Hi, The policy what you found in rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j don't reference WSDL, but refer parts of SOAP message to be signed or encrypted. That is not related to binding WS-Policy to WSDL.
To bind the policies you have following options: a) Embed WS-Policy into WSDL b) use WS-PolicyAttachment c) apply policy dynamically at runtime As Dennis said, you could refer to this CXF documents http://cxf.apache.org/docs/ws-policy.html, http://cxf.apache.org/docs/how-to-define-policies.html and my blog: http://ashakirin.blogspot.de/2012/02/using-ws-policy-in-cxf-projects.html Regards, Andrei. > -----Original Message----- > From: Sam [mailto:[email protected]] > Sent: Dienstag, 19. November 2013 12:01 > To: [email protected] > Subject: Best practice of using external WS-Policy files with CXF? > > Hi all, > > I found many sample policy files within /apache-cxf-2.7.6- > src/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j > that don't use wsu:Id attribute at all in <wsp:Policy>, i.e. <wsp:Policy > wsu:Id="test_policy">. > This implies the WSDL doesn't even need to use <wsp:PolicyReference> to > use them. Instead these policy files use something like the following to refer > to parts of WSDL. > > <sp:SignedParts> > <sp:Body/> > <sp:Header Name="Header" Namespace="http://www.sdj.pl"/> > </sp:SignedParts> > <sp:SignedParts> > <sp:Body/> > <sp:Header Namespace="http://www.sdj.pl"/> > </sp:SignedParts> > > or use xpath like > > <sp:EncryptedElements> > <sp:XPath>//soap:Body</sp:XPath> > </sp:EncryptedElements> > > <sp:SignedElements> > <sp:XPath>//ser:Header</sp:XPath> > </sp:SignedElements> > > So just to confirm, is CXF capable of applying these reusable, external WS- > Policy files to WSDL at runtime without modifying WSDL to use > <wsp:PolicyReference>? > What is the best practice of applying external WS-Policy files with CXF? > > I see no need to use <wsp:PolicyAttachment> at all if the above approach > work for CXF. <wsp:PolicyAttachment> seems much less flexisble. > All the CXF examples and forum discussions I read seem to suggest it's best > to embed policy within WSDL but I can't see CONs of useing external WS- > Policy files like above. > > What am I trying to do? I read the link > http://ashakirin.blogspot.co.nz/2013/04/cxf-security-getting-certificates- > from.html > and try to implement a WS client that can apply WS-Policy dynamically at run > time without touching WSDL. > > Thanks in advance, > > Sam
