It's a bug that has only recently been fixed: https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=eb9ea1e1c049299221f080184a346d0ae5f8aef7
You will have to upgrade to one of the latest (CXF) releases to pick it up. Colm. On Wed, Feb 26, 2014 at 2:53 PM, pvivacqua <[email protected]> wrote: > *Hi, > > I am currently trying to implement WS-SecurityPolicy on a web service that > uses WS-Security (Jboss 7.1.1 + jbossws-cxf-4.1.1.Final). I am trying to > make CXF enforce tree policies: UsernameToken with Mutual X.509v3 > Authentication, Sign and Encrypt as follows:* > > <wsp:Policy > xmlns:wsu=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > " > xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"; > xmlns:wsp="http://www.w3.org/ns/ws-policy"; > xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"; > xmlns:tcp="http://java.sun.com/xml/ns/wsit/2006/09/policy/soaptcp/service"; > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"; > xmlns:sc="http://schemas.sun.com/2006/03/wss/server"; > xmlns:fi=" > http://java.sun.com/xml/ns/wsit/2006/09/policy/fastinfoset/service"; > wsu:Id="GidWsNDSOiVendeBindingPolicy"> > <wsp:ExactlyOne> > <wsp:All> > <sp:AsymmetricBinding> > <wsp:Policy> > <sp:InitiatorToken> > <wsp:Policy> > <sp:X509Token > sp:IncludeToken=" > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient > "> > > <wsp:Policy> > > <sp:WssX509V3Token11/> > > </wsp:Policy> > </sp:X509Token> > </wsp:Policy> > </sp:InitiatorToken> > <sp:RecipientToken> > <wsp:Policy> > <sp:X509Token > sp:IncludeToken=" > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never > "> > > <wsp:Policy> > > <sp:WssX509V3Token10/> > > <sp:RequireIssuerSerialReference/> > > </wsp:Policy> > </sp:X509Token> > </wsp:Policy> > </sp:RecipientToken> > <sp:Layout> > <wsp:Policy> > <sp:Strict/> > </wsp:Policy> > </sp:Layout> > <sp:EncryptBeforeSigning/> > <sp:AlgorithmSuite> > <wsp:Policy> > <sp:Basic128Rsa15/> > </wsp:Policy> > </sp:AlgorithmSuite> > </wsp:Policy> > </sp:AsymmetricBinding> > <sp:Wss10> > <wsp:Policy> > <sp:MustSupportRefIssuerSerial/> > </wsp:Policy> > </sp:Wss10> > </wsp:All> > </wsp:ExactlyOne> > </wsp:Policy> > > > *All the policies work fine, except for the X509Token Assertion that > generates the following exception.* > > 10:59:56,636 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] > (http-localhost-127.0.0.1-8080-1) Interceptor for > { > http://gid.ws.nds.oiVende/}GidWsNDSOiVende#{http://gid.ws.nds.OiVende/}teste > has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: > These > policy alternatives can not be satisfied: > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The > received token does not match the token inclusion requirement > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token > at > > org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47) > [cxf-rt-ws-policy.jar:2.6.4] > at > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262) > [cxf-api.jar:2.6.4] > at > > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > [cxf-api.jar:2.6.4] > at > > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236) > [cxf-rt-transports-http.jar:2.6.4] > at > > org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:95) > [jbossws-cxf-server.jar:4.1.1.Final] > at > > org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:156) > [jbossws-cxf-server.jar:4.1.1.Final] > at > org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87) > [jbossws-cxf-server.jar:4.1.1.Final] > at > > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:225) > [cxf-rt-transports-http.jar:2.6.4] > at > > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:145) > [cxf-rt-transports-http.jar:2.6.4] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) > [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final] > at > org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135) > [jbossws-cxf-server.jar:4.1.1.Final] > at > org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) > [jbossws-spi.jar:2.1.1.Final] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final] > at > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) > [jbossweb-7.0.13.Final.jar:] > at > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) > [jbossweb-7.0.13.Final.jar:] > at > > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) > [jbossweb-7.0.13.Final.jar:] > at > > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) > [jbossweb-7.0.13.Final.jar:] > at > > org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) > [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final] > at > > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) > [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] > at > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) > [jbossweb-7.0.13.Final.jar:] > at > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > [jbossweb-7.0.13.Final.jar:] > at > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) > [jbossweb-7.0.13.Final.jar:] > at > > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) > [jbossweb-7.0.13.Final.jar:] > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) > [jbossweb-7.0.13.Final.jar:] > at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21] > Caused by: org.apache.cxf.ws.policy.PolicyException: These policy > alternatives can not be satisfied: > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The > received token does not match the token inclusion requirement > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token > at > > org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167) > [cxf-rt-ws-policy.jar:2.6.4] > at > > org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101) > [cxf-rt-ws-policy.jar:2.6.4] > at > > org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45) > [cxf-rt-ws-policy.jar:2.6.4] > ... 26 more > > *The request that generated the exception:* > > <soapenv:Envelope xmlns:gid="http://gid.ws.nds.OiVende/"; > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";> > <soapenv:Header> > <wsse:Security > xmlns:wsse=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd > " > xmlns:wsu=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > "> > <wsse:UsernameToken wsu:Id="UsernameToken-16"> > > > <wsse:Username>AI1qTwNjGnsE99RHFhQ6QFbao7u/fw179mU5oTwGyP6LOOMcffLGZHnlUWD62o3onuGNGbFltkAA > > LYVQmowJ2tfL2MdorywfON3uYdQksb0tROGj1q+dtfOEdOO0/nRB4KIPaI9iUQuLlTZTXZZLRCyL > tfuPdNkM8ZQ/IgX8v+k=</wsse:Username> > <wsse:Password > Type=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText > ">GileUp2HMHBkZ3PvHk9PZFbbmOXKrDoGL/vEUVhXgBuJ5Z9U236w0J55xU645eH4RsltG3T4XmNQ > > e1ypi0NUbVzk2De4elkAKBF3s9bQE1rmONLoUYXQRuYDjNBbzajR2okXS80oKi7w0QOLibTFfQeO > R04KmBo75ykchSqNwKM=</wsse:Password> > <wsse:Nonce > EncodingType=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary > ">ngNCqeakderQcMpmxf4DvA==</wsse:Nonce> > > <wsu:Created>2014-02-26T13:59:52.827Z</wsu:Created> > </wsse:UsernameToken> > <ds:Signature Id="SIG-15" xmlns:ds=" > http://www.w3.org/2000/09/xmldsig#";> > <ds:SignedInfo> > <ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> > <ec:InclusiveNamespaces > PrefixList="gid soapenv" > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> > </ds:CanonicalizationMethod> > <ds:SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> > <ds:Reference URI="#id-14"> > <ds:Transforms> > <ds:Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> > > <ec:InclusiveNamespaces PrefixList="gid" > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> > </ds:Transform> > </ds:Transforms> > <ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > <ds:DigestValue>OQqnS4HijCjWqZud07QwEnBv1ho=</ds:DigestValue> > </ds:Reference> > </ds:SignedInfo> > > > <ds:SignatureValue>QW99DAhwIr/xgHnToRtPBVi87LtlUov6k/6kxGpGzqNpK4N5aI2FclAYX9AsU6Rt1mD4rvW7acvW > > VttWeQ73bLRtaBm9i2Kcb4/qKISWCpkbomRZO9t3G107hy57WP7SsO1m+uILMD3HqPnYX9clV4Ch > > kPHxpywKNdtJHd3TMBUgPHPWtHIcArm5buDfq4ptLTexq+YDcDpCbVB328S+oQpi8wZNSP9JX556 > > zHjNpDekI+S2dIDxSi/7a7PjNDO8d4ajg7yInznVx3AZm8AU6WHevdcFvIj8hFcKf+7eWNzS/Uos > FBr6+xuHX1C6dr/5FVgsCL2Ubr/vwPg8LdneJQ==</ds:SignatureValue> > <ds:KeyInfo > Id="KI-6F2BD13BBF5C75E94C139342319278815"> > <wsse:SecurityTokenReference > wsu:Id="STR-6F2BD13BBF5C75E94C139342319278816"> > <ds:X509Data> > > <ds:X509IssuerSerial> > > <ds:X509IssuerName>CN=gid.ws,OU=OI,O=TNL PCS S/A,L=Rio de > Janeiro,ST=Rio de Janeiro,C=BR</ds:X509IssuerName> > > <ds:X509SerialNumber>186004993</ds:X509SerialNumber> > > </ds:X509IssuerSerial> > </ds:X509Data> > </wsse:SecurityTokenReference> > </ds:KeyInfo> > </ds:Signature> > <xenc:EncryptedKey > Id="EK-6F2BD13BBF5C75E94C139342319278513" > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";> > <xenc:EncryptionMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> > <ds:KeyInfo xmlns:ds=" > http://www.w3.org/2000/09/xmldsig#";> > <wsse:SecurityTokenReference> > <ds:X509Data> > > <ds:X509IssuerSerial> > > <ds:X509IssuerName>CN=gid.ws,OU=OI,O=TNL PCS S/A,L=Rio de > Janeiro,ST=Rio de Janeiro,C=BR</ds:X509IssuerName> > > <ds:X509SerialNumber>2048318029</ds:X509SerialNumber> > > </ds:X509IssuerSerial> > </ds:X509Data> > </wsse:SecurityTokenReference> > </ds:KeyInfo> > <xenc:CipherData> > > > <xenc:CipherValue>dt7uxlbVMrE2NW7gKB22hl8SaxAY0003BaIJFrs1wCfHhCtg0AhZxGL6Qw0r1lUXPYLMuMjjKddoUbZzsyH8oZYy8umVOokfZyAsukBT4+58MjHrtfhP95f57PB/5P9KDwAYuU/34UhFJfe2PMAAaTn2Wnuk1a0PqvPIHKm7oHWb6qekaKWssGWGvPhFAFg1ea5ao3S9e9OsyXzPxjlHE/bT/aA3dKO4usnkxb+HRweYZQ2E9OK25J5kdBg+fs6195zQI2hCr5X/+cNCm6VvE7RvfPkU0VrwFXSBp0opzg8dpb1ZH17WtV09nyjIsGlMypNvDYIWJYwvKZ2B4ISQkw==</xenc:CipherValue> > </xenc:CipherData> > <xenc:ReferenceList> > <xenc:DataReference URI="#ED-13"/> > </xenc:ReferenceList> > </xenc:EncryptedKey> > </wsse:Security> > </soapenv:Header> > <soapenv:Body wsu:Id="id-14" > xmlns:wsu=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > "> > <xenc:EncryptedData Id="ED-13" > Type="http://www.w3.org/2001/04/xmlenc#Content"; > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";> > <xenc:EncryptionMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> > <ds:KeyInfo xmlns:ds=" > http://www.w3.org/2000/09/xmldsig#";> > <wsse:SecurityTokenReference > wsse11:TokenType=" > http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey > " > xmlns:wsse=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd > " > xmlns:wsse11=" > http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";> > <wsse:Reference > URI="#EK-6F2BD13BBF5C75E94C139342319278513"/> > </wsse:SecurityTokenReference> > </ds:KeyInfo> > <xenc:CipherData> > > > <xenc:CipherValue>p10d5TaRMy1vspa7TjBYZXrd2ZnTIPa6e5+OWHHKO2FZDt/Gst1skyPw/WdA2qzLXtqYm9EXvlwpkcgOp6NrDKsxVgm3uymRsTtvQZ8xeb3OgaZAuW9Cu5ADCStu5N3ykOb/BLfkSFbtnOZSqNrfYEyrFgLBNOFbiY3pTPRP7jqqWaHZjlKJoPtsizt2VB2rbZxiIubbfEgAz1HITyTWa0umhMD0pFK3HewWfIyMNvPSLTHUHPH433u9pPkAROP1b+V1sYbVJpm2ED3L0lujiUujB1S/vV89hAMAHjAVq8qzLZCwOfI64IaNwxzkbZdNmf+UybPtv0+YCy9nKlUalk8lZltHMEi96xTfTHDJMTHhUFE11fS3pqcX3j3tgPJHPPkYz95ZO7Sdn/wQeJXjFL2BHs0tuHPQwY/We5IgSLWqZpCgMHaFOXj1t6XMxGy/n0Y7Y06svaXGevGejJzBixX+8Ab9lLFMqx3WdToeF3onzNCn+gYD8P7UVtV3medF7GWe0Bb/JJSq7bsO6xzDpDl0lntm3gWO3S/ChxidRtRj+rN6ZQ7rBBUXKaEO0Ce9pDnsSxeVMYxJGNwyCeL3d4NOTqG/YtmecN58sOnpsC2WXCz26YqKiWQLKkH0bBSXVGMzi6Fsk7TgSw9VcobiFTffa+tcvSEWeFE/k+YrlL+EhCgw/ez31kbTglsXn4R5UTB4exBNjX7iW/f7iQzgentAIRTOLor6AezHD1GBGB5KVJuIL/gbrsguOlLQ0nqDM31AUj6t1pz4ygCTczNk16yZ4DMEX6dcXQzexprtRbQbqxnWVtcdx4on8isUUQWJ5dKzuRfx5CJ+nYnHRPKhKv4R3oqIvm3bAIMm6kd2tFY8wniN+tkao7XXkuwxdZbD8ZLMyjFNx97c41DPdXq/B9nwkaCKRBUW05waZ3u8bFAIciC35soYzijbeCEY+31pEUkNE1HbGYyrCWrh1PRRb7YaBAHJojq3hHqjkdEbFYgHdEj3xmyHinbted0LWYeF2+0mLt3Lu3rGK9hxY0nE/SW72zl5+qKq0qdzZChivXWehlxMan+IweY1t91DL7q+dImrAoWS03AWsZasXIWmfRJDYBn8+rMJOEQndjd6nlzuZHFFek3Rc4Jx/UYMFzMD3l0qxPoYfMkBxtg7/VKyDA==</xenc:CipherValue> > </xenc:CipherData> > </xenc:EncryptedData> > </soapenv:Body> > </soapenv:Envelope> > > *The jbossws-cxf.xml jaxws configuration:* > > <jaxws:properties> > <entry key="ws-security.callback-handler" > value="br.com.gid.ws.interfaces.callback.PasswordCallback"/> > <entry key="ws-security.encryption.properties" > value="resources/GidWsNDS_Server_Decrypt.properties"/> > <entry key="ws-security.signature.properties" > value="resources/GidWsNDS_Server_Decrypt.properties"/> > <entry key="ws-security.encryption.username" > value="useReqSigCert"/> > <entry key="ws-security.validate.token" value="false"/> > </jaxws:properties> > > > *Thanks in advance.* > > > > -- > View this message in context: > http://cxf.547215.n5.nabble.com/Why-is-my-X509Token-policy-not-being-satisfied-Is-this-a-bug-tp5740526.html > Sent from the cxf-user mailing list archive at Nabble.com. > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
