I believe this is a deficiency in the "appliesTo" handling for the EPR stuff.
Looking at the code, I see:

    public boolean appliesTo(EndpointInfo ei) {
        return epr.getAddress().getValue().equals(ei.getAddress());
    }

Thus, it will only match on an exact string compare of the URL. Your policy
has xsd:anyUri which doesn't match exactly. I'd need to dig in to specs
more to figure out what is allowed.
Dan
On Mon June 29 2009 2:05:34 pm Anthony Davidson wrote:
> Daniel,
>
> Thanks for responding.
>
> I put together a small application based on one of the sample applications
> but I was not able to reproduce the NPE. In my main application cxf.xml I
> removed the line
>
> <p:engine enabled="true" ignoreUnknownAssertions="false"/>
>
> and now I do not get the NPE. Weird.
>
> However, I do not think the policy engine is reading my policy file because
> the policy still isn't being enforced. Any ideas?
>
> Thanks.
>
> On Mon, Jun 29, 2009 at 12:12 PM, Daniel Kulp <[email protected]> wrote:
> > Well, with 2.2.x, the policy engine is turned on by default. Thus, any
> > config related to turning that on should not be needed. I've updated
> > that wiki page.
> >
> > <p:externalAttachment location="classpath:/policies.xml"/>
> >
> > should work however. Any chance you could package up a small sample
> > that shows the NPE or similar and attach to that JIRA?
> >
> > Thanks!
> > Dan
> >
> > On Mon June 29 2009 11:05:27 am Anthony Davidson wrote:
> > > Hello,
> > >
> > > I am using CXF 2.2.2 and I am trying to implement a policy that
> > > requires transport-level security for securing messages. I followed the
> > > instructions for enabling and configuring the policy engine (
> > > http://cwiki.apache.org/CXF20DOC/wspconfiguration.html). The contents
> > > of my cxf.xml are included below along with my policy expression, which
> > > is contained in a separate file called policies.xml. When I ran my code
> > > I got an error shown in the stacktrace below. I did some searching
> > > online and found a currently open bug describing the same problem (
> > > https://issues.apache.org/jira/browse/CXF-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ).
> > >
> > > I tried the workaround given in the bug and it got rid of the
> > > NullPointerException, however, the policy now isn't being enforced.
> > > Does anyone have any ideas on how I can have CXF enforce
> > > transport-level security?
> > >
> > > Thanks.
> > >
> > >
> > >
> > > cxf.xml
> > > ======
> > > <?xml version="1.0" encoding="UTF-8" ?>
> > > <beans xmlns="http://www.springframework.org/schema/beans"
> > > xmlns:p="http://cxf.apache.org/policy"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >
> > > xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
> > >
> > > xmlns:cxf="http://cxf.apache.org/core"
> > > xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > xsi:schemaLocation="
> > > http://cxf.apache.org/transports/http/configuration
> > > http://cxf.apache.org/schemas/configuration/http-conf.xsd
> > > http://cxf.apache.org/policy
> > > http://cxf.apache.org/schemas/policy.xsd
> > > http://www.springframework.org/schema/beans
> > > http://www.springframework.org/schema/beans/spring-beans.xsd
> > > http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">
> > > <!-- This causes NPE in PolicyEngineImpl -->
> > > <!--
> > > <p:engine enabled="true" ignoreUnknownAssertions="false"/>
> > > <p:externalAttachment location="classpath:/policies.xml"/>
> > > -->
> > > <bean class="org.apache.cxf.ws.policy.attachment.external.ExternalAttachmentProvider">
> > > <constructor-arg ref="cxf"/>
> > > <property name="location" value="classpath:/policies.xml"/>
> > > </bean>
> > > <bean id="org.apache.cxf.ws.policy.PolicyEngine"
> > > class="org.apache.cxf.ws.policy.spring.InitializingPolicyEngine">
> > > <property name="bus" ref="cxf"/>
> > > <property name="enabled" value="true"/>
> > > </bean>
> > > </beans>
> > >
> > >
> > >
> > > policies.xml
> > > =========
> > > <?xml version="1.0" encoding="UTF-8" ?>
> > > <attachments xmlns:wsp="http://www.w3.org/ns/ws-policy"
> > > xmlns:wsa="http://www.w3.org/2005/08/addressing"
> > > xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > > <wsp:PolicyAttachment>
> > > <wsp:AppliesTo>
> > > <wsa:EndpointReference>
> > > <wsa:Address>xs:anyURI</wsa:Address>
> > > </wsa:EndpointReference>
> > > </wsp:AppliesTo>
> > > <wsp:Policy>
> > > <sp:TransportBinding>
> > > <wsp:Policy>
> > > <sp:TransportToken>
> > > <wsp:Policy>
> > > <sp:HttpsToken>
> > > <wsp:Policy/>
> > > </sp:HttpsToken>
> > > </wsp:Policy>
> > > </sp:TransportToken>
> > > </wsp:Policy>
> > > </sp:TransportBinding>
> > > </wsp:Policy>
> > > </wsp:PolicyAttachment>
> > > </attachments>
> > >
> > > Stacktrace
> > > ========
> > >
> > > java.lang.NullPointerException
> > > org.apache.cxf.ws.policy.PolicyEngineImpl.supportsAlternative(PolicyEngineImpl.java:499)
> > > org.apache.cxf.ws.policy.EndpointPolicyImpl.getSupportedAlternatives(EndpointPolicyImpl.java:166)
> > > org.apache.cxf.ws.policy.EndpointPolicyImpl.chooseAlternative(EndpointPolicyImpl.java:153)
> > > org.apache.cxf.ws.policy.EndpointPolicyImpl.finalizeConfig(EndpointPolicyImpl.java:137)
> > > org.apache.cxf.ws.policy.EndpointPolicyImpl.initialize(EndpointPolicyImpl.java:133)
> > > org.apache.cxf.ws.policy.PolicyEngineImpl.createEndpointPolicyInfo(PolicyEngineImpl.java:482)
> > > org.apache.cxf.ws.policy.PolicyEngineImpl.getEndpointPolicy(PolicyEngineImpl.java:229)
> > > org.apache.cxf.ws.policy.PolicyEngineImpl.getServerEndpointPolicy(PolicyEngineImpl.java:217)
> > > org.apache.cxf.transport.http.policy.PolicyUtils.getServer(PolicyUtils.java:180)
> > > org.apache.cxf.transport.http.AbstractHTTPDestination.initConfig(AbstractHTTPDestination.java:398)
> > > org.apache.cxf.transport.http.AbstractHTTPDestination.<init>(AbstractHTTPDestination.java:119)
> > > org.apache.cxf.transport.servlet.ServletDestination.<init>(ServletDestination.java:66)
> > > org.apache.cxf.transport.servlet.ServletTransportFactory.getDestination(ServletTransportFactory.java:102)
> > > org.apache.cxf.endpoint.ServerImpl.initDestination(ServerImpl.java:90)
> > > org.apache.cxf.endpoint.ServerImpl.<init>(ServerImpl.java:69)
> > > org.apache.cxf.frontend.ServerFactoryBean.create(ServerFactoryBean.java:118)
> > > org.apache.cxf.jaxws.JaxWsServerFactoryBean.create(JaxWsServerFactoryBean.java:167)
> > > org.apache.cxf.jaxws.EndpointImpl.getServer(EndpointImpl.java:346)
> > > org.apache.cxf.jaxws.EndpointImpl.doPublish(EndpointImpl.java:259)
> > > org.apache.cxf.jaxws.EndpointImpl.publish(EndpointImpl.java:209)
> > > org.apache.cxf.jaxws.EndpointImpl.publish(EndpointImpl.java:404)
> > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > > java.lang.reflect.Method.invoke(Method.java:597)
> > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1413)
> > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1374)
> > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1334)
> > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473)
> > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
> > > java.security.AccessController.doPrivileged(Native Method)
> > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
> > > org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
> > > org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:221)
> > > org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
> > > org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
> > > org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
> > > org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429)
> > > org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:729)
> > > org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:381)
> > > org.apache.cxf.transport.servlet.CXFServlet.loadAdditionalConfig(CXFServlet.java:166)
> > > org.apache.cxf.transport.servlet.CXFServlet.updateContext(CXFServlet.java:134)
> > > org.apache.cxf.transport.servlet.CXFServlet.loadSpringBus(CXFServlet.java:101)
> > > org.apache.cxf.transport.servlet.CXFServlet.loadBus(CXFServlet.java:70)
> > > org.apache.cxf.transport.servlet.AbstractCXFServlet.init(AbstractCXFServlet.java:79)
> > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> > > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> > > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
> > > org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
> > > org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> > > org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
> > > org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
> > > java.lang.Thread.run(Thread.java:619)
> >
> > --
> > Daniel Kulp
> > [email protected]
> > http://www.dankulp.com/blog
--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
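
The matching rule discussed at the top of this thread, as an added example (not part of any message in the thread and not CXF's own code): it applies the same exact-string comparison to the wsa:Address from the quoted policies.xml and lists the endpoints that no attachment matches, which is how the HttpsToken policy ends up unattached without any error. The class name, helper methods and endpoint addresses are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;

public class AppliesToCheck {
    static final String WSA = "http://www.w3.org/2005/08/addressing";

    // Same rule as the appliesTo() quoted in the thread: exact string equality.
    static boolean appliesTo(String eprAddress, String endpointAddress) {
        return eprAddress.equals(endpointAddress);
    }

    // Collect every wsa:Address value found in an attachment document.
    static List<String> attachmentAddresses(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the policy file cannot pull in entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(WSA, "Address");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(nodes.item(i).getTextContent().trim());
        }
        return out;
    }

    // Endpoints that no attachment matches, i.e. endpoints left without the policy.
    static List<String> uncovered(List<String> eprs, List<String> endpoints) {
        List<String> out = new ArrayList<>();
        for (String ep : endpoints) {
            if (eprs.stream().noneMatch(a -> appliesTo(a, ep))) out.add(ep);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the AppliesTo part of the policies.xml from the thread.
        String xml = "<attachments xmlns:wsa='" + WSA + "'><wsa:EndpointReference>"
            + "<wsa:Address>xs:anyURI</wsa:Address></wsa:EndpointReference></attachments>";
        // Constructed endpoint addresses (assumptions, not taken from the thread).
        List<String> endpoints = List.of("/GreeterService", "https://localhost:8443/app/GreeterService");
        List<String> eprs = attachmentAddresses(xml);
        System.out.println("attachment addresses: " + eprs);
        System.out.println("endpoints with no policy attached: " + uncovered(eprs, endpoints));
    }
}
```

With the literal address xs:anyURI, both constructed endpoints are reported as uncovered; an empty second list is the result to look for before relying on an external attachment for transport security.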