Just to verify that I understand this correctly: the security policy is only needed if the client does not know what security headers/parameters the service is expecting. The security policy is implemented on the server side and the client gets the "format of security" from the server through a public security policy.
However, if somehow the client already knows the requirements it must add to the SOAP message, then there is no need for a security policy, and it can already directly bind itself to the web service.

P.S. Mind you that I still have a fuzzy idea of what "binding" fully implies.

-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED]
Sent: Tue 7/8/2008 6:18 PM
To: [email protected]
Subject: Re: Newbie Question: Rampart 1.1 versus Rampart 1.0 and WS-Security

Hi Roxanne,

I may not be able to answer all your questions this time, but I will try to answer as much as possible. See my comments in line.

> I'm not quite sure how these two versions fit together. Does 1.1 enhance
> 1.0? Are they two different ways of accomplishing the same tasks?

1.1 enhances 1.0. And these versions are tightly related to Axis2 versions. For example, Rampart 1.3 is tested with Axis2 1.3 and Rampart 1.4 is tested with Axis2 1.4. You can't use Rampart 1.4 with Axis2 1.3 due to API changes in Axis2. So it is better to use the Rampart version which corresponds to your Axis2 version.

> For example...
>
> Looking at the Configuration tags at
> http://ws.apache.org/rampart/rampartconfig-guide.html , I would greatly
> appreciate to have an example explaining what each tag does and every
> possibility that can be used in a tag. The table seems incomplete.
>
> <encryptionCypto>
> ....crypto element ......[What are all the possibilities that can be
> placed here?]
> .........................[What will happen if I just put in a random
> word?]
> </encryptionCypto>

An example crypto element can be found in the signatureCrypto description. The same structure applies to the encryptionCrypto and decryptionCrypto elements.

> If I wanted basic WSS, could I ignore creating a Policy completely?

Depends on your usage. For example, if you use parameter-based configuration, your WSDL will not be annotated with policy. So your clients need to have out-of-band knowledge of the service's security requirements.

> P.S. This might sound stupid, but what is the difference between a user and
> an encryption user?

User is used to provide the username or private key alias. Encryption user is used to provide the key alias of the certificate which should be used for encryption.

thanks,
nandana
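
The distinction between user and encryption user discussed above, shown as a client-side RampartConfig assertion. This is an added example, not part of the original thread or taken from the project's guide; the aliases, keystore file name, callback class name and password placeholder are constructed for illustration.

```xml
<!-- Added example: client-side RampartConfig policy assertion.
     All aliases, file names and the callback class are constructed values. -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">

  <!-- user: the username, or the alias of the client's OWN private key
       in the keystore (the key used when the client signs). -->
  <ramp:user>client</ramp:user>

  <!-- encryptionUser: the alias of the RECIPIENT's certificate, i.e. the
       public key the client encrypts with. Only the service, which holds
       the matching private key, can decrypt. -->
  <ramp:encryptionUser>service</ramp:encryptionUser>

  <!-- Callback that supplies the password for the "client" private key,
       so it is not written into this file. Hypothetical class name. -->
  <ramp:passwordCallbackClass>org.example.PWCBHandler</ramp:passwordCallbackClass>

  <!-- Crypto element: says which keystore holds the "client" key. -->
  <ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">KEYSTORE_PASSWORD_PLACEHOLDER</ramp:property>
    </ramp:crypto>
  </ramp:signatureCrypto>

  <!-- Same structure as signatureCrypto; here it locates the keystore
       containing the "service" certificate named by encryptionUser.
       The element name is spelled as in the question above. -->
  <ramp:encryptionCypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">KEYSTORE_PASSWORD_PLACEHOLDER</ramp:property>
    </ramp:crypto>
  </ramp:encryptionCypto>

</ramp:RampartConfig>
```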
