[
https://issues.apache.org/jira/browse/WSS-147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved WSS-147.
-------------------------------------
Resolution: Fixed
Added a checkReceiverResultsAnyOrder method to WSHandler, which doesn't enforce
an order on the security results. It's up to any application (e.g. CXF in the
case of the original jira) to support calling this method.
> WCF interop issue: Security header ordering constraint
> ------------------------------------------------------
>
> Key: WSS-147
> URL: https://issues.apache.org/jira/browse/WSS-147
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Handlers
> Affects Versions: 1.5.6
> Environment: Windows XP, Java 1.5, CXF 2.1.2, .Net 3.5
> Reporter: Aditya Sawhney
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.8, 1.6
>
>
> I have WCF Client which uses WS-Security UsernameToken profile. WCF also
> automatically adds a TimeStamp header which comes before the UsernameToken
> header in the Security header.
> If I try to call a CXF web service using CXF exposed from a Java container
> then "Security header cannot be authorized" exception is thrown.
> The reason is that WSHandler::checkReceiverResults returns false. WSS4J
> excepts the security header contents to be in a particular oder in which
> Timestamp should come after UsernameToken but in this case it is the opposite
> and the validation fails. The WS-Security spec doesnt specify this ordering
> constraint and seems to have been self-imposed by WSS4J which is incorrect
> and needs to be fixed for the interop to work as desired.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
