On 08/25/2010 06:31 AM, Daniel Kulp wrote:
> On Tuesday 24 August 2010 8:59:37 am Dennis Sosnoski wrote:
>
>> I'm trying some samples of effective policies combining multiple levels
>> of attachment in the WSDL. It looks like it works fine when I attach at
>> the wsdl:binding level and wsdl:binding/operation level, but not at the
>> wsdl:binding/operation/input|output level. Is message-level policy
>> attachment not supported by CXF?
>>
> It LOOKS like it should work. Looking at the code where it calculates the
> policy, I see:
>     policy = policy.merge(engine.getAggregatedOperationPolicy(boi));
>     if (null != bmi) {
>         policy = policy.merge(engine.getAggregatedMessagePolicy(bmi));
>     }
> so it looks like it should be merging in the message level policy. Thus, if
> it's not working, file a bug with a test case. It might be in the
> WSDLServiceBuilder or similar. It might not be saving the policy on the
> message level. Not really sure.
>

After more investigation, it looks like what's happening is that the
UsernameToken *is* being sent, but in encrypted form. I'm not sure if
that's correct or not.

I have the UsernameToken in the policy as a SupportingToken. WS-SP says
this about that:

/The supporting tokens can be added to any SOAP message and do not
require any protection (signature or encryption) to be applied to the
message before they are added. More specifically there is no requirement
on "message signature" being present before the supporting tokens are
added. However it is RECOMMENDED to employ underlying protection
mechanism to ensure that the supporting tokens are cryptographically
bound to the message during the transmission./

So does this mean that if encryption is possible the stack should
automatically encrypt the token anyway? I don't know. Any opinions?

In any case, it's nothing to do with attachment points - I get the same
result when I only use a single combined policy.

- Dennis
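
One way to check a captured message for the behaviour described above, as an added example that is not part of the original thread or of CXF's code: it reports whether the Security header carries a plaintext wsse:UsernameToken or an xenc:EncryptedData element in its place. The function name, the state strings and the sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, parse with defusedxml instead

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


def username_token_state(message):
    """Classify how a UsernameToken appears in a captured SOAP message."""
    root = ET.fromstring(message)
    # Search by the WS-Security namespace only, so SOAP 1.1 and 1.2 envelopes both work.
    security = next(root.iter(f"{{{WSSE}}}Security"), None)
    if security is None:
        return "no-security-header"
    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is not None:
        pw = token.find(f"{{{WSSE}}}Password")
        if pw is None:
            return "cleartext-token-no-password"
        # The UsernameToken profile treats a missing Type as PasswordText.
        digest = pw.get("Type", "").endswith("#PasswordDigest")
        return "cleartext-token-digest" if digest else "cleartext-token-password"
    # An encrypted token is replaced in place by xenc:EncryptedData; the name of
    # the plaintext element cannot be recovered without the decryption key.
    for enc in security.findall(f"{{{XENC}}}EncryptedData"):
        if enc.get("Type") == XENC + "Element":
            return "encrypted-element-in-header"
    return "no-token"


def _envelope(security_children):
    # Constructed sample envelope, not a real capture.
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">'
            f'<soap:Header><wsse:Security>{security_children}</wsse:Security></soap:Header>'
            f'<soap:Body/></soap:Envelope>')


CLEAR = _envelope('<wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
                  '<wsse:Password>example-only</wsse:Password></wsse:UsernameToken>')
ENCRYPTED = _envelope(f'<xenc:EncryptedData Type="{XENC}Element">'
                      '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue>'
                      '</xenc:CipherData></xenc:EncryptedData>')
EMPTY = _envelope('')

if __name__ == "__main__":
    for name, msg in [("clear", CLEAR), ("encrypted", ENCRYPTED), ("empty", EMPTY)]:
        print(name, username_token_state(msg))
```

A result of "encrypted-element-in-header" only shows that some element inside the Security header was encrypted; confirming that it is the UsernameToken requires decrypting it or comparing against the same request sent without the encryption assertions.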