Hi,
I have to provide a web service to a client that can only supports message layer security for authentication. In Glassfish 2.1.
In order to keep things as simple as possible in terms of Glassfish config, I specified a default provider for SOAP message security. I configured the ServerProvider by setting auth-source="sender", which as I understand it, requires me to provide a UsernameToken security header. I then built a simple ejb3 Session bean, added a @WebService annotation to it and deployed it to test with soapUI 2.5.1. I added two WS-Security headers to the request in soapUI - one for UsernameToken and one for Timestamp. When I tried this configuration, I got an AuthException in the Glassfish server log: "More Receiver requirements [ SignaturePolicy SignaturePolicy ] specified than present in the message". This in spite of the fact that I use auth-source="sender". I tried XWS_ServerProvider with the same result.
If I remove Message Security altogether, the web service works, so I know there is no issue with the deployed ear.
Am I doing something wrong? Please tell me this is so. I'd prefer it if it was not a bug in Glassfish message security.
Regards
Johan Hoogenboezem
[Message sent by forum member 'hoogenbj' (hoogenbj)]
http://forums.java.net/jive/thread.jspa?messageID=354319