On Wednesday, September 28, 2011 10:41:10 AM Penmatsa, Vinay wrote:
> Hi Colm,
> Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but
> I was wondering why when I use "SignedSupportingTokens", the message is
> automatically encrypted too instead of only signed.

Compatibility with MS and Weblogic and a few others. Despite it being only 
"SignedSupportingTokens", they will refuse to accept Username tokens if the 
data is not encrypted. It can either be via encrypting the element or by 
using some sort of secure transport (like HTTPS).

Dan



> 
> Regards,
> Vinay
> 
> 
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Wednesday, September 28, 2011 4:24 AM
> To: [email protected]
> Subject: Re: Signature only in policy for Username Token
> 
> You can set the following jax-ws property
> "ws-security.username-token.always.encrypted" to "false". See the
> "ALWAYS_ENCRYPT_UT" variable here:
> 
> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
> 
> Why would you want to send an unencrypted UsernameToken across the
> wire? An eavesdropper could just harvest the username/password.
> 
> Colm.
> 
> On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay <[email protected]> wrote:
> > Hi,
> > With the following policy definition, the header is sent encrypted. How
> > can I get the client to only sign and not encrypt?
> > 
> > ------
> > <wsp:Policy wsu:Id="UsernameToken"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:AsymmetricBinding>
> >         <wsp:Policy>
> >           <sp:InitiatorToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >                 <wsp:Policy>
> >                   <sp:WssX509V3Token10/>
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:InitiatorToken>
> >           <sp:RecipientToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >                 <wsp:Policy>
> >                   <sp:WssX509V3Token10/>
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:RecipientToken>
> >           <sp:Layout>
> >             <wsp:Policy>
> >               <sp:Lax/>
> >             </wsp:Policy>
> >           </sp:Layout>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic128/>
> >               <!-- To use the export grade encryption that comes bundled in the JDK,
> >                    comment out the above Basic256 algorithm and uncomment the below
> >                    Basic128. -->
> >               <!-- <sp:Basic128/> -->
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >         </wsp:Policy>
> >       </sp:AsymmetricBinding>
> >       <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >         <wsp:Policy>
> >           <sp:MustSupportRefKeyIdentifier/>
> >         </wsp:Policy>
> >       </sp:Wss10>
> >       <sp:SignedSupportingTokens>
> >         <wsp:Policy>
> >           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >             <wsp:Policy>
> >               <sp:WssUsernameToken10/>
> >             </wsp:Policy>
> >           </sp:UsernameToken>
> >         </wsp:Policy>
> >       </sp:SignedSupportingTokens>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> > ---
> > 
> > 
> > Regards,
> > Vinay
-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
Talend - http://www.talend.com
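Added example, not from the thread and not CXF's own code: a small client-side helper that applies Colm's suggestion (set the JAX-WS property "ws-security.username-token.always.encrypted", exposed as SecurityConstants.ALWAYS_ENCRYPT_UT, to "false") so that a UsernameToken declared only under SignedSupportingTokens is signed but not encrypted. Because the token then carries the password in the clear at the message layer, the helper refuses any endpoint that is not HTTPS, which is the "secure transport" alternative Dan mentions. The port object, the endpoint URL, the key alias "clientkey", the file "client-crypto.properties" and the credentials are all assumed or constructed for the example; the other property names are the CXF 2.x SecurityConstants of the period.

```java
import java.util.Map;

import javax.xml.ws.BindingProvider;

import org.apache.cxf.ws.security.SecurityConstants;

/**
 * Configures a CXF JAX-WS client proxy so that a SignedSupportingTokens
 * UsernameToken is signed only (not additionally encrypted), and insists on
 * TLS because the token is otherwise readable on the wire.
 */
public final class SignedOnlyUsernameTokenClient {

    private SignedOnlyUsernameTokenClient() {
    }

    /**
     * @param port            proxy obtained from a generated JAX-WS Service stub (assumed)
     * @param endpointAddress service URL; must use https:// (assumed value supplied by caller)
     * @param username        value placed in the UsernameToken
     * @param password        value placed in the UsernameToken
     */
    public static void configure(Object port, String endpointAddress,
                                 String username, String password) {
        if (!endpointAddress.toLowerCase().startsWith("https://")) {
            // A signed-but-unencrypted UsernameToken would expose the password to
            // anyone on the path, so refuse to send it over plain HTTP.
            throw new IllegalArgumentException(
                "Signed-only UsernameToken requires an https:// endpoint, got: " + endpointAddress);
        }

        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointAddress);

        // Credentials that go into the UsernameToken.
        ctx.put(SecurityConstants.USERNAME, username);
        ctx.put(SecurityConstants.PASSWORD, password);

        // Signature keystore for the AsymmetricBinding initiator token.
        // "clientkey" and "client-crypto.properties" are assumed names.
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, "clientkey");
        ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, "client-crypto.properties");

        // Default is "true": CXF encrypts a signed UsernameToken for interoperability
        // with stacks (e.g. .NET, WebLogic) that reject unencrypted Username tokens.
        // "false" leaves the token signed only, as the policy literally states.
        ctx.put(SecurityConstants.ALWAYS_ENCRYPT_UT, "false");
    }
}
```

Usage is a single call after creating the proxy, for example `SignedOnlyUsernameTokenClient.configure(port, "https://host.example/service", "alice", "changeit")` with constructed sample values. If the peer is one of the stacks Dan describes, leave the property at its default instead and accept the encrypted token; the property only changes what this client sends, not what the server will accept.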
