I have webservice (server-side) implemented using axis2 in my project. We want to enable WS-security in the existing web services. We are evaluating if apache ramapart module fits our need. Here is our requirement: Basically we have in-house security framework which provides encryption,signature and token generation capabilites. Our in-house security framework basically requires a set of configurations in form of XML and it expose various APIs to do various security operations.
Now with above environment, I can think of three possbile solutions:-
I can develop an axis2 module around in-house security framework and install it as .mar file in security phase. So I will not use apache rampart. But issue with this approach is I can't use ws-security policy to specify security assertions and making sure incoming security tokens conforms to effective policy. It is like reinventing wheel what rampart already doing.
I believe apache rampart underlines call to apache wss4j module for security operations. I believe apache wss4j module provides a way to register 3rd party security provider (by implemeting CryptoProvider interface). I am not sure if this is feasible and viable solution. Please suggest.
Ws-security policy allows to use a custom token. This custom token can be built up using our in-house security framework. So basically it enables us to create ws-security policy using apache rampart module and have custom token developed using our security framework. But I could not find help regarding this on internet. Could anyone please help with example.
any other suggestions are also most welcome.