Quarkus CXF 3.8.1 (LTS) release notes
Important dependency upgrades:

- Quarkus 3.8.0 → 3.8.2 (3.8.1 release notes, 3.8.2 release notes)
- CXF 4.0.3 → 4.0.4 (release notes, changelog)
- WSS4J 3.0.2 → 3.0.3 (changelog)
- Santuario XMLSec 3.0.3 → 3.0.4 (changelog)
New and noteworthy in Quarkus CXF

Mutual TLS (mTLS)

Mutual TLS (mTLS) is now documented and tested, and can be configured for clients via the quarkus.cxf.client."client-name".key* family of options.
Keystores and truststores now looked up in the file system

The keystores and truststores are now really looked up in the file system, unless they are available in the classpath, as documented in quarkus.cxf.client."client-name".trust-store and quarkus.cxf.client."client-name".key-store.
Running on systems with FIPS assertions enabled

Changes in CXF 4.0.4 and Quarkus CXF 3.8.1 make it possible to run applications using WS-Security on systems with FIPS assertions enabled. Those changes are twofold:

- The Bouncy Castle security provider is not present in the class path anymore. If your project depends directly or transitively on org.bouncycastle:bcprov-jdk18on and you want to keep using it, then Quarkus CXF will suggest at build time that you exclude io.quarkiverse.cxf:quarkus-cxf-bc-stub from io.quarkiverse.cxf:quarkus-cxf-rt-ws-security. io.quarkiverse.cxf:quarkus-cxf-bc-stub contains some empty methods to allow native compilation with GraalVM when Bouncy Castle is not present in the class path.
- Before CXF 4.0.4 and Quarkus CXF 3.8.1 there was no way to select encryption algorithms compatible with FIPS. Now there is a way to do so via the security policy and Quarkus configuration.
In the policy file, the AlgorithmSuite has to be set to CustomAlgorithmSuite:

    <wsp:Policy wsu:Id="SecurityServiceEncryptThenSignPolicy"
        xmlns:wsp="http://www.w3.org/ns/ws-policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              ...
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:CustomAlgorithmSuite/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              ...
            </wsp:Policy>
          </sp:AsymmetricBinding>
          ...
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
FIPS compliant algorithms can then be set in application.properties. Here, we list the default values that are FIPS compliant already:

    quarkus.cxf.client."client-name".security.custom.digest.algorithm = http://www.w3.org/2001/04/xmlenc#sha256
    quarkus.cxf.client."client-name".security.custom.encryption.algorithm = http://www.w3.org/2009/xmlenc11#aes256-gcm
    quarkus.cxf.client."client-name".security.custom.symmetric.key.encryption.algorithm = http://www.w3.org/2001/04/xmlenc#kw-aes256
    quarkus.cxf.client."client-name".security.custom.asymmetric.key.encryption.algorithm = http://www.w3.org/2001/04/xmlenc#rsa-1_5
    quarkus.cxf.client."client-name".security.custom.encryption.key.derivation = http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
    quarkus.cxf.client."client-name".security.custom.signature.key.derivation = http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
    quarkus.cxf.client."client-name".security.custom.encryption.derived.key.length = 256
    quarkus.cxf.client."client-name".security.custom.signature.derived.key.length = 192
    quarkus.cxf.client."client-name".security.custom.minimum.symmetric.key.length = 256
    quarkus.cxf.client."client-name".security.custom.maximum.symmetric.key.length = 256
    quarkus.cxf.client."client-name".security.custom.minimum.asymmetric.key.length = 1024
    quarkus.cxf.client."client-name".security.custom.maximum.asymmetric.key.length = 4096