Hi Colm,

Thanks for the info. Yes, it wouldn't make sense to send it unencrypted, but I was wondering why when I use "SignedSupportingTokens", the message is automatically encrypted too instead of only signed.

Regards,
Vinay

-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, September 28, 2011 4:24 AM
To: users@cxf.apache.org
Subject: Re: Signature only in policy for Username Token

You can set the following jax-ws property "ws-security.username-token.always.encrypted" to "false". See the "ALWAYS_ENCRYPT_UT" variable here:

http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup

Why would you want to send an unencrypted UsernameToken across the wire? An eavesdropper could just harvest the username/password.

Colm.

On Wed, Sep 28, 2011 at 12:03 AM, Penmatsa, Vinay <vinay.penma...@sap.com> wrote:
>
> Hi,
> With the following policy definition, the header is sent encrypted. How can I
> get the client to only sign and not encrypt?
>
> ------
> <wsp:Policy wsu:Id="UsernameToken"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic128 />
>               <!-- To use the export grade encryption that comes bundled in the
>                    JDK, comment out the above Basic256 algorithm and
>                    uncomment the below Basic128. -->
>               <!-- <sp:Basic128 /> -->
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier/>
>         </wsp:Policy>
>       </sp:Wss10>
>       <sp:SignedSupportingTokens>
>         <wsp:Policy>
>           <sp:UsernameToken
>               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:WssUsernameToken10/>
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SignedSupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> ---
>
>
> Regards,
> Vinay
>
>

--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
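
As an added example, not part of the thread and not CXF code: a small Python check that reads a WS-SecurityPolicy document and reports, for each UsernameToken in a supporting-token assertion, whether the policy itself requires encryption or whether confidentiality is left to the runtime setting discussed above ("ws-security.username-token.always.encrypted"). The function name, status strings and trimmed sample policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Supporting-token assertions from WS-SecurityPolicy, split by whether the
# assertion itself requires the token to be encrypted.
ENCRYPTING = {"EncryptedSupportingTokens", "SignedEncryptedSupportingTokens",
              "EndorsingEncryptedSupportingTokens",
              "SignedEndorsingEncryptedSupportingTokens"}
NON_ENCRYPTING = {"SupportingTokens", "SignedSupportingTokens",
                  "EndorsingSupportingTokens", "SignedEndorsingSupportingTokens"}

def local(tag):
    """Strip the namespace so 2005/07 and 200702 policies are both handled."""
    return tag.rsplit("}", 1)[-1]

def audit_username_tokens(policy_xml):
    """Return one (assertion, status) finding per UsernameToken in a supporting-token assertion."""
    root = ET.fromstring(policy_xml)
    has_transport = any(local(e.tag) == "TransportBinding" for e in root.iter())
    findings = []
    for holder in root.iter():
        name = local(holder.tag)
        if name not in ENCRYPTING | NON_ENCRYPTING:
            continue
        for tok in holder.iter():
            if local(tok.tag) != "UsernameToken":
                continue
            if name in ENCRYPTING:
                status = "encrypted-by-policy"
            elif has_transport:
                status = "protected-by-transport"
            else:
                # Policy asks only for a signature; whether the token is also
                # encrypted is decided by the stack's own default.
                status = "depends-on-runtime-default"
            findings.append((name, status))
    return findings

# Constructed sample: the supporting-token part of the policy quoted above,
# trimmed to the elements the check reads.
SAMPLE = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:AsymmetricBinding><wsp:Policy/></sp:AsymmetricBinding>
  <sp:SignedSupportingTokens><wsp:Policy>
    <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SignedSupportingTokens>
</wsp:Policy>"""

if __name__ == "__main__":
    for assertion, status in audit_username_tokens(SAMPLE):
        print(f"UsernameToken in {assertion}: {status}")
```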