*Hi,

I am currently trying to implement WS-SecurityPolicy on a web service that
uses WS-Security (JBoss 7.1.1 + jbossws-cxf-4.1.1.Final). I am trying to
make CXF enforce three policies: UsernameToken with Mutual X.509v3
Authentication, Sign and Encrypt, as follows:*

<wsp:Policy
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
    xmlns:tcp="http://java.sun.com/xml/ns/wsit/2006/09/policy/soaptcp/service"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
    xmlns:fi="http://java.sun.com/xml/ns/wsit/2006/09/policy/fastinfoset/service"
    wsu:Id="GidWsNDSOiVendeBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token11/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                  <sp:RequireIssuerSerialReference/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:EncryptBeforeSigning/>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128Rsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>


*All the policies work fine, except for the X509Token Assertion that
generates the following exception.*

10:59:56,636 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-localhost-127.0.0.1-8080-1) Interceptor for {http://gid.ws.nds.oiVende/}GidWsNDSOiVende#{http://gid.ws.nds.OiVende/}teste has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
        at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47) [cxf-rt-ws-policy.jar:2.6.4]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262) [cxf-api.jar:2.6.4]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api.jar:2.6.4]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236) [cxf-rt-transports-http.jar:2.6.4]
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:95) [jbossws-cxf-server.jar:4.1.1.Final]
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:156) [jbossws-cxf-server.jar:4.1.1.Final]
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87) [jbossws-cxf-server.jar:4.1.1.Final]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:225) [cxf-rt-transports-http.jar:2.6.4]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:145) [cxf-rt-transports-http.jar:2.6.4]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
        at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135) [jbossws-cxf-server.jar:4.1.1.Final]
        at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi.jar:2.1.1.Final]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
        at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
        at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167) [cxf-rt-ws-policy.jar:2.6.4]
        at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101) [cxf-rt-ws-policy.jar:2.6.4]
        at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45) [cxf-rt-ws-policy.jar:2.6.4]
        ... 26 more

*The request that generated the exception:*

<soapenv:Envelope xmlns:gid="http://gid.ws.nds.OiVende/"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-16">
        <wsse:Username>AI1qTwNjGnsE99RHFhQ6QFbao7u/fw179mU5oTwGyP6LOOMcffLGZHnlUWD62o3onuGNGbFltkAA
LYVQmowJ2tfL2MdorywfON3uYdQksb0tROGj1q+dtfOEdOO0/nRB4KIPaI9iUQuLlTZTXZZLRCyL
tfuPdNkM8ZQ/IgX8v+k=</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">GileUp2HMHBkZ3PvHk9PZFbbmOXKrDoGL/vEUVhXgBuJ5Z9U236w0J55xU645eH4RsltG3T4XmNQ
e1ypi0NUbVzk2De4elkAKBF3s9bQE1rmONLoUYXQRuYDjNBbzajR2okXS80oKi7w0QOLibTFfQeO
R04KmBo75ykchSqNwKM=</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">ngNCqeakderQcMpmxf4DvA==</wsse:Nonce>
        <wsu:Created>2014-02-26T13:59:52.827Z</wsu:Created>
      </wsse:UsernameToken>
      <ds:Signature Id="SIG-15" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="gid soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#id-14">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="gid" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>OQqnS4HijCjWqZud07QwEnBv1ho=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>QW99DAhwIr/xgHnToRtPBVi87LtlUov6k/6kxGpGzqNpK4N5aI2FclAYX9AsU6Rt1mD4rvW7acvW
VttWeQ73bLRtaBm9i2Kcb4/qKISWCpkbomRZO9t3G107hy57WP7SsO1m+uILMD3HqPnYX9clV4Ch
kPHxpywKNdtJHd3TMBUgPHPWtHIcArm5buDfq4ptLTexq+YDcDpCbVB328S+oQpi8wZNSP9JX556
zHjNpDekI+S2dIDxSi/7a7PjNDO8d4ajg7yInznVx3AZm8AU6WHevdcFvIj8hFcKf+7eWNzS/Uos
FBr6+xuHX1C6dr/5FVgsCL2Ubr/vwPg8LdneJQ==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-6F2BD13BBF5C75E94C139342319278815">
          <wsse:SecurityTokenReference wsu:Id="STR-6F2BD13BBF5C75E94C139342319278816">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=gid.ws,OU=OI,O=TNL PCS S/A,L=Rio de Janeiro,ST=Rio de Janeiro,C=BR</ds:X509IssuerName>
                <ds:X509SerialNumber>186004993</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <xenc:EncryptedKey Id="EK-6F2BD13BBF5C75E94C139342319278513" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=gid.ws,OU=OI,O=TNL PCS S/A,L=Rio de Janeiro,ST=Rio de Janeiro,C=BR</ds:X509IssuerName>
                <ds:X509SerialNumber>2048318029</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>dt7uxlbVMrE2NW7gKB22hl8SaxAY0003BaIJFrs1wCfHhCtg0AhZxGL6Qw0r1lUXPYLMuMjjKddoUbZzsyH8oZYy8umVOokfZyAsukBT4+58MjHrtfhP95f57PB/5P9KDwAYuU/34UhFJfe2PMAAaTn2Wnuk1a0PqvPIHKm7oHWb6qekaKWssGWGvPhFAFg1ea5ao3S9e9OsyXzPxjlHE/bT/aA3dKO4usnkxb+HRweYZQ2E9OK25J5kdBg+fs6195zQI2hCr5X/+cNCm6VvE7RvfPkU0VrwFXSBp0opzg8dpb1ZH17WtV09nyjIsGlMypNvDYIWJYwvKZ2B4ISQkw==</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-13"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-14" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData Id="ED-13" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference
            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
          <wsse:Reference URI="#EK-6F2BD13BBF5C75E94C139342319278513"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>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</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>

*The jbossws-cxf.xml jaxws configuration:*

<jaxws:properties>
  <entry key="ws-security.callback-handler" value="br.com.gid.ws.interfaces.callback.PasswordCallback"/>
  <entry key="ws-security.encryption.properties" value="resources/GidWsNDS_Server_Decrypt.properties"/>
  <entry key="ws-security.signature.properties" value="resources/GidWsNDS_Server_Decrypt.properties"/>
  <entry key="ws-security.encryption.username" value="useReqSigCert"/>
  <entry key="ws-security.validate.token" value="false"/>
</jaxws:properties>


*Thanks in advance.*



--
View this message in context: 
http://cxf.547215.n5.nabble.com/Why-is-my-X509Token-policy-not-being-satisfied-Is-this-a-bug-tp5740526.html
Sent from the cxf-user mailing list archive at Nabble.com.
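Added example (not code from the original post, from CXF or from the project described): a small Python checker that applies the sp:IncludeToken rule behind the "token inclusion requirement" message. Under IncludeToken/AlwaysToRecipient the initiator's X.509 certificate has to be carried in the message as a wsse:BinarySecurityToken that the signature's SecurityTokenReference points at directly, while the posted request references the signing certificate by X509IssuerSerial and carries no BinarySecurityToken, which is exactly what the check reports. The sample envelopes, element ids and base64 values are constructed, and the `Once` inclusion mode is not modelled.

```python
import xml.etree.ElementTree as ET

NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
INCLUDE = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/"


def check_initiator_token(soap_xml: str, include_token: str) -> tuple[bool, str]:
    """Apply the sp:IncludeToken rule to the signing token of a WS-Security header.
    Always/AlwaysToRecipient: the certificate must travel as a wsse:BinarySecurityToken that the
    signature's SecurityTokenReference points at directly. Never: external reference only."""
    sec = ET.fromstring(soap_xml).find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return False, "no wsse:Security header"
    str_el = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        return False, "signature carries no SecurityTokenReference"
    bst_ids = {b.get("{%s}Id" % NS["wsu"]) for b in sec.findall("wsse:BinarySecurityToken", NS)}
    ref = str_el.find("wsse:Reference", NS)
    included = ref is not None and ref.get("URI", "").lstrip("#") in bst_ids
    external = str_el.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None
    mode = include_token.rsplit("/", 1)[-1]
    if mode in ("Always", "AlwaysToRecipient"):
        if included:
            return True, "token included and referenced directly"
        return False, "received token does not match the token inclusion requirement: " + (
            "IssuerSerial reference instead of an included token" if external else "no token")
    if mode == "Never":
        return (external and not included), ("external reference" if external else "token included")
    return False, "IncludeToken mode %s not handled here" % mode


def sample_request(key_info: str, bst: str = "") -> str:
    """Constructed sample with the posted request's structure; crypto values are dummies."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}"><soapenv:Header>
<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">{bst}
<ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo/><ds:SignatureValue>QW99</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference>{key_info}</wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""


# Reference form seen in the posted request (IssuerSerial, no token included) ...
ISSUER_SERIAL = ("<ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=gid.ws</ds:X509IssuerName>"
                 "<ds:X509SerialNumber>186004993</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data>")
# ... and the form AlwaysToRecipient asks for: an included BST plus a direct reference to it.
BST = '<wsse:BinarySecurityToken wsu:Id="X509-1">MIIB(dummy)</wsse:BinarySecurityToken>'
DIRECT_REF = '<wsse:Reference URI="#X509-1"/>'

if __name__ == "__main__":
    for ki, bst in ((ISSUER_SERIAL, ""), (DIRECT_REF, BST)):
        print(check_initiator_token(sample_request(ki, bst), INCLUDE + "AlwaysToRecipient"))
```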