[
https://issues.apache.org/jira/browse/CXF-6398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved CXF-6398.
--------------------------------------
Resolution: Pending Closed
> AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
> -------------------------------------------------------------------
>
> Key: CXF-6398
> URL: https://issues.apache.org/jira/browse/CXF-6398
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 3.0.5
> Reporter: Brian Storm Graversen
> Assignee: Colm O hEigeartaigh
> Fix For: 3.1.1, 3.0.6
>
>
> I'm receiving a response from a (.NET) webservice, where the security
> requirements are set by a WS-SecurityPolicy section in the WSDL.
> The response contains a set of Reference elements that have both the
> enveloped-signature transform and the c14n transform, example below
> {code:xml}
> <Reference URI="#action">
>   <Transforms>
>     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
>   </Transforms>
>   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>   <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
> </Reference>
> {code}
> Unfortunately, the AlgorithmSuitePolicyValidator does not like the
> enveloped-signature transform, and the response is rejected, exception shown
> below
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>     at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
>     at client.WSClient.hello(WSClient.java:19)
>     at client.WSClient.main(WSClient.java:12)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>     at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
>     at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
>     at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> {code}
> I took a look at the AlgorithmSuitePolicyValidator that does the actual
> validation, and it scans through all the Transforms, and rejects the Reference
> if ANY of the Transform elements are not on an approved list.
> Should it not just validate that the list of Transforms contains at least one
> transform that is c14n (or similar), and allow the enveloped-signature
> transform?
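The two checks discussed in the report, side by side, as an added example that is not part of the original message and is not CXF's code. It assumes an approved list holding only exclusive c14n; the class and method names are hypothetical, and the second Reference (with an XSLT transform) is a constructed variant showing that the literal "at least one c14n" reading would also accept transforms other than enveloped-signature, while the narrower reading does not.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class TransformCheckDemo { // hypothetical name, not a CXF class
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String ENVELOPED = DS + "enveloped-signature";
    static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    static final String XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116";
    // Assumption: the policy's approved list holds only exclusive c14n.
    static final Set<String> APPROVED = Set.of(EXC_C14N);

    // Behaviour described in the report: any Transform off the list fails the Reference.
    static boolean strict(List<String> t) { return APPROVED.containsAll(t); }
    // Literal reading of the suggestion: one approved c14n Transform is enough.
    static boolean atLeastOneC14n(List<String> t) { return t.stream().anyMatch(APPROVED::contains); }
    // Narrower reading: one approved c14n, and the only extra allowed is enveloped-signature.
    static boolean c14nPlusEnveloped(List<String> t) {
        return atLeastOneC14n(t)
            && t.stream().allMatch(a -> APPROVED.contains(a) || ENVELOPED.equals(a));
    }

    // Builds a constructed sample Reference and reads its Transform algorithms back out.
    static List<String> transformsOf(String... algs) throws Exception {
        StringBuilder xml = new StringBuilder("<Reference xmlns=\"" + DS + "\" URI=\"#action\"><Transforms>");
        for (String a : algs) xml.append("<Transform Algorithm=\"").append(a).append("\"/>");
        xml.append("</Transforms></Reference>");
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        NodeList n = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.toString().getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(DS, "Transform");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < n.getLength(); i++) out.add(((Element) n.item(i)).getAttribute("Algorithm"));
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> reported = transformsOf(ENVELOPED, EXC_C14N); // Transforms from the report
        List<String> withXslt = transformsOf(XSLT, EXC_C14N);      // constructed variant
        for (List<String> t : List.of(reported, withXslt))
            System.out.println(t + "\n  strict=" + strict(t) + " atLeastOneC14n="
                + atLeastOneC14n(t) + " c14nPlusEnveloped=" + c14nPlusEnveloped(t));
    }
}
```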