camel-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Kulp <dk...@apache.org>
Subject Re: CXF proxy for ws security
Date Mon, 26 Nov 2012 19:16:31 GMT

On Nov 21, 2012, at 5:51 AM, Jesper Nygårds <jesper.nygards@gmail.com> wrote:

> Great thanks, Daniel!
> 
> That solved the problem. I have a hard time finding any documentation about
> CXF_MESSAGE mode. What is the difference between this and the PAYLOAD mode?

MESSAGE (or RAW) pretty much is equivalent to passing a raw InputStream through the system.
  Most of CXF's handling is bypassed.  For the most part, this would be very close to just
using the Jetty or other http component, although there are somethings that the CXF component
can do in this scenario (like generate the WSDL).  

CXF_MESSAGE mode is similar to the JAX-WS Message mode for Provider/Dispatch clients where
the entire message is available in the route.   All of the CXF processing is available as
this is handled internally just like the Provider/Dispatches.   Downside is that the entire
message is parsed and is likely in memory (SAAJ).

PAYLOAD mode is somewhat similar to the PAYLOAD mode for Provider/Dispatches.   The only information
available in the route is the contents of the soap:Body.   However, CXF's processing is more
optimized for this use case which, in some scenarios, allows streaming to continue for this.
  However, it's a StAX based streaming, not input/output stream based streaming like in MESSAGE/RAW
mode.     Also, in PAYLOAD mode, I believe that since it's just the body pushed through the
route, things like headers are, by default, stripped off.   In CXF_MESSAGE mode, you may need
to write some code to remove headers.  (conversely, in PAYLOAD mode, you may need code to
copy headers if needed)

There are upsides and downsides for each of the three modes.


Dan




> 
> Jesper
> 
> 
> 
> On Tue, Nov 20, 2012 at 9:31 PM, Daniel Kulp <dkulp@apache.org> wrote:
> 
>> 
>> With MESSAGE mode, camel-cxf pretty much keeps everything as a stream and
>> bypasses much of the CXF interceptor chain and conversions and such.   In
>> some cases, that's very good.  Performance and stuff works well.  However,
>> it also means a lot of CXF's processing capabilities are not used/usable.
>> 
>> If you flip to PAYLOAD mode or the new CXF_MESSAGE mode, it will likely
>> work find for you.   Those will behave more like normal CXF clients/servers
>> that would allow all the ws-security stuff to work.
>> 
>> Dan
>> 
>> 
>> 
>> On Nov 20, 2012, at 10:01 AM, Jesper Nygårds <jesper.nygards@gmail.com>
>> wrote:
>> 
>>> I have a scenario where I want to add wss signing to an outgoing web
>>> service call. I am trying to accomplish this by using a cxf consumer and
>> a
>>> cxf producer wired together by camel as a simple proxy.
>>> 
>>> The idea is this: a system sends an un-signed SOAP request to our CXF web
>>> service requiring no security. The call is then routed to a CXF client,
>>> which signs th eoutgoing message using wss. This way, the original caller
>>> does not concern itself with any security related issues.
>>> 
>>> I have included our spring configuration below. The problem is that the
>>> call gets routed as it should through the two CXF beans, but the outgoing
>>> call leaves the CXF client without being signed. There is no trace of any
>>> wss headers in the outgoing call.
>>> 
>>> Turning on debugging, I can see that the WSS4JOutInterceptor is invoked,
>>> and it writes to the debug messages that it has created a
>>> xmldsig:SignedInfo element, but this is never added to the outgoing
>>> message. Can anyone here throw some light on this problem?
>>> 
>>> Here's the configuration:
>>> 
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> 
>>> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="
>>> http://www.w3.org/2001/XMLSchema-instance" xmlns:camel="
>>> http://camel.apache.org/schema/spring"
>>>   xmlns:cxf="http://camel.apache.org/schema/cxf" xmlns:context="
>>> http://www.springframework.org/schema/context"
>>>   xsi:schemaLocation="http://www.springframework.org/schema/beans
>>> http://www.springframework.org/schema/beans/spring-beans.xsd
>>>      http://www.springframework.org/schema/context
>>> http://www.springframework.org/schema/context/spring-context.xsd
>>>      http://camel.apache.org/schema/spring
>>> http://camel.apache.org/schema/spring/camel-spring.xsd
>>>      http://camel.apache.org/schema/cxf
>>> http://camel.apache.org/schema/cxf/camel-cxf.xsd">
>>> 
>>>   <import resource="classpath:META-INF/cxf/cxf.xml" />
>>> 
>>>   <cxf:cxfEndpoint id="receiveOutgoingMessageEndpoint"
>>> wsdlURL="etc/SendOccupationalPensionService.wsdl"
>>> address="/sendOccupationalPension"
>>>       serviceName="s:SendOccupationalPensionService" xmlns:s="
>>> http://ssek.ic.afa.se/">
>>>       <cxf:properties>
>>>           <entry key="dataFormat" value="MESSAGE" />
>>>       </cxf:properties>
>>>   </cxf:cxfEndpoint>
>>> 
>>>   <cxf:cxfEndpoint id="sendOutgoingMessageEndpoint" address="
>>> http://localhost:8088/mockSendOccupationalPensionResponseToFKSOAPBinding
>> ">
>>>       <cxf:properties>
>>>           <entry key="dataFormat" value="MESSAGE" />
>>>       </cxf:properties>
>>>       <cxf:outInterceptors>
>>>           <bean
>>> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>>>               <constructor-arg>
>>>                   <map>
>>>                       <entry key="action" value="Timestamp Signature" />
>>>                       <entry key="user" value="myservicekey" />
>>>                       <entry key="signatureKeyIdentifier"
>>> value="DirectReference" />
>>>                       <entry key="timeToLive" value="10800" />
>>>                       <entry key="signaturePropFile"
>>> value="classpath:etc/ssek.serviceKeystore.properties" />
>>>                       <entry key="passwordCallbackRef">
>>>                           <bean
>>> class="se.afa.ic.ssek.ServiceKeystorePasswordCallback">
>>>                               <constructor-arg>
>>>                                   <value>myservicekey</value>
>>>                               </constructor-arg>
>>>                               <constructor-arg>
>>>                                   <value>skpass</value>
>>>                               </constructor-arg>
>>>                           </bean>
>>>                       </entry>
>>>                       <entry key="signatureParts"
>>>                           value="{Element}{
>>> 
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body
>> "
>>> />
>>>                   </map>
>>>               </constructor-arg>
>>>           </bean>
>>>       </cxf:outInterceptors>
>>>   </cxf:cxfEndpoint>
>>> 
>>>   <camelContext id="camelContext" xmlns="
>>> http://camel.apache.org/schema/spring">
>>>       <route trace="true">
>>>           <from uri="cxf:bean:receiveOutgoingMessageEndpoint" />
>>>           <to uri="cxf:bean:sendOutgoingMessageEndpoint" />
>>>       </route>
>>>   </camelContext>
>>> 
>>> </beans>
>> 
>> --
>> Daniel Kulp
>> dkulp@apache.org - http://dankulp.com/blog
>> Talend Community Coder - http://coders.talend.com
>> 
>> 

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com


Mime
View raw message