Hi Dobri,

Comments are interleaved.

> So why are you saying the following:
>
>> "In your case, you don't have any signed parts or signed elements defined. But
>> the policy states to include the time stamp, and the time stamp will be signed using
>> the client's certificate. As the policy states IncludeToken="
>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
>> in the recipient token, the binary token will be included in the SOAP request."
>
> Why do I need to have something signed in order to transfer the X509 cert?

You really don't need to sign anything to transfer the certificate. You can set the IncludeToken attribute correctly and send the security token. But on the server side, when we look for the encryption user, if the property is set to "useReqSigCert" what we look for is the certificate that was used to sign the request.

> Can you explain it more precisely? Where can I read about that (e.g. articles etc.; I have not found any good resources about that)?

I got the point exactly when I was going through the code, in the RampartUtil class, in getReqSigCert():

```java
// Fragment of RampartUtil.getReqSigCert(); rResult is the WSHandlerResult
// for the inbound request. Imports needed by the fragment:
import java.security.cert.X509Certificate;
import java.util.Vector;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;

Vector wsSecEngineResults = rResult.getResults();
/*
 * Scan the results for the first Signature action. Use the
 * certificate of this Signature to set the certificate for the
 * encryption action :-).
 */
for (int j = 0; j < wsSecEngineResults.size(); j++) {
    WSSecurityEngineResult wser = (WSSecurityEngineResult) wsSecEngineResults.get(j);
    // Which WS-Security action produced this result (timestamp, BST, signature, ...)
    Integer actInt = (Integer) wser.get(WSSecurityEngineResult.TAG_ACTION);
    if (actInt.intValue() == WSConstants.SIGN) {
        // Only a Signature result carries the certificate we want:
        // the one whose private key signed the request.
        return (X509Certificate) wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    }
}
// If no Signature action is found, the loop completes without returning a certificate.
```

As you can see, with actInt.intValue() == WSConstants.SIGN, we look for the signed parts of the message and get the certificate used to sign. IMHO, I think this is logical, as the user has to sign something and he authenticates himself by signing it with his private key.
If what you really need is to deal with anonymous clients, you can use a symmetric binding with derived keys, so you don't need a client certificate and can still use the server's X509 certificate to derive keys and use those derived keys to sign and encrypt both the request and the response message.

Regards,
Nandana
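The behaviour Nandana describes, as an added model that is not Rampart's or WSS4J's code: the server walks the engine results of the inbound request and encrypts the response to whichever certificate produced the first Signature result, ignoring a BinarySecurityToken that was merely included. The result records, action names, subject names and the keystore below are constructed stand-ins (in WSS4J the actions are int constants and the certificate is an X509Certificate object), and the error raised for an unsigned request is this model's choice of how to fail, not a claim about Rampart's exact behaviour.

```python
"""
Added example (not Rampart's code): what "encryptionUser=useReqSigCert"
makes the server do with the security-engine results of an inbound request.
All results, names and the keystore are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Stand-ins for the WSS4J action constants reported per processed header element.
BST = "BinarySecurityToken"   # <wsse:BinarySecurityToken> present in the header
TIMESTAMP = "Timestamp"       # <wsu:Timestamp> present
SIGN = "Signature"            # <ds:Signature> verified
ENCR = "Encrypt"              # <xenc:EncryptedData> decrypted


@dataclass
class EngineResult:
    """Constructed stand-in for WSSecurityEngineResult: one entry per processed element."""
    action: str
    certificate: Optional[str] = None   # subject name stands in for the X509Certificate


class NoRequestSignature(Exception):
    """Raised (in this model) when useReqSigCert is set but the request was not signed."""


def get_req_sig_cert(results: List[EngineResult]) -> Optional[str]:
    """Mirror of the scan in RampartUtil.getReqSigCert(): the certificate behind the
    FIRST Signature action is returned; BST, Timestamp and later results are ignored."""
    for result in results:
        if result.action == SIGN:
            return result.certificate
    return None


def pick_response_encryption_cert(results: List[EngineResult],
                                  encryption_user: str,
                                  keystore: dict) -> str:
    """Decide which certificate encrypts the response.
    'useReqSigCert': whoever proved possession of a private key by signing the
    request gets the response encrypted to that key.  Anything else is treated
    as an alias in the (constructed) keystore."""
    if encryption_user == "useReqSigCert":
        cert = get_req_sig_cert(results)
        if cert is None:
            # The BST may well be in the header, but an unsigned request proves
            # nothing about who sent it, so there is no certificate to encrypt to.
            raise NoRequestSignature(
                "encryptionUser=useReqSigCert but the request carries no Signature; "
                "including the BinarySecurityToken alone is not enough")
        return cert
    return keystore[encryption_user]


# Constructed header-processing results for three inbound requests.
# 1. Token included (IncludeToken=AlwaysToRecipient), timestamp present, nothing signed.
UNSIGNED = [EngineResult(BST, "CN=Dobri"), EngineResult(TIMESTAMP)]
# 2. Same, but the timestamp is signed with the client's key.
SIGNED = [EngineResult(BST, "CN=Dobri"), EngineResult(TIMESTAMP),
          EngineResult(SIGN, "CN=Dobri")]
# 3. Two signatures, an intermediary's before the client's: the first one wins.
DOUBLE_SIGNED = [EngineResult(SIGN, "CN=Gateway"), EngineResult(TIMESTAMP),
                 EngineResult(SIGN, "CN=Dobri")]

KEYSTORE = {"service": "CN=Service"}   # constructed alias -> certificate map


def demo() -> dict:
    """Run the cases and report what the server would encrypt the response to."""
    out = {}
    for name, results in (("unsigned", UNSIGNED), ("signed", SIGNED),
                          ("double_signed", DOUBLE_SIGNED)):
        try:
            out[name] = pick_response_encryption_cert(results, "useReqSigCert", KEYSTORE)
        except NoRequestSignature as e:
            out[name] = "ERROR: " + str(e)
    # A fixed alias works regardless of whether the request was signed.
    out["unsigned_fixed_alias"] = pick_response_encryption_cert(UNSIGNED, "service", KEYSTORE)
    return out


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22s} -> {decision}")
```

The "double_signed" case is the caveat worth remembering from the comment in the real code: the scan stops at the first Signature action, so if anything other than the client signs earlier in the header, the response is encrypted to that signer's certificate, not the client's.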
