cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Fred Dushin <>
Subject Re: Any work on WS-SecurityPolicy done?
Date Tue, 10 Jun 2008 14:59:06 GMT
I've done some experimentation in this area.

I can say that the WS-SecurityPolicy schema compiles without any  
problems in CXF, for a start.  There may be issues with duplicated  
types that are generated, which you might be able to circumvent with  
the JAXB compiler, but I haven't looked into doing that.

I have not done any client-side work, on interpreting policy.  I have,  
however, experimented with some server-side policy work, where the CXF  
policy framework can be used for enforcement of declared policy.

The policy framework in general works pretty well for this, though  
SergeyB has done some work to fix up some of the implementation in 2.1  
-- I think there may still be some holes in the 2.0 fixes branch.

I also found that dealing with JAXB policy assertions can get pretty  
hairy, for at least the following reasons:

  * WS-Policy elements are of type any
  * Many WS-SecurityPolicy element types are any, as well, though many  
of the subtypes are /intended/ to be nested WS-Policy expressions
  * The JAX-B Assertion<T> base type has convenience methods for  
getting an unmarshaller, but it needs to be fixed to allow insertion  
of other schemata or Java namespaces
  * The CXF policy framework does not currently handle nested policy  
assertions as well as it could, though it may work for nested policies  
that are all primitive types (no attributes or embedded elements)

After having tried to do this, I am of the opinion that using WS- 
SecurityPolicy for server-side configuration is more complex than it  
needs to be, both for the implementor and for the user, who has to  
deal with authoring the policies.  It's do-able, but I don't think  
it's usable.

WS-SecurityPolicy support is a lot useful on the client side -- I  
think that's where it's needed the most.  Additionally, I think we  
need some sort of mechanism for publishing policy in CXF -- a  
"PolicyPublish" plugin, if you will.  That would allow services that  
have defined implicit policies through internal configuration (e.g.,  
via a cxf:feature) to express the parts of that configuration that  
would be of interest to clients, so that the policies could be  
published through, say, a ...?wsdl query.


On Jun 8, 2008, at 7:11 PM, Glen Mazza wrote:

> Hello,
> Does CXF 2.1 have any work done yet on WS-SecurityPolicy[1]?  If  
> not, is
> there a incremental how-to-eat-an-elephant way of implementing it?   
> I'm
> quite pressed for time unfortunately and am certainly not the most
> technical developer on the team so anything other than all-or-nothing
> might help this get implemented.
> What I'm thinking is perhaps just getting CXF to validate the Security
> Policy WSDL, even if it would presently be ignored; then, implementing
> various parts of it based on usage demand, user patches and time
> constraints.
> What I'm seeing is that we already have WS-Policy implemented, at  
> least
> for WSDL-first, and that WS-Addressing and WS-ReliableMessage are
> already implemented child elements of WS-Policy.  Am I correct here?
> And are those child elements of WS-Policy already checked for schema
> validation?  There may already be code in CXF for WS-RM and
> WS-Addressing that may point to how WS-SecurityPolicy should be
> implemented.
> Thanks,
> Glen
> [1]

View raw message