Hi

On Fri, Feb 25, 2011 at 2:13 PM, Rhenius, Karl Stefan <[email protected]> wrote:
>
>
>> Do you mean you are ok with UT requests which are not part of
>> the SecureConversation flow being accepted as well ?
>
> Yes, they are fine.
>
> CXF should answer to an UT request in plain text and to a
> SecureConversation request in something unreadable.

thanks for the clarifications and your patience :-)

This is what I meant, it could be tricky, though feasible, to figure out dynamically which alternative has to be satisfied, thus I was hoping that explicitly specifying that the UT as part of the flow can be supported can help.

Imagine what CXF does now. You have a SecureConversation policy which probably has a UT assertion embedded in one of its deeply nested sub-policies. And you have a UT policy on its own which allows for exchanges which have nothing to do with the SecCon flow. So we have a message with the UT arriving. The CXF Policy interceptors will iterate over alternatives and decide which interceptors should handle the request. It probably checks the UT policy first and thus selects that policy and thus ignores the SecCon one.

I'm out of my depth by now so let Dan or David V or someone else fix it :-), but to be honest, I'd not try to create a semi kind of secure port which allows for messages with/without SecCon headers. Would it make sense to have two ports for a single service or two services, one supporting a SecCon only and the other supporting plain UTs only ?

Just my 2c

thanks, Sergey

>
> cheers
> Karl
>
