Hi Justin,

I still think that your use-case can be handled by the standard bindings + policies. You could have an AsymmetricBinding with no IncludeTimestamp, and then have a SignedParts policy only associated with the input of the service. The response should not have any security applied then.

Colm.

On Wed, Apr 2, 2014 at 5:02 PM, JHClouser <[email protected]> wrote:
> Hi Colm,
>
> I appreciate your reply. Thank you for all of the sound work you do in this
> space.
>
> In regards to the web service under development, the X.509 certificate
> presented in a request is expected to have signed the body of the SOAP
> message so a signature can be validated and the user therefore
> authenticated.
>
> However, that is the only secure measure the service intends to assert.
> Transport security is handled upstream, so a transport binding is
> extraneous, as are symmetric and asymmetric bindings, because the response
> isn't signed and there is no encryption.
>
> The use case described above is one I'm presently encountering with a Red
> Hat Consulting customer.
>
> Justin
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/WS-Policy-Expressions-for-X-509-Token-Assertions-tp5742248p5742336.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
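
The policy layout suggested in the reply above, written out as a WSDL fragment. This is an added example, not part of the original thread and not code from either participant; the service, binding, operation and policy Id names are hypothetical, and the choice of algorithm suite, layout and token inclusion values is an assumption.

```xml
<!-- Added illustration: tns, ExampleBinding, ExamplePortType, doWork and the policy Ids are hypothetical -->
<wsdl:definitions name="Example" targetNamespace="urn:example:svc" xmlns:tns="urn:example:svc"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <!-- types, messages and portType of the service are not shown in this fragment -->
  <wsdl:binding name="ExampleBinding" type="tns:ExamplePortType">
    <!-- Binding-level policy: describes the tokens and algorithms only -->
    <wsp:PolicyReference URI="#SignOnlyBindingPolicy"/>
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="doWork">
      <wsdl:input>
        <!-- SignedParts is attached to the input message only -->
        <wsp:PolicyReference URI="#InputSignedBodyPolicy"/>
        <soap:body use="literal"/>
      </wsdl:input>
      <!-- No protection policy on the output -->
      <wsdl:output><soap:body use="literal"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsp:Policy wsu:Id="SignOnlyBindingPolicy">
    <sp:AsymmetricBinding>
      <wsp:Policy>
        <sp:InitiatorToken><wsp:Policy>
          <!-- The client sends its X.509 certificate with the signed request -->
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy></sp:InitiatorToken>
        <sp:RecipientToken><wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy></sp:RecipientToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
        <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
        <!-- sp:IncludeTimestamp is deliberately absent -->
      </wsp:Policy>
    </sp:AsymmetricBinding>
  </wsp:Policy>
  <wsp:Policy wsu:Id="InputSignedBodyPolicy">
    <sp:SignedParts><sp:Body/></sp:SignedParts>
  </wsp:Policy>
</wsdl:definitions>
```

With no Timestamp in the policy, the signed request carries no signed freshness element, so any replay protection has to come from elsewhere.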
