Hi Amila,

I am not sure what we can achieve by only checking the security token header of the message. To verify that the message was sent by the person who has the security token, the entire message should be verified for the signature. To verify that the message is not seen by anybody else, it can be encrypted.

HTH,
Jaliya

----- Original Message -----
From: Amila Suriarachchi
To: [email protected]
Sent: Sunday, July 20, 2008 7:46 AM
Subject: Security Manager Interface

hi,

Sandesha2 SecurityManager has this interface. What does the messagePart parameter mean here?

    /**
     * Check that the given element of the message demonstrated proof of possession of
     * the given token. This allows Sandesha to implement the checking required by the
     * RM spec. Proof is normally demonstrated by signing or encrypting the given
     * part using the token.
     * If the element is not secured with the given token the SecurityManager must
     * throw an exception.
     */
    public abstract void checkProofOfPossession(SecurityToken token, OMElement messagePart,
            MessageContext message) throws SandeshaException;

I went through the code and saw that the SOAP Body and Sequence header parts are always passed to this parameter. Does this mean that for a Secure Conversation it is required to sign and encrypt these parts? Is there any reason why this check is done like this, without checking the given security token value against the security token value in the Security header?

thanks,
Amila.

--
Amila Suriarachchi,
WSO2 Inc.
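The two checks the thread contrasts, as an added example that is not code from Sandesha2, Rampart, or either author: a small Python model in which a security token is a named key, "signing a part" is an HMAC over a canonical serialization of that part recorded as a Reference in the Security header, and the token store (TOKEN_KEYS, "sct-1", "sct-2"), the message layout and the messages themselves are constructed for the example rather than real WS-Security or WS-RM XML. A header-only token check is placed beside a proof-of-possession check over the Body and Sequence header, so the difference Jaliya describes can be seen on a replayed message and on a message signed with a different, equally valid token.

```python
"""Proof-of-possession check modelled on Sandesha2's
SecurityManager.checkProofOfPossession (simplified model; not WS-Security)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed token store for this example: token id -> key the signature proves
# possession of (think of a SecureConversation session key). Real code would
# resolve the key via the token and its issuer.
TOKEN_KEYS = {"sct-1": b"session key of sct-1", "sct-2": b"session key of sct-2"}


class ProofOfPossessionError(Exception):
    """Raised when the given part is not signed with the given token."""


def canonical(elem):
    """Toy canonicalization: sorted attributes, stripped text, tails ignored.
    Signer and verifier must hash identical bytes, so raw XML is never hashed."""
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(elem.attrib.items()))
    text = (elem.text or "").strip()
    inner = "".join(canonical(c) for c in elem)
    return f"<{elem.tag}{attrs}>{text}{inner}</{elem.tag}>"


def part_mac(key, part):
    return hmac.new(key, canonical(part).encode(), hashlib.sha256).hexdigest()


def find_part(envelope, part_id):
    for el in envelope.iter():
        if el.get("Id") == part_id:
            return el
    raise KeyError(part_id)


def build_message(seq_id, msg_number, order):
    """Constructed RM message: Security and Sequence headers plus a Body."""
    env = ET.Element("Envelope")
    hdr = ET.SubElement(env, "Header")
    ET.SubElement(hdr, "Security")
    seq = ET.SubElement(hdr, "Sequence", {"Id": "seq"})
    ET.SubElement(seq, "Identifier").text = seq_id
    ET.SubElement(seq, "MessageNumber").text = str(msg_number)
    body = ET.SubElement(env, "Body", {"Id": "body"})
    ET.SubElement(body, "Order").text = order
    return env


def sign_parts(envelope, token_id, part_ids):
    """Sender side: attach the token and a signature whose References cover
    each part (analogue of ds:Signature/ds:Reference URI="#id")."""
    sec = envelope.find("./Header/Security")
    ET.SubElement(sec, "Token", {"Id": token_id})
    sig = ET.SubElement(sec, "Signature", {"TokenId": token_id})
    for pid in part_ids:
        mac = part_mac(TOKEN_KEYS[token_id], find_part(envelope, pid))
        ET.SubElement(sig, "Reference", {"URI": "#" + pid, "Value": mac})


def token_header_present(token_id, envelope):
    """The check Amila asked about: is the token in the Security header?
    It says nothing about who produced the Body or the Sequence header."""
    return any(t.get("Id") == token_id
               for t in envelope.findall("./Header/Security/Token"))


def check_proof_of_possession(token_id, message_part, envelope):
    """Jaliya's point: the part itself must be signed with the token's key.
    Raises ProofOfPossessionError otherwise, as the Sandesha2 contract demands."""
    pid = message_part.get("Id")
    expected = part_mac(TOKEN_KEYS[token_id], message_part)
    for sig in envelope.findall("./Header/Security/Signature"):
        if sig.get("TokenId") != token_id:
            continue  # signed with some other token: no proof for this one
        for ref in sig.findall("Reference"):
            if ref.get("URI") == "#" + pid and hmac.compare_digest(ref.get("Value"), expected):
                return True
    raise ProofOfPossessionError(f"{message_part.tag}#{pid} is not signed with {token_id}")


def pop_result(token_id, part, envelope):
    try:
        return check_proof_of_possession(token_id, part, envelope)
    except ProofOfPossessionError:
        return False


def demo():
    """Returns (header_check_on_forgery, pop_on_genuine, pop_on_forgery, pop_other_token)."""
    env = build_message("urn:uuid:seq-1", 1, "ship 1 unit")
    sign_parts(env, "sct-1", ["body", "seq"])
    wire = ET.tostring(env)  # bytes as they would travel
    genuine = ET.fromstring(wire)
    pop_ok = all(check_proof_of_possession("sct-1", find_part(genuine, p), genuine)
                 for p in ("body", "seq"))

    # Forgery: the signed message is replayed with a bumped MessageNumber.
    # The Token header is untouched, so a header-only check still passes.
    forged = ET.fromstring(wire)
    find_part(forged, "seq").find("MessageNumber").text = "2"
    header_only = token_header_present("sct-1", forged)
    pop_forged = pop_result("sct-1", find_part(forged, "seq"), forged)

    # Holder of a different valid token (sct-2) signs a message for the same sequence.
    other = build_message("urn:uuid:seq-1", 2, "ship 100 units")
    sign_parts(other, "sct-2", ["body", "seq"])
    pop_other = pop_result("sct-1", find_part(other, "body"), other)
    return header_only, pop_ok, pop_forged, pop_other


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the header-only check accepting the replayed message while the proof-of-possession check rejects both the tampered Sequence header and the message signed under a different token; that is the gap Jaliya's reply points at, and why Sandesha2 hands the Body and the Sequence header to checkProofOfPossession instead of comparing token values. Encryption of the same parts under the token's key would prove possession equally well, since only the key holder can produce the ciphertext, but it is not required in addition to the signature for this check.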
