Problem: I have a Web Service, which uses WSS4J inside a handler to validate signatures and decrypt the message and that sort of thing. Mostly that works just fine. However, I discovered that the client is sending through messages that look like this:
<SOAP-ENV:Body xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1023734535">
</SOAP-ENV:Body>
Note how there's a newline between the beginning and the end tag. The message body is signed. However, Glassfish seems to think it's ok to turn the above message into the following:
<SOAP-ENV:Body xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1023734535" />
That's very naughty, as now the signature doesn't validate... Oops.
My question is: How do I stop Glassfish from doing this? If this can't be done via a simple configuration command, which area of Glassfish is likely responsible, so that I can have a look at patching it myself?
The alternative would be to use Encryption instead of a Signature... Have tested this, and it fixes my problem just fine.
Another alternative would be if there was some way to specify the security information in a file that I can point Glassfish at - this file *cannot be the WSDL*, which is the reason I've gone down this road in the first place.
[Message sent by forum member 'ipsi' (ipsi)]
http://forums.java.net/jive/thread.jspa?messageID=346929