Hi,

> My expectation is to see an outright rejection from
> CXF, when policy alternatives cannot be satisfied, w/out even authenticating
> my user.

That is not how CXF currently works. It walks the security header of
the incoming request, and processes and validates each token it finds.
Only after the security header has been successfully processed does it
verify the results against the WS-SecurityPolicy requirement.

Colm.

On Sat, Apr 14, 2012 at 12:27 AM, sram <[email protected]> wrote:
> My policy looks like,
>
> <wsp:All>
>     <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>             <sp:InitiatorToken>
>                 <wsp:Policy>
>                     <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                         <wsp:Policy>
>                             <sp:WssX509V3Token10 />
>                         </wsp:Policy>
>                     </sp:X509Token>
>                 </wsp:Policy>
>             </sp:InitiatorToken>
>             <sp:AlgorithmSuite>
>                 <wsp:Policy>
>                     <sp:Basic256 />
>                 </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>                 <wsp:Policy>
>                     <sp:Strict />
>                 </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>         </wsp:Policy>
>     </sp:AsymmetricBinding>
>     <sp:SignedSupportingTokens>
>         <wsp:Policy>
>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             </sp:UsernameToken>
>         </wsp:Policy>
>     </sp:SignedSupportingTokens>
>     <bnysp:AcceptsDisclosureStatement/>
> </wsp:All>
>
> As a client, I supply only a UsernameToken and I expect CXF to complain about
> the other missing policies. This does happen, but only after *successfully*
> authenticating my user. My expectation is to see an outright rejection from
> CXF, when policy alternatives cannot be satisfied, without even authenticating
> my user.
>
> If I substitute a bad user, I see
>
> <soap:Fault>
>     <faultcode>soap:Client</faultcode>
>     <faultstring>User Authentication Failure</faultstring>
> </soap:Fault>
>
> Is my expectation incorrect? Or am I missing anything here?
>
> --
> View this message in context: 
> http://cxf.547215.n5.nabble.com/WS-Policy-Execution-order-tp5639774p5639774.html
> Sent from the cxf-user mailing list archive at Nabble.com.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
