Hi all, I thought I would send around an update on the WSS4J 2.0 port in CXF. WSS4J 2.0 offers a new streaming approach to WS-Security based on the work of Marc Giger (cc'd). Both the DOM and StAX approaches share common configuration, meaning that you can flip between the different implementations by just setting a configuration switch. Currently, we default to the DOM implementation, but that may change before the 3.0 release.
A lot of system tests are available in the ws-security systests if anyone is interested. Most of the basic Symmetric, Asymmetric + Transport binding use-cases are working. Here is a list of stuff that is not working, as well as work items that will be done over the next few months to get it ready for the 3.0 release:

1) There are some issues with the current approach to using symmetric keys. We are going to solve this by creating new WSS4J actions for symmetric encryption + signature.
2) Symmetric + Asymmetric Derived Key use-cases are not working.
3) An AsymmetricBinding use-case which uses a SAMLToken as the InitiatorToken does not work.
4) EndorsingSupportingTokens are not supported on the client side for either Symmetric or AsymmetricBindings yet.
5) None of the *Elements XPath expressions are working.
6) We don't support using SecurityTokens yet as the basis for signing/encryption, so for WS-Trust/SPNEGO use-cases etc. This is held up by the first point.
7) The STSClient (+ STS itself) have not been ported to use the streaming code. All of the STS system tests also need to be ported when this is done.
8) There are also some other more minor tasks summarised in the WSS4J JIRA under the "2.0" version if anyone is inclined to take a look.

Colm.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
