On Tue, 04 Oct 2011 10:16:14 +0200
Alessio Soldano <[email protected]> wrote:

> You can configure the org.apache.cxf.ws.policy.AlternativeSelector [1]
> to be used in the Bus, either through the spring configuration or with
> something like:
> 
> bus.getExtension(PolicyEngine.class).setAlternativeSelector(new MaximalAlternativeSelector());
> 
> The default selector is the MinimalAlternativeSelector.

Yes, I'm aware of this. But the alternative will be selected without looking
into the actual request and selecting the appropriate policy.

Simple use case: 

Two alternatives, one which enforces a <sp:WssX509V3Token10/>
the other one enforces a <sp:WssX509Pkcs7Token10/>

so that both token types are allowed but no other kind of Token.
Or a use case where both an asymmetric and a symmetric binding are allowed for a
particular operation with specific keys? Or...

How can it be done with CXF?

Thanks

Marc


> 
> Cheers
> Alessio
> 
> [1] http://cxf.apache.org/docs/wspconfiguration.html
> 
> On 10/04/2011 08:44 AM, Marc Giger wrote:
> > Hi
> > 
> > Yesterday I tried to setup CXF with WS-Policy via annotations. The following
> > Policy with two alternatives was applied:
> > 
> > <wsp:Policy xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
> >             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >         <sp:AsymmetricBinding>
> >             <wsp:Policy>
> >                 <sp:InitiatorToken>
> >                     <wsp:Policy>
> >                         <sp:X509Token>
> >                             <wsp:Policy>
> >                                 <sp:WssX509V3Token11/>
> >                             </wsp:Policy>
> >                         </sp:X509Token>
> >                     </wsp:Policy>
> >                 </sp:InitiatorToken>
> >                 <sp:RecipientToken>
> >                     <wsp:Policy>
> >                         <sp:X509Token>
> >                             <wsp:Policy>
> >                                 <sp:WssX509V3Token11/>
> >                             </wsp:Policy>
> >                         </sp:X509Token>
> >                     </wsp:Policy>
> >                 </sp:RecipientToken>
> >                 <sp:IncludeTimestamp/>
> >             </wsp:Policy>
> >         </sp:AsymmetricBinding>
> >         <sp:SignedParts>
> >             <sp:Body/>
> >         </sp:SignedParts>
> >         <sp:SignedElements>
> >             <!-- The IncludeTimestamp says that the Timestamp must be
> >                  integrity protected either by transport or by message
> >                  level security. We enforce message level protection here: -->
> >             <sp:XPath xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> >                       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >                 /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
> >             </sp:XPath>
> >         </sp:SignedElements>
> >     </wsp:All>
> >     <wsp:All>
> >         <sp:AsymmetricBinding>
> >             <wsp:Policy>
> >                 <sp:InitiatorToken>
> >                     <wsp:Policy>
> >                         <sp:X509Token>
> >                             <wsp:Policy>
> >                                 <sp:WssX509V3Token11/>
> >                             </wsp:Policy>
> >                         </sp:X509Token>
> >                     </wsp:Policy>
> >                 </sp:InitiatorToken>
> >                 <sp:RecipientToken>
> >                     <wsp:Policy>
> >                         <sp:X509Token>
> >                             <wsp:Policy>
> >                                 <sp:WssX509V3Token11/>
> >                             </wsp:Policy>
> >                         </sp:X509Token>
> >                     </wsp:Policy>
> >                 </sp:RecipientToken>
> >                 <sp:IncludeTimestamp/>
> >             </wsp:Policy>
> >         </sp:AsymmetricBinding>
> >         <sp:SignedParts>
> >             <sp:Body/>
> >         </sp:SignedParts>
> >         <sp:SignedElements>
> >             <!-- The IncludeTimestamp says that the Timestamp must be
> >                  integrity protected either by transport or by message
> >                  level security. We enforce message level protection here: -->
> >             <sp:XPath xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> >                       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >                 /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
> >             </sp:XPath>
> >         </sp:SignedElements>
> >         <sp:EncryptedParts>
> >             <sp:Body/>
> >         </sp:EncryptedParts>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> > 
> > The expectation from my side was that one of the alternatives is chosen
> > based on the actual request. But CXF chooses per default the alternative
> > with the lowest number of assertions without taking the actual request
> > into account. Then this selected alternative (effective Policy) is always
> > used for all subsequent requests.
> > 
> > Is this correct, or did I miss something? Is there a switch to change this
> > behavior?
> > 
> > Thanks
> > 
> > Marc
> > 
> > 
> 
> 
> -- 
> Alessio Soldano
> Web Service Lead, JBoss


-- 

itServe AG
M.Sc. Marc Giger
Länggassstrasse 26
3000 Bern 9
Tel.: +41 31 305 16 16
Fax:  +41 31 305 16 17

Direkt: +41 31 305 43 27
Email: [email protected]

http://www.itserve.ch
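The selection behaviour discussed in this thread, as an added Python example (not CXF code and not part of the thread): it normalizes a constructed WS-Policy of the same shape into its `ExactlyOne` alternatives, reproduces the request-blind "fewest assertions" choice Alessio describes, and contrasts it with a request-aware selection that only accepts an alternative whose assertions the message actually satisfies. The policy and the three request evidence sets are constructed; an evidence set stands in for what a WS-Security layer reports about a message and is not parsed from a real SOAP envelope.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Constructed sample policy in the shape of the one quoted in the thread: two
# <wsp:All> alternatives, one requiring a V3 X.509 token and a signed body,
# the other a PKCS#7 token with the body both signed and encrypted.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding><wsp:Policy>
        <sp:InitiatorToken><wsp:Policy><sp:X509Token><wsp:Policy>
          <sp:WssX509V3Token10/></wsp:Policy></sp:X509Token></wsp:Policy></sp:InitiatorToken>
        <sp:RecipientToken><wsp:Policy><sp:X509Token><wsp:Policy>
          <sp:WssX509V3Token10/></wsp:Policy></sp:X509Token></wsp:Policy></sp:RecipientToken>
        <sp:IncludeTimestamp/>
      </wsp:Policy></sp:AsymmetricBinding>
      <sp:SignedParts><sp:Body/></sp:SignedParts>
    </wsp:All>
    <wsp:All>
      <sp:AsymmetricBinding><wsp:Policy>
        <sp:InitiatorToken><wsp:Policy><sp:X509Token><wsp:Policy>
          <sp:WssX509Pkcs7Token10/></wsp:Policy></sp:X509Token></wsp:Policy></sp:InitiatorToken>
        <sp:RecipientToken><wsp:Policy><sp:X509Token><wsp:Policy>
          <sp:WssX509Pkcs7Token10/></wsp:Policy></sp:X509Token></wsp:Policy></sp:RecipientToken>
        <sp:IncludeTimestamp/>
      </wsp:Policy></sp:AsymmetricBinding>
      <sp:SignedParts><sp:Body/></sp:SignedParts>
      <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""


def _leaf_paths(elem, prefix=()):
    """Yield 'Outer/Inner/Leaf' paths for the sp:* leaves under elem, looking
    through the wsp:Policy wrappers that only group nested assertions."""
    sp_children = [c for c in elem if c.tag.startswith("{" + SP + "}")]
    wrappers = [c for c in elem if c.tag == "{" + WSP + "}Policy"]
    if not sp_children and not wrappers:
        yield "/".join(prefix)
        return
    for child in sp_children:
        yield from _leaf_paths(child, prefix + (child.tag.rsplit("}", 1)[-1],))
    for wrapper in wrappers:
        yield from _leaf_paths(wrapper, prefix)


def alternatives(policy_xml):
    """Normalize the policy: one (top-level assertion count, requirement set)
    per <wsp:All> inside <wsp:ExactlyOne>, in document order."""
    root = ET.fromstring(policy_xml)
    result = []
    for all_elem in root.iter("{" + WSP + "}All"):
        top_level = [c for c in all_elem if c.tag.startswith("{" + SP + "}")]
        result.append((len(top_level), frozenset(_leaf_paths(all_elem))))
    return result


def select_minimal(alts):
    """Request-blind choice: the alternative with the fewest top-level
    assertions, decided once and then reused for every message."""
    return min(range(len(alts)), key=lambda i: alts[i][0])


def select_for_request(alts, evidence):
    """Request-aware choice: only alternatives whose every requirement the
    message evidence satisfies qualify; among those, prefer the one demanding
    the most protection. None means no alternative fits and the message
    should be rejected rather than matched against a fallback."""
    fitting = [i for i, (_, reqs) in enumerate(alts) if reqs <= evidence]
    if not fitting:
        return None
    return max(fitting, key=lambda i: len(alts[i][1]))


def effective_vs_actual(alts, evidence):
    """The thread's complaint in one place: whether the message passes the
    alternative fixed up front, versus which alternative it actually fits."""
    fixed = select_minimal(alts)
    return {
        "fixed_alternative": fixed,
        "request_satisfies_fixed": alts[fixed][1] <= evidence,
        "fitting_alternative": select_for_request(alts, evidence),
    }


def _evidence(token, *parts):
    """Constructed stand-in for what the WS-Security layer reports about a
    message, in the same path vocabulary as the policy (not parsed from SOAP)."""
    return frozenset({
        f"AsymmetricBinding/InitiatorToken/X509Token/{token}",
        f"AsymmetricBinding/RecipientToken/X509Token/{token}",
        "AsymmetricBinding/IncludeTimestamp", *parts})


REQUEST_V3 = _evidence("WssX509V3Token10", "SignedParts/Body")
REQUEST_PKCS7 = _evidence("WssX509Pkcs7Token10", "SignedParts/Body", "EncryptedParts/Body")
REQUEST_V1 = _evidence("WssX509V1Token10", "SignedParts/Body", "EncryptedParts/Body")  # allowed by neither

if __name__ == "__main__":
    alts = alternatives(SAMPLE_POLICY)
    for name, ev in [("V3", REQUEST_V3), ("PKCS7", REQUEST_PKCS7), ("V1", REQUEST_V1)]:
        print(name, effective_vs_actual(alts, ev))
```

Running it shows the two selectors disagree on the PKCS#7 message: the request-blind choice fixes the first alternative and the message fails it, even though the policy author intended the second alternative to admit it, while the V1-token message fits no alternative and gets `None`, which is the point at which a server should reject rather than fall back to a default.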
