Posted to rampart-dev@ws.apache.org by Ellecer Valencia <el...@gmail.com> on 2009/10/30 01:53:36 UTC

PasswordDigest not being displayed in WS-Policy in generated WSDL - bug or not bug?

Hi,

I've set up a webservice with Rampart and WS-Policy to use Password
Digest for authentication. However, I've noticed that when the WSDL is
generated by Axis, the WS-Policy doesn't actually make any mention of
this.  Is this how it's supposed to work?

The WS-Policy shown in the WSDL is this:

   <wsp:Policy
       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
       wsu:Id="UsernameToken">
       <wsp:ExactlyOne>
           <wsp:All>
               <sp:SupportingTokens
                   xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                   <wsp:Policy>
                       <sp:UsernameToken
                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"/>
                   </wsp:Policy>
               </sp:SupportingTokens>
           </wsp:All>
       </wsp:ExactlyOne>
   </wsp:Policy>


This portion that was in the services.xml seems to have been left out:

<wsp:Policy>
       <sp:HashPassword/>
</wsp:Policy>


Does this indicate a problem with Rampart passing on the policy
information to Axis2 (or Axis2 when creating the WSDL), or is
everything working as it should?

Is WS-Policy in a WSDL also meant to indicate if Password Digest is
used? If the idea is that WSDL represents a contract between clients
and a service, then shouldn't the usage of Password Digest be more
explicit?


thanks,

Ellecer
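
A check for the mismatch described in the message above, as an added example that is not part of the original post and is not Rampart or Axis2 code. It assumes sp:HashPassword sits in the UsernameToken's nested wsp:Policy, as WS-SecurityPolicy 1.2 defines it; the function names and both sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
INCLUDE = SP + "/IncludeToken/AlwaysToRecipient"

# Constructed sample: policy as configured in services.xml, with HashPassword.
CONFIGURED = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All><sp:SupportingTokens><wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="{INCLUDE}">
      <wsp:Policy><sp:HashPassword/></wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy></sp:SupportingTokens></wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed sample: policy as it appears in the generated WSDL (see the post).
PUBLISHED = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All><sp:SupportingTokens><wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="{INCLUDE}"/>
  </wsp:Policy></sp:SupportingTokens></wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


def username_token_assertions(policy_xml):
    """For each sp:UsernameToken, return the set of sp: assertions nested in it."""
    # Input is expected to be your own config/WSDL; stdlib ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(policy_xml)
    found = []
    for token in root.iter(f"{{{SP}}}UsernameToken"):
        names = set()
        for nested in token.findall(f"{{{WSP}}}Policy/*"):
            if nested.tag.startswith(f"{{{SP}}}"):
                names.add(nested.tag.split("}", 1)[1])
        found.append(names)
    return found


def missing_from_published(configured_xml, published_xml):
    """Token assertions present in the configured policy but not advertised."""
    configured = set().union(*username_token_assertions(configured_xml))
    published = set().union(*username_token_assertions(published_xml))
    return sorted(configured - published)


if __name__ == "__main__":
    for name in missing_from_published(CONFIGURED, PUBLISHED):
        print(f"sp:{name} is configured but absent from the published policy")
```

A non-empty result means clients reading only the WSDL cannot tell that a digest, rather than a plaintext password, is expected in the UsernameToken.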