cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dennis Sosnoski <>
Subject Re: Best practice of using external WS-Policy files with CXF?
Date Tue, 19 Nov 2013 11:26:01 GMT
Hi Sam,

This page discusses how policies are defined in CXF: It sounds like 
you want to use the "Dynamically via message property" option discussed 
at the bottom of the page. There's example code for this here: I 
haven't tried it out, but it looks reasonable.

There have also been several discussions of this one the mailing list, 


   - Dennis

Dennis M. Sosnoski
Java Web Services Consulting <>
CXF and Web Services Security Training 
Web Services Jump-Start <>

On 11/20/2013 12:01 AM, Sam wrote:
> Hi all,
> I found many sample policy files within 
> /apache-cxf-2.7.6-src/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j

> that don't use wsu:Id attribute at all in <wsp:Policy>, i.e. 
> <wsp:Policy wsu:Id="test_policy">.
> This implies the WSDL doesn't even need to use <wsp:PolicyReference> 
> to use them. Instead these policy files use something like the 
> following to refer to parts of WSDL.
>       <sp:SignedParts>
>         <sp:Body/>
>         <sp:Header Name="Header" Namespace=""/>
>       </sp:SignedParts>
>       <sp:SignedParts>
>         <sp:Body/>
>         <sp:Header Namespace=""/>
>       </sp:SignedParts>
>         or use xpath like
>     <sp:EncryptedElements>
>         <sp:XPath>//soap:Body</sp:XPath>
>       </sp:EncryptedElements>
>        <sp:SignedElements>
>         <sp:XPath>//ser:Header</sp:XPath>
>       </sp:SignedElements>
> So just to confirm, is CXF capable of applying these reusable, 
> external WS-Policy files to WSDL at runtime without modifying WSDL to 
> use <wsp:PolicyReference>?
> What is the best practice of applying external WS-Policy files with CXF?
> I see no need to use <wsp:PolicyAttachment> at all if the above 
> approach work for CXF. <wsp:PolicyAttachment> seems much less flexisble.
> All the CXF examples and forum discussions I read seem to suggest it's 
> best to embed policy within WSDL but I can't see CONs of useing 
> external WS-Policy files like above.
> What am I trying to do? I read the link 
> and try to implement a WS client that can apply WS-Policy dynamically 
> at run time  without touching WSDL.
> Thanks in advance,
> Sam

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message