I really like the idea of this configuration. I think David's point is a good one - I don't know how bean specific these properties are, but if you want to use a set of properties for more than one webservice I guess we could have a node with the global webservice security config for the app, with any bean specific properties defined overriding this.
I guess I'm thinking of something along the lines of:

<openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
  <global-ws-security>
    <configuration>
      wss4j.in.action = Encrypt Signature
      wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
      wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties

      wss4j.out.action = Encrypt Signature
      wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
      wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
      wss4j.out.user = something
      wss4j.out.encryptionUser = bod
      wss4j.out.signatureKeyIdentifier = DirectReference
      wss4j.out.encryptionSymAlgorithm = http://www.w3.org/2001/04/xmlenc#tripledes-cbc
      ...
    </configuration>
  </global-ws-security>
  <enterprise-beans>
    <session>
      <ejb-name>CalculatorImpl</ejb-name>
      <web-service-security>
        <security-realm-name/>
        <transport-guarantee>NONE</transport-guarantee>
        <auth-method>WS-SECURITY</auth-method>
        <configuration>
          wss4j.some_bean_specific_property = foo
          ...
        </configuration>
      </web-service-security>
    </session>
  </enterprise-beans>
</openejb-jar>

I'm very happy to help with some of the code and/or testing.
Cheers,

Jon

On Fri, Mar 20, 2009 at 4:57 PM, David Blevins <[email protected]> wrote:

> On Mar 20, 2009, at 8:13 AM, Jean-Louis MONTEIRO wrote:
>
> <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>>   <enterprise-beans>
>>     <session>
>>       <ejb-name>CalculatorImpl</ejb-name>
>>       <web-service-security>
>>         <security-realm-name/>
>>         <transport-guarantee>NONE</transport-guarantee>
>>         <auth-method>WS-SECURITY</auth-method>
>>
>>         <configuration>
>>           wss4j.in.action = Encrypt Signature
>>           wss4j.in.signaturePropFile = path to file/CalculatorSecurity.properties
>>           wss4j.in.encryptionPropFile = path to file/CalculatorSecurity.properties
>>
>>           wss4j.out.action = Encrypt Signature
>>           wss4j.out.signaturePropFile = path to file/CalculatorSecurity.properties
>>           wss4j.out.encryptionPropFile = path to file/CalculatorSecurity.properties
>>           wss4j.out.user = something
>>           wss4j.out.encryptionUser = bod
>>           wss4j.out.signatureKeyIdentifier = DirectReference
>>           wss4j.out.encryptionSymAlgorithm =
>>           http://www.w3.org/2001/04/xmlenc#tripledes-cbc
>>           ...
>>         </configuration>
>>
>>       </web-service-security>
>>     </session>
>>   </enterprise-beans>
>> </openejb-jar>
>>
>
> I'm curious on how bean specific that above configuration is. If I have
> say 10 web services that need to be secured, which properties will likely be
> the same and which would I typically want to be different? Just wondering
> if we'll want some more general way to setup the security in addition to
> 100% bean defined.
>
> -David
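
Added example, not part of the original thread and not OpenEJB code: one way the proposed override rule could be resolved, with the app-wide <configuration> as defaults and the bean's <configuration> taking precedence. It assumes each <configuration> body is read as java.util.Properties text and that the wss4j.in. / wss4j.out. prefixes are stripped to build the inbound and outbound option maps; the class name, method names and sample values are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

// Added illustration, not OpenEJB code: class and method names are hypothetical.
public class WsSecurityConfigMerge {

    // Parse the text body of a <configuration> element as java.util.Properties.
    // Keys missing from this body fall back to 'defaults' (may be null).
    static Properties parse(String body, Properties defaults) throws IOException {
        Properties p = new Properties(defaults);
        p.load(new StringReader(body));
        return p;
    }

    // Collect the keys under one prefix (e.g. "wss4j.in.") with the prefix removed.
    // Assumption: this is how the per-direction option maps would be built.
    static Map<String, String> handlerOptions(Properties effective, String prefix) {
        Map<String, String> out = new TreeMap<>();
        // stringPropertyNames() also returns keys that exist only in the defaults.
        for (String key : effective.stringPropertyNames()) {
            if (key.startsWith(prefix)) {
                out.put(key.substring(prefix.length()), effective.getProperty(key));
            }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values standing in for the two <configuration> bodies.
        String global = String.join("\n",
            "wss4j.in.action = Encrypt Signature",
            "wss4j.out.action = Encrypt Signature",
            "wss4j.out.user = something",
            "wss4j.out.signatureKeyIdentifier = DirectReference");
        String bean = String.join("\n",
            "wss4j.out.user = calculator",      // overrides the global value
            "wss4j.out.encryptionUser = bod");  // defined for this bean only

        // Bean-level properties are consulted first, then the global ones.
        Properties effective = parse(bean, parse(global, null));
        System.out.println("in  = " + handlerOptions(effective, "wss4j.in."));
        System.out.println("out = " + handlerOptions(effective, "wss4j.out."));
    }
}
```

With this layout a bean that declares no <configuration> of its own still resolves every global key, which is the "10 web services" case raised in the quoted question.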
