4 Replies Latest reply on Mar 26, 2010 10:38 AM by sdf sdf

    WS Security Policy

    sdf sdf Newbie

      I was wondering does the cxfse or cxfbc support ws security policy w/ a password callback instead of wss4j interceptors method?  And where would I place the callback at the se or bc?  An example would be much appreciated, since I'm a total noob at this.  I've done a cxf jaxws with ws-security policy, but with all the spring tags they really don't match well with the cxfse stuff. 

       

      Thanks

        • 1. Re: WS Security Policy
          Freeman(Yue) Fang Master

          Hi,

           

          You can only configure the policy through cxf bc. As Binding Component is the place to handle external protocol (ws-security over soap in this case).

           

          Cxf Se is inside JBI container and there's no such concept of ws-security.

           

          Freeman

          • 2. Re: WS Security Policy
            sdf sdf Newbie

            I figured it was something like that. So I have to configure an inInterceptor for the BC, right?   Also do you know of what is the general practice of passing along the credentials from ws-security to the SE, or how can the SE retrieve the username?

             

            Thanks

            • 3. Re: WS Security Policy
              Freeman(Yue) Fang Master

              Hi,

               

              You can configure interceptors on cxf bc endpoint directly or configure it in a cxf configuration file, same as you do for standalone cxf, and pass this file as busCfg attribute for cxf bc endpoint.

               

              Generally we delegate the wss4j UsernameToken auth to smx jaas service, so that you can configure which user can access which endpoint in smx, you may need take a look at cxf-ws-security example shipped with FUSE ESB 3.x.

               

              Freeman

              • 4. Re: WS Security Policy
                sdf sdf Newbie

                Oh man, its getting crazy complicated now.  We're trying to do WS-Security Policy, which i thought was different from just WS-Security as it doesn't use WSS4JInterceptors, and seems much more intuitive and simpler.  We're also deploying on 4.x, which doesn't have the sample ws-security sample. go figure.