WSS4J and WSE

[Bobby Warner <bo...@gmail.com>]

We are trying to consume a XFire web service using WSS4J with a .NET client
using WSE 2.0 and are facing an issue.  WSS4J expects that the
BinarySecurityToken tag will be the first one in the header, but WSE puts
the Timestamp in first.

There was a proposed change that would fix this issue posted to the XFire
mailing list, but was closed because it's not an XFire issue, but rather
WSS4J.  Here is a link to that discussion:
http://jira.codehaus.org/browse/XFIRE-752?page=all

Was this issue ever discussed on the WSS4J mailing list?  If so, why was the
change not implemented?  Please let me know.


Thanks,
Bobby

Re: WSS4J and WSE

[Fred Dushin <fr...@dushin.net>]

This is an excellent point, as I've run into exactly the same issue  
testing interop between CXF (a descendent of XFire) and WCF.

I agree that the ordering constraint in WSS4J is misguided; I have a  
hunce that the intention is to enforce that, say, a message is signed  
before it's encrypted, but the implementation is thrown off be other  
elements in the headers.  But I'm guessing as to the author's actual  
intentions.

There is a ticket for this item in the Apache JIRA:

http://issues.apache.org/jira/browse/WSS-70

-Fred

On Nov 7, 2007, at 4:56 PM, Bobby Warner wrote:

> We are trying to consume a XFire web service using WSS4J with  
> a .NET client using WSE 2.0 and are facing an issue.  WSS4J expects  
> that the BinarySecurityToken tag will be the first one in the  
> header, but WSE puts the Timestamp in first.
>
> There was a proposed change that would fix this issue posted to the  
> XFire mailing list, but was closed because it's not an XFire issue,  
> but rather WSS4J.  Here is a link to that discussion:
> http://jira.codehaus.org/browse/XFIRE-752?page=all
>
> Was this issue ever discussed on the WSS4J mailing list?  If so,  
> why was the change not implemented?  Please let me know.
>
>
> Thanks,
> Bobby