[ https://issues.apache.org/jira/browse/CXF-6398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14537877#comment-14537877 ]

Brian Storm Graversen commented on CXF-6398:
--------------------------------------------

I think that this validation code might have been inspired by the Basic 
Security Profile 1.1 rule 5412, as it states that the LAST Transform must be 
one of the Transforms that the code in checkDataRefs() validates against.

http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html#Last_Transform_Algorithm

I think the problem is that the validation is too strict, as it requires ALL 
Transforms to be on this list, and not just the LAST Transform.

> AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
> -------------------------------------------------------------------
>
>                 Key: CXF-6398
>                 URL: https://issues.apache.org/jira/browse/CXF-6398
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.5
>            Reporter: Brian Storm Graversen
>
> I'm receiving a response from a (.NET) webservice, where the security 
> requirements are set by a WS-SecurityPolicy section in the WSDL.
> The response contains a set of Reference elements, that have both the 
> enveloped-signature transform and the c14n transform, example below
> {code:xml}
>       <Reference URI="#action">
>               <Transforms>
>                       <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>                       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
>               </Transforms>
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>               <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
>       </Reference>
> {code}
> Unfortunately, the AlgorithmSuitePolicyValidator does not like the 
> enveloped-signature transform, and the response is rejected, exception shown 
> below
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy 
> alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: 
> The transform algorithms do not match the requirement
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>       at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
>       at client.WSClient.hello(WSClient.java:19)
>       at client.WSClient.main(WSClient.java:12)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy 
> alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: 
> The transform algorithms do not match the requirement
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at 
> org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
>       at 
> org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
>       at 
> org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>       at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> {code}
> I took a look at the AlgorithmSuitePolicyValidator that does the actual 
> validation, and it scans through all the Transforms, and rejects the Reference 
> if ANY of the Transform elements are not on an approved list.
> Should it not just validate that the list of Transforms contains at least one 
> transform that is c14n (or similar), and allow the enveloped-signature 
> transform?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
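The following is an added example, not code from CXF or from the issue reporter. It parses the Reference quoted in the report and runs it through both checks discussed above: the over-strict rule (every Transform must be on the approved list) and the Basic Security Profile 1.1 style rule the comment points to (only the LAST Transform must be on the list). The allowed set `ALLOWED_FINAL_TRANSFORMS` is an assumption for illustration and is not CXF's actual list from `checkDataRefs()`; the function names are likewise invented for this example.

```python
import xml.etree.ElementTree as ET

# Transform algorithm URIs that appear in the CXF-6398 report.
ENVELOPED_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Assumed allowed set for this example: canonicalization-style transforms an
# AlgorithmSuite would accept as the final transform. CXF's real list in
# checkDataRefs() may differ; this set is not copied from the project.
ALLOWED_FINAL_TRANSFORMS = frozenset({
    EXC_C14N,
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
})

# The Reference element from the issue, reproduced with self-closing tags and
# without the stray ';' after each Algorithm value so that it parses.
REFERENCE_XML = """<Reference URI="#action">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
</Reference>"""


def _local_name(tag):
    # Strip a "{namespace}" prefix so ds:Transform and plain Transform match.
    return tag.rsplit("}", 1)[-1]


def transform_algorithms(reference_xml):
    """Return the Transform Algorithm URIs of a Reference in document order.
    Works whether or not the elements carry the ds: namespace."""
    root = ET.fromstring(reference_xml)
    return [
        el.get("Algorithm", "")
        for el in root.iter()
        if _local_name(el.tag) == "Transform"
    ]


def every_transform_allowed(algorithms, allowed=ALLOWED_FINAL_TRANSFORMS):
    """The over-strict rule the issue describes: reject the Reference if ANY
    transform is off the list. enveloped-signature fails this even though it
    only removes the Signature element before canonicalization."""
    if not algorithms:  # all([]) is True, so an empty chain must be handled first
        return False
    return all(alg in allowed for alg in algorithms)


def last_transform_allowed(algorithms, allowed=ALLOWED_FINAL_TRANSFORMS):
    """BSP 1.1 style rule (rule 5412 as the comment reads it): only the LAST
    transform, the one producing the octets that are actually digested, must
    be on the list; preparatory transforms such as enveloped-signature may
    precede it."""
    if not algorithms:
        return False
    return algorithms[-1] in allowed


def validate_reference(reference_xml, require_all=False):
    """Run one of the two policies over a Reference; returns (accepted, chain)."""
    chain = transform_algorithms(reference_xml)
    check = every_transform_allowed if require_all else last_transform_allowed
    return check(chain), chain


if __name__ == "__main__":
    for strict in (True, False):
        ok, chain = validate_reference(REFERENCE_XML, require_all=strict)
        print(f"require_all={strict}: {'accept' if ok else 'reject'} {chain}")
```

Run stand-alone, the script rejects the reporter's Reference under the require-all policy and accepts it under the last-transform policy, which is exactly the difference the comment describes. Note that reversing the chain (c14n first, enveloped-signature last) is rejected by the last-transform check, and an empty Transforms list is rejected by both, since `all()` over an empty list would otherwise pass vacuously.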
