cxf-users mailing list archives

From DTaylor <>
Subject Issue with SecurityReferenceToken handling
Date Tue, 12 Jun 2012 20:43:25 GMT
Good day all,

I understand this is more of a WSS4J question, however I was unable to find
the WSS4J users list and it occurs when trying to do .NET and Java interop
using CXF.

Our setup is a .NET client to a .NET STS to a Java Service.

Things are going well, until we receive the token in the CXF framework at
the service point.
By debugging down through the code, we hit the WSS4J
SAMLUtil.getCredentialFromKeyInfo method.

keyInfoElement.getFirstChild() returns the SecurityTokenReference element,
which has as its first child an X509Data element.

The first loop correctly determines that no EncryptedKey or BinarySecret is
present. The second loop determines the first child of keyInfo is not an
X509Data or PublicKey, however the SecurityTokenReference, which is the
element being inspected, contains the X509Data.

From *WSS X.509 Certificate Token Profile, section 3.2*:

In order to ensure a consistent processing model across all the token types
supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference>
element SHALL be used to specify all references to X.509 token types in
signature or encryption elements that comply with this profile.

Is this a bug in WSS4J? Or have we misconfigured something?  If it is a bug,
am I better off submitting the bug or creating a patch and test to submit to



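The KeyInfo shape described in the message above, as an added example that is not part of the original post and is not WSS4J code: it contrasts a lookup that inspects only the direct children of KeyInfo with one that also accepts X509Data wrapped in a wsse:SecurityTokenReference. The class name, method names and sample XML are constructed for illustration, and only JDK DOM APIs are used.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class KeyInfoLookup {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed sample: X509Data wrapped in a SecurityTokenReference.
    static final String SAMPLE =
        "<ds:KeyInfo xmlns:ds='" + DS + "' xmlns:wsse='" + WSSE + "'>"
        + "<wsse:SecurityTokenReference><ds:X509Data>"
        + "<ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>"
        + "</ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>";

    // Namespace-qualified element match; prefixes are never compared.
    static boolean is(Node n, String ns, String local) {
        return n.getNodeType() == Node.ELEMENT_NODE
            && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName());
    }

    // Looks only at direct children of 'parent' (the behaviour described in the post).
    static Element directX509Data(Element parent) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (is(n, DS, "X509Data")) return (Element) n;
        }
        return null;
    }

    // Also accepts X509Data one level down, inside wsse:SecurityTokenReference.
    static Element x509DataAllowingStr(Element keyInfo) {
        Element found = directX509Data(keyInfo);
        for (Node n = keyInfo.getFirstChild(); found == null && n != null; n = n.getNextSibling()) {
            if (is(n, WSSE, "SecurityTokenReference")) found = directX509Data((Element) n);
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for getNamespaceURI/getLocalName
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element keyInfo = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        System.out.println("direct children only: " + (directX509Data(keyInfo) != null));
        System.out.println("descending into STR:  " + (x509DataAllowingStr(keyInfo) != null));
    }
}
```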