Posted to users@cxf.apache.org by Brandon Richins <Br...@imail.org> on 2010/05/25 18:39:44 UTC

PolicyAttachment and address

Currently I use an external policy to apply security policies to the STS client.  It seems that the policy is applied based on a static endpoint address (http://cxf.apache.org/docs/how-it-works.html).  Since my environment will have a different STS address for production than development I would like to avoid separate policy files for each endpoint.  Is it possible to create the endpoint address based on the endpoint name instead of address like {http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityToken?  Is there a name for the {namespace}name notation used in CXF?  

I've included the start of an external policy showing a sample endpoint address.

<?xml version="1.0" encoding="UTF-8"?>
<attachments xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsa="http://www.w3.org/2005/08/addressing">
   <wsp:PolicyAttachment>
      <wsp:AppliesTo>
         <wsa:EndpointReference>
            <wsa:Address>https://dev-sts.foo.com/services/RequestSecurityToken</wsa:Address> 
         </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
         <wsp:ExactlyOne>
            <wsp:All>

Thanks,

Brandon Richins

Re: PolicyAttachment and address

Posted by Daniel Kulp <dk...@apache.org>.

At this point, there isn't a way to do this.   If you would like to pursue 
trying to create a patch to include this, the place to look would be:

rt/ws/policy/src/main/java/org/apache/cxf/ws/policy/attachment/external/EndpointReferenceDomainExpression.java

In there, you'll see a
boolean appliesTo(EndpointInfo ei)

that compares the address from the parsed EndpointReferenceType to the 
address in the EndpointInfo.   What you may be able to do is use our 
org.apache.cxf.wsdl.EndpointReferenceUtils
to pull potential ServiceName and portnames and such from the parsed 
EndpointReferenceType and compare them to the EndpointInfo and such to see if 
those would be applicable.     

Dan


On Tuesday 25 May 2010 12:39:44 pm Brandon Richins wrote:
> Currently I use an external policy to apply security policies to the STS
> client.  It seems that the policy is applied based on a static endpoint
> address (http://cxf.apache.org/docs/how-it-works.html).  Since my
> environment will have a different STS address for production than
> development I would like to avoid separate policy files for each endpoint.
>  Is it possible to create the endpoint address based on the endpoint name
> instead of address like
> {http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityToken? 
> Is there a name for the {namespace}name notation used in CXF?
> 
> I've included the start of an external policy showing a sample endpoint
> address.
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <attachments xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsa="http://www.w3.org/2005/08/addressing">
>    <wsp:PolicyAttachment>
>       <wsp:AppliesTo>
>          <wsa:EndpointReference>
>             <wsa:Address>https://dev-sts.foo.com/services/RequestSecurityToken</wsa:Address>
>          </wsa:EndpointReference>
>       </wsp:AppliesTo>
>       <wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>          xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>          <wsp:ExactlyOne>
>             <wsp:All>
> 
> Thanks,
> 
> Brandon Richins

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
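
The reply above describes attachment matching as a comparison between the wsa:Address in the file and the endpoint's address, so a file written for the dev STS attaches nothing to an endpoint at another address. The following is an added example, not code from the thread or from CXF: a pre-deployment check that parses an external attachment file and lists the endpoints that would receive no policy. It assumes exact string equality on the address; the closed-off sample XML and the prod address are constructed.

```python
import xml.etree.ElementTree as ET

WSA = "{http://www.w3.org/2005/08/addressing}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"

# Constructed sample: the fragment from the thread, closed so that it parses.
# The policy assertions are left empty because the post does not show them.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<attachments xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsa="http://www.w3.org/2005/08/addressing">
   <wsp:PolicyAttachment>
      <wsp:AppliesTo>
         <wsa:EndpointReference>
            <wsa:Address>https://dev-sts.foo.com/services/RequestSecurityToken</wsa:Address>
         </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
         <wsp:ExactlyOne><wsp:All/></wsp:ExactlyOne>
      </wsp:Policy>
   </wsp:PolicyAttachment>
</attachments>"""

# Constructed endpoint map; the prod address is hypothetical.
ENDPOINTS = {"dev": "https://dev-sts.foo.com/services/RequestSecurityToken",
             "prod": "https://prod-sts.foo.com/services/RequestSecurityToken"}

def local(tag):
    # ElementTree tags look like "{namespace}name"; keep only the name.
    return tag.rsplit("}", 1)[-1]

def parse_attachments(xml_text):
    """Return one (AppliesTo addresses, policy ids) pair per PolicyAttachment."""
    result = []
    for att in ET.fromstring(xml_text).iter():
        if local(att.tag) != "PolicyAttachment":
            continue
        applies = [c for c in att if local(c.tag) == "AppliesTo"]
        addresses = {a.text.strip() for c in applies
                     for a in c.iter(WSA + "Address") if a.text}
        ids = [p.get(WSU + "Id") for p in att if local(p.tag) == "Policy"]
        result.append((addresses, ids))
    return result

def policies_for(xml_text, endpoint_address):
    """Policy ids attached to an address (assumption: exact string match)."""
    return [pid for addrs, ids in parse_attachments(xml_text)
            if endpoint_address in addrs for pid in ids]

def unprotected(xml_text, endpoints):
    """Names of endpoints that no attachment in the file applies to."""
    return sorted(n for n, a in endpoints.items() if not policies_for(xml_text, a))
```

Calling `unprotected(SAMPLE, ENDPOINTS)` in a build or deployment step makes a missing attachment fail loudly rather than leaving the STS client configured without the security policy.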