Fred Dushin-3 wrote:
>
> But regardless, should the effective policy on the response be the
> same as the effective policy on the request? Or should policy
> assertion implementors code their interceptors to handle the response
> chain, as well as the request?
>

Does WS-SecurityPolicy have anything to say for this--how to configure request and response rules differently?

I'm not sure I'm understanding you correctly. If you're saying should the security (or other WS-*) rules be the same on both the request and response--I don't think so. I could imagine a service requiring a signature and/or encryption or username/passwords but the client not requiring it on the response. Kind of how WSS4J configuration works today.

FWIW, Metro maintains policies both client- and service-side, with differing information and rules. However, the client does read the service WSDL to see security requirements for the request (I think the service provider reads its own WSDL though to see what it needs to do for the response--the client-side policy really just has username/password or client cert info.)

Glen

--
View this message in context: http://www.nabble.com/Server-Response-Policy-tp18877899p18882270.html
Sent from the cxf-dev mailing list archive at Nabble.com.
