Brian Storm Graversen created CXF-6398:
------------------------------------------

             Summary: AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
                 Key: CXF-6398
                 URL: https://issues.apache.org/jira/browse/CXF-6398
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 3.0.5
            Reporter: Brian Storm Graversen


I'm receiving a response from a (.NET) webservice, where the security 
requirements are set by a WS-SecurityPolicy section in the WSDL.

The response contains a set of Reference elements that have both the 
enveloped-signature transform and the c14n transform, example below:

{code:xml}
<Reference URI="#action">
    <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
    <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
</Reference>
{code}

Unfortunately, the AlgorithmSuitePolicyValidator does not like the 
enveloped-signature transform, and the response is rejected, exception shown 
below

{code}
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
        at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
        at client.WSClient.hello(WSClient.java:19)
        at client.WSClient.main(WSClient.java:12)
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
        at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
        at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
        at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
{code}

I took a look at the AlgorithmSuitePolicyValidator that does the actual 
validation, and it scans through all the Transforms, and rejects the Reference 
if ANY of the Transform elements are not on an approved list.

Should it not just validate that the list of Transforms contains at least one 
transform that is c14n (or similar), and allow the enveloped-signature transform?
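The two validation rules the report contrasts, applied to the Reference element quoted above, as an added example (not CXF's AlgorithmSuitePolicyValidator and not the reporter's code). The approved-transform set used for the strict rule is an assumption made to reproduce the rejection described above; the sample Reference elements are constructed from the snippet in the report. The permitted-extras rule is deliberately an explicit allow-list so that a transform the policy never named (an XSLT transform is used here as the constructed negative case) is still rejected:

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"  # constructed negative case

# Constructed sample: the Reference from the report, placed in the XMLDSig namespace.
REPORTED_REFERENCE = f"""
<Reference xmlns="{DS_NS}" URI="#action">
  <Transforms>
    <Transform Algorithm="{ENVELOPED}"/>
    <Transform Algorithm="{EXC_C14N}"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
</Reference>
"""

# Constructed: enveloped-signature only, no canonicalization at all.
NO_C14N_REFERENCE = f"""
<Reference xmlns="{DS_NS}" URI="#action">
  <Transforms><Transform Algorithm="{ENVELOPED}"/></Transforms>
</Reference>
"""

# Constructed: c14n present, but accompanied by a transform the policy never listed.
UNLISTED_TRANSFORM_REFERENCE = f"""
<Reference xmlns="{DS_NS}" URI="#action">
  <Transforms>
    <Transform Algorithm="{XSLT}"/>
    <Transform Algorithm="{EXC_C14N}"/>
  </Transforms>
</Reference>
"""

# Assumption: the strict rule only knows the suite's c14n algorithm.
APPROVED_STRICT = {EXC_C14N}
C14N_ALGORITHMS = {EXC_C14N}
EXTRA_ALLOWED = {ENVELOPED}


def transform_algorithms(reference_xml):
    """Collect the Algorithm attribute of every ds:Transform under the Reference."""
    root = ET.fromstring(reference_xml)
    return [t.get("Algorithm", "") for t in root.iter(f"{{{DS_NS}}}Transform")]


def strict_all_approved(algorithms, approved=APPROVED_STRICT):
    """Rule the report describes: reject if ANY transform is off the approved list."""
    return all(a in approved for a in algorithms)


def c14n_required_extras_allowed(algorithms,
                                 c14n=C14N_ALGORITHMS,
                                 extra_allowed=EXTRA_ALLOWED):
    """Rule the report proposes: at least one c14n transform must be present,
    and every other transform must be on an explicit allow-list."""
    has_c14n = any(a in c14n for a in algorithms)
    others_ok = all(a in c14n or a in extra_allowed for a in algorithms)
    return has_c14n and others_ok


def evaluate(reference_xml):
    """Return both verdicts for one Reference so they can be compared side by side."""
    algos = transform_algorithms(reference_xml)
    return {
        "transforms": algos,
        "strict": strict_all_approved(algos),
        "proposed": c14n_required_extras_allowed(algos),
    }


if __name__ == "__main__":
    for name, xml in (("reported", REPORTED_REFERENCE),
                      ("no_c14n", NO_C14N_REFERENCE),
                      ("unlisted", UNLISTED_TRANSFORM_REFERENCE)):
        print(name, evaluate(xml))
```

The reported Reference fails the strict rule and passes the proposed one; the Reference with no canonicalization and the one carrying an unlisted transform fail both, which is the property a relaxed validator still has to preserve.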



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)