

Continue reading →

Two new bug-fix releases of note in Apache security products:

Apache Santuario 1.5.4 has been released. Amongst the issues fixed is a thread-safety problem when secure validation is enabled, and a possible NPE due to ThreadLocal storage when an application is deployed in certain containers.

Apache WSS4J 1.6.10 has also been released. The issues fixed are available here. A performance issue was fixed in the MemoryReplayCache, which is used to guard ...
Continue reading →

Those of you living in Ireland who tune to listen to a brilliant NewsTalk team will recognize where I've got the idea for this regular, first half of the year, off-topic post :-), indeed, it is from NewsTalk being "more than just news, you know!".

So I got inspired and decided to do this short entry and suggest to you, the developers of web services, that CXF is more just a library,

It is the home, blueprint for developing the modern, secure web ...
Continue reading →

Awhile back I posted an entry on how to get CXF JAX-RS loaded successfully within your favorite Java EE application container, and specifically within the containers like JBoss or Glassfish which have their preferred JAX-RS implementations actively supported.

I think it was a good enough initial step but it proved to be quite incomplete, with users reporting CXF failing to handle the objects of some of JAX-RS core types like Response.

In this rather ...
Continue reading →

.scroll { overflow: auto; /* Добавляем полосы прокрутки */ width: 570px; /* Ширина блока */ padding: 5px; /* Поля вокруг текста */ } .scroll-height { overflow: auto; /* Добавляем полосы прокрутки */ width: 570px; /* Ширина блока */ padding: 5px; /* Поля вокруг текста */ height: 300px; } CXF security ...
Continue reading →

The Apache WSS4J configuration allows you to specify how to reference a public key or certificate when signing or encrypting a SOAP message via the following configuration items:

• WSHandlerConstants.SIG_KEY_ID ("signatureKeyIdentifier").
• WSHandlerConstants.ENC_KEY_ID ("encryptionKeyIdentifier").

This blog entry will explain what values are valid for each of these configuration items, and will explain what each of these values means. Firstly, let's look ...
Continue reading →

OAuth2 allows third-party clients to use different types of grants in order to request access tokens. The specification defines a number of grant types to get some specific flows supported, but also allows for extensions - one can use whatever custom grant is required in a particular scenario.

SAML2 Bearer Assertion Profiles  and JWT Bearer Token Profiles standardize  two such extension grants, SAML2 Bearer Assertions and JWT Bearer Tokens ...
Continue reading →

In February 2013, I was at ApacheCon NA 2013 in Portland, Oregon, US where I learned a lot about several Apache projects.

My presentation was about SSO and Fine Grained Authorization in the Cloud. I gave an introduction about application security 10-15 years ago and how to address challanges with Cloud deployment using Apache CXF Fediz.

Here are the slides from my talk:

ApacheCon 2013 SSO and Fine Grained Authorization in the Cloud from Oliver ...

Continue reading →

Apache CXF 2.7.3 (release notes), 2.6.6, and 2.5.9 have been released and are available for download. These releases contain fixes for a number of critical security issues, which I will describe below.

1) CVE-2012-5633

A security advisory has been issued in relation to a possible circumvention of WS-Security processing of an inbound request, due to the URIMappingInterceptor in CXF. This is a legacy interceptor (largely made redundant by JAX-RS) that ...
Continue reading →

Apache CXF is a leading web services stack with excellent support for a long list of security protocols such as WS-Security, OAuth, etc. A recent addition to this list is support for WS-Federation via the Apache CXF Fediz subproject. In this post, we will introduce Fediz and illustrate how to secure a web application with Fediz via an example.

1) Introducing Apache CXF Fediz

The Apache CXF Fediz subproject provides an easy way to secure your web ...
Continue reading →

Blog post edited by Christian Schneider

Getting Started

With this post I am beginning a series of posts about Apache Karaf. So what is Karaf and why should you be interested in it? Karaf is an OSGi container based on Equinox or Felix. The main difference to these fine containers is that it brings excellent management features with it.

Outstanding features of Karaf:

• ...

Continue reading →

WS-Policy statements for WSDLs are quite complex of course and outside the bounds of most of us to create from scratch. For assistance, CXF users can leverage the WSDL Policy statements provided in the distribution's security examples and in the CXF test cases for their own work (as well as, as always, the User's mailing list for questions). Metro provides wizard-based Policy generators in NetBeans that add the Policy statements to the user's WSDL ...

Continue reading →

JAX magazine for Java developers features articles and tutorials which can help to get the most of all the new and cool technologies and developments happening in the Java land today.

The latest issue offers, among other features, the tutorial introducing FIQL and how it is currently supported in Apache CXF. Please download the issue as a PDF or get it over your preferred channel (on iTunes, etc), and see what you can do with FIQL - and provide the ...
Continue reading →

Talend will be very well represented at ApacheCon 2013 in Portland, Oregon next week, painting the town lime green. Talend session speakers:

Date Time Speaker Presentation Tuesday 2/26 11:45 a.m Colm O hEigeartaigh Integrating Apache Syncope with Apache CXF Tuesday 2/26 4:15 p.m. Oliver Wulff SSO and fine grained authorization in the cloud Thursday 2/28 10:15 a.m. Kai Waehner NoSQL takes over – Systems Integration in the NoSQL Era ...

Continue reading →

Initial support for Spring Security in Apache CXF Fediz added

New features are going to be added in the next version 1.1. The next feature ready for testing is the support for Spring Security for version 3.1

You can either download the sources here:

git clone git://git.apache.org/cxf-fediz.git

or

svn co https://svn.apache.org/repos/asf/cxf/fediz/trunk

or download it from the snapshot maven repository.

The Fediz Spring Plugin supports integration with ...

Continue reading →

Blog post edited by Christian Schneider

By default OSGi services are only visible and accessible in the OSGi container where they are published. Distributed OSGi allows to define services in one container and use them in some other (even over machine boundaries).

For this tutorial we use the DOSGi sub project of CXF which is the reference implementation of the OSGi ...

Continue reading →