Most used toolkits in Java for WSS are:
Both are mature solutions and both cover obligatory part of the standard. However, the implementation of optional parts of the standard produces conflicts in client-server communications between this toolkits.
Recently, we had to work with systems communicating through secure web services based on XWSS and WSS4j and we had to solve two problems:
- WSS4J doesn’t support
InclusiveNamespacesin canonicalization methods of XMLDSig (WSS estandar covers this functionality as optional).
- WSS4J doesn’t support signed timestamp (WSS estandar covers this functionality as optional).
For the first issue, we configured XWSS in order to avoid the unsupported use of the prefix in XML canonicalization.
Someone decided for the second issue to use non-signed timestamp. In my opinion, this option is unwise because of timestamp manipulation risk. But one can’t always win…
A deep comparison of XWSS and WSS4j can be found at http://blogs.cocoondev.org/dims/wss4j/compare.html