I am trying to process a RequestSecurityTokenResponse response from a 
Tango/WSIT using WSSecurityEngine.processSecurityHeader and I am getting a 
schema violation in a SecurityTokenReference while processing DerivedKeyToken.

The 2 XML snippets:

<wsse:SecurityTokenReference>
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">98NJSduf4U2nkayvyLa883vlwH8=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>4XUJHPIItkdKUoXn5LeTPYnL</wsc:Nonce>
</wsc:DerivedKeyToken>


<wsse:SecurityTokenReference>
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1">98NJSduf4U2nkayvyLa883vlwH8=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>XNyCAb834PB3p/wN5zV5x7q+</wsc:Nonce>
</wsc:DerivedKeyToken>

It appears that the DerivedKeyTokenProcessor.extractSecret assumes that there 
will only be a Reference. There are instances in the same XML document where a 
SecurityTokenReference within an EncryptedData does contain a Reference.

The stack trace:
testSTSResponse1(sts.test.ProcessSampleMessages) org.apache.ws.security.WSSecurityException:
 General security error (Bad element, expected
 "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Reference"
 while got
 "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}KeyIdentifier")
    at org.apache.ws.security.message.token.Reference.<init>(Reference.java:60)
    at org.apache.ws.security.message.token.SecurityTokenReference.getReference(SecurityTokenReference.java:127)
    at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:117)
    at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:65)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:279)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:201)

I am not sure if I am doing something fundamentally wrong or if I have a 
compatibility issue. I am trying to validate the message-level security and 
decrypt the message.

Wes.
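Added example, not part of the original mail and not WSS4J code: a small Python resolver that accepts both shapes of SecurityTokenReference that appear in the message above, a wsse:Reference to an EncryptedKey by wsu:Id and a wsse:KeyIdentifier whose ValueType is EncryptedKeySHA1 (the base64 of the SHA-1 over the raw EncryptedKey CipherValue bytes), and fails closed with None for anything else instead of dying on a bad cast. The wsc namespace URI, element ids and key bytes are constructed assumptions.

```python
import base64, hashlib, xml.etree.ElementTree as ET
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"  # assumed WS-SecureConversation namespace
EK_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"

def encrypted_key_sha1(cipher_value_b64):
    # EncryptedKeySHA1 = base64(SHA-1(raw bytes of the EncryptedKey CipherValue))
    raw = base64.b64decode(cipher_value_b64)
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def index_encrypted_keys(root):
    # Index every EncryptedKey both by wsu:Id and by its EncryptedKeySHA1 value
    index = {}
    for ek in root.iter(f"{{{XENC}}}EncryptedKey"):
        cipher = ek.find(f".//{{{XENC}}}CipherValue").text.strip()
        index[("sha1", encrypted_key_sha1(cipher))] = ek
        index[("id", ek.get(f"{{{WSU}}}Id"))] = ek
    return index

def resolve_str(str_el, index):
    # Accept either STR shape; anything else resolves to None rather than a bad cast
    ref = str_el.find(f"{{{WSSE}}}Reference")
    if ref is not None:
        return index.get(("id", ref.get("URI", "").lstrip("#")))
    kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
    if kid is not None and kid.get("ValueType") == EK_SHA1:
        return index.get(("sha1", (kid.text or "").strip()))
    return None

def resolve_derived_key_tokens(header_xml):
    # Map each DerivedKeyToken wsu:Id to the wsu:Id of the EncryptedKey its STR names (or None)
    root = ET.fromstring(header_xml)
    index = index_encrypted_keys(root)
    result = {}
    for dkt in root.iter(f"{{{WSC}}}DerivedKeyToken"):
        ek = resolve_str(dkt.find(f"{{{WSSE}}}SecurityTokenReference"), index)
        result[dkt.get(f"{{{WSU}}}Id")] = None if ek is None else ek.get(f"{{{WSU}}}Id")
    return result

# Constructed sample header: one EncryptedKey, two DerivedKeyTokens, one per STR shape
KEY_CIPHER = base64.b64encode(b"constructed-encrypted-key-bytes").decode("ascii")
SAMPLE_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:xenc="{XENC}" xmlns:wsc="{WSC}">
 <xenc:EncryptedKey wsu:Id="EK-1"><xenc:CipherData><xenc:CipherValue>{KEY_CIPHER}</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
 <wsc:DerivedKeyToken wsu:Id="DK-1"><wsse:SecurityTokenReference><wsse:Reference URI="#EK-1"/></wsse:SecurityTokenReference>
  <wsc:Offset>0</wsc:Offset><wsc:Length>16</wsc:Length><wsc:Nonce>c2FtcGxl</wsc:Nonce></wsc:DerivedKeyToken>
 <wsc:DerivedKeyToken wsu:Id="DK-2"><wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="{EK_SHA1}">{encrypted_key_sha1(KEY_CIPHER)}</wsse:KeyIdentifier></wsse:SecurityTokenReference>
  <wsc:Offset>0</wsc:Offset><wsc:Length>16</wsc:Length><wsc:Nonce>c2FtcGxl</wsc:Nonce></wsc:DerivedKeyToken>
</wsse:Security>"""
```

resolve_derived_key_tokens(SAMPLE_HEADER) returns {"DK-1": "EK-1", "DK-2": "EK-1"}; the second token is the case the mail's DerivedKeyTokenProcessor.extractSecret rejects.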