Dan, thanks for the feedback... >>> If you comment out those deps, there isn't any policy engine or anything installed into the CXF runtime. Thus, any policies in the wsdl are completely ignored. This is pretty much expected and as designed. >>> I think it would make sense to either ignore it or abort if something unknown is defined. The drawback is that an invalid deployment results into an unprotected web service. Thanks Oliver
________________________________ Von: Daniel Kulp [mailto:[email protected]] Gesendet: Mo 19.10.2009 17:33 An: [email protected] Cc: Oliver Wulff Betreff: Re: AW: WS-SecurityPolicy, UsernamePassword example Oliver, On Mon October 19 2009 10:36:30 am Oliver Wulff wrote: > Hi there > > Here are some more information how to reproduce the three issues: > > Issue 1) > i) mvn -Pserver > ii) mvn -Psecure.client This looks like a potentially over-aggressive optimization on our part. Need to dig in more, but it looks like if there ISN'T a security header at all in the response, we just skip processing entirely, which in this case shouldn't be done. Will dig in a bit more shortly. > Issue 2) > i) comment out the two dependencies in the pom.xml: > <dependency> > <groupId>org.apache.cxf</groupId> > <artifactId>cxf-rt-ws-security</artifactId> > <version>${cxf.version}</version> > </dependency> > <dependency> > <groupId>org.apache.cxf</groupId> > <artifactId>cxf-rt-ws-policy</artifactId> > <version>${cxf.version}</version> > </dependency> > ii) mvn -Pserver > iii) mvn -Psecure.client > > You see first on the client side that username/password (WS-Sec > UsernameToken profile) is not added to the request: If you comment out those deps, there isn't any policy engine or anything installed into the CXF runtime. Thus, any policies in the wsdl are completely ignored. This is pretty much expected and as designed. > Issue 3) > i) remove the attribute IncludeToken in the wsdl wsdl\hello_world.wsdl: > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/Inclu > deToken/Always" ii) mvn -Pserver > > The server throws the following exception during startup: > > [INFO] Caused by: java.lang.RuntimeException: Incorrect inclusion value: > null [INFO] at > org.apache.cxf.ws.security.policy.model.Token.setInclusion(Token.java:63) > > IMHO, the bug is here: > String attribute = element.getAttributeNS(element.getNamespaceURI(), > SPConstants.ATTR_INCLUDE_TOKEN); The method "getAttributeNS" shouldn't > return an empty string. This is definitely a bug. If getAttributeNS returns null, we definitely should be setting it to the correct default value. (../Always) -- Daniel Kulp [email protected] http://www.dankulp.com/blog
