Hello,

We have a WS-Security policy defined with AsymmetricBinding, InitiatorSignatureToken and IncludeTimestamp, among others. This policy requests a signature only on the request message, not on the response message.

When using TLS with this policy, the client validation fails, as CXF considers the timestamp invalid since it isn't signed. To my understanding, "CXF considers a token 'signed' if it is received over TLS" (quote taken from CXF-5056). Is that true for the timestamp signature validation? Should the timestamp be considered signed when using TLS?

As a side question, our partner (server side) asks us to use the http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512 namespace for WSS-Policy. CXF seems to refuse this namespace (since it's a draft, I suppose). Should I enforce the 2007 namespace use on their side? Is it valid to use a draft?

Thanks for any response.

Simon

--
View this message in context: http://cxf.547215.n5.nabble.com/WSS-WSSP-Should-Timestamp-be-considered-signed-when-using-TLS-tp5738177.html
Sent from the cxf-user mailing list archive at Nabble.com.
