Modestas Vainius created CXF-5609:
-------------------------------------

             Summary: Won't pass verification of explicit WSS Policy AsymmetricBinding -> Layout -> Policy -> Lax
                 Key: CXF-5609
                 URL: https://issues.apache.org/jira/browse/CXF-5609
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.7.10, 2.6.13
            Reporter: Modestas Vainius


Hello,

I can't seem to get the CXF WS-* validator to accept a message for a service which 
has <sp:Layout> <wsp:Policy> <sp:Lax /> policy explicitly defined in the WSDL. 
Maybe I'm missing something, but all I get is:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>These policy alternatives can not be satisfied: {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout</faultstring>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

I did some debugging on the issue and it appears that both 
org.apache.cxf.ws.security.policy.builders.LayoutBuilder and 
org.apache.cxf.ws.security.policy.model.AsymmetricBinding add 
org.apache.cxf.ws.security.policy.model.Layout assertions to the expected 
policy. However, 
org.apache.cxf.ws.security.wss4j.policyvalidators.AbstractBindingPolicyValidator.checkProperties(SymmetricAsymmetricBindingBase, AssertionInfo, AssertionInfoMap, List<WSSecurityEngineResult>, List<WSSecurityEngineResult>, Message) 
successfully asserts only one of the Layout instances while the other one 
remains untouched and causes the failure to occur. 
If I comment out sp:Layout from the WSDL, validation passes since LayoutBuilder 
never adds its Layout instance.

I guess that removing LayoutBuilder would fix the problem but I'm not sure if 
this is the right thing to do.

Relevant excerpt from WSDL:

<wsp:Policy wsu:Id="SignAndEncrypt"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    wsdl:required="true">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Rsa15 />
              <sp:TripleDesRsa15 />
              <sp:Basic128Rsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:IncludeTimestamp />
          <sp:EncryptSignature />
          <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefIssuerSerial />
          <sp:MustSupportRefEmbeddedToken />
        </wsp:Policy>
      </sp:Wss10>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax />
        </wsp:Policy>
      </sp:Layout>
      <sp:SignedParts>
        <sp:Body />
        <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
        <sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>



--
This message was sent by Atlassian JIRA
(v6.2#6252)
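
The bookkeeping problem described in the report above, as a simplified model (an added example, not CXF code and not part of the original message). The class LayoutAssertionModel, the Info type and all method names are hypothetical stand-ins; marking every instance is shown only for contrast and is not claimed to be the project's fix.

```java
import java.util.*;

// Simplified model of policy-assertion bookkeeping; these are NOT CXF's classes.
public class LayoutAssertionModel {
    static final String LAYOUT =
        "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout";

    static final class Info {
        final String source;   // which component registered this instance
        boolean asserted;      // set once a validator has checked it
        Info(String source) { this.source = source; }
    }

    // Expected policy: assertion QName -> every registered instance of it.
    static Map<String, List<Info>> expectedPolicy(boolean explicitLayoutInWsdl) {
        Map<String, List<Info>> map = new LinkedHashMap<>();
        List<Info> layouts = map.computeIfAbsent(LAYOUT, k -> new ArrayList<>());
        layouts.add(new Info("binding model"));       // added by the binding, per the report
        if (explicitLayoutInWsdl) {
            layouts.add(new Info("layout builder"));  // added only when <sp:Layout> is in the WSDL
        }
        return map;
    }

    // Final policy check: any instance left unasserted fails the alternative.
    static List<String> unsatisfied(Map<String, List<Info>> map) {
        List<String> out = new ArrayList<>();
        map.forEach((qname, infos) -> {
            for (Info i : infos) if (!i.asserted) out.add(qname + " (" + i.source + ")");
        });
        return out;
    }

    // markAll=false models the reported behaviour (one instance marked);
    // markAll=true marks every instance registered under the Layout QName.
    static List<String> validate(boolean explicitLayoutInWsdl, boolean markAll) {
        Map<String, List<Info>> map = expectedPolicy(explicitLayoutInWsdl);
        List<Info> layouts = map.get(LAYOUT);
        for (Info i : markAll ? layouts : layouts.subList(0, 1)) i.asserted = true;
        return unsatisfied(map);
    }

    public static void main(String[] args) {
        System.out.println("explicit Layout, one marked: " + validate(true, false));
        System.out.println("no explicit Layout, one marked: " + validate(false, false));
        System.out.println("explicit Layout, all marked: " + validate(true, true));
    }
}
```

Only the first case leaves an unasserted Layout entry, which corresponds to the "policy alternatives can not be satisfied" fault quoted in the report.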
