d/l and building 3.3.2 cxf

info.picocli:picocli:jar:3.9.5 has not been downloaded from it before.

? ideas on where picocli is located ?

*thanks*


________________________________
From: Erik Lund Jensen <[email protected]>
Sent: Wednesday, August 7, 2019 12:32 PM
To: [email protected] <[email protected]>
Subject: cxf client using StAX and ws-security policy fails in PolicyEnforcer when processing server response

Hi

I have upgraded an old ws-security cxf client application to Java 11. It now 
uses StAX and builds a policy and sets the PolicyConstants.POLICY_OVERRIDE at 
the client's requestContext.

It almost works; however, when it gets to processing the response from the 
server, the PolicyEnforcer throws an exception with no message (null).
I ran a modified version of the PolicyEnforcer, which did not throw a validation 
exception (inspired by issue WSS-486 with the modified if-statements in 
PolicyEnforcer).
The result was that the PolicyVerificationInInterceptor then listed all the 
policy alternatives that could not be satisfied:

Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}WssX509V3Token10
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RequireThumbprintReference
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TripleDes
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Lax
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignBeforeEncrypting
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)

If I remove the PolicyVerificationInInterceptor from the cxf chain then the 
message is decrypted and everything looks fine.
Could it be that the PolicyEnforcer needs to know whether it runs on the 
server side or the client side, and thereby be less strict on the client side?

Best regards
Erik
