On Tuesday, October 04, 2011 1:57:32 PM Marc Giger wrote:
> On Tue, 04 Oct 2011 10:16:14 +0200
> 
> Alessio Soldano <[email protected]> wrote:
> > You can configure the org.apache.cxf.ws.policy.AlternativeSelector [1]
> > to be used in the Bus, either through the spring configuration or with
> > something like:
> > 
> > bus.getExtension(PolicyEngine.class).setAlternativeSelector(new MaximalAlternativeSelector());
> > 
> > The default selector is the MinimalAlternativeSelector.
> 
> Yes, I'm aware of this. But the alternative will be selected without looking
> into the actual request and selecting the appropriate policy.
> 
> Simple use case:
> 
> Two alternatives, one which enforces a <sp:WssX509V3Token10/>
> the other one enforces a <sp:WssX509Pkcs7Token10/>
> 
> so that both token types are allowed but no other kind of Token.
> Or a use case where both an asymmetric and a symmetric binding is allowed for a
> particular operation with specific keys? Or...
> 
> How can it be done with CXF?

As an FYI:  this is more or less logged as:

https://issues.apache.org/jira/browse/CXF-3365

Different description, but pretty much the same underlying cause.   

Dan




> 
> Thanks
> 
> Marc
> 
> > Cheers
> > Alessio
> > 
> > [1] http://cxf.apache.org/docs/wspconfiguration.html
> > 
> > On 10/04/2011 08:44 AM, Marc Giger wrote:
> > > Hi
> > > 
> > > Yesterday I tried to setup CXF with WS-Policy via annotations. The
> > > following Policy with two alternatives was applied:
> > > 
> > > <wsp:Policy
> > >     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
> > >     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >         <sp:AsymmetricBinding>
> > >             <wsp:Policy>
> > >                 <sp:InitiatorToken>
> > >                     <wsp:Policy>
> > >                         <sp:X509Token>
> > >                             <wsp:Policy>
> > >                                 <sp:WssX509V3Token11/>
> > >                             </wsp:Policy>
> > >                         </sp:X509Token>
> > >                     </wsp:Policy>
> > >                 </sp:InitiatorToken>
> > >                 <sp:RecipientToken>
> > >                     <wsp:Policy>
> > >                         <sp:X509Token>
> > >                             <wsp:Policy>
> > >                                 <sp:WssX509V3Token11/>
> > >                             </wsp:Policy>
> > >                         </sp:X509Token>
> > >                     </wsp:Policy>
> > >                 </sp:RecipientToken>
> > >                 <sp:IncludeTimestamp/>
> > >             </wsp:Policy>
> > >         </sp:AsymmetricBinding>
> > >         <sp:SignedParts>
> > >             <sp:Body/>
> > >         </sp:SignedParts>
> > >         <sp:SignedElements>
> > >             <!-- The IncludeTimestamp says that the Timestamp must be
> > >                  integrity protected either by transport or by message
> > >                  level security. We enforce message level protection here: -->
> > >             <sp:XPath
> > >                 xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> > >                 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> > >                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > >                 /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
> > >             </sp:XPath>
> > >         </sp:SignedElements>
> > >     </wsp:All>
> > >     <wsp:All>
> > >         <sp:AsymmetricBinding>
> > >             <wsp:Policy>
> > >                 <sp:InitiatorToken>
> > >                     <wsp:Policy>
> > >                         <sp:X509Token>
> > >                             <wsp:Policy>
> > >                                 <sp:WssX509V3Token11/>
> > >                             </wsp:Policy>
> > >                         </sp:X509Token>
> > >                     </wsp:Policy>
> > >                 </sp:InitiatorToken>
> > >                 <sp:RecipientToken>
> > >                     <wsp:Policy>
> > >                         <sp:X509Token>
> > >                             <wsp:Policy>
> > >                                 <sp:WssX509V3Token11/>
> > >                             </wsp:Policy>
> > >                         </sp:X509Token>
> > >                     </wsp:Policy>
> > >                 </sp:RecipientToken>
> > >                 <sp:IncludeTimestamp/>
> > >             </wsp:Policy>
> > >         </sp:AsymmetricBinding>
> > >         <sp:SignedParts>
> > >             <sp:Body/>
> > >         </sp:SignedParts>
> > >         <sp:SignedElements>
> > >             <!-- The IncludeTimestamp says that the Timestamp must be
> > >                  integrity protected either by transport or by message
> > >                  level security. We enforce message level protection here: -->
> > >             <sp:XPath
> > >                 xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
> > >                 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> > >                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > >                 /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp
> > >             </sp:XPath>
> > >         </sp:SignedElements>
> > >         <sp:EncryptedParts>
> > >             <sp:Body/>
> > >         </sp:EncryptedParts>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > > 
> > > The expectation from my side was that one of the alternatives is
> > > chosen based on the actual request. But CXF chooses by default
> > > the alternative with the lowest number of assertions without taking
> > > the actual request into account. Then this selected alternative
> > > (effective Policy) is always used for all subsequent requests.
> > > 
> > > Is this correct, or did I miss something? Is there a switch to
> > > change this behavior?
> > > 
> > > Thanks
> > > 
> > > Marc
-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
Talend - http://www.talend.com
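
Added example, not part of the original thread and not CXF code: a small Python model of the behaviour discussed above, comparing a fixed "fewest assertions" choice with a per-request choice over a shortened, constructed copy of the two-alternative policy. The function names, the `observed` set of satisfied assertions and the "most specific satisfied alternative wins" rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Constructed, shortened form of the policy in the thread (nested policies elided).
POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding/>
      <sp:SignedParts><sp:Body/></sp:SignedParts>
      <sp:SignedElements/>
    </wsp:All>
    <wsp:All>
      <sp:AsymmetricBinding/>
      <sp:SignedParts><sp:Body/></sp:SignedParts>
      <sp:SignedElements/>
      <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""

def alternatives(policy_xml):
    """Each wsp:All under the top-level wsp:ExactlyOne, as a set of assertion names."""
    root = ET.fromstring(policy_xml)
    exactly_one = root.find(f"{{{WSP}}}ExactlyOne")
    return [frozenset(child.tag.split("}")[1] for child in alt)
            for alt in exactly_one.findall(f"{{{WSP}}}All")]

def select_minimal(alts):
    """Request-independent choice: the alternative with the fewest assertions."""
    return min(range(len(alts)), key=lambda i: len(alts[i]))

def select_for_request(alts, observed):
    """Request-aware choice (assumed rule): the largest alternative whose
    assertions are all satisfied by this request, or None to reject it."""
    ok = [i for i, a in enumerate(alts) if a <= observed]
    return max(ok, key=lambda i: len(alts[i])) if ok else None

def never_enforced(alts):
    """Assertions that a fixed minimal choice never applies to any request."""
    return set().union(*alts) - alts[select_minimal(alts)]

if __name__ == "__main__":
    alts = alternatives(POLICY)
    print("fixed choice:", select_minimal(alts), "never enforced:", never_enforced(alts))
```

Running the same check against a real policy file shows which assertions only exist in alternatives that a fixed selection will not pick.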
