I have a WSDL with the following policy:
    <wsp:Policy wsu:Id="SecurityPolicy">
      <wsp:ExactlyOne>
        <wsp:All>
          <wsp:PolicyReference
              URI="#TransportSecurityBindingPolicy"/>
        </wsp:All>
        <wsp:All>
          <wsp:PolicyReference
              URI="#TransportSecurityBindingPolicy"/>
          <wsp:PolicyReference
              URI="#MessageSecurityBindingPolicy"/>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
The MessageSecurityBindingPolicy mandates usage of a UsernameToken.
The policy is equivalent to:
    <wsp:Policy wsu:Id="SecurityPolicy">
      <wsp:PolicyReference URI="#TransportSecurityBindingPolicy" />
      <wsp:PolicyReference URI="#MessageSecurityBindingPolicy"
          wsp:Optional="true" />
    </wsp:Policy>
The policy means the UsernameToken is optional.
My code relies on the support of WS-SecurityPolicy in CXF and is as follows:
    mContext.put("ws-security.username", "USER");
    mContext.put("ws-security.callback-handler", "test.ClientPasswordCallback");
The output message contains the WS-Security and verifies the second
alternative.
With the following:
    mContext.remove("ws-security.username");
    mContext.remove("ws-security.callback-handler");
The output message doesn't contain the WS-Security whereas it verifies the
first alternative.
Is there a way to force the alternative, or could CXF check that the username
properties are set (which is applicable as per policy definition) and set
the WS-Security according to the policy?
--
View this message in context:
http://cxf.547215.n5.nabble.com/Policy-Alternatives-not-handled-properly-on-client-side-tp5710882.html
Sent from the cxf-user mailing list archive at Nabble.com.
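
The equivalence stated in the post, worked through as an added example (not part of the original message and not CXF code): both policy forms are expanded into their sets of alternatives and compared, which also shows that one valid alternative carries no UsernameToken requirement. Assumptions: the wsp namespace URI (the post omits the declaration), the function names, and treating each PolicyReference as an opaque assertion because the referenced policies are not shown.

```python
import xml.etree.ElementTree as ET
from itertools import product

NS = 'xmlns:wsp="http://www.w3.org/ns/ws-policy"'  # assumed; not shown in the post

# Constructed copies of the two policies from the post (wsu:Id dropped).
EXPANDED = f"""<wsp:Policy {NS}><wsp:ExactlyOne>
  <wsp:All><wsp:PolicyReference URI="#TransportSecurityBindingPolicy"/></wsp:All>
  <wsp:All><wsp:PolicyReference URI="#TransportSecurityBindingPolicy"/>
           <wsp:PolicyReference URI="#MessageSecurityBindingPolicy"/></wsp:All>
</wsp:ExactlyOne></wsp:Policy>"""

COMPACT = f"""<wsp:Policy {NS}>
  <wsp:PolicyReference URI="#TransportSecurityBindingPolicy"/>
  <wsp:PolicyReference URI="#MessageSecurityBindingPolicy" wsp:Optional="true"/>
</wsp:Policy>"""

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def alternatives(elem):
    """Return the policy alternatives as a set of frozensets of referenced URIs."""
    tag = local(elem.tag)
    kids = [alternatives(child) for child in elem]
    if tag == "ExactlyOne":
        # Choice: any alternative of any child is an alternative of the whole.
        return set().union(*kids)
    if tag in ("Policy", "All"):
        # Conjunction: pick one alternative from every child and merge them.
        return {frozenset().union(*combo) for combo in product(*kids)}
    if tag == "PolicyReference":
        alts = {frozenset([elem.get("URI")])}
        # wsp:Optional="true" is shorthand for "this assertion, or nothing".
        if any(local(k) == "Optional" and v == "true" for k, v in elem.attrib.items()):
            alts.add(frozenset())
        return alts
    raise ValueError(f"unsupported policy element: {tag}")

def alternatives_of(xml_text):
    return alternatives(ET.fromstring(xml_text))

def satisfiable_without(xml_text, uri):
    """True if at least one alternative does not require the given policy."""
    return any(uri not in alt for alt in alternatives_of(xml_text))

if __name__ == "__main__":
    for name, doc in (("expanded", EXPANDED), ("compact", COMPACT)):
        print(name, sorted(sorted(alt) for alt in alternatives_of(doc)))
    print("equivalent:", alternatives_of(EXPANDED) == alternatives_of(COMPACT))
    print("no UsernameToken accepted:",
          satisfiable_without(COMPACT, "#MessageSecurityBindingPolicy"))
```

Because one alternative contains only the transport binding, a request with no UsernameToken still conforms to this policy, so any endpoint that must authenticate callers at message level needs a policy without that alternative.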