Hi Colm,

thanks for the information. I used WS-SecurityPolicy and I do not get the exception.
I am wondering whether there will be a fix for WSS4J to align the behaviour, or is it recommended not to use WSS4JOutInterceptor but to use WS-SecurityPolicy in the future.

Thanks.

Best regards
Kai

2013/10/25 Colm O hEigeartaigh <[email protected]>

> Hi Kai,
>
> Rather than using CXF's WSS4JOutInterceptor, you need to use
> WS-SecurityPolicy instead. When WSS4J is configured in this way, any
> SignedParts Element will only be signed if they exist in the message.
>
> Colm.
>
>
> On Fri, Oct 25, 2013 at 1:35 PM, Kai Rommel <[email protected]> wrote:
>
>> Hi,
>> I am trying to consume a WebService which requires WSRM and that the SOAP
>> headers are signed.
>>
>> So I listed in the configuration of the interceptor
>> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor of the cxf endpoint
>> the elements to sign:
>> <entry key="signatureParts"
>> value="{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}To;{Element}{http://schemas.xmlsoap.org/ws/2004/08/addressing}ReplyTo;
>> ....
>>
>> Doing so leads to a successful CreateSequence message sent to the
>> WS-Provider, which answers with a CreateSequenceResponse.
>> But now the cxf WS-Consumer endpoint tries to sign the One-Way message.
>> This message does not have the header "ReplyTo", and an exception is thrown
>> in the class org.apache.ws.security.message.WSSecSignatureBase
>>
>> It is in line 159, where the elementsToSign are checked.
>>
>> In the specification
>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826512
>> following
>> is stated: "Note that this assertion does not require that a given part
>> appear in a message, just that if such a part appears, it requires
>> integrity protection."
>>
>> Is there a possibility to change the wss4j implementation so that only
>> these elements of the SignedParts configuration are signed, which are
>> available in the message (and not to throw an exception for the elements,
>> which are not available)? Or am I wrong with my interpretation?
>> If there is another possibility to configure it, please let me know.
>>
>> Best regards
>> Kai
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
