ws-security and javascript

[Vassilis Virvilis <v....@biovista.com>]

Hello everybody,

We are evaluating the use of CXF directly in the browser and we have the 
following problem.

Some of our services are WS-security enabled. For these services we 
cannot get the http://server/service?js auto-generated script to produce 
any proxies to our services. For the non WS-security enabled everything 
works.

We looked all over the web but we didn't find a way to configure the 
WSS4JOutInterceptor for the javascript client. Is this a known 
limitation? Is it possible to use javascript and WS-security at all? We 
are currently using 2.3.3 but we are considering upgrading if that would 
help.

Thanks in advance

-- 

__________________________________

Vassilis Virvilis Ph.D.
Head of IT
Biovista Inc.

US Offices
2421 Ivy Road
Charlottesville, VA 22903
USA
T: +1.434.971.1141
F: +1.434.971.1144

European Offices
34 Rodopoleos Street
Ellinikon, Athens 16777
GREECE
T: +30.210.9629848
F: +30.210.9647606

www.biovista.com

Biovista is a privately held biotechnology company that finds novel uses 
for existing drugs, and profiles their side effects using their 
mechanism of action. Biovista develops its own pipeline of drugs in CNS, 
oncology, auto-immune and rare diseases. Biovista is collaborating with 
biopharmaceutical companies on indication expansion and de-risking of 
their portfolios and with the FDA on adverse event prediction.

Re: ws-security and javascript

[Vassilis Virvilis <v....@biovista.com>]

Hello Dan,

Thanks for the quick reply. I have a note and a question.

On 01/08/2012 10:13 μμ, Daniel Kulp wrote:
> On Wednesday, August 01, 2012 12:10:45 PM Vassilis Virvilis wrote:

>> We looked all over the web but we didn't find a way to configure the
>> WSS4JOutInterceptor for the javascript client. Is this a known
>> limitation? Is it possible to use javascript and WS-security at all?
>
> No.  At this time, the javascript clients really just support basic
> soap/http services.
>
> Dan
>

Note: Looking at the documentation we found the page
http://cxf.apache.org/docs/javascript-client-limitations.html mentioning
"""
No Authentication

Hypothetically, the XMLHttpRequest object in the browsers supports 
authentication. The utilities do not expose this support.
"""

We thought (actually hoped) that the documentation was referring to 
Webserver http/https authentication and not to the ws-security. Or it is 
both?. In my opinion the documentation should explicitly mention 
ws-security in the limitations of the javascript client.

If you think it is worthy I could file a documentation bug with a 
suggested wording...

Question:
What is the scope of the work for this feature? How hard is to be done? 
Is it blocked by other parts of cxf? From where one should start? 
org/apache/cxf/javascript? Are there implications in other parts of cxf?

Again If you think it is proper I could file a bug for the missing 
functionality.

Thanks again

-- 

__________________________________

Vassilis Virvilis Ph.D.
Head of IT
Biovista Inc.

US Offices
2421 Ivy Road
Charlottesville, VA 22903
USA
T: +1.434.971.1141
F: +1.434.971.1144

European Offices
34 Rodopoleos Street
Ellinikon, Athens 16777
GREECE
T: +30.210.9629848
F: +30.210.9647606

www.biovista.com

Biovista is a privately held biotechnology company that finds novel uses 
for existing drugs, and profiles their side effects using their 
mechanism of action. Biovista develops its own pipeline of drugs in CNS, 
oncology, auto-immune and rare diseases. Biovista is collaborating with 
biopharmaceutical companies on indication expansion and de-risking of 
their portfolios and with the FDA on adverse event prediction.

Re: ws-security and javascript

[Daniel Kulp <dk...@apache.org>]

On Wednesday, August 01, 2012 12:10:45 PM Vassilis Virvilis wrote:
> Hello everybody,
> 
> We are evaluating the use of CXF directly in the browser and we have the
> following problem.
> 
> Some of our services are WS-security enabled. For these services we
> cannot get the http://server/service?js auto-generated script to produce
> any proxies to our services. For the non WS-security enabled everything
> works.
> 
> We looked all over the web but we didn't find a way to configure the
> WSS4JOutInterceptor for the javascript client. Is this a known
> limitation? Is it possible to use javascript and WS-security at all? 

No.  At this time, the javascript clients really just support basic 
soap/http services.

Dan


> We
> are currently using 2.3.3 but we are considering upgrading if that would
> help.
> 
> Thanks in advance
-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com