Hello,
I'm working on WS-Security based authentication with an X509 certificate
for a JAXWS service. I'm looking for help/confirmation on what a valid
Policy would look like in the WSDL. Most X509 policy examples include
signing/encryption, which I do not need (based solely on my requirements).
Below is the policy I have come up with. If you see any errors or can offer
any thoughts on its correctness, I'd appreciate it.
<wsp:Policy wsu:Id="MyBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens>
        <wsp:Policy>
          <!-- IncludeToken URI taken from the 200702 namespace that sp: is bound to,
               not from the older 2005/07 securitypolicy namespace -->
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy/>
          </sp:X509Token>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
I wouldn't be here if I could get authentication working on my service with
this policy. When I invoke the service, I end up with the stack trace you
can see at the bottom of this email. Through working with a few example
projects from github, I know that an issue with the Policy can result in
this exception.
Here are some additional details. If there's any more information you'd
like to see, please let me know. Thanks in advance!
CXF Version 2.7.16
Relevant Namespaces Used:
1. xmlns:wsp="http://www.w3.org/ns/ws-policy"
2. xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
3. xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
4. xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
JAXWS Endpoint Properties:
The only property I'm setting is "ws-security.bst.validator". I believe the
defaults for other properties are acceptable to me.
WS-Security Header from a request I'm sending:
<soap:Header>
  <wsse:Security
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      soap:mustUnderstand="1">
    <wsse:BinarySecurityToken
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        wsu:Id="SecurityToken-f6f96b4b-23c5-421e-92ff-f1050d531e82">MIIBoTCCAQqgA[...]vONEqd9wa4XuA==</wsse:BinarySecurityToken>
  </wsse:Security>
</soap:Header>
Stack Trace:
08:25:38,153 INFO [stdout] (http-/127.0.0.1:8080-1)
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied:
08:25:38,154 INFO [stdout] (http-/127.0.0.1:8080-1) {
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
08:25:38,155 INFO [stdout] (http-/127.0.0.1:8080-1) {
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
08:25:38,156 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
~[cxf-rt-ws-policy-2.7.16.jar:2.7.16]
08:25:38,157 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
~[cxf-rt-ws-policy-2.7.16.jar:2.7.16]
08:25:38,157 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
~[cxf-rt-ws-policy-2.7.16.jar:2.7.16]
08:25:38,158 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
[cxf-api-2.7.16.jar:2.7.16]
08:25:38,160 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
[cxf-api-2.7.16.jar:2.7.16]
08:25:38,160 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
[cxf-rt-transports-http-2.7.16.jar:2.7.16]
08:25:38,161 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
[cxf-rt-transports-http-2.7.16.jar:2.7.16]
08:25:38,162 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
[cxf-rt-transports-http-2.7.16.jar:2.7.16]
08:25:38,163 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
[cxf-rt-transports-http-2.7.16.jar:2.7.16]
08:25:38,164 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
[cxf-rt-transports-http-2.7.16.jar:2.7.16]
08:25:38,164 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
[cxf-rt-transports-http-2.7.16.jar:2.7.16]
08:25:38,168 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
[cxf-rt-transports-http-2.7.16.jar:2.7.16]
08:25:38,169 INFO [stdout] (http-/127.0.0.1:8080-1) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar!/:1.0.2.Final-redhat-1]
08:25:38,171 INFO [stdout] (http-/127.0.0.1:8080-1) at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
[cxf-rt-transports-http-2.7.16.jar:2.7.16]
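A small static check of the kind worth running over a policy and a captured Security header before debugging the interceptor chain. This is example code added for this thread, not CXF code and not the poster's; it uses only the namespace URIs quoted in the email plus the standard library, and the certificate bytes in the sample header are a constructed placeholder, not an X.509 certificate. The policy check flags an sp:IncludeToken URI taken from the 2005/07 WS-SecurityPolicy namespace while the sp: prefix is bound to the 200702 namespace (WS-SecurityPolicy 1.2 defines its IncludeToken URIs under its own 200702 namespace); the header check confirms the BinarySecurityToken carries the X509v3 ValueType, the Base64Binary EncodingType, a wsu:Id, and base64 that decodes to a DER SEQUENCE.

```python
"""Sanity checks for an sp:X509Token policy assertion and a wsse:Security
header.  Added example; not CXF project code.  Runs offline on constructed
sample XML; FAKE_DER is a placeholder, not a real certificate."""
import base64
import binascii
import xml.etree.ElementTree as ET

WSP_NS = "http://www.w3.org/ns/ws-policy"
SP12_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
SP11_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
X509V3_VALUE_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                     "oasis-200401-wss-x509-token-profile-1.0#X509v3")
BASE64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def check_policy(policy_xml):
    """Return problems found in the sp:X509Token assertions of a policy.
    The sp:IncludeToken URI must come from the same WS-SecurityPolicy
    namespace that the X509Token element's own sp: prefix is bound to."""
    findings = []
    root = ET.fromstring(policy_xml)
    seen = 0
    for sp_ns in (SP12_NS, SP11_NS):
        for tok in root.iter("{%s}X509Token" % sp_ns):
            seen += 1
            # Attribute-value normalisation turns the newlines of a wrapped
            # attribute into spaces, so strip() recovers the bare URI.
            inc = (tok.get("{%s}IncludeToken" % sp_ns) or "").strip()
            if not inc:
                findings.append("X509Token has no sp:IncludeToken attribute")
            elif not inc.startswith(sp_ns + "/IncludeToken/"):
                findings.append("IncludeToken %r is not from the %s namespace "
                                "that sp: is bound to" % (inc, sp_ns))
    if seen == 0:
        findings.append("no sp:X509Token assertion found")
    return findings


def check_security_header(header_xml):
    """Return problems found in the X509v3 BinarySecurityToken(s) of a
    wsse:Security header (attributes, wsu:Id, base64, DER framing)."""
    findings = []
    root = ET.fromstring(header_xml)
    x509_tokens = 0
    for sec in root.iter("{%s}Security" % WSSE_NS):
        for bst in sec.iter("{%s}BinarySecurityToken" % WSSE_NS):
            if bst.get("ValueType", "").strip() != X509V3_VALUE_TYPE:
                findings.append("BinarySecurityToken ValueType is not X509v3")
                continue
            x509_tokens += 1
            if bst.get("EncodingType", "").strip() != BASE64_ENCODING:
                findings.append("X509v3 token EncodingType is not Base64Binary")
            if not bst.get("{%s}Id" % WSU_NS):
                findings.append("X509v3 token has no wsu:Id")
            raw = "".join((bst.text or "").split())   # drop line wrapping
            try:
                der = base64.b64decode(raw, validate=True)
            except binascii.Error:
                findings.append("X509v3 token is not valid base64")
                continue
            if not der or der[0] != 0x30:               # DER SEQUENCE tag
                findings.append("X509v3 token does not start with a DER SEQUENCE")
    if x509_tokens == 0:
        findings.append("no X509v3 BinarySecurityToken in the Security header")
    return findings


def build_policy(include_ns):
    """Constructed policy shaped like the one in the post, with sp: bound to
    200702 and the IncludeToken URI taken from include_ns."""
    return (
        '<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s" xmlns:wsu="%s" '
        'wsu:Id="MyBindingPolicy"><wsp:ExactlyOne><wsp:All>'
        '<sp:SupportingTokens><wsp:Policy>'
        '<sp:X509Token sp:IncludeToken="%s/IncludeToken/AlwaysToRecipient">'
        '<wsp:Policy/></sp:X509Token></wsp:Policy></sp:SupportingTokens>'
        '</wsp:All></wsp:ExactlyOne></wsp:Policy>'
        % (WSP_NS, SP12_NS, WSU_NS, include_ns))


MISMATCHED_POLICY = build_policy(SP11_NS)   # 2005/07 URI under a 200702 sp: prefix
CONSISTENT_POLICY = build_policy(SP12_NS)

FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])   # placeholder SEQUENCE{INTEGER 1}
SAMPLE_HEADER = (
    '<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" soap:mustUnderstand="1">'
    '<wsse:BinarySecurityToken EncodingType="%s" ValueType="%s" '
    'wsu:Id="SecurityToken-constructed-0001">\n%s\n</wsse:BinarySecurityToken>'
    '</wsse:Security></soap:Header>'
    % (WSSE_NS, WSU_NS, BASE64_ENCODING, X509V3_VALUE_TYPE,
       base64.b64encode(FAKE_DER).decode("ascii")))
BAD_HEADER = SAMPLE_HEADER.replace("#X509v3", "#X509PKIPathv1")

if __name__ == "__main__":
    print("mismatched policy:", check_policy(MISMATCHED_POLICY) or "OK")
    print("consistent policy:", check_policy(CONSISTENT_POLICY) or "OK")
    print("sample header:", check_security_header(SAMPLE_HEADER) or "OK")
    print("bad header:", check_security_header(BAD_HEADER) or "OK")
```

Run it as a script to see the four results, or point check_policy at the policy element pulled out of the WSDL and check_security_header at a logged request. Neither function proves the policy will be satisfied at runtime; they only catch the namespace and token-encoding mistakes that are cheap to rule out before reading interceptor logs.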