May 30, 2012 Leave a comment
WSO2 AS supports Apache CXF as the JAX-WS framework from next release on-wards. Applying WS-Security on JAX-WS services is an important use case when developing web services. CXF supports two ways to configure WS-Security on JAX-WS services.
- By using custom configurations in the cxf-servlet.xml file. This is the old way and it’s documented here. When a service is secured using this method, there won’t be a Policy on the WSDL and the clients can’t get needed Policy information to invoke the service just by looking at the contract. Therefore this is not a standard way of securing a service. A useful post on using this method can be found here. On WSO2 AS trunk, you can find a this type of sample here.
- By using WS-SecurityPolicy language. It’s documented here. This is the standard way of securing a service. Here, the service author has to include the Policy in the WSDL and engage it with needed bindings. Only the configurations like key store locations, callback handlers etc. should be done through the cxf-servlet.xml. A nice article which this kind of samples can be found here. And on WSO2 AS trunk, there’s a UT sample of this type here.
Both these methods are still supported. But the second one is the recommended way of doing it.