Hi!
I'm implementing a web service with the following special requirements:
1. login/password for user authentication;
2. GOST 34.10-2001/34.11 [1] algorithms should be used for signature
computation (signature is optional; configured on a per-user basis from
fig. 1).
I considered using WS-SecurityPolicy or WS-Security directly, but there
are pros in both cases:
1. WS-SP:
- easy to make signature optional with wsp:optional attribute;
- not possible to extend the WS-SP declaration to use a new AlgorithmSuite
(GOST);
2. WS-S:
- CXF has an extension point to define a new AlgorithmSuite;
- impossible to configure WSS4JInInterceptor to treat signature as
optional (extending WSS4JInInterceptor may be a solution);
Could it be that I missed some way to extend WS-SP to declare a new
AlgorithmSuite? Or does this spec permit using only the predefined
algorithms declared in [2]?
Or is there a better way to meet my requirements?
WS-S and WS-SP are pretty complex specs to learn in just a few days. I
will be thankful for any insight.
Regards.
-- Vadim
[1] http://en.wikipedia.org/wiki/GOST_%28hash_function%29
[2] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html