
List:       jboss-user
Subject:    [jboss-user] [JBoss Web Services] - Re: WS-Security without Spring, without WS-Policy and without th
From:       Alessio Soldano <do-not-reply () jboss ! com>
Date:       2012-07-31 15:53:51
Message-ID: 2-751071-3-2338-1343680166143-2-751283-3-3973-1343750022562.jivesbs.jivemailuser () https://community ! jboss ! org


Alessio Soldano [https://community.jboss.org/people/asoldano] created the discussion

"Re: WS-Security without Spring, without WS-Policy and without the CXF annotations?"

To view the discussion, visit: https://community.jboss.org/message/751283#751283

--------------------------------------------------------------
> Matt Wringe wrote:
> 
> I know (and mentioned) those configuration options in my original post :) As
> mentioned:
> 
> 1) we can't use ws-policy since it's against the wsrp spec
> 
> 2) adding annotations to add in interceptors means that our purely jax java service
> classes now have to become dependent on cxf (which doesn't make a lot of sense
> since we have to support non-cxf based web services, and we also want an admin to be
> able to enable/disable the interceptors themselves).

Quite frankly, I see and understand the need for avoiding implementation specific api
in endpoints (you might want to deploy the same archive on another vendor container),
but as hinted before that's probably simply not doable (especially without WS-Policy
support) with WS-Security. The reason basically being that there's no JCP spec
covering ws-security configuration, so you'll always need to use an implementation
specific configuration approach.

If the real need is actually with the admin wanting to enable/disable the cxf
interceptor without touching the code, you can go the spring descriptor way, after
having added spring libraries to the app server.

> 3) we don't want to have to bring in spring just to configure the web service. And
> this doesn't appear to be the preferred method of configuring jbossws (but it is the
> preferred way to configure cxf).

You don't want to bring in spring because it's just for configuration *or* you're
simply somehow confused by the fact jbossas/jbossws does not ship with / install
spring by default? If it's a matter of willing to avoid spring for ws configuration
only, I see what you mean (as a matter of fact jbossws has moved in this direction,
hence is not forcing the spring approach and encouraging the ws-policy based
approach), but when you have many other constraints like "wsrp does not support
policies", "I don't want to use cxf api", ... you need to come to a compromise and
use what is left ;-)

If it's a matter of you being confused on "what the preferred method is", keep in
mind that JBossWS suggests using the policy approach, but allows different methods if
you can't go that way. Apache CXF in general simply has multiple configuration
mechanisms and I can say that there's not an actual preference for the spring one as
of today, they're really all at the same level.


> The problem is how to configure the server. Using JBossWS Native stack I could just
> use the pre and post handlers to add in proper soap handlers for ws-security, this
> was simple and straightforward and configurable from an admin perspective. The
> ws-security setup could be handled outside of the service configuration (add in the
> options in the web.xml file to specify the endpoint config name and config file).
> It would be perfect if we could add in interceptors also in this manner, but this
> option doesn't seem to exist (which is strange since in cxf interceptors are the
> preferred method).

The client / endpoint pre-defined configurations can be used to add JAXWS handlers.
WS-Security was implemented using handlers in native stack. However it's not
implemented using jaxws handlers on cxf and we can't (and do not want to) change
that.

Any mechanism for allowing configuring a generic interceptor through descriptor
would basically imply re-inventing the spring configuration approach (a jaxws handler
definition is covered by jsr224/jsr109 specs instead). So again, either the user goes
the spring way if he really wants to have fine grain control on the interceptor beans
or he stays with the suggested configuration mechanism (policy engine + properties
through @EndpointConfig) *or* direct cxf api/annotation usage.


> It's strange that CXF is the preferred web service stack in JBossAS, and the
> preferred way to configure CXF is using Spring configuration files, but JBossAS
> doesn't ship or include Spring. So we can't properly configure web services the way
> they were meant to be configured.

Again, 1) it's not *the* way they're meant to be configured, just *one* of the
possible ways 2) you *can* still configure the ws endpoints that way if you want,
simply install Spring first (either using the jbossws build or manually copying the
spring jars into modules/org/springframework/spring/main and creating a valid
module.xml descriptor for the new module).
--------------------------------------------------------------







_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
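
Added example, not part of the original message and not JBossWS or CXF project code: a sketch of the "spring descriptor way" the reply describes, with the WS-Security inbound interceptor declared as a bean so it can be enabled or removed without changing the endpoint class. It assumes Spring is installed as a module as described above and that the descriptor is deployed as WEB-INF/jbossws-cxf.xml; the `org.example.wsrp` classes, the bean ids and the address are hypothetical.

```xml
<!-- WEB-INF/jbossws-cxf.xml (added example; class names, ids and address are hypothetical) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws
         http://cxf.apache.org/schemas/jaxws.xsd">

  <!-- WSS4J inbound interceptor declared as a plain bean: the WS-Security
       requirement lives in this descriptor, not in the service code. -->
  <bean id="wss4jIn"
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
      <map>
        <!-- Security action the incoming SOAP message must carry -->
        <entry key="action" value="UsernameToken"/>
        <!-- Hypothetical javax.security.auth.callback.CallbackHandler
             that supplies the expected password for the given user -->
        <entry key="passwordCallbackClass"
               value="org.example.wsrp.ServerPasswordCallback"/>
      </map>
    </constructor-arg>
  </bean>

  <!-- The implementor remains a plain JAX-WS class with no CXF imports
       or annotations; only the descriptor references CXF types. -->
  <jaxws:endpoint id="ExampleService"
                  implementor="org.example.wsrp.ExampleServiceImpl"
                  address="http://localhost:8080/example/ExampleService">
    <jaxws:inInterceptors>
      <ref bean="wss4jIn"/>
    </jaxws:inInterceptors>
  </jaxws:endpoint>

</beans>
```

Removing the `<jaxws:inInterceptors>` element turns the check off, so access to this descriptor should be controlled as tightly as access to the service code itself.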

