cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Will Gomes <>
Subject Re: CXF Proxy and WS-Security
Date Wed, 27 Feb 2008 17:34:52 GMT

Daniel Kulp wrote:
> On Tuesday 26 February 2008, Will Gomes wrote:
>> Is it possible with CXF to use single Proxy and be able to set the
>> user for UsernameToken before each invocation and be thread safe? All
>> examples I've seen so far sets the user on the interceptor once per
>> proxy.  Can I specify callback for username, similar to the password?
> Unforunately, at this point, the answer is no due to spec compliance 
> issues.    You can read some of the discussion about it in JIRA:
> We're kind of debating which direction to go:
> 1) A separate proprietary "getThreadRequestContext()" call on a 
> proprietary interface.
> 2) A flag that would somehow flip the getRequestContext() call over to a 
> thread safe variety.
> In either case, the behavoir would be proprietary to CXF as the spec (and 
> TCK) more or less requires the non-thread safe behavior to be the 
> default.   :-(
> I'd be interesting in hearing your opinions on the matter.
Second solution seems more portable.  Could the WSS4JOutInterceptor be 
made to make a callback to a UsernameCallbackHandler to retreive the 
username and add to the message context? I assume the message is thread 
safe when in the InterceptorChain. Also, i'm not sure the purpose of 
having a password callback (aside from keeping passwords out of 
config/code) if there is no associated  username callback handler.

View raw message