Hi

Yesterday I tried to set up CXF with WS-Policy via annotations. The following
policy with two alternatives was applied:

<wsp:Policy
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
        <sp:AsymmetricBinding>
            <wsp:Policy>
                <sp:InitiatorToken>
                    <wsp:Policy>
                        <sp:X509Token>
                            <wsp:Policy>
                                <sp:WssX509V3Token11/>
                            </wsp:Policy>
                        </sp:X509Token>
                    </wsp:Policy>
                </sp:InitiatorToken>
                <sp:RecipientToken>
                    <wsp:Policy>
                        <sp:X509Token>
                            <wsp:Policy>
                                <sp:WssX509V3Token11/>
                            </wsp:Policy>
                        </sp:X509Token>
                    </wsp:Policy>
                </sp:RecipientToken>
                <sp:IncludeTimestamp/>
            </wsp:Policy>
        </sp:AsymmetricBinding>
        <sp:SignedParts>
            <sp:Body/>
        </sp:SignedParts>
        <sp:SignedElements>
            <!-- The IncludeTimestamp says that the Timestamp must be integrity
                 protected either by transport or by message level security.
                 We enforce message level protection here: -->
            <sp:XPath xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
            </sp:XPath>
        </sp:SignedElements>
    </wsp:All>
    <wsp:All>
        <sp:AsymmetricBinding>
            <wsp:Policy>
                <sp:InitiatorToken>
                    <wsp:Policy>
                        <sp:X509Token>
                            <wsp:Policy>
                                <sp:WssX509V3Token11/>
                            </wsp:Policy>
                        </sp:X509Token>
                    </wsp:Policy>
                </sp:InitiatorToken>
                <sp:RecipientToken>
                    <wsp:Policy>
                        <sp:X509Token>
                            <wsp:Policy>
                                <sp:WssX509V3Token11/>
                            </wsp:Policy>
                        </sp:X509Token>
                    </wsp:Policy>
                </sp:RecipientToken>
                <sp:IncludeTimestamp/>
            </wsp:Policy>
        </sp:AsymmetricBinding>
        <sp:SignedParts>
            <sp:Body/>
        </sp:SignedParts>
        <sp:SignedElements>
            <!-- The IncludeTimestamp says that the Timestamp must be integrity
                 protected either by transport or by message level security.
                 We enforce message level protection here: -->
            <sp:XPath xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
            </sp:XPath>
        </sp:SignedElements>
        <sp:EncryptedParts>
            <sp:Body/>
        </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

My expectation was that one of the alternatives is chosen based on the actual
request. But by default CXF chooses the alternative with the lowest number of
assertions without taking the actual request into account.
This selected alternative (effective policy) is then always used for all
subsequent requests.

Is this correct, or did I miss something? Is there a switch to change this 
behavior?

Thanks

Marc
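To make the behaviour described in the post concrete, here is an added example (not code from the post and not Apache CXF's own implementation): a small Python script that expands the posted policy into its WS-Policy normal form, lists the alternatives, and applies a count-based selection rule to show which requirements survive. The "minimal" and "maximal" rule names are labels chosen here for fewest and most assertions, not CXF class names; the embedded policy is a compacted copy of the one in the post with the namespace declarations on sp:XPath dropped, since only the assertion structure matters for the expansion.

```python
"""Enumerate the alternatives of a WS-Policy document and apply count-based selection.

Added example, not code from the original post or from Apache CXF. It performs the
normal-form expansion of wsp:ExactlyOne / wsp:All and then picks an alternative by
assertion count, the behaviour the post describes, to show which requirements
survive that choice. "minimal" and "maximal" are labels chosen here for the two
rules, not CXF class names. The policy is a compacted copy of the one in the post
(namespace declarations on sp:XPath dropped; only the assertion structure matters).
"""
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# The asymmetric binding is identical in both alternatives of the post.
BINDING = """<sp:AsymmetricBinding><wsp:Policy>
  <sp:InitiatorToken><wsp:Policy><sp:X509Token><wsp:Policy>
    <sp:WssX509V3Token11/></wsp:Policy></sp:X509Token></wsp:Policy></sp:InitiatorToken>
  <sp:RecipientToken><wsp:Policy><sp:X509Token><wsp:Policy>
    <sp:WssX509V3Token11/></wsp:Policy></sp:X509Token></wsp:Policy></sp:RecipientToken>
  <sp:IncludeTimestamp/>
</wsp:Policy></sp:AsymmetricBinding>"""

TIMESTAMP_XPATH = "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp"

# Constructed copy of the post's policy: alternative 1 signs, alternative 2 signs and encrypts.
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All>
      {BINDING}
      <sp:SignedParts><sp:Body/></sp:SignedParts>
      <sp:SignedElements><sp:XPath>{TIMESTAMP_XPATH}</sp:XPath></sp:SignedElements>
    </wsp:All>
    <wsp:All>
      {BINDING}
      <sp:SignedParts><sp:Body/></sp:SignedParts>
      <sp:SignedElements><sp:XPath>{TIMESTAMP_XPATH}</sp:XPath></sp:SignedElements>
      <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def qname(elem):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if not elem.tag.startswith("{"):
        return "", elem.tag
    ns, _, local = elem.tag[1:].partition("}")
    return ns, local


def alternatives(elem):
    """Normal-form expansion. Returns a list of alternatives; each alternative is a
    list of top-level assertion elements. wsp:Policy and wsp:All combine their
    children (cross product), wsp:ExactlyOne offers a choice (union), and any other
    element is an assertion whose nested policy is left opaque."""
    ns, local = qname(elem)
    if ns == WSP and local in ("Policy", "All"):
        alts = [[]]
        for child in elem:
            alts = [a + b for a in alts for b in alternatives(child)]
        return alts
    if ns == WSP and local == "ExactlyOne":
        return [alt for child in elem for alt in alternatives(child)]
    return [[elem]]


def requires_encryption(alt):
    """True if the alternative demands confidentiality for any part or element."""
    return any(qname(a) in ((SP, "EncryptedParts"), (SP, "EncryptedElements")) for a in alt)


def select(alts, rule):
    """Pick one alternative by assertion count: 'minimal' takes the fewest,
    'maximal' the most. Ties go to the first alternative in document order."""
    if not alts:
        raise ValueError("policy has no alternatives and cannot be satisfied")
    if rule == "minimal":
        return min(alts, key=len)
    if rule == "maximal":
        return max(alts, key=len)
    raise ValueError(f"unknown rule {rule!r}")


def analyse(policy_xml):
    """Expand the policy and report what each selection rule would make effective."""
    alts = alternatives(ET.fromstring(policy_xml))
    report = {"count": len(alts), "sizes": [len(a) for a in alts]}
    for rule in ("minimal", "maximal"):
        chosen = select(alts, rule)
        report[rule] = [qname(a)[1] for a in chosen]
        report[rule + "_encrypts"] = requires_encryption(chosen)
    return report


if __name__ == "__main__":
    for key, value in analyse(POLICY).items():
        print(f"{key}: {value}")
```

Run as a script it prints the two alternatives (3 and 4 assertions) and shows that the fewest-assertions rule makes the sign-only alternative effective, so the sp:EncryptedParts requirement of the second alternative is never enforced once that choice is fixed for all requests. That is the practical consequence of the behaviour the post describes: an ExactlyOne whose alternatives differ in strength, combined with a selector that ignores the request, degrades to its weakest alternative.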