My policy looks like,
<wsp:All>
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedSupportingTokens>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<bnysp:AcceptsDisclosureStatement/>
</wsp:All>
As a client, I supply only usernametoken and I expect CXF to complain about
other missing policies. This does happen but only after *successfully*
authenticating my user. My expectation is to see an outright rejection from
CXF, when policy alternatives cannot be satisfied, w/out even authenticating
my user.
If I substitute a bad user, i see
<soap:Fault>
<faultcode>soap:Client</faultcode>
<faultstring>User Authentication Failure</faultstring>
</soap:Fault>
Is my expectation incorrect? OR Am I missing any here?
--
View this message in context:
http://cxf.547215.n5.nabble.com/WS-Policy-Execution-order-tp5639774p5639774.html
Sent from the cxf-user mailing list archive at Nabble.com.
