Robert, it's quite simple. One SOAP request may have several security headers, for example using different actors. There is a constructor in WSSecHeader to define an actor. A setter method is also available. Because it is an error to have two security headers with the same actor, the WSSecHeader class takes care to create and insert only _one_ header per actor. Refer to the OASIS WSS specification for more detailed information.
Thus the application, in this case the test cases, may manage several security headers. When calling a security function such as adding a username token, the application must define to which security header the token shall be added or the security action shall be performed.

See some comments inline.

Regards,
Werner

Robert Wierschke wrote:
Hi,

I'm a bit confused about the handling of Security headers in wss4j. There is an object representing the Security header that must be inserted in the DOM manually:

    WSSecHeader secHeader = new WSSecHeader();
    secHeader.insertSecurityHeader(doc); // insert into DOM

Also, the Security header should now be in the DOM tree; the object must be passed again when calling the security operations.

    builder.addExternalRefElement(refs, secHeader);
    builder.prependToHeader(secHeader); // insert into SOAP (why!?)
Werner: does not bind to SOAP but puts the data of this builder object into the security header, prepending other existing security tokens already inside the security header. The security header is already inserted into the SOAP request.
    builder.prependBSTElementToHeader(secHeader);

Furthermore, I signed and encrypted the SOAP message in separate steps using different builders and different WSSecHeader objects and calling secHeader.insertSecurityHeader(doc) twice (once for each WSSecHeader) with the same DOM tree. To my confusion this results in a SOAP message with only one Security header element.

So what is the sense of the WSSecHeader? Why do I need to pass it everywhere? Why do I need to insert it manually in the SOAP? What if I need separate Security headers?

regards
robert
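The per-actor behaviour described in the reply above, as an added example that is not code from the thread or from the WSS4J project. It assumes the WSS4J 1.5.x API (package org.apache.ws.security.message); the class name, sample envelope, actor URI and credentials are constructed for illustration. It prints the number of wsse:Security elements for the same-actor case and for the two-actor case.

```java
import java.io.ByteArrayInputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.w3c.dom.Document;

public class ActorHeaderDemo {                        // hypothetical class name
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/"
            + "oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Constructed sample envelope with an empty SOAP header.
    static final String SOAP =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<soapenv:Header/><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>";
    static final String GATEWAY_ACTOR = "http://example.org/actor/gateway"; // constructed

    static Document newEnvelope() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);                    // WSS4J needs a namespace-aware DOM
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(SOAP.getBytes("UTF-8")));
    }

    static int securityHeaders(Document doc) {
        return doc.getElementsByTagNameNS(WSSE_NS, "Security").getLength();
    }

    public static void main(String[] args) throws Exception {
        // Same (default) actor: two WSSecHeader objects, inserted into one DOM tree.
        Document same = newEnvelope();
        new WSSecHeader().insertSecurityHeader(same);
        new WSSecHeader().insertSecurityHeader(same);
        System.out.println("same actor: " + securityHeaders(same));

        // Different actors: one WSSecHeader per actor.
        Document split = newEnvelope();
        WSSecHeader defaultHdr = new WSSecHeader();
        WSSecHeader gatewayHdr = new WSSecHeader(GATEWAY_ACTOR);
        defaultHdr.insertSecurityHeader(split);
        gatewayHdr.insertSecurityHeader(split);

        // The header argument selects which Security element receives each token.
        WSSecTimestamp ts = new WSSecTimestamp();
        ts.build(split, defaultHdr);
        WSSecUsernameToken ut = new WSSecUsernameToken();
        ut.setUserInfo("alice", "constructed-password");   // constructed credentials
        ut.build(split, gatewayHdr);
        System.out.println("two actors: " + securityHeaders(split));
    }
}
```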
