You are viewing a plain text version of this content. The canonical link for it is here.

Posted to wss4j-dev@ws.apache.org by "Aditya Sawhney (JIRA)" <ji...@apache.org> on 2008/10/16 02:08:44 UTC

[jira] Updated: (WSS-147) WCF interop issue: Security header ordering constraint

     [ https://issues.apache.org/jira/browse/WSS-147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aditya Sawhney updated WSS-147:
-------------------------------

    Environment: Windows XP, Java 1.5, CXF 2.1.2, .Net 3.5  (was: Microsoft XP)

> WCF interop issue: Security header ordering constraint
> ------------------------------------------------------
>
>                 Key: WSS-147
>                 URL: https://issues.apache.org/jira/browse/WSS-147
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Handlers
>         Environment: Windows XP, Java 1.5, CXF 2.1.2, .Net 3.5
>            Reporter: Aditya Sawhney
>            Assignee: Ruchith Udayanga Fernando
>
> I have WCF Client which uses WS-Security UsernameToken profile. WCF also automatically adds a TimeStamp header which comes before the UsernameToken header in the Security header.
> If I try to call a CXF web service using CXF  exposed from a Java container then "Security header cannot be authorized" exception is thrown.
> The reason is that WSHandler::checkReceiverResults returns false. WSS4J excepts the security header contents to be in a particular oder in which Timestamp should come after UsernameToken but in this case it is the opposite and the validation fails. The WS-Security spec doesnt specify this ordering constraint and seems to have been self-imposed by WSS4J which is incorrect and needs to be fixed for the interop to work as desired.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

RE: [jira] Updated: (WSS-147) WCF interop issue: Security header ordering constraint

Posted by "Dittmann, Werner (NSN - DE/Munich)" <we...@nsn.com>.

you can set the ordering of the sec tokens inside the sec header
using the "action" property of the Axis WS Security handlers. 

Regards,
Werner 

> -----Original Message-----
> From: ext Aditya Sawhney (JIRA) [mailto:jira@apache.org] 
> Sent: Thursday, October 16, 2008 2:09 AM
> To: wss4j-dev@ws.apache.org
> Subject: [jira] Updated: (WSS-147) WCF interop issue: 
> Security header ordering constraint
> 
> 
>      [ 
> https://issues.apache.org/jira/browse/WSS-147?page=com.atlassi
an.jira.plugin.system.issuetabpanels:all-tabpanel ]
> 
> Aditya Sawhney updated WSS-147:
> -------------------------------
> 
>     Environment: Windows XP, Java 1.5, CXF 2.1.2, .Net 3.5  
> (was: Microsoft XP)
> 
> > WCF interop issue: Security header ordering constraint
> > ------------------------------------------------------
> >
> >                 Key: WSS-147
> >                 URL: https://issues.apache.org/jira/browse/WSS-147
> >             Project: WSS4J
> >          Issue Type: Bug
> >          Components: WSS4J Handlers
> >         Environment: Windows XP, Java 1.5, CXF 2.1.2, .Net 3.5
> >            Reporter: Aditya Sawhney
> >            Assignee: Ruchith Udayanga Fernando
> >
> > I have WCF Client which uses WS-Security UsernameToken 
> profile. WCF also automatically adds a TimeStamp header which 
> comes before the UsernameToken header in the Security header.
> > If I try to call a CXF web service using CXF  exposed from 
> a Java container then "Security header cannot be authorized" 
> exception is thrown.
> > The reason is that WSHandler::checkReceiverResults returns 
> false. WSS4J excepts the security header contents to be in a 
> particular oder in which Timestamp should come after 
> UsernameToken but in this case it is the opposite and the 
> validation fails. The WS-Security spec doesnt specify this 
> ordering constraint and seems to have been self-imposed by 
> WSS4J which is incorrect and needs to be fixed for the 
> interop to work as desired.
> 
> -- 
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org