Hi Andrei,

Thanks for clearing up the confusion. That's enough to get me going now.

Regards,
Sam


On 27/11/2013 11:21 p.m., Andrei Shakirin wrote:
Hi Sam,

As I have already written, of course, WS-Policy can reference elements from the SOAP
header or body using XPath expressions.

For example:
  <wsp:Policy
         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" >
        <!-- Policy P1 -->
    <wsp:ExactlyOne>
      <wsp:All> <!-- Alternative A1 -->
        <sp:SignedElements>
          <sp:XPath>/S:Envelope/S:Body/ElementXYZ</sp:XPath>
        </sp:SignedElements>
        <sp:EncryptedElements>
          <sp:XPath>/S:Envelope/S:Body</sp:XPath>
        </sp:EncryptedElements>
      </wsp:All>
      <wsp:All> <!-- Alternative A2 -->
        <sp:SignedParts>
          <sp:Body />
          <sp:Header
                 Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts>
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

But these references are not related to binding WSDL <-> WS-Policy.
You can apply this policy even with a Java-first service or client. The CXF policy
engine will apply the policy assertions to the SOAP message and use the XPath expressions
for this message accordingly.

Regards,
Andrei.

-----Original Message-----
From: Sam [mailto:[email protected]]
Sent: Mittwoch, 27. November 2013 10:39
To: Andrei Shakirin
Cc: [email protected]
Subject: Re: Best practice of using external WS-Policy files with CXF?

Hi Andrei,

For option c, assuming the policy is reusable and specifies xml signing then
encrypt for soap request header and body. Then how does the policy target
soap request header & body without using a or b? That's the part I am
confused about. For usernameToken policy, there is no need to target wsdl
parts, but for signing/encrypt, policy does need to target wsdl parts.

Thanks
Sam

On 27/11/2013 1:15 a.m., Andrei Shakirin wrote:
Hi Sam,

-----Original Message-----
From: Sam [mailto:[email protected]]
Sent: Dienstag, 26. November 2013 10:20
To: Andrei Shakirin
Cc: [email protected]
Subject: Re: Best practice of using external WS-Policy files with CXF?

Hi Andrei,

This does mean the policy imported in option c could be using:
- option a: wsdl already contains <wsp:PolicyReference
URI="#policyId"/> so the policy applied at runtime will define actual
<wsp:Policy wsu:Id="policyId"> or
- option b: policyattachment element

and CXF should still work right?
Not sure that I got your question. If you use option (c), it doesn't matter
how your policy is related to the WSDL.
You load the file with the WS-Policy yourself, parse it with Neethi and apply it to the
POLICY_OVERRIDE message property. That's all.
All other policies related to the WSDL will be ignored in this case. Take a look at the
CXF PolicyInInterceptor and PolicyOutInterceptor code.
Regards,
Andrei.

Thanks
Sam


On 25/11/2013 6:20 a.m., Andrei Shakirin wrote:
Hi Sam,

-----Original Message-----
From: Sam [mailto:[email protected]]
Sent: Sonntag, 24. November 2013 00:39
To: Andrei Shakirin
Cc: [email protected]
Subject: Re: Best practice of using external WS-Policy files with CXF?

Hi Andrei,

I think I will go for option C but the question is if a policy is
targeted at wsdl:input, wsdl:output or sp:header, say signing then
encrypt those parts, then how does policy reference parts of WSDL
without using a) and b).
If you apply WS-Policy using PolicyConstants.POLICY_OVERRIDE (option (c)),
this effective policy is used to trigger interceptors for the current
message and all other WS-Policies from the service model are ignored (see
PolicyInInterceptor and PolicyOutInterceptor for details).
Therefore, it is up to you how to compose and merge the effective policy -
CXF doesn't care about any WSDL relations in this case, it will just use
your effective policy.
Is there any sample code usage/examples of option C in CXF source
code beside BindingPropertiesTest?
I will distil option C into a small sample and link it from my blog
as soon as I find a bit of time to do that.
Regards,
Andrei.

Thanks
Sam


On 21/11/2013 4:16 a.m., Andrei Shakirin wrote:
Hi,

The policies that you found in
rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j
don't reference WSDL, but refer to parts of the SOAP message to be signed or
encrypted.
That is not related to binding WS-Policy to WSDL.

To bind the policies you have the following options:
a) Embed WS-Policy into WSDL
b) use WS-PolicyAttachment
c) apply policy dynamically at runtime

As Dennis said, you could refer to these CXF documents:
http://cxf.apache.org/docs/ws-policy.html,
http://cxf.apache.org/docs/how-to-define-policies.html
and my blog:
http://ashakirin.blogspot.de/2012/02/using-ws-policy-in-cxf-projects.html

Regards,
Andrei.


-----Original Message-----
From: Sam [mailto:[email protected]]
Sent: Dienstag, 19. November 2013 12:01
To: [email protected]
Subject: Best practice of using external WS-Policy files with CXF?

Hi all,

I found many sample policy files within
/apache-cxf-2.7.6-src/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j
that don't use the wsu:Id attribute at all in <wsp:Policy>, i.e.
<wsp:Policy wsu:Id="test_policy">.
This implies the WSDL doesn't even need to use
<wsp:PolicyReference> to use them. Instead these policy files use
something like the following to refer to parts of WSDL.

           <sp:SignedParts>
             <sp:Body/>
             <sp:Header Name="Header" Namespace="http://www.sdj.pl"/>
           </sp:SignedParts>
           <sp:SignedParts>
             <sp:Body/>
             <sp:Header Namespace="http://www.sdj.pl"/>
           </sp:SignedParts>

             or use xpath like

         <sp:EncryptedElements>
             <sp:XPath>//soap:Body</sp:XPath>
           </sp:EncryptedElements>

            <sp:SignedElements>
             <sp:XPath>//ser:Header</sp:XPath>
           </sp:SignedElements>

So just to confirm, is CXF capable of applying these reusable,
external WS-Policy files to WSDL at runtime without modifying
WSDL to use <wsp:PolicyReference>?
What is the best practice of applying external WS-Policy files with
CXF?
I see no need to use <wsp:PolicyAttachment> at all if the above
approach works for CXF. <wsp:PolicyAttachment> seems much less
flexible.
All the CXF examples and forum discussions I read seem to suggest
it's best to embed policy within WSDL but I can't see the cons of
using external WS-Policy files like above.

What am I trying to do? I read the link
http://ashakirin.blogspot.co.nz/2013/04/cxf-security-getting-certificates-from.html
and try to implement a WS client that can apply WS-Policy
dynamically at run time without touching WSDL.

Thanks in advance,

Sam
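
Option (c) from the thread (load the policy file yourself, parse it with Neethi, set POLICY_OVERRIDE), as an added example that is not part of the original messages and is not CXF's own sample code. The class name, method names and resource path are hypothetical; it assumes a CXF 2.x/3.x client with the WS-Policy and WS-Security modules on the classpath and key material configured separately.

```java
import java.io.InputStream;
import java.util.Map;
import javax.xml.ws.BindingProvider;   // jakarta.xml.ws on CXF 4.x

import org.apache.cxf.Bus;
import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.policy.PolicyConstants;
import org.apache.neethi.Policy;

/** Added example: applying an external WS-Policy file at runtime. */
public final class PolicyOverrideExample {

    private PolicyOverrideExample() { }

    /**
     * Parses a policy document with the bus's Neethi-based PolicyBuilder.
     * The resource is read from the classpath so that the security policy
     * ships with the application and cannot be swapped by request data.
     */
    static Policy loadPolicy(Bus bus, String resource) throws Exception {
        PolicyBuilder builder = bus.getExtension(PolicyBuilder.class);
        if (builder == null) {
            throw new IllegalStateException("CXF WS-Policy module is not available on this bus");
        }
        try (InputStream in = PolicyOverrideExample.class.getResourceAsStream(resource)) {
            if (in == null) {
                // Fail closed: a missing file must not silently leave messages unprotected.
                throw new IllegalArgumentException("Policy resource not found: " + resource);
            }
            return builder.getPolicy(in);
        }
    }

    /**
     * Sets the parsed policy as the effective policy for calls on this proxy.
     * As described in the thread, policies attached through the WSDL are then ignored.
     */
    static void applyPolicy(Object port, Policy policy) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(PolicyConstants.POLICY_OVERRIDE, policy);
    }

    // Usage, with a hypothetical generated proxy "port" and resource name:
    //   Bus bus = org.apache.cxf.BusFactory.getDefaultBus();
    //   applyPolicy(port, loadPolicy(bus, "/policies/sign-encrypt-policy.xml"));
}
```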
