[ https://issues.apache.org/jira/browse/CXF-3042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dennis Sosnoski updated CXF-3042:
---------------------------------
Description:
When specifying SymmetricBinding at the operation level but only using it for
the request message, everything looks reasonable on the wire but the client
throws an exception when processing the response (tested with both 2.2.10 and
the 2.3 nightly):
[java] WARNING: Interceptor for {http://ws.sosnoski.com/library/wsdl}CXFLibrary#{http://ws.sosnoski.com/library/wsdl}addBook has thrown exception, unwinding now
[java] org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied:
[java] {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: No derived keys found.
[java] at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
[java] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
[java] at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:733)
[java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2198)
[java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2071)
[java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1925)
[java] at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
[java] at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:662)
[java] at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
[java] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:516)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
[java] at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[java] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
The error appears to be caused by the client receiving a response without
security headers (which is correct according to the WSDL/policy).
Here's an edited version of the WSDL:
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
xmlns:wns="http://ws.sosnoski.com/library/wsdl"
xmlns:tns="http://ws.sosnoski.com/library/types"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
<!-- Policy for Username Token with hashed password, sent from client to
server only -->
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>
<!-- Policy for symmetric binding, using an ephemeral key generated by the client and
sent to the server as part of the request, using asymmetric encryption with the server
public key to secure the symmetric key. -->
<wsp:Policy wsu:Id="SymmEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
</wsp:Policy>
<!-- Policy for encrypting the message body. -->
<wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
URI="#UsernameToken"/>
...
<wsdl:operation name="addBook">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
URI="#SymmEncr"/>
<wsdlsoap:operation soapAction="urn:addBook"/>
<wsdl:input name="addBookRequest">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
URI="#EncrBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:input>
<wsdl:output name="addBookResponse">
<wsdlsoap:body use="literal"/>
</wsdl:output>
<wsdl:fault name="addDuplicateFault">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
URI="#EncrBody"/>
<wsdlsoap:fault name="addDuplicateFault" use="literal"/>
</wsdl:fault>
</wsdl:operation>
...
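As an added example (not part of the report or of CXF itself), the following Python script walks a WSDL like the one above, resolves the wsp:PolicyReference elements at binding, operation and message scope, and lists the WS-SecurityPolicy assertions in force for each input, output and fault. It assumes the usual WS-PolicyAttachment scoping, under which binding-level and operation-level references apply to every message of the operation; the embedded WSDL is a constructed, trimmed copy of the one in the report (it keeps the 2004/09 WS-Policy namespace on the SymmEncr policy, as the original does, so the resolver accepts both namespaces). Under that scoping the addBook response inherits SymmetricBinding with RequireDerivedKeys from the operation while declaring no EncryptedParts or SignedParts, which is the combination behind the "No derived keys found" failure in the trace above, and the script flags it. The function names (analyse, messages_missing_parts, effective_assertions) are this example's own.

```python
# Added example: effective WS-SecurityPolicy per WSDL message. Not code from CXF-3042 or CXF.
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# The report's WSDL mixes both WS-Policy namespaces; accept either when resolving.
WSP_NSS = ("http://www.w3.org/ns/ws-policy", "http://schemas.xmlsoap.org/ws/2004/09/policy")
BINDING_ASSERTIONS = {"SymmetricBinding", "AsymmetricBinding", "TransportBinding"}
PARTS_ASSERTIONS = {"SignedParts", "EncryptedParts", "SignedElements", "EncryptedElements"}

# Constructed, trimmed copy of the report's WSDL (algorithm suite and Wss11 details dropped).
SAMPLE_WSDL = """<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
  xmlns:wns="http://ws.sosnoski.com/library/wsdl" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy wsu:Id="UsernameToken"><sp:SupportingTokens><wsp:Policy>
    <sp:UsernameToken><wsp:Policy><sp:HashPassword/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SupportingTokens></wsp:Policy>
  <wsp:Policy wsu:Id="SymmEncr" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <sp:SymmetricBinding><wsp:Policy>
      <sp:ProtectionToken><wsp:Policy>
        <sp:X509Token><wsp:Policy><sp:RequireDerivedKeys/></wsp:Policy></sp:X509Token>
      </wsp:Policy></sp:ProtectionToken>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy></sp:SymmetricBinding>
  </wsp:Policy>
  <wsp:Policy wsu:Id="EncrBody"><sp:EncryptedParts><sp:Body/></sp:EncryptedParts></wsp:Policy>
  <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
    <wsp:PolicyReference URI="#UsernameToken"/>
    <wsdl:operation name="addBook">
      <wsp:PolicyReference URI="#SymmEncr"/>
      <wsdlsoap:operation soapAction="urn:addBook"/>
      <wsdl:input name="addBookRequest">
        <wsp:PolicyReference URI="#EncrBody"/><wsdlsoap:body use="literal"/>
      </wsdl:input>
      <wsdl:output name="addBookResponse"><wsdlsoap:body use="literal"/></wsdl:output>
      <wsdl:fault name="addDuplicateFault">
        <wsp:PolicyReference URI="#EncrBody"/><wsdlsoap:fault name="addDuplicateFault" use="literal"/>
      </wsdl:fault>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _ns(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def index_policies(root):
    """Map each wsu:Id-bearing wsp:Policy (either WS-Policy namespace) to its element."""
    wsu_id = "{%s}Id" % WSU_NS
    return {el.get(wsu_id): el for el in root.iter()
            if _local(el.tag) == "Policy" and _ns(el.tag) in WSP_NSS and el.get(wsu_id)}


def policy_refs(el):
    """Policy ids referenced by the element's direct wsp:PolicyReference children."""
    return [c.get("URI", "").lstrip("#") for c in el
            if _local(c.tag) == "PolicyReference" and _ns(c.tag) in WSP_NSS]


def assertions(policy_el):
    """Local names of every sp:* assertion nested under a policy."""
    return {_local(e.tag) for e in policy_el.iter() if _ns(e.tag) == SP_NS}


def effective_policies(root):
    """Policy ids in force per message: binding scope, then operation scope, then message scope."""
    result = {}
    for binding in root.iter("{%s}binding" % WSDL_NS):
        for op in binding.iter("{%s}operation" % WSDL_NS):
            for msg in op:
                if _ns(msg.tag) != WSDL_NS or _local(msg.tag) not in ("input", "output", "fault"):
                    continue
                key = "%s/%s/%s" % (binding.get("name"), op.get("name"), msg.get("name") or _local(msg.tag))
                result[key] = policy_refs(binding) + policy_refs(op) + policy_refs(msg)
    return result


def effective_assertions(root):
    """Union of assertions from all policies in force for each message; fails on dangling refs."""
    policies = index_policies(root)
    out = {}
    for key, ids in effective_policies(root).items():
        dangling = [pid for pid in ids if pid not in policies]
        if dangling:
            raise KeyError("unresolved PolicyReference %s at %s" % (dangling, key))
        out[key] = set().union(*(assertions(policies[pid]) for pid in ids))
    return out


def messages_missing_parts(root):
    """Messages that inherit a security binding yet declare no signed or encrypted parts."""
    return sorted(k for k, a in effective_assertions(root).items()
                  if a & BINDING_ASSERTIONS and not a & PARTS_ASSERTIONS)


def analyse(wsdl_text=SAMPLE_WSDL):
    root = ET.fromstring(wsdl_text)
    return effective_assertions(root), messages_missing_parts(root)


if __name__ == "__main__":
    eff, gaps = analyse()
    for key in sorted(eff):
        print(key, sorted(eff[key]))
    print("security binding inherited but no parts protected:", gaps)
```

Pointing analyse at the text of a real WSDL gives the same per-message listing, which is a quick way to see what a policy-aware client will expect on each response before deploying the service.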
was:
When specifying SymmetricBinding at the operation level but only using it for
the request message, everything looks reasonable on the wire but the client
throws an exception when processing the response:
[java] WARNING: Interceptor for {http://ws.sosnoski.com/library/wsdl}CXFLibrary#{http://ws.sosnoski.com/library/wsdl}addBook has thrown exception, unwinding now
[java] org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied:
[java] {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: No derived keys found.
[java] at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
[java] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
[java] at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:733)
[java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2198)
[java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2071)
[java] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1925)
[java] at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
[java] at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:662)
[java] at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
[java] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:516)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
[java] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
[java] at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[java] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
The error appears to be caused by the client receiving a response without
security headers (which is correct according to the WSDL/policy).
Here's an edited version of the WSDL:
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
xmlns:wns="http://ws.sosnoski.com/library/wsdl"
xmlns:tns="http://ws.sosnoski.com/library/types"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
<!-- Policy for Username Token with hashed password, sent from client to
server only -->
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>
<!-- Policy for symmetric binding, using an ephemeral key generated by the client and
sent to the server as part of the request, using asymmetric encryption with the server
public key to secure the symmetric key. -->
<wsp:Policy wsu:Id="SymmEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
</wsp:Policy>
<!-- Policy for encrypting the message body. -->
<wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
URI="#UsernameToken"/>
...
<wsdl:operation name="addBook">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
URI="#SymmEncr"/>
<wsdlsoap:operation soapAction="urn:addBook"/>
<wsdl:input name="addBookRequest">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
URI="#EncrBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:input>
<wsdl:output name="addBookResponse">
<wsdlsoap:body use="literal"/>
</wsdl:output>
<wsdl:fault name="addDuplicateFault">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
URI="#EncrBody"/>
<wsdlsoap:fault name="addDuplicateFault" use="literal"/>
</wsdl:fault>
</wsdl:operation>
...
> SymmetricBinding used only for request causes error
> ---------------------------------------------------
>
> Key: CXF-3042
> URL: https://issues.apache.org/jira/browse/CXF-3042
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2.10
> Reporter: Dennis Sosnoski
> Attachments: effective1.tgz
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.