[ https://issues.apache.org/jira/browse/WSS-147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12642830#action_12642830 ]
Aditya Sawhney commented on WSS-147:
------------------------------------
That doesn't help, as setting the order in the action list has no effect because
of the hard-coding of the order in the code.
I have tried this setting before:
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
  <constructor-arg>
    <map>
      <entry key="action" value="Timestamp UsernameToken" />
    </map>
  </constructor-arg>
</bean>
Moreover, I can't specify the order, as interop with any other (e.g. CXF) client
will become an issue and I don't want to govern
the security token order. Also, having a timestamp is not a requirement for
me. Note that WSS4J is the receiver of the security token
and not the sender.
Regards
Aditya
> WCF interop issue: Security header ordering constraint
> ------------------------------------------------------
>
> Key: WSS-147
> URL: https://issues.apache.org/jira/browse/WSS-147
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Handlers
> Environment: Windows XP, Java 1.5, CXF 2.1.2, .Net 3.5
> Reporter: Aditya Sawhney
> Assignee: Ruchith Udayanga Fernando
>
> I have a WCF client which uses WS-Security UsernameToken profile. WCF also
> automatically adds a TimeStamp header which comes before the UsernameToken
> header in the Security header.
> If I try to call a CXF web service using CXF exposed from a Java container
> then "Security header cannot be authorized" exception is thrown.
> The reason is that WSHandler::checkReceiverResults returns false. WSS4J
> expects the security header contents to be in a particular order in which
> Timestamp should come after UsernameToken but in this case it is the opposite
> and the validation fails. The WS-Security spec doesn't specify this ordering
> constraint and seems to have been self-imposed by WSS4J which is incorrect
> and needs to be fixed for the interop to work as desired.
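
The receiver-side check discussed in this issue, as an added example that is not part of the original message and is not WSS4J source. It contrasts a position-by-position comparison with an order-independent one that still rejects a header missing a required token; the class and method names are hypothetical, and the action names are the strings from the "action" entry quoted above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration, not WSS4J code. All names here are hypothetical.
public class ActionOrderCheck {

    // Models the behaviour the report describes: the processed actions must
    // match the configured ones position by position.
    static boolean strictOrderCheck(List<String> configured, List<String> processed) {
        return configured.equals(processed);
    }

    // Order-independent alternative: every configured action must be matched
    // by exactly one processed action, and nothing may be left over.
    static boolean orderIndependentCheck(List<String> configured, List<String> processed) {
        List<String> remaining = new ArrayList<String>(processed);
        for (String action : configured) {
            if (!remaining.remove(action)) { // removes the first match only
                return false;                // a required action was never processed
            }
        }
        return remaining.isEmpty();          // reject actions that were not configured
    }

    // Splits a whitespace-separated "action" value into its action names.
    static List<String> parse(String actionValue) {
        return Arrays.asList(actionValue.trim().split("\\s+"));
    }

    public static void main(String[] args) {
        List<String> configured = parse("UsernameToken Timestamp");
        // Constructed sample headers, listed in the order the elements appear.
        List<String> wcfStyle = parse("Timestamp UsernameToken");
        List<String> tokenMissing = parse("Timestamp");

        System.out.println("strict, WCF order:          " + strictOrderCheck(configured, wcfStyle));
        System.out.println("unordered, WCF order:       " + orderIndependentCheck(configured, wcfStyle));
        System.out.println("unordered, token missing:   " + orderIndependentCheck(configured, tokenMissing));
    }
}
```

Relaxing the ordering this way does not relax presence: a header without the UsernameToken still fails the order-independent check.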