Sorry, you were right:
I put this in client class: Map<String, Object> ctx = ((BindingProvider)port).getRequestContext(); ctx.put(WSHandlerConstants.IS_BSP_COMPLIANT, "false"); Now it works, but without timestamp reference. Interesting, <Body> is correctly signed and validated. If I put <sp:IncludeTimestamp> in policy file: <wsu:Timestamp wsu:Id="TS-5A28482C0A57755103139419734630013"> <wsu:Created>2014-03-07T13:02:26.300Z</wsu:Created> <wsu:Expires>2014-03-07T13:07:26.300Z</wsu:Expires> </wsu:Timestamp> then I get: Digest value: OMNbo25276XKjodI3T60RuR1nh8= Calculated digest value: olWImZ1Re/74QV8+56VdoWpwjcs= DOMReferencer class: validationStatus = Arrays.equals(digestValue, calcDigestValue); This one returns false. Thanks. -- View this message in context: http://cxf.547215.n5.nabble.com/Unable-to-verify-signature-with-Apache-CXF-and-WSS4J-on-Websphere-Application-Server-8-5-tp5740358p5740957.html Sent from the cxf-user mailing list archive at Nabble.com.