Good day all,

I understand this is more of a WSS4J question; however, I was unable to find the WSS4J users list, and it occurs when trying to do .NET and Java interop using CXF.

Our setup is a .NET client to a .NET STS to a Java Service. Things are going well until we receive the token in the CXF framework at the service point. By debugging down through the code, we hit the WSS4J SAMLUtil.getCredentialFromKeyInfo method. keyInfoElement.getFirstChild() returns the SecurityTokenReference element, which has as its first child an X509Data element. The first loop correctly determines that no EncryptedKey or BinarySecret is present. The second loop determines the first child of keyInfo is not an X509Data or PublicKey; however, the SecurityTokenReference, which is the element being inspected, contains the X509Data.

From *WSS X.509 Certificate Token Profile, section 3.2*:

In order to ensure a consistent processing model across all the token types supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference> element SHALL be used to specify all references to X.509 token types in signature or encryption elements that comply with this profile.

Is this a bug in WSS4J? Or have we misconfigured something? If it is a bug, am I better off submitting the bug or creating a patch and test to submit to WSS4J?

Thanks,
Dan.
