Werner,

> well, depending on the security set-up at the server
> it may not even be possible to process security headers.
>
> Just a question Grzegorz: does your server throw an
> exception to generate the fault? I ask this because
> I would like to know why there is a security header on
> a SOAP Fault message - this usually shouldn't be the case.

That's where we're getting to "interoperability issues" :)

I've got a WSDL document and a public web service address (it's not secret):
https://trial.e-trace.biz/wse/EtraceService.asmx. The server is .NET with WSE
(I don't know what versions).

Here are the details. I receive:
- soap:Fault/faultCode="code:FailedAuthentication"
- soap:Fault/faultString="The security token could not be authenticated or authorized"

but there are also a few soap:headers (wsa:Action, wsa:MessageId, ..., wsse:Security).
The wsse:Security header contains digests of six elements (4 from the wsa namespace,
wsse:Timestamp and soap:Body).

I don't know why the server (which clearly rejects my certificate) sends these
security headers. In my sample server, generated from this WSDL (using Axis and
WSS4J), throwing the fault prevented WSS4J from applying security headers and the
client received a plain SOAP envelope. However, that's not the case with .NET+WSE...

According to the WSS 1.0 Specification (oasis-200401-wss-soap-message-security-1.0.pdf),
the failure MUST be reported using soap:Fault (line 1499 of that PDF), but it says
nothing about security headers in that case...

> It could be that we need to check this with a specific test
> case. Also we probably need to disable security processing
> at the Response handler if we detect a SOAP fault message from
> some "upper" layer, similar to the receiver.

Certainly, the
<faultcode xmlns:code="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
element suggests that it's a WSS fault...

Also - when I configured my <responseFlow> at the client side with
action="Signature Timestamp", WSS4J throws an exception when there are no
wsse:Security soap headers... There should be a way to
customize/relax/anticipate different behaviors.

Regards
Grzegorz Grzybek
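The relaxation discussed in this thread, sketched as an added example (not code from WSS4J, Axis or either poster): a response without a wsse:Security header is tolerated only when soap:Fault is the sole element in the Body, and a header that is present is still verified. The class, enum and policy names are hypothetical, and the SOAP 1.1 envelope namespace is assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
public class FaultSecurityCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/"; // SOAP 1.1 (assumed)
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/"
        + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
    enum Decision { VERIFY_SECURITY, UNAUTHENTICATED_FAULT, REJECT_MISSING_SECURITY }
    // Hypothetical policy: never skip verification of a header that is present, and never
    // accept an unsecured response unless the Body holds nothing but a soap:Fault.
    static Decision classify(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element env = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        Element header = child(env, SOAP, "Header", false);
        if (header != null && child(header, WSSE, "Security", false) != null)
            return Decision.VERIFY_SECURITY;
        Element body = child(env, SOAP, "Body", false);
        if (body != null && child(body, SOAP, "Fault", true) != null)
            return Decision.UNAUTHENTICATED_FAULT; // report it; its content is not integrity-protected
        return Decision.REJECT_MISSING_SECURITY;
    }
    // First matching element child; with sole=true, null unless it is the only element child.
    static Element child(Element p, String ns, String local, boolean sole) {
        Element hit = null;
        int elements = 0;
        for (Node n = p.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;
            elements++;
            if (hit == null && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))
                hit = (Element) n;
        }
        return (sole && elements != 1) ? null : hit;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample messages, not captured from the service named in the post.
        String open = "<soap:Envelope xmlns:soap='" + SOAP + "'><soap:Body>";
        String fault = open + "<soap:Fault><faultcode>soap:Server</faultcode>"
            + "<faultstring>rejected</faultstring></soap:Fault></soap:Body></soap:Envelope>";
        String plain = open + "<r xmlns='urn:example'>ok</r></soap:Body></soap:Envelope>";
        System.out.println(classify(fault));
        System.out.println(classify(plain));
    }
}
```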
