I have a webservice I am writing a client for which has the following 
requirements:

Request message:
Include a username token with no password.
Include a timestamp.
Sign the body, timestamp and username token.
Do not encrypt the username token.

I've worked out a policy for the request using a TransportBinding, as the 
UsernameToken needs to be unencrypted.

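<!--
  InputPolicy: WS-SecurityPolicy for the request message.
  Asserts an HTTPS transport binding with a timestamp, an X.509 endorsing
  token, a password-less UsernameToken, the SOAP Body as a signed part, and
  WSS 1.1 signature confirmation.
  The wsp, wsu and sp prefixes are assumed to be declared on the enclosing
  WSDL/policy document; they are not declared in this fragment.
-->
<wsp:Policy wsu:Id="InputPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <!-- Confidentiality and integrity of the whole message come from
                 TLS here, not from message-level encryption. The
                 UsernameToken is therefore unencrypted inside the SOAP
                 header but still protected on the wire. -->
            <sp:TransportBinding>
                <wsp:Policy>
                    <wsp:All>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <!-- No TLS client certificate is required, so
                                     the caller is not authenticated at the
                                     transport layer; caller identity rests on
                                     the X.509 endorsing signature below. -->
                                <sp:HttpsToken RequireClientCertificate="false" />
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <!-- NOTE(review): Basic128 specifies SHA-1 as
                                     the digest algorithm. If the service
                                     accepts it, a SHA-256 suite such as
                                     sp:Basic256Sha256 is the stronger choice;
                                     confirm with the service owner. -->
                                <sp:Basic128 />
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <wsp:ExactlyOne>
                                    <wsp:All>
                                        <sp:Strict />
                                    </wsp:All>
                                </wsp:ExactlyOne>
                            </wsp:Policy>
                        </sp:Layout>
                        <!-- The receiver should enforce the timestamp's
                             expiry to limit replay of a captured request. -->
                        <sp:IncludeTimestamp />
                    </wsp:All>
                </wsp:Policy>
            </sp:TransportBinding>
            <!-- With a transport binding there is no message signature, so
                 the endorsing signature made with this X.509 token covers
                 the timestamp. -->
            <sp:EndorsingSupportingTokens>
                <wsp:Policy>
                    <!-- Fixed: the IncludeToken value was followed by a stray
                         ";" and split across lines, which is not well-formed
                         XML. -->
                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <wsp:ExactlyOne>
                                <wsp:All>
                                    <sp:WssX509V3Token10 />
                                </wsp:All>
                            </wsp:ExactlyOne>
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </sp:EndorsingSupportingTokens>
            <!-- NOTE(review): whether a top-level SignedParts makes the
                 endorsing signature cover the Body under a transport binding
                 depends on the WS-Security stack. WS-SecurityPolicy also
                 allows sp:SignedParts to be nested inside the supporting
                 token assertion. Inspect the ds:Reference list of an outgoing
                 request to confirm the Body is actually signed. -->
            <sp:SignedParts>
                <sp:Body />
            </sp:SignedParts>
            <!-- NOTE(review): under a transport binding the "signed"
                 requirement on a supporting token is met by the transport.
                 A NoPassword token is only an identity claim; it is
                 trustworthy only if the X.509 signature also covers it and
                 the receiver maps the certificate to that user. Verify this
                 against the stated requirement to sign the username token. -->
            <sp:SignedSupportingTokens>
                <wsp:Policy>
                    <wsp:All>
                        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <sp:NoPassword />
                            </wsp:Policy>
                        </sp:UsernameToken>
                    </wsp:All>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
            <!-- The response must echo the request's signature values so the
                 client can check that the signature it sent is the one the
                 server processed. -->
            <sp:Wss11>
                <wsp:Policy>
                    <sp:RequireSignatureConfirmation />
                </wsp:Policy>
            </sp:Wss11>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>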


The problem is that the server signs the response, including a timestamp, and 
the client is expected to respond to any of the server's requests in the same 
form.
I've not worked out how I can use a TransportBinding and ALSO include a 
signature in the security header.

I've bound the input policy at wsdl:binding/wsdl:operation/wsdl:input

The various policies I've tried for the output have been bound at 
wsdl:binding/wsdl:operation/wsdl:output


Can anyone help on this?

Thanks in advance,
James


