Thanks, here's another question. If I'm using the UsernameToken profile, and I sign and encrypt the message, is it recommended to also use SSL on the transport layer, or would that be redundant? I would guess the answer is to use SSL but *not* basic authentication, because the BA part is more or less the same as provided by the username token information.
Glen

Robert Wierschke-2 wrote:
>
> Hi,
>
> when you additionally sign the SOAP message the recipient can be sure that
> the message was not altered in transit. This cannot be achieved with just
> adding a UsernameToken.
>
> regards
> robert
>
> 2008/6/23 Glen Mazza <[EMAIL PROTECTED]>:
>
>> Hello, I have an architectural question about using UsernameTokens (which
>> I'm trying to do with CXF, which of course uses WSS4J behind the scenes).
>> If we are using the UsernameToken profile, I can see why we need to
>> encrypt the message with the server's public key (for confidentiality),
>> but am unsure if we need to also sign the message with the client's
>> private key. Is it redundant with UsernameToken profile to also sign the
>> SOAP request? My first guess, is that by definition, one is using
>> Usernames and Passwords for authentication, and hence would not need
>> signing of the message as well, but am unsure here.
>>
>> Thanks,
>> Glen
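
Added example, not part of the original thread and not WSS4J or CXF code: a small Python model of the point made in the quoted reply. The digest formula is the one from the WSS UsernameToken Profile; the HMAC is an assumed stand-in for an XML Signature made with the client's key, and every name, message and key below is constructed for illustration.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timezone

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def make_token(user: str, password: str) -> dict:
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": user, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}

def token_valid(token: dict, password: str) -> bool:
    # Nothing from the SOAP body enters this check.
    # (A real receiver also rejects stale Created values and replayed nonces.)
    expected = password_digest(base64.b64decode(token["Nonce"]),
                               token["Created"], password)
    return hmac.compare_digest(expected, token["PasswordDigest"])

def sign(key: bytes, token: dict, body: str) -> str:
    # Assumed stand-in for XML Signature: HMAC-SHA256 covering token digest and body,
    # which binds the body to the token it travels with.
    covered = token["PasswordDigest"].encode() + b"\n" + body.encode()
    return hmac.new(key, covered, hashlib.sha256).hexdigest()

def accept_token_only(msg: dict, password: str) -> bool:
    return token_valid(msg["token"], password)

def accept_signed(msg: dict, password: str, key: bytes) -> bool:
    return (token_valid(msg["token"], password)
            and hmac.compare_digest(sign(key, msg["token"], msg["body"]), msg["sig"]))

def demo() -> dict:
    # Constructed sample data, not taken from the thread.
    password, key = "example-password", b"constructed-signing-key"
    token = make_token("glen", password)
    body = "<order><item>widget</item><qty>1</qty></order>"
    sent = {"token": token, "body": body, "sig": sign(key, token, body)}
    altered = dict(sent, body=body.replace("<qty>1</qty>", "<qty>100</qty>"))
    return {"token_only_sent": accept_token_only(sent, password),
            "token_only_altered": accept_token_only(altered, password),
            "signed_sent": accept_signed(sent, password, key),
            "signed_altered": accept_signed(altered, password, key)}

if __name__ == "__main__":
    print(demo())
```

The token check accepts the altered body because the digest never covered it; only the check that includes the body rejects it.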
