keycloak-scim/securing_apps/topics/oidc/java/fuse/cxf-builtin.adoc


[[fuse_adapter_cxf_builtin]]
===== Securing an Apache CXF Endpoint on the Default Jetty Engine

Some services automatically come with deployed servlets on startup. One such service is the CXF servlet running in the $$http://localhost:8181/cxf$$ context. Securing such endpoints can be complicated. One approach, which {project_name} is currently using, is ServletReregistrationService, which undeploys a built-in servlet at startup, enabling you to redeploy it on a context secured by {project_name}.

The configuration file `OSGI-INF/blueprint/blueprint.xml` inside your application might resemble the one below. Note that it adds the JAX-RS `customerservice` endpoint, which is endpoint-specific to your application, but more importantly, secures the entire `/cxf` context.

[source,xml]
----
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"
           xsi:schemaLocation="
		http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
		http://cxf.apache.org/blueprint/jaxrs http://cxf.apache.org/schemas/blueprint/jaxrs.xsd">

    <!-- JAXRS Application -->

    <bean id="customerBean" class="org.keycloak.example.rs.CxfCustomerService" />

    <jaxrs:server id="cxfJaxrsServer" address="/customerservice">
        <jaxrs:providers>
            <bean class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider" />
        </jaxrs:providers>
        <jaxrs:serviceBeans>
            <ref component-id="customerBean" />
        </jaxrs:serviceBeans>
    </jaxrs:server>


    <!-- Securing of whole /cxf context by unregister default cxf servlet from paxweb and re-register with applied security constraints -->

    <bean id="cxfConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
        <property name="constraint">
            <bean class="org.eclipse.jetty.util.security.Constraint">
                <property name="name" value="cst1"/>
                <property name="roles">
                    <list>
                        <value>user</value>
                    </list>
                </property>
                <property name="authenticate" value="true"/>
                <property name="dataConstraint" value="0"/>
            </bean>
        </property>
        <property name="pathSpec" value="/cxf/*"/>
    </bean>

    <bean id="cxfKeycloakPaxWebIntegration" class="org.keycloak.adapters.osgi.PaxWebIntegrationService"
          init-method="start" destroy-method="stop">
        <property name="bundleContext" ref="blueprintBundleContext" />
        <property name="jettyWebXmlLocation" value="/WEB-INF/jetty-web.xml" />
        <property name="constraintMappings">
            <list>
                <ref component-id="cxfConstraintMapping" />
            </list>
        </property>
    </bean>

    <bean id="defaultCxfReregistration" class="org.keycloak.adapters.osgi.ServletReregistrationService" depends-on="cxfKeycloakPaxWebIntegration"
          init-method="start" destroy-method="stop">
        <property name="bundleContext" ref="blueprintBundleContext" />
        <property name="managedServiceReference">
            <reference interface="org.osgi.service.cm.ManagedService" filter="(service.pid=org.apache.cxf.osgi)" timeout="5000"  />
        </property>
    </bean>

</blueprint>
----

As a result, all other CXF services running on the default CXF HTTP destination are also secured. Similarly, when the application is undeployed, the entire `/cxf` context becomes unsecured as well. For this reason, using your own Jetty engine for your applications as described in <<_fuse_adapter_cxf_separate,Secure CXF Application on separate Jetty Engine>> then gives you more
control over security for each individual application.

* The `WEB-INF` directory might need to be inside your project (even if your project is not a web application). You might also need to edit the `/WEB-INF/jetty-web.xml` and `/WEB-INF/keycloak.json` files in a similar way as in <<_fuse_adapter_classic_war,Classic WAR application>>.
Note that you do not need the `web.xml` file as the security constraints are declared in the blueprint configuration file.

* The `Import-Package` in `META-INF/MANIFEST.MF` must contain these imports:

[source, subs="attributes"]
----
META-INF.cxf;version="[2.7,3.2)",
META-INF.cxf.osgi;version="[2.7,3.2)";resolution:=optional,
org.apache.cxf.transport.http;version="[2.7,3.2)",
org.apache.cxf.*;version="[2.7,3.2)",
com.fasterxml.jackson.jaxrs.json;version="[2.5,3)",
org.eclipse.jetty.security;version="[8,10)",
org.eclipse.jetty.util.security;version="[8,10)",
org.keycloak.*;version="{project_versionMvn}",
org.keycloak.adapters.jetty;version="{project_versionMvn}",
*;resolution:=optional
----
More Fuse adapter documentation. Remove references to Apache Karaf 2016-06-03 13:09:26 +00:00
fixed Wildfly mentions and faulty links with underscores 2019-01-21 16:15:22 +00:00			`[[fuse_adapter_cxf_builtin]]`
fixed RHSSO-638, 640, and 730-Fuse edits 2017-02-27 01:45:09 +00:00			`===== Securing an Apache CXF Endpoint on the Default Jetty Engine`
More Fuse adapter documentation. Remove references to Apache Karaf 2016-06-03 13:09:26 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`Some services automatically come with deployed servlets on startup. One such service is the CXF servlet running in the $$http://localhost:8181/cxf$$ context. Securing such endpoints can be complicated. One approach, which {project_name} is currently using, is ServletReregistrationService, which undeploys a built-in servlet at startup, enabling you to redeploy it on a context secured by {project_name}.`
fixed RHSSO-638, 640, and 730-Fuse edits 2017-02-27 01:45:09 +00:00
			The configuration file `OSGI-INF/blueprint/blueprint.xml` inside your application might resemble the one below. Note that it adds the JAX-RS `customerservice` endpoint, which is endpoint-specific to your application, but more importantly, secures the entire `/cxf` context.
More Fuse adapter documentation. Remove references to Apache Karaf 2016-06-03 13:09:26 +00:00
			`[source,xml]`
			`----`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"`
			`xsi:schemaLocation="`
			`http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd`
			`http://cxf.apache.org/blueprint/jaxrs http://cxf.apache.org/schemas/blueprint/jaxrs.xsd">`

			`<!-- JAXRS Application -->`

			`<bean id="customerBean" class="org.keycloak.example.rs.CxfCustomerService" />`

			`<jaxrs:server id="cxfJaxrsServer" address="/customerservice">`
			`<jaxrs:providers>`
			`<bean class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider" />`
			`</jaxrs:providers>`
			`<jaxrs:serviceBeans>`
			`<ref component-id="customerBean" />`
			`</jaxrs:serviceBeans>`
			`</jaxrs:server>`


			`<!-- Securing of whole /cxf context by unregister default cxf servlet from paxweb and re-register with applied security constraints -->`

			`<bean id="cxfConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">`
			`<property name="constraint">`
			`<bean class="org.eclipse.jetty.util.security.Constraint">`
			`<property name="name" value="cst1"/>`
			`<property name="roles">`
			`<list>`
			`<value>user</value>`
			`</list>`
			`</property>`
			`<property name="authenticate" value="true"/>`
			`<property name="dataConstraint" value="0"/>`
			`</bean>`
			`</property>`
			`<property name="pathSpec" value="/cxf/*"/>`
			`</bean>`

			`<bean id="cxfKeycloakPaxWebIntegration" class="org.keycloak.adapters.osgi.PaxWebIntegrationService"`
			`init-method="start" destroy-method="stop">`
			`<property name="bundleContext" ref="blueprintBundleContext" />`
			`<property name="jettyWebXmlLocation" value="/WEB-INF/jetty-web.xml" />`
			`<property name="constraintMappings">`
			`<list>`
			`<ref component-id="cxfConstraintMapping" />`
			`</list>`
			`</property>`
			`</bean>`

			`<bean id="defaultCxfReregistration" class="org.keycloak.adapters.osgi.ServletReregistrationService" depends-on="cxfKeycloakPaxWebIntegration"`
			`init-method="start" destroy-method="stop">`
			`<property name="bundleContext" ref="blueprintBundleContext" />`
			`<property name="managedServiceReference">`
			`<reference interface="org.osgi.service.cm.ManagedService" filter="(service.pid=org.apache.cxf.osgi)" timeout="5000" />`
			`</property>`
			`</bean>`

			`</blueprint>`
			`----`

Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			As a result, all other CXF services running on the default CXF HTTP destination are also secured. Similarly, when the application is undeployed, the entire `/cxf` context becomes unsecured as well. For this reason, using your own Jetty engine for your applications as described in <<_fuse_adapter_cxf_separate,Secure CXF Application on separate Jetty Engine>> then gives you more
fixed RHSSO-638, 640, and 730-Fuse edits 2017-02-27 01:45:09 +00:00			`control over security for each individual application.`
More Fuse adapter documentation. Remove references to Apache Karaf 2016-06-03 13:09:26 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			* The `WEB-INF` directory might need to be inside your project (even if your project is not a web application). You might also need to edit the `/WEB-INF/jetty-web.xml` and `/WEB-INF/keycloak.json` files in a similar way as in <<_fuse_adapter_classic_war,Classic WAR application>>.
fixed RHSSO-638, 640, and 730-Fuse edits 2017-02-27 01:45:09 +00:00			Note that you do not need the `web.xml` file as the security constraints are declared in the blueprint configuration file.
More Fuse adapter documentation. Remove references to Apache Karaf 2016-06-03 13:09:26 +00:00
fixed RHSSO-638, 640, and 730-Fuse edits 2017-02-27 01:45:09 +00:00			* The `Import-Package` in `META-INF/MANIFEST.MF` must contain these imports:
Fix attr substitution in source blocks 2016-06-09 12:54:13 +00:00
			`[source, subs="attributes"]`
More Fuse adapter documentation. Remove references to Apache Karaf 2016-06-03 13:09:26 +00:00			`----`
			`META-INF.cxf;version="[2.7,3.2)",`
			`META-INF.cxf.osgi;version="[2.7,3.2)";resolution:=optional,`
			`org.apache.cxf.transport.http;version="[2.7,3.2)",`
			`org.apache.cxf.*;version="[2.7,3.2)",`
			`com.fasterxml.jackson.jaxrs.json;version="[2.5,3)",`
			`org.eclipse.jetty.security;version="[8,10)",`
			`org.eclipse.jetty.util.security;version="[8,10)",`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`org.keycloak.*;version="{project_versionMvn}",`
			`org.keycloak.adapters.jetty;version="{project_versionMvn}",`
More Fuse adapter documentation. Remove references to Apache Karaf 2016-06-03 13:09:26 +00:00			`*;resolution:=optional`
			`----`
fixed RHSSO-906 2017-03-24 19:43:16 +00:00