Thanks Dan! I appreciate the suggestions to dive in myself, but in the interests of my employer my time is better spent elsewhere on this project. Let me instead try to describe what I'd like to have someone in the CXF community code up for us. Interested parties can contact me off-list about costs, timeframes, etc. It is a relatively urgent need of ours at this point, but unfortunately none of our coding talent has direct Java experience.
What I'm looking for is a stand-alone Java Web Application (we've looked at the support for WS-Security policies for SOAP in other programming languages and they fall short of our needs) that I can front-end with an apache proxy server with some cookie authentication code to protect the service. What the Application needs to do is accept HTML form-data to populate a handful of different calls to a specific WSS-encrypted SOAP endpoint. The app is really just a gateway from a web-form to a SOAP request/response: the response simply needs to be decrypted and passed along as XML to the web client. That's pretty much it- there are databases involved but the invoking code we're writing ourselves can deal with the storage requirements. This shouldn't be hard to achieve given familiarity with the requisite software and knowledge about the WSDL for the service. If there's some other place I should be asking please let me know- I've spoken with Talend sales and they weren't able to offer anything directly relevant to this task. On Wed, Jun 15, 2016 at 7:30 PM, Daniel Kulp <[email protected]> wrote: > > > On Jun 15, 2016, at 4:59 PM, Joe Schaefer <[email protected]> wrote: > > > > Yes I found a version of the WSDL that contains ws-policy elements. > > Great! Let’s hope the policy is correct and complete. ;-) > > Once you have the wsdl, you should just be able to generate a client from > it (wsdl2java) and use the standard client Service object to obtain the > port you need. You would then configure the client using whatever > security configuration options that are dictated by the policy. Without > seeing the policy, that will be hard to determine. Since you mention > both encryption and signature, you might be able to get an idea by looking > at the “samples/ws_security/sign_enc_policy” example that comes in the CXF > download. That uses spring to configure the client, but configuring via > java code is relatively straightforward. The trick is getting the > “Client_Encrypt.properties” file created (thats the name of the file in the > sample, can be anything) which creates your keystrokes and alias’s and > such that you will need. > > > Dan > > > > > > > > > > > On Wed, Jun 15, 2016 at 4:27 PM, Joe Schaefer <[email protected]> > wrote: > > > >> Yes there is a wsdl including wsse elements. I'm just not at liberty > >> to share it publicly. I'm not sure it includes a ws-policy but I can > >> investigate. > >> > >> Thanks Dan! > >> > >> Sent from my iPhone > >> > >>> On Jun 15, 2016, at 4:14 PM, Daniel Kulp <[email protected]> wrote: > >>> > >>> Joe, > >>> > >>> This isn’t really a lot to go on. Does the soap endpoint that you > are > >> connecting to have a published WSDL? Does the WSDL provide a WS-Policy > >> definition that describes the security requirements? If so, things are > >> significantly easier than if it doesn’t. With the WS-Policy stuff, it > >> should just be a matter of configuring properties on the client (java > code, > >> spring config, etc…) for the stuff the policy requires (keystrokes, key > >> aliases, etc…). If the WSDL doesn’t have a policy, things are quite a > >> bit more complex. In that case, you’d have to figure out what the > security > >> requirements are and configure in appropriate actions onto a set of > WSS4J > >> interceptors. > >>> > >>> Anyway, start with looking at the WSDL and see what information is > there > >> and then we can figure out the next step. > >>> > >>> Dan > >>> > >>> > >>>> On Jun 15, 2016, at 1:14 PM, Joe Schaefer <[email protected]> wrote: > >>>> > >>>> Hi, > >>>> I have a business customer who needs a stand-alone web application > that > >> can > >>>> connect to a SOAP endpoint that requires support for the Oasis WSS > >>>> standards for XML encryption and signatures. > >>>> > >>>> Looking over the documentation for CXF it seems that may be the answer > >> I'm > >>>> looking for on some level. However I am a perl guy, so I may need > some > >>>> assistance braving the java world. My company will naturally > >> compensate on > >>>> a contract basis for any coding we need done, but it should be > >>>> straightforward. > >>>> > >>>> I realize the Oasis specs cover a lot of ground, but I do not need > more > >>>> than a small handset supported. We have familiarity with SOAP UI from > >>>> SoftBear which does the job, but is the wrong architecture for a > >>>> concurrent, multi-user web services based solution. > >>>> > >>>> Any advice in this area would be greatly appreciated- I can try to > >> answer > >>>> any questions about our needs and requirements to the best of my > >> ability, > >>>> but at this point I'm just looking to know if the CXF community can > >> support > >>>> this type of use case. > >>>> > >>>> > >>>> TIA! > >>> > >>> -- > >>> Daniel Kulp > >>> [email protected] - http://dankulp.com/blog > >>> Talend Community Coder - http://coders.talend.com > >>> > >> > > -- > Daniel Kulp > [email protected] - http://dankulp.com/blog > Talend Community Coder - http://coders.talend.com > >
