I figured it out but the documentation wasn't a lot of help. It appears that the EndpointReferenceDomainExpression is being compared to the address configured in the jaxrs-endpoint and not what is in the wsdl. This makes PERFECT sense but as all the example configuration contained the complete URL (including protocol and port: e.g. http://localhost:8080/user-service/userService) I wrongly presumed that it was either reading the address from the actual request and comparing it to the expression or reading it from the configured wsdl address.

So when a configuration looks like this:

<jaxws:endpoint id="userService"
    implementor="com.healthmedia.ws.wsdl.user.v1.UserServiceImpl"
    address="/userService">
  <jaxws:properties>
    <entry key="ws-security.ut.validator" value-ref="validator" />
  </jaxws:properties>
</jaxws:endpoint>

The policy expression should reflect the address above like so:

<?xml version="1.0" encoding="UTF-8" ?>
<attachments xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:i18np="http://www.w3.org/2008/04/ws-i18np"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:PolicyAttachment>
    <wsp:AppliesTo>
      <wsa:EndpointReference>
        <wsa:Address>/userService</wsa:Address>
      </wsa:EndpointReference>
    </wsp:AppliesTo>
    <wsp:Policy>
      <wsp:ExactlyOne>
        <wsp:All>
          <wsp:Policy>
            <i18np:i18n Optional="false" />
          </wsp:Policy>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
  </wsp:PolicyAttachment>
</attachments>

Thanks for the help. This was tremendously frustrating to figure out. Thank god for debuggers!

-Mike

On Thu, Jul 3, 2014 at 7:37 AM, Lambert, Michael <[email protected]> wrote:

> Sorry Andrei,
>
> I didn't think you were going to respond so I moved forward with a solution
> using another technique.
> I would like to solve this issue however so I
> created a branch with the problem:
>
> https://github.com/MacFlecknoe/service-repository-sample/blob/policy-attachement-problem/schema/src/main/resources/policy/authentication-policy.xml
> https://github.com/MacFlecknoe/service-repository-sample/blob/policy-attachement-problem/schema/src/main/resources/service/user-soap-v1.wsdl
> https://github.com/MacFlecknoe/service-repository-sample/blob/policy-attachement-problem/user/service/src/main/webapp/WEB-INF/beans.xml
>
> Could you take another quick peek? Again, the problem is that the policy
> is being completely ignored. The address I have it configured for is both
> reflected in the wsdl and in reality when I start my server.
>
> Also, is there a way to configure the address in the policy so that it is
> dynamic? I am not sure what the end address of the service is going to be
> once it's deployed (e.g. its domain will likely change).
>
> Thanks,
>
> Mike
>
>
> On Thu, Jul 3, 2014 at 4:38 AM, Andrei Shakirin <[email protected]> wrote:
>
>> Hi,
>>
>> I am a bit confused: don't see policy attachments in your configuration,
>> you attach policies direct to endpoint:
>>
>> <jaxws:features>
>>   <bean class="org.apache.cxf.feature.LoggingFeature"/>
>>   <p:policies>
>>     <!-- we attach policies via spring as there are issues leveraging
>>          external policy attachments when using PolicyAttachement with cxf 2.* -->
>>     <wsp:PolicyReference URI="classpath:policy/authentication-policy.xml" />
>>     <wsp:PolicyReference URI="classpath:policy/i18n-policy.xml" />
>>   </p:policies>
>> </jaxws:features>
>>
>> To use policy attachments you need something like:
>>
>> <cxf:bus>
>>   <cxf:features>
>>     <p:policies/>
>>   </cxf:features>
>> </cxf:bus>
>>
>> <p:externalAttachment location="${temp.location}/addr-external.xml"/>
>>
>> Where addr-external.xml is policy attachment:
>>
>> <attachments xmlns:wsp="http://www.w3.org/ns/ws-policy"
>>     xmlns:wsa="http://www.w3.org/2005/08/addressing">
>>   <wsp:PolicyAttachment>
>>     <wsp:AppliesTo>
>>       <wsa:EndpointReference>
>>         <wsa:Address>http://localhost:9020/SoapContext/GreeterPort</wsa:Address>
>>       </wsa:EndpointReference>
>>     </wsp:AppliesTo>
>>     <wsp:Policy>
>>       <wsp:ExactlyOne>
>>         <wsp:All>
>>           <wsam:Addressing xmlns:wsam="http://www.w3.org/2007/02/addressing/metadata">
>>             <wsp:Policy/>
>>           </wsam:Addressing>
>>         </wsp:All>
>>       </wsp:ExactlyOne>
>>     </wsp:Policy>
>>   </wsp:PolicyAttachment>
>> </attachments>
>>
>> I propose that you look into working policy attachments CXF system tests
>> and find the difference with your code.
>> If that doesn't help, please create a small distilled sample with simple
>> policy (for example WS-Addressing) to illustrate your problem, I will look
>> into it.
>>
>> Regards,
>> Andrei.
>>
>> > -----Original Message-----
>> > From: Lambert, Michael [mailto:[email protected]]
>> > Sent: Wednesday, 2 July 2014 15:25
>> > To: [email protected]
>> > Subject: Re: policy attachment
>> >
>> > That's part of the problem Andrei. I have followed the examples and it's just not
>> > working for me. Can you take a look at my policy file and wsdl and see if
>> > anything obvious sticks out as wrong?
>> >
>> > https://github.com/MacFlecknoe/service-repository-sample/blob/master/schema/src/main/resources/policy/authentication-policy.xml
>> > https://github.com/MacFlecknoe/service-repository-sample/blob/master/schema/src/main/resources/service/user-soap-v1.wsdl
>> >
>> > Here is how I have it configured:
>> > https://github.com/MacFlecknoe/service-repository-sample/blob/master/user/service/src/main/webapp/WEB-INF/beans.xml
>> >
>> > It only works when I embed the policy in the wsdl file itself. The external
>> > attachment file loads but doesn't trigger the ws-security policy to fire.
>> >
>> > -Mike
>> >
>> >
>> > On Wed, Jul 2, 2014 at 8:27 AM, Andrei Shakirin <[email protected]> wrote:
>> >
>> > > Hi,
>> > >
>> > > > -----Original Message-----
>> > > > From: Lambert, Michael [mailto:[email protected]]
>> > > > Sent: Wednesday, 2 July 2014 14:05
>> > > > To: [email protected]
>> > > > Subject: RE: policy attachment
>> > > >
>> > > > Thanks Andrei! That helps a lot... I'll try your suggestion and let you know how it
>> > > > goes.
>> > > >
>> > >
>> > > OK.
>> > >
>> > > > Any insight as to why I can't get end point references to work? Is there a trick to
>> > > > configuring it? I followed the example on the samples but can't seem to get it
>> > > > to work with my wsdl. Does the end point need to match what is in the wsdl or
>> > > > what cxf generates the address to be when it starts? Any
>> > > > documentation surrounding this?
>> > >
>> > > This construction should work by default, if endpoint address matches
>> > > to your service:
>> > >
>> > > <attachments xmlns:wsp="http://www.w3.org/ns/ws-policy"
>> > >     xmlns:wsa="http://www.w3.org/2005/08/addressing">
>> > >   <wsp:PolicyAttachment>
>> > >     <wsp:AppliesTo>
>> > >       <wsa:EndpointReference>
>> > >         <wsa:Address>http://localhost:9020/SoapContext/GreeterPort</wsa:Address>
>> > >       </wsa:EndpointReference>
>> > >     </wsp:AppliesTo>
>> > >     <wsp:Policy>
>> > >       <wsp:ExactlyOne>
>> > >         <wsp:All>
>> > >           <wsam:Addressing xmlns:wsam="http://www.w3.org/2007/02/addressing/metadata">
>> > >             <wsp:Policy/>
>> > >           </wsam:Addressing>
>> > >         </wsp:All>
>> > >       </wsp:ExactlyOne>
>> > >     </wsp:Policy>
>> > >   </wsp:PolicyAttachment>
>> > > </attachments>
>> > >
>> > > For details, look into addr-external.xml and AddressingPolicyTest.java in
>> > > systests/ws-specs:
>> > >
>> > > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/policy;h=5e6323442952eb619300582a2ced25cf861f6118;hb=HEAD
>> > >
>> > > Regards,
>> > > Andrei.
>> > >
>> > >
>> > > >
>> > > > Thanks much!
>> > > > On Jul 2, 2014 3:19 AM, "Andrei Shakirin" <[email protected]> wrote:
>> > > >
>> > > > > Hi,
>> > > > >
>> > > > > If you use CXF >= 3.0.0, 2.7.12,
>> > > > > you should register
>> > > > > org.apache.cxf.ws.policy.attachment.external.URIDomainExpressionBuilder
>> > > > > as bus extension.
>> > > > > It supports all policy attachment URL syntaxes (except extension).
>> > > > >
>> > > > > By default CXF registers the
>> > > > > org.apache.cxf.ws.policy.attachment.external.EndpointReferenceDomainExpressionBuilder
>> > > > > supporting only wsa:EndpointReference.
>> > > > >
>> > > > > See https://issues.apache.org/jira/browse/CXF-5685 for details.
>> > > > >
>> > > > > Either add following string into META-INF/cxf/bus-extensions.txt:
>> > > > >
>> > > > > org.apache.cxf.ws.policy.attachment.external.URIDomainExpressionBuilder::true
>> > > > >
>> > > > > or add bean in Spring/Blueprint context with
>> > > > > URIDomainExpressionBuilder type.
>> > > > >
>> > > > > System test registering URIDomainExpressionBuilder:
>> > > > > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/policy/AddressingPolicyExternalAttachmentWsdl11Test.java;h=d44ee8decf628a57edbf402bc6d8ff0c0042b649;hb=HEAD
>> > > > >
>> > > > > If you use CXF version < 3.0.0, 2.7.12, just copy the classes
>> > > > > URIDomainExpressionBuilder.java, URIDomainExpression.java and
>> > > > > register URIDomainExpressionBuilder as bus extension.
>> > > > >
>> > > > > Let me know if it works as expected.
>> > > > >
>> > > > > Regards,
>> > > > > Andrei.
>> > > > >
>> > > > > > -----Original Message-----
>> > > > > > From: Lambert, Michael [mailto:[email protected]]
>> > > > > > Sent: Wednesday, 2 July 2014 08:13
>> > > > > > To: [email protected]
>> > > > > > Subject: policy attachment
>> > > > > >
>> > > > > > I feel awful for asking so many questions but googling hasn't been helpful.
>> > > > > >
>> > > > > > I am attempting to attach an external security policy to an endpoint with no
>> > > > > > success. When I attempt to use a wsp:URI in the AppliesTo element cxf blows up.
>> > > > > > Here is the contents of the file:
>> > > > > >
>> > > > > > ----
>> > > > > > <?xml version="1.0" encoding="UTF-8" ?>
>> > > > > > <attachments
>> > > > > >     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>> > > > > >     xmlns:wsa="http://www.w3.org/2005/08/addressing"
>> > > > > >     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> > > > > >   <wsp:PolicyAttachment>
>> > > > > >     <wsp:AppliesTo>
>> > > > > >       <wsp:URI>
>> > > > > >         http://cxf.apache.org/testutils/wsdl/greeter_control.wsdl#wsdl.port(GreeterService/GreeterPort)
>> > > > > >       </wsp:URI>
>> > > > > >     </wsp:AppliesTo>
>> > > > > >     <wsp:Policy>
>> > > > > >       <wsp:ExactlyOne>
>> > > > > >         <wsp:All>
>> > > > > >           <wsp:Policy>
>> > > > > >             <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>> > > > > >               <wsp:Policy>
>> > > > > >                 <sp:WssUsernameToken10 />
>> > > > > >               </wsp:Policy>
>> > > > > >             </sp:UsernameToken>
>> > > > > >           </wsp:Policy>
>> > > > > >         </wsp:All>
>> > > > > >       </wsp:ExactlyOne>
>> > > > > >     </wsp:Policy>
>> > > > > >   </wsp:PolicyAttachment>
>> > > > > > </attachments>
>> > > > > >
>> > > > > > ----
>> > > > > > And here is the error:
>> > > > > > ----
>> > > > > > Caused by: javax.xml.ws.WebServiceException:
>> > > > > > org.apache.cxf.ws.policy.PolicyException:
>> > > > > > NO_DOMAINEXPRESSIONBUILDER_EXC
>> > > > > > ----
>> > > > > > It appears that the wsp:URI element passed into
>> > > > > > DomainExpressionBuilderRegistry.build(Element element) has null contents for
>> > > > > > a reason that I cannot figure out. I have tried different syntaxes and URLs to try
>> > > > > > to get it to work and it's always null.
>> > > > > >
>> > > > > > Putting an EndpointReference in the AppliesTo element doesn't error:
>> > > > > >
>> > > > > > <wsa:EndpointReference><wsa:Address>http://localhost:8080/user-service/userService</wsa:Address>
>> > > > > > </wsa:EndpointReference>
>> > > > > >
>> > > > > > But it doesn't work either. It never seems to intercept calls to the service hosted
>> > > > > > at the configured URL. The ONLY way I have been able to get it to
>> > > > > > work is by embedding the policy in the wsdl. I don't want to do
>> > > > > > that however as I want a
>> > > > > > mediator to handle the policy and would like the contract policies to be configured
>> > > > > > differently in different environments.
>> > > > > >
>> > > > > >
>> > > > > > Any help would be appreciated. I am tearing my hair out over this. I can't be the
>> > > > > > only one attempting to do this.
>> > > > > >
>> > > > > > The code is on github:
>> > > > > >
>> > > > > > https://github.com/MacFlecknoe/service-repository-sample/blob/master/schema/src/main/resources/policy/authentication-policy.xml
>> > > > > >
>> > > > > > Thanks.
>> > > > > >
>> > > > > > Mike
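
The thread's failure mode is silent: an external attachment whose wsa:Address differs from the configured endpoint address loads without error, and the security policy is never enforced. The following check is an added example, not part of the original thread or of CXF; it assumes, as the top message reports, that the match is a plain string comparison against the jaxws:endpoint address attribute, and the function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://www.w3.org/ns/ws-policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "jaxws": "http://cxf.apache.org/jaxws",
}

# Constructed sample input modelled on the snippets in the thread.
BEANS_XML = """<beans xmlns:jaxws="http://cxf.apache.org/jaxws">
  <jaxws:endpoint id="userService" address="/userService"/>
</beans>"""

# Constructed: one attachment scoped to the full URL, one to the configured address.
ATTACHMENT_XML = """<attachments xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsp:PolicyAttachment><wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>http://localhost:8080/user-service/userService</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo><wsp:Policy/></wsp:PolicyAttachment>
  <wsp:PolicyAttachment><wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>/userService</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo><wsp:Policy/></wsp:PolicyAttachment>
</attachments>"""


def endpoint_addresses(beans_xml):
    """Addresses exactly as written on jaxws:endpoint elements."""
    root = ET.fromstring(beans_xml)
    found = (e.get("address") for e in root.iterfind(".//jaxws:endpoint", NS))
    return {a for a in found if a}


def audit(beans_xml, attachment_xml):
    """Return (dead_scopes, uncovered_endpoints), both sorted.

    Assumption taken from the thread: an attachment applies only when its
    wsa:Address equals the configured endpoint address as a string.
    Surrounding whitespace in wsa:Address is stripped before comparing.
    """
    configured = endpoint_addresses(beans_xml)
    path = ".//wsp:AppliesTo/wsa:EndpointReference/wsa:Address"
    scoped = {(a.text or "").strip()
              for a in ET.fromstring(attachment_xml).iterfind(path, NS)}
    return sorted(scoped - configured), sorted(configured - scoped)


if __name__ == "__main__":
    dead, uncovered = audit(BEANS_XML, ATTACHMENT_XML)
    for addr in dead:
        print("attachment matches no endpoint:", addr)
    for addr in uncovered:
        print("endpoint has no external policy:", addr)
```

Run against the real beans.xml and attachment file in a build step, a non-empty first list means a policy that will never fire, and a non-empty second list means an endpoint that no external attachment covers.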
