Hi Andrei, that looks just like what I was looking for, thanks!
However, I can't seem to make it work. Applying the policy to service() works fine, but with both bindingOperation.input/output() and portTypeOperation.input/output() I always get mustUnderstand errors for the security headers (even with "...input(.*/.*)") so it looks like the policy either doesn't apply the necessary interceptors or doesn't match outright.

Any ideas what might be wrong?

Jens

Andrei Shakirin wrote
> Hi Jens,
>
>> Wrt PolicyAttachment http://cxf.apache.org/docs/how-it-works.html says that
>> "Currently, CXF supports only domain expressions of type
>> wsa:EndpointReferenceType" to associate policy attachments with policy
>> targets. I suppose that means there is currently no means to select a
>> specific input/output from XML configuration only?
>
> The PolicyAttachment URIDomainExpressionBuilder support was extended in
> CXF 2.7.12 (3.0.0): https://issues.apache.org/jira/browse/CXF-5685
> Therefore you can use the following expressions as well:
> wsdl11.definitions()
> wsdl11.service(service)
> wsdl11.binding(binding)
> wsdl11.bindingOperation(binding/operation)
> wsdl11.bindingOperation.input(binding/operation)
> wsdl11.bindingOperation.output(binding/operation)
> wsdl11.bindingOperation.fault(binding/operation/fault)
>
> See
> https://github.com/apache/cxf/blob/master/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/policy/AddressingPolicyExternalAttachmentWsdl11Test.java
> as a sample.
>
> I will update the documentation.
>
> If you need a really dynamic way to assign the policy, you can consider
> using PolicyConstants.POLICY_OVERRIDE properties in your interceptor:
> http://ashakirin.blogspot.de/2012/02/using-ws-policy-in-cxf-projects.html ;
> http://cxf.apache.org/using-ws-policy-in-cxf-projects (Dynamically via
> message property)
>
> Regards,
> Andrei.
>
>> -----Original Message-----
>> From: Jens [mailto:smixdev@]
>> Sent: Montag, 30. Mai 2016 09:30
>> To: [email protected]
>> Subject: Re: WS-SecurityPolicy and signing faults
>>
>> Thanks, Colm.
>>
>> Unfortunately, that doesn't work for me, either. I'm using a Camel-CXF
>> endpoint to internally forward the messages and I don't actually have a
>> SEI to add annotations to.
>>
>> Wrt PolicyAttachment http://cxf.apache.org/docs/how-it-works.html says that
>> "Currently, CXF supports only domain expressions of type
>> wsa:EndpointReferenceType" to associate policy attachments with policy
>> targets. I suppose that means there is currently no means to select a
>> specific input/output from XML configuration only?
>>
>> Regards,
>> Jens
>>
>> coheigea wrote
>> > Hi Jens,
>> >
>> > You could try using the CXF @Policy annotation on the SEI itself. I
>> > added a test that shows how this can be done:
>> >
>> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/java/org/apache/cxf/systest/ws/fault/FaultTest.java;h=471f07ce0d6a53d7c869240e19ee494be6c360ee;hb=HEAD
>> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/java/org/apache/cxf/systest/ws/fault/DoubleItPortTypeImplJavaFirst.java;h=5e205246c7f4103b3f3d7a25cddd2517430edc83;hb=HEAD
>> >
>> > Two policies are defined on the latter, the security binding policy +
>> > then the actual signed/encrypted parts policy, which is attached on
>> > placement = Placement.BINDING_OPERATION_OUTPUT. This means that it is
>> > only invoked on the normal response, and not if an exception is thrown.
>> >
>> > Note Dan Kulp fixed a bug to get this test to work - before you could
>> > only add policy annotations on methods of an interface, not of the
>> > implementing class.
>> >
>> > Colm.
>> >
>> > On Wed, May 18, 2016 at 2:10 PM, Jens <smixdev@> wrote:
>> >
>> >> Thanks Colm,
>> >>
>> >> I cannot (am not supposed to) change the WSDL so I'm using a
>> >> wsp:PolicyReference on the CXF endpoint.
>> >> Is it possible that way as well?
>> >>
>> >> Jens
>> >>
>> >> coheigea wrote
>> >> > Yes, simply reference the SignedParts policy only in the
>> >> > wsdl:input/output in your wsdl:binding, and not the wsdl:fault.
>> >> >
>> >> > Colm.
>> >> >
>> >> > On Wed, May 18, 2016 at 9:17 AM, Jens <smixdev@> wrote:
>> >> >
>> >> >> Hi,
>> >> >>
>> >> >> I'm using WS-SecurityPolicy to sign my SOAP messages with
>> >> >> SignedParts/Body and OnlySignEntireHeadersAndBody. In previous
>> >> >> versions of CXF, the runtime would never sign outgoing fault
>> >> >> messages. Recent versions seem to now sign fault messages, too. Is
>> >> >> there a way to disable this new behaviour and go back to signing
>> >> >> "regular" responses only? Is there a way to specify that with
>> >> >> WS-Policy?
>> >> >>
>> >> >> Thanks,
>> >> >> Jens
>> >> >>
>> >> >> --
>> >> >> View this message in context:
>> >> >> http://cxf.547215.n5.nabble.com/WS-SecurityPolicy-and-signing-faults-tp5768725.html
>> >> >> Sent from the cxf-user mailing list archive at Nabble.com.
>> >> >
>> >> > --
>> >> > Colm O hEigeartaigh
>> >> >
>> >> > Talend Community Coder
>> >> > http://coders.talend.com
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > Talend Community Coder
>> > http://coders.talend.com
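
The expression syntax from Andrei's quoted reply, written out as an external policy attachment file that asserts SignedParts on an operation's input and output but names no fault. This is an added example, not part of the thread and not taken from the CXF code base. The namespace `http://example.org/doubleit`, the binding `DoubleItBinding` and the operation `DoubleIt` are placeholders, and the security binding policy is assumed to be attached separately (for instance with `wsdl11.service(...)`).

```xml
<!-- Added example (constructed). Placeholders: target namespace
     http://example.org/doubleit, binding DoubleItBinding, operation DoubleIt.
     Each wsp:URI is the WSDL target namespace, '#', then one of the
     wsdl11.* element identifiers listed in the thread. -->
<attachments xmlns:wsp="http://www.w3.org/ns/ws-policy"
             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

    <!-- Request message: the SOAP Body must be signed -->
    <wsp:PolicyAttachment>
        <wsp:AppliesTo>
            <wsp:URI>http://example.org/doubleit#wsdl11.bindingOperation.input(DoubleItBinding/DoubleIt)</wsp:URI>
        </wsp:AppliesTo>
        <wsp:Policy>
            <sp:SignedParts>
                <sp:Body/>
            </sp:SignedParts>
        </wsp:Policy>
    </wsp:PolicyAttachment>

    <!-- Normal response message: the SOAP Body must be signed -->
    <wsp:PolicyAttachment>
        <wsp:AppliesTo>
            <wsp:URI>http://example.org/doubleit#wsdl11.bindingOperation.output(DoubleItBinding/DoubleIt)</wsp:URI>
        </wsp:AppliesTo>
        <wsp:Policy>
            <sp:SignedParts>
                <sp:Body/>
            </sp:SignedParts>
        </wsp:Policy>
    </wsp:PolicyAttachment>

    <!-- No attachment targets
         wsdl11.bindingOperation.fault(DoubleItBinding/DoubleIt/FaultName),
         so this file asserts SignedParts for input and output only. -->
</attachments>
```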
