While processing the security headers below, wss4j reads the DataReference to
decrypt the EncryptedData. But when it tries to identify the KeyInfo to get
the SharedKey, it doesn't understand that the key is a SecurityTokenReference;
it tries to find a KeyName and throws an exception. Do you have any ideas to
correct this behaviour?

<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <xenc:ReferenceList>
      <xenc:DataReference URI="#EncDataId-1234"/>
    </xenc:ReferenceList>
    <wsse:UsernameToken Id="TokenId-1234">
      <wsse:Username>username</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body>
  <xenc:EncryptedData Id="EncDataId-1234" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Reference URI="#TokenId-1234" ValueType="UsernameToken"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</soapenv:Body>


--
gurkan


Gürkan Vural wrote:

>Why is the verification code of username token encryption commented out in
>TestWSSecurity10.java? When I try to uncomment the call of
>verifyEMBED_SECURITY_TOKEN_REF (line 211), it throws an exception:
>ds:KeyName does not contain a key name. Is it really required?
>
>--
>Gürkan Vural
>  
>

