Affects Version/s: 2.2.4 (EE only), 3.0.0-M1
Fix Version/s: Product Backlog
"As Travis was showing the wss4j config I was reminded of the old Mule
1.x days: lots of magic strings and class names in the config,
everything configured as <spring:bean> elements. Since the config
happens all inside the <cxf:endpoint> element, can't we just simplify
configuration a bit by adding namespace handlers for the more common
cases? The uncommon/complex cases can still be configured using the
spring notation, though."
"I would definitely be behind adding simpler WSS4J configuration. CXF has a mechanism to make these types of configuration easier called Features which allow you to wrap up a bunch of configuration work in one class. The thing that makes this a difficult is the mind bending array of configuration possibilities
CXF as a whole I believe is moving toward configuring security with WS-SecurityPolicy and then a few auxillary properties. See for instance here:
I haven't delved into this too much yet though.
I would probably support a hybrid approach. Supporting some simple use cases via a WSSecurityFeature and then recommending WS-SP for the others. Might earn us some good credit with the Apache guys if we contribute something like this back too - not sure how critical it is to our offering."