More Tutorial Madness

So I’ve also been following Glen Mazza’s X.509 tutorial for JAX-WS, found here.  It has some of the same problems as the other ones.  But this post is about something different.

Glen’s tutorial, and every other tutorial I’ve seen for JAX-WS/Metro and WS-Security, includes configurations in the WSDL for the security engine like this (along with a lot of other policy markup, without explanation; one of my beefs with these is that they don’t actually explain what any of the stuff they’re asking you to do is for):

<sc:KeyStore wspp:visibility="private"
   location="/home/gmazza/workspace/DoubleIt/mykeys/servicestore.jks"
   type="JKS" storepass="sspass" alias="myservicekey" keypass="skpass"/>
<sc:TrustStore wspp:visibility="private" storepass="sspass"
   type="JKS"
   location="/home/gmazza/workspace/DoubleIt/mykeys/servicestore.jks"/>

So I understand this is a “quick and dirty” tutorial, but this is code that is completely unsuited for a production deployment.  Never mind the cleartext passwords which, given that there’s never really a good way to store them, may be excusable.  In no environment I’ve ever heard of would it be possible to hard-code the path to a keystore in a WSDL file and then deploy it to various environments (qa, prod, etc.).  Yet that’s how the tutorial specifies it.
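For contrast, here is the shape of a deployment-neutral alternative: an added example, not code from the tutorial or from the Metro/WSIT project.  It assumes (from my reading of the WSIT docs, not from this post) that Metro’s sc:KeyStore element accepts a callbackHandler attribute naming a javax.security.auth.callback.CallbackHandler, and that Metro hands that handler a com.sun.xml.wss.impl.callback.KeyStoreCallback with a setKeystore method; the environment variable names are made up for the example.  The keystore path and password then come from the environment of whichever box the WAR lands on (qa, prod, etc.) rather than from the WSDL.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.sun.xml.wss.impl.callback.KeyStoreCallback; // assumed Metro callback type

/** Referenced from the WSDL as
 *  &lt;sc:KeyStore wspp:visibility="private" callbackHandler="example.ExternalKeyStoreHandler"/&gt;
 *  (assumed attribute); the path and password never appear in the WSDL. */
public class ExternalKeyStoreHandler implements CallbackHandler {
    // Constructed names for this example; pick whatever your deployment tooling sets.
    static final String LOCATION_VAR = "DOUBLEIT_KEYSTORE_PATH";
    static final String PASSWORD_VAR = "DOUBLEIT_KEYSTORE_PASS";

    /** JVM system property first (e.g. -Ddoubleit.keystore.path=...), then the environment.
     *  Failing loudly at startup beats a service that silently signs nothing. */
    static String required(String name) {
        String v = System.getProperty(name.toLowerCase().replace('_', '.'));
        if (v == null) v = System.getenv(name);
        if (v == null || v.isEmpty())
            throw new IllegalStateException("missing deployment setting: " + name);
        return v;
    }

    /** Plain JDK keystore load; the type stays JKS as in the tutorial's fragment. */
    static KeyStore loadKeyStore(String path, char[] storepass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storepass);          // wrong password fails here, at deploy time
        }
        return ks;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof KeyStoreCallback)) throw new UnsupportedCallbackException(cb);
            char[] storepass = required(PASSWORD_VAR).toCharArray();
            try {
                ((KeyStoreCallback) cb).setKeystore(loadKeyStore(required(LOCATION_VAR), storepass));
            } catch (GeneralSecurityException e) {
                throw new IOException("cannot open keystore", e);
            } finally {
                Arrays.fill(storepass, '\0'); // don't keep the password on the heap longer than needed
            }
        }
    }
}
```

The private-key password (the tutorial's keypass) can be supplied the same way through a second variable; how Metro asks for it is outside what this post covers, so it is left out here.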

So I’ve got a couple of complaints:

  1. I think it’s irresponsible for tutorial writers to take this kind of shortcut, at least without noting it.  Every tutorial I’ve seen for JAX-WS and WS-Security has had basically the same structure, and this is apparently what Netbeans generates.
  2. I think it’s irresponsible of the Metro/Glassfish team to even allow this kind of configuration.  I found some documents today in the WSIT project mentioning that this configuration option was put in the project to make it quick and easy for developers to get started, and that it wasn’t intended for production use, although no good alternative was mentioned in the document.  And because it exists, every tutorial and document will use it.  And since developers are like lemmings, there are probably sysadmins all over the world silently cursing while hand-editing the production WSDL for the same web-service for the six-hundredth time.
