Lukas created CXF-7605:
--------------------------

Summary: RequireDerivedKeys policy is not respected
Key: CXF-7605
URL: https://issues.apache.org/jira/browse/CXF-7605
Project: CXF
Issue Type: Bug
Components: Soap Binding, WS-* Components
Affects Versions: 3.1.15, 3.2.2
Environment:
* cxf-rt-frontend-jaxws
* cxf-rt-frontend-jaxrs
* cxf-rt-transports-http
* cxf-rt-rs-client
* cxf-rt-rs-service-description
* cxf-rt-ws-security
* cxf-tools-common
* cxf-rt-ws-policy
Reporter: Lukas
Attachments: code.java, full_wsdl.wsdl, policy_fragment.xml

CXF 3.2.2-SNAPSHOT, as well as 3.1.15-SNAPSHOT, do not derive keys for the HMAC signature, while the WS-Policy states that derived keys are required ({{<ws:RequireDerivedKeys/>}} in {{effective Policy}}).

The policy is embedded in the WSDL that is passed to the {{wsdl2java}} gradle task.

Inspecting the SoapMessage passed to the {{WSStaxOutInterceptor}}, the contents of {{org.apache.cxf.ws.policy.EffectivePolicy}}.{{choosenAlternative[1] }}(=="SupportEndorsingTokens") contain a nested Policy setting {{RequireDerivedKeys}}. This reflects the structure and contents of the attached policy (see policy_fragment.xml).

CXF correctly embeds a SAML Token as requested by the policy and signs using a symmetric key (obtained previously via WS-SecureConversation / WS-Trust); both steps are defined in the attached policy. CXF should, however, sign with a key *derived* from said symmetric key, as specified by {{<wsp:RequestDerivedKeys />}}. This step is ignored, thus resulting in a request that does not adhere to the policy.

Code and WSDL worked with CXF 3.1.12.

Attached are:
* full_wsdl.wsdl - the WSDL parsed by CXF's "wsdl2java" gradle task (stripped of irrelevant endpoints and domain names)
* code.java - code snippet demonstrating the use-case
* policy_fragment.xml - the policy, to save looking for it in the WSDL
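
A wire-level check for the behaviour reported above, as an added example that is not part of the issue or of CXF: it inspects a captured `wsse:Security` header and flags any `ds:Signature` whose `KeyInfo` points at a token other than a `wsc:DerivedKeyToken`. It assumes the WS-SecureConversation 1.3 namespace and signatures that reference their key by `wsse:Reference URI="#id"`; the two headers, their ids and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSC = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"  # assumed version
NS = {"ds": DS, "wsse": WSSE}

def signing_token_tags(security_xml):
    """For each ds:Signature, return the tag of the token its KeyInfo points at."""
    # ElementTree is fine for this constructed input; use a hardened parser
    # for captures that come from an untrusted peer.
    root = ET.fromstring(security_xml)
    wsu_id = "{%s}Id" % WSU
    by_id = {el.get(wsu_id): el for el in root.iter() if el.get(wsu_id)}
    tags = []
    for sig in root.iter("{%s}Signature" % DS):
        ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        tags.append(target.tag if target is not None else None)
    return tags

def violates_require_derived_keys(security_xml):
    """True when any signature is keyed by something other than a DerivedKeyToken."""
    expected = "{%s}DerivedKeyToken" % WSC
    return any(tag != expected for tag in signing_token_tags(security_xml))

# Constructed sample headers (not taken from the attachments of the issue).
TEMPLATE = (
    '<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:wsc="{wsc}" xmlns:ds="{ds}">'
    '<wsc:SecurityContextToken wsu:Id="sct-1"><wsc:Identifier>urn:uuid:constructed'
    '</wsc:Identifier></wsc:SecurityContextToken>{dkt}'
    '<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#{key}"/>'
    '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>'
)
DKT = ('<wsc:DerivedKeyToken wsu:Id="dk-1"><wsse:SecurityTokenReference>'
       '<wsse:Reference URI="#sct-1"/></wsse:SecurityTokenReference>'
       '<wsc:Nonce>Y29uc3RydWN0ZWQ=</wsc:Nonce></wsc:DerivedKeyToken>')

def build(dkt, key):
    return TEMPLATE.format(wsse=WSSE, wsu=WSU, wsc=WSC, ds=DS, dkt=dkt, key=key)

DERIVED = build(DKT, "dk-1")   # signature keyed by a derived key, as the policy requires
DIRECT = build("", "sct-1")    # signature keyed directly by the context token

if __name__ == "__main__":
    for name, header in (("derived", DERIVED), ("direct", DIRECT)):
        print(name, "violates policy:", violates_require_derived_keys(header))
```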