On 02/03/2012 02:38 PM, COURTAULT Francois wrote:
Hello Dan and Glen,
"Quite likely the required approach, yes. If the WSDL contains policies and
the policy engine is turned on (which is the default starting in CXF 2.3), then the
policy based interceptors will be automatically engaged. Using the non-policy based
approach may interfere with it."
Yes, this is what I have seen.
" Clarification: if you *don't* include the cxf-rt-ws-policy dependency (as listed
in the blog article), then any WS-Policy statements in the WSDL will be ignored, and in
that case you can use the WSS4J interceptor approach to manually add headers."
In fact I don't use maven, I have, in my Eclipse project, included all the jars
of the apache-cxf-2.5.2/lib folder.
I strongly encourage you to switch to Maven, and then import the Maven
project into Eclipse. My WSDL-first blog tutorial shows the whole
process (end of Step #5 for Eclipse import):
http://www.jroller.com/gmazza/entry/web_service_tutorial. Web service
development is much more clumsy/stressful without it.
Does that mean that, by doing that, I have included the cxf-rt-ws-policy ?
I presume.
What is the standard classpath for an CXF client ?
Much too complex today to define outside of Maven. There's a WHICH_JARS
file that might help if you want to do things manually:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/lib/WHICH_JARS?view=markup
Now I have another issue: I try to write a client which has to target a
Webservice which uses Asymmetric bindings. Again, the WSDL contains policy
statements. So according to what you have said, I have to use the
SecurityPolicy option in order to not have interference.
Unless, again, you've not included the policy dependency which would
cause it to be ignored. But the WS-SecPol security configuration method
anyway should be fine for your needs.
The problem I have is I haven't found any sample with this option for this kind
of configuration :-(
I have only found some info at
http://cxf.apache.org/docs/ws-securitypolicy.html but the ws-security samples
(specially the signing part) available at
http://cxf.apache.org/docs/ws-security.html uses the WSS4J interceptors option
and not the SecurityPolicy one.
Could anybody help me about this issue: find a sample using the SecurityPolicy
for X509Token (only signing) ?
Link #14 here: http://www.jroller.com/gmazza/entry/blog_article_index
offers two articles: WSS4J interceptor and WS-SecPol, but you're going
to need to use Maven to follow them. I don't know of any non-Mavenized
samples on the 'Net for this, but hopefully others can help in that regard.
Glen
Best Regards.
-----Original Message-----
From: Glen Mazza [mailto:[email protected]]
Sent: vendredi 3 février 2012 20:22
To: [email protected]
Subject: Re: Issue with CXF-2.5.2 regarding UsernameToken
On 02/03/2012 02:08 PM, Daniel Kulp wrote:
On Friday, February 03, 2012 8:02:35 PM COURTAULT Francois wrote:
Hello Glen,
First, my WDSL contains policy statements.
I have read again more carefully your article.
Let me know if I have well understood:
- if the WSDL contains policy statements, the WS-SecurityPolicy
option is the preferred approach: right ?
Quite likely the required approach, yes. If the WSDL contains policies and
the policy engine is turned on (which is the default starting in CXF
2.3), then the policy based interceptors will be automatically
engaged. Using the non-policy based approach may interfere with it.
Clarification: if you *don't* include the cxf-rt-ws-policy dependency (as
listed in the blog article), then any WS-Policy statements in the WSDL will be
ignored, and in that case you can use the WSS4J interceptor approach to
manually add headers.
- if the WSDL doesn't contain policy
statements, the WSS4J interceptors option is required: right ?
You CAN, using configuration, provide a policy attachment that would define a
security policy and drive the policy based interceptors that way. Definitely
tricky though.
But does
that mean also that you cannot use this option if the WSDL contains
policy statements ?
So, if the answer to above question is yes, the CXF client coding rules are:
- if your WSDL contains policy statements, you have no choice, you
have to use WS-SecurityPolicy option: right ? - if your WSDL doesn't
contains policy statements, you have no choice, you have to use WSS4J
interceptors
option: right ?
I think that's the easy answer. The more complete answer is that you COULD
use the WSS4J interceptors along with a custom interceptor that assert the
various policies and likely remove/skip the policy based things. Definitely
more work though.
Dan
Best Regards.
-----Original Message-----
From: Glen Mazza [mailto:[email protected]]
Sent: vendredi 3 février 2012 19:42
To: [email protected]<mailto:[email protected]>
Subject: Re: Issue with CXF-2.5.2 regarding UsernameToken
Once *you* decide which one you want--your choice but if the WSDL
doesn't have security policy statements it will need to be
WSS4J--just follow my blog entry, making changes as explained in the
tutorial depending on the option you wanted. For example, the code
segment referenced had instructions just before it telling you to
comment out / uncomment the particular segment depending on the method you
chose.
Glen
On 02/03/2012 01:33 PM, COURTAULT Francois wrote:
Hello,
OK but how do you choose the method WSS4J interceptors or
WS-SecurityPolicy ?
Best Regards.
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza<http://www.jroller.com/gmazza>
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
