Hi Dan, thanks for your help. I logged a Jira (https://issues.apache.org/jira/browse/CXF-2165) for this. My Policy should be attached to it.
-- Benjamin

On Wed, Apr 8, 2009 at 10:58 PM, Daniel Kulp <[email protected]> wrote:

>
> That definitely looks like a bug. Can you log a jira with your policy
> attached? I'll see if I can look at it tomorrow.
>
> Dan
>
>
> On Wed April 8 2009 12:07:31 pm Benjamin Ernst wrote:
> > Hello everybody,
> >
> > I have a problem with the WS-SecurityPolicy. My Policy only asserts that
> > the body is signed, but not encrypted. Sending signed messages is no
> > problem, but when I receive a signed message the following error appears:
> >
> > Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> > alternatives can not be satisfied:
> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Not signed before encrypted
> >
> > There should not be any encryption at all, only signing. I debugged into
> > the code and found the following Method in the
> > PolicyBasedWSS4JInInterceptor.java:
> >
> >     private boolean assertAsymetricBinding(AssertionInfoMap aim,
> >                                            SoapMessage message,
> >                                            SOAPMessage doc,
> >                                            Protections prots,
> >                                            boolean derived) {
> >         Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
> >         if (ais == null) {
> >             return true;
> >         }
> >         for (AssertionInfo ai : ais) {
> >             AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
> >             ai.setAsserted(true);
> >             if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
> >                 if (abinding.isSignatureProtection()) {
> >                     if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
> >                         ai.setNotAsserted("Not encrypted before signed and then protected");
> >                     }
> >                 } else if (prots != Protections.ENCRYPT_SIGN) {
> >                     ai.setNotAsserted("Not encrypted before signed");
> >                 }
> >             } else if (prots != Protections.SIGN_ENCRYPT) {
> >                 ai.setNotAsserted("Not signed before encrypted");
> >             }
> >             assertPolicy(aim, abinding.getInitiatorToken());
> >             assertPolicy(aim, abinding.getRecipientToken());
> >             assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
> >             assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
> >         }
> >         return true;
> >     }
> >
> > In this method the value of prots is "SIGN", which is correct. But the
> > if-statement only checks if prots is not SIGN_ENCRYPT and then sets it to
> > notasserted. It might be because SPConstants.ProtectionOrder only knows
> > EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only
> > signing, or only encrypting.
> >
> > Is this an error, or do I have to configure something else?
> >
> > Here is my Policy:
> >
> > <wsp:Policy
> >     wsu:Id='Sig'
> >     xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
> >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >     xsi:schemaLocation="
> >         http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
> >         http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
> >         http://schemas.xmlsoap.org/ws/2004/09/policy
> >         http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
> >     ">
> >   <wsp:ExactlyOne>
> >     <wsp:All>
> >       <sp:AsymmetricBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> >         <wsp:Policy>
> >           <sp:InitiatorToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'>
> >                 <wsp:Policy>
> >                   <sp:WssX509V3Token10 />
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:InitiatorToken>
> >           <sp:RecipientToken>
> >             <wsp:Policy>
> >               <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
> >                 <wsp:Policy>
> >                   <sp:WssX509V3Token10 />
> >                 </wsp:Policy>
> >               </sp:X509Token>
> >             </wsp:Policy>
> >           </sp:RecipientToken>
> >           <sp:AlgorithmSuite>
> >             <wsp:Policy>
> >               <sp:Basic256 />
> >             </wsp:Policy>
> >           </sp:AlgorithmSuite>
> >           <sp:Layout>
> >             <wsp:Policy>
> >               <sp:Strict />
> >             </wsp:Policy>
> >           </sp:Layout>
> >           <sp:OnlySignEntireHeadersAndBody />
> >         </wsp:Policy>
> >       </sp:AsymmetricBinding>
> >       <sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> >         <wsp:Policy>
> >           <sp:MustSupportRefEmbeddedToken />
> >         </wsp:Policy>
> >       </sp:Wss10>
> >       <sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> >         <sp:Body />
> >       </sp:SignedParts>
> >     </wsp:All>
> >   </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> >
> > Thanks for any help!
> >
> > --Benjamin
>
> --
> Daniel Kulp
> [email protected]
> http://www.dankulp.com/blog
>
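
The comparison reported in the original message, modelled beside an order-only variant. This is an added example, not CXF source and not the change made for CXF-2165; the class name, both method names and the NONE and ENCRYPT states are assumptions.

```java
// Added illustration: a simplified model, not Apache CXF source.
public class ProtectionOrderCheck {
    // SIGN, SIGN_ENCRYPT, ENCRYPT_SIGN and ENCRYPT_SIGN_PROTECT are named in the
    // thread; NONE and ENCRYPT are assumed here to complete the model.
    enum Protections { NONE, SIGN, ENCRYPT, SIGN_ENCRYPT, ENCRYPT_SIGN, ENCRYPT_SIGN_PROTECT }

    enum ProtectionOrder { EncryptBeforeSigning, SignBeforeEncrypting }

    // Same comparisons as the quoted method, with signature protection off:
    // every state except the exact combined one is reported.
    // Returns the failure text, or null when the assertion holds.
    static String strictCheck(ProtectionOrder order, Protections prots) {
        if (order == ProtectionOrder.EncryptBeforeSigning) {
            return prots != Protections.ENCRYPT_SIGN ? "Not encrypted before signed" : null;
        }
        return prots != Protections.SIGN_ENCRYPT ? "Not signed before encrypted" : null;
    }

    // Hypothetical variant: report only when both operations were observed
    // and their order contradicts the policy.
    static String orderOnlyCheck(ProtectionOrder order, Protections prots) {
        boolean encryptedFirst = prots == Protections.ENCRYPT_SIGN
                || prots == Protections.ENCRYPT_SIGN_PROTECT;
        boolean signedFirst = prots == Protections.SIGN_ENCRYPT;
        if (order == ProtectionOrder.EncryptBeforeSigning && signedFirst) {
            return "Not encrypted before signed";
        }
        if (order == ProtectionOrder.SignBeforeEncrypting && encryptedFirst) {
            return "Not signed before encrypted";
        }
        return null;
    }

    public static void main(String[] args) {
        // The posted policy sets no protection order, which the thread shows
        // falling through to the sign-before-encrypt branch.
        ProtectionOrder order = ProtectionOrder.SignBeforeEncrypting;
        for (Protections p : Protections.values()) {
            System.out.printf("%-21s strict=%-28s orderOnly=%s%n",
                    p, strictCheck(order, p), orderOnlyCheck(order, p));
        }
    }
}
```

For SIGN, strictCheck returns the text from the reported exception while orderOnlyCheck returns null. The variant also accepts NONE, so the requirement that the body is signed has to come from a separate check of the policy's sp:SignedParts assertion.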
