Hi Michelantonio,
> 1) Do you believe that it is possible to enable a session only if login is true?
If your client sends multiple messages, I think you should consider
using WS Secure Conversation. When using secure conversation, a
security context is created and then that security context is used to
secure the subsequent messages. So the initial context establishment is
analogous to login, and the security context is analogous to a session.
> 2) Must I modify the passwordCallbackClass so that the service retrieves the information
> about the user from the DB?
Yes, you have to modify the password callback class to include the
password retrieval logic.
> 3) Do I need to create a certificate for each client? Does the service need
> all the public keys of all users?
Actually there are two ways you can go ahead. I think the factor that
decides this is whether you want non-repudiation.
If you don't want non-repudiation, you can go ahead without creating
certificates for all the clients:
1.) Messages are encrypted and signed using an encrypted key,
encrypted using the server's certificate.
2.) Client authentication is done via username/password.
If you want non-repudiation, then you will have to create certificates
for each and every client (you actually don't have to create
certificates for them if they already have certificates, but you need
to trust those certificates).
> 4) I don't understand these lines so much...
> <ramp:user>service</ramp:user>
> <ramp:encryptionUser>client</ramp:encryptionUser>
>
<ramp:user/> defines the user alias. This will be used as the username
when creating Username tokens. So the password callback should provide
a password for this id if Username tokens are used. In addition, this
will be used as the alias of the certificate used to sign if
<ramp:userCertAlias/> is not defined. If both <ramp:user/> and
<ramp:userCertAlias/> are defined, then <ramp:user/> will be used to
create Username tokens and <ramp:userCertAlias/> as the signature
certificate alias.
<ramp:encryptionUser> is used to define which certificate must be
used to encrypt the message. On the client side, as we always encrypt
using the service's certificate, we can use the alias of the server's
certificate as <ramp:encryptionUser>. But on the server side, it is
not appropriate to define the encryption user like this, because then the
service will only be able to encrypt messages to a single client. To
overcome that, we can set the <encryptionUser/> to useReqSigCert.
<encryptionUser>useReqSigCert</encryptionUser>
Then the certificate used to sign the incoming SOAP message (the client's
certificate) is used by the service to encrypt the SOAP response
back to the client.
--
Nandana Mihindukulasooriya
Software Engineer
WSO2 inc.
http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
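As an added example (not configuration from the thread or from the Rampart project itself), here are the client-side and service-side RampartConfig fragments that the reply above describes, with the single-client service setting shown beside the useReqSigCert form. The aliases "client" and "service", the callback class names and the keystore values are assumptions chosen for illustration.

```xml
<!-- Constructed example, not from the thread: Rampart config on the CLIENT.
     Aliases "client"/"service", the callback class names and the keystore
     values are assumptions chosen for illustration. -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  <!-- alias used for Username tokens and, since no userCertAlias is set,
       also as the alias of the client's signing certificate -->
  <ramp:user>client</ramp:user>
  <!-- the client always encrypts to the service's certificate, so a fixed
       alias is appropriate here -->
  <ramp:encryptionUser>service</ramp:encryptionUser>
  <!-- supplies the private-key password for alias "client" -->
  <ramp:passwordCallbackClass>org.example.ClientPWCBHandler</ramp:passwordCallbackClass>
  <ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">client-store-pw</ramp:property>
    </ramp:crypto>
  </ramp:signatureCrypto>
</ramp:RampartConfig>

<!-- SERVICE side, WEAK form: a fixed client alias means the service can
     only encrypt responses to that one client. -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  <ramp:user>service</ramp:user>
  <ramp:encryptionUser>client</ramp:encryptionUser>
  <ramp:passwordCallbackClass>org.example.ServicePWCBHandler</ramp:passwordCallbackClass>
</ramp:RampartConfig>

<!-- SERVICE side, CORRECTED form: useReqSigCert tells Rampart to encrypt
     the response with whichever certificate signed the incoming request,
     so every trusted client receives a response it can decrypt. -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  <ramp:user>service</ramp:user>
  <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
  <ramp:passwordCallbackClass>org.example.ServicePWCBHandler</ramp:passwordCallbackClass>
  <!-- the service's crypto configuration (omitted here) must trust the
       clients' certificates; this is where the "you need to trust those
       certificates" step from the reply is carried out -->
</ramp:RampartConfig>
```

The client fragment is the non-repudiation variant (each client signs with its own certificate); with the username/password variant the service would not have a client signing certificate to look up, so useReqSigCert does not apply there.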