Hi Colm, I appreciate your reply. Thank you for all of the sound work you do in this space.
In regard to the web service under development, the X.509 certificate presented in a request is expected to have signed the body of the SOAP message so a signature can be validated and the user therefore authenticated. However, that is the only secure measure the service intends to assert. Transport security is handled upstream, so a transport binding is extraneous, as are symmetric and asymmetric bindings, because the response isn't signed and there is no encryption.

The use case described above is one I'm presently encountering with a Red Hat Consulting customer.

Justin

--
View this message in context: http://cxf.547215.n5.nabble.com/WS-Policy-Expressions-for-X-509-Token-Assertions-tp5742248p5742336.html
Sent from the cxf-user mailing list archive at Nabble.com.
