Posted to java-user@axis.apache.org by SG...@intellicare.com on 2008/04/04 20:59:22 UTC

Security Policy question

I'm trying to apply a digital signature to the inbound and outbound message
for a simple Axis2 (1.3) web service.
I would like the client to send their certificate with the request but send
the DN and certificate serial # in the response and have the client look it
up in their keystore.
I've included the policy assertions in the services.xml for the server and
in the WSDL (which is used to codegen the client stub).

Questions:
   1. Is this signature validation scenario reasonable? Or is there a better
      practice for sending information for validating the signature?
   2. Is there currently a way to get policy assertions from the WSDL into
      services.xml when generating code?
   3. Below are the relevant parts of the security policy I think should work
      as described above but doesn't: the response includes a
      BinarySecurityToken that is referenced in the response <KeyInfo>.
      Any ideas about what I'm doing wrong?

<sp:InitiatorToken>
  <wsp:Policy>
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:WssX509V3Token10/>
      </wsp:Policy>
    </sp:X509Token>
  </wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
  <wsp:Policy>
    <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
      <wsp:Policy>
        <sp:WssX509V3Token10/>
      </wsp:Policy>
    </sp:X509Token>
  </wsp:Policy>
</sp:RecipientToken>

Any help on this is appreciated!

Also, if this is not appropriate for this list and there's a better one,
sorry and please let me know.

- Steve

______________________________________________
Steve Gruverman
IntelliCare, Inc. | A Medco Health Solutions Company
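
A check for the symptom described in the post, as an added example that is not part of the original message or of Axis2: it reads a captured SOAP message and reports whether the signature's KeyInfo points at an embedded BinarySecurityToken or carries an issuer name and serial number. The sample envelopes and all function names are constructed for illustration; the namespaces are the standard WS-Security 1.0 and XML Signature ones.

```python
import xml.etree.ElementTree as ET

# Standard WS-Security 1.0 and XML Signature namespaces.
NS = {"wsse": "http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STR = "ds:KeyInfo/wsse:SecurityTokenReference/"

def describe_key_info(soap_xml):
    """Report how each ds:Signature in the wsse:Security header names its certificate."""
    # ElementTree is fine for captures you trust; use a hardened parser for untrusted XML.
    root = ET.fromstring(soap_xml)
    tokens = root.findall(".//wsse:Security/wsse:BinarySecurityToken", NS)
    findings = []
    for sig in root.findall(".//wsse:Security/ds:Signature", NS):
        ref = sig.find(STR + "wsse:Reference", NS)
        serial = sig.find(STR + "ds:X509Data/ds:X509IssuerSerial", NS)
        if ref is not None:  # points at a token carried inside this message
            findings.append({"style": "direct-reference", "uri": ref.get("URI")})
        elif serial is not None:  # receiver must look the certificate up locally
            findings.append({"style": "issuer-serial",
                             "issuer": serial.findtext("ds:X509IssuerName", "", NS).strip(),
                             "serial": serial.findtext("ds:X509SerialNumber", "", NS).strip()})
        elif sig.find(STR + "wsse:KeyIdentifier", NS) is not None:
            findings.append({"style": "key-identifier"})
        else:
            findings.append({"style": "unknown"})
    return {"embedded_tokens": len(tokens), "signatures": findings}

def uses_issuer_serial_only(soap_xml):
    """True when the message is signed, embeds no certificate, and names it by issuer/serial."""
    report = describe_key_info(soap_xml)
    return (report["embedded_tokens"] == 0 and bool(report["signatures"])
            and all(s["style"] == "issuer-serial" for s in report["signatures"]))

def _sample(header):  # builds a constructed envelope, not a captured Axis2 message
    return ('<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{NS["wsse"]}" xmlns:ds="{NS["ds"]}"><e:Header><wsse:Security>'
            f'{header}</wsse:Security></e:Header><e:Body/></e:Envelope>')

OBSERVED = _sample('<wsse:BinarySecurityToken>CONSTRUCTED</wsse:BinarySecurityToken>'
    '<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#CertId-1"/>'
    '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')
WANTED = _sample('<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data>'
    '<ds:X509IssuerSerial><ds:X509IssuerName>CN=Example CA</ds:X509IssuerName>'
    '<ds:X509SerialNumber>1234</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>'
    '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')
if __name__ == "__main__":
    print(describe_key_info(OBSERVED), describe_key_info(WANTED), sep="\n")
```
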





