Hi Werner,

Yep .. my bad !! Thanks for the correction ... the spec [1] clearly states
that we have to include one SignatureConfirmation element.

1428 If no <ds:Signature> elements are present in the original request message, the responder
1429 MUST include exactly one <wsse11:SignatureConfirmation> element.

IMHO this allows for a case where there will be a
SignatureConfirmation element with no stored signature value at the
requester... therefore IMHO we should not throw an exception in such a
scenario.

Thanks,
Ruchith

[1] https://svn.apache.org/repos/asf/webservices/wss4j/trunk/specs/oasis-2005xx-wss-soap-message-security-1.1-CD.pdf

On 5/23/06, Werner Dittmann <[EMAIL PROTECTED]> wrote:
Hi,

I haven't checked it yet - but according to the WSS specs
sending of security confirmation is also required (AFAIK)
in any case even if the request didn't contain a Signature.

I'll cross check it.

Regards,
Werner

Ruchith Fernando wrote:
> Hi,
>
> On 5/23/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> Hi Ruchith,
>>
>> thanks again, this works. But isn't this a bug?
>> Why does it include a SignatureConfirmation if there is no signature to
>> confirm?
>
> Yep ... I agree that we should not return SignatureConfirmation when
> there's no signature in the request... please file a JIRA bug here:
> [1]
>
>> If this behaviour is correct, the default value of
>> enableSignatureConfirmation should be "false", shouldn't it?
>
> +1 on making the default false... and I believe this will be fixed
> when we support WS-SecurityPolicy (in WSS4J 2.0).
>
> Thanks,
> Ruchith
>
> [1] http://issues.apache.org/jira/browse/WSS
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
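
The requester-side handling discussed in this thread, sketched as an added example that is not part of the original messages and is not WSS4J code. The class and method names are hypothetical, the sample values are constructed, and it assumes that the confirmation sent for an unsigned request carries no Value attribute (modelled here as null).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical requester-side check; illustrative only, not WSS4J's API.
public class SignatureConfirmationCheck {

    // sent: ds:SignatureValue strings stored when the request went out
    //       (empty list if the request was unsigned).
    // confirmations: one entry per wsse11:SignatureConfirmation in the response;
    //       null models an element without a Value attribute (assumption).
    // Returns null when the response is acceptable, otherwise the reason to reject.
    static String check(List<String> sent, List<String> confirmations) {
        if (confirmations.isEmpty()) {
            return "response carries no SignatureConfirmation";
        }
        if (sent.isEmpty()) {
            // Unsigned request: nothing is stored to compare against, and that
            // is not an error. Expect exactly one element without a value.
            if (confirmations.size() != 1) {
                return "unsigned request needs exactly one confirmation";
            }
            return confirmations.get(0) == null
                    ? null : "confirmation has a value but nothing was signed";
        }
        // Signed request: every stored value must be confirmed exactly once.
        List<String> pending = new ArrayList<>(sent);
        for (String value : confirmations) {
            if (value == null || !pending.remove(value)) {
                return "confirmation does not match a sent signature";
            }
        }
        return pending.isEmpty() ? null : pending.size() + " signature(s) unconfirmed";
    }

    public static void main(String[] args) {
        List<String> none = Collections.emptyList();
        List<String> noValue = Collections.<String>singletonList(null);
        List<String> sentA = Arrays.asList("c2lnLUE=");   // constructed sample value
        System.out.println(check(none, noValue));          // unsigned request
        System.out.println(check(sentA, sentA));           // signed and confirmed
        System.out.println(check(sentA, noValue));         // signed, not confirmed
        System.out.println(check(sentA, Arrays.asList("c2lnLUI=")));  // wrong value
    }
}
```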


