cxf-dev mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: WS-SecurityPolicy in CXF 2.1.x, or just 2.2?
Date Tue, 14 Oct 2008 14:20:35 GMT

Glen,

See:
http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html

Particularly the section entitled:
WS-SecurityPolicy Interoperability Guidelines

"As a result, Microsoft .NET 3.0 encrypts the UsernameToken in the 
<sp:SignedSupportingTokens> policy assertion. If you use the 
<sp:SignedSupportingTokens> policy assertion without encrypting the 
UsernameToken, the WebLogic Server and .NET Web Services will not 
interoperate."


Dan



On Monday 13 October 2008 9:52:33 pm Glen Mazza wrote:
> dkulp wrote:
> >> I would
> >> next like to test out the WS-SecurityPolicy configuration that Dan has
> >> done.  Is it supported only on the CXF 2.2 branch or both 2.1.x and
> >> 2.2?
> >
> > Just 2.2.   It's very "unstable" right now as I kind of move things
> > around to get it working.   Right now, there is pretty much no error
> > handling (it likely will just printStackTrace and continue with
> > unpredictable results), I'll probably refactor the sending into 3 (or
> > more) interceptors, and the incoming messages are currently not
> > validated against the policies.  Basically, there is still much work to
> > do, but it's at a state where the basic usecases are working.  The MS
> > InteropFest usecases are now working (except the UsernameToken stuff,
> > and I'm not sure why yet.  Seems MS wants those encrypted, even if the
> > policy says not to, but I haven't dug into all that yet.  Not having a
> > windows box is slightly hindering that progress.)
>
> By MS wanting messages encrypted, I'm unsure if you mean message-level or
> transport-level encryption.  Regardless, Jiandong Guo of the Metro team has
> written[1] that Metro requires some type of encryption regardless of what
> the policy says.  I suspect it is to help idiot-proof their web service
> stack, i.e., they would rather not support an experienced user who has the
> rare requirement for unencrypted username/password tokens in order to keep
> the system solid for the tons of newbies who might otherwise forget to
> encrypt their SOAP messages.
>
> Glen
>
> [1]
> http://www.nabble.com/Re%3A-How-to-implement-WS-Security-with-UsernameToken-on-plain-HTTP-transport-p19445662.html



-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
