Take a look at WS-Policy (http://www-106.ibm.com/developerworks/library/ws-polfram/) and WS-SecurityPolicy (http://www-106.ibm.com/developerworks/webservices/library/ws-secpol/).
The former defines the framework to add service policy information to the WSDL or UDDI entry of a web service. The latter uses this framework to define the policy related to WS-Security.

Thomas

-----Original Message-----
From: Ricky Ho [mailto:[EMAIL PROTECTED]
Sent: Friday, January 09, 2004 5:00 PM
To: [EMAIL PROTECTED]
Subject: Re: question regarding WSDL and WS-Security

Here is what I'm thinking ...

WSDL Binding has some extensibility with which you can declare which part to encrypt. But I probably will go with another route, described as follows ...

There is a WSDL and WS-Policy; which part is to be encrypted will be described in the WS-Policy. The communication path will look like ...

ClientApp -> ClientSideGateway -> Network -> ServerSideGateway -> ServerApp

ClientApp & ServerApp - care only about WSDL
ClientSideGateway & ServerSideGateway - care only about WS-Policy

Rgds, Ricky

At 01:30 PM 1/9/2004 -0800, Shantanu Sen wrote:
>Suppose I have a method that I want to expose as a web-service. I can
>generate a WSDL that describes the service end-point, format etc.
>Suppose I expect that one or more parameters of this method will be
>encrypted, and my service will also return an encrypted string which
>I expect the client to decrypt.
>
>How would I go about describing this to the client?
>Clearly, I need to supply something more than a WSDL
>document to the client. Even if the client has an
>underlying infrastructure (e.g. a security gateway) it
>needs some sort of information. Does WS-Policy provide
>that?
>
>Thanks,
>Shantanu Sen
>
>--- Ricky Ho <[EMAIL PROTECTED]> wrote:
> > There is a nice separation between application processing and
> > infrastructure processing. WSDL describes the former and WS-Policy
> > describes the latter.
> >
> > If you are writing application code, you shouldn't care about WS-Policy
> > (and WS-Security), you only care about WSDL. The underlying
> > infrastructure (e.g. a security gateway) should take care of
> > this for you.
> >
> > However, if you are writing the intermediary code doing infrastructure
> > processing, then you shouldn't care about WSDL. Instead you should deal
> > with WS-Policy which is a less mature area (you probably need to do some
> > proprietary policy exchange handshaking).
> >
> > Rgds, Ricky
> >
> > At 12:58 PM 1/9/2004 -0800, Shantanu Sen wrote:
> > >Please point me to the correct forum if you know where
> > >I should post this question.
> > >
> > >As far as I know, currently there is no extension in
> > >WSDL for WS-Security. In other words, looking at a
> > >WSDL there is no way to figure out if the service
> > >expects security information as specified in
> > >WS-Security in the header/body of the SOAP envelope.
> > >
> > >If this is true, how does a client know how to send
> > >the correct SOAP message to the service i.e. how does
> > >it know to add the required security info?
> > >
> > >Thanks for any info regarding this.
> > >
> > >Shantanu Sen
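
The gateway's side of the split discussed in this thread, as an added example that is not part of the original messages: a Python sketch that reads the WS-Policy attached to a WSDL binding and reports which message parts must be encrypted or signed. It assumes the later WS-Policy 1.5 and WS-SecurityPolicy 1.2 namespaces rather than the 2004 drafts linked above; the service, binding and policy names are hypothetical, and the WSDL fragment is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "wsp": "http://www.w3.org/ns/ws-policy",
      "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"}
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSU_ID = "{%s}Id" % WSU

# Constructed WSDL fragment (hypothetical names), assumed to come from a trusted source.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="%s">
  <wsp:Policy wsu:Id="EncryptAndSignBody">
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    <sp:SignedParts><sp:Body/></sp:SignedParts>
  </wsp:Policy>
  <wsdl:binding name="QuoteBinding">
    <wsdl:operation name="GetQuote">
      <wsdl:input><wsp:PolicyReference URI="#EncryptAndSignBody"/></wsdl:input>
      <wsdl:output><wsp:PolicyReference URI="#EncryptAndSignBody"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>""" % WSU


def protected_parts(wsdl_text):
    """Map (operation, direction) -> parts a gateway must encrypt and sign."""
    root = ET.fromstring(wsdl_text)
    policies = {p.get(WSU_ID): p
                for p in root.iterfind(".//wsp:Policy", NS) if p.get(WSU_ID)}
    result = {}
    for op in root.iterfind("wsdl:binding/wsdl:operation", NS):
        for direction in ("input", "output"):
            msg = op.find("wsdl:" + direction, NS)
            if msg is None:
                continue
            parts = {"encrypt": [], "sign": []}
            for ref in msg.iterfind("wsp:PolicyReference", NS):
                uri = ref.get("URI", "")
                policy = policies.get(uri[1:]) if uri.startswith("#") else None
                if policy is None:
                    # Fail closed: never send in the clear on an unresolved policy.
                    raise ValueError("unresolved policy reference %r" % uri)
                # Simplification: takes the union over any policy alternatives.
                for key, name in (("encrypt", "EncryptedParts"), ("sign", "SignedParts")):
                    for assertion in policy.iterfind(".//sp:" + name, NS):
                        parts[key] += [c.tag.split("}")[1] for c in assertion]
            result[(op.get("name"), direction)] = parts
    return result
```
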
