On Feb 3, 2013, at 10:40 PM, Jason Pell <[email protected]> wrote:

> I think I answered my own question. It appears that the first
> alternative is chosen by default, no matter what when using the
> MinimalAlternativeSelector
>
> The isCompatibleWithRequest method in BaseAlternativeSelector returns
> true where the request == null.
>
> And it looks as though request is always null on the server side
> (which I guess makes sense)
>
> Now I have to figure out if I can code up an AlternativeSelector based
> on the content of the request information coming in from the client.
>
> Any ideas would be welcome…

Kind of unfortunate that the selectAlternative method doesn't take a Map<String, Object> context type thing. Would likely need to use the PhaseInterceptorChain.getCurrentMessage() method.

One "idea" might be to add a new "ContextAwareAssertion" interface that adds a method like "boolean isSupported(Map<String, Object> context)" or similar that the AlternativeSelector could call (if the assertion is an instance of that) to determine if an alternative is usable. SOME of the policies could then be updated to support that interface to allow the policies themselves to participate in the selection process.

Dan

>
> On Mon, Feb 4, 2013 at 11:51 AM, Jason Pell <[email protected]> wrote:
>> Hi,
>>
>> I would like to configure a web service which requires one of two
>> security mechanisms:
>>
>> 1) UsernamePassword + SSL (NOT MUTUAL)
>> 2) Username only + SSL with Mutual Authentication.
>>
>> I was hoping to do this via WS-Policy ExactlyOnce matching, but it
>> does not seem to work.
>>
>> What I was wanting to know is if I should expect it to work. I am
>> about to jump in and debug what is actually happening but was hoping
>> someone would help me before I got too far into it.
>>
>> My policy is:
>>
>> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>   <wsp:ExactlyOne>
>>     <wsp:All>
>>       <sp:TransportBinding>
>>         <wsp:Policy>
>>           <sp:TransportToken>
>>             <wsp:Policy>
>>               <sp:HttpsToken>
>>                 <wsp:Policy />
>>               </sp:HttpsToken>
>>             </wsp:Policy>
>>           </sp:TransportToken>
>>           <sp:Layout>
>>             <wsp:Policy>
>>               <sp:Lax />
>>             </wsp:Policy>
>>           </sp:Layout>
>>           <sp:AlgorithmSuite>
>>             <wsp:Policy>
>>               <sp:Basic128 />
>>             </wsp:Policy>
>>           </sp:AlgorithmSuite>
>>         </wsp:Policy>
>>       </sp:TransportBinding>
>>
>>       <sp:SupportingTokens>
>>         <wsp:Policy>
>>           <sp:UsernameToken>
>>             <wsp:Policy>
>>               <sp:WssUsernameToken11 />
>>             </wsp:Policy>
>>           </sp:UsernameToken>
>>         </wsp:Policy>
>>       </sp:SupportingTokens>
>>     </wsp:All>
>>
>>     <wsp:All>
>>       <sp:TransportBinding>
>>         <wsp:Policy>
>>           <sp:TransportToken>
>>             <wsp:Policy>
>>               <sp:HttpsToken>
>>                 <wsp:Policy>
>>                   <sp:RequireClientCertificate />
>>                 </wsp:Policy>
>>               </sp:HttpsToken>
>>             </wsp:Policy>
>>           </sp:TransportToken>
>>           <sp:AlgorithmSuite>
>>             <wsp:Policy>
>>               <sp:Basic256 />
>>             </wsp:Policy>
>>           </sp:AlgorithmSuite>
>>         </wsp:Policy>
>>       </sp:TransportBinding>
>>
>>       <sp:SupportingTokens>
>>         <wsp:Policy>
>>           <sp:UsernameToken>
>>             <wsp:Policy>
>>               <sp:NoPassword />
>>             </wsp:Policy>
>>           </sp:UsernameToken>
>>         </wsp:Policy>
>>       </sp:SupportingTokens>
>>     </wsp:All>
>>   </wsp:ExactlyOne>
>> </wsp:Policy>

--
Daniel Kulp
[email protected] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
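
Added example, not part of the thread and not CXF code: a Python model of the selection problem discussed above. It parses a reduced copy of the posted policy and compares first-alternative selection with a per-alternative check in the spirit of the isSupported(context) idea; the context keys client_cert and password and all function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
SP = "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}"

# Constructed sample: the posted policy reduced to the assertions that differ.
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
 <wsp:ExactlyOne>
  <wsp:All>
   <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
    <sp:HttpsToken><wsp:Policy/></sp:HttpsToken>
   </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
   <sp:SupportingTokens><wsp:Policy><sp:UsernameToken><wsp:Policy>
    <sp:WssUsernameToken11/>
   </wsp:Policy></sp:UsernameToken></wsp:Policy></sp:SupportingTokens>
  </wsp:All>
  <wsp:All>
   <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
    <sp:HttpsToken><wsp:Policy><sp:RequireClientCertificate/></wsp:Policy></sp:HttpsToken>
   </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
   <sp:SupportingTokens><wsp:Policy><sp:UsernameToken><wsp:Policy>
    <sp:NoPassword/>
   </wsp:Policy></sp:UsernameToken></wsp:Policy></sp:SupportingTokens>
  </wsp:All>
 </wsp:ExactlyOne>
</wsp:Policy>"""

def alternatives(policy_xml):
    """One requirement dict per wsp:All under the top-level wsp:ExactlyOne."""
    root = ET.fromstring(policy_xml)
    alts = []
    for alt in root.find(WSP + "ExactlyOne").findall(WSP + "All"):
        tags = {el.tag for el in alt.iter()}
        alts.append({"client_cert_required": SP + "RequireClientCertificate" in tags,
                     "password_required": SP + "NoPassword" not in tags})
    return alts

def is_supported(alt, ctx):
    """Hypothetical analogue of isSupported(context) for one alternative."""
    if alt["client_cert_required"] and not ctx.get("client_cert"):
        return False
    # Model assumption: sp:NoPassword forbids a password; otherwise one is required.
    return bool(ctx.get("password")) == alt["password_required"]

def select_first(alts):
    """Models the behaviour reported in the thread: request content is ignored."""
    return 0 if alts else None

def select_by_context(alts, ctx):
    """Index of the first alternative the request satisfies, else None (reject)."""
    return next((i for i, a in enumerate(alts) if is_supported(a, ctx)), None)
```

A request that satisfies neither alternative yields None, so the caller rejects it instead of falling back to the first alternative.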
