You could use a SecurityPolicy that just requires a UsernameToken without a binding. For example see the policy "<!-- 2.1.1.3 UsernameToken with timestamp, nonce and password hash -->" starting on line 214:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup Of course, in practise one would combine a UsernameToken with the Transport binding to secure the message exchange... Colm. On Mon, Jul 23, 2012 at 4:41 PM, Sarafian <[email protected]>wrote: > I have a C# code that asks the STS for a token using username password > credentials. > I'm using the UT or UTEncrypted endpoints but I get this error: > > These policy alternatives can not be satisfied: > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken > { > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp > : > Received Timestamp does not match the requirements > { > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding > : > Received Timestamp does not match the requirements > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: > {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: > {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED > > Is there a way for the STS to be configured not to apply the above > policies? > Is there another endpoint for these kind of things? > > I simply want to use a username/password credential combination to request > a > security token. > > > > > -- > View this message in context: > http://cxf.547215.n5.nabble.com/RequestSecurityToken-without-Encrypting-and-Signing-tp5711426.html > Sent from the cxf-user mailing list archive at Nabble.com. > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
