Recent security advisories for Apache CXF
Apache CXF 2.7.3 (release notes), 2.6.6, and 2.5.9 have been released and are available for download. These releases contain fixes for a number of critical security issues, which I will describe below....
Signature and Encryption Key Identifiers in Apache WSS4J
The Apache WSS4J configuration allows you to specify how to reference a public key or certificate when signing or encrypting a SOAP message via the following configuration...
Apache Santuario 1.5.4 and Apache WSS4j 1.6.10 released
Two new bug-fix releases of note in Apache security products: Apache Santuario 1.5.4 has been released. Amongst the issues fixed is a thread-safety problem when secure validation is enabled, and a...
Apache CXF 2.7.4 released
Apache CXF 2.7.4 (and 2.6.7 + 2.5.10) have been released. Users are strongly encouraged to upgrade to the latest versions, due to a critical security issue which must remain undisclosed for the moment....
Apache CXF 2.7.5 released
Apache CXF 2.7.5 has been released. The list of issues fixed is available here. The following security fixes of note have been made in this release: The OpenSAML dependency has been upgraded from 2.5.1...
Apache XML Security for Java 1.4.8 and 1.5.5 released
Two new versions of the Apache XML Security for Java project have been released and are available for download. These releases contain a fix for a critical security advisory CVE-2013-2172, which...
Denial of Service attacks on Apache CXF
A significant new paper has emerged called "A new Approach towards DoS Penetration Testing on Web Services" by Andreas Falkenberg of SEC Consult Deutschland GmbH, and Christian Mainka, Juraj Somorovsky...
Apache Syncope tutorial - part I
Apache Syncope is a new open source Identity Management project at Apache. This is the first of a planned four-part set of tutorials on how to get Apache Syncope up and running, how to integrate it...
Apache Syncope tutorial - part II
In the previous tutorial on Apache Syncope, we described how to create a standalone application deployed in Apache Tomcat, and using MySQL as the persistent storage. In this tutorial we will show how...
Apache Syncope tutorial - part III
In the first tutorial on Apache Syncope, we showed how to deploy Syncope to Apache Tomcat, and how to set up MySQL as the internal storage mechanism. In the second tutorial, we showed how to import...
Apache Syncope tutorial - part IV
In the first tutorial on Apache Syncope, we showed how to deploy Syncope to Apache Tomcat, using MySQL as the internal storage mechanism. In the second and third tutorials, we showed how to import some...
XML Encryption support in Apache Camel 2.12.0
Apache Camel supports using XML Encryption (and decryption) in your Camel routes via the XML Security Data Format. I have contributed some additions to this component for the recent 2.12.0 release that...
XKMS functionality in Apache CXF
Talend has recently donated an XKMS 2.0 implementation to Apache CXF, which is available from the CXF 2.7.7 release. It is documented on the CXF wiki here. The XKMS implementation consists of two...
Apache CXF STS client configuration options
Apache CXF provides a Security Token Service (STS), which can issue (as well as validate, renew + cancel) security tokens using the WS-Trust protocol. A common SOAP security scenario is where a service...
Security Advisory CVE-2013-4517 released
A new security advisory for the Apache Santuario XML Security for Java library has been released: "The Apache Santuario XML Security for Java project is vulnerable to a Denial of Service (DoS) type...
Apache WSS4J 2.0.0 - part I
Apache WSS4J is an open-source Java implementation of the security standards for web services. The project was founded in 2004 and is widely used, including by the web service stacks Apache CXF and...
SAML "OneTimeUse" support in Apache CXF 2.7.8
Apache WSS4J 1.6.13 contains a number of features to support working with SAML 2.0 tokens with a "OneTimeUse" Condition. Firstly, it is now possible to create a SAML 2.0 token with this attribute via...
Apache WSS4J 2.0.0 - part II
This is the second of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The first article gave an overview of the new features, detailed the new project...
Apache WSS4J 2.0.0 - part III
This is the third of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The second article grouped together some new features that were too small to...
Apache WSS4J 2.0.0 - part IV
This is the fourth of a series of articles on the new features and changes that will be delivered in Apache WSS4J 2.0.0. The third article looked at some changes in the area of caching tokens to detect...