> This means that the service owner must enable the Port/Binding related to > the DoubleItDigestPort/DoubleItDigestBinding?
Not exactly sure what you mean here. You must let the endpoint know what security policy to use, for example by a policy reference in the WSDL or else you can do it in Spring. > Can you also elaborate more about The policy I previously defined to "just" required a UsernameToken and makes no demands on whether TLS is used or not. If TLS is not used, then the service endpoint is vulnerable to a third-party intercepting the message on the wire and copying the UsernameToken etc. In a real world scenario, you would use the UsernameToken as a supporting token in conjunction with a Transport binding to require TLS to be used. Colm. On Tue, Jul 24, 2012 at 12:33 PM, Sarafian <[email protected]>wrote: > Hi Colm, > Thank you for your reply. > This means that the service owner must enable the Port/Binding related to > the DoubleItDigestPort/DoubleItDigestBinding? > > > Can you also elaborate more about > > Colm O hEigeartaigh-3 wrote > > > > Of course, in practise one would combine a UsernameToken with the > > Transport > > binding to secure the message exchange... > > > > The reason I'm asking is that coming from the .NET world and having an > application that connects to ADFS and another STS > (identityserver.codeplex.com) we are using the WindowsMixed and > UsernameMixed endpoints in conjunction with TransportWithMessageCredential > for the SecurityMode setting. > > > > -- > View this message in context: > http://cxf.547215.n5.nabble.com/RequestSecurityToken-without-Encrypting-and-Signing-tp5711426p5711486.html > Sent from the cxf-user mailing list archive at Nabble.com. > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
