
Using axis2 rampart module with own security framework

I have a web service (server-side) implemented using axis2 in my project. We want to enable WS-Security in the existing web services. We are evaluating whether the apache rampart module fits our need. Here is our requirement: Basically we have an in-house security framework which provides encryption, signature and token generation capabilities. Our in-house security framework basically requires a set of configurations in the form of XML, and it exposes various APIs to do various security operations.

Now, with the above environment, I can think of three possible solutions:

  1. I can develop an axis2 module around the in-house security framework and install it as a .mar file in the security phase. So I will not use apache rampart. But the issue with this approach is that I can't use WS-Security policy to specify security assertions and make sure incoming security tokens conform to the effective policy. It is like reinventing the wheel of what rampart is already doing.

  2. I believe apache rampart underneath calls the apache wss4j module for security operations. I believe the apache wss4j module provides a way to register a 3rd party security provider (by implementing the CryptoProvider interface). I am not sure if this is a feasible and viable solution. Please suggest.

  3. WS-Security policy allows the use of a custom token. This custom token can be built using our in-house security framework. So basically it enables us to create a WS-Security policy using the apache rampart module and have a custom token developed using our security framework. But I could not find help regarding this on the internet. Could anyone please help with an example?

Any other suggestions are also most welcome.

ag112 asked Nov 13 '22 16:11


1 Answer

I've posted an answer here: How to encrypt SOAP messages manually?

There is a very detailed example there that you might find useful.

You can set the provider by using:

cryptoConfig.setProvider(PROVIDER); 

Regarding the custom security headers, I'm sorry but I didn't try it so I can't help you there.

Tomer answered Dec 22 '22 04:12