cxf-dev mailing list archives

From "Sergey Beryozkin" <sergey.beryoz...@iona.com>
Subject RE: WS-SX
Date Mon, 24 Sep 2007 21:07:02 GMT
Oh yes, one more thing.

How can one express an 'or' combination using features, that is, how can one
do multiple alternatives, something one can easily do with policies:

<Policy>
  <All>
  </All>
  <All>
  </All>
</Policy>

Alternatives are targeted at a consumer. Multiple consumers can choose their
own alternatives and a provider will ensure it supports all the consumers.
Consumers may also have their policies, in which case they'll do the
intersection.
This clearly shows that WS-Policy is not about configuration only. Looking
at a WS-Policy language as the configuration option only is not correct. 
I don't want to push the message that using policies is the only true way to
go. I'd just like us to agree on a policy (:-)) when policies should be
applied.


Cheers, Sergey
 


-----Original Message-----
From: Sergey Beryozkin [mailto:sergey.beryozkin@iona.com] 
Sent: 24 September 2007 21:31
To: cxf-dev@incubator.apache.org
Subject: RE: WS-SX

I think we're over-blowing the problem a bit. Let's not get sidetracked into
hypothetical discussions on how dangerous it is to put private stuff into
policies. Rather let's come up with a set of practical guidelines on when to
use policies and features.

Another thing I'd like to avoid is to have some religious debate leading
nowhere. 

Dan, you said you wanted to support WS-SecurityPolicy because it was so
important for the enterprise. Now you're also saying that using features is
so much better from an API perspective.

I personally don't understand what your position is. I'm just confused. Can
you please clarify?

Do you want to support WS-SecurityPolicy by using a WS-Security feature? I don't
think it makes any sense but I'd like you to explain please.


Can you explain please what you mean by saying it's so much harder to set up
a service using a policy?

I'd also like to suggest that you think about the following:

* how can one satisfy a user's desire to attach capabilities to endpoints,
operations, and bindings using features
* how can a client avoid doing duplications like enabling MTOM on the
client side when using features
* how can a client perform intersection of capabilities using features


Thanks, Sergey  
  

-----Original Message-----
From: Dan Diephouse [mailto:dan.diephouse@mulesource.com] 
Sent: 24 September 2007 19:26
To: cxf-dev@incubator.apache.org
Subject: Re: WS-SX


Fred Dushin wrote:
> So, to summarize:
>
>  *) I disagree that specification of key material should be done 
> through WSDL and/or WS-Policy; that's not what it's for, and there is 
> a real risk of compromise of security-sensitive information this way
I agree that it's quite dangerous to put the security info in the policy. 
People will start emailing policies around or putting them in their 
repository without the proper security constraints. If there was 
significant simplification from a user's POV in doing this, I would 
probably support it. But as it stands, people are most likely going to 
have a separate policy file and configuration file anyway.
>  *) I am more inclined to view feature-based config as a kind of 
> simplification of policy-based config, and as a potential generator of 
> policy, which makes it complementary to policy, not orthogonal
>  *) I agree that in some small percentage of cases, we need to support 
> configuration of WS-SecurityPolicy directly, and at a low level, but 
> these cases fall below the 20% bar, and can certainly be exposed 
> through low-level config.
I completely agree here with Fred, and I thank him for taking the time 
to write this email which expresses my views better than I could have :-).

I especially would like people to consider the use case of using CXF 
from the API. It's much harder to set up a service to use WS-SX by 
building a policy document than it is to use a Feature.

- Dan

-- 
Dan Diephouse
MuleSource
http://mulesource.com | http://netzooid.com/blog

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
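
The alternatives and consumer-side intersection mentioned in the first message above, as an added example that is not part of the original thread and is not CXF code. It assumes policies in WS-Policy normal form (`Policy/ExactlyOne/All`), compares assertions by QName only (nested policies are ignored), and uses constructed sample policies.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
MTOM = "http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization"

# Constructed sample policies; each wsp:All is one alternative.
PROVIDER = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:m="{MTOM}">
  <wsp:ExactlyOne>
    <wsp:All><sp:TransportBinding/><m:OptimizedMimeSerialization/></wsp:All>
    <wsp:All><sp:AsymmetricBinding/></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""

CONSUMER = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:m="{MTOM}">
  <wsp:ExactlyOne>
    <wsp:All><sp:AsymmetricBinding/></wsp:All>
    <wsp:All><sp:SymmetricBinding/></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def alternatives(policy_xml):
    """Return each policy alternative as a list of assertion elements."""
    # For policies received from a peer, parse with a hardened XML parser.
    root = ET.fromstring(policy_xml)
    if root.tag != f"{{{WSP}}}Policy":
        raise ValueError("not a wsp:Policy document")
    choice = root.find(f"{{{WSP}}}ExactlyOne")
    if choice is None:
        raise ValueError("policy is not in normal form")
    return [list(alt) for alt in choice.findall(f"{{{WSP}}}All")]


def compatible(a, b):
    """Two alternatives are compatible when every assertion type in one
    also appears in the other, and vice versa (QName comparison only)."""
    return {e.tag for e in a} == {e.tag for e in b}


def intersect(provider_xml, consumer_xml):
    """Return the assertion QNames of every compatible alternative pair."""
    result = []
    for p in alternatives(provider_xml):
        for c in alternatives(consumer_xml):
            if compatible(p, c):
                result.append(sorted({e.tag for e in p + c}))
    return result
```

An empty result means the consumer and provider share no alternative, so the consumer has nothing it can use to talk to that endpoint.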