This seems to be a "defect". Ideally, you would just need to change the algorithmSuite in the SymetricBinding (not the bootstrap policy) of the policy from Basic256 to Basic128 and the runtime would pick that up and request a 128bit key instead of a 256bit one. That isn't there right now though.
I'm testing a fix now so it should get into 2.2.8. Tomorrow's snapshots should be all set. Dan On Wednesday 05 May 2010 7:33:40 am Ashishz wrote: > Hello Guys, > I am using apache cxf for web service and using WS-SecureConverstationToken > for security. But when I try to use it with normal jce which comes by > default with jdk, I get the exception. > > Caused by: org.apache.xml.security.encryption.XMLEncryptionException: > Illegal key size or default parameters > Original Exception was java.security.InvalidKeyException: Illegal key size > or default parameters > > Then I used the JCE with unlimited strength and it worked. > > But there are some legal obligations with JCE with unlimited strength. Some > countries don't allow such encryption. In that perspective, I cant use this > security module for my project. > > My question is: Is it mandatory to use JCE unlimited strength with > WS-SecureConverstationToken + CXF? If not how can I leverage default JCE > which shipped with JRE 6. > > Thank you very much in advance -- Daniel Kulp [email protected] http://dankulp.com/blog
