Re: WS-SecurityPolicy: Problem with AsymmetricBinding: Not signed before encrypted

Wed, 08 Apr 2009 13:58:57 -0700 

That definitely looks like a bug.  Can you log a jira with your policy 
attached?   I'll see if I can look at it tomorrow.

Dan


On Wed April 8 2009 12:07:31 pm Benjamin Ernst wrote:
> Hello everybody,
>
> I have a problem with the WS-SecurityPolicy. My Policy only asserts that
> the body is signed, but not encrypted. Sending signed messages is no
> problem, but when I receive a signed message the following error appears:
>
>   Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> alternatives can not be satisfied:
>   {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
>: Not signed before encrypted
>
> There should not be any encryption at all, only signing. I debugged into
> the code and found the following Method in the
> PolicyBasedWSS4JInInterceptor.java:
>
>  private boolean assertAsymetricBinding(AssertionInfoMap aim,
>                                            SoapMessage message,
>                                            SOAPMessage doc,
>                                            Protections prots,
>                                            boolean derived) {
>         Collection<AssertionInfo> ais =
> aim.get(SP12Constants.ASYMMETRIC_BINDING);
>         if (ais == null) {
>             return true;
>         }
>         for (AssertionInfo ai : ais) {
>             AsymmetricBinding abinding =
> (AsymmetricBinding)ai.getAssertion();
>             ai.setAsserted(true);
>             if (abinding.getProtectionOrder() ==
> SPConstants.ProtectionOrder.EncryptBeforeSigning) {
>                 if (abinding.isSignatureProtection()) {
>                     if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
>                         ai.setNotAsserted("Not encrypted before signed and
> then protected");
>                     }
>                 } else if (prots != Protections.ENCRYPT_SIGN) {
>                     ai.setNotAsserted("Not encrypted before
> signed");
>                 }
>             } else if (prots != Protections.SIGN_ENCRYPT) {
>                 ai.setNotAsserted("Not signed before
> encrypted");
>             }
>             assertPolicy(aim, abinding.getInitiatorToken());
>             assertPolicy(aim, abinding.getRecipientToken());
>             assertPolicy(aim, abinding.getInitiatorToken().getToken(),
> derived);
>             assertPolicy(aim, abinding.getRecipientToken().getToken(),
> derived);
>         }
>         return true;
>     }
>
> In this method the value of prots is ="SIGN" which is correct. But the
> if-statement only checks if prots is not SIGN_ENCRYPT and then sets it to
> notasserted. It might be because SPConstants.ProtectionOrder only knows
> EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only
> signing, or only encrypting.
>
> Is this an error, or do I have to configure something else?
>
> Here is my Policy:
>
> <wsp:Policy
>     wsu:Id='Sig'
>     xmlns:wsu='
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
>1.0.xsd '
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>     xsi:schemaLocation="
>       http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
>       http://schemas.xmlsoap.org/ws/2004/09/policy
>       http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
>   ">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:AsymmetricBinding xmlns:sp='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>                 <wsp:Policy>
>                     <sp:InitiatorToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToR
>ecipient '>
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10 />
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:InitiatorToken>
>                     <sp:RecipientToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10 />
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:RecipientToken>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp:Basic256 />
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Strict />
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:OnlySignEntireHeadersAndBody />
>                 </wsp:Policy>
>             </sp:AsymmetricBinding>
>             <sp:Wss10 xmlns:sp='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>                 <wsp:Policy>
>                     <sp:MustSupportRefEmbeddedToken />
>                 </wsp:Policy>
>             </sp:Wss10>
>             <sp:SignedParts xmlns:sp='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>                 <sp:Body />
>             </sp:SignedParts>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> Thanks for any help!
>
> --Benjamin

-- 
Daniel Kulp
[email protected]
http://www.dankulp.com/blog

Reply via email to