geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: WS-Security support for JAX-WS Web Services
Date Mon, 11 May 2009 23:16:46 GMT

On May 11, 2009, at 3:24 PM, rahul.soa wrote:

> Hello everyone,
> As you know I am working on the support of ws-security module, so I  
> did some research about integrating the modules in Apache Geronimo  
> for the same.
> For the integrating/enabling WS-Security support, I think we need to  
> have the following jars and modules in Geronimo:
> Apache CXF:
> For WS-Security support we need to have following jar files from the  
> CXF:
> - bcprov-jdk15.jar

Previously when we used some bouncy castle classes the jar included  
some classes that may well have infringed some us patents.  I think I  
saw somewhere that bouncy castle had finally released a jar without  
thses classes.  We should verify that this jar does not contain these  
classes.  Also, we have copies of a bunch of the bc classes we need  
for other purposes in the geronimo-crypto module, so we should check  
that we don't already have the needed classes.
> - xalan.jar

really?  I'd like to know why the xml transform support in the jdk is  
not sufficient.
> - serializer.jar
> - wss4j.jar
> - xmlsec.jar
> Apache Axis2
> 1. We need to integrate "Rampart*" module of axis2,
> 2. for step 1, need to download the Java Cryptography Extension  
> (JCE) Unlimited Strength Jurisdiction Policy Files corresponding to  
> JDK version and extract the jar files local_policy.jar and  
> US_export_policy.jar to $JAVA_HOME/jre/lib/security

These are not something we can include, right?  they'd have to be  
installed by the end user?
> 3. for step 1, need to download bouncycastle according to java  
> version separately
> *Rampart is the security module of Axis2
> Please let me know if I am missing something and please also guide  
> me how can I get them in Geronimo.

That depends partly on the classloader relationships needed between  
the main cxf/axis2 jars and these new ones.  If appropriate cxf/axis2  
jars and these jars can be in a classloader that is a child of the cxf/ 
axis2 "main" plugin classloaders, you should probably make cxf-wss and  
axis2-wss plugins with all the security related jars as dependencies.   
If this doesn't work and the classes need to be in the main cxf/axis2  
plugin classloader then you probably need to just add these as  

david jencks

> Thanks in advance.
> Regards,
> Rahul

View raw message