It's hard to see much benefit from using a session key in this case, since it sounds like you're sending it with each request. Why don't you just encrypt the UsernameToken directly with the server's public key?
- Dennis

On 08/26/2010 04:13 PM, wservarch wrote:
> Instead of password digest in username token, I am taking a slightly different
> approach in sending username token to receiver end through soap header.
>
> Using a session key I am encrypting my password_text, then encrypting the
> session key with public key of the receiver (or endpoint).
> Receiver receives both my encrypted session key and encrypted password_text.
> Receiver uses its private key to decrypt the session key, which in turn can
> be used to decrypt the actual password_text.
>
> Now the question is how to send the encrypted session key through SOAP
> Header along with encrypted password_text?
>
> If I go with username token policy, I can send encrypted password, there is
> no field in it through which I can send my encrypted key.
>
> Can somebody help me know how the policy XML in the WSDL is going to look like?
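The hybrid scheme the original post describes, written out as an added Java example (constructed for this page, not code from the thread or from any WS-Security stack): the sender encrypts password_text under a fresh AES session key and wraps that key with the receiver's RSA public key, and the receiver unwraps and decrypts. It assumes the standard JCE providers; the Envelope record and the generated key pair standing in for the endpoint's certificate are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class HybridPasswordDemo {
    // Constructed container for what would travel in the SOAP header:
    // the wrapped session key, the AES-GCM nonce and the password ciphertext.
    record Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext) {}

    // Pin OAEP to SHA-256 for both hash and MGF1 (the provider default mixes SHA-1 in).
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
        "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    // Sender: a fresh session key per message, so a key is never reused across requests.
    static Envelope seal(PublicKey receiverKey, String passwordText) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey session = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(passwordText.getBytes(StandardCharsets.UTF_8));
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, receiverKey, OAEP);
        return new Envelope(rsa.wrap(session), iv, ct);
    }

    // Receiver: unwrap the session key with the private key, then decrypt the password.
    // GCM rejects a tampered ciphertext with AEADBadTagException instead of returning garbage.
    static String open(PrivateKey receiverKey, Envelope env) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, receiverKey, OAEP);
        Key session = rsa.unwrap(env.wrappedKey(), "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(128, env.iv()));
        return new String(aes.doFinal(env.ciphertext()), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair receiver = kpg.generateKeyPair(); // stands in for the endpoint's certificate key pair
        Envelope env = seal(receiver.getPublic(), "s3cret-password");
        System.out.println(open(receiver.getPrivate(), env));
    }
}
```

This wrapped-key-plus-ciphertext pair is exactly what an XML Encryption xenc:EncryptedKey element carries in a WS-Security header, which is why encrypting the UsernameToken under the endpoint's certificate, as suggested above, needs no extra field for the session key.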
