Hello Dan and Glen,
"Quite likely the required approach, yes. If the WSDL contains policies and the policy engine is turned on (which is the default starting in CXF 2.3), then the policy based interceptors will be automatically engaged. Using the non-policy based approach may interfere with it." Yes, this is what I have seen. " Clarification: if you *don't* include the cxf-rt-ws-policy dependency (as listed in the blog article), then any WS-Policy statements in the WSDL will be ignored, and in that case you can use the WSS4J interceptor approach to manually add headers." In fact I don't use maven, I have, in my Eclipse project, included all the jars of the apache-cxf-2.5.2/lib folder. Does that mean that, by doing that, I have included the cxf-rt-ws-policy ? What is the standard classpath for an CXF client ? Now I have another issue: I try to write a client which has to target a Webservice which uses Asymmetric bindings. Again, the WSDL contains policy statements. So according to what you have said, I have to use the SecurityPolicy option in order to not have interference. The problem I have is I haven't found any sample with this option for this kind of configuration :-( I have only found some info at http://cxf.apache.org/docs/ws-securitypolicy.html but the ws-security samples (specially the signing part) available at http://cxf.apache.org/docs/ws-security.html uses the WSS4J interceptors option and not the SecurityPolicy one. Could anybody help me about this issue: find a sample using the SecurityPolicy for X509Token (only signing) ? Best Regards. -----Original Message----- From: Glen Mazza [mailto:[email protected]] Sent: vendredi 3 février 2012 20:22 To: [email protected] Subject: Re: Issue with CXF-2.5.2 regarding UsernameToken On 02/03/2012 02:08 PM, Daniel Kulp wrote: > On Friday, February 03, 2012 8:02:35 PM COURTAULT Francois wrote: >> Hello Glen, >> >> First, my WDSL contains policy statements. >> I have read again more carefully your article. >> >> Let me know if I have well understood: >> - if the WSDL contains policy statements, the WS-SecurityPolicy >> option is the preferred approach: right ? > Quite likely the required approach, yes. If the WSDL contains policies and > the policy engine is turned on (which is the default starting in CXF > 2.3), then the policy based interceptors will be automatically > engaged. Using the non-policy based approach may interfere with it. Clarification: if you *don't* include the cxf-rt-ws-policy dependency (as listed in the blog article), then any WS-Policy statements in the WSDL will be ignored, and in that case you can use the WSS4J interceptor approach to manually add headers. >> - if the WSDL doesn't contain policy >> statements, the WSS4J interceptors option is required: right ? > You CAN, using configuration, provide a policy attachment that would define a > security policy and drive the policy based interceptors that way. Definitely > tricky though. > >> But does >> that mean also that you cannot use this option if the WSDL contains >> policy statements ? >> >> So, if the answer to above question is yes, the CXF client coding rules are: >> - if your WSDL contains policy statements, you have no choice, you >> have to use WS-SecurityPolicy option: right ? - if your WSDL doesn't >> contains policy statements, you have no choice, you have to use WSS4J >> interceptors >> option: right ? > I think that's the easy answer. The more complete answer is that you COULD > use the WSS4J interceptors along with a custom interceptor that assert the > various policies and likely remove/skip the policy based things. Definitely > more work though. > > Dan > > >> Best Regards. >> >> -----Original Message----- >> From: Glen Mazza [mailto:[email protected]] >> Sent: vendredi 3 février 2012 19:42 >> To: [email protected]<mailto:[email protected]> >> Subject: Re: Issue with CXF-2.5.2 regarding UsernameToken >> >> Once *you* decide which one you want--your choice but if the WSDL >> doesn't have security policy statements it will need to be >> WSS4J--just follow my blog entry, making changes as explained in the >> tutorial depending on the option you wanted. For example, the code >> segment referenced had instructions just before it telling you to >> comment out / uncomment the particular segment depending on the method you >> chose. >> >> Glen >> >> On 02/03/2012 01:33 PM, COURTAULT Francois wrote: >>> Hello, >>> >>> OK but how do you choose the method WSS4J interceptors or >>> WS-SecurityPolicy ? >>> >>> Best Regards. -- Glen Mazza Talend Community Coders - coders.talend.com blog: www.jroller.com/gmazza<http://www.jroller.com/gmazza>
