That is generally true. I would much rather sign the messages using a PKI, but it looks like signing with the UT is a concept that has been popularized by .NET's WSE and that is the model that is used by the specification I am implementing.
As far as I can tell, WSS4J supports this via the WsConstants.UT_SIGN and WsHandlerConstants.SIGN_WITH_UT_KEY actions. I was hoping that CXF was able to support this extension of the standard. If that is not the case then I'm going to have to roll my own solution. -Steve On Wed, 2008-08-27 at 23:34 -0700, Glen Mazza wrote: > Your premise seems bad. You sign messages with a private key, not a > username. > > http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the > > Glen
