Return-Path: 
 <axis-user-return-20905-apmail-ws-axis-user-archive=ws.apache.org@ws.apache.org>
Delivered-To: apmail-ws-axis-user-archive@www.apache.org
Received: (qmail 94945 invoked from network); 9 Jan 2004 21:31:18 -0000
Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12)
  by minotaur-2.apache.org with SMTP; 9 Jan 2004 21:31:18 -0000
Received: (qmail 55203 invoked by uid 500); 9 Jan 2004 21:30:57 -0000
Delivered-To: apmail-ws-axis-user-archive@ws.apache.org
Received: (qmail 55194 invoked by uid 500); 9 Jan 2004 21:30:57 -0000
Mailing-List: contact axis-user-help@ws.apache.org; run by ezmlm
Precedence: bulk
Reply-To: axis-user@ws.apache.org
list-help: <mailto:axis-user-help@ws.apache.org>
list-unsubscribe: <mailto:axis-user-unsubscribe@ws.apache.org>
list-post: <mailto:axis-user@xml.apache.org>
Delivered-To: mailing list axis-user@ws.apache.org
Received: (qmail 55182 invoked from network); 9 Jan 2004 21:30:56 -0000
Message-ID: <20040109213057.55449.qmail@web80410.mail.yahoo.com>
Date: Fri, 9 Jan 2004 13:30:57 -0800 (PST)
From: Shantanu Sen <ssen@pacbell.net>
Subject: Re: question regarding WSDL and WS-Security
To: axis-user@ws.apache.org
In-Reply-To: <4.3.2.7.2.20040109131430.01cad938@franklin.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

Suppose I have a method that I want to expose as a
web-service. I can generate a WSDL that describes the
service end-point, format etc. Supppose I expect that
one or more parameters of this method will be
encrypted , and my service will also return an
encrypted string which I expect the client to decrypt.


How would I go about describing this to the client?
Clearly, I need to supply something more than a WSDL
document to the client. Even if the client has an
underlying infrastructure (e.g. a security gateway) it
needs some sort of information. Does WS-Policy provide
 that? 

Thanks,
Shantanu Sen
--- Ricky Ho <riho@cisco.com> wrote:
> There is a nice separation between application
> processing and 
> infrastructure processing.  WSDL describes the
> former and WS-Policy 
> describe the later.
> 
> If you are writing application code, you shouldn't
> care about WS-Policy 
> (and WS-Security), you only care about WSDL.  The
> underlying infrastructure 
> (e.g. a security gateway) should take care about
> this for you.
> 
> However, it you are writing the intermediary code
> doing infrastructrure 
> processing, then you shouldn't care about WSDL. 
> Instead you should deal 
> with WS-Policy which is a less mature area (you
> probably need to do some 
> proprietary policy exchange handshaking).
> 
> Rgds, Ricky
> 
> At 12:58 PM 1/9/2004 -0800, Shantanu Sen wrote:
> >Please point me to the correct forum if you know
> where
> >I should post this question.
> >
> >As far as I know, currently there is no extension
> in
> >WSDL  for WS-Security. In other words, looking at a
> >WSDL there is no way to figure out if the service
> >expects security information as specified in
> >WS-Security in the header/body of the SOAP
> envelope.
> >
> >If this is true, how does a client know how to send
> >the correct SOAP message to the service i.e. how
> does
> >it know to add the required security info?
> >
> >Thanks for any info regarding this.
> >
> >Shantanu Sen
>