Latest Activity

Apache CXF Fediz 1.1.2 released
15 hours ago

By Colm O hEigeartaigh
Apache CXF Fediz 1.1.2 has been released. Apache CXF Fediz is a Single Sign-On (SSO) solution based on the WS-Federation Passive Requestor Profile. It consists of an Identity Provider (IdP) which leverages the Apache CXF STS to issue tokens, as well as a number of container-specific plugins (Jetty, Tomcat, Spring, etc.) to enable SSO for web applications. The issues fixed in the new release include an upgrade to CXF 2.7.13, support for claims mapping ...

Kerberos Credential Delegation support in Apache CXF
1 day ago

By Colm O hEigeartaigh
Apache CXF provides full support for integrating Kerberos with JAX-WS and JAX-RS services. A previous tutorial (here and here) described how to set up Kerberos with WS-Security in CXF, where the client obtains a Kerberos service ticket and encodes it in the security header of the request, and where it is validated in turn by the service. In this post we will discuss support for Kerberos credential delegation for JAX-WS clients and services in Apache ...

CXF becomes friends with Tika and Lucene
1 week ago

By Sergey Beryozkin
You may have been thinking for a while: would it actually be cool to get some experience with Apache Lucene and Apache Tika and enhance the JAX-RS services you work upon along the way? Lucene and Tika are those cool projects people are talking about, but as it happens there has never been an opportunity to use them in your project...

Apache Lucene is a well known project where its community keeps innovating with improving and optimizing the ...

Using JAAS with Apache CXF
1 week ago

By Colm O hEigeartaigh
Apache CXF supports a wide range of tokens for authentication (SAML, UsernameTokens, Kerberos, etc.), and also offers different ways of authenticating these tokens. A standard way of authenticating a received token is to use a JAAS LoginModule. This article will cover some of the different ways you can configure JAAS in CXF, and some of the JAAS LoginModules that are available.

1) Configuring JAAS in Apache CXF

There are a number of different ways to ...

New Apache WSS4J releases
1 week ago

By Colm O hEigeartaigh
Apache WSS4J 1.6.17 and 2.0.2 have been released. WSS4J 2.0.2 picks up some bug fixes via Apache Santuario and BouncyCastle dependency upgrades, in particular the latter upgrade fixes some Kerberos issues. Both releases contain some changes to how SAML tokens are processed that will be described in a forthcoming blog post.

I also added a new Security Advisories page to the WSS4J website. For the moment it just contains some links and information on ...

Some recent WS-Trust client topics in Apache CXF
2 weeks ago

By Colm O hEigeartaigh
There are a number of minor new features and changes in recent versions of Apache CXF with respect to the client side of WS-Trust, which will be documented in this post.

1) STSClient configuration

CXF's STSClient is responsible for communicating with a Security Token Service (STS) via the WS-Trust protocol, in order to issue/validate/renew/etc. a security token. To support WS-Trust on the client side in CXF, it is necessary to construct an STSClient ...

Apache CXF Authentication and Authorization test-cases III
2 weeks ago

By Colm O hEigeartaigh
This is the third in a series of posts on authentication and authorization test-cases for web services using Apache CXF. The first post focused on authenticating and authorizing web service requests that included a username and password (WS-Security UsernameToken and HTTP/BA). The second article looked at more sophisticated ways of performing authentication and authorization, such as using X.509 certificates, using a SecurityTokenService (STS), using ...

Encrypt ConfigAdmin properties values in Apache Karaf
2 weeks ago

By Jean-Baptiste Onofré
Apache Karaf loads all the configuration from etc/*.cfg files by default, using a mix of Felix FileInstall and Felix ConfigAdmin. These files are regular properties files looking like: Some values may be critical, and so should not be stored in plain text. It could be critical business data (credit card number, etc.), or technical data (password to

Apache Santuario - XML Security for Java 2.0.2 release
3 weeks ago

By Colm O hEigeartaigh
Apache Santuario - XML Security for Java 2.0.2 has been released. This is a minor release that fixes a couple of bugs with the streaming code and contains a few dependency

MDC logging with Apache Karaf and Camel
1 month ago

By Jean-Baptiste Onofré
MDC (Mapped Diagnostic Context) logging is an interesting feature to log contextual messages. It’s classic to want to log contextual messages in your application. For instance, we want to log the actions performed by a user (identified by a username or user id). As you have a lot of simultaneous users on your application, it’s

Testing (utest and itest) Apache Camel Blueprint route
1 month ago

By Jean-Baptiste Onofré
In any integration project, testing is vital for multiple reasons:
  • to guarantee that the integration logic matches the expectations
  • to quickly identify some regression issues
  • to test some special cases, like the errors for instance
  • to validate the successful provisioning (deployment) on a runtime as close as possible to the target platform
We distinguish two

Apache JMeter to test Apache ActiveMQ on CI with Maven/Jenkins
1 month ago

By Jean-Baptiste Onofré
Apache JMeter is a great tool for testing, especially performance testing. It provides a lot of samplers that you can use to test your web services, web applications, etc. It also includes a couple of samplers for JMS that we can use with ActiveMQ.

Preparing JMeter for ActiveMQ

For this article, I downloaded JMeter 2.10

Webex on Ubuntu 14.04
2 months ago

By Jean-Baptiste Onofré
Webex is a great tool but unfortunately, it doesn’t work “out of the box” on Ubuntu 14.04 (and also with previous Ubuntu releases). For instance, the Webex applet starts but it doesn’t refresh correctly, or the sharing of desktop/application doesn’t work. Actually, the issue is due to: some libraries required by Webex are missing on

[OT] Wake Up To CXF Revolution !
2 months ago

By Sergey Beryozkin
It's the end of the summer, still warm outside, and your friends from the Big Data team have millions of millions of records processed per second with Hadoop and give the happy smiles of those who are doing something new and cool. And you have GET, POST, maybe PUT, then again GET. Occasional DELETE and, if you are really lucky, you've got PATCH in the logs. You are starting to wonder: is it really still cool to be a web service developer, does ...

Apache Syncope backend with Apache Karaf
2 months ago

By Jean-Baptiste Onofré
Apache Syncope is an identity manager (IdM). It comes with a web console where you can manage users, attributes, roles, etc. It also comes with a REST API that allows integration with other applications. By default, Syncope has its own database, but it can also “façade” another backend (LDAP, Active Directory, JDBC) by using ConnId. In

Learn JOSE and become a better Web Service Developer
2 months ago

By Sergey Beryozkin
The work around OAuth2 and JOSE in particular has inspired me.

So much that I've ordered several books from Amazon.co.uk - and it's been quite a while since the idea of buying a book occurred to me; and several books in the age of Google? - see, it did inspire me.

Sometimes we the developers think that we know all, and if not all then we think we won't need that extra piece of knowledge, being the experts we are. Software engineering is not easy. ...

JAX-RS is not only about REST
2 months ago

By Sergey Beryozkin
I've been planning to post this 'philosophical' piece for a while.

The JAX-RS specification (Java API for RESTful services) really got off the ground a long time ago. JAX-RS 2.0 with its new brilliant features, with three JAX-RS 2.0 frameworks around (there will possibly be more, we never know), is and will further contribute to the popularity of JAX-RS.

JAX-RS 2.1 work will go ahead soon enough and it will be another great specification, I've ...

New Apache Santuario releases
3 months ago

By Colm O hEigeartaigh
Two new versions of the Apache Santuario - XML Security for Java project have been released. Version 2.0.1 (release notes) adds support for a number of previously unsupported algorithms, such as RSA with SHA-224, the RIPEMD-160 digest algorithm, and the RSASSA-PSS signature scheme. It also fixes a performance regression when evaluating signatures, a UTF-8 encoding issue with certain characters, an issue with using GCM algorithms with JDK 8, and a ...

Apache CXF Fediz 1.1.1 released
4 months ago

By Colm O hEigeartaigh
Apache CXF Fediz 1.1.1 and 1.0.4 have been released. Fediz is a subproject of Apache CXF which implements the WS-Federation Passive Requestor Profile. It allows you to secure web applications using Single Sign-On (SSO) and Claims Based Access Control (CBAC), by redirecting users to an IdP (Identity Provider) for authentication, which in turn leverages the CXF STS (SecurityTokenService). Plugins are provided for the most popular web application ...

Apache CXF Authentication and Authorization test-cases II
4 months ago

By Colm O hEigeartaigh
In a previous blog post, I covered a number of Apache CXF-based authentication and authorization test cases I uploaded to GitHub. The test cases showed how to authenticate and authorize a SOAP request containing either a SOAP UsernameToken or HTTP Basic Authentication. The options for authentication/authorization backends included Apache DS (LDAP), Apache Syncope, Apache Shiro, and Spring Security. In this post, I will cover a number of more advanced ...

Apache CXF 3.0.0 released
5 months ago

By Colm O hEigeartaigh
Apache CXF 3.0.0 has been released. CXF 3.0.0 picks up Apache Santuario 2.0.0 and WSS4J 2.0.0, and hence all of the new streaming XML/WS-Security functionality available in those releases. Please see the CXF 3.0.0 migration guide for more details about upgrading from an older release. I've also updated the CXF Authentication and Authorization tests in my GitHub repo to use CXF

OAuth2 - the future of HTTP web services
5 months ago

By Sergey Beryozkin
If the only thing that you've heard about OAuth2 is that it is "insecure", then I'd like to say it is impossible to come up with a generic specification that will ensure the security of your application.
If you have invested some time into analyzing the specific OAuth2 flows and found the conditions under which the security can be breached, then it is obvious that care needs to be applied to whatever OAuth2 flow is deployed, depending on how open the ...

Apache WSS4J 2.0.0 released
5 months ago

By Colm O hEigeartaigh
Apache WSS4J 2.0.0 has been released. This major new release features a new StAX-based implementation of WS-Security, as well as a whole host of other changes and features. I've collected a lot of the information on this blog and created a User Guide for WSS4J as a result, so this is a good place to start to learn about the project and the new features of the

Apache Santuario - XML Security for Java 2.0.0
5 months ago

By Colm O hEigeartaigh
Apache Santuario - XML Security for Java 2.0.0 has been released, after many months of development work. The main new feature of this release is a new StAX-based API for XML Signature and Encryption. Please see the following page for an overview of this functionality, with some links back to this blog containing configuration and samples. In addition to this new API, the other changes of note in this release are that the JSR-105 API has been removed, ...

Apache WSS4J 2.0.0 - part VIII
5 months ago

By Colm O hEigeartaigh
This is the eighth and final article on Apache WSS4J 2.0.0. In the previous post, I discussed how to use the new streaming WS-Security functionality of Apache WSS4J 2.0.0 via the "action"-based configuration approach. In this post, I will show how the new streaming functionality can be used with Apache CXF when using WS-SecurityPolicy. I will also discuss the limitations of the streaming code compared to the older DOM implementation of WS-Security.

1) ...

Apache WSS4J 2.0.0 - part VII
5 months ago

By Colm O hEigeartaigh
This is the seventh in a series of articles on Apache WSS4J 2.0.0. Up to now I've discussed the new features and changes for the older DOM implementation of WS-Security in WSS4J 2.0.0. This post will look at using the new streaming WS-Security functionality available in WSS4J 2.0.0, when security is configured via the "action"-based approach (as opposed to using WS-SecurityPolicy).

The WSS4J user guide has an article about the different ways to use ...

New security advisories for Apache CXF
5 months ago

By Colm O hEigeartaigh
Four new security advisories have been disclosed for Apache CXF. They are:
  • CVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errors
  • CVE-2014-0110: Large invalid content could cause temporary space to fill
  • CVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as valid
  • CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
Please see the security advisories page of Apache CXF ...

XML Security improvements for JAX-RS in Apache CXF 3.0.0
5 months ago

By Colm O hEigeartaigh
Recently on this blog, I've covered the new streaming XML Security functionality that will be available in Apache Santuario - XML Security for Java 2.0.0. For more information about why to use the new streaming implementation, as well as how to use it, please review the following - XML Signature is covered here, XML Encryption is covered here, and some memory benchmarks are presented here. This article will cover using the new streaming XML ...

The Tom EE Tribe Time
5 months ago

By Sergey Beryozkin
You do not have to have any specific experience with Tom EE to become a fan. You do not even have to download it. You only have to talk to or listen to David Blevins, a long-time EE practitioner and the leader of TomiTribe, the real business around Tom EE, to feel excited and realize Tom EE is coming near you, if not now then very soon.

We are the fans of TomEE+ of course :-).

You can become the member of the Tom EE(i) Tribe too, play with Tom EE and ...

Observations about Apache Con NA 2014
5 months ago

By Sergey Beryozkin
It has been a while since I last visited Apache Con, so I was happy I got a chance to go to Apache Con NA 2014, held in Denver, the nice 'mile high' city, April 7-9.

It may be quite a cliché thing to say, but the most rewarding thing about visiting Apache Con is socializing with the fellow team mates, committers and visitors, seeing people you have talked with over the years but not realizing how impressive they look in real life :-). ...