Hi Kaushalye,

I know that Rampart/C is only for SOAP. I mean if someone exposes a
WS-Security enabled service as REST, what would be the behaviour?

Regards,
Senaka

> Senaka Fernando wrote:
>> Hi Kaushalye,
>>
>> Does this mean no-REST with Rampart/C services???
> What are Rampart/C services? If you mean secured services, Apache
> Rampart/C is only for SOAP.
>> That's a big issue I guess. Why isn't it possible to make partially
>> secure services. The whole idea is to meet the requirement of a
>> provider. If he can't partially secure then he would rather drop
>> WS-Security. This won't solve at least some of his expectations.
>> Thoughts??
>>
> What are partially secured services? A service is either secured or
> not. :) The same service cannot be allowed to treat two requests in
> different ways.  For example think about authentication. What's the
> rationale behind allowing one request to add claims and another to not?
> Why would I bother adding username tokens if the service is kind enough
> to pass without them?
> Cheers,
> Kau
>
>> Regards,
>> Senaka
>>
>>
>>> Hi Kaushalye and Supun,
>>>
>>> Thanks for your responses.  So I would think REST calls will also only
>>> work if I am not configuring the service to use rampart, correct?  You
>>> are right that I can define 2 services and leave one open for REST and
>>> other means of security.  The customer will decide what they want based
>>> on where they are deploying their service.
>>>
>>> -Dave.
>>>
>>> -----Original Message-----
>>> From: Kaushalye Kapuruge [mailto:[EMAIL PROTECTED]
>>> Sent: Thursday, February 21, 2008 9:38 PM
>>> To: rampart-c-dev@ws.apache.org
>>> Subject: Re: [RAMPART/C] Question about making the WS-SECURITY optional
>>> from call to call
>>>
>>> Hi,
>>> Having different security requirements for the same endpoint doesn't
>>> make any sense. A service should treat all incoming messages in the
>>> same way.
>>> Saying that, we do not support the operational level security. The
>>> smallest unit of security requirements is for a service. So if you need
>>> to have different security requirements, you need to have different
>>> services. Then again, you have to be careful exposing your business
>>> logic. If a secured service is exposed with another then an attacker
>>> can easily pick the latter. :)
>>> Cheers,
>>> Kau
>>>
>>> Dave Meier wrote:
>>>
>>>> Hi,
>>>>
>>>> I want to support WS-SECURITY on requests coming in to my server, but I
>>>> also want clients to be able to send SOAP requests with no WS-SECURITY
>>>> and provide the userid/password by inserting them into the request as
>>>> regular elements.  I also want my REST calls to work without RAMPART
>>>> doing anything with them.  Is there a way to configure the server this
>>>> way?
>>>>
>>>> So I want to support the following all with one services.xml file:
>>>>
>>>> 1.  SOAP WS-SECURITY requests.
>>>> 2.  SOAP requests with no WS-SECURITY header.
>>>> 3.  REST calls.
>>>>
>>>> Thanks,
>>>>
>>>> -Dave.
>>>>
>>> --
>>> http://blog.kaushalye.org/
>>> http://wso2.org/
>>>
>
> --
> http://blog.kaushalye.org/
> http://wso2.org/