I am not sure about policies that are outside of the classpath. I
have only tried loading policies via the classpath.
The uri is resolved to something similiar to a spring Resource. So
you might be able to reference it using a "file:" uri but not sure.
In order to load this via spring what you would do is import your
SignEncrypt.xml file into spring. See attached I modified your
policy file so it can be imported by spring. So you can reference it
as a normal spring import statement:
<import resouce="SignEncrypt.xml" />
Not sure whether you will need to use classpath, or a file reference
or what, but spring will tell you if it cannot import it.
Then what you can do in your interface instead of referencing the xml
file, is use the spring reference like so:
@Policies({ @Policy(uri ="#SignAndEncryptPolicy") })
Cheers
Jason
On Thu, Oct 18, 2012 at 5:56 PM, Flavio Campana
<[email protected]> wrote:
> Thanks for all the answers.
> What i'm trying to do is to create a secure web service with UsernameToken,
> Signing and Encription.
> if i understood correctly all the info, i need to:
>
> provide a CallbackHandler which sets the keystore password for DECRYPT and
> SIGNATURE action, and check the hashed password for USERNMANE_TOKEN.
> Create a policy file (attached)
> Annotate the WS interface with @Policies({ @Policy(uri =
> "policy:SignEncrypt.xml") }) (it's placed under WEB-INF/policies, should i
> use a different uri? How can i load this with spring?)
>
>
> Il 18/10/2012 03:02, [email protected] ha scritto:
>
> Out of the couple I highlighted I eventually decided to go with using
> externalAttachment and wrote my own DomainExpressionBuilder and
> DomainExpression.
>
> What I wanted to be able to do was apply a single security policy to
> all jaxws:endpoints at the operation level for all except the "ping"
> operation which I wanted
> to have free to access.
>
> This was extremely simple to achieve.
>
> In my spring xml I registered:
>
> <p:externalAttachment
> location="classpath:/wspolicy/UsernamePasswordTimestampPolicy.xml"/>
>
> <!-- register a policy attachment appliesto checker! -->
> <bean id="com.pellcorp.spring.security.DomainExpressionBuilder"
> class="com.pellcorp.spring.security.DomainExpressionBuilder" />
>
> My UsernamePasswordTimestampPolicy.xml has an namespace of
> xmlns:myns="http://pellcorp.com/security/policy"; and an AppliesTo:
>
> <wsp:AppliesTo>
> <myns:OperationMatch />
> </wsp:AppliesTo>
>
> Then my expression builder has this element as the supported type:
>
> new QName("http://pellcorp.com/security/policy";, "OperationMatch")
>
> I then implemented the public boolean appliesTo(BindingMessageInfo
> messageInfo) {
>
> if (Type.INPUT.equals(messageInfo.getMessageInfo().getType())) {
> String operationName =
> messageInfo.getBindingOperation().getName().getLocalPart();
> return !"ping".equalsIgnoreCase(operationName);
> }
>
> It works wonderfully on the server and with 2.7.1 snapshot the
> relevent policy reference and policy are included in the wsdl.
>
> Cheers
> Jason
>
> On Thu, Oct 18, 2012 at 11:45 AM, <[email protected]> wrote:
>
> Actually java first in cxf supports ws-policy very nicely. I have been
> contributing some additional work in this area and I don't think you need to
> go to the trouble of having to manually manipulate a wsdl post gen.
>
> With 2.7.1 snapshot I have added additional work to ensure that even if you
> want to use external ws policy attachments you can have them applied at the
> binding operation level.
>
> Or you can annotate the web service interface with either a classpath
> reference to a policy file or you can use a #id to refer to q policy
> embedded in spring context. You can use spring imports to import a policy
> file but it will need to be embedded in a spring bean xml tag.
>
> I have been very happy with all these approaches and performed a lot of
> testing and it works very well in 2.7 onwards. 2.7.1 just has one
> enhancement to include policies ij wsdl that have been applied at the op
> message level.
>
> Happy to provide additional info about all this
>
> Sent from my Galaxy S2
>
> On Oct 18, 2012 8:38 AM, "Glen Mazza" <[email protected]> wrote:
>
> I'd recommend building a Java-first web service in order to auto-generate
> a WSDL[1, link 3][2], then with WSDL in hand switch to a WSDL-first
> implementation where you can do whatever security options you want [1, links
> 11-21, also the CXF WS-* samples].
>
> Glen
>
> [1] http://www.jroller.com/gmazza/entry/blog_article_index (link 3)
> [2]
> http://cxf.apache.org/docs/defining-contract-first-webservices-with-wsdl-generation-from-java.html
>
> On 10/17/2012 03:04 AM, Flavio Campana wrote:
>
> Hi everyone,
> i was looking for some example of implementing a web service with CXF
> wich used WS-Security and WS-SecurityPolicy using a code first approach.
> Do you know if there are any?
>
> Thanks.
>
>
> --
> Glen Mazza
> Talend Community Coders - coders.talend.com
> blog: www.jroller.com/gmazza
>
>
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.w3.org/ns/ws-policy http://www.w3.org/2007/02/ws-policy.xsd";>
<wsp:Policy wsu:Id="SignAndEncryptPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=".../AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=".../Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:IncludeTimestamp />
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken>
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</beans>
