[ https://issues.apache.org/jira/browse/CXF-5609?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13933146#comment-13933146 ]
Colm O hEigeartaigh commented on CXF-5609:
------------------------------------------
There is probably no need for a separate LayoutBuilder - I will remove it.
However, the problem fundamentally is that your security policy is incorrect,
in that the Layout policy is in the wrong place.
Colm.
> Won't pass verification of explicit WSS Policy AsymmetricBinding -> Layout ->
> Policy -> Lax
> -------------------------------------------------------------------------------------------
>
> Key: CXF-5609
> URL: https://issues.apache.org/jira/browse/CXF-5609
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.6.13, 2.7.10
> Reporter: Modestas Vainius
> Assignee: Colm O hEigeartaigh
>
> Hello,
> I can't seem to get the CXF WS-* validator to accept a message for a service which
> has <sp:Layout> <wsp:Policy> <sp:Lax /> policy explicitly defined in the
> WSDL. Maybe I'm missing something, but all I get is:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Body>
>     <soap:Fault>
>       <faultcode>soap:Server</faultcode>
>       <faultstring>These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout</faultstring>
>     </soap:Fault>
>   </soap:Body>
> </soap:Envelope>
> I did some debugging on the issue and it appears that both
> org.apache.cxf.ws.security.policy.builders.LayoutBuilder and
> org.apache.cxf.ws.security.policy.model.AsymmetricBinding add
> org.apache.cxf.ws.security.policy.model.Layout assertions to the expected
> policy. However
> org.apache.cxf.ws.security.wss4j.policyvalidators.AbstractBindingPolicyValidator.checkProperties(SymmetricAsymmetricBindingBase,
> AssertionInfo, AssertionInfoMap, List<WSSecurityEngineResult>,
> List<WSSecurityEngineResult>, Message) successfully asserts only one of the
> Layout instances while the other one remains untouched and causes the failure
> to occur. If I comment out sp:Layout from the WSDL, validation passes since
> LayoutBuilder never adds its Layout instance.
> I guess that removing LayoutBuilder would fix the problem but I'm not sure if
> this is the right thing to do.
> Relevant excerpt from WSDL:
> <wsp:Policy wsu:Id="SignAndEncrypt"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>     wsdl:required="true">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256Rsa15 />
>               <sp:TripleDesRsa15 />
>               <sp:Basic128Rsa15 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:IncludeTimestamp />
>           <sp:EncryptSignature />
>           <sp:OnlySignEntireHeadersAndBody />
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:Wss10>
>         <wsp:Policy>
>           <sp:MustSupportRefIssuerSerial />
>           <sp:MustSupportRefEmbeddedToken />
>         </wsp:Policy>
>       </sp:Wss10>
>       <sp:Layout>
>         <wsp:Policy>
>           <sp:Lax />
>         </wsp:Policy>
>       </sp:Layout>
>       <sp:SignedParts>
>         <sp:Body />
>         <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
>         <sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
>       </sp:SignedParts>
>       <sp:EncryptedParts>
>         <sp:Body />
>       </sp:EncryptedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
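An added illustration of the comment above (not code from CXF or from either participant): in WS-SecurityPolicy, sp:Layout is a nested assertion of the binding, so it belongs inside the sp:AsymmetricBinding's wsp:Policy rather than beside it. The Python check below flags any sp:Layout that is not owned by a binding assertion; the function names are hypothetical and both sample policies are constructed, trimmed versions of the excerpt.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP_NAMESPACES = ("http://www.w3.org/ns/ws-policy",
                  "http://schemas.xmlsoap.org/ws/2004/09/policy")
# WS-Policy operators only group assertions; they never "own" a nested one.
OPERATORS = {f"{{{ns}}}{name}" for ns in WSP_NAMESPACES
             for name in ("Policy", "ExactlyOne", "All")}
BINDINGS = {f"{{{SP}}}{name}" for name in
            ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")}
LAYOUT = f"{{{SP}}}Layout"

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def misplaced_layouts(policy_xml):
    """Return the element path of every sp:Layout not nested in a binding."""
    findings = []
    def walk(elem, ancestors):
        if elem.tag == LAYOUT:
            # Nearest enclosing assertion, skipping Policy/ExactlyOne/All.
            owner = next((a for a in reversed(ancestors)
                          if a.tag not in OPERATORS), None)
            if owner is None or owner.tag not in BINDINGS:
                findings.append("/".join(local(e.tag)
                                         for e in ancestors + [elem]))
        for child in elem:
            walk(child, ancestors + [elem])
    walk(ET.fromstring(policy_xml), [])
    return findings

# Constructed samples: the same trimmed policy with sp:Layout in two places.
LAYOUT_XML = "<sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>"
TEMPLATE = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:IncludeTimestamp/>{inside}
    </wsp:Policy></sp:AsymmetricBinding>{outside}
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""
MISPLACED = TEMPLATE.format(inside="", outside=LAYOUT_XML)  # as in the report
CORRECTED = TEMPLATE.format(inside=LAYOUT_XML, outside="")  # Layout in binding

if __name__ == "__main__":
    print("misplaced:", misplaced_layouts(MISPLACED))
    print("corrected:", misplaced_layouts(CORRECTED))
```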