Hi Dobri,
In the isSecHeaderRequired method, there is logic for checking
supporting tokens. That should cover Username Tokens and any kind of
supporting tokens. But in your policy, your username token is not wrapped in
any kind of supporting token policy assertion. So my guess is this is
causing the issue. I will dig into this more if I get some time. Can you
please check on that?
regards,
Nandana
On Mon, Sep 14, 2009 at 1:09 PM, Dobri Kitipov <[email protected]> wrote:
> Hi all,
> I have noticed that if I have the following security policy:
>
> see the attachment.
>
> , or Asymmetric binding + timestamp and UsernameToken. IMHO it is a valid
> case to have the above mentioned policy without the timestamp but only with
> UsernameToken.
>
> The problem is that when RampartEngine.process(MessageContext) is invoked
> then in turn it invokes RampartUtil.isSecHeaderRequired(RampartPolicyData,
> boolean, boolean)
>
> Here we check if the security header is required. And we have a check for
> the timestamp:
>
> // Checking for time stamp
> if ( rpd.isIncludeTimestamp() ) {
>     return true;
> }
>
> We do not have a check for the Username token. IMHO we need the same check
> for the Username, too.
> Please provide me with your comments. I am a little bit confused why such a
> check is not available.
>
> If I am right I can commit the needed changes.
>
> Thanks,
> Dobri
>
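
An added example, not part of the thread and not Rampart code: a small check over a WS-SecurityPolicy document that lists every UsernameToken assertion with no enclosing supporting-token assertion, which is the condition the reply above suspects. The two sample policies are constructed, the function names are hypothetical, and elements are matched by local name so either policy namespace version is accepted.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
INCLUDE = SP + "/IncludeToken/AlwaysToRecipient"

# Constructed sample: UsernameToken placed directly in the policy alternative.
BARE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:UsernameToken sp:IncludeToken="{INCLUDE}"/>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed sample: the same token wrapped in a supporting-token assertion.
WRAPPED_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:SignedSupportingTokens><wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="{INCLUDE}"/>
    </wsp:Policy></sp:SignedSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]

def unwrapped_username_tokens(policy_xml):
    """Return the element path of each UsernameToken that has no
    *SupportingTokens ancestor (hypothetical helper, matched by local name)."""
    findings = []

    def walk(elem, ancestors):
        name = local_name(elem.tag)
        if name == "UsernameToken":
            if not any(a.endswith("SupportingTokens") for a in ancestors):
                findings.append("/".join(ancestors + [name]))
            return
        for child in elem:
            walk(child, ancestors + [name])

    walk(ET.fromstring(policy_xml), [])
    return findings

if __name__ == "__main__":
    for label, doc in (("bare", BARE_POLICY), ("wrapped", WRAPPED_POLICY)):
        print(label, unwrapped_username_tokens(doc))
```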