I think we're over-blowing the problem a bit. Let's not get sidetracked into hypothetical discussions on how dangerous it is to put private stuff into policies. Rather, let's come up with a set of practical guidelines on when to use policies and features.

Another thing I'd like to avoid is having some religious debate leading nowhere. Dan, you said you wanted to support WS-SecurityPolicy because it was so important for the enterprise. Now you're also saying that using features is so much better from an API perspective. I personally don't understand what your position is. I'm just confused. Can you please clarify? Do you want to support WS-SecurityPolicy by using a WS-Security feature? I don't think it makes any sense, but I'd like you to explain, please. Can you please explain what you mean by saying it's so much harder to set up a service using a policy?

I'd also like to suggest that you think about the following:

* how can one satisfy a user's desire to attach capabilities to endpoints, operations, and bindings using features
* how can a client avoid doing duplications like enabling MTOM on the client side when using features
* how can a client perform intersection of capabilities using features

Thanks, Sergey

-----Original Message-----
From: Dan Diephouse [mailto:[EMAIL PROTECTED]
Sent: 24 September 2007 19:26
To: [email protected]
Subject: Re: WS-SX

Fred Dushin wrote:
> So, to summarize:
>
> *) I disagree that specification of key material should be done
> through WSDL and/or WS-Policy; that's not what it's for, and there is
> a real risk of compromise of security-sensitive information this way

I agree that it's quite dangerous to put the security info in the policy. People will start emailing policies around or putting them in their repository without the proper security constraints. If there was significant simplification from a user's POV in doing this, I would probably support it. But as it stands, people are most likely going to have a separate policy file and configuration file anyway.

> *) I am more inclined to view feature-based config as a kind of
> simplification of policy-based config, and as a potential generator of
> policy, which makes it complementary to policy, not orthogonal
> *) I agree that in some small percentage of cases, we need to support
> configuration of WS-SecurityPolicy directly, and at a low level, but
> these cases fall below the 20% bar, and can certainly be exposed
> through low-level config.

I completely agree here with Fred, and I thank him for taking the time to write this email which expresses my views better than I could have :-). I especially would like people to consider the use case of using CXF from the API. It's much harder to set up a service to use WS-SX by building a policy document than it is to use a Feature.

- Dan

--
Dan Diephouse
MuleSource
http://mulesource.com | http://netzooid.com/blog

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
