Sun Java System Application Server Platform Edition 8.1 2005Q2 Update 2 Release Notes

Security

This section describes known security issues and solutions.

Specifying target message by java-method does not work in client-side message-security-binding elements. (ID 6155080)

This problem occurs, for example, when a target message in a client-side message-security-binding element is specified by java-method within a port-info element within a service-ref element:

<!ELEMENT service-ref ( service-ref-name, port-info*, call-property*, wsdl-
override?, service-impl-class?, service-qname? )\>
<!ELEMENT port-info ( service-endpoint-interface?, wsdl-port?, stub-
property*, call-property*, message-security-binding? )\>
<!ELEMENT message-security-binding ( message-security* )\>
<!ELEMENT message-security ( message+, request-protection?, 
response-protection? )\>
<!ELEMENT message ( java-method? | operation-name? )\>

The message-security-binding element is used here to define message protection policies for specific methods of a web service endpoint.

Solution

Use an operation-name element within the message element to identify by WSDL operation name the message to which the protection policies defined in the containing message-security element apply.