Hello Colm, Thank you for this explanation! It sounds like the system I'm sending to does not follow the current standards about line feeds in the Signature & Keyinfo tags, or perhaps their support team is just guessing about why it thinks I have threatening characters in the payload.
Either way, they are not going to change their system this year so I have to humor them, before they will look deeper. I think it should be possible to remove the characters using an Interceptor, in the USER or POST_STREAM Phase, without invalidating the signature, since they are not in the SignedInfo tag? (Am studying http://cxf.apache.org/docs/interceptors.html). Thanks again, Guy -- Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
