Add WS-Security

[rbeckman-nextgen]

WS-Securiy is a wide-streaded solution. Its implementation is critical for a big number of situations

Imported Issue. Original Details: Reporter: albertosaez Created: 2007-08-02T07:41:46.000-0700

[rbeckman-nextgen]

The only way I know to secure the WS is to use IPSec otherwise it is wide open. If someone knows the message format they can send anything without having to log in.

This appears to be a limitation of Mule so it may be difficult to fix. At least report it as an issue to Mule. If they add this functionality then you could get it by default.

Regards, John

Imported Comment. Original Details: Author: jlehew Created: 2007-11-16T09:01:38.000-0800

[rbeckman-nextgen]

Encryption and signtature of the payload of WS can be done using XML-ENCRYPTION and XMLD-SIG (w3c specs), using the WS-Security spec (OASIS one).

The problem with WS-Security is than it defines the way you can encrypt and sign, but it opens too much doors. (you can encrypt the body or just a part of the body, sing and encrypt or encrypt and sig, and so on..). The worst is than WS-Sec can't be defined at WSDL.

So, there are a lot of ways to implement securty with WS. Too much.

To solve it, another standar has arrives: WS-SecurityPolicy (based on WS-Policy). This is used by MS-Comunication Foundations (previously called Indigo). and by the Tago project of Sun.

Imported Comment. Original Details: Author: albertosaez Created: 2007-11-18T16:19:47.000-0800

[rbeckman-nextgen]

I was trying to find a way to attach Mirth to our WCF service, which uses WS-Security. GlassFish/Metro (https://wsit.dev.java.net/) implements WS-Security and works for simple contracts. Unfortunately (as I've discovered), Metro does not yet support duplex channels, one-way operations, or callback interfaces.

Imported Comment. Original Details: Author: rnadler Created: 2007-12-11T17:18:38.000-0800