Hi
I have upgraded an old ws-security cxf client application to Java 11. It
now uses StAX, builds a policy and sets
PolicyConstants.POLICY_OVERRIDE in the client's requestContext.
It almost works; however, when it gets to processing the response from the
server, the PolicyEnforcer throws an exception with no message (null).
I ran a modified version of the PolicyEnforcer, which did not throw a
validation exception (inspired by issue WSS-486, with the modified
if-statements in PolicyEnforcer).
The result was that the PolicyVerificationInInterceptor then listed all the
policy alternatives that could not be satisfied:
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}WssX509V3Token10
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RequireThumbprintReference
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TripleDes
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Lax
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignBeforeEncrypting
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
If I remove the PolicyVerificationInInterceptor from the cxf chain, then the
message is decrypted and everything looks fine.
Could it be that the PolicyEnforcer needs to know whether it runs on the
server side or the client side, and thereby be less strict on the client side?
Best regards
Erik