You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by "Dittmann, Werner (JIRA)" <ji...@apache.org> on 2008/10/16 08:34:48 UTC
[jira] Commented: (WSS-147) WCF interop issue: Security header
ordering constraint
[ https://issues.apache.org/jira/browse/WSS-147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12640081#action_12640081 ]
Dittmann, Werner commented on WSS-147:
--------------------------------------
you can set the ordering of the sec tokens inside the sec header
using the "action" property of the Axis WS Security handlers.
Regards,
Werner
an.jira.plugin.system.issuetabpanels:all-tabpanel ]
> WCF interop issue: Security header ordering constraint
> ------------------------------------------------------
>
> Key: WSS-147
> URL: https://issues.apache.org/jira/browse/WSS-147
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Handlers
> Environment: Windows XP, Java 1.5, CXF 2.1.2, .Net 3.5
> Reporter: Aditya Sawhney
> Assignee: Ruchith Udayanga Fernando
>
> I have WCF Client which uses WS-Security UsernameToken profile. WCF also automatically adds a TimeStamp header which comes before the UsernameToken header in the Security header.
> If I try to call a CXF web service using CXF exposed from a Java container then "Security header cannot be authorized" exception is thrown.
> The reason is that WSHandler::checkReceiverResults returns false. WSS4J excepts the security header contents to be in a particular oder in which Timestamp should come after UsernameToken but in this case it is the opposite and the validation fails. The WS-Security spec doesnt specify this ordering constraint and seems to have been self-imposed by WSS4J which is incorrect and needs to be fixed for the interop to work as desired.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org