I would like to further expand on this scenario. Is it possible to construct a security policy that has 2 alternatives, that is a Web client can satisfy all requirements in either scenario 1 or scenario 2.
For example, in scenario 1, the Web Service client has to use UsernameToken, while in Scenario 2, there is no security mechanism in place. I know this is possible with WS-Security Policy but I'm not sure if scenario 2 is possible, i.e. no security mechanism at all. Regards Sanjay >-----Original Message----- >From: Sanjay Vivek [mailto:[EMAIL PROTECTED] >Sent: 21 April 2008 14:04 >To: [email protected] >Subject: Editing the services.xml to allow both Basic Auth and >Rampart auth. > >Hi everyone, > >Is it possible to deploy a service that is either Basic Auth >or Rampart auth enabled by defining it in the services.xml? >For example, if we wish to a deploy a Basic Auth enabled >service, we edit the server.xml (for >Tomcat) accordlingly and we do the same for Rampart authentication. > >However, to enable this, the services.xml file has to be >edited so that it allows clients to send SOAP messages that >contain both WS-SEC and non-WS-SEC headers (in the form of >Basic auth) to consume the service. >So basically the service shouldn't throw up exceptions when >the client is not Rampart enabled. > >Any insight would be appreciated. Cheers. > >Regards >-------------- >Sanjay Vivek >Web Analyst >Middleware Team >ISS >University of Newcastle Upon Tyne >
