[
https://issues.apache.org/jira/browse/CXF-2165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benjamin Ernst updated CXF-2165:
--------------------------------
Attachment: policy.xml
the policy for which the assertion fails
> SecurityPolicy-Assertion fails for only signing
> ------------------------------------------------
>
> Key: CXF-2165
> URL: https://issues.apache.org/jira/browse/CXF-2165
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2
> Reporter: Benjamin Ernst
> Attachments: policy.xml
>
>
> Policy assertion fails when a policy only asserts that the body is signed,
> but not encrypted. Sending signed messages is no problem, but when receiving
> a signed message the following error appears:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Not signed before encrypted
>
> There should not be any encryption at all, only signing. I debugged into the
> code and found the following method in PolicyBasedWSS4JInInterceptor.java:
> private boolean assertAsymetricBinding(AssertionInfoMap aim,
>                                        SoapMessage message,
>                                        SOAPMessage doc,
>                                        Protections prots,
>                                        boolean derived) {
>     Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
>     if (ais == null) {
>         return true;
>     }
>     for (AssertionInfo ai : ais) {
>         AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
>         ai.setAsserted(true);
>         if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
>             if (abinding.isSignatureProtection()) {
>                 if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
>                     ai.setNotAsserted("Not encrypted before signed and then protected");
>                 }
>             } else if (prots != Protections.ENCRYPT_SIGN) {
>                 ai.setNotAsserted("Not encrypted before signed");
>             }
>         } else if (prots != Protections.SIGN_ENCRYPT) {
>             ai.setNotAsserted("Not signed before encrypted");
>         }
>         assertPolicy(aim, abinding.getInitiatorToken());
>         assertPolicy(aim, abinding.getRecipientToken());
>         assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
>         assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
>     }
>     return true;
> }
> In this method the value of prots is "SIGN", which is correct. But the
> if-statement only checks whether prots is not SIGN_ENCRYPT and then sets it to
> not asserted. It might be because SPConstants.ProtectionOrder only knows
> EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only
> signing, or only encrypting.
> Here is the policy:
> <wsp:Policy
>     wsu:Id='Sig'
>     xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="
>         http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>         http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
>         http://schemas.xmlsoap.org/ws/2004/09/policy
>         http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
>     ">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'>
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:OnlySignEntireHeadersAndBody />
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>         <wsp:Policy>
>           <sp:MustSupportRefEmbeddedToken />
>         </wsp:Policy>
>       </sp:Wss10>
>       <sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>         <sp:Body />
>       </sp:SignedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
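Editor's added illustration, not part of the JIRA issue above and not CXF code: the stand-alone Java below reduces the decision logic of the quoted assertAsymetricBinding to a boolean so the reported failure can be reproduced on its own, and places next to it one way of deriving the acceptable protection from what the policy actually requires (presence of sp:SignedParts and sp:EncryptedParts) instead of hard-coding SIGN_ENCRYPT for the default order. The Protections and ProtectionOrder enums are local stand-ins named after the identifiers in the quoted snippet, the PolicyRequirements class and the SIGN, ENCRYPT and NONE values are assumptions of this example, and the derived check is one possible approach rather than the fix CXF shipped. The security point it is meant to make: the quick fix of also accepting SIGN under the default order would be wrong, because a policy that requires encryption must still reject a message that was merely signed.

```java
import java.util.Objects;

/**
 * Added illustration for CXF-2165 (not CXF code). Local stand-in enums mirror
 * the identifiers used in the quoted interceptor snippet; PolicyRequirements
 * and the SIGN / ENCRYPT / NONE values are assumptions of this example.
 */
public class ProtectionOrderCheck {

    /** Stand-in for the Protections value the interceptor computes from the inbound message. */
    enum Protections { NONE, SIGN, ENCRYPT, SIGN_ENCRYPT, ENCRYPT_SIGN, ENCRYPT_SIGN_PROTECT }

    /** Stand-in for SPConstants.ProtectionOrder; the spelling SignBeforeEncrypting is an assumption. */
    enum ProtectionOrder { SignBeforeEncrypting, EncryptBeforeSigning }

    /** What the AsymmetricBinding alternative demands, as read from the policy (assumed shape). */
    static final class PolicyRequirements {
        final boolean hasSignedParts;      // sp:SignedParts present
        final boolean hasEncryptedParts;   // sp:EncryptedParts present
        final boolean signatureProtection; // sp:EncryptSignature present
        final ProtectionOrder order;

        PolicyRequirements(boolean hasSignedParts, boolean hasEncryptedParts,
                           boolean signatureProtection, ProtectionOrder order) {
            this.hasSignedParts = hasSignedParts;
            this.hasEncryptedParts = hasEncryptedParts;
            this.signatureProtection = signatureProtection;
            this.order = Objects.requireNonNull(order);
        }
    }

    /**
     * The branching of the quoted assertAsymetricBinding reduced to a boolean.
     * Under the default (sign-before-encrypt) order the only value it accepts
     * is SIGN_ENCRYPT, which is why a signed-only message is reported as
     * "Not signed before encrypted".
     */
    static boolean quotedCheck(PolicyRequirements p, Protections prots) {
        if (p.order == ProtectionOrder.EncryptBeforeSigning) {
            if (p.signatureProtection) {
                return prots == Protections.ENCRYPT_SIGN_PROTECT;
            }
            return prots == Protections.ENCRYPT_SIGN;
        }
        return prots == Protections.SIGN_ENCRYPT;
    }

    /**
     * One possible alternative (an assumption of this example, not the CXF fix):
     * compute the single acceptable Protections value from the policy and compare
     * the observed value against it. Protection order only matters when both
     * signing and encryption are required; a signed-only policy accepts SIGN and
     * nothing else, and a policy that requires encryption keeps rejecting SIGN.
     */
    static boolean policyDerivedCheck(PolicyRequirements p, Protections prots) {
        return prots == expectedProtections(p);
    }

    static Protections expectedProtections(PolicyRequirements p) {
        if (p.hasSignedParts && p.hasEncryptedParts) {
            if (p.order == ProtectionOrder.EncryptBeforeSigning) {
                return p.signatureProtection ? Protections.ENCRYPT_SIGN_PROTECT
                                             : Protections.ENCRYPT_SIGN;
            }
            return Protections.SIGN_ENCRYPT;
        }
        if (p.hasSignedParts) {
            return Protections.SIGN;
        }
        if (p.hasEncryptedParts) {
            return Protections.ENCRYPT;
        }
        return Protections.NONE;
    }

    public static void main(String[] args) {
        // The reporter's policy: SignedParts/Body, no EncryptedParts, no EncryptSignature, default order.
        PolicyRequirements signOnly =
            new PolicyRequirements(true, false, false, ProtectionOrder.SignBeforeEncrypting);
        // A constructed stricter policy that also requires encryption, to show the derived
        // check does not let a signed-only message through where encryption is mandated.
        PolicyRequirements signAndEncrypt =
            new PolicyRequirements(true, true, false, ProtectionOrder.SignBeforeEncrypting);

        System.out.println("signed-only policy, SIGN message, quoted check:   "
            + quotedCheck(signOnly, Protections.SIGN));
        System.out.println("signed-only policy, SIGN message, derived check:  "
            + policyDerivedCheck(signOnly, Protections.SIGN));
        System.out.println("sign+encrypt policy, SIGN message, derived check: "
            + policyDerivedCheck(signAndEncrypt, Protections.SIGN));
        System.out.println("sign+encrypt policy, SIGN_ENCRYPT message, derived check: "
            + policyDerivedCheck(signAndEncrypt, Protections.SIGN_ENCRYPT));
    }
}
```

Compile and run with javac/java; the first line of main reproduces the report (the signed-only message fails quotedCheck), the second shows policyDerivedCheck accepting it, and the third shows the same signed-only message still being rejected once the policy carries EncryptedParts. Whatever shape a real fix takes, that third case is the regression test worth keeping: the inbound assertion must be driven by what the policy requires, not relaxed to accept SIGN everywhere.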