Re: WS Policy Execution order

2012-04-16 Thread sram
The only issue in this approach is, it exposes the system to rogue requests trying to guess passwords and when defended with max re-tries, will lock users. Not just that, it also has potential to open server sessions and max-out, when other parts of the contract are not satisfied. Can this be cla

WS Policy Execution order

2012-04-14 Thread sram
My policy looks like, http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> http://schemas.xm

Re: CXF AccessControl Exception - Websphere

2012-04-12 Thread sram
I see CXF2.5.2 implementation as, protected void checkPublishPermission() { SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission(PUBLISH_PERMISSION); else if (Boolean.getBoolean("org.apache.cxf.jaxws.checkPublishEndpointPermission")) Access

CXF AccessControl Exception - Websphere

2012-04-12 Thread sram
I'm on CXF 2.5.2, WAS 6.1.0.39 with Java2 Security Policy enabled. In my was.policy, I have grant codeBase "file:${application}" { ... permission javax.xml.ws.WebServicePermission "publishEndpoint"; }; I also, have JVM system property, org.apache.cxf.jaxws.checkPublishEndpointPermission=fa

Re: Websphere 6.1 JAX-WS Feature Pack Enabled - CXF issue

2012-04-11 Thread sram
I forgot to mention the version, CXF 2.5.2, WAS 6.1.0.39 w/ WS-FEP

Websphere 6.1 JAX-WS Feature Pack Enabled - CXF issue

2012-04-11 Thread sram
I have a strange issue with WAS6.1 webservice feature pack enabled on 6.1.0.39. It works on standalone version of WAS but not on network deployment version. List of items I did: - Follow instructions on CXF and IBM site, to disable IBM JAXWS-Engine. I have the disable property set both at module and

Custom WS-Policy

2012-03-08 Thread sram
I'm coding a custom policy for "outbound messages" based on instructions from CXF website, and see my interceptor being called. As per instructions, I will need an MyAssertionBuilder, MyInterceptor, MyInterceptorProvider and a bus-extensions that configures the interceptors. Question, is do I not n

Re: Multiple endpoints and security policy

2012-02-28 Thread sram
Resolved the issue, but think this is a bug in CXF framework. when Adding interceptor org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor$CheckClosingTagsInterceptor@37ae37ae to phase post-logical [2/28/12 14:15:57:731 EST] 005f PhaseIntercep 1 Chain org.apache.cxf.phase.PhaseInte

Re: Multiple endpoints and security policy

2012-02-28 Thread sram
I have better logs here to determine if this is a bug or per design, [2/28/12 11:28:22:872 EST] 006d PhaseIntercep 1 Chain org.apache.cxf.phase.PhaseInterceptorChain@156a156a was modified. Current flow: receive [PolicyInInterceptor, LoggingInInterceptor, AttachmentInInterceptor] pre-stre

Re: Multiple endpoints and security policy

2012-02-28 Thread sram
HolderInterceptors are used only in Service1, jaxws:endpoint and does not use any camel artifacts or is not under camel context . Even when commented, I see LoggingInterceptor called before PolicyInterceptor. Could this be a camel, cxf collision when security policies are in play? Anyhow, I will p

Re: Multiple endpoints and security policy

2012-02-27 Thread sram
A few updates, I'm on CXF2.5.2 and I notice AbstractPhaseInterceptors attach constructor arguments "pre-invoke" and "receive" for HolderInInterceptor and PolicyInterceptor respectively. In which case, receive should execute before pre-invoke, and observed behavior in test case #2 aligns well; Howev

Multiple endpoints and security policy

2012-02-27 Thread sram
I have two endpoints, one derived from jaxws:endpoint and other via Provider interface. Both have different service ports, names but share same binding. Both are wired with WS-Security policy. http://localhost/reportService/" />

Re: server-keystore WAS integration

2012-02-23 Thread sram
Following on my previous post, the issue is that the file contains the keystore password in plain text. Is there a way to encrypt this and still have apache security libraries decode them OR have all this information supplied from websphere keystore and direct apache security libraries to use WAS keystor

JAXB Unmarshall listener

2012-02-23 Thread sram
Is there support in CXF to listen during JAXB marshall/unmarshalling. When my SOAP request is unmarshalled, I want Foo.class to listen for certain complex types. I see some listeners available in JAXBDataBinding, but is there any handle to retrieve this JAXBDatabinding instance from cxf context?

server-keystore WAS integration

2012-02-22 Thread sram
When working with EndorsingSupportedTokens (X.509), on the server side it is required to provide, that encapsulates details of keystore, password, etc., Is there a way to integrate this into websphere keystore, rather than having a separate file. I can point "org.apache.ws.security.crypto.merlin

Policy Annotation

2012-02-16 Thread sram
On CXF2.5.2, I have WS-Security policies declared on WSDL first approach and works as expected when @javax.jws.WebService( serviceName = "PingService", portName = "pingPort", targetNamespace = "http://services.mycomp.com/ping",

Re: Signing Message parts

2012-02-13 Thread sram
"If you want to sign the SOAP Body, you'll have to add it to the SignatureParts list..." Agreed. But even without signing it works though server policy indicates signing is required. I was thinking body part signing will be expected from server using X.509 under section. "you are using TLS an

Re: wss4j logging in CXF

2012-02-10 Thread sram
I had a similar issue a few days back, and added JVM argument -Dlog4j.configuration=my/log.properites to my websphere JVM container; this created visibility to org.apache.ws.* package under websphere trace and logging configuration. I then bumped trace level for these security packages from WAS admin

Re: WSS4J Endorsing Supporting tokens

2012-02-10 Thread sram
Excellent. thanks a lot

WSS4J Endorsing Supporting tokens

2012-02-09 Thread sram
I am trying a WSS4J assisted client to generate security headers that can meet the policy (DoubleItTransportEndorsingPolicy + usernametoken); the issue is how do I tell to generate . Instructions available from DoubleIt test cases, are using WSPolicy interceptors. I want to make sure this token can

Re: SecurityPolicy Option

2012-02-07 Thread sram
Will the mere presence of client X.509 under supporting tokens validate client authentication. I thought SignatureTrustValidator will validate the received token against trust store for assertion. Not true? Should a message part be signed to verify client auth?

Re: SecurityPolicy Option

2012-02-06 Thread sram
thanks. With TLS and supporting binary X509 token in SOAP, is there any benefit signing parts of message or timestamp, when the communication model is only between two nodes?

Re: WSSJ Interceptor invoked instead of Policy

2012-02-06 Thread sram
Correct, I'm running Websphere 6.1.x. Is there a workaround here?

WSSJ Interceptor invoked instead of Policy

2012-02-04 Thread sram
I work on CXF2.5.2 with WS-SecurityPolicy following instructions (DoubleItAsymmetricSESupportingPolicy) posted from http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup Issue is, when signatur

SecurityPolicy Option

2012-02-04 Thread sram
I'm working on a use case where I need to uniquely identify (in secured fashion, no compromise) all clients reaching my endpoint and take measures based on it. All clients will use common TLS infrastructure; when I configure my security policy, what would be my best options without overdoing or com

Re: AW: CXF2.5.1 WS-SecurityPolicy

2012-02-03 Thread sram
It was related to 2.5.1, looks OK in 2.5.2, thanks.

Re: AW: CXF2.5.1 WS-SecurityPolicy

2012-02-02 Thread sram
Thanks for your response. I'm following the examples from your link. I'm not sure how transport binding is a pre-requisite here when cases where SSL can be offloaded at F5 or webserver (single hop webservice from one node to another). Also, the case I am trying out was adapted from the authors "Dou

CXF2.5.1 WS-SecurityPolicy

2012-02-01 Thread sram
It's the SecurityPolicy issue again, with cxf2.5.1. I ran through all messages posted in this group across different versions and could not figure out this issue. At this point, I'm not sure if I am doing wrong or it's a side effect of some neethi updates. Please help. On CXF2.5.1, neethi-3.0.1, wss4