Hi Chris,

Dropping the <sp:HttpsToken/> from the policy and exposing the web
service over HTTP will do the trick, but it is not advisable. So
you are sending the plain text password over HTTP. Someone can easily
capture the password in transit.

<wsp:Policy wsu:Id="UTOverTransport"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
  <wsp:All>
    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:TransportToken>
          <wsp:Policy>
            <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
          </wsp:Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic256/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
          <wsp:Policy>
            <sp:Lax/>
          </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>
      </wsp:Policy>
    </sp:TransportBinding>
    <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
      </wsp:Policy>
    </sp:SignedSupportingTokens>
  </wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

Thanks,
Nandana




On Nov 29, 2007 6:41 PM, Christian Mielke <[EMAIL PROTECTED]> wrote:

> Hi, I want to use Username-Authentication for my webservice with the use of
> policies. The policy sample1 in Rampart uses username but also HTTPS. How
> must I change the policy so HTTPS won't be used, only HTTP?
> Greetings
> Chris
>
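
A check for the condition this thread describes, added here as an example that is not part of the original e-mail or of Rampart: it parses a WS-SecurityPolicy document and reports every policy alternative that asks for a UsernameToken while its TransportBinding carries no HttpsToken. The helper `audit_policy`, the finding strings and the sample policies (constructed from the policy above) are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs copied from the policy in this thread.
NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
}

# Constructed sample: a trimmed version of the policy above, with a slot
# for the content of the transport token.
TEMPLATE = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
 <wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy>
   <sp:TransportToken><wsp:Policy>{token}</wsp:Policy></sp:TransportToken>
  </wsp:Policy></sp:TransportBinding>
  <sp:SignedSupportingTokens><wsp:Policy>
   <sp:UsernameToken/>
  </wsp:Policy></sp:SignedSupportingTokens>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""
HTTPS = '<sp:HttpsToken RequireClientCertificate="false"/>'
WEAK = TEMPLATE.format(token="<!-- " + HTTPS + " -->")  # as posted in the reply
STRONG = TEMPLATE.format(token=HTTPS)                   # HTTPS still required


def audit_policy(policy_xml):
    """Return (alternative_number, finding) tuples; hypothetical helper."""
    root = ET.fromstring(policy_xml)  # the default parser discards comments
    findings = []
    # Each wsp:All is one alternative a client may pick, so each is checked
    # on its own; a compact policy without wsp:All is treated as one.
    alternatives = root.findall(".//wsp:All", NS) or [root]
    for number, alt in enumerate(alternatives, 1):
        bindings = alt.findall(".//sp:TransportBinding", NS)
        https = any(
            token.find(".//sp:HttpsToken", NS) is not None
            for binding in bindings
            for token in binding.findall(".//sp:TransportToken", NS)
        )
        if bindings and not https:
            findings.append((number, "TransportBinding without HttpsToken"))
            if alt.find(".//sp:UsernameToken", NS) is not None:
                findings.append((number, "UsernameToken sent without HTTPS"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_policy(policy))
```

Because the parser discards XML comments, an HttpsToken that is only commented out counts as absent.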
