You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Will Gomes <wg...@umd.edu> on 2008/02/26 15:54:28 UTC
CXF Proxy and WS-Security
Is it possible with CXF to use single Proxy and be able to set the user
for UsernameToken before each invocation and be thread safe? All
examples I've seen so far sets the user on the interceptor once per
proxy. Can I specify callback for username, similar to the password?
Re: CXF Proxy and WS-Security
Posted by Will Gomes <wg...@umd.edu>.
Daniel Kulp wrote:
> On Tuesday 26 February 2008, Will Gomes wrote:
>
>> Is it possible with CXF to use single Proxy and be able to set the
>> user for UsernameToken before each invocation and be thread safe? All
>> examples I've seen so far sets the user on the interceptor once per
>> proxy. Can I specify callback for username, similar to the password?
>>
>
> Unforunately, at this point, the answer is no due to spec compliance
> issues. You can read some of the discussion about it in JIRA:
> https://issues.apache.org/jira/browse/CXF-1410
>
> We're kind of debating which direction to go:
> 1) A separate proprietary "getThreadRequestContext()" call on a
> proprietary interface.
>
> 2) A flag that would somehow flip the getRequestContext() call over to a
> thread safe variety.
>
> In either case, the behavoir would be proprietary to CXF as the spec (and
> TCK) more or less requires the non-thread safe behavior to be the
> default. :-(
>
> I'd be interesting in hearing your opinions on the matter.
>
>
Second solution seems more portable. Could the WSS4JOutInterceptor be
made to make a callback to a UsernameCallbackHandler to retreive the
username and add to the message context? I assume the message is thread
safe when in the InterceptorChain. Also, i'm not sure the purpose of
having a password callback (aside from keeping passwords out of
config/code) if there is no associated username callback handler.
Re: CXF Proxy and WS-Security
Posted by Daniel Kulp <dk...@apache.org>.
On Tuesday 26 February 2008, Will Gomes wrote:
> Is it possible with CXF to use single Proxy and be able to set the
> user for UsernameToken before each invocation and be thread safe? All
> examples I've seen so far sets the user on the interceptor once per
> proxy. Can I specify callback for username, similar to the password?
Unforunately, at this point, the answer is no due to spec compliance
issues. You can read some of the discussion about it in JIRA:
https://issues.apache.org/jira/browse/CXF-1410
We're kind of debating which direction to go:
1) A separate proprietary "getThreadRequestContext()" call on a
proprietary interface.
2) A flag that would somehow flip the getRequestContext() call over to a
thread safe variety.
In either case, the behavoir would be proprietary to CXF as the spec (and
TCK) more or less requires the non-thread safe behavior to be the
default. :-(
I'd be interesting in hearing your opinions on the matter.
--
J. Daniel Kulp
Principal Engineer, IONA
dkulp@apache.org
http://www.dankulp.com/blog