Hi Nate,

> My goal is to allow access to my service only to those clients who possess a
> certificate that I issued (using a self-signed CA certificate.)

Yes, this is possible. As you are already trying to do, in the security policy specify the requirement that incoming SOAP messages have to be signed, so only a client possessing a valid certificate can consume the service.

> I also require that the client submit some unique ID -- preferably their
> encryptionUser (the name that I originally created when issuing the client's
> certificate.) I used the information found on this page to create my
> certificates: http://wso2.org/library/174

This can be easily done too. An X.509 certificate contains a lot of unique properties [1]. You can use one of them as the unique ID, for example the thumbprint value, issuer serial, etc.

> My final requirement is to retrieve the IP address of the connecting client.

Take a look at the KB article [2].

> I have tried several different forms of policy.xml, but I've become
> confused. I don't understand exactly what tags enforce a signature.

The SignedParts assertion can be used to sign the body and the headers. If you want to sign arbitrary elements, then you can use the SignedElements assertion.

> I've been reading ws-securitypolicy.pdf (2005, v1.1) but I don't completely
> understand it. What does the OnlySignEntireHeadersAndBody assertion do?

If that property is true, we only sign the entire headers and body, and we don't sign arbitrary elements inside them. Take a look at the article [3].

> How can I require a signature?

Use a SignedParts or SignedElements assertion according to your requirement.

> How can I pass the encryptionUser rather than some arbitrarily-named user
> token?

I think it is better to use the properties in the certificate used to sign the message to uniquely identify the client.

> How can I obtain the client's IP address?

Take a look at the KB - [2]

thanks,
/nandana

[1] - http://en.wikipedia.org/wiki/X.509
[2] - http://wso2.org/library/480
[3] - http://wso2.org/library/3132

http://nandana83.blogspot.com/
http://nandanasm.wordpress.com/
