[[_fuse7_adapter_cxf_builtin]] ===== Securing an Apache CXF endpoint on the default Undertow Engine Some services automatically come with deployed servlets on startup. One such service is the CXF servlet running in the $$http://localhost:8181/cxf$$ context. Fuse's Pax Web supports altering existing contexts via configuration admin. This can be used to secure endpoints by {project_name}. The configuration file `OSGI-INF/blueprint/blueprint.xml` inside your application might resemble the one below. Note that it adds the JAX-RS `customerservice` endpoint, which is endpoint-specific to your application. [source,xml] ---- ---- Furthermore, you have to create `${karaf.etc}/org.ops4j.pax.web.context-_anyName_.cfg file`. It will be treated as factory PID configuration that is tracked by `pax-web-runtime` bundle. Such configuration may contain the following properties that correspond to some of the properties of standard `web.xml`: [source, subs="attributes"] ---- bundle.symbolicName = org.apache.cxf.cxf-rt-transports-http context.id = default context.param.keycloak.config.resolver = org.keycloak.adapters.osgi.HierarchicalPathBasedKeycloakConfigResolver login.config.authMethod = KEYCLOAK security.cxf.url = /cxf/customerservice/* security.cxf.roles = admin, user ---- For full description of available properties in configuration admin file, please refer to Fuse documentation. The properties above have the following meaning: `bundle.symbolicName` and `context.id`:: Identification of the bundle and its deployment context within `org.ops4j.pax.web.service.WebContainer`. `context.param.keycloak.config.resolver`:: Provides value of `keycloak.config.resolver` context parameter to the bundle just the same as in `web.xml` for classic WARs. Available resolvers are described in <<_fuse7_config_external_adapter,Configuration Resolvers>> section. `login.config.authMethod`:: Authentication method. Must be `KEYCLOAK`. `security._anyName_.url` and `security._anyName_.roles`:: Values of properties of individual security constraints just as they would be set in `security-constraint/web-resource-collection/url-pattern` and `security-constraint/auth-constraint/role-name` in `web.xml`, respectively. Roles are separated by comma and whitespace around it. The `_anyName_` identifier can be arbitrary but must match for individual properties of the same security constraint. + [NOTE] ==== Some Fuse versions contain a bug that requires roles to be separated by `", "` (comma and single space). Make sure you use precisely this notation for separating the roles. ==== The `Import-Package` in `META-INF/MANIFEST.MF` must contain at least these imports: [source, subs="attributes"] ---- javax.ws.rs;version="[2,3)", META-INF.cxf;version="[2.7,3.3)", META-INF.cxf.osgi;version="[2.7,3.3)";resolution:=optional, org.apache.cxf.transport.http;version="[2.7,3.3)", org.apache.cxf.*;version="[2.7,3.3)", com.fasterxml.jackson.jaxrs.json;version="${jackson.version}" ----