Thanks for all the answers.
What i'm trying to do is to create a secure web service with
UsernameToken, Signing and Encription.
if i understood correctly all the info, i need to:
* provide a CallbackHandler which sets the keystore password for
DECRYPT and SIGNATURE action, and check the hashed password for
USERNMANE_TOKEN.
* Create a policy file (attached)
* Annotate the WS interface with @Policies({ @Policy(uri =
"policy:SignEncrypt.xml") }) (it's placed under WEB-INF/policies,
should i use a different uri? How can i load this with spring?)
Il 18/10/2012 03:02, [email protected] ha scritto:
Out of the couple I highlighted I eventually decided to go with using
externalAttachment and wrote my own DomainExpressionBuilder and
DomainExpression.
What I wanted to be able to do was apply a single security policy to
all jaxws:endpoints at the operation level for all except the "ping"
operation which I wanted
to have free to access.
This was extremely simple to achieve.
In my spring xml I registered:
<p:externalAttachment
location="classpath:/wspolicy/UsernamePasswordTimestampPolicy.xml"/>
<!-- register a policy attachment appliesto checker! -->
<bean id="com.pellcorp.spring.security.DomainExpressionBuilder"
class="com.pellcorp.spring.security.DomainExpressionBuilder" />
My UsernamePasswordTimestampPolicy.xml has an namespace of
xmlns:myns="http://pellcorp.com/security/policy"; and an AppliesTo:
<wsp:AppliesTo>
<myns:OperationMatch />
</wsp:AppliesTo>
Then my expression builder has this element as the supported type:
new QName("http://pellcorp.com/security/policy";, "OperationMatch")
I then implemented the public boolean appliesTo(BindingMessageInfo
messageInfo) {
if (Type.INPUT.equals(messageInfo.getMessageInfo().getType())) {
String operationName =
messageInfo.getBindingOperation().getName().getLocalPart();
return !"ping".equalsIgnoreCase(operationName);
}
It works wonderfully on the server and with 2.7.1 snapshot the
relevent policy reference and policy are included in the wsdl.
Cheers
Jason
On Thu, Oct 18, 2012 at 11:45 AM, <[email protected]> wrote:
Actually java first in cxf supports ws-policy very nicely. I have been
contributing some additional work in this area and I don't think you need to
go to the trouble of having to manually manipulate a wsdl post gen.
With 2.7.1 snapshot I have added additional work to ensure that even if you
want to use external ws policy attachments you can have them applied at the
binding operation level.
Or you can annotate the web service interface with either a classpath
reference to a policy file or you can use a #id to refer to q policy
embedded in spring context. You can use spring imports to import a policy
file but it will need to be embedded in a spring bean xml tag.
I have been very happy with all these approaches and performed a lot of
testing and it works very well in 2.7 onwards. 2.7.1 just has one
enhancement to include policies ij wsdl that have been applied at the op
message level.
Happy to provide additional info about all this
Sent from my Galaxy S2
On Oct 18, 2012 8:38 AM, "Glen Mazza" <[email protected]> wrote:
I'd recommend building a Java-first web service in order to auto-generate
a WSDL[1, link 3][2], then with WSDL in hand switch to a WSDL-first
implementation where you can do whatever security options you want [1, links
11-21, also the CXF WS-* samples].
Glen
[1] http://www.jroller.com/gmazza/entry/blog_article_index (link 3)
[2]
http://cxf.apache.org/docs/defining-contract-first-webservices-with-wsdl-generation-from-java.html
On 10/17/2012 03:04 AM, Flavio Campana wrote:
Hi everyone,
i was looking for some example of implementing a web service with CXF
wich used WS-Security and WS-SecurityPolicy using a code first approach.
Do you know if there are any?
Thanks.
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy wsu:Id="SignAndEncryptPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=".../AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=".../Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:IncludeTimestamp />
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken>
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
