Re: [Apiman-dev] Apiman - WS Security policy

Hi Benjamin - thanks for the excellent question. I will do my best to answer and note that I am CC'ing the apiman-dev mailing list so others can chime in. First let me say that a WS-Security policy sounds great - we haven't focused much on the WS-* protocols because we get much more demand for managing REST APIs than SOAP APIs. That said, better SOAP support is certainly on the radar. When that happens, my hope is that processing the envelope might be a core part of the gateway and so implementing policies that use information in there will be easier. Perhaps your implementation can be the genesis of some of that work! To your question - without core changes to apiman, the approach you *need* to take is to have your policy implement IDataPolicy. I believe you may have already tried that, and observed that you cannot send proper policy failures from that method. You are right - that's something we will need to fix! I think you should be able to throw a runtime exception from the write(IApimanBuffer chunk) method if you detect an error. However, this is a little bit hacky! Instead, I suggest (if you're up for it) that we perhaps work together to bake SOAP support directly into the core of apiman, such that the SOAP envelope is read/parsed *before* the policy chain is executed. We could expose, for example, the SOAP headers as a proper Map<> stored either in the context or on the ApiRequest. This would allow you to properly implement most (all?) WS-* protocols as proper apiman policies in the apply(ApiRequest request) method. Thoughts? -Eric On 3/24/2016 7:58 AM, Benjamin Kastelic wrote: