Hi all,
I'm having big trouble trying to implement an application having multiple
services, each with a different mechanism.
More precisely, I've one service exposed through three endpoints with
different policies. The first one is the service with no security at all.
The second one has encryption, and the third one works with
WS-SecureConversation.
I'm able to make all parts work separately, but I miserably fail at having
both the SecureConversation endpoint and the encryption endpoint working at
the same time. I think it's only a configuration problem, but I'm not able to
resolve it.
The configuration is made in a beans.xml referenced from web.xml
(contextConfigLocation).
I've tried different configurations after looking at different posts
(essentially [1] and [2] are close to my problems). The problem is the same
with cxf 2.4 or 2.3.3 (well, I've reproduced it a lot with 2.3.3, check full
stacktrace below) : as soon as I import cxf-extension-policy.xml and
cxf-extension-ws-security.xml, it breaks the regular WS-Security confs by
throwing "These policy alternatives can not be satisfied" exception. On the
contrary, if I don't have them, the SecureConversation cannot work.
Then, I'm not able to host at the same time services configured for
SecureConversation or Encryption (Encryption can be replaced by Signature or
sign_enc), whereas it works correctly if I only want SecureConversation or
only Encryption.
Does anyone have ideas?
Thanks
Gabriel
Below :
1 - the problem with imports commented with what is working in which
situation
2 - beans.xml
3 - stacktrace when secureconversation fails because of missing imports
4 - stacktrace when encryption fails because of too many imports
5 - other messages related to my problem
#################################### 1 #############################################
<import resource="classpath:META-INF/cxf/cxf-all.xml" />
<!-- the two following lines make secure conversation working,
     but break other security mechanisms for other endpoints!
     Exception in this case is then : Caused by:
     org.apache.cxf.binding.soap.SoapFault: These policy alternatives can not be satisfied:
     {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
     {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken
     {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
     {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
     {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
     {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
     {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts -->
<import resource="classpath:META-INF/cxf/cxf-extension-policy.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-ws-security.xml" />
For the full bean configuration :
#################################### 2 #############################################
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

  <import resource="classpath:META-INF/cxf/cxf-all.xml" />
  <!-- the two following lines make secure conversation working,
       but break other security mechanisms for other endpoints!
       Exception in this case is then : Caused by:
       org.apache.cxf.binding.soap.SoapFault: These policy alternatives can not be satisfied:
       {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
       {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken
       {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
       {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
       {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
       {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
       {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
  <import resource="classpath:META-INF/cxf/cxf-extension-policy.xml" />
  <import resource="classpath:META-INF/cxf/cxf-extension-ws-security.xml" />
  -->

  <jaxws:endpoint xmlns:tns="http://localhost/customer/"
                  id="CustomerService"
                  implementor="webservices.CustomerService"
                  wsdlLocation="wsdl/CustomerService.wsdl"
                  endpointName="tns:CustomerServicePort"
                  serviceName="tns:CustomerService"
                  address="/CustomerServicePort">
    <jaxws:features>
      <bean class="server.timer.NewFeature" />
    </jaxws:features>
  </jaxws:endpoint>

  <jaxws:endpoint xmlns:tns="http://localhost/customer/"
                  id="CustomerServiceEncrypt"
                  implementor="webservices.CustomerService"
                  wsdlLocation="wsdl/CustomerService_Encrypt.wsdl"
                  endpointName="tns:CustomerServicePort"
                  serviceName="tns:CustomerService"
                  address="/CustomerServiceEncryptPort">
    <jaxws:inInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
            id="CustomerServiceEncrypt_Response">
        <constructor-arg>
          <map>
            <entry key="action" value="Encrypt" />
            <entry key="passwordType" value="PasswordDigest" />
            <entry key="passwordCallbackClass" value="server.ServerPasswordCallback" />
            <entry key="decryptionPropFile" value="etc/Server_Decrypt.properties" />
            <entry key="encryptionKeyIdentifier" value="IssuerSerial" />
          </map>
        </constructor-arg>
      </bean>
    </jaxws:inInterceptors>
    <jaxws:outInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
            id="CustomerServiceEncrypt_Request">
        <constructor-arg>
          <map>
            <entry key="action" value="Timestamp Encrypt" />
            <entry key="passwordType" value="PasswordText" />
            <entry key="user" value="serverx509v1" />
            <entry key="passwordCallbackClass" value="server.ServerPasswordCallback" />
            <entry key="encryptionUser" value="clientx509v1" />
            <entry key="encryptionPropFile" value="etc/Server_SignVerf.properties" />
            <entry key="encryptionKeyIdentifier" value="IssuerSerial" />
            <entry key="encryptionParts"
                   value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
          </map>
        </constructor-arg>
      </bean>
    </jaxws:outInterceptors>
    <jaxws:features>
      <bean class="server.timer.NewFeature" />
    </jaxws:features>
  </jaxws:endpoint>

  <jaxws:endpoint xmlns:tns="http://localhost/customer/"
                  id="CustomerServiceSecureConversation"
                  implementor="webservices.CustomerService"
                  wsdlLocation="wsdl/CustomerServiceSecureConversation.wsdl"
                  endpointName="tns:CustomerServicePort"
                  serviceName="tns:CustomerService"
                  address="/CustomerServiceSecureConversationPort">
    <jaxws:properties>
      <entry key="ws-security.signature.properties.sct" value="etc/Server_Decrypt.properties"/>
      <entry key="ws-security.encryption.properties.sct" value="etc/Server_SignVerf.properties"/>
      <entry key="ws-security.signature.username.sct" value="serverx509v1"/>
      <entry key="ws-security.encryption.username.sct" value="useReqSigCert"/>
      <entry key="ws-security.callback-handler.sct" value="server.ServerPasswordCallback"/>
    </jaxws:properties>
    <jaxws:features>
      <bean class="org.apache.cxf.feature.LoggingFeature" />
      <bean class="server.timer.NewFeature" />
    </jaxws:features>
  </jaxws:endpoint>
</beans>
#################################### 3 #############################################
#Exception when encryption endpoint has been called first (thus working and
configured correctly) then at the first secureconversation endpoint call :
19 mai 2011 19:38:08 org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
ATTENTION: Interceptor for {http://localhost/customer/}CustomerService has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.
    at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
    at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
    at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
    at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:97)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:461)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
    at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
#################################### 4 #############################################
#Exception with cxf 2.3.3 when secureconversation endpoint has been called
first (then configured properly) then at the first encryption endpoint call :
19 mai 2011 19:42:37 org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
ATTENTION: Interceptor for {http://localhost/customer/}CustomerService#{http://localhost/customer/}getCustomer has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
    at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
    at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:97)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:461)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
    at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
    at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:140)
    at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:99)
    at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
    ... 26 more
#################################### 5 #############################################
[1] http://cxf.547215.n5.nabble.com/quot-MustUnderstand-headers-quot-td548769.html
[2] http://cxf.547215.n5.nabble.com/None-of-the-policy-alternatives-can-be-satisfied-td4346996.html
--
View this message in context:
http://cxf.547215.n5.nabble.com/These-policy-alternatives-can-not-be-satisfied-for-multiple-endpoints-and-security-tp4410427p4410427.html
Sent from the cxf-user mailing list archive at Nabble.com.
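
A small audit for a beans.xml like the one in this message, added here as an example (it is not part of the original post or of CXF): it reports whether the policy imports are active, whether each jaxws:endpoint is secured through explicit WSS4J interceptors or through ws-security.* properties, and which endpoints declare the same serviceName/endpointName pair. The function name `audit` and the cut-down `SAMPLE` configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

JAXWS = "{http://cxf.apache.org/jaxws}"
BEANS = "{http://www.springframework.org/schema/beans}"
POLICY_IMPORTS = ("cxf-extension-policy.xml", "cxf-extension-ws-security.xml")

# Constructed sample: a cut-down beans.xml shaped like the one in the post.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:tns="http://localhost/customer/">
  <import resource="classpath:META-INF/cxf/cxf-all.xml"/>
  <import resource="classpath:META-INF/cxf/cxf-extension-policy.xml"/>
  <jaxws:endpoint id="CustomerServiceEncrypt"
      endpointName="tns:CustomerServicePort" serviceName="tns:CustomerService">
    <jaxws:inInterceptors>
      <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"/>
    </jaxws:inInterceptors>
  </jaxws:endpoint>
  <jaxws:endpoint id="CustomerServiceSecureConversation"
      endpointName="tns:CustomerServicePort" serviceName="tns:CustomerService">
    <jaxws:properties>
      <entry key="ws-security.callback-handler.sct" value="server.ServerPasswordCallback"/>
    </jaxws:properties>
  </jaxws:endpoint>
</beans>"""

def audit(beans_xml):
    root = ET.fromstring(beans_xml)
    # Commented-out <import> elements are dropped by the parser: only active ones count.
    active = [i.get("resource", "") for i in root.iter(BEANS + "import")]
    endpoints, by_qname = {}, {}
    for ep in root.iter(JAXWS + "endpoint"):
        styles = set()
        if any(".wss4j.WSS4J" in b.get("class", "") for b in ep.iter(BEANS + "bean")):
            styles.add("explicit-wss4j-interceptors")
        if any(e.get("key", "").startswith("ws-security.") for e in ep.iter(BEANS + "entry")):
            styles.add("ws-security-properties")
        endpoints[ep.get("id")] = sorted(styles) or ["none"]
        # Assumption: QNames are compared as written; the tns prefix is not resolved.
        qname = (ep.get("serviceName"), ep.get("endpointName"))
        by_qname.setdefault(qname, []).append(ep.get("id"))
    return {
        "policy_imports_active": any(r.endswith(POLICY_IMPORTS) for r in active),
        "endpoints": endpoints,
        "shared_qnames": {q: ids for q, ids in by_qname.items() if len(ids) > 1},
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, "=>", value)
```

Running it against the real file before and after toggling the two imports shows which endpoints change behaviour with the policy imports and which are configured in the other style.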