axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Savitsky, Alex" <>
Subject RE: [Rampart] What is the correct way to secure a JAX-WS service?
Date Thu, 08 May 2008 13:12:30 GMT
Hi Nandana,

Yes, I looked at this thread, and it's confusing, at best. I can deploy the rampart module
all right (one doesn't need the Lifecycle for that, just drop rampart.mar in the WEB-INF/modules),
but the problem is - it doesn't load the policy (specified in the axis2.xml, as there's no
other place to put it, really). Looking at the source code, it seems that the policyInclude
that was used to hold the policy in 1.3, was deprecated in 1.4 in favor of policySubject -
but there's no consensus between the Axis classes on which one to use. The policy is correctly
loaded into the AxisConfiguration's policySubject property at Axis startup (verified via debugger),
but the subsequent service loading (via JAXWSDeployer) doesn't seem to care about the policySubject,
using the deprecated policyInclude instead. I suspect this is a bug, especially that it doesn't
look like anyone from Axis team has tried this particular (JAX-WS + Rampart) configuration
just yet (I hope the JAX-WS will be addressed in more details in Rampart 1.4).

Nevertheless, I will continue my investigations, bugs or not. I believe I'm close...



From: Nandana Mihindukulasooriya []
Sent: May 7, 2008 11:51 PM
Subject: Re: [Rampart] What is the correct way to secure a JAX-WS service?

Hi Alex,
      Have you looked at  this thread  [1] ?


[1] -

On Wed, May 7, 2008 at 10:26 PM, Savitsky, Alex <<>>

Usually, Axis2 services are secured using Rampart, by engaging the module, and specifying
the policy in services.xml. However, this won't do for services deployed via JAX-WS annotations,
as there's no services.xml file there. The module could still be deployed, as long as it's
placed in WEB-INF/modules - but where would one have to place the policy file, for it to be
picked up by the Rampart? Are there any annotations one has to specify on the service endpoint,
to specify that the service is using WS-Security?

I looked at the @HandlerCHain annotation, but the Rampart handlers are not based on the JAX-WS
handler interfaces, but on some internal Axis2 ones, and thus cannot be used in JAX-WS handler

And final question - does Rampart even support JAX-WS style services?



This communication including any information transmitted with it is
intended only for the use of the addressees and is confidential.
If you are not an intended recipient or responsible for delivering
the message to an intended recipient, any review, disclosure,
conversion to hard copy, dissemination, reproduction or other use
of any part of this communication is strictly prohibited, as is the
taking or omitting of any action in reliance upon this communication.
If you receive this communication in error or without authorization
please notify us immediately by return e-mail or otherwise and
permanently delete the entire communication from any computer,
disk drive, or other storage medium.

If the above disclaimer is not properly readable, it can be found at<>

Ce courriel, ainsi que tout renseignement ci-inclus, destiné uniquement
aux destinataires susmentionnés,  est confidentiel.  Si vous
n'êtes pas le destinataire prévu ou un agent responsable de la
livraison de ce courriel, tout examen, divulgation, copie, impression,
reproduction, distribution, ou autre utilisation d'une partie de ce
courriel est strictement interdit de même que toute intervention ou
abstraction à cet égard.  Si vous avez reçu ce message par erreur ou
sans autorisation, veuillez en aviser immédiatement l'expéditeur par
retour de courriel ou par un autre moyen et supprimer immédiatement
cette communication entière de tout système électronique.

Si l'avis de non-responsabilité ci-dessus n'est pas lisible, vous
pouvez le consulter à<>

View raw message