--- rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java.orig 2011-02-08 19:26:03.000000000 +0800 +++ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java 2011-02-22 22:31:37.000000000 +0800 @@ -418,7 +418,6 @@ if (attached) { String id = encrTok.getWsuId(); if (id == null && encrToken instanceof SecureConversationToken) { - dkEncr.setTokenIdDirectId(true); id = encrTok.getId(); } else if (id == null) { id = encrTok.getId(); @@ -428,7 +427,6 @@ } dkEncr.setExternalKey(encrTok.getSecret(), id); } else { - dkEncr.setTokenIdDirectId(true); dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId()); } } @@ -590,7 +588,7 @@ dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement()); } else { if (policyToken instanceof SecureConversationToken) { - dkSign.setTokenIdDirectId(true); + ; } dkSign.setExternalKey(tok.getSecret(), tok.getId()); } --- rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java.orig 2011-02-08 19:26:03.000000000 +0800 +++ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java 2011-02-22 22:38:44.000000000 +0800 @@ -318,7 +318,7 @@ X509Certificate[] returnCertChain = (X509Certificate[])result .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES); - if (returnCertChain != null && !verifyTrust(returnCertChain, reqData)) { + if (returnCertChain != null && !verifyTrust(returnCert, reqData)) { LOG.warning("The certificate chain used for the signature is not trusted"); throw new WSSecurityException(WSSecurityException.FAILED_CHECK); } else if (returnCert != null && !verifyTrust(returnCert, reqData)) {