Hi Colm,

I am pretty sure the header is added on the server side and is present on the
client side in encrypted form.
I have SOAP messages with and without the security policy entry
<EncryptedElements> (NO OTHER CHANGES), and I have the response coming in
with the added header.


Moreover, when I add the nth header in <EncryptedElements> I can see the
nth header on the client side as below:

<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Id="EncDataId-10" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod
      Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:Reference
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          URI="#EncKeyId-2C6F5CD6CE83923749131858956408810" />
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>Cw6GA+HKv8qpO0v1mDN5Odrx1PkxqcPns52g3kubMcdok4X0HU3ZSaqXEMPgCWLU9ESHKIdYlKau...</xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>


So, that confirms that the WS-Security layer has not processed the header on
the client side based on the policy.

Thanks & Regards,
Anil


On Fri, Oct 14, 2011 at 7:10 PM, Colm O hEigeartaigh <cohei...@apache.org> wrote:

> Hi Anil,
>
> Could you paste the SOAP response to the client? Maybe the returned
> encrypted token is not in the security header or something?
>
> Colm.
>
> On Fri, Oct 14, 2011 at 1:46 PM, Blue Diamond <gvnan...@gmail.com> wrote:
> > Hi,
> >
> > We are using CXF 2.3.x, and we have our WS-SecurityPolicy that has
> > something like:
> >
> > <sp:EncryptedParts>
> > <sp:Body />
> > </sp:EncryptedParts>
> > <sp:EncryptedElements>
> > <sp:XPath>/wsse:Security/wsse:SecurityContextToken</sp:XPath>
> > </sp:EncryptedElements>
> >
> >
> > The requirement is that we have our custom security token in the header that
> > needs to be encrypted.
> >
> > What happens is that the EncryptedElements section was taken care of in
> > SOAP requests, i.e. the client side encrypts and the server side decrypts.
> > All is well.
> > But in response, the element is encrypted on the server side but on the
> > client side, it is not decrypted. So client doesn't see the token in
> > response header but rather sees a <xenc:CipherData> header.
> >
> > This looks like a bug to me (could be in WSS4J).
> >
> > Is anyone aware of this issue?
> > Do we have a fix?
> > Is there some property (config) that can make the client side WS-Security
> > layer do the decryption part? Or is the only hope the later versions of
> > CXF?
> >
> > Thanks & Regards,
> > Anil
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> http://coheigea.blogspot.com/
> Talend - http://www.talend.com/apache
>
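A check for the situation described in this thread, added here as an example and not code from the thread, from CXF or from WSS4J: parse the SOAP response the client actually received and list every xenc:EncryptedData still present in the envelope, recording where it sits (Header or Body), its Type, whether its wsse:SecurityTokenReference resolves to an xenc:EncryptedKey in the wsse:Security header, and whether any xenc:DataReference in that header lists its Id. The last column matters because a WS-Security processor drives decryption from the ReferenceList, so an EncryptedData that nothing references is left in place even when its key is available. The SOAP message below is constructed for this example (Ids, namespace prefixes and ciphertext are placeholders) and is not the response from the thread; the function names are this example's own.

```python
"""Report xenc:EncryptedData elements that a WS-Security client left undecrypted.
Added example, not CXF/WSS4J code. The sample envelope is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def q(prefix, local):
    """Clark-notation tag name {uri}local, as ElementTree reports it."""
    return "{%s}%s" % (NS[prefix], local)

def inspect_encrypted_data(xml_text):
    """Return one dict per xenc:EncryptedData still present in the envelope."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers; build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}

    security = root.find("soapenv:Header/wsse:Security", NS)
    enc_key_ids, data_refs = set(), set()
    if security is not None:
        enc_key_ids = {ek.get("Id") for ek in security.iter(q("xenc", "EncryptedKey"))}
        # Every DataReference (inside EncryptedKey or a top-level ReferenceList)
        data_refs = {dr.get("URI").lstrip("#")
                     for dr in security.iter(q("xenc", "DataReference")) if dr.get("URI")}

    findings = []
    for ed in root.iter(q("xenc", "EncryptedData")):
        # Climb until we hit the Envelope's Header or Body child.
        node, location = ed, "unknown"
        while node in parent:
            if node.tag == q("soapenv", "Header"):
                location = "Header"
                break
            if node.tag == q("soapenv", "Body"):
                location = "Body"
                break
            node = parent[node]
        method = ed.find("xenc:EncryptionMethod", NS)
        ref = ed.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        key_id = ref.get("URI").lstrip("#") if ref is not None and ref.get("URI") else None
        ed_id = ed.get("Id")
        findings.append({
            "id": ed_id,
            "location": location,
            "type": (ed.get("Type") or "").rsplit("#", 1)[-1],   # Element / Content
            "algorithm": method.get("Algorithm", "").rsplit("#", 1)[-1] if method is not None else None,
            "key_id": key_id,
            "key_resolves": key_id is not None and key_id in enc_key_ids,
            "listed_in_reference_list": ed_id in data_refs,
        })
    return findings

def undecrypted_header_elements(xml_text):
    """The findings a client should never see: encrypted data left in the Header."""
    return [f for f in inspect_encrypted_data(xml_text) if f["location"] == "Header"]

# Constructed response: the Body EncryptedData is listed in the EncryptedKey's
# ReferenceList, the one wrapping the custom token in wsse:Security is not.
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soapenv:Header><wsse:Security>
  <xenc:EncryptedKey Id="EncKeyId-1">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-11"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <xenc:EncryptedData Id="EncDataId-10" Type="http://www.w3.org/2001/04/xmlenc#Element">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#EncKeyId-1"/>
   </wsse:SecurityTokenReference></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </wsse:Security></soapenv:Header>
 <soapenv:Body>
  <xenc:EncryptedData Id="EncDataId-11" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
   <xenc:CipherData><xenc:CipherValue>CCCC</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for f in inspect_encrypted_data(SAMPLE_RESPONSE):
        print(f)
```

Run it against the raw response captured with CXF's LoggingInInterceptor (before the WS-Security interceptors run) and again against what the application receives; an EncryptedData that appears in the second listing with location "Header" is the symptom from the thread, and the two boolean columns tell you whether the key was there and whether anything pointed the processor at that element.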
