I am attaching them at the port level i.e.:

    <service name="Service">
      <port name="ServiceInterfacePort" binding="pdef:ServiceInterfaceSecureSOAPBinding">
        <wsp:PolicyReference URI="#SecurityServiceSignPolicy" />
        <soap:address location="https://www.example.org/" />
      </port>
    </service>

The problem is that the referenced binding is defined in a wsdl that I do not own (so I can't really attach the policy to the input, output and fault elements). Does this mean that the behaviour is normal when attaching the policy at the service element?

Thank you for the feedback!

Alex

On Tue, Dec 1, 2015 at 4:22 PM, Colm O hEigeartaigh <[email protected]> wrote:

> Are you attaching security policies to the wsdl:fault part of your security
> binding? If policies are only attached to the wsdl:input/output, then the
> SOAP Faults won't be secured. Here is an example:
>
> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/fault/DoubleItFault.wsdl;h=2e388f57657c88339659e1555e5cf5c439a691ce;hb=HEAD
>
> Colm.
>
> On Fri, Nov 27, 2015 at 8:12 AM, Alexandros Trifyllis <[email protected]> wrote:
>
> > Further into debugging, I notice that in class AbstractPolicyInterceptor
> > line 69 (version 2.7.13):
> >
> > if (faultClass != null && faultClass.isAssignableFrom(cause.getClass())) {
> >
> > the "faultClass" can never be "assignableFrom" the "cause".
> >
> > The "faultClass" is a custom class of mine which extends Exception. The
> > "cause" in the case of schema validation
> > is javax.xml.bind.UnmarshalException which also extends Exception.
> >
> > In that case, one is not assignable from the other.
> >
> > This failed check results in the framework not adding crucial interceptors
> > in the chain, like PolicyBasedWSS4JOutInterceptor etc.
> >
> > On Thu, Nov 26, 2015 at 2:59 PM, Alexandros Trifyllis <[email protected]> wrote:
> >
> > > I have a wsdl with security policy for signing messages. In my endpoint I
> > > have the annotation @SchemaValidation. When a validation throws a SoapFault
> > > the message (with the SoapFault) is not signed. Running CXF in debug mode I
> > > see that the interceptor chain used is different compared to the chain when
> > > no fault occurs. This is normal but what does not seem normal is that the
> > > fault chain does not contain interceptors
> > > like: PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor which are
> > > required for the message to be signed. Here is the chain when no fault
> > > occurs:
> > >
> > > 14:14:56,310 FINE [org.apache.cxf.phase.PhaseInterceptorChain] (default task-4) Chain org.apache.cxf.phase.PhaseInterceptorChain@5a2ad9f8 was modified. Current flow:
> > > setup [ServerPolicyOutFaultInterceptor]
> > > pre-logical [MAPAggregatorImpl, SoapHeaderOutFilterInterceptor, SecurityVerificationOutInterceptor]
> > > prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor, Soap12FaultOutInterceptor]
> > > pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor, StaxOutInterceptor]
> > > pre-protocol [WebFaultOutInterceptor, MAPCodec, PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor]
> > > write [SoapOutInterceptor]
> > > marshal [Soap12FaultOutInterceptorInternal]
> > > post-protocol [PolicyBasedWSS4JOutInterceptorInternal]
> > > write-ending [SoapOutEndingInterceptor]
> > > pre-protocol-ending [SAAJOutEndingInterceptor]
> > > pre-stream-ending [StaxOutEndingInterceptor]
> > > prepare-send-ending [MessageSenderEndingInterceptor]
> > >
> > > and when fault occurs:
> > >
> > > 12:55:34,500 FINE [org.apache.cxf.phase.PhaseInterceptorChain] (default task-3) Chain org.apache.cxf.phase.PhaseInterceptorChain@30f5696 was created. Current flow:
> > > setup [ServerPolicyOutFaultInterceptor]
> > > pre-logical [SoapHeaderOutFilterInterceptor]
> > > prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor, Soap12FaultOutInterceptor]
> > > pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor, StaxOutInterceptor]
> > > pre-protocol [WebFaultOutInterceptor]
> > > write [SoapOutInterceptor]
> > >
> > > Am I missing some configuration?
> > >
> > > Thank you in advance
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
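
The condition Colm describes in the quoted reply (policies attached to wsdl:input/wsdl:output but not to wsdl:fault) can be checked mechanically over a WSDL's bindings. The Python below is an added example, not part of the original thread or of CXF; the sample WSDL is constructed, its operation and fault names are hypothetical, and the binding and policy names are reused from the message above.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
# WS-Policy 1.2 and 1.5 namespaces; either may appear in a WSDL.
WSP_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy",
          "http://www.w3.org/ns/ws-policy")
POLICY_TAGS = {f"{{{ns}}}{name}" for ns in WSP_NS
               for name in ("PolicyReference", "Policy")}

# Constructed sample: "Submit", "Query" and the fault names are hypothetical.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy">
  <wsdl:binding name="ServiceInterfaceSecureSOAPBinding">
    <wsdl:operation name="Submit">
      <wsdl:input><wsp:PolicyReference URI="#SecurityServiceSignPolicy"/></wsdl:input>
      <wsdl:output><wsp:PolicyReference URI="#SecurityServiceSignPolicy"/></wsdl:output>
      <wsdl:fault name="ValidationFault"/>
    </wsdl:operation>
    <wsdl:operation name="Query">
      <wsdl:input><wsp:PolicyReference URI="#SecurityServiceSignPolicy"/></wsdl:input>
      <wsdl:fault name="QueryFault">
        <wsp:PolicyReference URI="#SecurityServiceSignPolicy"/>
      </wsdl:fault>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""

def has_policy(elem):
    """True if elem has a direct wsp:PolicyReference or inline wsp:Policy child."""
    return any(child.tag in POLICY_TAGS for child in elem)

def unsecured_faults(wsdl_text):
    """Return (binding, operation, fault) triples where the operation's input or
    output carries a policy but the wsdl:fault element carries none."""
    findings = []
    for binding in ET.fromstring(wsdl_text).iter(f"{{{WSDL_NS}}}binding"):
        for op in binding.findall(f"{{{WSDL_NS}}}operation"):
            msgs = [m for tag in ("input", "output")
                    for m in op.findall(f"{{{WSDL_NS}}}{tag}")]
            if not any(has_policy(m) for m in msgs):
                continue  # no message-level policy here, nothing to compare against
            for fault in op.findall(f"{{{WSDL_NS}}}fault"):
                if not has_policy(fault):
                    findings.append((binding.get("name"), op.get("name"), fault.get("name")))
    return findings

if __name__ == "__main__":
    for binding, op, fault in unsecured_faults(SAMPLE_WSDL):
        print(f"{binding}/{op}: fault '{fault}' has no policy attached")
```

The check only inspects policies attached directly to binding-level message elements; it reports nothing for a WSDL where the policy is attached solely at the port, as in the message above.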
