[ 
https://issues.apache.org/jira/browse/WSS-147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12653994#action_12653994
 ] 

Glenn Twiggs commented on WSS-147:
----------------------------------

I'm using CXF 2.1.3 / WSS4J 1.5.4 and have seen strange behavior related to 
this issue.

I built a client using C# / WSE 3.5 to send a UsernameToken secured message to 
a web service built with CXF.
The client generates a <Security> element with a <Timestamp> and a 
<UsernameToken> in that order.
I have updated my bean.xml for the endpoint to include the following action:
                     <entry key="action" value="Timestamp UsernameToken" />
But the message still fails!
Stepping through the debugger I see that when the list of elements is passed to 
WSHandler::checkReceiverResults, it is reversed but the list of actions is in 
the original order.
So I updated the action to:
                     <entry key="action" value="UsernameToken Timestamp" />
And it worked.

There is a bug in the way the processors for the security elements build up a 
result. They push elements on to the front of a Vector instead of adding them 
to the end. Oi!

org.apache.ws.security.processor.UsernameTokenProcessor line 54
        returnResults.add(0, new WSSecurityEngineResult(WSConstants.UT,


> WCF interop issue: Security header ordering constraint
> ------------------------------------------------------
>
>                 Key: WSS-147
>                 URL: https://issues.apache.org/jira/browse/WSS-147
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Handlers
>         Environment: Windows XP, Java 1.5, CXF 2.1.2, .Net 3.5
>            Reporter: Aditya Sawhney
>            Assignee: Ruchith Udayanga Fernando
>
> I have a WCF client which uses the WS-Security UsernameToken profile. WCF also 
> automatically adds a TimeStamp header which comes before the UsernameToken 
> header in the Security header.
> If I try to call a CXF web service using CXF exposed from a Java container 
> then a "Security header cannot be authorized" exception is thrown.
> The reason is that WSHandler::checkReceiverResults returns false. WSS4J 
> expects the security header contents to be in a particular order in which 
> Timestamp should come after UsernameToken but in this case it is the opposite 
> and the validation fails. The WS-Security spec doesn't specify this ordering 
> constraint and seems to have been self-imposed by WSS4J which is incorrect 
> and needs to be fixed for the interop to work as desired.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
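
The ordering behaviour described in the comment above, as an added example that is not part of the original message and is not WSS4J code. It is a simplified model using plain lists: the class and method names are hypothetical, and the position-by-position comparison is an assumption based on the failure the comment reports. It also shows an order-independent check that still rejects a header missing a configured action.

```java
import java.util.*;

// Simplified model of the behaviour described in the comment; not WSS4J code.
public class HeaderOrderModel {
    // Models processors that prepend each result, as in returnResults.add(0, ...).
    static List<String> processPrepending(List<String> headerElements) {
        List<String> results = new ArrayList<>();
        for (String element : headerElements) {
            results.add(0, element);
        }
        return results;
    }

    // Assumed strict check: results must match the configured actions position by position.
    static boolean positionalCheck(List<String> results, List<String> actions) {
        return results.equals(actions);
    }

    // Order-independent check: every configured action performed exactly once, nothing extra.
    static boolean orderIndependentCheck(List<String> results, List<String> actions) {
        if (results.size() != actions.size()) return false;
        List<String> remaining = new ArrayList<>(actions);
        for (String r : results) {
            if (!remaining.remove(r)) return false;
        }
        return remaining.isEmpty();
    }

    public static void main(String[] args) {
        // Element order as sent by the .NET client in the comment.
        List<String> header = Arrays.asList("Timestamp", "UsernameToken");
        List<String> results = processPrepending(header);
        for (String config : new String[] {"Timestamp UsernameToken", "UsernameToken Timestamp"}) {
            List<String> actions = Arrays.asList(config.split(" "));
            System.out.printf("action=\"%s\" results=%s positional=%b orderIndependent=%b%n",
                    config, results, positionalCheck(results, actions),
                    orderIndependentCheck(results, actions));
        }
        // Constructed negative case: a header without the UsernameToken must still be rejected.
        List<String> incomplete = processPrepending(Arrays.asList("Timestamp"));
        List<String> required = Arrays.asList("Timestamp", "UsernameToken");
        System.out.println("missing token accepted: " + orderIndependentCheck(incomplete, required));
    }
}
```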

