[ https://issues.apache.org/jira/browse/CXF-6873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Charles Moulliard updated CXF-6873:
-----------------------------------
    Description: 
The PolicyVerificationInInterceptor of the Interceptor of the Client reports this error when it gets the Server response

{code}
[ main] PhaseInterceptorChain WARN Interceptor for {http://jboss.org/HelloWorld}GreeterService#{http://jboss.org/HelloWorld}greetMe has thrown exception, unwinding now
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorSignatureToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientSignatureToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
	at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
{code}

This error is related to the fact that the Server doesn't generate the required information needed by the client

Response
{code}
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-48744ea4-5dfa-4910-97c1-88a3ba2b224b">
        <wsu:Created>2016-04-19T14:13:50.848Z</wsu:Created>
        <wsu:Expires>2016-04-19T14:18:50.848Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soap:Body>
    <greetMeResponse xmlns="http://jboss.org/HelloWorld/types">
      <responseType>Hello Charles</responseType>
    </greetMeResponse>
  </soap:Body>
</soap:Envelope>
{code}

Here is the WSSecurityPolicy that I'm using to configure the JAXWS Client/Server beans. This policy is used to generate a TimeStamp, a username Token with a hashed password and the Body, Timestamp are signed

{code}
<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wsp="http://www.w3.org/ns/ws-policy"
            wsu:Id="RequiredPartsPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- The specified token populates the [Initiator Signature Token] property and is used for the message signature from initiator to recipient. -->
          <sp:InitiatorSignatureToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <!-- X509 Version 3 token should be used -->
                  <sp:WssX509V3Token10/>
                  <!-- An issuer serial reference is required when referencing this token and is generated as such :
                       <wsse:SecurityTokenReference wsu:Id="STR-0c1b9c80-f6c3-459b-a9ca-868add284ba2">
                         <ds:X509Data>
                           <ds:X509IssuerSerial>
                             <ds:X509IssuerName>
                               CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
                             </ds:X509IssuerName>
                             <ds:X509SerialNumber>863863773</ds:X509SerialNumber>
                           </ds:X509IssuerSerial>
                         </ds:X509Data>
                       </wsse:SecurityTokenReference>
                  -->
                  <sp:RequireIssuerSerialReference/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorSignatureToken>
          <sp:RecipientSignatureToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <!-- X509 Version 3 token should be used -->
                  <sp:WssX509V3Token10/>
                  <!-- An issuer serial reference is required when referencing this token -->
                  <sp:RequireIssuerSerialReference/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientSignatureToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <!-- Algorithm to be used to sign the message -->
              <sp:Basic128/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <!-- Include within the WSSE Header a TimeStamp -->
          <sp:IncludeTimestamp/>
          <sp:SignedSupportingTokens>
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:HashPassword/>
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SignedSupportingTokens>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- Elements to be signed -->
      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Name="Timestamp"/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
{code}

Here is the SOAP Request generated by the client

{code}
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsu:Timestamp wsu:Id="TS-fb62d8a5-7000-4a7b-9b74-484de7744159">
        <wsu:Created>2016-04-19T14:13:50.122Z</wsu:Created>
        <wsu:Expires>2016-04-19T14:18:50.122Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UsernameToken-418f33ae-f291-4671-aaae-56c769fab274">
        <wsse:Username>cmoulliard</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
          NlBUyEfQJS8NoBc/9zqk0ea6NsU=
        </wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
          +ex+MdsXUER0SlSebV+m9w==
        </wsse:Nonce>
        <wsu:Created>2016-04-19T14:13:50.151Z</wsu:Created>
      </wsse:UsernameToken>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                wsu:Id="X509-8590f6a8-03e0-43d3-b9b9-36de71fd462a">
        [base64-encoded X.509 certificate omitted]
      </wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-1e0b76c1-9a21-410e-bcc3-c3b6d50f3df4">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#TS-fb62d8a5-7000-4a7b-9b74-484de7744159">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Zz8butLavsU8pUGLUPgmmxDBjsk=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#UsernameToken-418f33ae-f291-4671-aaae-56c769fab274">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>y6y/lKinEcuJIc+Zbtvmq/gZPZI=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_2ef50453-a254-494c-ad77-be6ac9a37b9d">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>8xtLX+pO7fQmIV4WPyAXCz8mBlI=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          fWyWo0mSjOVVPzun/OZaaRJ6w4+H74xaoqdG6Jzq7UIDm3LCbFF7cWz+6dZw/ajkb40xHPeYIbU1THXwOjKNr8OiPDQUIjKKgioIr2uYax3eZLO1GcBz6rct4dC0jfQUivGEzqbo/P+C9t+AQKboldVF6LvlnAcbk8RWo9uBeUpz1Bipotau/LovVgb4RuO/YmSO2fyQhRhnihvVmpkZ5NFq9cfy85KcQFuWYVjxRgLY9NprN9hOeeD8ARiWsOfIt7OIBPNcGGh6FwKumzWjNgKfYNurs2xVDAxVkTz/NUGt0sUBfSRbAL44LmYKfxH29sf08YwTeWGa+wutC67DRg==
        </ds:SignatureValue>
        <ds:KeyInfo Id="KI-915ac155-0866-48f2-980e-2c094f5f3d05">
          <wsse:SecurityTokenReference wsu:Id="STR-d1334971-113b-4fc2-bd60-f33355293b7d">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>
                  CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
                </ds:X509IssuerName>
                <ds:X509SerialNumber>863863773</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             wsu:Id="_2ef50453-a254-494c-ad77-be6ac9a37b9d">
    <greetMe xmlns="http://jboss.org/HelloWorld/types">
      <requestType>Charles</requestType>
    </greetMe>
  </soap:Body>
</soap:Envelope>
{code}

> PolicyVerificationInInterceptor ERROR Inbound policy verification failed: These policy alternatives can not be satisfied
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6873
>                 URL: https://issues.apache.org/jira/browse/CXF-6873
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.0.4
>            Reporter: Charles Moulliard

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
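
The gap between what `sp:SignedParts` requires and what a message carries can be checked offline by comparing the `wsu:Id` of the Body and Timestamp with the `ds:Reference` URIs in the security header. This is an added example, not code from CXF or from the reporter: the helper names are hypothetical, the two messages are constructed abbreviations of the request and response in the description, and only reference coverage is checked, not the cryptographic validity of the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]  # qualified name of the wsu:Id attribute

ENVELOPE = ('<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" '
            'xmlns:wsu="{wsu}" xmlns:ds="{ds}">{inner}</soap:Envelope>')

# Constructed sample: the client request, reduced to the parts the check reads.
REQUEST = ENVELOPE.format(inner="""
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-fb62d8a5-7000-4a7b-9b74-484de7744159"/>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#TS-fb62d8a5-7000-4a7b-9b74-484de7744159"/>
          <ds:Reference URI="#UsernameToken-418f33ae-f291-4671-aaae-56c769fab274"/>
          <ds:Reference URI="#_2ef50453-a254-494c-ad77-be6ac9a37b9d"/>
        </ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="_2ef50453-a254-494c-ad77-be6ac9a37b9d"/>
""", **NS)

# Constructed sample: the server response, which has a Timestamp but no
# ds:Signature and no wsu:Id on the Body.
RESPONSE = ENVELOPE.format(inner="""
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-48744ea4-5dfa-4910-97c1-88a3ba2b224b"/>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
""", **NS)


def signed_ids(envelope):
    """Ids targeted by same-document ds:Reference URIs in the wsse:Security header."""
    refs = envelope.findall(
        "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}


def check_signed_parts(xml_text):
    """Report coverage of the two parts the policy lists under sp:SignedParts."""
    envelope = ET.fromstring(xml_text)
    covered = signed_ids(envelope)
    required = {
        "Body": envelope.find("soap:Body", NS),
        "Timestamp": envelope.find("soap:Header/wsse:Security/wsu:Timestamp", NS),
    }
    report = {}
    for name, element in required.items():
        if element is None:                      # part absent from the message
            report[name] = "MISSING"
        elif element.get(WSU_ID) in covered:     # id is referenced by a signature
            report[name] = "SIGNED"
        else:                                    # present, but no reference to it
            report[name] = "NOT SIGNED"
    return report


if __name__ == "__main__":
    for label, message in (("request", REQUEST), ("response", RESPONSE)):
        print(label, check_signed_parts(message))
```

For the response sample both parts come back `NOT SIGNED`, which is consistent with the `Body not SIGNED` and `Received Timestamp does not match the requirements` lines in the client log.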