Hi Pash,
We can specify the requirement as below:
<wsp:Policy>
* <wsp:ExactlyOne>
<wsp:All> *
* <sp:UsernameToken/>
</wsp:All>
<wsp:All/>
</wsp:ExactlyOne>
* </wsp:Policy**>
or else you can use the Optional attribute of Policy assertions and can
specify the same as:
<wsp:Policy>
<sp:UsernameToken *wsp:Optional="true"*/>
</wsp:Policy>
You can read in more details at WS-Policy[1] and WS-SecurityPolicy[2].
With Regards,
Mayank
[1]. http://www.w3.org/TR/ws-policy/
[2].
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/ws-securitypolicy.html
On Thu, Dec 11, 2008 at 1:13 AM, pashpour <[EMAIL PROTECTED]> wrote:
>
> Dear Mayank,
>
> Thank you for your reply. Do you by any chance know of a simple example
> of how to go about using ws-policy to setup a security policy
> alternative?
>
> -pash
>
>
> Mayank Mishra-2 wrote:
> >
> > pashpour wrote:
> >> Hi folks,
> >>
> >> I wanted to find out if it's possible to make WSS4j username/pass
> >> headers optional. I'm hosting a service where a subset of the hosted
> >> methods
> >> require authentication. Any help would be greatly appreciated.
> >>
> >>
> > Hi Pash,
> >
> > Specifying UsernameToken in the wss4j action, must always seek for
> > username in security headers. But I can see that WSSecurityEngine
> > calling the respective processor for every security element found in the
> > security header. I guess, it must verify the actual incoming request
> > with the expected incoming request. Colm, will be having a better answer.
> > :)
> >
> > If you are going to use CXF 2.2, in which SecurityPolicy is supported,
> > then you can specify the same as policy alternative (security policy
> > alternative), hence any request with or without username will be
> accepted.
> >
> > With Regards,
> > Mayank
> >> Thanks,
> >>
> >> pash
> >>
> >
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/WSS4J-username-pass-optional--tp20930045p20942699.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>
