WS-Security is not supported by Flex out of the box. Has anyone tackled this, or if not could someone give a high-level view of how they might accomplish this? I can't seem to create a user in the Adobe forums to post it to find out if this might be added in upcoming support point release???
My thoughts on topic: 1) Manual creation of the SOAP Headers will not work because the token has a set expiration time based on timestamp, username, password. Building that logic up in the client app would expose the credentials in the .swf. 2) Using Axis to create a proxy of the true WS-Secure web service might be viable, but seems dumb to create a web service wrapper for an already exposed web service. Plus, my knowledge on the java side is limited and the googles on Eclipse WTP and doing this haven't yielded much more than a headache. 3) With the FDS Plugin facet for Eclipse WTP in theory I can code both java and mxml / as3 into one. If that is the case could I write a component (SecureWS) to extend mx.rpc.soap.WebService to add the WSS4J functionality I'm after. The user / pass parameters would then be stored as part of the named proxy service on FDS. Everything secure and connective. Also something I'd happily share back to the community if I can get some help on how I'd tackle #3. Thx, Jamie [Thread History] In a previous thread that was in danger of being fragmented, Seth Hodgson wrote, "WSSAddUsernameToken is part of the WSS4J API that implements the OASIS WS-Security spec. The Flex web service stack on the client doesn't currently support WS-Security out of the box, but WS-Security is based on SOAP headers and you could probably build these manually. Perhaps someone on the list has tackled this and has code to share?" It was in response to my question, "One of the next web services I'm looking to integrate uses a username / password to create token via WSSAddUsernameToken. Its package is org.apache.ws.security.message. Or so the co-worker who has built connectivity to that out through J2EE tells me. Each client system connects with it's own user / pass combo. So I believe I should be able to write these into the named proxy web service connection (having issue with that also, put a separate post out for it) on FDS to be secure.