Hello,
we are slowly migrating our project from wss4j 1.5.7 to wss4j 1.6.0 (and later 1.6.1, when it will support CRL checks). If our client and server are both using the same version, then everything works fine. But if there are differences (e.g. server at 1.5.7, client with 1.6.0), then wss4j 1.6.0 throws an exception while executing the "processSecurityHeader" method:

"An invalid security token was provided (Bad TokenType "")".

If I look at the messages, I can see just one relevant difference: 1.6.0 writes the attribute "wsse11:TokenType="..."" into the SecurityTokenReference element, while 1.5.7 doesn't. The line concerned is marked with "--->>>":

wss4j 1.5:
---
...
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    soapenv:mustUnderstand="1">
  <wsse:BinarySecurityToken ...>...</wsse:BinarySecurityToken>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-9">
    <ds:SignedInfo>...</ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-92E7CECF9963FFCEA413058113612858">
      <wsse:SecurityTokenReference
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="STRId-92E7CECF9963FFCEA413058113612859">
        <wsse:Reference URI="#CertId-92E7CECF9963FFCEA413058113612847"
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
...
---

wss4j 1.6.0:
---
...
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    soapenv:mustUnderstand="1">
  <wsse:BinarySecurityToken ...>...</wsse:BinarySecurityToken>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-6">
    <ds:SignedInfo>...</ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo Id="KI-F274414FEBA072C84313058113504242">
      <wsse:SecurityTokenReference
          xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
--->>>    wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"
          wsu:Id="STR-F274414FEBA072C84313058113504263">
        <wsse:Reference URI="#X509-F274414FEBA072C84313058113504161"
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
...
---

The problem is that 1.6 apparently requires this attribute to be there. Or can I tell 1.6 (by configuration or programmatically) that it should handle this element the old way?

Compatibility between 1.5.x and 1.6 is unfortunately a must-have. There are some other houses that are using their software based on 1.5.x and they must be allowed to communicate with us. 1.5.7 has no problems understanding the messages secured by wss4j 1.6.0. Only the other direction causes us some trouble.

Is there a workaround? Or is it a bug and I should register it in JIRA?

Many greetings,
Marcin Markiewicz

----------------------------------------------------------------------
Fiducia IT AG
Fiduciastraße 20
76227 Karlsruhe
Registered office: Karlsruhe
District Court (AG) Mannheim, HRB 100059
Chairman of the Supervisory Board: Gregor Scheller
Chairman of the Management Board: Michael Krings
Deputy Chairman of the Management Board: Klaus-Peter Bruns
Management Board: Jens-Olaf Bartels, Hans-Peter Straberger
VAT ID No. DE143582320, http://www.fiducia.de
----------------------------------------------------------------------
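
Added example, not part of the original message and not wss4j code: a small DOM check that reports, for each SecurityTokenReference in a captured message, whether wsse11:TokenType is present and which ValueType its Reference carries. The class name, the helper names and the reduced sample messages are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class StrTokenTypeCheck {  // hypothetical class name
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSSE11 =
        "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
    static final String PKIPATH =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";

    // One line per SecurityTokenReference: TokenType presence and the Reference's ValueType.
    static String describe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Captured messages are untrusted input: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList strs = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(WSSE, "SecurityTokenReference");
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < strs.getLength(); i++) {
            Element str = (Element) strs.item(i);
            // DOM getAttributeNS returns "" for an absent attribute;
            // only hasAttributeNS tells "absent" apart from "present but empty".
            String tokenType = str.hasAttributeNS(WSSE11, "TokenType")
                ? "\"" + str.getAttributeNS(WSSE11, "TokenType") + "\"" : "<absent>";
            NodeList refs = str.getElementsByTagNameNS(WSSE, "Reference");
            String valueType = refs.getLength() == 0 ? "<no Reference>"
                : ((Element) refs.item(0)).getAttribute("ValueType");
            out.append("STR ").append(i).append(": TokenType=").append(tokenType)
               .append(" ValueType=").append(valueType).append('\n');
        }
        return out.toString();
    }

    // Constructed sample: the two messages above, reduced to the elements inspected here.
    static String sample(String strAttributes) {
        return "<wsse:Security xmlns:wsse=\"" + WSSE + "\" xmlns:wsse11=\"" + WSSE11 + "\">"
            + "<wsse:SecurityTokenReference" + strAttributes + ">"
            + "<wsse:Reference URI=\"#X509-constructed\" ValueType=\"" + PKIPATH + "\"/>"
            + "</wsse:SecurityTokenReference></wsse:Security>";
    }

    public static void main(String[] args) throws Exception {
        System.out.print("1.5.7-style: " + describe(sample("")));
        System.out.print("1.6.0-style: " + describe(sample(" wsse11:TokenType=\"" + PKIPATH + "\"")));
    }
}
```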
