Short version of the question;
Should I be able to write a WSDL with a UsernameToken that contains no
policy tag? The specification says it should be allowed, but I get an
exception from CXF: "sp:UsernameToken must have an inner wsp:Policy element"
Background:
I'm writing a client to connect to a SOAP webservice using a WSDL first
approach. For implementation I am using Apache CXF version 3.1.4
When testing I get the following exception:
/12:35:15.492 [main] WARN o.a.c.w.p.a.w.Wsdl11AttachmentPolicyProvider -
Failed to build the policy 'UsernameToken':sp:UsernameToken must have an
inner wsp:Policy element
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException:
sp:UsernameToken must have an inner wsp:Policy element
at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
...
Caused by: java.lang.IllegalArgumentException: sp:UsernameToken must have an
inner wsp:Policy element
at
org.apache.wss4j.policy.builders.UsernameTokenBuilder.build(UsernameTokenBuilder.java:52)
at
org.apache.wss4j.policy.builders.UsernameTokenBuilder.build(UsernameTokenBuilder.java:34)
at
org.apache.neethi.AssertionBuilderFactoryImpl.invokeBuilder(AssertionBuilderFactoryImpl.java:138)
/
The relevant part of the WSDL file looks like this:
/<wsp:Policy wsu:Id="UsernameToken">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
/
The error message indicates that CXF expects a policy tag under
UsernameToken. And indeed, while researching I came across a comment from
CXF bug tracker
<https://issues.apache.org/jira/browse/CXF-5132?focusedCommentId=13709887&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13709887>
:
------------
/Yes... Per spec, the <sp:UsernameToken> element MUST contain an internal
wsp:Policy element. It should look like:
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<sp:WssUsernameToken11 />
</wsp:Policy>
</sp:UsernameToken>
/------------
But, the specification
<http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf>
says:
------------
//sp:UsernameToken/wsp:Policy
This optional element identifies additional requirements for use of the
sp:UsernameToken assertion.
/------------
Note: Optional.
So which one is it? It seems that CXF requires a policy while the
specification says it is optional. Is there another specification I need to
look at?
I verified that if I edited the WSDL and removed the reference to the policy
everything worked as expected, so is there another quick workaround?
My guess is that the WSDL file is incorrect and needs a policy element, but
to have a chance to get this change implemented I need to be able to point
to a specification where this is mentioned.
--
View this message in context:
http://cxf.547215.n5.nabble.com/Requirement-that-UsernameToken-must-have-an-inner-wsp-Policy-element-not-according-to-specification-tp5764368.html
Sent from the cxf-user mailing list archive at Nabble.com.
