Sunday, December 16, 2012

Using WS-Policy in CXF projects

WS-Policy provides flexible mechanism to activate desired functionality on the client or service sides. Article describes how to define policies in custom CXF projects, implement policy-aware interceptors and explains some aspects of internal CXF design regarding WS-Policy.

How to define policies

There are basically 3 main possibilities to define WS-Policy in CXF projects:
  1. WSDL Policy attachment
  2. Spring configuration
  3. Dynamically via message context property
Let look into them in details.

WSDL Policy attachment
WS-Policies can be attached and referenced in WSDL elements. Web Services Policy 1.5 - Attachment standard describes all possible alternatives. WS-Policies can be placed inside WSDL itself or referenced as external documents. CXF will automatically recognize, read and use policies defined or referenced in WSDL. Sample of attached policy is shown below:
<wsdl:definitions name="HelloWorld" targetNamespace=""<wsdl:service name="SOAPService">
    <wsdl:port binding="tns:Greeter_SOAPBinding" name="SoapPort">
        <soap:address location="http://localhost:9000/SoapContext/SoapPort"/>
        <wsp:Policy xmlns:wsp="">
             <wsam:Addressing xmlns:wsam="">

Spring configuration
It is possible to define policies directly in Spring configuration of client and service as jaxws feature. CFX will recognize and use configured WS-Policies:
<beans xmlns=""
    <jaxws:client id="CRMServiceClient" name="{}CRMServiceProvider"
                    <wsp:PolicyReference xmlns:wsp="" URI="classpath:/saml.policy"/>
<beans xmlns=""
    <jaxws:endpoint id="CRMService"
                    <wsp:PolicyReference xmlns:wsp="" URI="classpath:/saml.policy"/>
Dynamically through message property
Sometimes policies cannot be configured statically, because they are obtained or calculated dynamically for concrete message (for example using Policy Server or Service Registry). For such cases CXF provide a possibility to load policy dynamically and set it into the message context property. It can be done for example in custom interceptor that fulfils the following:
  1. Get policy from external location and build it for current message.
  2. Parse WS-Policy XML using Neethi library.
  3. Store result Policy object into PolicyConstants.POLICY_OVERRIDE message content property.
    Important is that this custom policy interceptor is called before CXF PolicyInInterceptor or PolicyOutInterceptor. Than CXF will automatically recognize Policy stored into this property and use it with highest priority. 
 I have published a small sample illustrating how to apply policy dynamically.

Create custom policy assertions and associate interceptors

It is quite easy to define own policy assertions and associate interceptors with it. Topic is already well described in CXF document, I just provide a list of steps necessary to do:
  1. Provide Assertion Builder class for custom assertion implementing AssertionBuilder<T> interface.
    Interface type can be Element, XMLStreamReader or OMElement.
    Interface contains two methods: build() and getKnownElements().
    Implementation of build() method should construct Assertion from the incoming type. It can be PrimitiveAssertion (without attributes or child elements), NestedPrimitiveAssertion (without attributes but with nested policy element) and JaxbAssertion (assertion described by any XML schema).
    getKnownElements() method must return QNames of assertion elements from which assertion can be built.
  2. Implement policy interceptor provider class extending AbstractPolicyInterceptorProvider class. The main task of policy interceptor provider is to say which interceptors must be activated for specified policy assertion. Policy interceptor provider constructor gives assertions QNames as argument of super constructor and adds corresponded interceptors using getters:
public class AuthorizationInterceptorProvider extends AbstractPolicyInterceptorProvider {
    private static final long serialVersionUID = -5248428637449096540L;
    private static final AuthorizationInInterceptor IN_AUTHZ_INTERCEPTOR = new AuthorizationInInterceptor();
    private static final AuthorizationInInterceptor OUT_AUTHZ_INTERCEPTOR = new AuthorizationOutInterceptor();
    private static final Collection<QName> ASSERTION_TYPES;
    static {
        ASSERTION_TYPES = new ArrayList<QName>();
    public AuthorizationInterceptorProvider() {

Assertion builder and policy interceptor provider can be registered using CXF bus extension mechanism: just create a file META-INF/cxf/bus-extensions.txt containing the following:  
Boolean value at the end specifies lazy loading strategy.
CXF automatically recognizes the assertion builder and policy interceptor provider and store them into registries: AssertionBuilderRegistry and PolicyInterceptorProviderRegistry. Since CXF 2.6.0 it is possible to register multiple interceptor providers for single assertion.

How and where CXF processes policies

As I already mentioned, CXF provides two interceptors: and These interceptors are responsible to load policy from destination, parse, merge them and add all associated interceptors into message interceptor chain. Functionality of policy interceptors are represented on the following figure:

Briefly, policy interceptors make following steps:
  1. Check message property PolicyConstants.POLICY_OVERRIDE.
  2. If PolicyConstants.POLICY_OVERRIDE contains policy, it will be taken for further processing.
  3. If property is empty, policy will be asked from ServiceModel. Here CXF loads policies attached to WSDL or provided via Spring configuration.
  4. If any policy on step 2 or step 3 is found, EffectivePolicy will be created. Appropriate WS-policies will be merged for the current message and built into Neethi Policy object.
  5. All interceptors registered for result policy assertions will be added to message interceptor chain.
Additionally, CXF verifies satisfied policy assertions in PolicyVerfificationInInterceptor, PolicyVerificationInFaultInterceptor, PolicyVerificationOutInterceptor. If assertion is not processed and not satisfied in corresponded interceptor, than In- interceptors throw Fault and Out- interceptors provide appropriate log messages.
The practical using of WS-Policy is illustrated in ws_policy and ws_security CXF samples.


  1. Thanks for the good explanation.
    Can you please share some sample code foe WS-Policy. It would be really useful. Thanks in advance.

  2. Hi Amit,

    Could you please explain in more detail what kind of code you need? Some samples you can find in CXF distribution and in CXF system tests.

  3. i had implemented the scenario Policy Dynamically via message property.
    It can be find at

  4. Hi Andrei,
    Have you any idea how can we configure CXF to can use an External WS-PolicyAttachement ( i have two files , policies.xml and a wsdl file ) ?

  5. This comment has been removed by the author.

  6. Hi Bouanani,

    CXF supports WS-Policy Attachments linked to WSDL bindings, service or directly to client/service configurations out of the box. You don't need any special configuration. Take as basis ws_policy sample delivered with CXF distribution:

  7. Hi Andrei,

    could you advise how to resolve the problem with X.509 security when we try to cipher SOAP body. A client app is sending ciphered SOAP body but in response from server app we see - "org.apache.cxf.interceptor.Fault: Unexpected element EncryptedData found. Expected Message". I have no idea how to solve it. Could you provide the example of good Interceptor class for such a case, as I couln't find it anywhere.
    Best regards,
    Oleksii Rybak

  8. Hi Oleksii,
    It seems that CXF doesn't configured to decrypt your message (either with WS-Policy or WSSJ4 Actions), therefore it tries to unmarshal encrypted payload. I need more information regarding your request message and configuration to help you. I would suggest to post your problem into CXF user mail list (, I will try to help you there.

  9. Hi Andrei,
    thks for your tutorial.
    Following this tutorial I created a cxf service where the wsdl has no policy,
    and I add to service dynamic policy throught a external file ut.policy and the DynamicPolicyOutInterceptor.
    (as decribed at

    However the ws-mex and the wsdl (returned by http://localhost:8080/ServerCXF2/services/ProvaWSSPortoSoap?wsdl )
    remains always without policy .
    Where is my mistake?
    How do I update runtime the ws-mex so that it returns the additions policies?

    Best Regards,

  10. Hi Andrei,
    I have a wsdl wsp:Policy and xsd how to create service using cxf