I’m currently writing a client that consumes a soap sercvice, and noticed something strange in the SOAP calls from the client we’re writing compared to the examples I have from the vendor of the web service.
For the ValueType attribute of the BinarySecurityToken, it is using http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 as the type, whereas my examples use wsse:X509v3, where wsse is defined as http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd.
From a fair amount of internet research these namespaces seem to be used about equally, and I suspect that they are equivalent, but still wonder if there is a difference and why there are two namepsaces.
Similarly for EncodingType, you can use wsse:Base64Binary or
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Any ideas?
I went through both the WSS X509 Token Profile 1.0 and WSS X509 Token Profile 1.1 specifications. It seems both values for the ValueType are correct. But “http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0” is not a namespace. It is a URI defined for the specification [Line 171 of spec 1.0 and Line 158 of spec 1.1]. Both specifications use the WSSE, that is http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd as the namespace.
So the my conclusion is ValueType=”wsse:x509v3″ (spec 1.0 line 308) is equivalent to ValueType=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3″ (spec 1.1 line 340)