Search code examples
web-servicessoapcxfws-security

WS-SecurityPolicy configuration of CXF client


The question: Can CXF automatically configure WS-Security for a client based on a WS-SecurityPolicy file?

If so, is there any documentation on actually doing so? I've spent several hours looking at the CXF site and doing searches without finding an answer.

The CXF documentation says "CXF 2.2 introduced support for using WS-SecurityPolicy to configure WSS4J instead of the custom configuration documented on the WS-Security page", and also says "In CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available on the classpath, the WS-SecurityPolicy stuff is automatically enabled." Finally, there's a listing of the properties that may need to be configured (keystore locations, etc). All of that I understand, but the documentation doesn't actually explain what enabling WS-SecurityPolicy does. Is it just for policy generation, or does it actually help configure clients?


The reason I'm asking is that I'm working on an application that uses CXF (JAX-WS front end) via Camel to consume a SOAP service secured with WS-Security. Because of the existing structure of our application, I've been trying to configure the client with WSS4J interceptors, but have been having a tough time actually implementing what they've described.

After a couple of days working on this, the provider mentioned that they had a WS-SecurityPolicy file they could send to me (why they didn't mention this up front is a mystery). Now that I have their policy, I'd really like to figure out a less code-driven way of configuring the security.


Solution

  • Having a WS-SecurityPolicy configures "most" of the security requirements for a client. You still need to specify JAX-WS properties to configure users, passwords, keys etc. I would recommend checking out the CXF source and looking at the systests/ws-security-examples tests.