On Thu April 9 2009 3:00:59 am Benjamin Ernst wrote:
> Hi Dan,
>
> thanks, for your help. I logged a Jira
> (https://issues.apache.org/jira/browse/CXF-2165) for this. My Policy should
> be attached to it.

This should now be fixed. Thanks for the policy.

Dan

> -- Benjamin
>
> On Wed, Apr 8, 2009 at 10:58 PM, Daniel Kulp <[email protected]> wrote:
> > That definitely looks like a bug. Can you log a jira with your policy
> > attached? I'll see if I can look at it tomorrow.
> >
> > Dan
> >
> > On Wed April 8 2009 12:07:31 pm Benjamin Ernst wrote:
> > > Hello everybody,
> > >
> > > I have a problem with the WS-SecurityPolicy. My Policy only asserts
> > > that the body is signed, but not encrypted. Sending signed messages is
> > > no problem, but when I receive a signed message the following error
> > > appears:
> > >
> > > Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> > > alternatives can not be satisfied:
> > > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Not signed before encrypted
> > >
> > > There should not be any encryption at all, only signing. I debugged
> > > into the code and found the following Method in the
> > > PolicyBasedWSS4JInInterceptor.java:
> > >
> > >     private boolean assertAsymetricBinding(AssertionInfoMap aim,
> > >                                            SoapMessage message,
> > >                                            SOAPMessage doc,
> > >                                            Protections prots,
> > >                                            boolean derived) {
> > >         Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
> > >         if (ais == null) {
> > >             return true;
> > >         }
> > >         for (AssertionInfo ai : ais) {
> > >             AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
> > >             ai.setAsserted(true);
> > >             if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
> > >                 if (abinding.isSignatureProtection()) {
> > >                     if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
> > >                         ai.setNotAsserted("Not encrypted before signed and then protected");
> > >                     }
> > >                 } else if (prots != Protections.ENCRYPT_SIGN) {
> > >                     ai.setNotAsserted("Not encrypted before signed");
> > >                 }
> > >             } else if (prots != Protections.SIGN_ENCRYPT) {
> > >                 ai.setNotAsserted("Not signed before encrypted");
> > >             }
> > >             assertPolicy(aim, abinding.getInitiatorToken());
> > >             assertPolicy(aim, abinding.getRecipientToken());
> > >             assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
> > >             assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
> > >         }
> > >         return true;
> > >     }
> > >
> > > In this method the value of prots is ="SIGN" which is correct. But the
> > > if-statement only checks if prots is not SIGN_ENCRYPT and then sets it
> > > to notasserted. It might be because SPConstants.ProtectionOrder only
> > > knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing
> > > about only signing, or only encrypting.
> > >
> > > Is this an error, or do I have to configure something else?
> > >
> > > Here is my Policy:
> > >
> > > <wsp:Policy
> > >     wsu:Id='Sig'
> > >     xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
> > >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > >     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> > >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >     xsi:schemaLocation="
> > >         http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
> > >         http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
> > >         http://schemas.xmlsoap.org/ws/2004/09/policy
> > >         http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
> > >     ">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:AsymmetricBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > >         <wsp:Policy>
> > >           <sp:InitiatorToken>
> > >             <wsp:Policy>
> > >               <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'>
> > >                 <wsp:Policy>
> > >                   <sp:WssX509V3Token10 />
> > >                 </wsp:Policy>
> > >               </sp:X509Token>
> > >             </wsp:Policy>
> > >           </sp:InitiatorToken>
> > >           <sp:RecipientToken>
> > >             <wsp:Policy>
> > >               <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
> > >                 <wsp:Policy>
> > >                   <sp:WssX509V3Token10 />
> > >                 </wsp:Policy>
> > >               </sp:X509Token>
> > >             </wsp:Policy>
> > >           </sp:RecipientToken>
> > >           <sp:AlgorithmSuite>
> > >             <wsp:Policy>
> > >               <sp:Basic256 />
> > >             </wsp:Policy>
> > >           </sp:AlgorithmSuite>
> > >           <sp:Layout>
> > >             <wsp:Policy>
> > >               <sp:Strict />
> > >             </wsp:Policy>
> > >           </sp:Layout>
> > >           <sp:OnlySignEntireHeadersAndBody />
> > >         </wsp:Policy>
> > >       </sp:AsymmetricBinding>
> > >       <sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > >         <wsp:Policy>
> > >           <sp:MustSupportRefEmbeddedToken />
> > >         </wsp:Policy>
> > >       </sp:Wss10>
> > >       <sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > >         <sp:Body />
> > >       </sp:SignedParts>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > >
> > > Thanks for any help!
> > >
> > > --Benjamin
> >
> > --
> > Daniel Kulp
> > [email protected]
> > http://www.dankulp.com/blog

--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
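
Added example, not part of the original thread and not CXF's code or its actual fix for CXF-2165: a stand-alone model of the protection-order check quoted above, next to a hypothetical variant that first enforces the operations the policy requires and compares ordering only when the message was both signed and encrypted. The enums, method names and the `needSignature`/`needEncryption` flags (assumed to be derived from `SignedParts`/`EncryptedParts`) are the example's own.

```java
public class ProtectionOrderCheck {
    // Example's own model of the values named in the thread, not CXF's classes.
    enum Protections { NONE, SIGN, ENCRYPT, SIGN_ENCRYPT, ENCRYPT_SIGN, ENCRYPT_SIGN_PROTECT }
    enum ProtectionOrder { EncryptBeforeSigning, SignBeforeEncrypting }

    /** Logic as quoted in the thread: null means satisfied, otherwise the failure text. */
    static String quotedCheck(ProtectionOrder order, boolean sigProtection, Protections prots) {
        if (order == ProtectionOrder.EncryptBeforeSigning) {
            if (sigProtection) {
                return prots != Protections.ENCRYPT_SIGN_PROTECT
                        ? "Not encrypted before signed and then protected" : null;
            }
            return prots != Protections.ENCRYPT_SIGN ? "Not encrypted before signed" : null;
        }
        return prots != Protections.SIGN_ENCRYPT ? "Not signed before encrypted" : null;
    }

    /** Hypothetical variant: enforce required operations first, order only when both occurred. */
    static String orderAwareCheck(ProtectionOrder order, boolean sigProtection, Protections prots,
                                  boolean needSignature, boolean needEncryption) {
        boolean signed = prots != Protections.NONE && prots != Protections.ENCRYPT;
        boolean encrypted = prots != Protections.NONE && prots != Protections.SIGN;
        if (needSignature && !signed) {
            return "Required signature missing";
        }
        if (needEncryption && !encrypted) {
            return "Required encryption missing";
        }
        // Ordering is only meaningful when the message was both signed and encrypted.
        return (signed && encrypted) ? quotedCheck(order, sigProtection, prots) : null;
    }

    public static void main(String[] args) {
        // Constructed input: the policy in the thread names no protection order, so the
        // quoted code takes its final else branch; SignedParts/Body is present and there
        // is no EncryptedParts, so a signature is required and encryption is not.
        ProtectionOrder order = ProtectionOrder.SignBeforeEncrypting;
        Protections[] seen = {Protections.SIGN, Protections.NONE, Protections.ENCRYPT_SIGN};
        for (Protections p : seen) {
            System.out.println(p + " quoted: " + quotedCheck(order, false, p)
                    + " | order-aware: " + orderAwareCheck(order, false, p, true, false));
        }
    }
}
```

The point of the variant is that relaxing the order check must not relax the requirement itself: a sign-only message passes, while an unsigned message and a message protected in the wrong order are still rejected.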
