The problem is that the action list enforces that the actions be performed in a certain order. For example, if an incoming message has a username token and then a Timestamp in the security header, in that exact order, the action list must be:
<entry key="action" value="UsernameToken Timestamp" />

This is debated in the comments of WSS-147:

https://issues.apache.org/jira/browse/WSS-147

The reason the action list appears to be "reversed" is for backwards compatibility reasons. This code could do with some work, but the real solution is to use WS-SecurityPolicy to configure WSS4J, i.e. the forthcoming CXF 2.2 or Rampart.

Colm.

________________________________________
From: Bakul Kumar [mailto:[email protected]]
Sent: 03 February 2009 20:56
To: [email protected]
Subject: Any harm to pass WSConstants.TS action?

Hi,

I have a secure web service exposed using xfire and wss4j. Some of the clients are using xfire and some are from Microsoft .net, either ASP.net, VB.net or C#.

Service security works fine for the xfire client. But it has a problem when there is a call from .net clients, saying that there is an action mismatch, as the .net client passes the TimeStamp and it's being rejected by WSHandler.checkReceiverResults().

So I have added WSConstants.TS to a pass list (which already has WSConstants.SC and WSConstants.BST) and it works fine for both the xfire client and the .net client.

I have searched the forum and found some threads regarding it, like:

http://www.nabble.com/Fwd:-"action-mismatch"-and-WSConstants.SC-meaning---td11356763.html#a11696350

but it doesn't say whether it's secure or not. And if yes, then I am curious about why it's not in the code?

I thought I would get some feedback from the community.

Thanks in advance.

Bakul Kumar.
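The order-sensitive comparison and the pass list discussed in this thread, as a simplified model added here (it is not WSS4J's code and not from either poster). The class name, the `check` method and the string action names are assumptions made for illustration; the inputs are constructed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ActionOrderCheck {

    // Hypothetical model: true only if the processed actions, minus those on
    // the pass list, equal the configured actions in the same order.
    static boolean check(List<String> processed, List<String> configured,
                         Set<String> passList) {
        int next = 0; // index of the next configured action we expect
        for (String action : processed) {
            if (passList.contains(action)) {
                continue; // on the pass list: neither required nor compared
            }
            if (next >= configured.size() || !configured.get(next).equals(action)) {
                return false; // unexpected action, or actions in a different order
            }
            next++;
        }
        return next == configured.size(); // false if a configured action never appeared
    }

    public static void main(String[] args) {
        Set<String> original = new HashSet<>(Arrays.asList("SC", "BST"));
        Set<String> withTs = new HashSet<>(Arrays.asList("SC", "BST", "Timestamp"));

        List<String> cfgUt = Arrays.asList("UsernameToken");
        List<String> cfgUtTs = Arrays.asList("UsernameToken", "Timestamp");
        List<String> cfgTsUt = Arrays.asList("Timestamp", "UsernameToken");

        // Constructed inputs: actions in the order they sit in the security header.
        List<String> withTimestamp = Arrays.asList("UsernameToken", "Timestamp");
        List<String> noTimestamp = Arrays.asList("UsernameToken");

        // Timestamp sent but not configured: the reported "action mismatch".
        System.out.println(check(withTimestamp, cfgUt, original));    // false
        // Configured in the same order as the header: accepted.
        System.out.println(check(withTimestamp, cfgUtTs, original));  // true
        // Same actions configured in the other order: rejected.
        System.out.println(check(withTimestamp, cfgTsUt, original));  // false
        // Timestamp on the pass list: accepted with or without a Timestamp.
        System.out.println(check(withTimestamp, cfgUt, withTs));      // true
        System.out.println(check(noTimestamp, cfgUt, withTs));        // true
        // A configuration that lists Timestamp can then never match.
        System.out.println(check(withTimestamp, cfgUtTs, withTs));    // false
    }
}
```

In this model, putting Timestamp on the pass list means the check no longer distinguishes a message that carries a Timestamp from one that does not, so a receiver that depends on the Timestamp being present has to enforce that somewhere else.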
