I'm trying to apply a digital signature to the inbound and outbound message for a simple Axis2 (1.3) web service. I would like the client to send their certificate with the request but send the DN and certificate serial # in the response and have the client look it up in their keystore. I've included the policy assertions in the services.xml for the server and in the WSDL (which is used to codegen the client stub).
Questions:

Is this signature validation scenario reasonable? Or is there a better practice for sending information for validating the signature?

Is there currently a way to get policy assertions from the WSDL into services.xml when generating code?

Below are the relevant parts of the security policy I think should work as described above but doesn't: the response includes a BinarySecurityToken that is referenced in the response <KeyInfo>. Any ideas about what I'm doing wrong?

<sp:InitiatorToken>
  <wsp:Policy>
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:WssX509V3Token10/>
      </wsp:Policy>
    </sp:X509Token>
  </wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
  <wsp:Policy>
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
      <wsp:Policy>
        <sp:WssX509V3Token10/>
      </wsp:Policy>
    </sp:X509Token>
  </wsp:Policy>
</sp:RecipientToken>

Any help on this is appreciated! Also, if this is not appropriate for this list and there's a better one, sorry and please let me know.

- Steve
______________________________________________
Steve Gruverman
IntelliCare, Inc. | A Medco Health Solutions Company
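Added example, not part of the original post: a small diagnostic that reports which key reference style a signed SOAP message uses, so the symptom above (a BinarySecurityToken referenced from <KeyInfo>) can be told apart from the issuer DN plus serial reference the post asks for. It assumes the standard WSS 1.0 and XML-DSig namespaces; the function names, sample messages, token Id, issuer name and serial number are all constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, parse with defusedxml instead

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def key_reference_style(soap_xml):
    """Return (style, detail) for the first ds:Signature's KeyInfo in the message."""
    root = ET.fromstring(soap_xml)
    str_el = root.find(".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        return ("none", None)
    issuer = str_el.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if issuer is not None:  # certificate identified by issuer DN + serial, not sent
        name = issuer.findtext("ds:X509IssuerName", default="", namespaces=NS).strip()
        serial = issuer.findtext("ds:X509SerialNumber", default="", namespaces=NS).strip()
        return ("issuer-serial", (name, serial))
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:  # direct reference, normally to a token carried in the header
        target = ref.get("URI", "").lstrip("#")
        embedded = any(t.get(WSU_ID) == target
                       for t in root.iterfind(".//wsse:BinarySecurityToken", NS))
        return ("direct-reference", {"target": target, "token_in_message": embedded})
    if str_el.find("wsse:KeyIdentifier", NS) is not None:
        return ("key-identifier", None)
    return ("unknown", None)

def _sample(key_info_body, token=""):
    # Constructed, minimal message skeleton: only the parts the check reads.
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
 <soapenv:Header><wsse:Security>{token}
  <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>{key_info_body}
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
 </wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

# Shape described in the post: the certificate travels in the response.
OBSERVED = _sample('<wsse:Reference URI="#CertId-1"/>',
    '<wsse:BinarySecurityToken wsu:Id="CertId-1">PLACEHOLDER</wsse:BinarySecurityToken>')
# Shape the post wants: issuer DN and serial only, looked up in the client keystore.
WANTED = _sample("<ds:X509Data><ds:X509IssuerSerial>"
    "<ds:X509IssuerName>CN=Example CA,O=Example</ds:X509IssuerName>"
    "<ds:X509SerialNumber>1234567890</ds:X509SerialNumber>"
    "</ds:X509IssuerSerial></ds:X509Data>")

if __name__ == "__main__":
    print(key_reference_style(OBSERVED))
    print(key_reference_style(WANTED))
```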