
WSIT client and multiple WS policy alternatives

martin.cvetanov
Joined: 2011-09-07

Greetings,

I have some questions/thoughts on the WSIT client's ability to handle multiple WS policy alternatives.

So suppose I have a system with WS API that accepts SAML tokens for authentication. There are 2 major alternatives: a Holder-of-key token (that requires also XML dig signature for the request) and a Bearer token (no signature required). Now my API WSDL contains WS-SecurityPolicy assertions for the 2 cases, organized as 1 main policy with 2 alternatives.

Now a JAX-WS based client of the API is using Metro/WSIT to consume that API WSDL and log in to the API (it understands the security policies, generates the WS request, puts a SAML token inside, signs if needed - all that is for clarity, it's not the important point).

The important point is how the WSIT client chooses the WS policy alternative to use (HoK or Bearer). I did some investigation (testing, source/doc reading, etc.) and realized the WSIT client uses an internal, non-configurable mechanism that basically chooses an "arbitrary" one of the alternatives that is evaluated as supported by WSIT. I.e. it is not possible for the client to somehow choose which alternative is desired. This Metro 2.1 source code is at

EffectiveAlternativeSelector.selectBestAlternative()

Question 1: Am I misreading this? Is there a way to customize/configure the policy selection logic?

Question 2: Is someone aware whether the ability for the client to choose which alternative to use is on the Metro roadmap/plans? (I'm using Metro 2.1 currently.)

Metro documentation suggests that the only way to handle multiple alternatives is to make a copy of the server WSDL and manually edit it removing all but 1 of the alternatives. Then use this WSDL only (and do not use the original server one at all). This works, of course, but opens another issue that it is very difficult to switch the policy alternative in use at runtime (though possible, you need 1 copy of the WSDL for every alternative, and then playing with thread context classloader to change between them - quite ugly and very hard to maintain).

Question 3: Could someone suggest another approach for handling multiple alternatives?

Regards,
Martin
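
The WSDL-copy workaround described in the post above can be generated instead of hand-edited. The following is an added example, not part of the original post and not Metro code: it prunes every multi-alternative wsp:ExactlyOne down to the one alternative that contains a caller-chosen marker assertion, and fails closed if that does not leave exactly one. The sample policy, the marker assertion names and the WS-SecurityPolicy 1.2 namespace are assumptions, since the poster's WSDL is not shown.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class PolicyAlternativePruner {
    static final String WSP = "http://www.w3.org/ns/ws-policy";
    static final String SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"; // assumed version
    /** In each wsp:ExactlyOne with several wsp:All children, keep only the one holding the marker. */
    static String keepAlternative(String wsdl, String markerLocalName) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(wsdl)));
        NodeList choices = doc.getElementsByTagNameNS(WSP, "ExactlyOne");
        for (int i = 0; i < choices.getLength(); i++) {
            Node exactlyOne = choices.item(i);
            List<Element> alts = new ArrayList<>();
            for (Node n = exactlyOne.getFirstChild(); n != null; n = n.getNextSibling())
                if (n instanceof Element && WSP.equals(n.getNamespaceURI()) && "All".equals(n.getLocalName()))
                    alts.add((Element) n);
            if (alts.size() < 2) continue; // nothing to choose between
            int kept = 0;
            for (Element alt : alts) {
                if (alt.getElementsByTagNameNS(SP, markerLocalName).getLength() > 0) kept++;
                else exactlyOne.removeChild(alt);
            }
            if (kept != 1) // fail closed rather than send with an unintended policy
                throw new IllegalStateException("expected 1 matching alternative, kept " + kept);
        }
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed, simplified policy: alternative 1 signs the message, alternative 2 relies on transport only.
        String wsdl = "<wsp:Policy xmlns:wsp='" + WSP + "' xmlns:sp='" + SP + "'><wsp:ExactlyOne>"
            + "<wsp:All><sp:AsymmetricBinding/></wsp:All>"
            + "<wsp:All><sp:TransportBinding/></wsp:All>"
            + "</wsp:ExactlyOne></wsp:Policy>";
        String pruned = keepAlternative(wsdl, "AsymmetricBinding");
        if (pruned.contains("TransportBinding")) throw new AssertionError("bearer alternative survived");
        System.out.println(pruned);
    }
}
```

Running it once per alternative yields the single-alternative copies the post describes, with the choice between the signed and the unsigned variant made explicitly by the caller.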

jpanelli
Joined: 2008-10-13

This isn't really an answer to your question, but is a related issue. I am having trouble with a multi-client configuration myself. I have 2 clients where I need to use 2 different callback handlers. My wsit-client.xml file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             name="mainclientconfig">

    <import location="wsit-client-QBOPayrollWS.xml" namespace="http://www.intuit.com/sb/service/qbopayroll/v2/" />
    <import location="wsit-client-AccountManager.xml" namespace="http://spc.intuit.com/idmanager/account/" />

</definitions>

My other 2 files look like this:

wsit-client-QBOPayrollWS.xml:

<?xml version='1.0' encoding='UTF-8'?>
<definitions xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    name="QboPayrollWsService"
    xmlns:tns="http://www.intuit.com/sb/service/qbopayroll/v2"
    targetNamespace="http://www.intuit.com/sb/service/qbopayroll/v2">

    <portType name="QboPayrollWs">
    </portType>

    <binding name="QboPayrollWsPortBinding" type="tns:QboPayrollWs">
        <wsp:PolicyReference URI="#QboPayrollWsPortBindingPolicy"/>
        <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document" />
    </binding>

    <service name="QboPayrollWsService">
        <port name="QboPayrollWsPort" binding="tns:QboPayrollWsPortBinding">
        </port>
    </service>

    <wsp:Policy wsu:Id="QboPayrollWsPortBindingPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sc:CallbackHandlerConfiguration wspp:visibility="private" xmlns:sc="http://schemas.sun.com/2006/03/wss/client">
                    <sc:CallbackHandler name="xwssCallbackHandler" classname="com.paycycle.partnerdata.qbo.QBOXWSSCallbackHandler"/>
                </sc:CallbackHandlerConfiguration>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</definitions>

wsit-client-AccountManager.xml:

<?xml version='1.0' encoding='UTF-8'?>
<definitions xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    name="AccountManager_Service"
    xmlns:tns="http://spc.intuit.com/idmanager/account"
    targetNamespace="http://spc.intuit.com/idmanager/account">

    <portType name="AccountManager">
    </portType>

    <binding name="AccountManagerPortBinding" type="tns:AccountManager">
        <wsp:PolicyReference URI="#AccountManagerPortBindingPolicy"/>
        <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document" />
    </binding>

    <service name="AccountManager_Service">
        <port name="AccountManagerPort" binding="tns:AccountManagerPortBinding">
        </port>
    </service>

    <wsp:Policy wsu:Id="AccountManagerPortBindingPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sc:CallbackHandlerConfiguration wspp:visibility="private" xmlns:sc="http://schemas.sun.com/2006/03/wss/client">
                    <sc:CallbackHandler name="xwssCallbackHandler" classname="com.paycycle.webservices.client.IAMClientSecurityCallbackHandler"/>
                </sc:CallbackHandlerConfiguration>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</definitions>

Metro doesn't seem to pick up the configuration for wsit-AccountManager.xml because no calls are made to the callback. Are you suggesting that the policy being used in this case is random? How can we tell what Metro is trying to do here?

Thank you!
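
One property of a split configuration like the one in the reply above can be checked mechanically: the namespace attribute of each wsdl:import is meant to equal the targetNamespace of the file it imports. The following is an added example, not part of the original post and not Metro code; the class and method names are hypothetical, and the inline documents are reduced from the posted files to the attributes the check reads. Whether a mismatch explains the missing callback is not established by the thread.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class WsitImportCheck {
    static final String WSDL = "http://schemas.xmlsoap.org/wsdl/";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** One finding per wsdl:import whose namespace differs from the imported file's targetNamespace. */
    static List<String> findMismatches(String mainConfig, Map<String, String> filesByName) throws Exception {
        List<String> findings = new ArrayList<>();
        NodeList imports = parse(mainConfig).getElementsByTagNameNS(WSDL, "import");
        for (int i = 0; i < imports.getLength(); i++) {
            Element imp = (Element) imports.item(i);
            String location = imp.getAttribute("location");
            String declared = imp.getAttribute("namespace");
            String imported = filesByName.get(location);
            if (imported == null) { findings.add(location + ": imported file not found"); continue; }
            String actual = parse(imported).getDocumentElement().getAttribute("targetNamespace");
            if (!declared.equals(actual))
                findings.add(location + ": import says '" + declared + "', file declares '" + actual + "'");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Reduced from the files posted above: only the attributes this check reads are kept.
        String config = "<definitions xmlns='" + WSDL + "' name='mainclientconfig'>"
            + "<import location='wsit-client-QBOPayrollWS.xml' namespace='http://www.intuit.com/sb/service/qbopayroll/v2/'/>"
            + "<import location='wsit-client-AccountManager.xml' namespace='http://spc.intuit.com/idmanager/account/'/>"
            + "</definitions>";
        Map<String, String> files = new HashMap<>();
        files.put("wsit-client-QBOPayrollWS.xml", "<definitions xmlns='" + WSDL
            + "' targetNamespace='http://www.intuit.com/sb/service/qbopayroll/v2'/>");
        files.put("wsit-client-AccountManager.xml", "<definitions xmlns='" + WSDL
            + "' targetNamespace='http://spc.intuit.com/idmanager/account'/>");
        findMismatches(config, files).forEach(System.out::println);
    }
}
```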