Hi all,
Could someone confirm my understanding of the order of encryption &
signing using WS-SecurityPolicy in WSDL?
I saw in
http://fusesource.com/docs/esb/4.4/cxf_security/MsgProtect-SOAP-SymmetricPolicy.html
that the order is specified
in sp:EncryptBeforeSigning. If not specified, the default order is to
sign and encrypt.
And I rarely see any use of this tag, so I assume the default order is
always right?
What I do see in almost all WS-Policy files that come with WSDL is
something like
...
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
      <sp:SignedParts>
        <sp:Body />
        <sp:Header Namespace="..." />
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
      <sp:SignedParts>
        <sp:Body />
        <sp:Header Namespace="..." />
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
</wsdl:definitions>
Am I right to say the order of the <sp:EncryptedParts> and <sp:SignedParts>
elements does not specify the order of encryption and signing in both
request and response?
Thanks in advance,
Sam
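
The following is an added example, not part of the original message: a small policy audit that reports the protection order a WS-SecurityPolicy binding declares, applying the default quoted above when sp:EncryptBeforeSigning is absent. The sample policies are constructed and abbreviated (no token assertions), and elements are matched by local name as an assumption so that both the 1.1 and 1.2 policy namespaces are covered.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the constructed samples (WS-SecurityPolicy 1.2, WS-Policy 1.5).
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
BINDINGS = {"SymmetricBinding", "AsymmetricBinding"}


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def protection_order(policy_xml):
    """Return [(binding, order)] for every security binding in the policy.

    The order is read from the binding assertion only. The position of
    sp:EncryptedParts relative to sp:SignedParts is never consulted,
    because wsp:All is an unordered collection of assertions.
    """
    found = []
    for el in ET.fromstring(policy_xml).iter():
        if local(el.tag) in BINDINGS:
            nested = {local(d.tag) for d in el.iter()}
            order = ("EncryptBeforeSigning" if "EncryptBeforeSigning" in nested
                     else "SignBeforeEncrypting")  # default when unspecified
            found.append((local(el.tag), order))
    return found


def sample(binding_props, parts):
    """Build a constructed, abbreviated policy document for the demo."""
    return f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:SymmetricBinding><wsp:Policy>{binding_props}</wsp:Policy></sp:SymmetricBinding>
    {parts}
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


ENC = "<sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"
SIG = "<sp:SignedParts><sp:Body/></sp:SignedParts>"

if __name__ == "__main__":
    print(protection_order(sample("", ENC + SIG)))   # parts listed encrypt-first
    print(protection_order(sample("", SIG + ENC)))   # parts listed sign-first
    print(protection_order(sample("<sp:EncryptBeforeSigning/>", SIG + ENC)))
```
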