Tuesday, March 8, 2011

[WSS4J 1.6] Basic Security Profile 1.1 compliance

The Basic Security Profile (BSP) 1.1 specification provides an industry-standard way of making sure that different WS-Security stacks can communicate with each other, by clarifying and narrowing the scope of the various WS-Security standards. WSS4J 1.5.x does not implement the BSP in any meaningful way. The WSSConfig class supports a "isWsiBSPCompliant" method (default is false), which will enable the generation of an InclusivePrefix list for signature generation, something that is mandated by the BSP spec.

WSS4J 1.6 provides support for the BSP 1.1 specification, in so far as it pertains to the core WS-Security specifications that WSS4J supports. The enforcing of BSP compliance for inbound messages is controlled by the WSSConfig class, as per WSS4J 1.5.x. An important change is that BSP compliance is now turned on by default. In addition, a new WSHandlerConstants configuration parameter has been added so that BSP compliance can be controlled via a WSHandler implementation.


  1. Can I have a example of implementing WSHandler to make wsiBSPCompliant = false

  2. Take a look at the Javadoc here:


    * Whether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not. The
    * default value is "true".
    * The application may set this parameter using the following method:
    * call.setProperty(WSHandlerConstants.IS_BSP_COMPLIANT, "false");
    public static final String IS_BSP_COMPLIANT = "isBSPCompliant";