The spec from Microsoft and IBM is now under control from OASIS:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

Oliver

Oliver Wulff
Zürich Versicherungs-Gesellschaft
IA4, CoC Middleware
P.O. Box, 8085 Zürich
Phone: +41- 1 628 58 07
Fax: +41 - 1 623 58 07
E-Mail: mailto:[EMAIL PROTECTED]

[EMAIL PROTECTED] oftware.com
To: [EMAIL PROTECTED]
Cc:
10.01.2004 19:11
Subject: RE: question regarding WSDL and WS-Security
Please reply to axis-user

Take a look at WS-Policy (http://www-106.ibm.com/developerworks/library/ws-polfram/) and WS-SecurityPolicy (http://www-106.ibm.com/developerworks/webservices/library/ws-secpol/). The former defines the framework to add service policy information to the WSDL or UDDI entry of a web service. The latter uses this framework to define the policy related to WS-Security.

Thomas

-----Original Message-----
From: Ricky Ho [mailto:[EMAIL PROTECTED]
Sent: Friday, January 09, 2004 5:00 PM
To: [EMAIL PROTECTED]
Subject: Re: question regarding WSDL and WS-Security

Here is what I'm thinking ...

WSDL Binding has some extensibility with which you can declare which part to encrypt. But I probably will go with another route, described as follows ...

There is a WSDL and WS-Policy; which part is to be encrypted will be described in the WS-Policy. The communication path will look like ...

ClientApp -> ClientSideGateway -> Network -> ServerSideGateway -> ServerApp

ClientApp & ServerApp - care only about WSDL
ClientSideGateway & ServerSideGateway - care only about WS-Policy

Rgds, Ricky

At 01:30 PM 1/9/2004 -0800, Shantanu Sen wrote:
>Suppose I have a method that I want to expose as a web-service. I can
>generate a WSDL that describes the service end-point, format etc.
>Suppose I expect that one or more parameters of this method will be
>encrypted, and my service will also return an
>encrypted string which I expect the client to decrypt.
>
>How would I go about describing this to the client?
>Clearly, I need to supply something more than a WSDL
>document to the client. Even if the client has an
>underlying infrastructure (e.g. a security gateway) it
>needs some sort of information. Does WS-Policy provide
>that?
>
>Thanks,
>Shantanu Sen
>
>--- Ricky Ho <[EMAIL PROTECTED]> wrote:
> > There is a nice separation between application processing and
> > infrastructure processing. WSDL describes the former and WS-Policy
> > describes the latter.
> >
> > If you are writing application code, you shouldn't care about WS-Policy
> > (and WS-Security), you only care about WSDL. The underlying
> > infrastructure (e.g. a security gateway) should take care about
> > this for you.
> >
> > However, if you are writing the intermediary code doing infrastructure
> > processing, then you shouldn't care about WSDL. Instead you should deal
> > with WS-Policy which is a less mature area (you probably need to do some
> > proprietary policy exchange handshaking).
> >
> > Rgds, Ricky
> >
> > At 12:58 PM 1/9/2004 -0800, Shantanu Sen wrote:
> > >Please point me to the correct forum if you know where
> > >I should post this question.
> > >
> > >As far as I know, currently there is no extension in
> > >WSDL for WS-Security. In other words, looking at a
> > >WSDL there is no way to figure out if the service
> > >expects security information as specified in
> > >WS-Security in the header/body of the SOAP envelope.
> > >
> > >If this is true, how does a client know how to send
> > >the correct SOAP message to the service i.e. how does
> > >it know to add the required security info?
> > >
> > >Thanks for any info regarding this.
> > >
> > >Shantanu Sen
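
An added example, not part of the thread or of any project mentioned in it: a sketch of the ServerSideGateway check Ricky describes, where the gateway enforces the encryption requirement without looking at the WSDL. The POLICY dictionary is a constructed stand-in for what a WS-Policy document would convey (it is not WS-SecurityPolicy syntax), and the function name and both sample messages are hypothetical.

```python
# Production gateways should parse untrusted XML with a hardened parser.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"s": SOAP, "wsse": WSSE}

# Constructed stand-in for what the gateway would learn from a WS-Policy document.
POLICY = {"require_security_header": True, "encrypt_body": True}

def violations(envelope_xml, policy=POLICY):
    """Return policy violations for one SOAP message; an empty list means accept."""
    root = ET.fromstring(envelope_xml)
    problems = []
    security = root.find("s:Header/wsse:Security", NS)
    if policy["require_security_header"] and security is None:
        problems.append("missing wsse:Security header")
    if policy["encrypt_body"]:
        body = root.find("s:Body", NS)
        parts = list(body) if body is not None else []
        # Ids the Security header declares as encrypted (xenc:DataReference URI="#id").
        refs = set()
        if security is not None:
            refs = {r.get("URI") for r in security.iter(f"{{{XENC}}}DataReference")}
        if not parts:
            problems.append("empty Body")
        for part in parts:
            # A cleartext element beside an encrypted one still leaks data.
            if part.tag != f"{{{XENC}}}EncryptedData":
                problems.append("cleartext Body element: " + part.tag.split("}")[-1])
            elif "#" + part.get("Id", "") not in refs:
                problems.append("EncryptedData not referenced from Security header")
    return problems

# Constructed sample messages (the cipher value is a placeholder, not real ciphertext).
CLEAR = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body>
  <getQuote><symbol>EXAMPLE</symbol></getQuote></s:Body></s:Envelope>"""
PROTECTED = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
  <s:Header><wsse:Security><xenc:ReferenceList>
    <xenc:DataReference URI="#enc1"/></xenc:ReferenceList></wsse:Security></s:Header>
  <s:Body><xenc:EncryptedData Id="enc1"><xenc:CipherData>
    <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for name, msg in (("clear", CLEAR), ("protected", PROTECTED)):
        print(name, violations(msg) or "accepted")
```

The check only inspects message structure; decrypting the body and validating keys would follow in the same gateway before the request reaches ServerApp.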