Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
74 lines (59 sloc) 3.81 KB
Securing an Apache CXF Endpoint on the Default Undertow Engine

Some services automatically come with deployed servlets on startup. One such service is the CXF servlet running in the http://localhost:8181/cxf context. Fuse’s Pax Web supports altering existing contexts via configuration admin. This can be used to secure endpoints by {project_name}.

The configuration file OSGI-INF/blueprint/blueprint.xml inside your application might resemble the one below. Note that it adds the JAX-RS customerservice endpoint, which is endpoint-specific to your application.

<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns=""

    <!-- JAXRS Application -->
    <bean id="customerBean" class="" />

    <jaxrs:server id="cxfJaxrsServer" address="/customerservice">
            <bean class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider" />
            <ref component-id="customerBean" />

Furthermore, you have to create ${karaf.etc}/org.ops4j.pax.web.context-anyName.cfg file. It will be treated as factory PID configuration that is tracked by pax-web-runtime bundle. Such configuration may contain the following properties that correspond to some of the properties of standard web.xml:

bundle.symbolicName = org.apache.cxf.cxf-rt-transports-http = default

context.param.keycloak.config.resolver = org.keycloak.adapters.osgi.HierarchicalPathBasedKeycloakConfigResolver

login.config.authMethod = KEYCLOAK

security.cxf.url = /cxf/customerservice/*
security.cxf.roles = admin, user

For full description of available properties in configuration admin file, please refer to Fuse documentation. The properties above have the following meaning:

bundle.symbolicName and

Identification of the bundle and its deployment context within org.ops4j.pax.web.service.WebContainer.


Provides value of keycloak.config.resolver context parameter to the bundle just the same as in web.xml for classic WARs. Available resolvers are described in Configuration Resolvers section.


Authentication method. Must be KEYCLOAK.

security.anyName.url and security.anyName.roles

Values of properties of individual security constraints just as they would be set in security-constraint/web-resource-collection/url-pattern and security-constraint/auth-constraint/role-name in web.xml, respectively. Roles are separated by comma and whitespace around it. The anyName identifier can be arbitrary but must match for individual properties of the same security constraint.


Some Fuse versions contain a bug that requires roles to be separated by ", " (comma and single space). Make sure you use precisely this notation for separating the roles.

The Import-Package in META-INF/MANIFEST.MF must contain at least these imports:;version="[2,3)",