Hello, I have an architectural question about using UsernameTokens (which I'm trying to do with CXF, which of course uses WSS4J behind the scenes). If we are using the UsernameToken profile, I can see why we need to encrypt the message with the server's public key (for confidentiality), but am unsure if we need to also sign the message with the client's private key. Is it redundant with UsernameToken profile to also sign the SOAP request? My first guess is that, by definition, one is using Usernames and Passwords for authentication, and hence would not need signing of the message as well, but am unsure here.
Thanks,
Glen

--
View this message in context: http://www.nabble.com/Using-UsernameTokens--also-need-to-sign-the-SOAP-message--tp18059742p18059742.html
Sent from the WSS4J mailing list archive at Nabble.com.
