cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glen Mazza <>
Subject Re: Server Response Policy
Date Thu, 07 Aug 2008 23:48:27 GMT

Fred Dushin-3 wrote:
> But regardless, should the effective policy on the response be the  
> same as the effective policy on the request?  Or should policy  
> assertion implementors code their interceptors to handle the response  
> chain, as well as the request?

Does WS-SecurityPolicy have to anything to say for this--how to configure
request and response rules differently?  

I'm not sure I'm understanding you correctly.  If you're saying should the
security (or other WS-*) rules be the same on both the request and
response--I don't think so.  I could imagine a service requiring a signature
and/or encryption or username/passwords but the client not requiring it on
the response.  Kind of how WSS4J configuration works today.

FWIW, Metro maintains policies both client- and service-side, with differing
information and rules.  However, the client does read the service WSDL to
see security requirements for the request (I think the service provider
reads its own WSDL though to see what it needs to do for the response--the
client-side policy really just has username/password or client cert info.)


View this message in context:
Sent from the cxf-dev mailing list archive at

View raw message