Hi, I'm a bit confused about the handling of Security headers in wss4j.
There is an object representing the Security header that must be inserted in the DOM manually:

    WSSecHeader secHeader = new WSSecHeader();
    secHeader.insertSecurityHeader(doc); // insert into DOM

So the Security header should now be in the DOM tree. The object must be passed again when calling the security operations:

    builder.addExternalRefElement(refs, secHeader);
    builder.prependToHeader(secHeader); // insert into SOAP (why!?)
    builder.prependBSTElementToHeader(secHeader);

Furthermore, I signed and encrypted the SOAP message in separate steps using different builders and different WSSecHeader objects, calling secHeader.insertSecurityHeader(doc) twice (once for each WSSecHeader) with the same DOM tree. To my confusion, this results in a SOAP message with only one Security header element.

So what is the sense of the WSSecHeader? Why do I need to pass it everywhere? Why do I need to insert it manually in the SOAP? What if I need separate Security headers?

regards
robert
