David Illsley wrote:

> Ah, the perennial ws-sec+ws-a problem.
> This is a really complex issue, and unfortunately I don't think it can
> be resolved this simply i.e. what happens if security rejects the ws-a
> headers as invalid?

Then security will throw an exception when the message reaches the security handler.

> There isn't any code to roll-back the ws-a related
> fields in the message context, so suddenly one of the main reasons to
> require signed ws-a headers (preventing your server from being used to
> DoS via ReplyTo) is bypassed.
>
> I think we probably need to split the addressing processing itself
> into 2 parts - the first which provides a guess of the AxisOperation
> based on the To/Action/RelatesTo and the second which does the full
> ws-a processing (after the security handler).

+1

> Do you have a list of use-cases you're trying to support?
> David
>
> On 27/07/07, Deepal jayasinghe <[EMAIL PROTECTED]> wrote:
>
>> In the case of WS-Security there are instances where the only way to
>> dispatch is using addressing, and service and operation must be found
>> before running the security handlers. If you take a transport like SMTP
>> the only way to dispatch is using addressing so we need to run
>> addressing before security.
>>
>> Maybe Ruchith can add some more info to this.
>>
>> Thanks
>> Deepal
>>
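A minimal model of the two-part addressing processing proposed in the thread, added here as an example; it is not Axis2 code and not from either poster. The handler names, the dispatch table and the `signed` set (a stand-in for real signature verification) are assumptions, and phase 1 uses only To/Action for brevity.

```python
from dataclasses import dataclass
from typing import Optional

class SecurityFault(Exception):
    """Raised when the security check rejects the message."""

@dataclass
class MessageContext:
    headers: dict                    # WS-A headers as received (untrusted)
    signed: frozenset                # assumption: names covered by a valid signature
    operation: Optional[str] = None  # provisional until security passes
    reply_to: Optional[str] = None   # set only in phase 2

# Hypothetical dispatch table: (To, Action) -> operation name
OPERATIONS = {("urn:svc:orders", "urn:op:submit"): "submitOrder"}

def addressing_dispatch_hint(ctx):
    """Phase 1, before security: guess the operation, touch nothing else."""
    key = (ctx.headers.get("To"), ctx.headers.get("Action"))
    ctx.operation = OPERATIONS.get(key)
    # ReplyTo/FaultTo are deliberately not copied into the context here.

def security_handler(ctx, required=("To", "Action", "ReplyTo")):
    """Stand-in for WS-Security: every present WS-A header must be signed."""
    unsigned = [h for h in required if h in ctx.headers and h not in ctx.signed]
    if unsigned:
        raise SecurityFault(f"unsigned WS-A headers: {unsigned}")

def addressing_full(ctx):
    """Phase 2, after security: commit reply routing from verified headers."""
    ctx.reply_to = ctx.headers.get("ReplyTo")

def handle(ctx):
    """Return (outcome, destination); a fault never uses an unverified ReplyTo."""
    addressing_dispatch_hint(ctx)
    try:
        security_handler(ctx)
    except SecurityFault:
        ctx.operation = None             # drop the provisional guess too
        return ("fault", ctx.reply_to)   # still None: nothing to roll back
    addressing_full(ctx)
    return (ctx.operation, ctx.reply_to)

if __name__ == "__main__":
    # Constructed sample: ReplyTo present but not covered by the signature.
    hdrs = {"To": "urn:svc:orders", "Action": "urn:op:submit",
            "ReplyTo": "http://third-party.example/"}
    print(handle(MessageContext(hdrs, frozenset({"To", "Action"}))))
```

Because phase 1 never writes ReplyTo into the context, a rejected message leaves no addressing state behind that would need rolling back.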
