Hi all,

The policy document below describes 2 policy alternatives, one that
contains a policy assertion requiring the inclusion of a certain
security token and the other that doesn't contain a policy assertion.
Does this policy mean that a client that is not Rampart enabled (i.e.
the SOAP request header doesn't contain WS-Sec headers) will be able to
consume the service? Or does the service just ignore the 2nd policy
assertion and only the first policy assertion is used? Cheers.

Regards
Sanjay


<wsp:Policy>
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SecurityToken>
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
      <sp:UsernameToken />
    </wsp:All>
    <wsp:All>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

>-----Original Message-----
>From: Sanjay Vivek [mailto:[EMAIL PROTECTED] 
>Sent: 22 April 2008 07:35
>To: [email protected]
>Subject: RE: Editing the services.xml to allow both Basic Auth 
>and Rampart auth.
>
>Hi Nandana,
>
>Is it possible to define a policy that supports 2 
>alternatives? The 1st alternative requires the Web Service 
>client to use UsernameToken while the 2nd alternative allows 
>any client at all to consume the service? I know this can 
>be done with WS-Security Policy but I would like to know if 
>the 2nd alternative is possible, i.e. allowing any client at 
>all to consume the service. 
>
>Clients who are not Rampart enabled can instead use Basic Auth 
>to consume the service. Any insight would be greatly 
>appreciated. Cheers.
>
>Regards
>Sanjay
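
Added example, not part of the original post: in WS-Policy, each `wsp:All` under `wsp:ExactlyOne` is one alternative, and an alternative with no assertions requires no behaviors. The sketch below lists the alternatives in the posted policy and checks which ones a client satisfies; it models the policy semantics only, not what Rampart enforces at runtime. The namespace URIs (WS-Policy 1.2, WS-SecurityPolicy 1.1) and the function names are assumptions, since the post shows neither.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs; the posted policy omits its xmlns declarations.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"

# The policy from the post, with an opening wsp:Policy and namespaces added.
POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SecurityToken>
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
      <sp:UsernameToken />
    </wsp:All>
    <wsp:All>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""

def alternatives(policy_xml):
    """Return one frozenset of assertion QNames per wsp:All alternative.
    Handles normal-form policies only (Policy > ExactlyOne > All)."""
    root = ET.fromstring(policy_xml)
    if root.tag != f"{{{WSP}}}Policy":
        raise ValueError("root element is not wsp:Policy")
    result = []
    for exactly_one in root.findall(f"{{{WSP}}}ExactlyOne"):
        for alt in exactly_one.findall(f"{{{WSP}}}All"):
            result.append(frozenset(child.tag for child in alt))
    return result

def satisfied_alternatives(policy_xml, client_assertions):
    """Indexes of alternatives whose every assertion the client supports."""
    client = set(client_assertions)
    return [i for i, alt in enumerate(alternatives(policy_xml)) if alt <= client]

def has_empty_alternative(policy_xml):
    """True if some alternative requires nothing, i.e. admits unsecured messages."""
    return any(len(alt) == 0 for alt in alternatives(policy_xml))

if __name__ == "__main__":
    both = [f"{{{SP}}}SecurityToken", f"{{{SP}}}UsernameToken"]
    print("no WS-Security headers:", satisfied_alternatives(POLICY, []))
    print("X509 + UsernameToken:  ", satisfied_alternatives(POLICY, both))
    print("policy admits unsecured requests:", has_empty_alternative(POLICY))
```

A check like `has_empty_alternative` is useful as a deployment lint: a policy that contains an empty alternative places no WS-Security requirement on the message, so any authentication has to come from another layer such as transport-level Basic Auth.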
