Hi, CXF folks,

I think I need to get a web service client working with a service whose WSDL uses WS-SecurityPolicy 1.0 definitions. What's a good way to do this with the current CXF release?

I'd also like to update the CXF WS-SecurityPolicy doco page (at http://cxf.apache.org/docs/ws-securitypolicy.html) to indicate which WSSP versions are supported. Having that info up front would have saved me some time and frustration. Any objections?


Here's the background.

This is the service's WSDL: https://misapi.ercot.com/2007-08/Nodal/eEDS/EWS/?WSDL

It has policy bits like this.

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:SecurityHeader MustManifestEncryption="true" MustPrepend="true" xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext"/>
</wsp:Policy>
<wsp:Policy wsu:Id="SecurityTokens" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SecurityToken xmlns:_ns1="http://www.actional.com" xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>_ns1:SSLClientCertificate</sp:TokenType>
      </sp:SecurityToken>
    </wsp:All>
    <wsp:All>
      <sp:SecurityToken xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
    </wsp:All>
    <wsp:All>
      <sp:SecurityToken xmlns:_ns1="http://www.actional.com" xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>_ns1:SSLClientCertificate</sp:TokenType>
      </sp:SecurityToken>
      <sp:SecurityToken xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="SignedBody" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <sp:Integrity xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <sp:TokenInfo>
      <sp:SecurityToken>
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
    </sp:TokenInfo>
    <sp:MessageParts>wsp:GetBody(.)</sp:MessageParts>
  </sp:Integrity>
</wsp:Policy>
...
<wsp:Policy wsu:Id="MarketInfo_input_policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:PolicyReference URI="#SecurityTokens"/>
  <wsp:PolicyReference URI="#SignedBody"/>
</wsp:Policy>


And when I try to run a simple CXF client built with wsdl2java using JAXB bindings, I get this error.


Apr 11, 2014 1:23:13 PM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
INFO: Creating Service {http://www.ercot.com/wsdl/2007-06/nodal/ewsConcrete}NodalService from WSDL: file:/C:/Users/janke/Dropbox/freelancing/EON/ERCOT-awards/project/ercot-mis-client-cxf/ErcotMisClient/build/classes/egcna/ercotmis/wsdisc/resources/WSDL/eEDS_EWS-PROD-20140320-edited.wsdl
Apr 11, 2014 1:23:14 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type {http://schemas.xmlsoap.org/ws/2002/12/secext}SecurityToken registered.
Apr 11, 2014 1:23:14 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type {http://schemas.xmlsoap.org/ws/2002/12/secext}Integrity registered.
Apr 11, 2014 1:23:14 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://www.ercot.com/wsdl/2007-06/nodal/ewsConcrete}NodalService#{http://www.ercot.com/wsdl/2007-06/nodal/ewsConcrete}MarketInfo has thrown exception, unwinding now
org.apache.cxf.ws.policy.PolicyException: None of the policy alternatives can be satisfied.
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.chooseAlternative(EffectivePolicyImpl.java:192)
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.chooseAlternative(EffectivePolicyImpl.java:185)
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.initialise(EffectivePolicyImpl.java:92)
    at org.apache.cxf.ws.policy.PolicyEngineImpl.getEffectiveClientRequestPolicy(PolicyEngineImpl.java:200)
    at org.apache.cxf.ws.policy.PolicyOutInterceptor.handle(PolicyOutInterceptor.java:98)
    at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
    at com.sun.proxy.$Proxy32.marketInfo(Unknown Source)
    at egcna.ercotmis.wsdisc.MarketInfoTestClient.pingServiceStatus(MarketInfoTestClient.java:76)
    at egcna.ercotmis.wsdisc.MarketInfoTestClient.main(MarketInfoTestClient.java:49)

Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: None of the policy alternatives can be satisfied.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:157)
    at com.sun.proxy.$Proxy32.marketInfo(Unknown Source)
    at egcna.ercotmis.wsdisc.MarketInfoTestClient.pingServiceStatus(MarketInfoTestClient.java:76)
    at egcna.ercotmis.wsdisc.MarketInfoTestClient.main(MarketInfoTestClient.java:49)
Caused by: org.apache.cxf.ws.policy.PolicyException: None of the policy alternatives can be satisfied.
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.chooseAlternative(EffectivePolicyImpl.java:192)
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.chooseAlternative(EffectivePolicyImpl.java:185)
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.initialise(EffectivePolicyImpl.java:92)
    at org.apache.cxf.ws.policy.PolicyEngineImpl.getEffectiveClientRequestPolicy(PolicyEngineImpl.java:200)
    at org.apache.cxf.ws.policy.PolicyOutInterceptor.handle(PolicyOutInterceptor.java:98)
    at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
    ... 3 more
Java Result: 1


My diagnosis of that is that http://schemas.xmlsoap.org/ws/2002/12/secext is the namespace for WS-SecurityPolicy 1.0, and those identifiers are lacking "registered handlers" because CXF doesn't support WSSP v 1.0, based on some earlier mailing list traffic. (Correct me if I'm wrong.)

I read through the Jan '13 thread where Bob Ross was trying to do this with a similar web service. (http://cxf.547215.n5.nabble.com/Best-CXF-client-approach-for-remote-WSDL-using-wsp-Policy-td5721874.html) Is this still good advice? Basically, write a custom WSS4JOutInterceptor?

Anybody know enough about WS-SecurityPolicy to know if I could just rewrite the WSDL to use WS-SecurityPolicy 1.1 terms and get the behavior the server is expecting, rather than writing custom Java code?

Thanks for taking the time to read this.

Cheers,
Andrew
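
A pre-flight check for the condition the post describes, as an added example that is not part of the original message and is not CXF code: it lists every policy assertion in a WSDL together with its namespace, so assertions outside the WS-SecurityPolicy namespaces show up before the client fails at runtime. The `KNOWN_SP_NS` table (the WS-SecurityPolicy 1.1 and 1.2 namespace URIs) is an assumption about which namespaces a policy engine has builders for, and the second sample policy is constructed for contrast.

```python
import xml.etree.ElementTree as ET  # for untrusted WSDLs, parse with defusedxml instead

WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # WS-Policy namespace used in the post
WSU_ID = ("{http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd}Id")
# Assumption: namespaces for which the policy engine is expected to have assertion builders.
KNOWN_SP_NS = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy": "WS-SecurityPolicy 1.1",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702": "WS-SecurityPolicy 1.2",
}

# Constructed sample: the SignedBody policy from the post (shortened) plus a made-up 1.1 policy.
SAMPLE = """<root xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="SignedBody">
    <sp:Integrity xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <sp:MessageParts>wsp:GetBody(.)</sp:MessageParts>
    </sp:Integrity>
  </wsp:Policy>
  <wsp:Policy wsu:Id="Constructed11">
    <wsp:ExactlyOne><wsp:All>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"><sp:Body/></sp:SignedParts>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
</root>"""

def split_qname(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def assertions(node):
    """Yield the assertions of a policy, walking through WS-Policy operators (ExactlyOne, All)."""
    for child in node:
        if split_qname(child.tag)[0] == WSP_NS:
            yield from assertions(child)
        else:
            yield child  # first element outside the WS-Policy namespace is an assertion

def audit(xml_text):
    """Return (policy id, assertion name, namespace, recognised version or None) rows."""
    rows = []
    for policy in ET.fromstring(xml_text).iter(f"{{{WSP_NS}}}Policy"):
        for a in assertions(policy):
            ns, local = split_qname(a.tag)
            rows.append((policy.get(WSU_ID), local, ns, KNOWN_SP_NS.get(ns)))
    return rows

def unrecognised_namespaces(xml_text):
    """Namespaces of assertions that would need a custom builder or a hand-configured interceptor."""
    return sorted({ns for _, _, ns, version in audit(xml_text) if version is None})
```

Running `unrecognised_namespaces()` over the full WSDL text gives the list of assertion namespaces to resolve before the generated client can select a policy alternative.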
