[jboss-user] [JBoss Web Services] - Re: WS-Security without Spring, without WS-Policy and without the CXF annotations?

Alessio Soldano [https://community.jboss.org/people/asoldano] created the discussion "Re: WS-Security without Spring, without WS-Policy and without the CXF annotations?" To view the discussion, visit: https://community.jboss.org/message/751283#751283 -------------------------------------------------------------- Quite frankly, I see and understand the need for avoiding implementation specific api in endpoints (you might want to deploy the same archive on another vendor container), but as hinted before that's probably simply not doable (especially without WS-Policy support) with WS-Security. The reason basically being that there's no JCP spec covering ws-security configuration, so you'll always need to use an implementation specific configuration approach. If the real need is actually with the admin wanting to enable/disable the cxf interceptor without touching the code, you can go the spring descriptor way, after having added spring libraries to the app server. You don't want to bring in spring because it's just for configuration *or* you're simply somehow confused by the fact jbossas/jbossws does not ship with / install spring by default? If it's a matter of willing to avoid spring for ws configuration only, I see what you mean (as a matter of fact jbossws has moved in this direction, hence is not forcing the spring approach and encouraging the ws-policy based approach), but when you have many other contraints like "wsrp does not support policies", "I don't want to use cxf api", ... you need to come to a compromise and use what is left ;-) If it's a matter of you being confused on "what the preferred method is", keep in mind that JBossWS suggest using the policy approach, but allows different methods if you can't go that way. Apache CXF in general simply has multiple configuration mechanisms and I can say that there's not an actual preference for the spring one as of today, they're really all at the same level. The client / endpoint pre-defined configurations can be used to add JAXWS handlers. WS-Security was implemented using handlers in native stack. However it's not implemented using jaxws handlers on cxf and we can't (and do not want to) change that. Any mechanism for allowing configuring a generic interceptor through descriptor would basically imply re-inventing the spring configuration approach (a jaxws handler definition is covered by jsr224/jsr109 specs instead).. so again, either the user go the spring way if he really wants to have fine grain control on the interceptor beans or he stay with the suggested configuration mechanism (policy engine + properties through @EndpointConfig) *or* direct cxf api/annotation usage. Again, 1) it's not *the* way they're meant to be configured, just *one* of the possible ways 2) you *can* still configure the ws endpoints that way if you want, simply install Spring first (either using the jbossws build or manually copying the spring jars into modules/org/springframework/spring/main and creating a valid module.xml descriptor for the new module). -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/751283#751283] Start a new discussion in JBoss Web Services at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&...]