This is an excellent point, as I've run into exactly the same issue
testing interop between CXF (a descendent of XFire) and WCF.
I agree that the ordering constraint in WSS4J is misguided; I have a
hunce that the intention is to enforce that, say, a message is signed
before it's encrypted, but the implementation is thrown off be other
elements in the headers. But I'm guessing as to the author's actual
intentions.
There is a ticket for this item in the Apache JIRA:
http://issues.apache.org/jira/browse/WSS-70
-Fred
On Nov 7, 2007, at 4:56 PM, Bobby Warner wrote:
We are trying to consume a XFire web service using WSS4J with
a .NET client using WSE 2.0 and are facing an issue. WSS4J expects
that the BinarySecurityToken tag will be the first one in the
header, but WSE puts the Timestamp in first.
There was a proposed change that would fix this issue posted to the
XFire mailing list, but was closed because it's not an XFire issue,
but rather WSS4J. Here is a link to that discussion:
http://jira.codehaus.org/browse/XFIRE-752?page=all
Was this issue ever discussed on the WSS4J mailing list? If so,
why was the change not implemented? Please let me know.
Thanks,
Bobby
