Hmm... it definitely should be asserted. Is there any way you can run this in a debugger? If you could put a break point on line 174 of HttpsTokenInterceptorProvider, that would be a big help. At that point, I'd like to see the contents of TLSSessionInfo and make sure the certs are correct in there. The other place to breakpoint is line 550 of SSLUtils where the SSL certs and stuff are pulled from the request. If you can check that the correct information is pulled from there, that would also be a big help.
Dan

On Tue August 18 2009 1:06:23 pm Stephen Langella wrote:
> I am trying to configure my service to use WS SecurityPolicy for
> specifying a transport binding policy for HTTPS. I have added a
> TransportBinding policy to my WSDL and created a transport binding
> policy and bound it to an endpoint policy subject. At first I
> configured the server (through the WS-SecurityPolicy in the WSDL) to
> not require the client to provide a certificate. This worked fine.
> Second, I changed the server to require a client certificate
> (<sp:HttpsToken RequireClientCertificate="true"/>). In testing this
> I tried my client without providing a certificate and it still
> worked. This seems to suggest that either the WS-SecurityPolicy is
> not being applied or that CXF is not enforcing that a client
> certificate be provided. Any ideas what I might be doing wrong?
> Below I have provided my WSDL for reference, thanks in advance.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsdl:definitions name="HelloWorld"
>     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>     xmlns:tns="http://www.cagrid.org/HelloWorld"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd "
>     targetNamespace="http://www.cagrid.org/HelloWorld">
>   <wsdl:types>
>     <xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
>       <xsd:element name="SayHelloRequest" type="xsd:string" />
>       <xsd:element name="SayHelloResponse" type="xsd:string" />
>     </xsd:schema>
>   </wsdl:types>
>   <wsdl:message name="SayHelloRequest">
>     <wsdl:part element="tns:SayHelloRequest" name="parameters" />
>   </wsdl:message>
>   <wsdl:message name="SayHelloResponse">
>     <wsdl:part element="tns:SayHelloResponse" name="parameters" />
>   </wsdl:message>
>   <wsdl:portType name="HelloWorld">
>     <wsdl:operation name="SayHello">
>       <wsdl:input message="tns:SayHelloRequest"
>           name="sayHelloRequest" />
>       <wsdl:output message="tns:SayHelloResponse"
>           name="sayHelloResponse" />
>     </wsdl:operation>
>   </wsdl:portType>
>   <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
>     <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
>     <soap:binding style="document"
>         transport="http://schemas.xmlsoap.org/soap/http" />
>     <wsdl:operation name="SayHello">
>       <soap:operation soapAction="" style="document" />
>       <wsdl:input name="sayHelloRequest">
>         <soap:body use="literal" />
>       </wsdl:input>
>       <wsdl:output name="sayHelloResponse">
>         <soap:body use="literal" />
>       </wsdl:output>
>     </wsdl:operation>
>   </wsdl:binding>
>   <wsdl:service name="HelloWorldService">
>     <wsdl:port name="HelloWorldPort"
>         binding="tns:HelloWorldBinding">
>       <soap:address location="https://llanowar:9001/HelloWorldService
> " />
>     </wsdl:port>
>   </wsdl:service>
>
>   <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:TransportBinding
>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy ">
>           <wsp:Policy>
>             <sp:TransportToken>
>               <wsp:Policy>
>                 <sp:HttpsToken
>                     RequireClientCertificate="true" />
>               </wsp:Policy>
>             </sp:TransportToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Lax />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>           </wsp:Policy>
>         </sp:TransportBinding>
>         <sp:Wss10
>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy ">
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>           </wsp:Policy>
>         </sp:Wss10>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> </wsdl:definitions>
>
>
> --Steve
>
> Stephen Langella
> Co-Founder
> Inventrio, LLC
> www.inventrio.com
>
> [email protected]

-- 
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
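
A static check for the first half of the question in the quoted message (whether the policy is attached to the binding at all), as an added example that is not part of the thread or of CXF: it resolves each binding's wsp:PolicyReference and reports what the referenced HttpsToken assertion says. The function name, the finding labels and the SAMPLE document are constructed for illustration; the check reads only the WSDL and says nothing about what the server enforces at runtime.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

def https_token_report(wsdl_text):
    """Map each wsdl:binding name to findings about the HttpsToken policy it references."""
    root = ET.fromstring(wsdl_text)
    # Index every wsp:Policy carrying a wsu:Id so "#id" references can be resolved.
    policies = {p.get("{%s}Id" % WSU): p for p in root.iter("{%s}Policy" % WSP)
                if p.get("{%s}Id" % WSU)}
    report = {}
    for binding in root.iter("{%s}binding" % WSDL):
        findings = []
        for ref in binding.findall("{%s}PolicyReference" % WSP):
            uri = ref.get("URI", "")
            policy = policies.get(uri[1:] if uri.startswith("#") else uri)
            if policy is None:
                findings.append(("unresolved-reference", uri))
                continue
            for el in policy.iter():
                ns, local = el.tag[1:].rsplit("}", 1) if el.tag.startswith("{") else ("", el.tag)
                if local != "HttpsToken":
                    continue
                if ns != SP:
                    # XML namespace names are compared as exact strings.
                    findings.append(("unrecognised-namespace", ns))
                else:
                    required = el.get("RequireClientCertificate", "false") in ("true", "1")
                    findings.append(("require-client-cert", required))
        report[binding.get("name")] = findings or [("no-policy-attached", None)]
    return report

# Constructed sample: three bindings, not the WSDL from the message above.
SAMPLE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsdl:binding name="Good"><wsp:PolicyReference URI="#P1"/></wsdl:binding>
  <wsdl:binding name="Padded"><wsp:PolicyReference URI="#P2"/></wsdl:binding>
  <wsdl:binding name="Bare"/>
  <wsp:Policy wsu:Id="P1"><sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
    <sp:HttpsToken RequireClientCertificate="true"/>
  </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding></wsp:Policy>
  <wsp:Policy wsu:Id="P2"><x:HttpsToken RequireClientCertificate="true"
    xmlns:x="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy "/></wsp:Policy>
</wsdl:definitions>"""
```
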
