Apache CXF 2.2 released….

Finally managed to Apache CXF 2.2 out the door. Definitely took a bit longer than expected, mostly cause I COMPLETELY underestimated what a PAIN doing security stuff is.

Normally when working with WebServices, if something goes wrong, it’s very easy to use Wireshark or similar to grab the SOAP message and examine it to see if the problem is related to the message or not. With the various WS-Security standards, that doesn’t work very well. The captured messages end up encrypted. Thus, looking at the raw messages doesn’t help too much. I ended up writing several extra helper things to help me decrypt the messages to see what they really look at.

The other issue I ran into is security people tend to NOT give useful error messages. Then tend to think it’s a security violation or similar to say “the provided X509 key was not trusted” or similar. Instead, you get a “Security tokens could not be processed” type fault. Yea, that helps. Which token?

The GOOD news is that CXF 2.2 now passes the Microsoft Interop PlugFest tests for WS-Security 1.0 and 1.1, WS-SecureConversation, and the client side portion of WS-Trust 1.0 and parts of WS-Trust 1.3. That’s a huge step forward in interopability with WCF. There is still a lot of work to do and a bunch of performance tuning is needed, but this is a huge milestone representing a ton of work.

Anyway, major thanks to the entire CXF team for helping to get this out.

Leave a Comment

Your email address will not be published. Required fields are marked *