Hi,

Perhaps the X509 certificate is included in the request message (because of includeToken=http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient) and the encryption part just refers to it. For the response message the certificate is not included (includeToken=http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never) and encryption packs it inside the encryption structure.

Could you post the complete request and response message to be sure?

Regards,
Andrei.

> -----Original Message-----
> From: Kai Rommel [mailto:[email protected]]
> Sent: Friday, 16 May 2014 14:07
> To: [email protected]; [email protected]
> Subject: ws policies InitiatorToken RecipientToken
>
> Hi Colm,
> I set up a scenario and was wondering about the KeyInfo elements.
>
> Policy P1 for WS-Consumer and WS-Provider
>
> CXF ---sends requestA ----> CXF
>     <--- sends responseB---
>
> Policy is
>
> <p:policies enabled="true" xmlns:p="http://cxf.apache.org/policy">
>   <wsp:Policy wsu:Id="AsymmetricII"
>       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       xmlns:wsp="http://www.w3.org/ns/ws-policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token
>                     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                     <sp:WssX509V3Token10 />
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token
>                     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                   <wsp:Policy>
>                     <sp:WssX509V3Token10 />
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>             <sp:OnlySignEntireHeadersAndBody />
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:TripleDesRsa15 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>         <sp:Wss10
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>           </wsp:Policy>
>         </sp:Wss10>
>         <sp:SignedParts
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <sp:Body />
>           <sp:Header Name="Timestamp"
>               Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" />
>         </sp:SignedParts>
>         <sp:EncryptedParts
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <sp:Body />
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> </p:policies>
>
> When I have a closer look at the messages, they look like this:
>
> A:
> Enc-Element: KeyInfo/SecurityTokenReference/KeyIdentifier
> Sig-Element: KeyInfo/SecurityTokenReference/Reference
>
> B:
> Enc-Element: KeyInfo/SecurityTokenReference/X509Data
> Sig-Element: KeyInfo/SecurityTokenReference/KeyIdentifier
>
> Is there any reason that the request message contains the KeyIdentifier in the encryption part and the response message the X509Data element?
>
> I am using CXF version 2.7.10
>
> Best regards
> Kai
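The kind of check behind Andrei's request for the full messages, as an added example that is not part of this thread and not CXF or WSS4J code: a small Python script that parses a SOAP envelope, finds the wsse:Security header, and reports which SecurityTokenReference form each KeyInfo uses (Reference, KeyIdentifier or X509Data) and whether the referenced certificate actually travels inside the message. The two envelopes REQUEST_A and RESPONSE_B are constructed here to mirror the A/B shapes Kai listed; the wsu:Id, certificate, key-identifier and issuer/serial values are placeholders, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs used in a WS-Security 1.0 header.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
SKI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"

# Skeleton envelope; the security header content is filled in per message (constructed sample).
ENVELOPE = (
    '<soap:Envelope xmlns:soap="{soap}"><soap:Header>'
    '<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:xenc="{xenc}">'
    "{header}"
    "</wsse:Security></soap:Header><soap:Body/></soap:Envelope>"
)

# A (request): the initiator certificate is carried as a BinarySecurityToken, the Signature
# refers to it directly, the EncryptedKey names the recipient key by subject key identifier.
# All token values below are placeholders, not real certificate material.
REQUEST_A = ENVELOPE.format(**NS, header=(
    '<wsse:BinarySecurityToken wsu:Id="X509-initiator" ValueType="' + X509V3 + '">'
    "PLACEHOLDER-BASE64-CERT</wsse:BinarySecurityToken>"
    "<xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>"
    '<wsse:KeyIdentifier ValueType="' + SKI + '">PLACEHOLDER-SKI</wsse:KeyIdentifier>'
    "</wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>"
    "<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>"
    '<wsse:Reference URI="#X509-initiator" ValueType="' + X509V3 + '"/>'
    "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>"
))

# B (response): no BinarySecurityToken; the EncryptedKey uses X509Data/X509IssuerSerial and the
# Signature a KeyIdentifier, so the receiver must already hold both certificates.
RESPONSE_B = ENVELOPE.format(**NS, header=(
    "<xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>"
    "<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=Placeholder CA</ds:X509IssuerName>"
    "<ds:X509SerialNumber>1234</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>"
    "</wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>"
    "<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>"
    '<wsse:KeyIdentifier ValueType="' + SKI + '">PLACEHOLDER-SKI</wsse:KeyIdentifier>'
    "</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>"
))


def key_info_reference(key_info, bst_ids):
    """Classify the SecurityTokenReference under a ds:KeyInfo element.

    Returns (form, certificate_in_message): form is the local name of the first STR
    child (Reference, KeyIdentifier, X509Data, ...). The flag is True only when the
    certificate itself is carried in the envelope: a Reference whose URI resolves to
    an included BinarySecurityToken, or X509Data that holds an X509Certificate.
    KeyIdentifier and X509IssuerSerial merely name a key the receiver must look up.
    """
    str_el = key_info.find("wsse:SecurityTokenReference", NS)
    if str_el is None or len(str_el) == 0:
        return ("missing", False)
    child = str_el[0]
    form = child.tag.rsplit("}", 1)[-1]
    if form == "Reference":
        return (form, child.get("URI", "").lstrip("#") in bst_ids)
    if form == "X509Data":
        return (form, child.find("ds:X509Certificate", NS) is not None)
    return (form, False)


def analyse_security_header(envelope_xml):
    """Report how the EncryptedKey and Signature KeyInfo elements reference their keys."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header in envelope")
    bst_ids = {bst.get(WSU_ID) for bst in sec.findall("wsse:BinarySecurityToken", NS)}
    report = {"token_included": bool(bst_ids)}
    for label, path in (("Enc", "xenc:EncryptedKey/ds:KeyInfo"), ("Sig", "ds:Signature/ds:KeyInfo")):
        key_info = sec.find(path, NS)
        report[label] = ("missing", False) if key_info is None else key_info_reference(key_info, bst_ids)
    return report


if __name__ == "__main__":
    for name, envelope in (("A (request)", REQUEST_A), ("B (response)", RESPONSE_B)):
        print(name, analyse_security_header(envelope))
```

Run it against a captured request and response (saved envelopes instead of the constructed ones) and compare the "Enc"/"Sig" forms with the sp:IncludeToken values in the policy: a direct Reference that does not resolve to a token in the same message, or a token present where the policy says Never, is the mismatch worth reporting.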
