I am running the apache-cxf-3.1.3/samples/ws_security/sign_enc_policy sample client/server code. I modified the policy to only do signature, no encryption.
I was curious to see how a custom SOAP header is handled with `<sp:OnlySignEntireHeadersAndBody/>`, so I added the second section of the code below.

```java
System.out.println(wsdlURL);
SOAPService ss = new SOAPService(wsdlURL, SERVICE_NAME);
Greeter port = ss.getPort(PORT_NAME, Greeter.class);

org.apache.cxf.endpoint.Client proxy = ClientProxy.getClient(port);
List<Header> headersList = new ArrayList<Header>();
Header testHeader = new Header(new QName("http://com.test/SampleWS", "tcn"), "abc123", new JAXBDataBinding(String.class));
headersList.add(testHeader);
proxy.getRequestContext().put(Header.HEADER_LIST, headersList);
```

I can now see my header in the SOAP request. However, based on the `wsu:Id` values, one digest points to the timestamp and the other points to the body. Will my custom header not be included in the digest that is signed using WS-Security?

Note: in the message below the `tcn` element carries no `wsu:Id` and neither `ds:Reference` targets it, so as sent it is not covered by the signature and could be changed in transit without invalidating it. In WS-SecurityPolicy a header is selected for signing by an `sp:Header` entry under `sp:SignedParts`, while `sp:OnlySignEntireHeadersAndBody` only restricts signature references to whole headers and the whole body.

SOAP example below:

```xml
<soap:Header>
  <tcn xmlns="http://com.test/SampleWS">abc123</tcn>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                 soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="TS-e092f8db-397a-47c2-8415-9c7416d03356">
      <wsu:Created>2015-10-16T18:18:23.145Z</wsu:Created>
      <wsu:Expires>2015-10-16T18:23:23.145Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                              wsu:Id="X509-6a1a648f-2077-49b0-ad52-5dd39839bb2d">xyz </wsse:BinarySecurityToken>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-68e6b7c4-63e5-4a6a-907d-4ca8e629230c">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
        </ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#TS-e092f8db-397a-47c2-8415-9c7416d03356">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>+4djih/y2x4YOGLvfnBvf+LGQFqF6P4Rhh8V9/I5N6o=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#_913bf553-50ca-4bab-a758-168d44e01801">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>sH3LRyoMxCivKqBU8sFESi3BxaBryVXhrcczVJHK2pA=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>xyz</ds:SignatureValue>
      <ds:KeyInfo Id="KI-35982ca6-8c19-4e92-b90c-33d18f6f6c9d">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                     wsu:Id="STR-fa6ba6f7-c883-4726-99b4-b2c869488983">
          <wsse:Reference URI="#X509-6a1a648f-2077-49b0-ad52-5dd39839bb2d"
                          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
  </wsse:Security>
</soap:Header>
```