Thank you for this explanation! It sounds like the system I'm sending to
does not follow the current standards about line feeds in the Signature &
Keyinfo tags, or perhaps their support team is just guessing about why it
thinks I have threatening characters in the payload.
Either way, they are not going to change their system this year so I have to
humor them, before they will look deeper. I think it should be possible to
remove the characters using an Interceptor, in the USER or POST_STREAM
Phase, without invalidating the signature, since they are not in the
SignedInfo tag? (Am studying http://cxf.apache.org/docs/interceptors.html).
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html