My namespaces look like:

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"



On Tue, Oct 23, 2012 at 1:12 PM, Jason Pell <[email protected]> wrote:
> Hi,
>
> I am debugging 2.7.1 trunk to try and figure out why my
> RequireClientCertificate="true" appears to be ignored.
>
> My policy looks like:
>
> <wsp:Policy wsu:Id="SslWithUsernamePasswordToken">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding>
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <sp:HttpsToken RequireClientCertificate="true" />
>             </wsp:Policy>
>           </sp:TransportToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:IncludeTimestamp />
>         </wsp:Policy>
>       </sp:TransportBinding>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> I can see in the HttpsTokenInInterceptor that because there is no
> client token, the AssertionInfo is not being asserted, which I assume
> means it should raise a policy error.
>
> However in the TransportBindingPolicyValidator it overrides this and
> actually sets the AssertionInfo that was not asserted to true!
>
> If I disable the second line, I get an exception because no client
> certificate is present.
>
> Index: 
> src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
> ===================================================================
> --- 
> src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
>         (revision
> 1400641)
> +++ 
> src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
>         (working
> copy)
> @@ -68,7 +68,7 @@
>              // HttpsToken is validated by the HttpsTokenInterceptorProvider
>              if (binding.getTransportToken() != null) {
>                  assertPolicy(aim, binding.getTransportToken());
> -                assertPolicy(aim, binding.getTransportToken().getToken());
> +            //    assertPolicy(aim, binding.getTransportToken().getToken());
>              }
>
>              // Check the AlgorithmSuite
>
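Review bot: commenting out `assertPolicy(aim, binding.getTransportToken().getToken());` instead of deleting it leaves dead code in the validator; if dropping the call is the intended fix, remove the line. On the substance, that line asserts the HttpsToken unconditionally, which overrides whatever HttpsTokenInInterceptor decided about RequireClientCertificate and contradicts the comment two lines above it (`// HttpsToken is validated by the HttpsTokenInterceptorProvider`). If the validator needs to touch the token at all, it should only assert it when the interceptor has already marked it asserted, and the change needs a test with RequireClientCertificate="true" and no client certificate presented to confirm that a policy error is now raised.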
> This is obviously not a complete patch, but it does I hope prove that
> there is an issue with client cert validation.  I shall open up a jira
> for this, but I don't feel confident enough to try and
> provide a patch without guidance as this is definitely an area I am
> not very familiar with.
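The check the reporter expected from the transport layer, written out as an added stand-alone example (not CXF code): parse the TransportBinding policy above, read the HttpsToken's RequireClientCertificate flag, and only assert the token when the connection actually satisfied it. The policy text and the `tls_used` / `client_cert_present` inputs are constructed for the example.

```python
"""Evaluate the HttpsToken assertion of a WS-SecurityPolicy TransportBinding
against what the transport delivered. Constructed example, not CXF's
HttpsTokenInInterceptor or TransportBindingPolicyValidator."""
import xml.etree.ElementTree as ET

# Namespaces exactly as declared in the thread.
NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
}

# The reporter's policy, with the namespace declarations added so it parses
# on its own (constructed wrapper around the quoted policy).
POLICY_XML = """<wsp:Policy wsu:Id="SslWithUsernamePasswordToken"
    xmlns:wsp="%(wsp)s" xmlns:wsu="%(wsu)s" xmlns:sp="%(sp)s">
  <wsp:ExactlyOne><wsp:All><sp:TransportBinding><wsp:Policy>
    <sp:TransportToken><wsp:Policy>
      <sp:HttpsToken RequireClientCertificate="true"/>
    </wsp:Policy></sp:TransportToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:TransportBinding></wsp:All></wsp:ExactlyOne>
</wsp:Policy>""" % NS


def https_token_requirements(policy_xml):
    """Return the requirements the sp:HttpsToken places on the transport."""
    root = ET.fromstring(policy_xml)
    token = root.find(".//sp:TransportToken/wsp:Policy/sp:HttpsToken", NS)
    if token is None:
        raise ValueError("TransportBinding has no sp:HttpsToken")
    flag = token.get("RequireClientCertificate", "false").strip().lower()
    return {"RequireClientCertificate": flag == "true"}


def validate_https_token(policy_xml, tls_used, client_cert_present):
    """Decide whether the HttpsToken assertion holds for this request.

    Returns (asserted, reason). The assertion is asserted only when every
    requirement was met on the wire; a validator that asserts it regardless
    of this result (the behaviour the thread reports) would let a request
    without a client certificate through a policy that demands one.
    """
    req = https_token_requirements(policy_xml)
    if not tls_used:
        return False, "HttpsToken requires TLS but the request was plain HTTP"
    if req["RequireClientCertificate"] and not client_cert_present:
        return False, "RequireClientCertificate=true but no client certificate was presented"
    return True, "HttpsToken satisfied"
```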
