There definitely looks like a bug in here someplace, but I'm not 100% sure 
where or the cause.   It definitely needs to replace the Assertion map (since 
the policy may be very different), but it likely should go through the old map 
and re-assert any policies on the new map that were asserted on the old.   
That MAY fix it, I'm not really sure.   Is there any way you can create a test 
case?   Better yet, can you try the above and maybe submit a patch if that 
works?   You should just be able to walk the assertions in the old map, check 
if they exist in the new map, and assert them if they do.

Dan



On Tuesday, October 18, 2011 9:52:59 AM timmgrant wrote:
> Hi,
> 
> I am using CXF 2.4.3 with the following policy:
> 
>   <wsp:Policy wsu:Id="WSHttpBinding_Blah_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:TransportBinding
>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:TransportToken>
>               <wsp:Policy>
>                 <sp:HttpsToken RequireClientCertificate="false" />
>               </wsp:Policy>
>             </sp:TransportToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>           </wsp:Policy>
>         </sp:TransportBinding>
>         <sp:EndorsingSupportingTokens
>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:SecureConversationToken
>                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy>
>                 <sp:BootstrapPolicy>
>                   <wsp:Policy>
>                     <sp:SignedParts>
>                       <sp:Body />
>                       <sp:Header Name="To"
>                           Namespace="http://www.w3.org/2005/08/addressing" />
>                       <sp:Header Name="From"
>                           Namespace="http://www.w3.org/2005/08/addressing" />
>                       <sp:Header Name="FaultTo"
>                           Namespace="http://www.w3.org/2005/08/addressing" />
>                       <sp:Header Name="ReplyTo"
>                           Namespace="http://www.w3.org/2005/08/addressing" />
>                       <sp:Header Name="MessageID"
>                           Namespace="http://www.w3.org/2005/08/addressing" />
>                       <sp:Header Name="RelatesTo"
>                           Namespace="http://www.w3.org/2005/08/addressing" />
>                       <sp:Header Name="Action"
>                           Namespace="http://www.w3.org/2005/08/addressing" />
>                     </sp:SignedParts>
>                     <sp:EncryptedParts>
>                       <sp:Body />
>                     </sp:EncryptedParts>
>                     <sp:TransportBinding>
>                       <wsp:Policy>
>                         <sp:TransportToken>
>                           <wsp:Policy>
>                             <sp:HttpsToken RequireClientCertificate="false" />
>                           </wsp:Policy>
>                         </sp:TransportToken>
>                         <sp:AlgorithmSuite>
>                           <wsp:Policy>
>                             <sp:Basic256 />
>                           </wsp:Policy>
>                         </sp:AlgorithmSuite>
>                         <sp:Layout>
>                           <wsp:Policy>
>                             <sp:Strict />
>                           </wsp:Policy>
>                         </sp:Layout>
>                         <sp:IncludeTimestamp />
>                       </wsp:Policy>
>                     </sp:TransportBinding>
>                     <sp:EndorsingSupportingTokens>
>                       <wsp:Policy>
>                         <sp:X509Token
>                             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                           <wsp:Policy>
>                             <sp:RequireThumbprintReference />
>                             <sp:WssX509V3Token10 />
>                           </wsp:Policy>
>                         </sp:X509Token>
>                         <sp:SignedParts>
>                           <sp:Header Name="To"
>                               Namespace="http://www.w3.org/2005/08/addressing" />
>                         </sp:SignedParts>
>                       </wsp:Policy>
>                     </sp:EndorsingSupportingTokens>
>                     <sp:Wss11>
>                       <wsp:Policy>
>                         <sp:MustSupportRefKeyIdentifier />
>                         <sp:MustSupportRefIssuerSerial />
>                         <sp:MustSupportRefThumbprint />
>                         <sp:MustSupportRefEncryptedKey />
>                       </wsp:Policy>
>                     </sp:Wss11>
>                     <sp:Trust10>
>                       <wsp:Policy>
>                         <sp:MustSupportIssuedTokens />
>                         <sp:RequireClientEntropy />
>                         <sp:RequireServerEntropy />
>                       </wsp:Policy>
>                     </sp:Trust10>
>                   </wsp:Policy>
>                 </sp:BootstrapPolicy>
>               </wsp:Policy>
>             </sp:SecureConversationToken>
>             <sp:SignedParts>
>               <sp:Header Name="To"
>                   Namespace="http://www.w3.org/2005/08/addressing" />
>             </sp:SignedParts>
>           </wsp:Policy>
>         </sp:EndorsingSupportingTokens>
>         <sp:Wss11
>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>             <sp:MustSupportRefThumbprint />
>             <sp:MustSupportRefEncryptedKey />
>           </wsp:Policy>
>         </sp:Wss11>
>         <sp:Trust10
>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:MustSupportIssuedTokens />
>             <sp:RequireClientEntropy />
>             <sp:RequireServerEntropy />
>           </wsp:Policy>
>         </sp:Trust10>
>         <wsaw:UsingAddressing />
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> 
> However I am getting the following error:
> 
> These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}HttpsToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EndorsingSupportingTokens
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss11
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Trust10
> 
> I am 99% certain the request message is fine and when I debug I can see that
> all the policies are being satisfied however the
> SecureConversationInInterceptor is then replacing the AssertionInfoMap (line
> 252). Then when the PolicyVerificationInInterceptor checks that the
> assertions have been satisfied they all fail because it has been replaced
> with the new assertioninfomap.  I'm at a bit of a loss as to whether this
> is a bug or if I've missed something?
> 
> Any ideas?
> 
> Cheers,
> Tim
> 
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/SecureConversationInInterceptor-removing-all-assertions-tp4914500p4914500.html
> Sent from the cxf-user mailing list archive at Nabble.com.
-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
Talend - http://www.talend.com
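
The approach suggested in the reply above (walk the old map and re-assert on the new map only what also exists there), as an added example that is not from the original messages or the CXF code base. `Info` and the plain `Map` are hypothetical stand-ins for CXF's assertion classes, and the policy contents in `main` are constructed.

```java
import java.util.*;
import javax.xml.namespace.QName;

public class CarryOverAssertions {
    // Hypothetical stand-in: one policy assertion plus its "satisfied" flag.
    static final class Info {
        final QName name;
        boolean asserted;
        Info(QName name) { this.name = name; }
    }

    // Hypothetical stand-in for an assertion map: name -> occurrences in the policy.
    static Map<QName, List<Info>> mapOf(QName... names) {
        Map<QName, List<Info>> m = new LinkedHashMap<>();
        for (QName n : names) {
            m.computeIfAbsent(n, k -> new ArrayList<>()).add(new Info(n));
        }
        return m;
    }

    // Re-assert on newMap only names that were asserted on oldMap AND exist in newMap.
    // Simplification: state is carried over per name, not per occurrence.
    static void carryOver(Map<QName, List<Info>> oldMap, Map<QName, List<Info>> newMap) {
        for (Map.Entry<QName, List<Info>> e : oldMap.entrySet()) {
            boolean wasAsserted = e.getValue().stream().anyMatch(i -> i.asserted);
            List<Info> target = newMap.get(e.getKey());
            if (wasAsserted && target != null) {
                target.forEach(i -> i.asserted = true);
            }
        }
    }

    // Names a later verification pass would still report as unsatisfied.
    static List<QName> unsatisfied(Map<QName, List<Info>> map) {
        List<QName> out = new ArrayList<>();
        map.forEach((k, v) -> { if (v.stream().noneMatch(i -> i.asserted)) out.add(k); });
        return out;
    }

    public static void main(String[] args) {
        String ns = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
        QName tb = new QName(ns, "TransportBinding"), ts = new QName(ns, "IncludeTimestamp"),
              x509 = new QName(ns, "X509Token"), sct = new QName(ns, "SecureConversationToken");
        Map<QName, List<Info>> oldMap = mapOf(tb, ts, x509);   // constructed "before" state
        oldMap.get(tb).get(0).asserted = true;                  // satisfied before the swap
        oldMap.get(ts).get(0).asserted = true;
        Map<QName, List<Info>> newMap = mapOf(tb, ts, sct);     // constructed replacement map
        carryOver(oldMap, newMap);
        System.out.println(unsatisfied(newMap));                // what verification still rejects
    }
}
```

Assertions that appear only in the new map, or were never asserted on the old one, stay unasserted, so the carry-over cannot mark a requirement as satisfied that no interceptor actually checked.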
