February 13, 2013

Spring Security support added in Apache CXF Fediz

Initial support for Spring Security in Apache CXF Fediz added

New features are going to be added in the next version 1.1. The next feature ready for testing is the support for Spring Security for version 3.1

You can either download the sources here:

git clone git://git.apache.org/cxf-fediz.git


svn co https://svn.apache.org/repos/asf/cxf/fediz/trunk

or download it from the snapshot maven repository.

The Fediz Spring Plugin supports integration with the Spring Pre-Authentication scenario as described here.

A new example springPreauthWebapp has been added to the distribution to show this.

I'd like to highlight two things.

1) You can get access to the Spring Security Context like this: SecurityContextHolder.getContext().getAuthentication(); The Authentication interfaces provides the following methods.

getCredentialsElementIssues Security Token (ex. SAML Assertion)
getDetailsPreAuthenticatedGrantedAuthoritiesWebAuthenticationDetailsAuthentication details like IP, Session ID
getNameStringAuthenticated user name
getAuthoritiesCollection<? extends GrantedAuthority>List of roles
getPrincipalFederationUserExtends the standard Spring User class with method getClaims()

Here is an example where the information of the Authentication object is logged:

getCredentials: [saml2:Assertion: null] getDetails: org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails@1c07a: RemoteIpAddress:; SessionId: go3xw6sxzqr5w02gn85elfgv; [ROLE_USER] getName: alice getAuthorities: [ROLE_USER] getPrincipal: org.apache.cxf.fediz.spring.FederationUser@5899680: Username: alice; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER

2) You can define rules who can access which resource as illustrated in the following snippet of applicationContext-security.xml of the new example springPreauthWebapp Please post feedback and ideas to the CXF mailing list or the JIRA task FEDIZ-38 and FEDIZ-39.

Apache CXF Fediz is a subproject of Apache CXF. Fediz helps you to secure your web applications and delegate security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is WS-Federation Passive Requestor Profile.

Thank you for all support and feedback!


  1. Hi,

    I need to create a java client for a WCF STS based web service. All i have is the wsdls for web service and STS.
    is there any help on how to proceed? There are so many if/else in this space that its very hard to narrow down what exactly i need to do, all i have tried so far does not work.


    1. Maybe have a look at colms blog about STS and test cases to interact with here:

      Verify the policies of your STS and web service with the examples wsdls? The test cases should provide you information how to configure this use cases in CXF.

    2. btw, please post specific questions about Web Services and Security in the CXF user mailing list:

  2. Hi Oliver,

    First of all thanks for your excellent job. I followed all the previous blog entries, and managed to make running everything (STS/IDP, RP, web service client). But only the 1.0.0 Fediz version. With the new ones (e.g. 1.1.0-SNAPSHOT from github) there is some problem with the tomcat keystore.

    * In the 1.0.0 case the tomcat keystore has a cert with CN=localhost, SHA1: FE:B6... This is the cert the IDP has in its truststore.

    * In case of 1.1.0-SNAPSHOT the IDP trusts a cert with CN=localhost, SHA1: A6:BC...

    I know very well that I could generate the keys/keystores by myself, but I would first prefer running your examples as they are. Could you please share with me this tomcat keytore you are using in the latest release?

    Thank you very much, I hope I can help your job somehow sometime soon. Regards,

    1. Sorry, I missed your comment. I assume you've found the keystore already here:

      I'm also thinking about adding a wiki page at http://cxf.apache.org/fediz.html
      explain the role of each certificate and what could be simplified by introducing a Certificate Authority.