Apache CXF New Directions in

IntegrationDaniel Kulp

VP Open Source Development Talend

Your Speaker• VP - Open Source Development at Talend

• Team of engineers devoted to Apache Projects

• Worked on WebService/SOA related technology for over 10 years

• Apache Software Foundation

• Apache CXF - since the beginning

• Apache Maven, Apache WebServices, Apache Camel, Apache ServiceMix, Apache Aries, etc…

• Apache Member

A Little About Apache CXF• Entered the Apache Incubator in August 2006

• Merge of Celtix and XFire

• Compete with Axis/Axis2?

• Graduated in April 2008

• JAX-WS 2.x certified, JAX-RS 1.1 certified

• 8 “minor” versions (2.0 - 2.7), 82 patch releases

• 33 committers - 21 active

• The most complete implementation of WS-* specifications.

• DOSGi Reference Implementation of OSGi Remote Service Specification

• Apache CXF Fediz - Web Security Framework

• Used in products by Talend, JBoss, Fuse, WSO2, Pramati, MuleSoft, TomEE, IBM, etc…

• Embedded all over - Google “CXF - Service List”

2010 - Is CXF Finished?• Go into maintenance mode? NO!!!!

• Development Efforts Centered around:

• Deployment options

• REST/JAX-RS Based Services

• Services

• Security

Deployment Models• Always have had

• Good for standalone applications

• Top Notch Spring support

• Good for WAR based applications (other than conflicts with various app servers)

• OSGi support has “improved”

• Single big bundle -> little bundles

• Blueprint support and enhancements

• Better management

Changed for 3.0• Major refactoring of “api”, “core”, and WSDL based

APIs

• No more wsdl4j.jar or neethi.jar or mail.jar needed for JAX-RS (amongst others)

• Smaller core - removed a lot of duplicate functionality, unused code, deprecated code, etc….

• Better hooks for embedders like TomEE, JBoss, and Talend

REST/JAX-RS• 2.3.x-2.6.x is JAX-RS 1.1 Compliant

• 2.7.x started work on JAX-RS 2.0

• Filters, Interceptors, parts of Async Invokation, dynamic features, exception classes, etc…

• 3.0 will be JAX-RS 2.0 compliant

• Client API, Bean Validation

• OAuth 1, OAuth 2, SAML, Kerberos

• WADL generation from services

• Interface generation from WADL

• Started discussions about RAML

• FIQL searches// Find all employees younger than 25 or older than 35 living in London!http://server.com/employees?_s=(age=lt=25,age=gt=35);city==London

Services• 2.5.0 - introduced “out of the box” services based on CXF

technology

• WS-Notification

• Ported from ServiceMix

• WS-Notification Service using ActiveMQ backend

• JBI removed, pure JAX-WS API’s

• API module added

• WS-Eventing - new for CXF 3.0

• Security Token Service (STS)

• Initially developed for a Talend Customer

• Full production ready STS

• Supports Issue, Validate, Cancel, Renew binding

• Pluggable token validators, claims handlers, SAML customizers, etc…

• Advanced use cases: KeyTypes (Public/Symmetric/Bearer), OnBehalfOf, ActAs, Claims, etc…

• Enhanced support for Roles

• WS-Discovery (CXF 2.7)

• “Probe” the network for services

• Services can announce their availability

• Not just “software services”

• ONVIF compliant IP cameras

• Network Printers

• Network Scanners

• XML Key Management Service (XKMS)

• New for CXF 3.0, back ported for 2.7.7

• Normal - Java KeyStores

• XKMS front end for organizations PKI

• Supports LDAP and File based back ends

• XKMS - continued

• WSS4J Crypto Providers

• Adding support to CXF’s STS to validate keys via XKMS

Fediz• Framework that implements WS-

Federation Passive Requestor Profile

• Plugins to Tomcat to redirect to an IDP for authentication

• Contains a light weight IDP

• Soon: support for Jetty, Spring Security, CXF

Security

“I’m going to make CXF’s WS-Security implementation the best WS-Security implementation.”

!- Colm O hEigeartaigh

http://coheigea.blogspot.com/

Security• STS, XKMS services

• XACML/SAML utilities

• SPNego/Kerberos profiles

• Prevent various DOS attacks

• ehCache based Nonce/Timestamp caches

• XML based attacks (DTD, size, limits)

• New algorithms

• Streaming WS-Security Implementation for 3.0

• StAX Based

• No more DOM/SAAJ (unless required)

• Higher performance

• Quicker failures

• Support MIME attachments

Other 3.0 Things• WS-RM updates

• Full 1.1 support, tested extensively with .NET

• Termination of sequences

• JMX management

• Support for WS-RM with WS-Security and WS-SecureConversation

• CXF specific front end code generator

• Allow passing Bus instances, CXF features

• Guarantees that CXF is picked up

• Allows future configuration points

3.0 Roadmap• A “milestone” release in the next week or so

• A second milestone or beta before the end of the year

• 3.0 in early Q1

• Normal 2.7.x/2.6.x patch releases every 8 weeks

• Fediz 1.1 release (voting now)

Questions and More Information

• Apache CXF

• http://cxf.apache.org

• users@cxf.apache.org

• Me

• dkulp@apache.org or dkulp@talend.com