Thanks a lot for the hint.

Greetings 
Chris

----- Original Message --------

Subject: Re: Rampart Policy Sample 1 without SSL
Sent: Fri, 30 Nov 2007
From: Nandana Mihindukulasooriya <[EMAIL PROTECTED]>

> Hi Chris,
> dropping the <sp:HttpsToken/> from the policy and exposing the web
> service in HTTP will do the trick, but it is not advisable. So
> you are sending the plain text password over HTTP. Someone can easily
> capture the password in transit.
> 
> <wsp:Policy wsu:Id="UTOverTransport"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <wsp:ExactlyOne>
>   <wsp:All>
>     <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>       <wsp:Policy>
>         <sp:TransportToken>
>           <wsp:Policy>
>             <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
>           </wsp:Policy>
>         </sp:TransportToken>
>         <sp:AlgorithmSuite>
>           <wsp:Policy>
>             <sp:Basic256/>
>           </wsp:Policy>
>         </sp:AlgorithmSuite>
>         <sp:Layout>
>           <wsp:Policy>
>             <sp:Lax/>
>           </wsp:Policy>
>         </sp:Layout>
>         <sp:IncludeTimestamp/>
>       </wsp:Policy>
>     </sp:TransportBinding>
>     <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>       <wsp:Policy>
>         <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>       </wsp:Policy>
>     </sp:SignedSupportingTokens>
>   </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> 
> Thanks,
> Nandana
> 
> 
> 
> 
> On Nov 29, 2007 6:41 PM, Christian Mielke <[EMAIL PROTECTED]> wrote:
> 
> > Hi, I want to use Username-Authentication for my webservice with the use of
> > policies. The policy sample1 in Rampart uses username but also HTTPS. How
> > must I change the policy so HTTPS won't be used, only HTTP?
> > Greetings
> > Chris
> >
> 

--- End of original message ----
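
The risk described in the quoted reply can be checked mechanically before a policy is deployed. The following is an added example, not part of the original thread or of Rampart's code: a Python check that flags a policy requiring a UsernameToken whose TransportToken carries no HttpsToken. The function name `audit_policy` and the reduced sample policies are assumptions, and only a single-alternative transport-binding policy is assessed.

```python
import xml.etree.ElementTree as ET

SP = "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}"

# Constructed sample: the policy from the message above, reduced to the parts
# the check looks at. The HttpsToken assertion is commented out, as in the post.
HTTP_POLICY = """
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy>
        <!-- <sp:HttpsToken RequireClientCertificate="false"/> -->
      </wsp:Policy></sp:TransportToken>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:TransportBinding>
    <sp:SignedSupportingTokens><wsp:Policy>
      <sp:UsernameToken/>
    </wsp:Policy></sp:SignedSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
"""
# Constructed counterpart: the same policy with the assertion restored.
HTTPS_POLICY = HTTP_POLICY.replace(
    '<!-- <sp:HttpsToken RequireClientCertificate="false"/> -->',
    '<sp:HttpsToken RequireClientCertificate="false"/>')


def audit_policy(policy_xml):
    """Return findings for a policy that requires a UsernameToken.

    Only the transport-binding case from the thread is assessed; policies with
    a symmetric or asymmetric (message-level) binding are not judged here.
    """
    root = ET.fromstring(policy_xml)  # the parser drops XML comments
    if root.find(f".//{SP}UsernameToken") is None:
        return []
    for binding in ("SymmetricBinding", "AsymmetricBinding"):
        if root.find(f".//{SP}{binding}") is not None:
            return []
    # An HttpsToken only counts when it sits inside sp:TransportToken.
    https = [h for tt in root.iter(f"{SP}TransportToken")
             for h in tt.iter(f"{SP}HttpsToken")]
    if https:
        return []
    return ["UsernameToken required but no sp:HttpsToken in sp:TransportToken: "
            "the password travels in clear text over HTTP"]
```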
