As of spring-ws-2.1 (2.1.0 & 2.1.1) the key-word "Token" is no longer accepted as a securementSignatureParts by the Wss4jSecurityInterceptor.
This key-word was meant to add a signature reference to the BinarySecurityToken element generated during the same signature process.
If you try to use this key-word, you now get a nice WSSecurityException, however to use of this key-word is still documented in the spring documentation, chapter 18.104.22.168. Signing Messages, as well as in the Wss4jSecurityInterceptor javadoc for the securementSignatureParts setter.
This problem seem to come from the upgrade of apache wss4j from version 1.5 to 1.6, but the documentation for apache wss4j doesn’t looks to mention how to achieve the same kind of signature with the new version.
Is there a way to have this kind of signature (signing the BinarySecurityToken) working again with spring-ws-2.1 ?
For reference, here is our securityInterceptor configuration in the context file (which was working with spring-ws 2.0 and no longer with 2.1)
<property name="securementActions" value="Timestamp Signature" />
<property name="securementSignatureKeyIdentifier" value="DirectReference" />
<property name="securementMustUnderstand" value="false" />