Ok thanks. I've merged a fix for this which will appear in CXF 2.7.9.

Colm.


On Mon, Jan 20, 2014 at 1:56 PM, Kai Rommel <[email protected]> wrote:

> Hi Colm, this is the complete policy
>
> <wsp:Policy wsu:Id="Asymmetric"
>   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   xmlns:wsp="http://www.w3.org/ns/ws-policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding
>         xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token
>                 sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token
>                 sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy/>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>           <sp:OnlySignEntireHeadersAndBody />
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic128 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:SignedParts
>         xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <sp:Body />
>         <sp:Header Name="To" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
>         <sp:Header Name="From" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
>         <sp:Header Name="FaultTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
>         <sp:Header Name="ReplyTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
>         <sp:Header Name="MessageID" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
>         <sp:Header Name="RelatesTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
>         <sp:Header Name="Action" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
>         <sp:Header Name="Timestamp"
>           Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
>       </sp:SignedParts>
>       <sp:EncryptedParts
>         xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>         xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
>         xmlns:wsa="http://www.w3.org/2005/08/addressing"
>         xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>         xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
>         xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
>         <sp:Body />
>       </sp:EncryptedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> 2014/1/20 Colm O hEigeartaigh <[email protected]>
>
>> It sounds like a bug. What does your complete security policy look like?
>>
>> Colm.
>>
>>
>> On Mon, Jan 20, 2014 at 1:42 PM, Kai Rommel <[email protected]> wrote:
>>
>> > Hi,
>> >
>> > I set up a request/response scenario with WSS. The policy for the
>> > initiator token is set to /AlwaysToRecipient and for the recipient
>> > token to /Never. Signature and encryption are configured.
>> >
>> > The message exchange works fine and the request message looks as
>> > expected. But the response message also contains a BinarySecurityToken
>> > element (the initiator token) in the SOAP header.
>> >
>> > This causes an issue when my WS consumer is not a CXF endpoint and
>> > validates the response message against the following rule
>> >
>> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826602
>> >
>> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
>> >
>> > The token MUST be included in all messages sent from initiator to the
>> > recipient. The token MUST NOT be included in messages sent from the
>> > recipient to the initiator.
>> >
>> >
>> > Is this a bug?
>> >
>> >
>> > Thanks.
>> >
>> >
>> > Best regards
>> >
>> > Kai
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
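As an added example (not CXF code and not from anyone in the thread), a small Python check that applies the IncludeToken rule Kai quotes to a message: it reads the IncludeToken values from an AsymmetricBinding policy and flags a BinarySecurityToken in a message direction the policy does not permit, which is the check a non-CXF consumer would run on the response. The policy and response below are constructed samples; the namespace constants are the standard WS-SecurityPolicy 1.2, WS-Policy, WSSE 1.0 and SOAP 1.1 URIs.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
INCLUDE = SP + "/IncludeToken/"

# Directions ("request" = initiator to recipient, "response" = the reverse) in which each IncludeToken value permits the token.
ALLOWED = {
    INCLUDE + "Never": set(),
    INCLUDE + "AlwaysToRecipient": {"request"},
    INCLUDE + "AlwaysToInitiator": {"response"},
    INCLUDE + "Always": {"request", "response"},
}

def include_token_rules(policy_xml):
    """Map InitiatorToken/RecipientToken to the IncludeToken URI on its X509Token."""
    root = ET.fromstring(policy_xml)
    rules = {}
    for role in ("InitiatorToken", "RecipientToken"):
        tok = root.find(f".//{{{SP}}}{role}/{{{WSP}}}Policy/{{{SP}}}X509Token")
        if tok is not None:  # WS-SP default when the attribute is absent is Always
            rules[role] = tok.get(f"{{{SP}}}IncludeToken", INCLUDE + "Always").strip()
    return rules

def check_direction(rules, message_xml, direction):
    """Return (roles allowed to send a token, BST count, ok flag)."""
    # Without matching tokens to keys this is a count check: wsse:Security may
    # carry no more BinarySecurityTokens than roles permitted in this direction
    # (with AlwaysToRecipient + Never, a response permits zero).
    allowed = sorted(r for r, uri in rules.items() if direction in ALLOWED.get(uri, set()))
    env = ET.fromstring(message_xml)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    bsts = [] if sec is None else sec.findall(f"{{{WSSE}}}BinarySecurityToken")
    return allowed, len(bsts), len(bsts) <= len(allowed)

# Constructed sample policy (condensed from the one quoted in the thread).
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"><wsp:ExactlyOne><wsp:All>
<sp:AsymmetricBinding><wsp:Policy><sp:InitiatorToken><wsp:Policy>
<sp:X509Token sp:IncludeToken="{INCLUDE}AlwaysToRecipient"><wsp:Policy/></sp:X509Token>
</wsp:Policy></sp:InitiatorToken><sp:RecipientToken><wsp:Policy>
<sp:X509Token sp:IncludeToken="{INCLUDE}Never"><wsp:Policy/></sp:X509Token>
</wsp:Policy></sp:RecipientToken></wsp:Policy></sp:AsymmetricBinding>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""

# Constructed sample response showing the reported behaviour: a BinarySecurityToken sent back to the initiator (placeholder certificate text).
BAD_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header><wsse:Security xmlns:wsse="{WSSE}">
<wsse:BinarySecurityToken>CERT-PLACEHOLDER</wsse:BinarySecurityToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""
```

For the sample above, `check_direction(include_token_rules(POLICY), BAD_RESPONSE, "response")` returns `([], 1, False)`: no role may include a token in the response, yet one BinarySecurityToken is present.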
