Hi,

I set up a request/response scenario with WSS. The policy for the initiator token is set to /AlwaysToRecipient and for the recipient token to /Never. Signature and encryption are configured.

The message exchange works fine and the request message looks as expected. But the response message also contains a BinarySecurityToken element (the initiator token) in the SOAP header. This causes an issue when my WS consumer is not a CXF endpoint and validates the response message against the following rule:

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826602

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
The token MUST be included in all messages sent from initiator to the recipient. The token MUST NOT be included in messages sent from the recipient to the initiator.

Is this a bug?

Thanks.

Best regards
Kai
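The check a strict consumer would apply to the rule quoted above, as an added example that is not part of the original post and not CXF code. It goes beyond the quoted rule by covering the other IncludeToken values of the same specification except Once; the function names, the SOAP 1.1 envelope and the placeholder base64 values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # assumption: SOAP 1.1
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
INC = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/"

# Message directions in which each IncludeToken value requires the token itself
# to be embedded; in every other direction it must be absent. "Once" is left out
# because it depends on message history, not on a single message.
MUST_EMBED = {
    INC + "Never": set(),
    INC + "AlwaysToRecipient": {"request"},
    INC + "AlwaysToInitiator": {"response"},
    INC + "Always": {"request", "response"},
}

def embedded_tokens(envelope):
    """Base64 content of each BinarySecurityToken in the wsse:Security header."""
    path = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken"
    return {"".join((el.text or "").split())
            for el in ET.fromstring(envelope).findall(path)}

def include_token_violations(envelope, direction, tokens):
    """tokens maps a name to (IncludeToken URI, base64 certificate)."""
    present = embedded_tokens(envelope)
    found = []
    for name, (policy, cert_b64) in tokens.items():
        embedded = "".join(cert_b64.split()) in present
        if embedded != (direction in MUST_EMBED[policy]):
            state = "unexpected" if embedded else "missing"
            found.append(f"{name} token {state} in {direction} "
                         f"({policy.rsplit('/', 1)[1]})")
    return found

def sample_envelope(bst=None):
    """Constructed SOAP 1.1 envelope; bst is placeholder base64, not a real cert."""
    token = f"<wsse:BinarySecurityToken>{bst}</wsse:BinarySecurityToken>" if bst else ""
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"><soap:Header>'
            f"<wsse:Security>{token}</wsse:Security></soap:Header>"
            "<soap:Body/></soap:Envelope>")

INITIATOR = "SU5JVElBVE9SLUNFUlQ="  # constructed placeholder value
TOKENS = {"initiator": (INC + "AlwaysToRecipient", INITIATOR),
          "recipient": (INC + "Never", "UkVDSVBJRU5ULUNFUlQ=")}

if __name__ == "__main__":
    print(include_token_violations(sample_envelope(INITIATOR), "response", TOKENS))
```

When the envelope comes from an untrusted peer, parse it with a hardened XML parser such as defusedxml instead of the standard-library parser used here.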
