cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > WS-SecurityPolicy
Date Tue, 24 Jul 2012 14:07:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecurityPolicy">WS-SecurityPolicy</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
        <br/>
                         <h4>Changes (12)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-unchanged" >h1. WS-SecurityPolicy <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >CXF 2.2 introduced support for
using [WS-SecurityPolicy|http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html]
to configure WSS4J instead of the custom configuration documented on the <span class="diff-changed-words">[WS-Security<span
class="diff-added-chars"style="background-color: #dfd;">|WS-Security</span>]</span>
page.  However, all of the &quot;background&quot; material on the <span class="diff-changed-words">[WS-Security<span
class="diff-added-chars"style="background-color: #dfd;">|WS-Security</span>]</span>
page still applies and is important to know.   WS-SecurityPolicy just provides an easier and
more standards based way to configure and control the security requirements.   With the security
requirements documented in the WSDL as <span class="diff-changed-words">[WS-Policy<span
class="diff-added-chars"style="background-color: #dfd;">|WS-Policy</span>]</span>
fragments, other tools such as .NET can easily know how to configure themselves to inter-operate
with CXF services. <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br>h3. Enabling
WS-SecurityPolicy <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">In
CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available on the classpath,
the WS-SecurityPolicy stuff is automatically enabled.   Since the entire security runtime
is policy driven, the only requirement is that the policy engine and security policies be
available.   <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">If
you are using the full &quot;bundle&quot; jar, all the security and policy stuff is
already included.    <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">In
CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available on the classpath,
the WS-SecurityPolicy stuff is automatically enabled.   Since the entire security runtime
is policy driven, the only requirement is that the policy engine and security policies be
available. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">If
you are using the full &quot;bundle&quot; jar, all the security and policy stuff is
already included. <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br>h3. Policy description
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">With
WS-SecurityPolicy, the binding and/or operation in the wsdl references a [WS-Policy] fragment
that describes the basic security requirements for interacting with that service.   The [WS-SecurityPolicy
specification|http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html]
allows for specifying things like asymmetric/symmetric keys, using transports (https) for
encryption, which parts/headers to encrypt or sign, whether to sign then encrypt or encrypt
then sign, whether to include timestamps, whether to use derived keys, etc...   Basically,
it describes what actions are necessary to securely interact with the service described in
the WSDL. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">However,
the WS-SecurityPolicy fragment does not include &quot;everything&quot; that is required
for a runtime to be able to able to create the messages.  It does not describe things such
as locations of key stores, user names and passwords, etc...  Those need to be configured
in at runtime to augment the WS-SecurityPolicy fragment.   <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">With
WS-SecurityPolicy, the binding and/or operation in the wsdl references a [WS-Policy|WS-Policy]
fragment that describes the basic security requirements for interacting with that service.
  The [WS-SecurityPolicy specification|http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html]
allows for specifying things like asymmetric/symmetric keys, using transports (https) for
encryption, which parts/headers to encrypt or sign, whether to sign then encrypt or encrypt
then sign, whether to include timestamps, whether to use derived keys, etc...   Basically,
it describes what actions are necessary to securely interact with the service described in
the WSDL. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">However,
the WS-SecurityPolicy fragment does not include &quot;everything&quot; that is required
for a runtime to be able to able to create the messages.  It does not describe things such
as locations of key stores, user names and passwords, etc...  Those need to be configured
in at runtime to augment the WS-SecurityPolicy fragment. <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
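Review bot: the Policy description paragraph re-added at the end of this hunk still carries the duplicated words in "to be able to able to create the messages" and the stray preposition in "configured in at runtime"; since the line is being rewritten anyway it could read "to be able to create the messages" and "configured at runtime". The two Enabling WS-SecurityPolicy paragraphs above it are deleted and re-added with only trailing whitespace changed, which adds diff noise without any content change.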
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >There are several extra properties
that may need to be set to provide the additional bits of information to the runtime. Note
that you should check that a particular property is supported in the version of CXF you are
using. <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">|
ws-security.username | The username used for UsernameToken policy assertions | <br>|
ws-security.password | The password used for UsernameToken policy assertions.   If not specified,
the callback handler will be called. | <br>| ws-security.callback-handler | The WSS4J
security CallbackHandler that will be used to retrieve passwords for keystores and UsernameTokens.
| <br>| ws-security.signature.properties | The properties file/object that contains
the WSS4J properties for configuring the signature keystore and crypto objects | <br>|
ws-security.encryption.properties | The properties file/object that contains the WSS4J properties
for configuring the encryption keystore and crypto objects | <br>| ws-security.signature.username
| The username or alias for the key in the signature keystore that will be used.   If not
specified, it uses the the default alias set in the properties file.  If that&#39;s also
not set, and the keystore only contains a single key, that key will be used. | <br>|
ws-security.encryption.username | The username or alias for the key in the encryption keystore
that will be used.   If not specified, it uses the the default alias set in the properties
file.  If that&#39;s also not set, and the keystore only contains a single key, that key
will be used.  For the web service provider, the useReqSigCert keyword can be used to accept
(encrypt to) any client whose public key is in the service&#39;s truststore (defined in
ws-security.encryption.properties.) | <br>| ws-security.signature.crypto | Instead of
specifying the signature properties, this can point to the full [WSS4J Crypto|http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html]
object.  This can allow easier &quot;programmatic&quot; configuration of the Crypto
information.&quot; <br>| ws-security.encryption.crypto | Instead of specifying the
encryption properties, this can point to the full [WSS4J Crypto|http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html]
object.  This can allow easier &quot;programmatic&quot; configuration of the Crypto
information.&quot; | <br>| ws-security.subject.cert.constraints | This configuration
tag is a comma separated String of regular expressions which will be applied to the subject
DN of the certificate used for signature validation, after trust verification of the certificate
chain associated with the  certificate. These constraints are not used when the certificate
is contained in the keystore (direct trust).| <br>| ws-security.is-bsp-compliant | Whether
to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default value is
&quot;true&quot;.| <br>| ws-security.timestamp.futureTimeToLive |  This configuration
tag specifies the time in seconds in the future within which the Created time of an incoming
Timestamp is valid. WSS4J rejects by default any timestamp which is &quot;Created&quot;
in the future, and so there could potentially be <br>problems in a scenario where a
client&#39;s clock is slightly askew. The default value for this parameter is &quot;0&quot;,
meaning that no future-created Timestamps are allowed.| <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h4.
User properties <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">|
ws-security.username | The user&#39;s name. It is used differently by each of the WS-Security
functions, see [here|http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME]
for more information. | <br>| ws-security.password | The user&#39;s password when
&quot;ws-security.callback-handler&quot; is not defined. It is currently only used
for the case of adding a password to a UsernameToken. | <br>| ws-security.signature.username
| The user&#39;s name for signature. It is used as the alias name in the keystore to get
the user&#39;s cert and private key for signature. See [here|http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME]
for more information. | <br>| ws-security.encryption.username | The user&#39;s name
for encryption. It is used as the alias name in the keystore to get the user&#39;s public
key for encryption. See [here|http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME]
for more information.| <br> <br>h4. Callback Class and Crypto properties <br>
<br>| ws-security.callback-handler | The CallbackHandler [implementation|http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER]
class used to obtain passwords.| <br>| ws-security.saml-callback-handler | The SAML
CallbackHandler [implementation|http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER]
class used to construct SAML Assertions.| <br>| ws-security.signature.properties | The
Crypto property [configuration|http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_PROPERTIES]
to use for signature, if &quot;ws-security.signature.crypto&quot; is not set instead.|
<br>| ws-security.encryption.properties | The Crypto property [configuration|http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES]
to use for encryption, if &quot;ws-security.encryption.crypto&quot; is not set instead.
| <br>| ws-security.signature.crypto | A Crypto [object|http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html]
to be used for signature. If this is not defined then &quot;ws-security.signature.properties&quot;
is used instead.| <br>| ws-security.encryption.crypto | A Crypto [object|http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html]
to be used for encryption. If this is not defined then &quot;ws-security.encryption.properties&quot;
is used instead.| <br> <br>h4. Other properties <br> <br>| ws-security.subject.cert.constraints
| This configuration tag is a comma separated String of regular expressions which will be
applied to the subject DN of the certificate used for signature validation, after trust verification
of the certificate chain associated with the  certificate. These constraints are not used
when the certificate is contained in the keystore (direct trust). | <br>| ws-security.is-bsp-compliant
| Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The default
value is &quot;true&quot;. | <br>| ws-security.timestamp.futureTimeToLive |
This configuration tag specifies the time in seconds in the future within which the Created
time of an incoming Timestamp is valid. WSS4J rejects by default any timestamp which is &quot;Created&quot;
in the future, and so there could potentially be\\ <br> problems in a scenario where
a client&#39;s clock is slightly askew. The default value for this parameter is &quot;0&quot;,
meaning that no future-created Timestamps are allowed. | <br> <br></td></tr>
            <tr><td class="diff-unchanged" >*Note:* for Symmetric bindings that
specify a protection token, the ws-security-encryption properties are used. <br> <br></td></tr>
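Review bot: the new ws-security.encryption.username row drops the sentence from the deleted table explaining that, for the web service provider, the useReqSigCert keyword accepts (encrypts to) any client whose public key is in the service's truststore; the jaxws:endpoint example further down the page still sets value="useReqSigCert", so that explanation should be carried over into the User properties table. The ws-security.timestamp.futureTimeToLive row also now contains a wiki forced line break (\\) in the middle of "there could potentially be ... problems", which should be removed.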
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="WS-SecurityPolicy-WSSecurityPolicy"></a>WS-SecurityPolicy</h1>

<p>CXF 2.2 introduced support for using <a href="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html"
class="external-link" rel="nofollow">WS-SecurityPolicy</a> to configure WSS4J instead
of the custom configuration documented on the <a href="/confluence/display/CXF20DOC/WS-Security"
title="WS-Security">WS-Security</a> page.  However, all of the "background" material
on the <a href="/confluence/display/CXF20DOC/WS-Security" title="WS-Security">WS-Security</a>
page still applies and is important to know.   WS-SecurityPolicy just provides an easier and
more standards-based way to configure and control the security requirements.   With the security
requirements documented in the WSDL as <a href="/confluence/display/CXF20DOC/WS-Policy"
title="WS-Policy">WS-Policy</a> fragments, other tools such as .NET can easily know
how to configure themselves to interoperate with CXF services.</p>


<h3><a name="WS-SecurityPolicy-EnablingWSSecurityPolicy"></a>Enabling WS-SecurityPolicy</h3>

<p>In CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available
on the classpath, WS-SecurityPolicy support is automatically enabled.   Since the entire
security runtime is policy driven, the only requirement is that the policy engine and security
policies be available.</p>

<p>If you are using the full "bundle" jar, all the security and policy modules are already
included.</p>


<h3><a name="WS-SecurityPolicy-Policydescription"></a>Policy description</h3>

<p>With WS-SecurityPolicy, the binding and/or operation in the WSDL references a <a
href="/confluence/display/CXF20DOC/WS-Policy" title="WS-Policy">WS-Policy</a> fragment
that describes the basic security requirements for interacting with that service.   The <a
href="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html" class="external-link"
rel="nofollow">WS-SecurityPolicy specification</a> allows for specifying things like
asymmetric/symmetric keys, using the transport (HTTPS) for encryption, which parts/headers to
encrypt or sign, whether to sign then encrypt or encrypt then sign, whether to include timestamps,
whether to use derived keys, etc.   Basically, it describes what actions are necessary to
securely interact with the service described in the WSDL.</p>

<p>However, the WS-SecurityPolicy fragment does not include "everything" that is required
for a runtime to be able to create the messages.  It does not describe things such
as locations of key stores, user names and passwords, etc.  Those need to be configured
at runtime to augment the WS-SecurityPolicy fragment.</p>


<h3><a name="WS-SecurityPolicy-Configuringtheextraproperties"></a>Configuring
the extra properties</h3>

<p>There are several extra properties that may need to be set to provide the additional
bits of information to the runtime. Note that you should check that a particular property
is supported in the version of CXF you are using.</p>

<h4><a name="WS-SecurityPolicy-Userproperties"></a>User properties</h4>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> ws-security.username </td>
<td class='confluenceTd'> The user's name. It is used differently by each of the WS-Security
functions, see <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#USERNAME"
class="external-link" rel="nofollow">here</a> for more information. </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.password </td>
<td class='confluenceTd'> The user's password when "ws-security.callback-handler" is
not defined. It is currently only used for the case of adding a password to a UsernameToken.
</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.signature.username </td>
<td class='confluenceTd'> The user's name for signature. It is used as the alias name
in the keystore to get the user's cert and private key for signature. See <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_USERNAME"
class="external-link" rel="nofollow">here</a> for more information. </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.encryption.username </td>
<td class='confluenceTd'> The user's name for encryption. It is used as the alias name
in the keystore to get the user's public key for encryption. See <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_USERNAME"
class="external-link" rel="nofollow">here</a> for more information.</td>
</tr>
</tbody></table>
</div>


<h4><a name="WS-SecurityPolicy-CallbackClassandCryptoproperties"></a>Callback
Class and Crypto properties</h4>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> ws-security.callback-handler </td>
<td class='confluenceTd'> The CallbackHandler <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#CALLBACK_HANDLER"
class="external-link" rel="nofollow">implementation</a> class used to obtain passwords.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.saml-callback-handler </td>
<td class='confluenceTd'> The SAML CallbackHandler <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SAML_CALLBACK_HANDLER"
class="external-link" rel="nofollow">implementation</a> class used to construct SAML
Assertions.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.signature.properties </td>
<td class='confluenceTd'> The Crypto property <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#SIGNATURE_PROPERTIES"
class="external-link" rel="nofollow">configuration</a> to use for signature, if "ws-security.signature.crypto"
is not set instead.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.encryption.properties </td>
<td class='confluenceTd'> The Crypto property <a href="http://cxf.apache.org/javadoc/latest/org/apache/cxf/ws/security/SecurityConstants.html#ENCRYPT_PROPERTIES"
class="external-link" rel="nofollow">configuration</a> to use for encryption, if
"ws-security.encryption.crypto" is not set instead. </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.signature.crypto </td>
<td class='confluenceTd'> A Crypto <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html"
class="external-link" rel="nofollow">object</a> to be used for signature. If this
is not defined then "ws-security.signature.properties" is used instead.</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.encryption.crypto </td>
<td class='confluenceTd'> A Crypto <a href="http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html"
class="external-link" rel="nofollow">object</a> to be used for encryption. If this
is not defined then "ws-security.encryption.properties" is used instead.</td>
</tr>
</tbody></table>
</div>


<h4><a name="WS-SecurityPolicy-Otherproperties"></a>Other properties</h4>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> ws-security.subject.cert.constraints </td>
<td class='confluenceTd'> This configuration tag is a comma separated String of regular
expressions which will be applied to the subject DN of the certificate used for signature
validation, after trust verification of the certificate chain associated with the certificate.
These constraints are not used when the certificate is contained in the keystore (direct trust).
</td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.is-bsp-compliant </td>
<td class='confluenceTd'> Whether to ensure compliance with the Basic Security Profile
(BSP) 1.1 or not. The default value is "true". </td>
</tr>
<tr>
<td class='confluenceTd'> ws-security.timestamp.futureTimeToLive </td>
<td class='confluenceTd'> This configuration tag specifies the time in seconds in the
future within which the Created time of an incoming Timestamp is valid. WSS4J rejects by default
any timestamp which is "Created" in the future, and so there could potentially be
problems in a scenario where a client's clock is slightly askew. The default value for this
parameter is "0", meaning that no future-created Timestamps are allowed. </td>
</tr>
</tbody></table>
</div>


<p><b>Note:</b> for Symmetric bindings that specify a protection token,
the ws-security.encryption.* properties are used.</p>


<h4><a name="WS-SecurityPolicy-ConfiguringviaSpring"></a>Configuring via
Spring</h4>

<p>The properties are easily configured as client or endpoint properties: use the former
for the SOAP client, the latter for the web service provider.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
   <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
   <span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://cxf.apache.org/jaxws"</span>
   xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
   http://cxf.apache.org/jaxws
   http://cxf.apache.org/schemas/jaxws.xsd"&gt;

   &lt;jaxws:client name=<span class="code-quote">"{http://cxf.apache.org}MyPortName"</span>
      createdFromAPI=<span class="code-quote">"true"</span>&gt;
      <span class="code-tag">&lt;jaxws:properties&gt;</span>
         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>
             value=<span class="code-quote">"interop.client.KeystorePasswordCallback"</span>/&gt;
         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>
             value=<span class="code-quote">"etc/client.properties"</span>/&gt;
         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>
             value=<span class="code-quote">"etc/service.properties"</span>/&gt;
         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>
             value=<span class="code-quote">"servicekeyalias"</span>/&gt;
      <span class="code-tag">&lt;/jaxws:properties&gt;</span>
   <span class="code-tag">&lt;/jaxws:client&gt;</span>

<span class="code-tag">&lt;/beans&gt;</span>
</pre>
</div></div>

<p>For the jaxws:client's <em>name</em> attribute above, use the namespace
of the WSDL along with the <em>name</em> attribute of the desired wsdl:port element
under the WSDL's service section. (See <a href="http://tinyurl.com/yatskw4" class="external-link"
rel="nofollow">here</a> and <a href="http://tinyurl.com/y9e7rjf" class="external-link"
rel="nofollow">here</a> for an example.)</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;beans xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
   <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>
   <span class="code-keyword">xmlns:jaxws</span>=<span class="code-quote">"http://cxf.apache.org/jaxws"</span>
   xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
   http://cxf.apache.org/jaxws
   http://cxf.apache.org/schemas/jaxws.xsd"&gt;

   &lt;jaxws:endpoint
      id=<span class="code-quote">"MyService"</span>
      address=<span class="code-quote">"https://localhost:9001/MyService"</span>
      serviceName=<span class="code-quote">"interop:MyService"</span>
      endpointName=<span class="code-quote">"interop:MyServiceEndpoint"</span>
      implementor=<span class="code-quote">"com.foo.MyService"</span>&gt;

      <span class="code-tag">&lt;jaxws:properties&gt;</span>
         &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>
             value=<span class="code-quote">"interop.client.UTPasswordCallback"</span>/&gt;
         &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>
             value=<span class="code-quote">"etc/keystore.properties"</span>/&gt;
         &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>
             value=<span class="code-quote">"etc/truststore.properties"</span>/&gt;
         &lt;entry key=<span class="code-quote">"ws-security.encryption.username"</span>
             value=<span class="code-quote">"useReqSigCert"</span>/&gt;
      <span class="code-tag">&lt;/jaxws:properties&gt;</span>

   <span class="code-tag">&lt;/jaxws:endpoint&gt;</span>
<span class="code-tag">&lt;/beans&gt;</span>
</pre>
</div></div>

<p>See this <a href="http://www.jroller.com/gmazza/entry/cxf_x509_profile_secpol"
class="external-link" rel="nofollow">blog entry</a> for a more end-to-end example
of using WS-SecurityPolicy with X.509 keys.</p>

<h4><a name="WS-SecurityPolicy-ConfiguringviaAPI%27s"></a>Configuring via
APIs</h4>

<p>Configuring the properties for the client just involves setting the properties in
the client's RequestContext:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
Map&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt;
ctx = ((BindingProvider)port).getRequestContext();
ctx.put(<span class="code-quote">"ws-security.encryption.properties"</span>, properties);
port.echoString(<span class="code-quote">"hello"</span>);
</pre>
</div></div>
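<p>As an added example (not code from the CXF documentation or the CXF project), the following class pulls the properties from the tables above together on the client side: it is the CallbackHandler that "ws-security.callback-handler" points at, and its <em>configure</em> method fills the RequestContext the way the jaxws:client Spring fragment does, using a Crypto object for signature and a Properties object for encryption. The class name, aliases, keystore paths, environment variable names and the subject-DN pattern are hypothetical; the Merlin property keys are the WSS4J 1.x ones belonging to the org.apache.ws.security packages this page links to.</p>

```java
import java.io.IOException;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;

import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;

/**
 * Hypothetical client-side configuration: the class itself is the CallbackHandler that
 * "ws-security.callback-handler" points at, and configure() fills the RequestContext
 * with the remaining properties from the tables on this page.
 */
public class ClientSecurityConfig implements CallbackHandler {

    // Hypothetical aliases; passwords come from the environment rather than from source.
    private static final String CLIENT_KEY_ALIAS = "clientkeyalias";
    private static final String SERVICE_KEY_ALIAS = "servicekeyalias";
    private static final String UT_USER = "alice";

    /** WSS4J calls this for key passwords (signature/decryption) and the UsernameToken password. */
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            switch (pc.getUsage()) {
            case WSPasswordCallback.SIGNATURE:
            case WSPasswordCallback.DECRYPT:
                // Release the private-key password only for the alias this client owns.
                if (CLIENT_KEY_ALIAS.equals(pc.getIdentifier())) {
                    pc.setPassword(System.getenv("CLIENT_KEY_PASSWORD"));
                }
                break;
            case WSPasswordCallback.USERNAME_TOKEN:
                // Consulted instead of "ws-security.password" when a UsernameToken is required.
                if (UT_USER.equals(pc.getIdentifier())) {
                    pc.setPassword(System.getenv("ALICE_PASSWORD"));
                }
                break;
            default:
                break; // any other usage is left unanswered, so WSS4J fails the operation
            }
        }
    }

    /** WSS4J 1.x Merlin (JKS) Crypto properties, the same keys a *.properties file would hold. */
    static Properties merlinProperties(String keystoreFile, String storePassword, String alias) {
        Properties p = new Properties();
        p.setProperty("org.apache.ws.security.crypto.provider",
                      "org.apache.ws.security.components.crypto.Merlin");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.file", keystoreFile);
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", storePassword);
        p.setProperty("org.apache.ws.security.crypto.merlin.keystore.alias", alias);
        return p;
    }

    /** Equivalent of the jaxws:client Spring configuration, done through the RequestContext. */
    public static void configure(Object port) throws Exception {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put("ws-security.username", UT_USER);
        ctx.put("ws-security.callback-handler", new ClientSecurityConfig());

        // Signature: hand over a ready Crypto object ("programmatic" configuration) rather
        // than a properties file; ws-security.signature.properties is then not consulted.
        Crypto signatureCrypto = CryptoFactory.getInstance(merlinProperties(
                "etc/client.jks", System.getenv("CLIENT_STORE_PASSWORD"), CLIENT_KEY_ALIAS));
        ctx.put("ws-security.signature.crypto", signatureCrypto);
        ctx.put("ws-security.signature.username", CLIENT_KEY_ALIAS);

        // Encryption: the service certificate sits in a truststore, passed as a Properties object.
        ctx.put("ws-security.encryption.properties", merlinProperties(
                "etc/service-trust.jks", System.getenv("TRUST_STORE_PASSWORD"), SERVICE_KEY_ALIAS));
        ctx.put("ws-security.encryption.username", SERVICE_KEY_ALIAS);

        // "Other properties": accept signatures only from a certificate whose subject DN matches
        // this (hypothetical) pattern, keep BSP 1.1 checks on, and allow a Created time up to
        // 60 seconds in the future to absorb clock skew instead of disabling the check entirely.
        ctx.put("ws-security.subject.cert.constraints", ".*CN=MyService,O=Example.*");
        ctx.put("ws-security.is-bsp-compliant", "true");
        ctx.put("ws-security.timestamp.futureTimeToLive", "60");
    }
}
```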
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/WS-SecurityPolicy">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=112639&revisedVersion=20&originalVersion=19">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
