Hi Colm,

this is the complete policy

<wsp:Policy wsu:Id="Asymmetric"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://www.w3.org/ns/ws-policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy/>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <sp:Body />
        <sp:Header Name="To" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="From" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="FaultTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="ReplyTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="MessageID" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="RelatesTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="Action" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Name="Timestamp" Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
      </sp:SignedParts>
      <sp:EncryptedParts
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
          xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
          xmlns:wsa="http://www.w3.org/2005/08/addressing"
          xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
          xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
          xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
        <sp:Body />
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

2014/1/20 Colm O hEigeartaigh <[email protected]>

> It sounds like a bug. What does your complete security policy look like?
>
> Colm.
>
>
> On Mon, Jan 20, 2014 at 1:42 PM, Kai Rommel <[email protected]> wrote:
>
> > Hi,
> >
> > I set up a request/response scenario with wss. The policy for the initiator
> > token is set to /AlwaysToRecipient and for the recipient token to /Never.
> > Signature and encryption are configured.
> >
> > The message exchange works fine and the request message looks as
> > expected.
> > But the response message also contains a BinarySecurityToken element (the
> > initiator token) in the soap header.
> >
> > This causes an issue when my WS Consumer is not a cxf endpoint and
> > validates the response message against the following rule
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826602
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> >
> > The token MUST be included in all messages sent from initiator to the
> > recipient. The token MUST NOT be included in messages sent from the
> > recipient to the initiator.
> >
> > Is this a bug?
> >
> > Thanks.
> >
> > Best regards
> >
> > Kai
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
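
The IncludeToken rule quoted in this thread, written as a check a non-CXF consumer could run on each message. This is an added example, not code from the thread or from CXF. The function names, the cut-down policy and the envelopes are constructed for illustration, and it assumes the token travels as a wsse:BinarySecurityToken with the X509v3 ValueType (it does not inspect which certificate the token holds).

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
# Directions in which each IncludeToken mode permits the token to be sent.
ALLOWED = {"Never": set(), "Once": {"request"}, "AlwaysToRecipient": {"request"},
           "AlwaysToInitiator": {"response"}, "Always": {"request", "response"}}

def include_token_modes(policy_xml):
    """Map InitiatorToken/RecipientToken to the last segment of sp:IncludeToken."""
    root, modes = ET.fromstring(policy_xml), {}
    for role in ("InitiatorToken", "RecipientToken"):
        tok = root.find(f".//{{{SP}}}{role}//{{{SP}}}X509Token")
        if tok is not None:
            # strip(): tolerate whitespace padding around the URI
            uri = tok.get(f"{{{SP}}}IncludeToken", "").strip()
            modes[role] = uri.rsplit("/", 1)[-1]
    return modes

def check_tokens(policy_xml, soap_xml, direction):
    """Return violations for a message sent as 'request' or 'response'."""
    modes = include_token_modes(policy_xml)
    sec = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}Security")
    found = [] if sec is None else [
        b for b in sec.iter(f"{{{WSSE}}}BinarySecurityToken")
        if b.get("ValueType") == X509V3]
    permitted = [r for r, m in modes.items() if direction in ALLOWED.get(m, set())]
    if found and not permitted:
        return [f"{len(found)} X509 token(s) in {direction}; policy {modes} permits none"]
    if not found and any(modes[r].startswith("Always") for r in permitted):
        return [f"no X509 token in {direction}; {permitted} must be included"]
    return []

# Constructed inputs: cut-down policy from the thread, placeholder token body.
POLICY = f"""<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{SP}">
 <sp:AsymmetricBinding><wsp:Policy>
  <sp:InitiatorToken><wsp:Policy><sp:X509Token
    sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient"/></wsp:Policy></sp:InitiatorToken>
  <sp:RecipientToken><wsp:Policy><sp:X509Token
    sp:IncludeToken="{SP}/IncludeToken/Never"/></wsp:Policy></sp:RecipientToken>
 </wsp:Policy></sp:AsymmetricBinding></wsp:Policy>"""

def envelope(with_bst):
    """Build a constructed SOAP 1.1 envelope, optionally carrying an X509 BST."""
    bst = f'<wsse:BinarySecurityToken ValueType="{X509V3}">PLACEHOLDER</wsse:BinarySecurityToken>'
    return (f'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{WSSE}"><soap:Header><wsse:Security>{bst if with_bst else ""}'
            f'</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')
```

Calling check_tokens(POLICY, envelope(True), "response") reproduces the condition described in the thread and returns one violation.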
