<ds:KeyInfo Id="KeyId-F26B331D23680CE7A712512821313252">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-F26B331D23680CE7A712512821313343">
<ds:X509Data>
...

голова болит секс
than you have to request a “direct reference” to your certificate, which will result in a binarySecurityToken element in the SOAP header containing your encoded certificate:

<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="1">
<wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ...

голова болит секс


 

You can enable the direct reference by adding a parameter to the WSS4J interceptor:

outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE);
outProps.put(WSHandlerConstants.USER, "my_amazon_cert");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientCallbackHandler.class.getName());
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "amazonsecurity.properties");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");    

красноярские свингеры
The reason for all of this is that some services can’t work with referenced certificates. Amazon Product Advertising API for example. This has caused some hours of research to find out. Reasoning from my Google research, it seems that only a few are actually using WS-Security this way. My personal opinion: most security APIs are completely over engineered and utter bullshit. Someone should tell those security guys how to design proper APIs whithout cluttering it with hundreds of configuration options, preferences, diverse and esoteric configuration files and the like. This really annoys me. And it is not a problem of the Java security APIs, but a language crossing problem.
I mean: I, as an application designer, just don’t want to configure every tiny bit of security part when using the security layer. There should be some “best practice” – simple and secure – way to use security. It should be transparent and unintrusive to my business code.
Instead of this, todays security APIs are complicated, please-configure-every-tiny-bit beasts in the notion of “if you want security, then go and study encryption algorithms and encoding formats first, you bastard”. It feels like the WS-* standards before WS-I came. Or EJB before EJB3.
And, I think this is a large security issue. As the application designers are forced to integrate complicated security APIs without the time (or notion) to fully understand them, there is a lot of possible pitfalls that can potentially ruin your security. So you are also forced to be a security expert understanding all the different things going on in the security layer. I don’t want this. I want to focus on business code. Abstraction and clear responsibility is the base of any large system and needed to conquer complexity. But instead, looking at current Security APIs is like looking at the stone age of software engineering.