[
https://issues.apache.org/jira/browse/CXF-3453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ross M. Lodge reopened CXF-3453:
--------------------------------
The applied changes only fix one of two reported errors: the tests in the
attached zip produce both
cvc-complex-type.3.1.1 (where an attribute has been added to a simple type
header), and also:
cvc-complex-type.3.2.2: Attribute 'wsu:Id' is not allowed to appear in element
'blah'
Only the first was fixed in the current fix.
> WS-Security signed headers fail when schema validation enabled
> --------------------------------------------------------------
>
> Key: CXF-3453
> URL: https://issues.apache.org/jira/browse/CXF-3453
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.3.1, 2.3.3
> Reporter: Ross M. Lodge
> Assignee: Daniel Kulp
> Fix For: 2.4, 2.3.4
>
> Attachments: SignedHeaderBug.zip
>
>
> After turning on schema validation on a web-service with headers that are
> signed, but not encrypted, the schema validation fails because the "wsu:Id"
> is not allowed in the schema.
> I've seen two forms of this: a complex type header fails with an error
> saying that the "wsu:Id" attribute isn't allowed, and a simple type header
> fails saying that no attributes are allowed (except for type, nill,
> schemaInstance, etc.).
> I think this is a bug, as I don't know anything in the WS-Security specs that
> would prevent signing of simple type headers or prevent subsequent schema
> validation.
> I've worked around this by using complex types and adding "<xsd:anyAttribute
> namespace="##any" processContents="skip"/>" to those types, but it doesn't
> seem like this should be necessary, and doesn't fix the simple type problem.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
