I tried switching to the URI for a specific endpoint and the policies still
seem to be ignored. I looked at the documentation again and I saw something
that said that CXF only supports Assertion implementation for the following
Assertion types:


{http://schemas.xmlsoap.org/ws/2005/02/rm/policy}RMAssertion
{http://www.w3.org/2007/01/addressing/metadata}Addressing
{http://www.w3.org/2007/01/addressing/metadata}AnonymousResponses
{http://www.w3.org/2007/01/addressing/metadata}NonAnonymousResponses
{http://cxf.apache.org/transports/http/configuration}client
{http://cxf.apache.org/transports/http/configuration}server

This seems to suggest that CXF does not currently support what I'm trying to
do, enforce a transport level security policy. Correct? I looked at the
2.2.2 source code and I see Assertion implementations for the TransportToken
and HttpsToken so I'm thinking that what I'm trying to do is supported. Can
you clarify?

Thanks.

On Mon, Jun 29, 2009 at 5:15 PM, Daniel Kulp <[email protected]> wrote:

>
> I believe this is a deficiency in the "appliesTo" handling for the EPR stuff.
> Looking at the code, I see:
>
>    public boolean appliesTo(EndpointInfo ei) {
>        return epr.getAddress().getValue().equals(ei.getAddress());
>    }
>
> Thus, it will only match on an exact string compare of the URL. Your policy
> has xsd:anyUri which doesn't match exactly. I'd need to dig in to specs
> more to figure out what is allowed.
>
> Dan
>
>
>
> On Mon June 29 2009 2:05:34 pm Anthony Davidson wrote:
> > Daniel,
> >
> > Thanks for responding.
> >
> > I put together a small application based on one of the sample applications
> > but I was not able to reproduce the NPE. In my main application cxf.xml I
> > removed the line
> >
> > <p:engine enabled="true" ignoreUnknownAssertions="false"/>
> >
> > and now I do not get the NPE. Weird.
> >
> > However, I do not think the policy engine is reading my policy file because
> > the policy still isn't being enforced. Any ideas?
> >
> > Thanks.
> >
> > On Mon, Jun 29, 2009 at 12:12 PM, Daniel Kulp <[email protected]> wrote:
> > > Well, with 2.2.x, the policy engine is turned on by default. Thus, any
> > > config related to turning that on should not be needed. I've updated that
> > > wiki page.
> > >
> > >  <p:externalAttachment location="classpath:/policies.xml"/>
> > >
> > > should work however. Any chance you could package up a small sample
> > > that shows the NPE or similar and attach to that JIRA?
> > >
> > > Thanks!
> > > Dan
> > >
> > > On Mon June 29 2009 11:05:27 am Anthony Davidson wrote:
> > > > Hello,
> > > >
> > > > I am using CXF 2.2.2 and I am trying to implement a policy that
> > > > requires transport-level security for securing messages. I followed the
> > > > instructions for enabling and configuring the policy engine (
> > > > http://cwiki.apache.org/CXF20DOC/wspconfiguration.html). The contents of my
> > > > cxf.xml are included below along with my policy expression, which is
> > > > contained in a separate file called policies.xml. When I ran my code I got
> > > > an error shown in the stacktrace below. I did some searching online and
> > > > found a currently open bug describing the same problem (
> > > > https://issues.apache.org/jira/browse/CXF-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ).
> > > >
> > > > I tried the workaround given in the bug and it got rid of the
> > > > NullPointerException, however, the policy now isn't being enforced.
> > > > Does anyone have any ideas on how I can have CXF enforce
> > > > transport-level security?
> > > >
> > > > Thanks.
> > > >
> > > >
> > > >
> > > > cxf.xml
> > > > ======
> > > > <?xml version="1.0" encoding="UTF-8" ?>
> > > > <beans xmlns="http://www.springframework.org/schema/beans"
> > > >        xmlns:p="http://cxf.apache.org/policy"
> > > >        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > >        xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
> > > >        xmlns:cxf="http://cxf.apache.org/core"
> > > >        xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > >        xsi:schemaLocation="
> > > >            http://cxf.apache.org/transports/http/configuration
> > > >            http://cxf.apache.org/schemas/configuration/http-conf.xsd
> > > >            http://cxf.apache.org/policy
> > > >            http://cxf.apache.org/schemas/policy.xsd
> > > >            http://www.springframework.org/schema/beans
> > > >            http://www.springframework.org/schema/beans/spring-beans.xsd
> > > >            http://cxf.apache.org/core
> > > >            http://cxf.apache.org/schemas/core.xsd">
> > > >     <!-- This causes NPE in PolicyEngineImpl -->
> > > >     <!--
> > > >     <p:engine enabled="true" ignoreUnknownAssertions="false"/>
> > > >     <p:externalAttachment location="classpath:/policies.xml"/>
> > > >     -->
> > > >     <bean class="org.apache.cxf.ws.policy.attachment.external.ExternalAttachmentProvider">
> > > >         <constructor-arg ref="cxf"/>
> > > >         <property name="location" value="classpath:/policies.xml"/>
> > > >     </bean>
> > > >     <bean id="org.apache.cxf.ws.policy.PolicyEngine"
> > > >           class="org.apache.cxf.ws.policy.spring.InitializingPolicyEngine">
> > > >         <property name="bus" ref="cxf"/>
> > > >         <property name="enabled" value="true"/>
> > > >     </bean>
> > > > </beans>
> > > >
> > > >
> > > >
> > > > policies.xml
> > > > =========
> > > > <?xml version="1.0" encoding="UTF-8" ?>
> > > > <attachments xmlns:wsp="http://www.w3.org/ns/ws-policy"
> > > >     xmlns:wsa="http://www.w3.org/2005/08/addressing"
> > > >     xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > >     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > > >     <wsp:PolicyAttachment>
> > > >         <wsp:AppliesTo>
> > > >             <wsa:EndpointReference>
> > > >                 <wsa:Address>xs:anyURI</wsa:Address>
> > > >             </wsa:EndpointReference>
> > > >         </wsp:AppliesTo>
> > > >         <wsp:Policy>
> > > >             <sp:TransportBinding>
> > > >                 <wsp:Policy>
> > > >                     <sp:TransportToken>
> > > >                         <wsp:Policy>
> > > >                             <sp:HttpsToken>
> > > >                                 <wsp:Policy/>
> > > >                             </sp:HttpsToken>
> > > >                         </wsp:Policy>
> > > >                     </sp:TransportToken>
> > > >                 </wsp:Policy>
> > > >             </sp:TransportBinding>
> > > >         </wsp:Policy>
> > > >     </wsp:PolicyAttachment>
> > > > </attachments>
> > > >
> > > > Stacktrace
> > > > ========
> > > >
> > > > java.lang.NullPointerException
> > > > org.apache.cxf.ws.policy.PolicyEngineImpl.supportsAlternative(PolicyEngineImpl.java:499)
> > > > org.apache.cxf.ws.policy.EndpointPolicyImpl.getSupportedAlternatives(EndpointPolicyImpl.java:166)
> > > > org.apache.cxf.ws.policy.EndpointPolicyImpl.chooseAlternative(EndpointPolicyImpl.java:153)
> > > > org.apache.cxf.ws.policy.EndpointPolicyImpl.finalizeConfig(EndpointPolicyImpl.java:137)
> > > > org.apache.cxf.ws.policy.EndpointPolicyImpl.initialize(EndpointPolicyImpl.java:133)
> > > > org.apache.cxf.ws.policy.PolicyEngineImpl.createEndpointPolicyInfo(PolicyEngineImpl.java:482)
> > > > org.apache.cxf.ws.policy.PolicyEngineImpl.getEndpointPolicy(PolicyEngineImpl.java:229)
> > > > org.apache.cxf.ws.policy.PolicyEngineImpl.getServerEndpointPolicy(PolicyEngineImpl.java:217)
> > > > org.apache.cxf.transport.http.policy.PolicyUtils.getServer(PolicyUtils.java:180)
> > > > org.apache.cxf.transport.http.AbstractHTTPDestination.initConfig(AbstractHTTPDestination.java:398)
> > > > org.apache.cxf.transport.http.AbstractHTTPDestination.<init>(AbstractHTTPDestination.java:119)
> > > > org.apache.cxf.transport.servlet.ServletDestination.<init>(ServletDestination.java:66)
> > > > org.apache.cxf.transport.servlet.ServletTransportFactory.getDestination(ServletTransportFactory.java:102)
> > > > org.apache.cxf.endpoint.ServerImpl.initDestination(ServerImpl.java:90)
> > > > org.apache.cxf.endpoint.ServerImpl.<init>(ServerImpl.java:69)
> > > > org.apache.cxf.frontend.ServerFactoryBean.create(ServerFactoryBean.java:118)
> > > > org.apache.cxf.jaxws.JaxWsServerFactoryBean.create(JaxWsServerFactoryBean.java:167)
> > > > org.apache.cxf.jaxws.EndpointImpl.getServer(EndpointImpl.java:346)
> > > > org.apache.cxf.jaxws.EndpointImpl.doPublish(EndpointImpl.java:259)
> > > > org.apache.cxf.jaxws.EndpointImpl.publish(EndpointImpl.java:209)
> > > > org.apache.cxf.jaxws.EndpointImpl.publish(EndpointImpl.java:404)
> > > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > > > java.lang.reflect.Method.invoke(Method.java:597)
> > > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1413)
> > > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1374)
> > > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1334)
> > > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473)
> > > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
> > > > java.security.AccessController.doPrivileged(Native Method)
> > > > org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
> > > > org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
> > > > org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:221)
> > > > org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
> > > > org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
> > > > org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
> > > > org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429)
> > > > org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:729)
> > > > org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:381)
> > > > org.apache.cxf.transport.servlet.CXFServlet.loadAdditionalConfig(CXFServlet.java:166)
> > > > org.apache.cxf.transport.servlet.CXFServlet.updateContext(CXFServlet.java:134)
> > > > org.apache.cxf.transport.servlet.CXFServlet.loadSpringBus(CXFServlet.java:101)
> > > > org.apache.cxf.transport.servlet.CXFServlet.loadBus(CXFServlet.java:70)
> > > > org.apache.cxf.transport.servlet.AbstractCXFServlet.init(AbstractCXFServlet.java:79)
> > > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> > > > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> > > > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
> > > > org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
> > > > org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> > > > org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
> > > > org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
> > > > java.lang.Thread.run(Thread.java:619)
> > >
> > > --
> > > Daniel Kulp
> > > [email protected]
> > > http://www.dankulp.com/blog
>
> --
>  Daniel Kulp
> [email protected]
> http://www.dankulp.com/blog
>
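
Added example, not part of the original thread and not CXF code: a stand-alone check that lists every wsa:Address in an external policy attachment file that equals none of the service's endpoint addresses, using the same exact String.equals() comparison as the appliesTo() quoted above. The class name, the second attachment and the endpoint address are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class AttachmentScopeCheck {
    static final String WSA = "http://www.w3.org/2005/08/addressing";

    // Returns the wsa:Address values that equal none of the endpoint addresses,
    // using the same exact String.equals() test as the quoted appliesTo().
    static List<String> unmatched(String policiesXml, List<String> endpointAddresses) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A policy file needs no DTD; refusing DOCTYPE keeps the checker itself safe from XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(policiesXml.getBytes(StandardCharsets.UTF_8)));
        NodeList addrs = doc.getElementsByTagNameNS(WSA, "Address");
        List<String> dead = new ArrayList<>();
        for (int i = 0; i < addrs.getLength(); i++) {
            String value = addrs.item(i).getTextContent(); // no trim: the quoted compare does none
            if (!endpointAddresses.contains(value)) {      // List.contains() uses equals()
                dead.add(value);
            }
        }
        return dead;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the AppliesTo from the thread plus one concrete address.
        String xml = "<attachments xmlns:wsp=\"http://www.w3.org/ns/ws-policy\""
                + " xmlns:wsa=\"" + WSA + "\">"
                + "<wsp:PolicyAttachment><wsp:AppliesTo><wsa:EndpointReference>"
                + "<wsa:Address>xs:anyURI</wsa:Address>"
                + "</wsa:EndpointReference></wsp:AppliesTo><wsp:Policy/></wsp:PolicyAttachment>"
                + "<wsp:PolicyAttachment><wsp:AppliesTo><wsa:EndpointReference>"
                + "<wsa:Address>https://localhost:8443/services/Greeter</wsa:Address>"
                + "</wsa:EndpointReference></wsp:AppliesTo><wsp:Policy/></wsp:PolicyAttachment>"
                + "</attachments>";
        // Constructed endpoint address; in CXF the value compared is EndpointInfo.getAddress().
        List<String> endpoints = List.of("https://localhost:8443/services/Greeter");
        for (String a : unmatched(xml, endpoints)) {
            System.out.println("Attachment never applies, policy not enforced: " + a);
        }
    }
}
```

With the sample input only the literal `xs:anyURI` address is reported, which is the attachment from the thread whose HttpsToken policy never reaches the endpoint.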
