[
https://issues.apache.org/jira/browse/WSS-147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12654387#action_12654387
]
Colm O hEigeartaigh commented on WSS-147:
-----------------------------------------
Thanks Werner. Ok so the problem here is:
If we change the processing code to append results to the list, then our
"actions" will be processed in the order they are specified, and we have
interop with WCF.
The problem is that on the outbound side WSS4J prepends elements to the
security header, so we would have:
Outbound config: UsernameToken Timestamp
Inbound config: Timestamp UsernameToken
which is not ideal. How about this solution:
a) Reverse the order of the actions on the outbound side. So in this way, the
outbound security header will contain elements in the same order as the
specified actions. It would seem easier to do this than to go into the code and
explicitly append rather than prepend.
b) On the inbound side append the processed results to the results list
This would give us interop with WSS4J client-> WSS4J server and WCF
client->WSS4J server. The downside is that it would break backwards
compatibility with existing WSS4J client config. I can live with that though.
Thoughts?
> WCF interop issue: Security header ordering constraint
> ------------------------------------------------------
>
> Key: WSS-147
> URL: https://issues.apache.org/jira/browse/WSS-147
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Handlers
> Environment: Windows XP, Java 1.5, CXF 2.1.2, .Net 3.5
> Reporter: Aditya Sawhney
> Assignee: Colm O hEigeartaigh
>
> I have WCF Client which uses WS-Security UsernameToken profile. WCF also
> automatically adds a TimeStamp header which comes before the UsernameToken
> header in the Security header.
> If I try to call a CXF web service using CXF exposed from a Java container
> then "Security header cannot be authorized" exception is thrown.
> The reason is that WSHandler::checkReceiverResults returns false. WSS4J
> expects the security header contents to be in a particular order in which
> Timestamp should come after UsernameToken but in this case it is the opposite
> and the validation fails. The WS-Security spec doesn't specify this ordering
> constraint and seems to have been self-imposed by WSS4J which is incorrect
> and needs to be fixed for the interop to work as desired.
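The ordering behaviour discussed in the comment above, as an added model that is not WSS4J code and not part of the original message. All class and method names are hypothetical, the security header is reduced to a list of element names, and the receiver check is assumed to be an order-sensitive comparison of the results list against the configured actions.

```java
import java.util.*;

// Added model, not WSS4J code: every name below is hypothetical.
public class HeaderOrderModel {
    // Outbound: each action's element is inserted at the front of the header.
    static List<String> buildHeader(List<String> actions, boolean reverseActions) {
        List<String> todo = new ArrayList<>(actions);
        if (reverseActions) Collections.reverse(todo);      // proposal (a)
        LinkedList<String> header = new LinkedList<>();
        for (String action : todo) header.addFirst(action); // prepend
        return header;
    }

    // Inbound: walk the header in document order and collect results.
    static List<String> processHeader(List<String> header, boolean append) {
        LinkedList<String> results = new LinkedList<>();
        for (String element : header) {
            if (append) results.addLast(element);           // proposal (b)
            else results.addFirst(element);                 // assumed pre-change behaviour
        }
        return results;
    }

    // Assumption: the receiver check is an order-sensitive list comparison.
    static boolean check(List<String> results, List<String> actions) {
        return results.equals(actions);
    }

    public static void main(String[] args) {
        List<String> utTs = Arrays.asList("UsernameToken", "Timestamp");
        List<String> tsUt = Arrays.asList("Timestamp", "UsernameToken");

        // Append on inbound only: outbound and inbound configs end up mirrored.
        List<String> h1 = buildHeader(utTs, false);
        System.out.println("append only: header=" + h1
            + " inbound 'UsernameToken Timestamp' ok=" + check(processHeader(h1, true), utTs)
            + " inbound 'Timestamp UsernameToken' ok=" + check(processHeader(h1, true), tsUt));
        // (a) + (b): header order equals action order, one config for both sides.
        List<String> h2 = buildHeader(tsUt, true);
        System.out.println("(a)+(b): header=" + h2
            + " same config ok=" + check(processHeader(h2, true), tsUt));
        // Header in the order the reporter describes for WCF (constructed sample).
        System.out.println("WCF-style header ok="
            + check(processHeader(tsUt, true), tsUt));
        // Backwards compatibility: the same client config now yields a different header.
        System.out.println("old=" + buildHeader(utTs, false)
            + " new=" + buildHeader(utTs, true));
    }
}
```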