Out of the couple I highlighted I eventually decided to go with using
externalAttachment and wrote my own DomainExpressionBuilder and
DomainExpression.
What I wanted to be able to do was apply a single security policy to
all jaxws:endpoints at the operation level for all except the "ping"
operation which I wanted
to have free to access.
This was extremely simple to achieve.
In my spring xml I registered:
<p:externalAttachment
location="classpath:/wspolicy/UsernamePasswordTimestampPolicy.xml"/>
<!-- register a policy attachment appliesto checker! -->
<bean id="com.pellcorp.spring.security.DomainExpressionBuilder"
class="com.pellcorp.spring.security.DomainExpressionBuilder" />
My UsernamePasswordTimestampPolicy.xml has an namespace of
xmlns:myns="http://pellcorp.com/security/policy"; and an AppliesTo:
<wsp:AppliesTo>
<myns:OperationMatch />
</wsp:AppliesTo>
Then my expression builder has this element as the supported type:
new QName("http://pellcorp.com/security/policy";, "OperationMatch")
I then implemented the public boolean appliesTo(BindingMessageInfo
messageInfo) {
if (Type.INPUT.equals(messageInfo.getMessageInfo().getType())) {
String operationName =
messageInfo.getBindingOperation().getName().getLocalPart();
return !"ping".equalsIgnoreCase(operationName);
}
It works wonderfully on the server and with 2.7.1 snapshot the
relevent policy reference and policy are included in the wsdl.
Cheers
Jason
On Thu, Oct 18, 2012 at 11:45 AM, <[email protected]> wrote:
> Actually java first in cxf supports ws-policy very nicely. I have been
> contributing some additional work in this area and I don't think you need to
> go to the trouble of having to manually manipulate a wsdl post gen.
>
> With 2.7.1 snapshot I have added additional work to ensure that even if you
> want to use external ws policy attachments you can have them applied at the
> binding operation level.
>
> Or you can annotate the web service interface with either a classpath
> reference to a policy file or you can use a #id to refer to q policy
> embedded in spring context. You can use spring imports to import a policy
> file but it will need to be embedded in a spring bean xml tag.
>
> I have been very happy with all these approaches and performed a lot of
> testing and it works very well in 2.7 onwards. 2.7.1 just has one
> enhancement to include policies ij wsdl that have been applied at the op
> message level.
>
> Happy to provide additional info about all this
>
> Sent from my Galaxy S2
>
> On Oct 18, 2012 8:38 AM, "Glen Mazza" <[email protected]> wrote:
>>
>> I'd recommend building a Java-first web service in order to auto-generate
>> a WSDL[1, link 3][2], then with WSDL in hand switch to a WSDL-first
>> implementation where you can do whatever security options you want [1, links
>> 11-21, also the CXF WS-* samples].
>>
>> Glen
>>
>> [1] http://www.jroller.com/gmazza/entry/blog_article_index (link 3)
>> [2]
>> http://cxf.apache.org/docs/defining-contract-first-webservices-with-wsdl-generation-from-java.html
>>
>> On 10/17/2012 03:04 AM, Flavio Campana wrote:
>>>
>>> Hi everyone,
>>> i was looking for some example of implementing a web service with CXF
>>> wich used WS-Security and WS-SecurityPolicy using a code first approach.
>>> Do you know if there are any?
>>>
>>> Thanks.
>>
>>
>>
>> --
>> Glen Mazza
>> Talend Community Coders - coders.talend.com
>> blog: www.jroller.com/gmazza
>>
>
