[ https://issues.apache.org/jira/browse/CXF-6398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-6398.
------------------------------------

> AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
> -------------------------------------------------------------------
>
>                 Key: CXF-6398
>                 URL: https://issues.apache.org/jira/browse/CXF-6398
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.5
>            Reporter: Brian Storm Graversen
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.1.1, 3.0.6
>
>
> I'm receiving a response from a (.NET) webservice, where the security 
> requirements are set by a WS-SecurityPolicy section in the WSDL.
> The response contains a set of Reference elements that have both the 
> enveloped-signature transform and the c14n transform, example below
> {code:xml}
>       <Reference URI="#action">
>               <Transforms>
>                       <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
>                       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
>               </Transforms>
>               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>               <DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
>       </Reference>
> {code}
> Unfortunately, the AlgorithmSuitePolicyValidator does not like the 
> enveloped-signature transform, and the response is rejected, exception shown 
> below
> {code}
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy 
> alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: 
> The transform algorithms do not match the requirement
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>       at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
>       at client.WSClient.hello(WSClient.java:19)
>       at client.WSClient.main(WSClient.java:12)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy 
> alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: 
> The transform algorithms do not match the requirement
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
>       at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
>       at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
>       at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> {code}
> I took a look at the AlgorithmSuitePolicyValidator that does the actual 
> validation, and it scans through all the Transforms, and rejects the Reference 
> if ANY of the Transform elements are not on an approved list.
> Should it not just validate that the list of Transforms contains at least one 
> transform that is c14n (or similar), and allow the enveloped-signature 
> transform?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
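
The two checks discussed in the report, as an added example that is not CXF's code and not the fix applied for CXF-6398: it compares a reject-on-any-unlisted-transform check with a relaxed one that tolerates enveloped-signature but still refuses every other unlisted transform. The class and method names are hypothetical, the allowed set (exclusive c14n only) is an assumption, and the sample XML is constructed from the Reference in the report.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Hypothetical demo class; not CXF or WSS4J code. Requires Java 9+ (Set.of, List.of).
public class TransformCheckDemo {
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String ENVELOPED = DSIG + "enveloped-signature";
    // Assumption: the algorithm suite allows only exclusive c14n as a transform.
    static final Set<String> SUITE_C14N = Set.of("http://www.w3.org/2001/10/xml-exc-c14n#");

    // Collect the Algorithm URI of every ds:Transform in one Reference.
    static List<String> transforms(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(DSIG, "Transform");
        List<String> uris = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) uris.add(((Element) nodes.item(i)).getAttribute("Algorithm"));
        return uris;
    }

    // Behaviour described in the report: any transform outside the suite fails the Reference.
    static boolean strict(List<String> uris) { return SUITE_C14N.containsAll(uris); }

    // Relaxed variant: enveloped-signature is tolerated, a suite c14n is still
    // required, and any other transform (XSLT, XPath, ...) is still rejected.
    static boolean relaxed(List<String> uris) {
        boolean sawC14n = false;
        for (String u : uris) {
            if (SUITE_C14N.contains(u)) sawC14n = true;
            else if (!ENVELOPED.equals(u)) return false;
        }
        return sawC14n;
    }

    public static void main(String[] args) throws Exception {
        String head = "<Reference xmlns='" + DSIG + "' URI='#action'><Transforms>";
        String c14nTail = "<Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/></Transforms></Reference>";
        // Constructed samples: the report's Reference, and one carrying an XSLT transform.
        String reported = head + "<Transform Algorithm='" + ENVELOPED + "'/>" + c14nTail;
        String xslt = head + "<Transform Algorithm='http://www.w3.org/TR/1999/REC-xslt-19991116'/>" + c14nTail;
        for (String x : List.of(reported, xslt)) System.out.println(strict(transforms(x)) + " " + relaxed(transforms(x)));
    }
}
```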
