I don't think that combining policies in this way is correct, as all of both policies must be valid. The policy that uses "IssuedToken" will always fail then for the other case.
Instead, you could try creating a new policy which allows an alternative between both referenced policies.

Colm.

On Tue, Sep 24, 2013 at 4:41 AM, XiLai Dai <[email protected]> wrote:
> Hi, there
>
> We have SAML Token (STS) policy defined as below (saml.policy):
>
> <?xml version="1.0" encoding="UTF-8" ?>
> <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <sp:RequestSecurityTokenTemplate>
>                   <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
>                   <t:KeyType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
>                 </sp:RequestSecurityTokenTemplate>
>                 <wsp:Policy>
>                   <!--sp:RequireInternalReference /-->
>                   <sp:WssX509V3Token10 />
>                   <sp:RequireIssuerSerialReference />
>                 </wsp:Policy>
>               </sp:IssuedToken>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                   <sp:RequireIssuerSerialReference />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>           <sp:OnlySignEntireHeadersAndBody />
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:MustSupportRefIssuerSerial />
>           <sp:MustSupportRefThumbprint />
>           <sp:MustSupportRefEncryptedKey />
>         </wsp:Policy>
>       </sp:Wss11>
>       <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens />
>           <sp:RequireClientEntropy />
>           <sp:RequireServerEntropy />
>         </wsp:Policy>
>       </sp:Trust13>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> And Encrypt/Sign body policy (encrypt_sign.policy) defined as:
>
> <wsp:Policy xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>             xmlns:wsp="http://www.w3.org/ns/ws-policy"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding>
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                   <sp:RequireIssuerSerialReference />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:WssX509V3Token10 />
>                   <sp:RequireIssuerSerialReference />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>           <sp:OnlySignEntireHeadersAndBody/>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:EncryptedParts>
>         <sp:Body/>
>       </sp:EncryptedParts>
>       <sp:SignedParts>
>         <sp:Body/>
>       </sp:SignedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> The service endpoint defined in spring:
> <jaxws:endpoint ...>
>   ......
>   <jaxws:features>
>     <p:policies>
>       <wsp:PolicyReference URI="classpath:/saml.policy"/>
>       <wsp:PolicyReference URI="classpath:/encrypt_sign.policy"/>
>     </p:policies>
>   </jaxws:features>
> </jaxws:endpoint>
>
> The client defined also in spring:
> <jaxws:client ...>
>   ......
>   <jaxws:features>
>     <p:policies>
>       <wsp:PolicyReference URI="classpath:/saml.policy"/>
>       <wsp:PolicyReference URI="classpath:/encrypt_sign.policy"/>
>     </p:policies>
>   </jaxws:features>
> </jaxws:client>
>
> After deploying the service/client and invoking it, the "Error in validating the IssuedToken policy" exception is thrown.
>
> 11:25:53,782 | WARN | qtp895895561-118 | ache.cxf.common.logging.LogUtils 452 | 122 - org.apache.cxf.cxf-api - 2.7.7 | Interceptor for {http://services.talend.org/CRMService}CRMServiceProvider#{http://services.talend.org/CRMService}getCRMInformation has thrown exception, unwinding now
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken: Error in validating the IssuedToken policy
>   at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)[153:org.apache.cxf.cxf-rt-ws-policy:2.7.7]
>   at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)[153:org.apache.cxf.cxf-rt-ws-policy:2.7.7]
>   at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)[153:org.apache.cxf.cxf-rt-ws-policy:2.7.7]
>   at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)[122:org.apache.cxf.cxf-api:2.7.7]
>   at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[122:org.apache.cxf.cxf-api:2.7.7]
>   at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)[130:org.apache.cxf.cxf-rt-transports-http:2.7.7]
>
> The service and client work fine in case one of the policies is applied (saml policy or encrypt_sign policy).
>
> Any ideas? Maybe the different AsymmetricBinding can't be merged correctly? Thanks!
>
> Regards.
> Xilai

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
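The WS-Policy semantics behind the answer above, as an added example that is not code from this thread or from CXF: it normalises two constructed, abbreviated stand-ins for saml.policy and encrypt_sign.policy, then shows that applying both PolicyReferences merges them into a single alternative that an X.509-signed request can never satisfy, whereas a wsp:ExactlyOne over the two policies accepts either kind of request. The `alternatives`, `merge`, `either` and `missing` helpers are this example's own names, not CXF API.

```python
import xml.etree.ElementTree as ET

WSP = "{http://www.w3.org/ns/ws-policy}"
NS = ('xmlns:wsp="http://www.w3.org/ns/ws-policy" '
      'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"')
# Constructed, abbreviated stand-ins for saml.policy and encrypt_sign.policy
# (only the assertions that differ between the two are kept).
SAML = f"""<wsp:Policy {NS}><wsp:ExactlyOne><wsp:All>
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy><sp:IssuedToken/></wsp:Policy></sp:InitiatorToken>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:Trust13/>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""
ENCRYPT_SIGN = f"""<wsp:Policy {NS}><wsp:ExactlyOne><wsp:All>
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts/><sp:EncryptedParts/>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""

def alternatives(node, prefix=""):
    """Normal form: list of alternatives, each a frozenset of assertion paths."""
    if node.tag in (WSP + "Policy", WSP + "All"):
        alts = [frozenset()]            # All: product of the children's alternatives
        for child in node:
            alts = [a | b for a in alts for b in alternatives(child, prefix)]
        return alts
    if node.tag == WSP + "ExactlyOne":  # ExactlyOne: concatenation of alternatives
        return [alt for child in node for alt in alternatives(child, prefix)]
    name = prefix + node.tag.split("}")[1]  # e.g. AsymmetricBinding/InitiatorToken
    nested = [c for c in node if c.tag == WSP + "Policy"]
    if not nested:
        return [frozenset([name])]
    # an assertion with a nested policy expands once per nested alternative
    return [frozenset([name]) | n for n in alternatives(nested[0], name + "/")]
def normalize(policy_xml):
    return alternatives(ET.fromstring(policy_xml))
def merge(*policies):
    """Two PolicyReferences on one endpoint: a message must satisfy an
    alternative of EACH policy, i.e. the product of their alternatives."""
    result = [frozenset()]
    for alts in policies:
        result = [a | b for a in result for b in alts]
    return result
def either(*policies):
    """A new wsp:ExactlyOne over both policies: any one alternative suffices."""
    return [alt for alts in policies for alt in alts]
def missing(policy, satisfied):
    """Unsatisfied assertions of the closest alternative (empty = accepted)."""
    return min((alt - satisfied for alt in policy), key=len)
```

With the X.509 request modelled as `normalize(ENCRYPT_SIGN)[0]`, `missing(merge(normalize(SAML), normalize(ENCRYPT_SIGN)), ...)` returns the IssuedToken path and Trust13, the assertions CXF reports as unsatisfiable, while `missing(either(...), ...)` returns an empty set.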
