cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rhenius, Karl Stefan" <...@mach.de>
Subject RE: cfx and policy alternatives
Date Fri, 25 Feb 2011 13:25:53 GMT
Hi Sergey

> To me this policy reads:
> 
> Ensure the message satisfies both SecureConversation and 
> UsernameToken policies at the same time, because <wsp:ExactlyOne>
>       <SecureConversation>
>       <UsernameToken>
> </wsp:ExactlyOne>
> 
> is equivalent to
> 
> <wsp:ExactlyOne>
>   <wsp:All>
>       <SecureConversation>
>       <UsernameToken>
>   <wsp:All>
> </wsp:ExactlyOne>

Are you sure, that this is equivalent? In the WS-SecurityPolicy spec are
examples, that imply <wsp:ExactlyOne> choses one of the direct childs,
so <wsp:all> is used to combine multiple policies. But nevertheless, I
wrapped each in a <wsp:all>.

> Indeed. Sorry if I don't understand, but the way you 
> described the flow sounded like the one which would be 
> validated by this policy, that is, the first message is 
> starting SecConversation flow, no UT, and the subsequent 
> messages will be validated by the 2nd alternative where both 
> SecConversation and UT assertions are available....
> 
> Your original policy:
> [...]
> 
> is actually equivalent to two alternatives (because of embedded
> wsp:Alls) : either SecureConversation only or UT only, it 
> does not express the requirement that UT messages should be 
> part of the SecConversation flow.

thats exactly what I'd like to have - SecureConversation only or UT
only.

I hope this makes it clearer :)

cheers
Karl

Mime
View raw message