My interpretation of the "token used to generate that signature" is the actual token itself. The SecurityTokenReference inside the KeyInfo is a reference to the token. Therefore IMO the WebLogic requirement is incorrect - however, others may have different opinions on it.
Colm.

On Fri, Nov 23, 2012 at 12:33 PM, andreas_triebel <[email protected]> wrote:

> This works! Thank you!
>
> Removing the ProtectTokens assertion stops Weblogic from signing resp.
> validating the STR inside the KeyInfo.
>
> I was curious and had a look at the WS-SecurityPolicy 1.2 spec and probably
> Weblogic was right to expect the STR signed?
>
> 6.5 [Token Protection] Property
> This boolean property specifies whether signatures must cover the token used
> to generate that signature. If the value is 'true', then each token used to
> generate a signature MUST be covered by that signature. If the value is
> 'false', then the token MUST NOT be covered by the signature. Note that in
> cases where derived keys are used the 'main' token, and NOT the derived key
> token, is covered by the signature. It is recommended that assertions that
> define values for this property apply to [Endpoint Policy Subject]. The
> default value for this property is 'false'.
>
> -Andreas
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Signature-Interop-Issue-Weblogic-Apache-CXF-tp5718487p5719030.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
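An added example, not part of the original thread and not CXF or WebLogic code: a check of which elements a WS-Security signature's references cover, separating the token itself from the SecurityTokenReference in KeyInfo, which is the distinction the messages above turn on. It goes beyond the thread by also treating a reference to the STR that carries the STR Dereference Transform as covering the token. The header, its Id values and the function names are constructed for illustration, and the code inspects references only; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")

def signature_coverage(security_xml):
    """Report whether the ds:Signature covers the signing token, its KeyInfo STR, or both."""
    sec = ET.fromstring(security_xml)
    sig = sec.find("ds:Signature", NS)
    str_el = sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
    str_id = str_el.get(WSU_ID)
    token_id = str_el.find("wsse:Reference", NS).get("URI").lstrip("#")
    covered = {"token": False, "str": False}
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        target = ref.get("URI", "").lstrip("#")
        algs = {t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)}
        if target == token_id:
            covered["token"] = True
        elif str_id and target == str_id:
            # With the STR-Transform the digest is over the referenced token,
            # not over the STR element itself.
            covered["token" if STR_TRANSFORM in algs else "str"] = True
    return covered

def sample_header(refs):
    """Constructed sample header; refs is a list of (URI, transform algorithm or None)."""
    body = "".join(
        '<ds:Reference URI="%s"><ds:Transforms><ds:Transform Algorithm="%s"/>'
        '</ds:Transforms></ds:Reference>'
        % (uri, alg or "http://www.w3.org/2001/10/xml-exc-c14n#")
        for uri, alg in refs)
    return (
        '<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">'
        '<wsse:BinarySecurityToken wsu:Id="X509-1">constructed</wsse:BinarySecurityToken>'
        '<ds:Signature><ds:SignedInfo>{body}</ds:SignedInfo>'
        '<ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR-1">'
        '<wsse:Reference URI="#X509-1"/></wsse:SecurityTokenReference></ds:KeyInfo>'
        '</ds:Signature></wsse:Security>').format(body=body, **NS)
```

A header that references only `#STR-1` without the transform reports `str` covered and `token` not covered, which is the case the two readings of the property disagree about.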
