Hi Igor,

Yes, it's a bug in the SecurityContextTokenInputHandler in WSS4J. It should be forming a new QName using securityContextTokenTypeJAXBElement.getName().getNamespaceURI() and securityContextTokenTypeJAXBElement.getName().getLocalPart() and using this instead with the getValidator call.

Could you create a JIRA (https://issues.apache.org/jira/projects/WSS) and submit a PR (https://github.com/apache/ws-wss4j/)?

Colm.

On Fri, Nov 22, 2019 at 4:05 PM CauchyPeano <[email protected]> wrote:

> Hi,
>
> I'm trying to have a class that validates incoming SCT written in request
> with Stax Security.
> Request looks like this:
>
>     <soapenv:Header>
>       <wsse:Security>
>         <wsc:SecurityContextToken>
>           <wsc:Identifier>myToken</wsc:Identifier>
>         </wsc:SecurityContextToken>
>       </wsse:Security>
>     </soapenv:Header>
>
> And I'm configuring it as
>
>     properties.put(SCT_TOKEN_VALIDATOR, "MySuperValidator");
>
> Now I see that myValidator is being instantiated but it can't be called
> because WSS4J gets the validator by a different QName than the one CXF
> sets it under.
>
> CXF Part:
> org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor#setTokenValidators
>
>     if (validator != null) {
>         properties.addValidator(WSSConstants.TAG_WSC0502_SCT, validator);
>         properties.addValidator(WSSConstants.TAG_WSC0512_SCT, validator);
>     }
>
> WSS4J Part: SecurityContextTokenInputHandler.java:72
>
>     //elementName == {http://schemas.xmlsoap.org/ws/2005/02/sc}Identifier but should be SecurityContextToken ?
>     SecurityContextTokenValidator securityContextTokenValidator =
>         wssSecurityProperties.getValidator(elementName);
>     if (securityContextTokenValidator == null) {
>         securityContextTokenValidator = new SecurityContextTokenValidatorImpl();
>     }
>
> Is it a bug? Or do I configure it wrongly? I would also be glad to help
> by providing a PR.
>
> Cheers
> Igor
