Hi, when you additionally sign the SOAP message the recipient can be sure that the message was not altered in transit. This cannot be achieved with just adding a UsernameToken.
regards
robert

2008/6/23 Glen Mazza <[EMAIL PROTECTED]>:
>
> Hello, I have an architectural question about using UsernameTokens (which I'm
> trying to do with CXF, which of course uses WSS4J behind the scenes). If we
> are using the UsernameToken profile, I can see why we need to encrypt the
> message with the server's public key (for confidentiality), but am unsure if
> we need to also sign the message with the client's private key. Is it
> redundant with UsernameToken profile to also sign the SOAP request? My
> first guess, is that by definition, one is using Usernames and Passwords for
> authentication, and hence would not need signing of the message as well, but
> am unsure here.
>
> Thanks,
> Glen
> --
> View this message in context:
> http://www.nabble.com/Using-UsernameTokens--also-need-to-sign-the-SOAP-message--tp18059742p18059742.html
> Sent from the WSS4J mailing list archive at Nabble.com.
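
The point made in the reply above, as an added example that is not part of the original thread and is not WSS4J or CXF code: a UsernameToken PasswordDigest is computed only from nonce, creation time and password, so it still checks out when the body has changed, while a signature made with the client's private key does not. All names and sample values are constructed, and the signature here covers raw body bytes instead of the XML Signature over canonicalized XML that WS-Security uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
public class UsernameTokenVsSignature {
    // UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password)); no body input.
    static String passwordDigest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // Simplification (assumption of this example): sign the raw body bytes with RSA/SHA-256.
    static byte[] sign(PrivateKey key, String body) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(body.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    static boolean verify(PublicKey key, String body, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(body.getBytes(StandardCharsets.UTF_8));
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String created = "2008-06-23T10:00:00Z", password = "example-password";
        String sent = "<order><item>book</item><qty>1</qty></order>";
        String received = sent.replace("<qty>1<", "<qty>100<"); // body as it arrives, altered
        // Client: builds the token and signs the body it actually sent.
        String token = passwordDigest(nonce, created, password);
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair client = gen.generateKeyPair();
        byte[] sig = sign(client.getPrivate(), sent);
        // Server: recomputes the digest from its stored password, then checks the signature.
        boolean tokenOk = MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8),
                passwordDigest(nonce, created, password).getBytes(StandardCharsets.UTF_8));
        System.out.println("token accepted alongside altered body: " + tokenOk);
        System.out.println("signature valid for sent body:     " + verify(client.getPublic(), sent, sig));
        System.out.println("signature valid for received body: " + verify(client.getPublic(), received, sig));
    }
}
```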
