Signing security headers in SOAP

I'm trying to get Flex 3 to talk to JAX-WS (CXF) using WS-Security.  I've modified the flex side to add the headers, resulting in:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header>
    <ns0:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-829934">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="wsse:PasswordDigest">Q3Nmmto+7ZVD0hkbn3R84UrJ86A=</wsse:Password>
      </wsse:UsernameToken>
    </ns0:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <tns:getAllPeople xmlns:tns="http://sample.cxf.wfc.kronos.com/"/>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

On the server side, I'm using CXF with Spring configuration, and I added the org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor and org.apache.cxf.binding.soap.saaj.SAAJInInterceptor configuration. However, when I make the call, I get an exception thrown on the server side because this fails:

    if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
        checkSignatureConfirmation(reqData, wsResult);
    }

I'm trying to figure out how to disable the confirmation requirement on the server side, but I'd also like to find out how to sign it on the client (Flex) side. Any suggestions?

James



1 Reply

Gack, let's try pasting that again...

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header>
    <ns0:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-829934">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="wsse:PasswordDigest">Q3Nmmto+7ZVD0hkbn3R84UrJ86A=</wsse:Password>
      </wsse:UsernameToken>
    </ns0:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <tns:getAllPeople xmlns:tns="http://sample.cxf.wfc.kronos.com/"/>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
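
The envelope above binds the wsse and wsu prefixes to the 2002/07 draft namespaces, while ns0:Security uses the OASIS WSS 1.0 namespace. The following check is an added example, not part of the original posts and not CXF or WSS4J code: it lints a captured UsernameToken against the OASIS WSS 1.0 and UsernameToken Profile 1.0 identifiers. The function names (split, child, lint_username_token) are hypothetical.

```python
import xml.etree.ElementTree as ET

# Identifiers published in OASIS WSS 1.0 and the UsernameToken Profile 1.0.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE, WSU = OASIS + "wssecurity-secext-1.0.xsd", OASIS + "wssecurity-utility-1.0.xsd"
DIGEST = OASIS + "username-token-profile-1.0#PasswordDigest"

# The posted envelope; unused xs/xsi/soap declarations dropped, otherwise as posted.
POSTED = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header>
  <ns0:Security SOAP-ENV:mustUnderstand="1"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
    xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
    xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <wsse:UsernameToken wsu:Id="UsernameToken-829934">
    <wsse:Username>username</wsse:Username>
    <wsse:Password Type="wsse:PasswordDigest">Q3Nmmto+7ZVD0hkbn3R84UrJ86A=</wsse:Password>
   </wsse:UsernameToken>
  </ns0:Security>
 </SOAP-ENV:Header>
 <SOAP-ENV:Body><tns:getAllPeople xmlns:tns="http://sample.cxf.wfc.kronos.com/"/></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

def split(tag):  # ElementTree tag '{namespace}local' -> (namespace, local)
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def child(parent, name):  # first child with this local name, in any namespace
    children = parent if parent is not None else ()
    return next((e for e in children if split(e.tag)[1] == name), None)

def lint_username_token(envelope_xml):
    """Return findings for the UsernameToken in a SOAP envelope's Security header."""
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header")
    token = child(child(header, "Security"), "UsernameToken")
    if token is None:
        return ["no UsernameToken found in a Security header"]
    findings = [f"{name}: namespace {ns} is not WSS 1.0"
                for ns, name in map(split, (e.tag for e in [token, *token]))
                if ns != (WSU if name == "Created" else WSSE)]
    ptype = next((e.get("Type", "") for e in token if split(e.tag)[1] == "Password"), "")
    if ptype.endswith("PasswordDigest"):
        if ptype != DIGEST:
            findings.append(f"Password Type {ptype!r} is not the profile URI {DIGEST}")
        missing = [n for n in ("Nonce", "Created") if child(token, n) is None]
        if missing:  # profile digest = Base64(SHA-1(nonce + created + password))
            findings.append(f"digest without {'/'.join(missing)} is a static, replayable value")
    return findings
```

Calling lint_username_token(POSTED) reports the three elements in the draft namespace, the QName-style Password Type, and the missing Nonce/Created.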