Yes, i already updated my pom.
Btw, i had a few error with the policy xml, here is the fixed one:
<beans
xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.w3.org/ns/ws-policy
http://www.w3.org/2007/02/ws-policy.xsd";>
<wsp:Policy wsu:Id="SignAndEncryptPolicy"
xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<sp:IncludeTimestamp />
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</beans>
Il 18/10/2012 10:11, [email protected] ha scritto:
Just be sure you are using 2.7.0 for this as there were a few bugs in java
first ws policy support fixed in 2.7.0.
Sent from my Galaxy S2
On Oct 18, 2012 6:12 PM, "Jason Pell" <[email protected]> wrote:
I am not sure about policies that are outside of the classpath. I
have only tried loading policies via the classpath.
The uri is resolved to something similiar to a spring Resource. So
you might be able to reference it using a "file:" uri but not sure.
In order to load this via spring what you would do is import your
SignEncrypt.xml file into spring. See attached I modified your
policy file so it can be imported by spring. So you can reference it
as a normal spring import statement:
<import resouce="SignEncrypt.xml" />
Not sure whether you will need to use classpath, or a file reference
or what, but spring will tell you if it cannot import it.
Then what you can do in your interface instead of referencing the xml
file, is use the spring reference like so:
@Policies({ @Policy(uri ="#SignAndEncryptPolicy") })
Cheers
Jason
On Thu, Oct 18, 2012 at 5:56 PM, Flavio Campana
<[email protected]> wrote:
Thanks for all the answers.
What i'm trying to do is to create a secure web service with
UsernameToken,
Signing and Encription.
if i understood correctly all the info, i need to:
provide a CallbackHandler which sets the keystore password for DECRYPT
and
SIGNATURE action, and check the hashed password for USERNMANE_TOKEN.
Create a policy file (attached)
Annotate the WS interface with @Policies({ @Policy(uri =
"policy:SignEncrypt.xml") }) (it's placed under WEB-INF/policies, should
i
use a different uri? How can i load this with spring?)
Il 18/10/2012 03:02, [email protected] ha scritto:
Out of the couple I highlighted I eventually decided to go with using
externalAttachment and wrote my own DomainExpressionBuilder and
DomainExpression.
What I wanted to be able to do was apply a single security policy to
all jaxws:endpoints at the operation level for all except the "ping"
operation which I wanted
to have free to access.
This was extremely simple to achieve.
In my spring xml I registered:
<p:externalAttachment
location="classpath:/wspolicy/UsernamePasswordTimestampPolicy.xml"/>
<!-- register a policy attachment appliesto checker! -->
<bean id="com.pellcorp.spring.security.DomainExpressionBuilder"
class="com.pellcorp.spring.security.DomainExpressionBuilder" />
My UsernamePasswordTimestampPolicy.xml has an namespace of
xmlns:myns="http://pellcorp.com/security/policy"; and an AppliesTo:
<wsp:AppliesTo>
<myns:OperationMatch />
</wsp:AppliesTo>
Then my expression builder has this element as the supported type:
new QName("http://pellcorp.com/security/policy";, "OperationMatch")
I then implemented the public boolean appliesTo(BindingMessageInfo
messageInfo) {
if (Type.INPUT.equals(messageInfo.getMessageInfo().getType())) {
String operationName =
messageInfo.getBindingOperation().getName().getLocalPart();
return !"ping".equalsIgnoreCase(operationName);
}
It works wonderfully on the server and with 2.7.1 snapshot the
relevent policy reference and policy are included in the wsdl.
Cheers
Jason
On Thu, Oct 18, 2012 at 11:45 AM, <[email protected]> wrote:
Actually java first in cxf supports ws-policy very nicely. I have been
contributing some additional work in this area and I don't think you
need to
go to the trouble of having to manually manipulate a wsdl post gen.
With 2.7.1 snapshot I have added additional work to ensure that even if
you
want to use external ws policy attachments you can have them applied at
the
binding operation level.
Or you can annotate the web service interface with either a classpath
reference to a policy file or you can use a #id to refer to q policy
embedded in spring context. You can use spring imports to import a policy
file but it will need to be embedded in a spring bean xml tag.
I have been very happy with all these approaches and performed a lot of
testing and it works very well in 2.7 onwards. 2.7.1 just has one
enhancement to include policies ij wsdl that have been applied at the op
message level.
Happy to provide additional info about all this
Sent from my Galaxy S2
On Oct 18, 2012 8:38 AM, "Glen Mazza" <[email protected]> wrote:
I'd recommend building a Java-first web service in order to auto-generate
a WSDL[1, link 3][2], then with WSDL in hand switch to a WSDL-first
implementation where you can do whatever security options you want [1,
links
11-21, also the CXF WS-* samples].
Glen
[1] http://www.jroller.com/gmazza/entry/blog_article_index (link 3)
[2]
http://cxf.apache.org/docs/defining-contract-first-webservices-with-wsdl-generation-from-java.html
On 10/17/2012 03:04 AM, Flavio Campana wrote:
Hi everyone,
i was looking for some example of implementing a web service with CXF
wich used WS-Security and WS-SecurityPolicy using a code first approach.
Do you know if there are any?
Thanks.
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
