cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glen Mazza <glen.ma...@gmail.com>
Subject Need clarification on the WS-SecurityPolicy documentation
Date Thu, 12 Nov 2009 12:46:25 GMT

Hello, a sentence in the CXF docs I believe I had placed in a while back I
would like to confirm--for the two code examples here:

http://cwiki.apache.org/CXF20DOC/ws-securitypolicy.html#WS-SecurityPolicy-ConfiguringviaSpring

The sentence in question is:  "The properties are easily configured as
client or endpoint properties--use the latter for web service provider
configuration:"

Just to confirm:

1.) The *upper* code example is *only* for SOAP clients and not web service
providers

2.) Is the *lower* code example *only* for web service providers, or can it
be equally used for both provider and client--also, if both, does the lower
example provide any advantage over the upper one when configuring a client?

(I *might* have asked (1) and (2) before I placed that sentence in the docs;
if so, pardon my duplication!)

3.) The *lower* code example is currently somewhat nonsensical for web
service providers, because it has an "ws-security.username" entry--that
would normally only be for a client supplying a password, correct?

4.) The "ws-security.callback-handler" entry seems to have two usages:  For
the client-side, it is to supply the password but for the service-side, it
is to validate the supplied password, correct?  If so, this would seem to be
confusing and suboptimal, if:

--- 1.) A web service provider could need to supply both a password (perhaps
if forwarding to another web service call) *and* validate a password--is
that a realistic scenario not presently supported by our configuration?

--- 2.) Architecturally, WSS4J may be moving away from using callback
handlers to validate passwords
(https://issues.apache.org/jira/browse/WSS-183) -- would it not be better to
have a separate property, say "ws-security.password-validator" or
".authentication-validator" or whatever, strictly for validating passwords,
and letting "ws-security.callback-handler" just be for providing passwords
(or other authentication data)?

Thanks,
Glen

-- 
View this message in context: http://old.nabble.com/Need-clarification-on-the-WS-SecurityPolicy-documentation-tp26318049p26318049.html
Sent from the cxf-dev mailing list archive at Nabble.com.


Mime
View raw message