Hi Nicolas, What are the invalid security header elements that you want to avoid processing? If the service only cares about the UsernameToken, the correct thing to do is to add an "actor" attribute to a security header that is only meant to be processed by the service provider, and only put the UsernameToken in this security header.
You can disable processors by the QName of the element they are meant to process via WSSConfig: https://svn.apache.org/repos/asf/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSConfig.java Colm. On Fri, Jul 22, 2011 at 10:25 PM, Nicolas B <[email protected]> wrote: > > Dear all, > > I'm trying to understand the default map processors initialize in the > WSSConfig class of wss4j. > > As explained in this ticket > http://forum.springsource.org/showthread.php?112450-WSSecurityException-while-validating-WS-Security-headers > I'm trying to validate my incoming SOAP messages based on the UernameToken. > > So I want to only take care of this header element ;) When one of my client > attacks my web service he is sending the right UsernameToken but also other > elements, and the WSSecurityEngine is trying to validate ALL the elements. > > How can I configure wss4j to only validate my UsernameToken and ignore > others. Is this the good way ? Is it to my client to respect what the server > is waiting ? > > Thanks a lot in advance, and thanks for wss4j ;) > > Best Regards, > -- > View this message in context: > http://old.nabble.com/WSSConfig-processors-tp32118532p32118532.html > Sent from the WSS4J mailing list archive at Nabble.com. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > -- Colm O hEigeartaigh http://coheigea.blogspot.com/ Talend - http://www.talend.com --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
