On 9/27/07, Rich Taylor <[EMAIL PROTECTED]> wrote:
>
> I'm interested in using WS-Security with Ode in the Axis2 distro.  I see
> that Axis2 supports WS-Security via the Rampart project.  Has anyone
> successfully utilized WS-Security with Ode?  I'm interested in using
> WS-Security to secure incoming messages to Ode (receives etc.) as well as
> outgoing messages (invokes).  In particular I'm just interested in the
> UsernameToken profile.


For what it's worth, I haven't heard any success stories yet :)


> If not, how are others securing their processes and calling into secured web
> services from their process?   Do people use proxies for this sort of
> thing?


What I see most is 1) HTTP Authentication and/or 2) passing a (custom)
security token inside the message header or body and doing explicit checks
in the process and in subordinate services.

> I did see the recent security discussion, but 1. I'm wondering how people are
> presently securing their processes and calling secure services and 2. I'm
> not sure I understood what the conclusion was in the end of that thread.


The conclusion for me is that we have a lot of work ahead and we still need
to reconcile our understandings in order to move forward.  I see better
Axis2 integration (deploying services.xml inside the process package) as
being a first step in the right direction since you can then secure your
process without any impact on the process itself (external policy).  The
next step would be to propagate the security context into the process so
it's accessible for further propagation to services.  This is where it gets
interesting because we haven't agreed on how to represent and manipulate the
security context in the process.  There is interest in separating it from
the partnerLink.

alex
