Thanks Nandana.

I'll explain the requirement better.

1) A request comes in with a wsse:Security header and a wsu:Timestamp.
Then our services.xml has a wsp:Policy that has SignedParts (Timestamp &
Body).
2) We want to be able to evaluate that request for content and report on
it. In the case where no Timestamp is provided we would say so in our
report.
3) Due to our services.xml file, Rampart evaluates the request first and
throws a fault.
4) We need to be able to evaluate that request. We want to use the
wsp:Policy in the services.xml to apply message level security to our
outbound response only.

Currently our handler is after the RMPhase. Is one option that we move
up our custom handler in axis2 before Security?

I hope that helps.  

-----Original Message-----
From: Nandana Mihindukulasooriya [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 12:48 AM
To: [email protected]
Subject: Re: Rampart 1.4 for axis2 InFlow only

> We need to be able to bypass rampart security during the InFlow phase
> only.  This is due to the fact that we are grading requests based on a
> certain criteria.  If the request is missing a signed part then we
> want to know that.  With the current rampart module (1.4) it rejects
> the request out of hand.
>

We can configure message level security so that only the out messages
will be secured. But from the above content, it seems that is not what
you want. If I understood correctly, your incoming messages will carry
security information, but you don't need Rampart to validate it? If
you want this to happen when there are signature failures / decryption
failures, then that is not possible. But if you want this to happen for
policy validations such as a missing signed part, then it is possible with
Rampart using a custom policy validator. Which one of the above is your
requirement?



> What are my options to have the service only activate signing and
> encrypting during OutFlow only?  I have searched axis2 as well but I
> figured someone using Rampart may have run into this before.  I can
> think of one option which is to modify the Rampart module's module.xml
> file and remove InFlow.  But that can't be ideal.
>

Are you doing security validation by yourself? So are you using a handler
or are you doing this at the service? As the security header is a
must-understand header, someone needs to process it before it reaches the
message receiver; otherwise you will get a must-understand failure.

thanks,
nandana

--
Nandana Mihindukulasooriya
WSO2 inc.

http://nandana83.blogspot.com/
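
The content check described in points 1) and 2) above, sketched as an added example that is not part of the original thread and is not Rampart or Axis2 code. It assumes SOAP 1.1 and WS-Security 1.0 namespaces; `grade_request` and `sample_envelope` are hypothetical names and the envelopes are constructed samples.

```python
import xml.etree.ElementTree as ET

# Standard SOAP 1.1, WS-Security 1.0 and XML-DSig namespaces (assumed versions).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def grade_request(envelope_xml):
    """Report which SignedParts (Timestamp, Body) a request declares.
    Structural check only: it does not verify the signature value."""
    if "<!DOCTYPE" in envelope_xml:  # SOAP forbids DTDs; refuse entity tricks
        raise ValueError("DTD not allowed in SOAP message")
    root = ET.fromstring(envelope_xml)
    report = {"security_header": False, "timestamp_present": False,
              "timestamp_signed": False, "body_signed": False}
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return report
    report["security_header"] = True
    # Same-document references (#id) listed in ds:SignedInfo.
    signed_ids = {ref.get("URI", "")[1:]
                  for ref in security.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS)
                  if ref.get("URI", "").startswith("#")}
    timestamp = security.find("wsu:Timestamp", NS)
    body = root.find("soap:Body", NS)
    report["timestamp_present"] = timestamp is not None
    report["timestamp_signed"] = timestamp is not None and timestamp.get(WSU_ID) in signed_ids
    report["body_signed"] = body is not None and body.get(WSU_ID) in signed_ids
    return report

def sample_envelope(with_timestamp):
    """Constructed sample request (not a captured message; signature values omitted)."""
    ts = ('<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2008-07-22T00:00:00Z'
          '</wsu:Created></wsu:Timestamp>') if with_timestamp else ""
    ts_ref = '<ds:Reference URI="#TS-1"/>' if with_timestamp else ""
    return ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
            'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s"><soap:Header><wsse:Security>'
            % NS + ts + '<ds:Signature><ds:SignedInfo>' + ts_ref +
            '<ds:Reference URI="#Body-1"/></ds:SignedInfo></ds:Signature>'
            '</wsse:Security></soap:Header><soap:Body wsu:Id="Body-1"/></soap:Envelope>')

if __name__ == "__main__":
    for flag in (True, False):
        print(grade_request(sample_envelope(flag)))
```

A report like this only says what the message claims to have signed; whether the signature actually verifies still has to be decided by a real WS-Security implementation before the request is trusted.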
