I've done some experimentation in this area.
I can say that the WS-SecurityPolicy schema compiles without any
problems in CXF, for a start. There may be issues with duplicated
types that are generated, which you might be able to circumvent with
the JAXB compiler, but I haven't looked into doing that.
I have not done any client-side work, on interpreting policy. I have,
however, experimented with some server-side policy work, where the CXF
policy framework can be used for enforcement of declared policy.
The policy framework in general works pretty well for this, though
SergeyB has done some work to fix up some of the implementation in 2.1
-- I think there may still be some holes in the 2.0 fixes branch.
I also found that dealing with JAXB policy assertions can get pretty
hairy, for at least the following reasons:
* WS-Policy elements are of type any
* Many WS-SecurityPolicy element types are any, as well, though many
of the subtypes are /intended/ to be nested WS-Policy expressions
* The JAX-B Assertion<T> base type has convenience methods for
getting an unmarshaller, but it needs to be fixed to allow insertion
of other schemata or Java namespaces
* The CXF policy framework does not currently handle nested policy
assertions as well as it could, though it may work for nested policies
that are all primitive types (no attributes or embedded elements)
After having tried to do this, I am of the opinion that using
WS-SecurityPolicy for server-side configuration is more complex than it
needs to be, both for the implementor and for the user, who has to
deal with authoring the policies. It's do-able, but I don't think
it's usable.
WS-SecurityPolicy support is a lot more useful on the client side -- I
think that's where it's needed the most. Additionally, I think we
need some sort of mechanism for publishing policy in CXF -- a
"PolicyPublish" plugin, if you will. That would allow services that
have defined implicit policies through internal configuration (e.g.,
via a cxf:feature) to express the parts of that configuration that
would be of interest to clients, so that the policies could be
published through, say, a ...?wsdl query.
-Fred
On Jun 8, 2008, at 7:11 PM, Glen Mazza wrote:
Hello,
Does CXF 2.1 have any work done yet on WS-SecurityPolicy[1]? If not, is
there an incremental how-to-eat-an-elephant way of implementing it? I'm
quite pressed for time unfortunately and am certainly not the most
technical developer on the team so anything other than all-or-nothing
might help this get implemented.
What I'm thinking is perhaps just getting CXF to validate the Security
Policy WSDL, even if it would presently be ignored; then, implementing
various parts of it based on usage demand, user patches and time
constraints.
What I'm seeing is that we already have WS-Policy implemented, at least
for WSDL-first, and that WS-Addressing and WS-ReliableMessage are
already implemented child elements of WS-Policy. Am I correct here?
And are those child elements of WS-Policy already checked for schema
validation? There may already be code in CXF for WS-RM and
WS-Addressing that may point to how WS-SecurityPolicy should be
implemented.
Thanks,
Glen
[1] http://tinyurl.com/5vq25v