One of the big selling points of WS-Security is that it allows security
through intermediaries - so parts of a message may be signed or
encrypted for a third-party endpoint, rather than the actual service
consumer or service provider involved in an exchange.

But it's not obvious how to implement this in practical terms. Suppose I
have a CXF service provider which is functioning as an intermediary with
regard to some part of the message (say it's a payment authorization
token I need to send to a payment service). I could use a DOM
representation for the encrypted or signed data, allowing me to pass it
back out without modification when communicating with the third party,
but what about the WS-Security headers that go along with this? Is there
a way of selectively passing on these headers through some sort of
configuration, or would I need to use custom interceptors to somehow
capture them on the way in and add them back in the outbound message to
the third party?

Thanks for any suggestions,
- Dennis
--
Dennis M. Sosnoski
Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
Axis2/CXF/Metro SOA and Web Services Training
<http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>