Hi all,

I have run the sample code for the tutorial from http://www.jroller.com/gmazza/entry/usernametoken_messagelayer_encryption successfully (i.e. server response returned OK). To be exact, it's the UsernameToken authentication with X509Token symmetric binding for message protection, like the one from the IBM doc
http://pic.dhe.ibm.com/infocenter/radhelp/v9/index.jsp?topic=%2Fcom.ibm.websphere.wlp.nd.multiplatform.doc%2Fae%2Fcwlp_wssec_templates_scenario6.html

WS-Policy in WSDL is

        <wsp:Policy wsu:Id="DoubleItUTSymmetricX509Policy">
            <wsp:ExactlyOne>
                <wsp:All>
                    <wsam:Addressing wsp:Optional="false" />
                    <sp:SymmetricBinding>
                        <wsp:Policy>
                            <sp:ProtectionToken>
                                <wsp:Policy>
                                    <sp:X509Token
                                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                        <wsp:Policy>
                                            <sp:WssX509V3Token10 />
                                            <sp:RequireIssuerSerialReference />
                                        </wsp:Policy>
                                    </sp:X509Token>
                                </wsp:Policy>
                            </sp:ProtectionToken>
                            <sp:Layout>
                                <wsp:Policy>
                                    <sp:Strict />
                                </wsp:Policy>
                            </sp:Layout>
                            <sp:IncludeTimestamp />
                            <sp:OnlySignEntireHeadersAndBody />
                            <sp:AlgorithmSuite>
                                <wsp:Policy>
                                    <sp:Basic128 />
                                </wsp:Policy>
                            </sp:AlgorithmSuite>
                        </wsp:Policy>
                    </sp:SymmetricBinding>
                    <sp:Wss11>
                        <wsp:Policy>
                            <sp:MustSupportRefIssuerSerial />
                            <sp:MustSupportRefThumbprint />
                            <sp:MustSupportRefEncryptedKey />
                        </wsp:Policy>
                    </sp:Wss11>
                    <sp:SignedEncryptedSupportingTokens>
                        <wsp:Policy>
                            <sp:UsernameToken
                                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssUsernameToken10 />
                                </wsp:Policy>
                            </sp:UsernameToken>
                        </wsp:Policy>
                    </sp:SignedEncryptedSupportingTokens>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:Policy>
        <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
            <wsp:ExactlyOne>
                <wsp:All>
                    <sp:EncryptedParts>
                        <sp:Body />
                    </sp:EncryptedParts>
                    <sp:SignedParts>
                        <sp:Body />
                        <sp:Header Name="To"
                            Namespace="http://www.w3.org/2005/08/addressing" />
                        ...
                    </sp:SignedParts>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:Policy>
        <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
            <wsp:ExactlyOne>
                <wsp:All>
                    <sp:EncryptedParts>
                        <sp:Body />
                    </sp:EncryptedParts>
                    <sp:SignedParts>
                        <sp:Body />
                        <sp:Header Name="To"
                            Namespace="http://www.w3.org/2005/08/addressing" />
                ...
                    </sp:SignedParts>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:Policy>


After examining the generated SOAP request from the client code, to my surprise, there is no <wsse:UsernameToken> at all even though the policy above clearly states the use of UsernameToken.

* So my question is, is this the expected behaviour for UsernameToken authentication with X509Token symmetric binding or am I missing something?

* Am I right to assume that for UsernameToken authentication with X509Token asymmetric binding, I should expect to see <wsse:UsernameToken> in the SOAP request?

Thanks in advance,

Sam
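
Added example, not part of the original post or of the tutorial's code: in WS-SecurityPolicy 1.2, the name of the supporting-token container (here sp:SignedEncryptedSupportingTokens) states whether the token must be signed and/or encrypted, and an encrypted UsernameToken is not readable as a plain <wsse:UsernameToken> element in a captured request. The Python sketch below reads that requirement out of a policy; the sample policy is a constructed excerpt of the one above, and the wsp namespace URI is an assumption because the post does not show its namespace declarations.

```python
import xml.etree.ElementTree as ET

# sp namespace as it appears in the IncludeToken URIs of the posted policy.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Assumed wsp namespace; the post does not show its xmlns declarations.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed sample: the supporting-token part of the posted policy.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:SignedEncryptedSupportingTokens>
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </sp:SignedEncryptedSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
"""

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    ns, _, local = tag[1:].partition("}")
    return ns, local

def supporting_token_protection(policy_xml):
    """Return (token, container, signed, encrypted) for each supporting token."""
    # For policies from untrusted sources, parse with a hardened XML parser.
    root = ET.fromstring(policy_xml)
    found = []
    for container in root.iter():
        ns, name = split_tag(container.tag)
        if ns != SP or not name.endswith("SupportingTokens"):
            continue
        # Token assertions (sp:UsernameToken, sp:X509Token, ...) are nested
        # inside the container's wsp:Policy, possibly under ExactlyOne/All.
        for child in container.iter():
            cns, cname = split_tag(child.tag)
            if cns == SP and cname.endswith("Token"):
                found.append((cname, name, "Signed" in name, "Encrypted" in name))
    return found

def cleartext_expected(policy_xml, token="UsernameToken"):
    """True if the policy lets the named token travel unencrypted."""
    return any(t == token and not enc
               for t, _, _, enc in supporting_token_protection(policy_xml))
```

For the posted policy this reports the UsernameToken as signed and encrypted, so a request trace that shows no readable <wsse:UsernameToken> is consistent with the policy as written.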
