Great, thanks for the solution. I'll try it tomorrow. (the WSSConfig way...)
Greetings,
Marcin.
No it's not a bug. WSS4J 1.6 enforces compliance to the Basic Security
Profile specification. You can turn this off if you're using WSHandler
by setting the configuration tag WSHandlerConstants.IS_BSP_COMPLIANT
to "false". If you're not using WSHandler, you can turn it off via the
"setWsiBSPCompliant(boolean)" method of WSSConfig.
Colm.
On Thu, May 19, 2011 at 3:00 PM, <[email protected]> wrote:
Hello,
we are slowly migrating our project from wss4j 1.5.7 to wss4j 1.6.0 (and
later 1.6.1 when it will support CRL check). If our client and server are
both using the same version, then all works fine. But if there are
differences (ex. server at 1.5.7, client with 1.6.0), then wss4j 1.6.0
throws an exception while executing the "processSecurityHeader" method: "An
invalid security token was provided (Bad TokenType "")".
If I look in the messages, I can see just one relevant difference: 1.6.0
writes the attribute "wsse11:TokenType="..."" into the
SecurityTokenReference element, while 1.5.7 doesn't. The concerned line is
marked with "--->>>":
wss4j1.5:
---
...
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken ...>...</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-9">
<ds:SignedInfo>...</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-92E7CECF9963FFCEA413058113612858">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-92E7CECF9963FFCEA413058113612859">
<wsse:Reference URI="#CertId-92E7CECF9963FFCEA413058113612847"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
...
---
wss4j 1.6.0:
---
...
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken ...>...</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-6">
<ds:SignedInfo>...</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo Id="KI-F274414FEBA072C84313058113504242">
<wsse:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
--->>>
wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"
wsu:Id="STR-F274414FEBA072C84313058113504263">
<wsse:Reference URI="#X509-F274414FEBA072C84313058113504161"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
...
---
The problem is that 1.6 apparently requires this attribute to be there. Or
can I tell 1.6 (per configuration/programmatically) that it should handle
this Element the old way?
The compatibility between 1.5.x and 1.6 is unfortunately a must have. There
are some other houses that are using their software based on 1.5.x and they
must be allowed to communicate with us. 1.5.7 has no problems understanding
the messages secured by wss4j 1.6.0. Only the other way causes us some
trouble.
Is there a workaround? Or is it a bug and I should register it in JIRA?
Many greetings,
Marcin Markiewicz
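The WSSConfig route from Colm's reply, as an added example that is not code from the thread or from the WSS4J project: it disables the BSP checks only for senders known to run WSS4J 1.5.x and keeps them enforced for everyone else. The class name `PeerAwareSecurityProcessor`, the `legacyPeers` set and the `peerId` argument are hypothetical; the peer identity is assumed to come from something established before the WS-Security header is processed (for example the transport layer or the endpoint the message arrived on).

```java
import java.util.List;
import java.util.Set;
import javax.security.auth.callback.CallbackHandler;

import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.w3c.dom.Document;

/** Hypothetical helper: relaxes BSP enforcement only for known WSS4J 1.5.x senders. */
public class PeerAwareSecurityProcessor {

    private final WSSecurityEngine strictEngine = new WSSecurityEngine();
    private final WSSecurityEngine legacyEngine = new WSSecurityEngine();
    private final Set<String> legacyPeers; // assumption: ids of partners still on 1.5.x

    public PeerAwareSecurityProcessor(Set<String> legacyPeers) {
        this.legacyPeers = legacyPeers;

        // WSS4J 1.6 default: Basic Security Profile compliance is enforced.
        strictEngine.setWssConfig(WSSConfig.getNewInstance());

        // Relaxed configuration: accepts a SecurityTokenReference without the
        // wsse11:TokenType attribute, as written by WSS4J 1.5.x.
        WSSConfig relaxed = WSSConfig.getNewInstance();
        relaxed.setWsiBSPCompliant(false);
        legacyEngine.setWssConfig(relaxed);
    }

    /**
     * Processes the wsse:Security header of an inbound message.
     * Returns null when the message carries no security header.
     */
    public List<WSSecurityEngineResult> process(String peerId, Document soapMessage,
            CallbackHandler callbackHandler, Crypto crypto) throws WSSecurityException {
        // Unknown peers always get the strict engine.
        WSSecurityEngine engine =
                legacyPeers.contains(peerId) ? legacyEngine : strictEngine;
        // actor == null: process the header that has no actor/role attribute.
        return engine.processSecurityHeader(soapMessage, null, callbackHandler, crypto);
    }
}
```

With WSHandler, the equivalent switch is the WSHandlerConstants.IS_BSP_COMPLIANT option set to "false" on the handler that serves the legacy partners.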