Posted to dev@cxf.apache.org by Sergey Beryozkin <se...@iona.com> on 2007/12/20 19:08:02 UTC

Automatic publication of ws-policy expressions

Hi

A number of CXF users have come across some limitations of its policy engine which prevent them from
meeting otherwise expected results.
Particularly, what users expect from WS-Policy expressions is to set them up on the server side and have client runtimes reuse them as appropriate.

Two issues are on the top of the list.
1. Policy engine needs to be explicitly enabled - this one should be simple to fix

2. Policies do not automatically get published

There're two cases here.

2.a Java-first development
2.b Contract-first, WSDL is already there, policies are defined elsewhere

For the purpose of the publication of policy expressions I'd like to consider the 2 cases to be equivalent.
In both cases an issue of privacy may arise, that is, is a given policy expression safe to be published?

When discussing WS-SecurityPolicy, I thought we agreed in principle that one way to solve the issue of privacy is to
not put the sensitive configuration into the policy expressions but into features and then the runtime would merge the information appropriately. Thus the WSDL Publisher would not be concerned about leaking some sensitive data.

Another approach would be to mark sensitive policy expressions with an attribute like 'private'. There was a concern expressed about solutions like this one. 

As far as the actual publication is concerned, I thought it would be a matter of policy components registering themselves as extensors with given WSDL nodes like wsdl:service, wsdl:service/wsdl:ports, etc.

Thoughts ?

Thanks, Sergey

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland

RE: Automatic publication of ws-policy expressions

Posted by "Beryozkin, Sergey" <Se...@iona.com>.
Hi,

I reckon that individual policy components can decide for themselves,
so for ex, security policy components can ensure that they don't leak
some well-known sensitive info, when asked to publish...

I haven't started on WS-SecurityPolicy but I'm hoping that we'll see
some work on enhancing the core policy engine done soon, for the engine
to be ready to deal with WS-SecurityPolicy :-)

Merry Christmas to everyone
Cheers, Sergey 

-----Original Message-----
From: Dan Diephouse [mailto:dan.diephouse@mulesource.com] 
Sent: 22 December 2007 07:50
To: cxf-dev@incubator.apache.org
Subject: Re: Automatic publication of ws-policy expressions

Sergey Beryozkin wrote:
> Hi
>
> A number of CXF users have come across some limitations of its policy engine which prevent them from
> meeting otherwise expected results.
> Particularly, what users expect from WS-Policy expressions is to set them up on the server side and have client runtimes reuse them as appropriate.
>
> Two issues are on the top of the list.
> 1. Policy engine needs to be explicitly enabled - this one should be simple to fix
>
> 2. Policies do not automatically get published
>
> There're two cases here.
>
> 2.a Java-first development
> 2.b Contract-first, WSDL is already there, policies are defined elsewhere
>
> For the purpose of the publication of policy expressions I'd like to consider the 2 cases to be equivalent.
> In both cases an issue of privacy may arise, that is, is a given policy expression safe to be published?
>
> When discussing WS-SecurityPolicy, I thought we agreed in principle that one way to solve the issue of privacy is to
> not put the sensitive configuration into the policy expressions but into features and then the runtime would merge the information appropriately. Thus the WSDL Publisher would not be concerned about leaking some sensitive data.
>
> Another approach would be to mark sensitive policy expressions with an attribute like 'private'. There was a concern expressed about solutions like this one.
>
> As far as the actual publication is concerned, I thought it would be a matter of policy components registering themselves as extensors with given WSDL nodes like wsdl:service, wsdl:service/wsdl:ports, etc.
>
> Thoughts ?
>

I think I agree that we should out attach to the WSDL. We should have 
some sort of blacklisting mechanism though for policy expressions which 
are private. By default, we should never allow publishing of security 
info (the user shouldn't have to set private=false, it should just never 
show). We should also allow the private=false mechanism.

Have you started work on WS-SecPol? I'm still wishing I had some cycles 
to devote to this...

- Dan

-- 
Dan Diephouse
MuleSource
http://mulesource.com | http://netzooid.com/blog


Re: Automatic publication of ws-policy expressions

Posted by Dan Diephouse <da...@mulesource.com>.
Sergey Beryozkin wrote:
> Hi
>
> A number of CXF users have come across some limitations of its policy engine which prevent them from
> meeting otherwise expected results.
> Particularly, what users expect from WS-Policy expressions is to set them up on the server side and have client runtimes reuse them as appropriate.
>
> Two issues are on the top of the list.
> 1. Policy engine needs to be explicitly enabled - this one should be simple to fix
>
> 2. Policies do not automatically get published
>
> There're two cases here.
>
> 2.a Java-first development
> 2.b Contract-first, WSDL is already there, policies are defined elsewhere
>
> For the purpose of the publication of policy expressions I'd like to consider the 2 cases to be equivalent.
> In both cases an issue of privacy may arise, that is, is a given policy expression safe to be published?
>
> When discussing WS-SecurityPolicy, I thought we agreed in principle that one way to solve the issue of privacy is to
> not put the sensitive configuration into the policy expressions but into features and then the runtime would merge the information appropriately. Thus the WSDL Publisher would not be concerned about leaking some sensitive data.
>
> Another approach would be to mark sensitive policy expressions with an attribute like 'private'. There was a concern expressed about solutions like this one. 
>
> As far as the actual publication is concerned, I thought it would be a matter of policy components registering themselves as extensors with given WSDL nodes like wsdl:service, wsdl:service/wsdl:ports, etc.
>
> Thoughts ?
>   

I think I agree that we should out attach to the WSDL. We should have 
some sort of blacklisting mechanism though for policy expressions which 
are private. By default, we should never allow publishing of security 
info (the user shouldn't have to set private=false, it should just never 
show). We should also allow the private=false mechanism.

Have you started work on WS-SecPol? I'm still wishing I had some cycles 
to devote to this...

- Dan

-- 
Dan Diephouse
MuleSource
http://mulesource.com | http://netzooid.com/blog
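
The publication rule discussed in this thread (security assertions withheld by default, an explicit 'private' marker honoured in both directions), sketched as an added example that is not CXF code and was not posted by anyone in the thread. It uses only the JDK's DOM API; the marker namespace `urn:example:publication`, the class name and the sample policy are assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class PolicyPublicationFilter {
    // WS-SecurityPolicy 1.1 and 1.2 namespaces: withheld unless explicitly released.
    static final Set<String> WITHHELD_NS = Set.of(
        "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
        "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702");
    // Hypothetical namespace for the 'private' marker attribute (assumption).
    static final String MARK_NS = "urn:example:publication";

    // Removes unpublishable children of parent before the policy is attached to
    // the WSDL. 'released' is inherited from an ancestor marked private="false".
    static void strip(Element parent, boolean released) {
        List<Element> kids = new ArrayList<>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element) kids.add((Element) n);
        for (Element kid : kids) {
            String mark = kid.getAttributeNS(MARK_NS, "private");
            boolean ok = "false".equals(mark) || released;
            if ("true".equals(mark) || (!ok && WITHHELD_NS.contains(kid.getNamespaceURI()))) {
                parent.removeChild(kid);                   // explicitly private, or default deny
            } else {
                kid.removeAttributeNS(MARK_NS, "private"); // the marker itself is not published
                strip(kid, ok);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample policy, not taken from CXF; ex:InternalRouting is made up.
        String xml = "<wsp:Policy xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'"
            + " xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'"
            + " xmlns:wsam='http://www.w3.org/2007/05/addressing/metadata'"
            + " xmlns:ex='urn:example:internal' xmlns:pub='urn:example:publication'>"
            + "<wsam:Addressing/><sp:TransportBinding/>"
            + "<sp:SignedParts pub:private='false'/>"
            + "<ex:InternalRouting pub:private='true'/></wsp:Policy>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // namespace-aware parsing is required for the checks above
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Element root = d.getDocumentElement();
        strip(root, false);
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling())
            System.out.println(n.getNodeName());  // names of the assertions left to publish
    }
}
```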