Hi all,

I found many sample policy files within /apache-cxf-2.7.6-src/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j that don't use the wsu:Id attribute at all in <wsp:Policy>, i.e. <wsp:Policy wsu:Id="test_policy">. This implies the WSDL doesn't even need to use <wsp:PolicyReference> to use them. Instead, these policy files use something like the following to refer to parts of the WSDL.

      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Name="Header" Namespace="http://www.sdj.pl"/>
      </sp:SignedParts>
      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Namespace="http://www.sdj.pl"/>
      </sp:SignedParts>

or use XPath like

      <sp:EncryptedElements>
        <sp:XPath>//soap:Body</sp:XPath>
      </sp:EncryptedElements>

      <sp:SignedElements>
        <sp:XPath>//ser:Header</sp:XPath>
      </sp:SignedElements>

So just to confirm, is CXF capable of applying these reusable, external WS-Policy files to WSDL at runtime without modifying WSDL to use <wsp:PolicyReference>?
What is the best practice of applying external WS-Policy files with CXF?

I see no need to use <wsp:PolicyAttachment> at all if the above approach works for CXF. <wsp:PolicyAttachment> seems much less flexible. All the CXF examples and forum discussions I read seem to suggest it's best to embed policy within the WSDL, but I can't see the cons of using external WS-Policy files like above.

What am I trying to do? I read the link http://ashakirin.blogspot.co.nz/2013/04/cxf-security-getting-certificates-from.html and am trying to implement a WS client that can apply WS-Policy dynamically at run time without touching the WSDL.

Thanks in advance,

Sam
