Hi,
I am debugging 2.7.1 trunk to try and figure out why my
RequireClientCertificate="true" appears to be ignored.
My policy looks like:
<wsp:Policy wsu:Id="SslWithUsernamePasswordToken">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="true" />
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:IncludeTimestamp />
        </wsp:Policy>
      </sp:TransportBinding>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
I can see in the HttpsTokenInInterceptor that, because there is no
client token, the AssertionInfo is not being asserted, which I assume
means it should raise a policy error.
However, in the TransportBindingPolicyValidator it overrides this and
actually sets the AssertionInfo that was not asserted to true!
If I disable the second line, I get an exception because no client
certificate is present.
Index:
src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
===================================================================
---
src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
(revision
1400641)
+++
src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
(working
copy)
@@ -68,7 +68,7 @@
// HttpsToken is validated by the HttpsTokenInterceptorProvider
if (binding.getTransportToken() != null) {
assertPolicy(aim, binding.getTransportToken());
- assertPolicy(aim, binding.getTransportToken().getToken());
+ // assertPolicy(aim, binding.getTransportToken().getToken());
}
// Check the AlgorithmSuite
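Review bot: The change drops the nested token assertion unconditionally, so if the HttpsTokenInInterceptor does not itself assert the HttpsToken on a successful TLS request (including the case where RequireClientCertificate is not set), every request through this binding would now fail policy verification; the comment above the block ("HttpsToken is validated by the HttpsTokenInterceptorProvider") suggests that is the intent, but it should be confirmed before the line is removed. Also, delete the line outright rather than leaving it commented out, and keep `assertPolicy(aim, binding.getTransportToken());` for the wrapper assertion only.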
This is obviously not a complete patch, but it does, I hope, prove that
there is an issue with client cert validation. I shall open up a JIRA
for this, but I don't feel confident enough to try and provide a patch
without guidance, as this is definitely an area I am not very familiar with.