dit you read part 2? In that article I refer to our code repository where there is actually an example where signing and encryption are used together.

When a message has to be both signed and encrypted, it doesn’t really matter in what order you apply them. However, if you only want to sign part of what you want to encrypt, you’ll have to sign first, as there is no notion of elements anymore after you’ve ecnrypted data (it’s just an unreadable blob of data).

In Spring-WS, you’ll have to specify two different interceptor beans (same class thoug), since both need a diiferent key from your keystore. The example code shows an example of this.

Good luck

What I meant about Signing-then-Encrypting-then-Signing is how to use Signature and Encryption together for a XML file.

Regards

I partly agree with you if you say WSS is complicated. There is pretty good support for WSS in web service stacks (see our example project on google code). So something is already done about it. What is left is pretty hard to make easier.

We don’t have an open source project. On this blog we just express our opinions and (sometimes) support that with sample code.

About your first question, I don’t really understand what you mean. Signing and Encrpytion are two very distinct technologies that achieve different goals. It is never a choice of one or the other. It’s whatever you need to happen.

Thanks for your post.

I’m also interested in WebService Security, and have some experience with both Transport Level Security and Message Level Security. I hope we could discuss more to make WSS useful and widely recognized in the industry.

I have three questions
1. Did you come up with a good scheme either to Sign, Encrypt and Sign, or Encrypt, Sign and Encrypt ?
2. While WSS is supported by Big Guys of the IT world, it is still too much complicated, can we do something about it ?
3. Does your gridshore.nl group have some open source project that I can join ?

I thank you for your time