Re: AW: WS-SecurityPolicy, UsernamePassword example

Mon, 19 Oct 2009 09:22:39 -0700 

Oliver:

https://issues.apache.org/jira/browse/CXF-2479
https://issues.apache.org/jira/browse/CXF-2480

I'm testing fixes for both now.  Should have them committed by the end  of the 
day.

Dan



On Mon October 19 2009 11:33:45 am Daniel Kulp wrote:
> Oliver,
> 
> On Mon October 19 2009 10:36:30 am Oliver Wulff wrote:
> > Hi there
> >
> > Here are some more information how to reproduce the three issues:
> >
> > Issue 1)
> > i) mvn -Pserver
> > ii) mvn -Psecure.client
> 
> This looks like a potentially over-aggressive optimization on our part.  
>  Need to dig in more, but it looks like if there ISN'T a security header at
>  all in the response, we just skip processing entirely, which in this case
>  shouldn't be done.  Will dig in a bit more shortly.
> 
> > Issue 2)
> > i) comment out the two dependencies in the pom.xml:
> >        <dependency>
> >             <groupId>org.apache.cxf</groupId>
> >             <artifactId>cxf-rt-ws-security</artifactId>
> >             <version>${cxf.version}</version>
> >         </dependency>
> >         <dependency>
> >             <groupId>org.apache.cxf</groupId>
> >             <artifactId>cxf-rt-ws-policy</artifactId>
> >             <version>${cxf.version}</version>
> >         </dependency>
> > ii) mvn -Pserver
> > iii) mvn -Psecure.client
> >
> > You see first on the client side that username/password (WS-Sec
> >  UsernameToken profile) is not added to the request:
> 
> If you comment out those deps, there isn't any policy engine or anything
> installed into the CXF runtime.   Thus, any policies in the wsdl are
> completely ignored.    This is pretty much expected and as designed.
> 
> > Issue 3)
> > i) remove the attribute IncludeToken in the wsdl wsdl\hello_world.wsdl:
> > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/Inc
> >lu deToken/Always" ii) mvn -Pserver
> >
> > The server throws the following exception during startup:
> >
> > [INFO] Caused by: java.lang.RuntimeException: Incorrect inclusion value:
> >  null [INFO]  at
> > 
> > org.apache.cxf.ws.security.policy.model.Token.setInclusion(Token.java:63)
> >
> > IMHO, the bug is here:
> > String attribute = element.getAttributeNS(element.getNamespaceURI(),
> >  SPConstants.ATTR_INCLUDE_TOKEN); The method "getAttributeNS" shouldn't
> >  return an empty string.
> 
> This is definitely a bug.  If getAttributeNS returns null, we definitely
> should be setting it to the correct default value. (../Always)
> 

-- 
Daniel Kulp
[email protected]
http://www.dankulp.com/blog

Reply via email to