AsymmetricBinding used only for response causes error
-----------------------------------------------------

                 Key: CXF-3041
                 URL: https://issues.apache.org/jira/browse/CXF-3041
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.2.10
            Reporter: Dennis Sosnoski


When specifying AsymmetricBinding at the operation level but only using it for 
the response message, the request message is sent with a signature and the 
server throws an exception (tested with both 2.2.10 and the 2.3 nightly):
org.w3c.dom.DOMException: Cannot find Reference in Manifest
        at org.apache.xml.security.signature.Manifest.<init>(Unknown Source)
        at org.apache.xml.security.signature.SignedInfo.<init>(Unknown Source)
        at org.apache.xml.security.signature.XMLSignature.<init>(Unknown Source)
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:197)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:97)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)

Here's an edited version of the WSDL (intended to demonstrate using 
message-level encryption only in one direction):
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
    xmlns:wns="http://ws.sosnoski.com/library/wsdl"
    xmlns:tns="http://ws.sosnoski.com/library/types"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
  
  <!-- Policy for asymmetric binding with the certificate included in the
       message from client to server but only a thumbprint on messages from
       the server to the client. -->
  <wsp:Policy wsu:Id="AsymmBinding"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://www.w3.org/ns/ws-policy"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <sp:AsymmetricBinding>
      <wsp:Policy>
        <sp:InitiatorToken>
          <wsp:Policy>
            <sp:X509Token
                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:RequireThumbprintReference/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:InitiatorToken>
        <sp:RecipientToken>
          <wsp:Policy>
            <sp:X509Token
                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
              <wsp:Policy>
                <sp:RequireThumbprintReference/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:RecipientToken>
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic128Rsa15/>
          </wsp:Policy>
        </sp:AlgorithmSuite>
      </wsp:Policy>
    </sp:AsymmetricBinding>
  </wsp:Policy>
  
  <!-- Policy for signing the message body. -->
  <wsp:Policy wsu:Id="SignBody"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://www.w3.org/ns/ws-policy"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <sp:SignedParts>
      <sp:Body/>
    </sp:SignedParts>
  </wsp:Policy>
  
  ...

  <wsdl:binding name="LibrarySoapBinding" type="wns:Library">

    <wsdlsoap:binding style="document" 
transport="http://schemas.xmlsoap.org/soap/http"/>

    <wsdl:operation name="getBook">
  
      <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
          URI="#AsymmBinding"/>
    
      <wsdlsoap:operation soapAction="urn:getBook"/>
      
      <wsdl:input name="getBookRequest">
        <wsdlsoap:body use="literal"/>
      </wsdl:input>
      
      <wsdl:output name="getBookResponse">
        <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
            URI="#SignBody"/>
        <wsdlsoap:body use="literal"/>
      </wsdl:output>
      
    </wsdl:operation>
    ...
  </wsdl:binding>
  ...
</wsdl:definitions>

Here's the actual request message (note that its ds:SignedInfo contains no ds:Reference elements at all, i.e. the signature covers nothing, which is what the "Cannot find Reference in Manifest" exception above is reporting):
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Header>
      <wsse:Security
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          soap:mustUnderstand="1">
         <wsse:BinarySecurityToken
             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
             ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-797FFC48A8BEF2669712863570548321">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</wsse:BinarySecurityToken>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
             Id="Signature-1">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            </ds:SignedInfo>
            
<ds:SignatureValue>L422ALMnyFgf5WZiEixkUiaGY08otO3qRtm9C6mhWuZukFnmz0XmvggN03B6tcd1zE1nHWKUD0bLeOQ1RLjnd8LCL/+zYjnWOEtALZHPwJfJW5r9xq42DFIWVg2llVDw83rgShU5IhbBUMvdHv5zP/Y6xPipVysxDzPZS8t2gpM=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-797FFC48A8BEF2669712863570548432">
               <wsse:SecurityTokenReference
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   wsu:Id="STRId-797FFC48A8BEF2669712863570548463">
                  <wsse:Reference
                      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                      URI="#CertId-797FFC48A8BEF2669712863570548321"
                      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
      </wsse:Security>
   </soap:Header>
   <soap:Body>
      <getBook xmlns="http://ws.sosnoski.com/library/wsdl"
          xmlns:ns2="http://ws.sosnoski.com/library/types">
         <isbn>0061020052</isbn>
      </getBook>
   </soap:Body></soap:Envelope>

To use the attached .tgz, edit the build.properties cxf-home property to set
the home directory of your CXF installation, and build with Ant (default
target). This generates the .war, and you can then run the client with the Ant
target "run".
