All, during the discussion with Allen IMHO we should have a closer look into the WS-Policy* stuff (again). WSS4J as it stands now (not looking at the sandbox code) provides methods to create Sceurity headers in a request and to parse/validate them.
The check at the receiver if the request contains all required security actions is rudimentary only. To enhance the action checking and also the way how the sender controls the setup the request we shall consider to use WS-Policy* specs. Some ideas: - At the sender side we could have a parser that sets up internal structures that drive/control how the WSS4J handlers create the security functions (some time ago this topic was shortly discussed on this list, I'll have a look in the archives). To avoid to much parsing we need to have some sort of "global, per service" location to store this internal structure (somewhere in the Axis data structures?) - At the receiver side a similar parser (the same?) can setup an internal structure which a "Policy checker" can use to verify the results generated during parsing/verification of the security headers. Both new modules could be "plugged-in" similar to the "action/processor" structure now in use in WSS4J. Is there some code that could be used to start e.g. a parser for the relevant WS-Policy* specs? Any more ideas? Volunteers :-) ? Regards, Werner --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
