Hi all,

I am using wss4j-1.5.3 and CXF 2.0.

I am trying to secure both incoming and outgoing messages from web service client to service. Hence, I configured both incoming and outgoing interceptors on both client and server.

The incoming request gets secured by WSS4JOutInterceptor on the client and accordingly gets verified by the WSS4JInInterceptor on the server. But the problem comes in the response message from server to client. In creating the response message on the server, after invoking the service and creating the right response element, the WSS4JOutInterceptor is putting in the same security header which was in the incoming request (from client to server) and then adding security elements (as configured in the WSS4JOutInterceptor configuration).

This happens even when WSS4JOutInterceptor is configured for Action="NoSecurity"; the outgoing return message contains the security header and security elements.

In the Signature case:
If the incoming message has the following, the return message from the server also shows the same (obviously no element is found with the URI number):
<ds:Reference URI="#id-24924329" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

For the X509 token, the same X509SerialNumber is used in the response message (which is like signing/encrypting using the same key/cert which the client used in the request message),

and for Timestamp the same client-side timestamp creation and expiry values are used.

I am using org.apache.cxf.jaxws.EndpointImpl class to get endpoints of service and to configure service Interceptors. On the client side, I am using ClientProxy to get endpoint and configure properties on it.

Please let me know why the server interceptor is behaving in such a way.

With Regards,
Mayank
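
A diagnostic for the symptoms described above, as an added example that is not part of the original post or of CXF/WSS4J: it checks a captured response for ds:Reference URIs that resolve to no element and lists security-header values identical to the request's. The envelopes, timestamps, serial number, body Id of the response and all function names are constructed for illustration; only the URI #id-24924329 comes from the post.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed, simplified envelope (not a capture); only the body Id varies.
_TEMPLATE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<soap:Header><wsse:Security>
<wsu:Timestamp><wsu:Created>2007-08-01T10:00:00Z</wsu:Created><wsu:Expires>2007-08-01T10:05:00Z</wsu:Expires></wsu:Timestamp>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#id-24924329"/></ds:SignedInfo>
<ds:KeyInfo><ds:X509Data><ds:X509IssuerSerial><ds:X509SerialNumber>1001</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></ds:KeyInfo></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="{body_id}"><payload/></soap:Body></soap:Envelope>"""
REQUEST = _TEMPLATE.format(body_id="id-24924329")
RESPONSE = _TEMPLATE.format(body_id="id-777")  # header echoed, body is new

def dangling_references(envelope):
    """Return same-document Reference URIs that match no wsu:Id/Id in the envelope."""
    root = ET.fromstring(envelope)
    ids = {e.get(WSU_ID) or e.get("Id") for e in root.iter()} - {None}
    uris = [r.get("URI", "") for r in root.iterfind(".//ds:Reference", NS)]
    return [u for u in uris if u.startswith("#") and u[1:] not in ids]

def header_values(envelope):
    """Collect the header values the post reports as repeated in the response."""
    root = ET.fromstring(envelope)
    found = {}
    for name in ("wsu:Created", "wsu:Expires", "ds:X509SerialNumber"):
        el = root.find(".//" + name, NS)
        if el is not None:
            found[name] = (el.text or "").strip()
    ref = root.find(".//ds:Reference", NS)
    if ref is not None:
        found["ds:Reference/@URI"] = ref.get("URI")
    return found

def echoed_values(request, response):
    """Return the response header values that are identical to the request's."""
    req, resp = header_values(request), header_values(response)
    return {k: v for k, v in resp.items() if req.get(k) == v}

if __name__ == "__main__":
    print("dangling in response:", dangling_references(RESPONSE))
    print("echoed from request:", echoed_values(REQUEST, RESPONSE))
```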
