Could you create a test-case that reproduces the problem?

Colm.

On Thu, May 19, 2011 at 6:53 PM, eirmag <[email protected]> wrote:
> Hi all,
>
> I'm having big trouble trying to implement an application having multiple
> services, each with a different mechanism.
>
> More precisely, I've one service exposed through three endpoints with
> different policies. The first one is the service with no security at all.
> The second one has encryption, and the third one works with
> WS-SecureConversation.
>
> I'm able to make all parts work separately, but I miserably fail at having
> both the secureconversation endpoint and the encryption endpoint working at the same
> time. I think it's a configuration problem only, but I'm not able to resolve
> it.
>
> The configuration is made in a beans.xml referenced from web.xml
> (contextConfigLocation).
>
> I've tried different configurations after looking at different posts
> (essentially [1] and [2] are close to my problems). The problem is the same
> with cxf 2.4 or 2.3.3 (well, I've reproduced it a lot with 2.3.3, check full
> stacktrace below): as soon as I import cxf-extension-policy.xml and
> cxf-extension-ws-security.xml, it breaks the regular WS-Security confs by
> throwing "These policy alternatives can not be satisfied" exception. On the
> contrary, if I don't have them, the SecureConversation cannot work.
>
> Then, I'm not able to host at the same time services configured for
> SecureConversation or Encryption (Encryption can be replaced by Signature or
> sign_enc), whereas it works correctly if I only want SecureConversation or
> only Encryption.
>
> Anyone have ideas?
>
> Thanks
> Gabriel
>
> Below:
> 1 - the problem with imports, commented with what is working in which
> situation
> 2 - beans.xml
> 3 - stacktrace when secureconversation fails because of missing imports
> 4 - stacktrace when encryption fails because of too many imports
> 5 - other messages related to my problem
>
>
> #################################### 1
> #############################################
>
>    <import resource="classpath:META-INF/cxf/cxf-all.xml" />
>
>
>
>    <!- -  the two following lines make secure conversation working,
>    but break other security mechanisms for other endpoints!
>    Exception in this case is then : Caused by:
> org.apache.cxf.binding.soap.SoapFault: These policy alternatives can not be
> satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts - - >
>    <import resource="classpath:META-INF/cxf/cxf-extension-policy.xml" />
>    <import resource="classpath:META-INF/cxf/cxf-extension-ws-security.xml"
> />
>
>
> For the full bean configuration :
>
>
> #################################### 2
> #############################################
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:jaxws="http://cxf.apache.org/jaxws"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
>
>
>    <import resource="classpath:META-INF/cxf/cxf-all.xml" />
>
>
>
>    <!- -  the two following lines make secure conversation working,
>    but break other security mechanisms for other endpoints!
>    Exception in this case is then : Caused by:
> org.apache.cxf.binding.soap.SoapFault: These policy alternatives can not be
> satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts - - >
>    <import resource="classpath:META-INF/cxf/cxf-extension-policy.xml" />
>    <import resource="classpath:META-INF/cxf/cxf-extension-ws-security.xml"
> />
>
>      -->
>
>
> <jaxws:endpoint xmlns:tns="http://localhost/customer/" id="CustomerService"
>                implementor="webservices.CustomerService"
> wsdlLocation="wsdl/CustomerService.wsdl"
>                endpointName="tns:CustomerServicePort" 
> serviceName="tns:CustomerService"
>                address="/CustomerServicePort">
>        <jaxws:features>
>            <bean class="server.timer.NewFeature" />
>        </jaxws:features>
>    </jaxws:endpoint>
>
>
>
>
>    <jaxws:endpoint xmlns:tns="http://localhost/customer/"
> id="CustomerServiceEncrypt"
>                implementor="webservices.CustomerService"
> wsdlLocation="wsdl/CustomerService_Encrypt.wsdl"
>                endpointName="tns:CustomerServicePort" 
> serviceName="tns:CustomerService"
>                address="/CustomerServiceEncryptPort">
>        <jaxws:inInterceptors>
>            <bean
> class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
> id="CustomerServiceEncrypt_Response">
>                <constructor-arg>
>                    <map>
>                        <entry key="action" value="Encrypt" />
>                        <entry key="passwordType" value="PasswordDigest" />
>                        <entry key="passwordCallbackClass"
> value="server.ServerPasswordCallback" />
>                        <entry key="decryptionPropFile"
> value="etc/Server_Decrypt.properties" />
>                        <entry key="encryptionKeyIdentifier"
> value="IssuerSerial" />
>                    </map>
>                </constructor-arg>
>            </bean>
>        </jaxws:inInterceptors>
>        <jaxws:outInterceptors>
>            <bean
> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
> id="CustomerServiceEncrypt_Request">
>                <constructor-arg>
>                    <map>
>                        <entry key="action" value="Timestamp Encrypt" />
>                        <entry key="passwordType" value="PasswordText" />
>                        <entry key="user" value="serverx509v1" />
>                        <entry key="passwordCallbackClass"
> value="server.ServerPasswordCallback" />
>                        <entry key="encryptionUser" value="clientx509v1" />
>                        <entry key="encryptionPropFile"
> value="etc/Server_SignVerf.properties" />
>                        <entry key="encryptionKeyIdentifier"
> value="IssuerSerial" />
>                        <entry key="encryptionParts"
> value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"
> />
>                    </map>
>                </constructor-arg>
>            </bean>
>        </jaxws:outInterceptors>
>        <jaxws:features>
>
>            <bean class="server.timer.NewFeature" />
>        </jaxws:features>
>    </jaxws:endpoint>
>
>
>
>
>      <jaxws:endpoint xmlns:tns="http://localhost/customer/"
> id="CustomerServiceSecureConversation"
>                implementor="webservices.CustomerService"
> wsdlLocation="wsdl/CustomerServiceSecureConversation.wsdl"
>                endpointName="tns:CustomerServicePort" 
> serviceName="tns:CustomerService"
>                address="/CustomerServiceSecureConversationPort">
>                <jaxws:properties>
>
>
>      <entry key="ws-security.signature.properties.sct"
>          value="etc/Server_Decrypt.properties"/>
>           <entry key="ws-security.encryption.properties.sct"
>          value="etc/Server_SignVerf.properties"/>
>      <entry key="ws-security.signature.username.sct" value="serverx509v1"/>
>
>      <entry key="ws-security.encryption.username.sct"
> value="useReqSigCert"/>
>      <entry key="ws-security.callback-handler.sct"
>          value="server.ServerPasswordCallback"/>
>    </jaxws:properties>
>
>                <jaxws:features>
>                   <bean class="org.apache.cxf.feature.LoggingFeature" />
>            <bean class="server.timer.NewFeature" />
>        </jaxws:features>
>    </jaxws:endpoint>
>
> </beans>
>
>
>
>
> #################################### 3
> #############################################
> #Exception when encryption endpoint has been called first (thus working and
> configured correctly) then at the first secureconversation endpoint call :
> 19 mai 2011 19:38:08 org.apache.cxf.phase.PhaseInterceptorChain
> doDefaultLogging
> ATTENTION: Interceptor for {http://localhost/customer/}CustomerService has
> thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers:
> [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security]
> are not understood.
>        at
> org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
>        at
> org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
>        at
> org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
>        at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
>        at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
>        at
> org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:97)
>        at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:461)
>        at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
>        at
> org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
>        at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
>        at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>        at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>        at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>        at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>        at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
>        at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>        at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>        at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
>        at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>        at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394)
>        at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
>        at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
>        at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>        at java.lang.Thread.run(Thread.java:662)
>
>
>
> #################################### 4
> #############################################
> #Exception with cxf 2.3.3 when secureconversation endpoint has been called
> first (then configured properly) then at the first encryption endpoint call
> :
> 19 mai 2011 19:42:37 org.apache.cxf.phase.PhaseInterceptorChain
> doDefaultLogging
> ATTENTION: Interceptor for
> {http://localhost/customer/}CustomerService#{http://localhost/customer/}getCustomer
> has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: These policy alternatives can not be
> satisfied:
>
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
>        at
> org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
>        at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:255)
>        at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:113)
>        at
> org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:97)
>        at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:461)
>        at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:188)
>        at
> org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)
>        at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)
>        at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:103)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>        at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>        at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>        at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>        at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
>        at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>        at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>        at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
>        at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>        at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394)
>        at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
>        at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
>        at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>        at java.lang.Thread.run(Thread.java:662)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> alternatives can not be satisfied:
>
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
>        at
> org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:140)
>        at
> org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:99)
>        at
> org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
>        ... 26 more
>
>
> #################################### 5
> #############################################
> [1]
> http://cxf.547215.n5.nabble.com/quot-MustUnderstand-headers-quot-td548769.html
> [2]
> http://cxf.547215.n5.nabble.com/None-of-the-policy-alternatives-can-be-satisfied-td4346996.html
>
>
>
>
>
> --
> View this message in context: 
> http://cxf.547215.n5.nabble.com/These-policy-alternatives-can-not-be-satisfied-for-multiple-endpoints-and-security-tp4410427p4410427.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
