Classification: UNCLASSIFIED Caveats: NONE Hi, Simon and others,
I converted by 1.6 policy extension to 2.0. I think/hope I did a thorough job, but I can't get 2.0 runtime to match my newly defined intent to the newly defined policy set. The ComponentPolicyBuilderImpl keeps WARNING that the intent was not satisfied. In the debugger, surely I saw the policySet was empty. Questions: 1. Has there been any changes in how policy set are defined in 2.0? In 1.6, we use the definitioins.xml that comes with the contribution to define the policies that satisfies the intent. But I can't find any example that uses policy in 2.0 samples. 2. If there hasn't been any changes, which class is responsible to parse the policy definition from the contribution and sets the Endpoint's or EndpointReference's policySet, so that I can step through it? Thanks, Gang -----Original Message----- From: Yang, Gang CTR US USA [mailto:[email protected]] Sent: Thursday, January 20, 2011 10:56 AM To: [email protected] Subject: RE: How to add new security extension to Tuscany binding.ws? (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE Hi, Simon, Thank you for the information. It's very helpful for me to better understand the frameworks in both 1.6 and 2.0. I wish what you described here be in the book you guys wrote. It doesn't have to be elaborate, but some key phrases and high level descriptions and pointers in an advanced chapter. Thanks again, I'll try both to see what happens. Gang -----Original Message----- From: Simon Laws [mailto:[email protected]] Sent: Thursday, January 20, 2011 4:22 AM To: [email protected] Subject: Re: How to add new security extension to Tuscany binding.ws? (UNCLASSIFIED) On Tue, Jan 18, 2011 at 10:08 PM, Yang, Gang CTR US USA <[email protected]> wrote: > Classification: UNCLASSIFIED > Caveats: NONE > > Hi, > > I am trying to see how I can add a new WS-security implementation to the WS > binding. I've got a policy extension hooked into Tuscany runtime using > Tuscany 1.6. However, I seem to have a hard time to place my policy > interceptor at the right place to be able to add security to the SOAP > message. While poking around inside the debugger and with experiments, I > found the following: > > 1. If I return "referece.binding.policy" when getPhase() is called, Tuscany > runtime will place my policy interceptor after the WS binding invoker > (Axis2BindingInvoker) in the invocation chain. Since Axis2BindingInvoker > does not continue the invocation in the chain, my policy interceptor is > never called. > > 2. If I return "reference.policy" instead, my policy interceptor is placed > before the WS binding invoker and will be called. But any headers I add are > ignored by Axis2BindingInvoker. Also I can't access the SOAP body element, > only the body content, which is not good enough if I need to add ID to the > SOAP body for signature reference. > > I'm looking for pointers and suggestions on how to go about adding a new > WS-security. I do understand that Axis2 WS extension provides WS-security > through Rampart, but I need to provide our own security implementation. > > More detailed questions: > > 1. Are binding policy phase implemented in the current Tuscany? If so, who > is responsible to enable "reference.binding.policy" or > "service.binding.policy" phase interceptor, Tuscany runtime or the binding > extension, such as Axis2BindingInvoker? > > 2. I also tried 1.6.1 and failed. Would 2.0.Beta1 have fixed the problem? > > 3. Is there a way to exten Axis2 WS binding so that I can hook my > WS-security implementation as an Axis2 module, just like Rampart module, at > Axis2 service level? > > Thanks, > Gang > > Classification: UNCLASSIFIED > Caveats: NONE > > Hi Gang Sorry for the slow reply. The binding.ws implementation in Tuscany 1.6 is a bit closed in the sense that to add binding specific behaviour you need to get some code into the binding. In 2.x (and in the JMS binding in 1.x) we created what we called a binding wire to allow normal interceptors to phases that effectively sit inside the binding however in the 1.x web services binding we had a thing called a PolicyHandler that was called at setup and before and after the invocation. You can see how the existing WS Policy Handler interacts with the Axis context here; http://svn.apache.org/repos/asf/tuscany/sca-java-1.x/trunk/modules/bindi ng-ws-axis2-policy/src/main/java/org/apache/tuscany/sca/binding/ws/axis2 /policy/wspolicy/WSSecurityPolicyHandler.java This policy handler is registered with the infrastructure by this file; http://svn.apache.org/repos/asf/tuscany/sca-java-1.x/trunk/modules/bindi ng-ws-axis2-policy/src/main/resources/META-INF/services/org.apache.tusca ny.sca.policy.util.PolicyHandler In the 2.x code base we have a binding chain in the web services binding so that you can get at the axis message context between the invoker and when the message gets put out onto the transport. There is a REFERENCE_BINDING_POLICY and a SERVICE_BINDING_POLICY now amongst others. In the binding.ws case on the reference side the Axis OperationClient is put in the binding context. You can get at it in a binding chain interceptor with OperationClient operationClient = msg.getBindingContext(); So you can affect the way that the message will be sent. On the service side the binding context is the Axis MessageContext which can be retrieved as follows MessageContext messageContext = msg.getBindingContext(); Take a look at the basic authentication policy to see how this hangs together http://svn.apache.org/repos/asf/tuscany/sca-java-2.x/trunk/modules/bindi ng-ws-runtime-axis2/src/main/java/org/apache/tuscany/sca/binding/ws/axis 2/policy/authentication/basic/ We haven't tried porting the Rampart based WS security policy over to the new framework in the 2.x code base yet so it maybe that we need to improve the framework to as we do that. If you want to have a go with the security policy in the 2.x code base you want to implement I'm sure we'd be happy to make any infrastructure fixes you need to make it possible. Simon -- Apache Tuscany committer: tuscany.apache.org Co-author of a book about Tuscany and SCA: tuscanyinaction.com Classification: UNCLASSIFIED Caveats: NONE Classification: UNCLASSIFIED Caveats: NONE
