You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cxf.apache.org by "O. Baujard" <ol...@etat.ge.ch> on 2009/02/12 19:15:16 UTC

WS-SECURITY Interceptor configuration

Hi,

I have the following requirements in a projet :

- Create a Web Service (lets name it WS1) and in the service implementation,
call an other Web Service (lets name it WS2). So we have the call chain :
Client --> WS1 --> WS2
- WS1 and WS2 are secured with WS-SECURITY.
- WS-SECURITY must be placed at bus level --> it means in and out
interceptors for client and server are shared on the same bus because WS1 is
also a client of WS2.
- WS1 and WS2 are deployed on different Tomcat Servers.

For now, Client --> WS1 works well in my environment but now I want to add
WS1 --> WS2

What are the possible configurations, if it's possible ?
 
How to prevent in this architecture the "server side" outInterceptor to
place WS-SECURITY headers on the response to the "client side " ? 

Olivier
-- 
View this message in context: http://www.nabble.com/WS-SECURITY-Interceptor-configuration-tp21981733p21981733.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: WS-SECURITY Interceptor configuration

Posted by Tedman Leung <te...@sfu.ca>.

On the surface, I appear to be doing the same thing too.

I have 2 tomcats with 2 cxf installations where 

   client -> WS1 -> WS2 

and I'm using the cxf wss4j without any problems. I've configured the 
in-interceptors on the bus but the out-interceptors I'm doing 
programmatically.

The only problem I've found is that the generated client stubs from WS1 
appear to include request/response objects from WS2 in the wsdl. This 
prevents you from using the same method names in WS1 and WS2. Other than 
that, everything seems to work as you'd expect it to.


On Fri, Feb 13, 2009 at 11:50:30AM -0500, Daniel Kulp wrote:
> 
> I'm not sure I understand the issue completely. 
> 
> If WS1 is "secure", then the client is sending WS-Security headers.  Thus, WS1 
> should be sending back ws-security headers as part of the response.  
> 
> That said, I expect the security requirements to be different for WS1 than 
> what is required for WS1 to interact with WS2.   Thus, I would suggest one of:
> 
> 1) Don't configure them on the bus.   Configure them on WS1 and the WS2/client 
> directly so they would have different configurations.
> 
> 2) Use a different bus for WS1 and WS2/client.   This is a bit more complex as 
> you would need to use the SpringBusFactory to create separate busses with 
> separate configs and "manage" it setting the 
> BusFactory.setThreadDefaultBus(..) calls as appropriate.
> 
> Dan
> 
> 
> On Thu February 12 2009 1:15:16 pm O. Baujard wrote:
> > Hi,
> >
> > I have the following requirements in a projet :
> >
> > - Create a Web Service (lets name it WS1) and in the service
> > implementation, call an other Web Service (lets name it WS2). So we have
> > the call chain : Client --> WS1 --> WS2
> > - WS1 and WS2 are secured with WS-SECURITY.
> > - WS-SECURITY must be placed at bus level --> it means in and out
> > interceptors for client and server are shared on the same bus because WS1
> > is also a client of WS2.
> > - WS1 and WS2 are deployed on different Tomcat Servers.
> >
> > For now, Client --> WS1 works well in my environment but now I want to add
> > WS1 --> WS2
> >
> > What are the possible configurations, if it's possible ?
> >
> > How to prevent in this architecture the "server side" outInterceptor to
> > place WS-SECURITY headers on the response to the "client side " ?
> >
> > Olivier
> 
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog

-- 
                                                           Ted Leung
                                                           tedman@sfu.ca

The world is spinning too fast, it's making me dizzy.

Re: WS-SECURITY Interceptor configuration

Posted by Daniel Kulp <dk...@apache.org>.

I'm not sure I understand the issue completely. 

If WS1 is "secure", then the client is sending WS-Security headers.  Thus, WS1 
should be sending back ws-security headers as part of the response.  

That said, I expect the security requirements to be different for WS1 than 
what is required for WS1 to interact with WS2.   Thus, I would suggest one of:

1) Don't configure them on the bus.   Configure them on WS1 and the WS2/client 
directly so they would have different configurations.

2) Use a different bus for WS1 and WS2/client.   This is a bit more complex as 
you would need to use the SpringBusFactory to create separate busses with 
separate configs and "manage" it setting the 
BusFactory.setThreadDefaultBus(..) calls as appropriate.

Dan

On Thu February 12 2009 1:15:16 pm O. Baujard wrote:
> Hi,
>
> I have the following requirements in a projet :
>
> - Create a Web Service (lets name it WS1) and in the service
> implementation, call an other Web Service (lets name it WS2). So we have
> the call chain : Client --> WS1 --> WS2
> - WS1 and WS2 are secured with WS-SECURITY.
> - WS-SECURITY must be placed at bus level --> it means in and out
> interceptors for client and server are shared on the same bus because WS1
> is also a client of WS2.
> - WS1 and WS2 are deployed on different Tomcat Servers.
>
> For now, Client --> WS1 works well in my environment but now I want to add
> WS1 --> WS2
>
> What are the possible configurations, if it's possible ?
>
> How to prevent in this architecture the "server side" outInterceptor to
> place WS-SECURITY headers on the response to the "client side " ?
>
> Olivier

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog