Fred Dushin wrote:
> So, to summarize:
> *) I disagree that specification of key material should be done
> through WSDL and/or WS-Policy; that's not what it's for, and there is
> a real risk of compromise of security-sensitive information this way

I agree that it's quite dangerous to put the security info in the policy.
People will start emailing policies around or putting them in their
repository without the proper security constraints. If there was
significant simplification from a user's POV in doing this, I would
probably support it. But as it stands, people are most likely going to
have a separate policy file and configuration file anyway.

> *) I am more inclined to view feature-based config as a kind of
> simplification of policy-based config, and as a potential generator of
> policy, which makes it complementary to policy, not orthogonal
> *) I agree that in some small percentage of cases, we need to support
> configuration of WS-SecurityPolicy directly, and at a low level, but
> these cases fall below the 20% bar, and can certainly be exposed
> through low-level config.

I completely agree here with Fred, and I thank him for taking the time
to write this email which expresses my views better than I could have :-).
I especially would like people to consider the use case of using CXF
from the API. It's much harder to set up a service to use WS-SX by
building a policy document than it is to use a Feature.
- Dan
--
Dan Diephouse
MuleSource
http://mulesource.com | http://netzooid.com/blog