cxf-dev mailing list archives

From Daniel Kulp
Subject Re: WS-SecurityPolicy in CXF 2.1.x, or just 2.2?
Date Tue, 14 Oct 2008 14:20:35 GMT



Particularly the section entitled:
WS-SecurityPolicy Interoperability Guidelines

"As a result, Microsoft .NET 3.0 encrypts the UsernameToken in the 
<sp:SignedSupportingTokens> policy assertion. If you use the 
<sp:SignedSupportingTokens> policy assertion without encrypting the 
UsernameToken, the WebLogic Server and .NET Web Services will not 


On Monday 13 October 2008 9:52:33 pm Glen Mazza wrote:
> dkulp wrote:
> >> I would
> >> next like to test out the WS-SecurityPolicy configuration that Dan has
> >> done.  Is it supported only on the CXF 2.2 branch or both 2.1.x and
> >> 2.2?
> >
> > Just 2.2.   It's very "unstable" right now as I kind of move things
> > around to get it working.   Right now, there is pretty much no error
> > handling (it likely will just printStackTrace and continue with
> > unpredictable results), I'll probably refactor the sending into 3 (or
> > more) interceptors, and the incoming messages are currently not
> > validated against the policies.  Basically, there is still much work to
> > do, but it's at a state where the basic usecases are working.  The MS
> > InteropFest usecases are now working (except the UsernameToken stuff,
> > and I'm not sure why yet.  Seems MS wants those encrypted, even if the
> > policy says not to, but I haven't dug into all that yet.  Not having a
> > windows box is slightly hindering that progress.)
> By MS wanting messages encrypted, I'm unsure if you mean message-level or
> transport-level encryption.  Regardless, Jiandong Guo of the Metro team has
> written[1] that Metro requires some type of encryption regardless of what
> the policy says.  I suspect it is to help idiot-proof their web service
> stack, i.e., they would rather not support an experienced user who has the
> rare requirement for unencrypted username/password tokens in order to keep
> the system solid for the tons of newbies who might otherwise forget to
> encrypt their SOAP messages.
> Glen
> [1]

Daniel Kulp
