Hi, in our project we have a conflict between two parties using different web service frameworks. We use Apache CXF (3.1.3).
This is what happens: We use a WS-SecurityPolicy for all communication with a partner. This policy defines that attachments must be encrypted. The problem is that when we send a message without attachments with this policy, CXF creates an EncryptedKey element in the security header. But this EncryptedKey element (xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#") has no ReferenceList (which is correct) and is not associated with any element, because we don't encrypt anything in this case. The other party rejects these messages because of this unnecessary EncryptedKey element.

In my opinion this element is not necessary, but it is not a bug, and I cannot find anything against it in the corresponding specs. What do you think about it? Is it a bug?

Greets

--
View this message in context: http://cxf.547215.n5.nabble.com/EncryptedKey-in-Security-Header-for-messages-wihtout-encrypted-content-tp5768129.html
Sent from the cxf-user mailing list archive at Nabble.com.
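
A diagnostic for the situation described in the message above, as an added example that is not part of the original post or of Apache CXF: it lists EncryptedKey elements in a wsse:Security header that carry no ReferenceList and are not the target of any wsse:Reference. The envelope, the Ids and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


def unused_encrypted_keys(envelope_xml):
    """Return the Ids of EncryptedKey elements in wsse:Security that have no
    xenc:ReferenceList and are not pointed at by any wsse:Reference URI."""
    # ElementTree is adequate for captured test traffic; use a hardened
    # parser (for example defusedxml) on untrusted messages.
    root = ET.fromstring(envelope_xml)
    # Same-document references ("#id") made from SecurityTokenReference.
    referenced = {r.get("URI", "")[1:]
                  for r in root.iter(f"{{{WSSE}}}Reference")
                  if r.get("URI", "").startswith("#")}
    unused = []
    for security in root.iter(f"{{{WSSE}}}Security"):
        for key in security.findall(f"{{{XENC}}}EncryptedKey"):
            has_list = key.find(f"{{{XENC}}}ReferenceList") is not None
            key_id = key.get("Id")
            if not has_list and key_id not in referenced:
                unused.append(key_id)
    return unused


def sample_envelope(with_reference_list):
    """Constructed SOAP envelope; all values are placeholders."""
    ref = ('<xenc:ReferenceList><xenc:DataReference URI="#ED-1"/>'
           '</xenc:ReferenceList>' if with_reference_list else "")
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" '
            f'xmlns:xenc="{XENC}"><soap:Header><wsse:Security>'
            '<xenc:EncryptedKey Id="EK-1">'
            '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue>'
            '</xenc:CipherData>'
            f'{ref}</xenc:EncryptedKey>'
            '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')


if __name__ == "__main__":
    # Message without encrypted content: the key is reported as unused.
    print(unused_encrypted_keys(sample_envelope(False)))
    # Message whose key lists what it encrypts: nothing is reported.
    print(unused_encrypted_keys(sample_envelope(True)))
```

Running it over captured outbound messages shows which ones carry the unreferenced key that the other party rejects.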
