Hello,

I would like to enforce my endpoint to return a reference to the embedded BinarySecurityToken instead of the serial+issuer name such as:

  <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-a65f2369-4c86-4e01-9663-0ec7b90b5ac9">
    <ds:X509Data>
      <ds:X509IssuerSerial>
        <ds:X509IssuerName>IssuerName</ds:X509IssuerName>
        <ds:X509SerialNumber>124284142324952637825</ds:X509SerialNumber>
      </ds:X509IssuerSerial>
    </ds:X509Data>
  </wsse:SecurityTokenReference>

I was told by Colm O hEigeartaigh (thank you btw) that I could use the signatureKeyIdentifier property with the "DirectReference" value. TBH, as I'm on a ServiceMix with CXF+WSS4J, it's quite complicated to know where to set this property value, but that's not the point here.

I'm using a policy to define my WS-Security and found it was possible to define something like <sp:RequireEmbeddedTokenReference/> in the X509 tag. However, I'm still receiving the X509IssuerSerial.... Does anybody know how to define this correctly in a policy?

Here is my policy, only applied on the server response:

  <wsp:Policy wsu:Id="signAndTsPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:AsymmetricBinding>
          <wsp:Policy>
            <sp:IncludeTimestamp/>
            <sp:InitiatorSignatureToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssX509PkiPathV1Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorSignatureToken>
            <sp:RecipientSignatureToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"> <!-- Never? -->
                  <wsp:Policy>
                    <sp:WssX509PkiPathV1Token10/>
                    <sp:RequireEmbeddedTokenReference/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientSignatureToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256Sha256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax/>
              </wsp:Policy>
            </sp:Layout>
            <sp:ProtectTokens/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp:Policy>
        </sp:AsymmetricBinding>
        <sp:SignedParts>
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Body/>
        </sp:SignedParts>
        <sp:Wss10>
          <sp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
          </sp:Policy>
        </sp:Wss10>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

To be honest, I'm rather new to WS-Security with policy on CXF+WSS4J. I must say that it was quite complicated to find complete information to achieve my goal. That's why I'm asking for some help now.

Best Regards,
Claude
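A small check, added here and not part of Claude's post nor of CXF/WSS4J: it parses a WS-Security header and reports which SecurityTokenReference form the signature's KeyInfo carries (direct reference to an embedded BinarySecurityToken, KeyIdentifier, or the issuer/serial form quoted above), so the effect of a policy or signatureKeyIdentifier change can be verified on an actual response. The sample envelopes, the token Id X509-1 and the token bytes are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the WSS 1.0 profiles (the same ones used in the STR quoted in the post)
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

def classify_str(str_el):
    """Return (kind, detail) for one wsse:SecurityTokenReference element."""
    ref = str_el.find(f"{{{WSSE}}}Reference")  # direct reference (URI) to an embedded BST
    if ref is not None:
        return "DirectReference", ref.get("URI")
    kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")  # SKI / thumbprint style reference
    if kid is not None:
        return "KeyIdentifier", kid.get("ValueType")
    iss = str_el.find(f"{{{DS}}}X509Data/{{{DS}}}X509IssuerSerial")
    if iss is not None:  # the issuer/serial form the post currently receives
        name = iss.findtext(f"{{{DS}}}X509IssuerName", "").strip()
        serial = iss.findtext(f"{{{DS}}}X509SerialNumber", "").strip()
        return "IssuerSerial", f"{name}#{serial}"
    return "Unknown", None

def check_signature_references(soap_xml):
    """List (kind, detail, resolved) per STR under a ds:Signature; resolved is True only when a direct reference URI matches an embedded BST."""
    root = ET.fromstring(soap_xml)
    bst_ids = {b.get(f"{{{WSU}}}Id") for b in root.iter(f"{{{WSSE}}}BinarySecurityToken")}
    results = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        for str_el in sig.iter(f"{{{WSSE}}}SecurityTokenReference"):
            kind, detail = classify_str(str_el)
            resolved = kind == "DirectReference" and bool(detail) and detail.lstrip("#") in bst_ids
            results.append((kind, detail, resolved))
    return results

# Constructed sample messages (not captured traffic): one BST plus a bare ds:Signature whose
# KeyInfo holds the STR under test. Token Id "X509-1" and the token bytes are placeholders.
ISSUER_SERIAL_STR = ("<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>IssuerName</ds:X509IssuerName>"
                     "<ds:X509SerialNumber>124284142324952637825</ds:X509SerialNumber>"
                     "</ds:X509IssuerSerial></ds:X509Data>")
DIRECT_STR = f'<wsse:Reference URI="#X509-1" ValueType="{X509V3}"/>'

def sample_message(str_body):
    return (f'<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}"><soap:Header><wsse:Security>'
            f'<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}">MIIB...</wsse:BinarySecurityToken>'
            f'<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR-1">{str_body}'
            f'</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>'
            f'</soap:Header><soap:Body/></soap:Envelope>')
```

Run `check_signature_references(sample_message(DIRECT_STR))` against the constructed sample, or pass a real response body to it, to see which reference form the signing endpoint actually emitted.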
