Hi
I've been following Glen Mazza's example for adding X.509 security headers to Apache CXF SOAP calls (http://www.jroller.com/gmazza/entry/cxf_x509_profile), though I've turned encryption off as I didn't need it. When using it client to server, where both are using CXF and the WSS4JOut/InInterceptors, everything works nicely.

Next attempt was to call a service exposed through Oracle Service Bus (OSB). This service runs under Oracle Web Services Manager (OWSM), which enforces signing of the call. First thing I had to change was to add <entry key="signatureKeyIdentifier" value="DirectReference"/> to my client's org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor config, otherwise OWSM wouldn't accept the calls at all.

Unfortunately, changing the setting didn't cure the problem totally, because OWSM still requires the X509 Binary Security Token to be signed. Looked around and didn't find anything - found an old Nabble post about setting tokenProtection to true. Didn't find anything about it, but googling code revealed that PolicyBasedWSS4JOutInterceptor exists, but unfortunately I have no idea how to get it working.

Did I overlook an example or some documentation? If not, I would appreciate some pointers or examples on how to configure PolicyBasedWSS4JOutInterceptor/PolicyBasedWSS4JInInterceptor for both client and server setup :-)

Thanks in advance

/Jeppe
