I think I am going to have to come up with something here, as I would
prefer to have a single ws-policy rather than try and deploy two
endpoints, one for Mutual SSL and one for normal SSL.



On Tue, Feb 5, 2013 at 2:58 AM, Daniel Kulp <[email protected]> wrote:
>
> On Feb 3, 2013, at 10:40 PM, Jason Pell <[email protected]> wrote:
>
>> I think I answered my own question. It appears that the first
>> alternative is chosen by default, no matter what, when using the
>> MinimalAlternativeSelector.
>>
>> The isCompatibleWithRequest method in BaseAlternativeSelector returns
>> true where the request == null.
>>
>> And it looks as though request is always null on the server side
>> (which I guess makes sense)
>>
>> Now I have to figure out if I can code up an AlternativeSelector based
>> on the content of the request information coming in from the client.
>>
>> Any ideas would be welcome…
>
> Kind of unfortunate that the selectAlternative method doesn't take a
> Map<String, Object> context type thing. Would likely need to use the
> PhaseInterceptorChain.getCurrentMessage() method.
>
> One "idea" might be to add a new "ContextAwareAssertion" interface that adds
> a method like "boolean isSupported(Map<String, Object> context)" or similar
> that the AlternativeSelector could call (if the assertion is an instance of
> that) to determine if an alternative is usable. SOME of the policies could
> then be updated to support that interface to allow the policies themselves to
> participate in the selection process.
>
>
> Dan
>
>
>
>
>>
>> On Mon, Feb 4, 2013 at 11:51 AM, Jason Pell <[email protected]> wrote:
>>> Hi,
>>>
>>> I would like to configure a web service which requires one of two
>>> security mechanisms:
>>>
>>> 1) UsernamePassword + SSL (NOT MUTUAL)
>>> 2) Username only + SSL with Mutual Authentication.
>>>
>>> I was hoping to do this via WS-Policy ExactlyOne matching, but it
>>> does not seem to work.
>>>
>>> What I was wanting to know is if I should expect it to work.  I am
>>> about to jump in and debug what is actually happening but was hoping
>>> someone would help me before I got too far into it.
>>>
>>> My policy is:
>>>
>>> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>   <wsp:ExactlyOne>
>>>     <wsp:All>
>>>       <sp:TransportBinding>
>>>         <wsp:Policy>
>>>           <sp:TransportToken>
>>>             <wsp:Policy>
>>>               <sp:HttpsToken>
>>>                 <wsp:Policy />
>>>               </sp:HttpsToken>
>>>             </wsp:Policy>
>>>           </sp:TransportToken>
>>>           <sp:Layout>
>>>             <wsp:Policy>
>>>               <sp:Lax />
>>>             </wsp:Policy>
>>>           </sp:Layout>
>>>           <sp:AlgorithmSuite>
>>>             <wsp:Policy>
>>>               <sp:Basic128 />
>>>             </wsp:Policy>
>>>           </sp:AlgorithmSuite>
>>>         </wsp:Policy>
>>>       </sp:TransportBinding>
>>>
>>>       <sp:SupportingTokens>
>>>         <wsp:Policy>
>>>           <sp:UsernameToken>
>>>             <wsp:Policy>
>>>               <sp:WssUsernameToken11 />
>>>             </wsp:Policy>
>>>           </sp:UsernameToken>
>>>         </wsp:Policy>
>>>       </sp:SupportingTokens>
>>>     </wsp:All>
>>>
>>>     <wsp:All>
>>>       <sp:TransportBinding>
>>>         <wsp:Policy>
>>>           <sp:TransportToken>
>>>             <wsp:Policy>
>>>               <sp:HttpsToken>
>>>                 <wsp:Policy>
>>>                   <sp:RequireClientCertificate />
>>>                 </wsp:Policy>
>>>               </sp:HttpsToken>
>>>             </wsp:Policy>
>>>           </sp:TransportToken>
>>>           <sp:AlgorithmSuite>
>>>             <wsp:Policy>
>>>               <sp:Basic256 />
>>>             </wsp:Policy>
>>>           </sp:AlgorithmSuite>
>>>         </wsp:Policy>
>>>       </sp:TransportBinding>
>>>
>>>       <sp:SupportingTokens>
>>>         <wsp:Policy>
>>>           <sp:UsernameToken>
>>>             <wsp:Policy>
>>>               <sp:NoPassword />
>>>             </wsp:Policy>
>>>           </sp:UsernameToken>
>>>         </wsp:Policy>
>>>       </sp:SupportingTokens>
>>>     </wsp:All>
>>>   </wsp:ExactlyOne>
>>> </wsp:Policy>
>
> --
> Daniel Kulp
> [email protected] - http://dankulp.com/blog
> Talend Community Coder - http://coders.talend.com
>
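
A sketch of the ContextAwareAssertion idea from Dan's reply, applied to the two alternatives in the policy quoted above, with a selector that returns nothing when no alternative fits instead of falling back to the first one. This is an added example, not code from the thread or from Apache CXF; every type and method here, and the context keys `tls`, `clientCert`, `username` and `password`, are hypothetical stand-ins.

```java
import java.util.*;

public class ContextAwareSelection {
    // Hypothetical stand-ins for the idea in the thread; not Apache CXF or Neethi types.
    interface Assertion { String name(); }
    interface ContextAwareAssertion extends Assertion {
        boolean isSupported(Map<String, Object> context);
    }
    // Facts come from the server's TLS session and parsed header, never from client-controlled fields.
    static boolean flag(Map<String, Object> ctx, String key) { return Boolean.TRUE.equals(ctx.get(key)); }
    // sp:HttpsToken; requireClientCert models a nested sp:RequireClientCertificate.
    static ContextAwareAssertion httpsToken(final boolean requireClientCert) {
        return new ContextAwareAssertion() {
            public String name() { return "HttpsToken"; }
            public boolean isSupported(Map<String, Object> ctx) {
                return flag(ctx, "tls") && (!requireClientCert || flag(ctx, "clientCert"));
            }
        };
    }
    // sp:UsernameToken; noPassword models a nested sp:NoPassword.
    static ContextAwareAssertion usernameToken(final boolean noPassword) {
        return new ContextAwareAssertion() {
            public String name() { return "UsernameToken"; }
            public boolean isSupported(Map<String, Object> ctx) {
                return flag(ctx, "username") && (flag(ctx, "password") != noPassword);
            }
        };
    }
    // First alternative whose context-aware assertions all accept the request; empty
    // means the caller must reject rather than default to the first alternative.
    static Optional<List<Assertion>> select(List<List<Assertion>> alternatives, Map<String, Object> ctx) {
        for (List<Assertion> alt : alternatives) {
            boolean ok = true;
            for (Assertion a : alt) {
                if (a instanceof ContextAwareAssertion && !((ContextAwareAssertion) a).isSupported(ctx)) ok = false;
            }
            if (ok) return Optional.of(alt);
        }
        return Optional.empty();
    }
    public static void main(String[] args) {
        List<List<Assertion>> policy = Arrays.asList(
            Arrays.<Assertion>asList(httpsToken(false), usernameToken(false)),
            Arrays.<Assertion>asList(httpsToken(true), usernameToken(true)));
        Map<String, Object> ctx = new HashMap<>(); // constructed: mutual TLS, username, no password
        ctx.put("tls", true); ctx.put("clientCert", true); ctx.put("username", true);
        System.out.println("selected alternative index: " + policy.indexOf(select(policy, ctx).orElse(null)));
    }
}
```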
