Hi Kai,

Rather than using CXF's WSS4JOutInterceptor, you need to use WS-SecurityPolicy instead. When WSS4J is configured in this way, any SignedParts elements will only be signed if they exist in the message.

Colm.

On Fri, Oct 25, 2013 at 1:35 PM, Kai Rommel <[email protected]> wrote:

> Hi,
>
> I am trying to consume a WebService which requires WSRM and that the SOAP
> headers are signed.
>
> So I listed in the configuration of the interceptor
> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor of the cxf endpoint
> the elements to sign:
>
> <entry key="signatureParts"
> value="{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}ReplyTo;
> ....
>
> Doing so leads to a successful CreateSequence message sent to the
> WS-Provider, which answers with a CreateSequenceResponse.
> But now the cxf WS-Consumer endpoint tries to sign the One-Way message.
> This message does not have the header "ReplyTo", and an exception is thrown
> in the class org.apache.ws.security.message.WSSecSignatureBase
>
> It is in line 159, where the elementsToSign are checked.
>
> In the specification
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826512
> the following is stated: "Note that this assertion does not require that a
> given part appear in a message, just that if such a part appears, it
> requires integrity protection."
>
> Is there a possibility to change the wss4j implementation so that only
> these elements of the SignedParts configuration are signed, which are
> available in the message (and not to throw an exception for the elements,
> which are not available)? Or am I wrong with my interpretation?
> If there is another possibility to configure it, please let me know.
>
> Best regards
> Kai
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
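
The policy-based configuration suggested in the reply, as an added example that is not part of the original thread or taken from the CXF project: a WS-SecurityPolicy `SignedParts` assertion covering the two WS-Addressing headers named in the question. The policy `wsu:Id` is made up, the security binding and token assertions that the service requires are assumed to be defined in the same policy, and the rest of the original `signatureParts` list is elided in the question and therefore not reproduced.

```xml
<!-- Added example: constructed policy fragment, not from the original thread. -->
<wsp:Policy wsu:Id="SignedAddressingHeadersPolicy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>

      <!-- Assumption: the binding assertion (for example sp:AsymmetricBinding)
           and its token assertions go here. They decide which keys and
           algorithms are used and depend on what the provider requires. -->

      <!-- Each sp:Header names a SOAP header by local name and namespace.
           The assertion means "if this header is present, it must be signed";
           a message without ReplyTo (such as the one-way message in the
           question) still satisfies it. -->
      <sp:SignedParts>
        <sp:Header Name="To"
                   Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
        <sp:Header Name="ReplyTo"
                   Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
        <!-- Further headers from the original signatureParts list would be
             added as additional sp:Header entries. -->
      </sp:SignedParts>

    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```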
