ffang commented on PR #1473:
URL: https://github.com/apache/cxf/pull/1473#issuecomment-1772817281
> @ffang The problem is that adding the DOM interceptors means that you are
losing the whole benefit of the UsernameTokenInterceptor, which is a
pure-streaming interceptor. It will cause the message to be converted to DOM.
Instead IMO the fix is to add the must understand header as part of the
streaming code in UsernameTokenInterceptor.
Hi @coheigea ,
Thanks for your response!
I may miss something but I am confused by reading the code.
In dom based PolicyBasedWSS4JOutInterceptor we have
```
boolean enableStax =
MessageUtils.getContextualBoolean(mc,
SecurityConstants.ENABLE_STREAMING_SECURITY);
if (!enableStax) {
if (mc.getContent(SOAPMessage.class) == null) {
saajOut.handleMessage(mc);
}
mc.put(SECURITY_PROCESSED, Boolean.TRUE);
mc.getInterceptorChain().add(ending);
}
```
So if I read it correctly, if stax is enabled, this dom based
PolicyBasedWSS4JOutInterceptor will be skipped so I don't think this will cause
the message to be converted to DOM if we want to use stax way. Plus, in
UsernameTokenInterceptor, I see DOMUtils and hence dom api is used under the
hood, so I don't think UsernameTokenInterceptor is stream based purely.
Please shed light here
Thanks!
Freeman
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
