tags:

views:

149

answers:

1
Q: 

How to set WS-SecurityPolicy in an inbound CXF service in Mule?

When configuring the service for handling UsernameToken and signatures, it's setup like this:

<service name="serviceName">
  <inbound>
    <cxf:inbound-endpoint address="someUrl" protocolConnector="httpsConnector" >
      <cxf:inInterceptors>
        <spring:bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
        <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <spring:constructor-arg>
          <spring:map>
            <spring:entry key="action" value="UsernameToken Timestamp Signature" />
            <spring:entry key="passwordCallbackRef" value-ref="serverCallback" />
            <spring:entry key="signaturePropFile" value="wssecurity.properties" />
          </spring:map>
        </spring:constructor-arg>
        </spring:bean>
      </cxf:inInterceptors>
    </cxf:inbound-endpoint>
  </inbound>
</service>

But how is it possible to create a policy of what algorithms that are allowed, and what parts of the message that should be signed?

A: 

You'd have to ask the Mule folks. Last I checked, they hadn't moved to CXF 2.2.x yet. If they ARE on 2.2.x, you could use the WS-SecPol support built into CXF.

Daniel Kulp  2010-05-29 18:05:04
I think they've moved to CXF 2.2.x. But reading the description at http://cxf.apache.org/docs/ws-securitypolicy.html doesn't explain much how this is done.Although it does state that "WS-SecurityPolicy support is ONLY available for "WSDL first" scenarios". So I guess you have to manually define the security policy in the WSDL file, and then it's automatically applied as you use CXF to create the web service from that file.
Brakara  2010-06-01 18:43:45

related questions

Is WS-Security truly interoperable across platforms?
Connecting to WS-Security protected Web Service with PHP
Any good step by step tutorial to implement a secure token service with Java?
How to use Forms Auth when SSL is on a proxy in front of the IIS Farm (WCF) ?
JAX-WS Consuming web service with WS-Security and WS-Addressing
How do I build a secure webservice with .Net?
How do I add a <UsernameToken> header programatically to a SOAP message in JAX-WS?
How do you build an EAR with policy files included using WLS Ant Tasks?
How do you use TLS/SSL Http Authentication with a CXF client to a web service?
webservice using security UserNameToken
User/Pass Authentication using RESTful WCF & Windows Forms
Spring-WS: how to use WebserviceTemplate with pre-generated SOAP-envelope
how to protect the ws discovery ad hoc network from man-in-the-middle attacks
How to use WS-Security with EJB3 ?
Developing a secure WS client for consuming a Axis2 Web Service with Rampart WS Security module?
Standard web services v Secure web services
Using WCF to send a signed Request and receive an unsigned Response
TLS handshake event in Tomcat, is there something like that ?
Encryption of SOAP message in Axis 2
Specify parts of the header that have to be signed and/or encrypted in WCF with binding that support standards
How do I create a cold fusion web service client that uses ws-security?
Ruby and WS-Security
How can I authenticate using client credentials in WCF just once?
Calling .NET Web Service (WSE 2/3, WS-Security) from Java
Where can I find some good WS-Security introductions and tutorials?