Hi Kaushalye,

Does this mean no-REST with Rampart/C services??? That's a big issue I guess. Why isn't it possible to make partially secure services? The whole idea is to meet the requirement of a provider. If he can't partially secure then he would rather drop WS-Security. This won't solve at least some of his expectations. Thoughts??

Regards,
Senaka

> Hi Kaushalye and Supun,
>
> Thanks for your responses. So I would think REST calls will also only work if I am not configuring the service to use rampart, correct? You are right that I can define 2 services and leave one open for REST and other means of security. The customer will decide what they want based on where they are deploying their service.
>
> -Dave.
>
> -----Original Message-----
> From: Kaushalye Kapuruge [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 21, 2008 9:38 PM
> To: rampart-c-dev@ws.apache.org
> Subject: Re: [RAMPART/C] Question about making the WS-SECURITY optional from call to call
>
> Hi,
> Having different security requirements for the same endpoint doesn't make any sense. A service should treat all incoming messages in the same way.
> Saying that, we do not support the operational level security. The smallest unit of security requirements is for a service. So if you need to have different security requirements, you need to have different services. Then again, you have to be careful exposing your business logic. If a secured service is exposed with another then an attacker can easily pick the latter. :)
> Cheers,
> Kau
>
> Dave Meier wrote:
>> Hi,
>>
>> I want to support WS-SECURITY on request coming in to my server, but I also want clients to be able to send SOAP requests with no WS-SECURITY and provide the userid/password by inserting them into the request as regular elements. I also want my REST calls to work without RAMPART doing anything with them. Is there a way to configure the server this way?
>>
>> So I want to support the following all with one services.xml file:
>>
>> 1. SOAP WS-SECURITY requests.
>> 2. SOAP requests with no WS-SECURITY header.
>> 3. REST calls.
>>
>> Thanks,
>>
>> -Dave.
>
> --
> http://blog.kaushalye.org/
> http://wso2.org/