ffang commented on PR #1473:
URL: https://github.com/apache/cxf/pull/1473#issuecomment-1775586806
> @ffang The "SecurityConstants.ENABLE_STREAMING_SECURITY" refers to the
streaming WS-Security implementation in WSS4J. The UsernameTokenInterceptor
doesn't use WSS4J at all, it's just a pure-streaming interceptor for when we
have the simple case of a UsernameToken with no security binding.
Hi @coheigea !
Thanks for the response!
So you are suggesting that we need to accommodate the property
"ws-security.must-understand" in AbstractTokenInterceptor.findSecurityHeader
method, right?
Currently we have code in that method like
{code}
SoapHeader sh = new SoapHeader(new QName(WSS4JConstants.WSSE_NS,
"Security"), el);
sh.setMustUnderstand(true);
{code}
where mustUnderstand is hard-coded as true, but we should check property
"ws-security.must-understand" here and setMustUnderstand accordingly. Is my
understanding correct?
Freeman
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
