Sending binary data through web service and using WS-Security?

CXF can do WS-Security related things along with MTOM, but the attachments do not end up signed or encrypted. The SOAP message itself is signed/encrypted, but the attachments are not due to restrictions in WSS4J. (If SpringWS uses WSS4J, it would have the same restrictions).

CXF can do WS-Security related things along with MTOM, but the attachments do not end up signed or encrypted. The SOAP message itself is signed/encrypted, but the attachments are not due to restrictions in WSS4J. (If SpringWS uses WSS4J, it would have the same restrictions) Be default for security reasons when using the WSS4JOutInterceptor with CXF, we turn off MTOM to make sure they get inlined and then signed/encrypted.

That's a security choice. The WSS4JOutInterceptor DOES have a flag (out. SetAllowMTOM(true)) which would allow the MTOM to remain as attachments, but keep in mind, those attachments would not be "secured".

Thank you for your answer. – ILX Aug 13 '09 at 21:06.

Simply send the data as a byte. If there is a large amount of data, then WCF does support MTOM. Under no circumstances should you use WSE.

WSE is based on top of ASMX web services. Microsoft has stated that ASMX technology is "legacy", and that they will not be fixing bugs in it. Even worse, WSE is quite obsolete, and has been replaced by WCF.

Yes, I'm aware of WCF and WSE. I'm asking for advices on web service design: what standards should be picked, and do they really work. To give a perspective: I work for an IBM Java shop, so MS .

NET is considered for interoperability, not for implementation. The problem is more related to serialization of binary data and digital signature: MTOM is preffered way to serialize binary data. And WS-Security specifies how to sign SOAP messages.

But there are more questions: Does MTOM work with digital signature? Is it really standardized? Are there examples?

– ILX Aug 12 '09 at 10:42 Thanks for clarifying. You should edit your question to include this information. – John Saunders Aug 12 '09 at 10:44 Also, you may not have noticed, but there was an earlier answer that suggested you use WSE.

That's why I mentioned that you should not, ever. Also, BTW, I would not consider WSE in interoperability testing. – John Saunders Aug 12 '09 at 10:45 Thanks for the answer!

It may help somebody from . NET world. You're right: I haven't noticed earlier answer.

– ILX Aug 12 '09 at 10:50 No problem. The earlier answer was deleted by the answerer. – John Saunders Aug 12 '09 at 11:41.

I would recommend the use of Spring-WS over the Apache CXF API, it's considerably lighter, better-documented and easier to use. However, Spring-WS is not JAX-WS compliant (this is no bad thing, in my opinion, but you may think different). Spring-WS is just a light, Spring-friendly wrapper around an underlying SOAP implementation, and should work on top of Sun JAX-WS or Apache CXF, although I'd recommend using Sun's implementation.It also has full MTOM and WS-Security support (via Apache WSS4J).

– ILX Aug 12 '09 at 12:29 If WSS4J can do it, then yes, since that's what Spring-WS uses. – skaffman Aug 12 '09 at 12:56.

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.