[SWS-989] Setting up a Wss4jSecurityInterceptor as no security still requires WS-Security header Created: 30/May/17  Updated: 30/Oct/17  Resolved: 10/Jul/17

Status: Closed
Project: Spring Web Services
Component/s: None
Affects Version/s: None
Fix Version/s: 2.4.1

Type: Bug Priority: Minor
Reporter: Jeff Torson Assignee: Greg Turnquist
Resolution: Complete Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to SWS-1008 Remove NO_SECURITY check in 3.x Closed
supersedes SWS-961 WSS4J2 Wss4jSecurityInterceptor -> va... Closed
Pull Request URL: https://github.com/spring-projects/spring-ws/pull/90


When trying to use Wss4jSecurityInterceptor from the wss4j2 package, validation is still performed when no security is set. This does not happen from the deprecated one in the wss4j package. We use this as a simple simulator and thus we turned security off. It looks like the real issue is that when calling WSSecurityUtil.decodeAction(), when NO_SECURITY is used, it returns an empty list instead of a list with 0 in it and thus:

if (validationActionsVector.contains(WSConstants.NO_SECURITY)) 

fails in validateMessage() since the list is really empty.

Generated at Wed Oct 17 20:24:23 UTC 2018 using JIRA 7.9.2#79002-sha1:3bb15b68ecd99a30eb364c4c1a393359bcad6278.