Hi Frederik,

It's a bug in WSS4J which I've just fixed:

https://issues.apache.org/jira/browse/WSS-564

WS-SecurityPolicy 1.2 + 1.3 require a policy Element, but 1.1 doesn't. Until the next WSS4J release, your best bet is just to have an empty policy Element.

Colm.

On Mon, Jan 4, 2016 at 10:49 AM, Fredrik <[email protected]> wrote:

> Short version of the question;
> Should I be able to write a WSDL with a UsernameToken that contains no
> policy tag? The specification says it should be allowed, but I get an
> exception from CXF: "sp:UsernameToken must have an inner wsp:Policy
> element"
>
> Background:
> I'm writing a client to connect to a SOAP webservice using a WSDL first
> approach. For implementation I am using Apache CXF version 3.1.4
>
> When testing I get the following exception:
>
> /12:35:15.492 [main] WARN o.a.c.w.p.a.w.Wsdl11AttachmentPolicyProvider -
> Failed to build the policy 'UsernameToken':sp:UsernameToken must have an
> inner wsp:Policy element
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException:
> sp:UsernameToken must have an inner wsp:Policy element
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>     ...
> Caused by: java.lang.IllegalArgumentException: sp:UsernameToken must have an
> inner wsp:Policy element
>     at org.apache.wss4j.policy.builders.UsernameTokenBuilder.build(UsernameTokenBuilder.java:52)
>     at org.apache.wss4j.policy.builders.UsernameTokenBuilder.build(UsernameTokenBuilder.java:34)
>     at org.apache.neethi.AssertionBuilderFactoryImpl.invokeBuilder(AssertionBuilderFactoryImpl.java:138)
> /
>
> The relevant part of the WSDL file looks like this:
>
> /<wsp:Policy wsu:Id="UsernameToken">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SupportingTokens>
>         <wsp:Policy>
>           <sp:UsernameToken
>             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>         </wsp:Policy>
>       </sp:SupportingTokens>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> /
> The error message indicates that CXF expects a policy tag under
> UsernameToken. And indeed, while researching I came across a comment from
> CXF bug tracker
> <https://issues.apache.org/jira/browse/CXF-5132?focusedCommentId=13709887&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13709887>:
> ------------
> /Yes... Per spec, the <sp:UsernameToken> element MUST contain an internal
> wsp:Policy element. It should look like:
> <sp:UsernameToken
>   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>   <wsp:Policy>
>     <sp:WssUsernameToken11 />
>   </wsp:Policy>
> </sp:UsernameToken>
> /------------
>
> But, the specification
> <http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdf>
> says:
> ------------
> //sp:UsernameToken/wsp:Policy
> This optional element identifies additional requirements for use of the
> sp:UsernameToken assertion.
> /------------
> Note: Optional.
>
> So which one is it? It seems that CXF requires a policy while the
> specification says it is optional. Is there another specification I need to
> look at?
>
> I verified that if I edited the WSDL and removed the reference to the policy
> everything worked as expected, so is there another quick workaround?
>
> My guess is that the WSDL file is incorrect and needs a policy element, but
> to have a chance to get this change implemented I need to be able to point
> to a specification where this is mentioned.
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Requirement-that-UsernameToken-must-have-an-inner-wsp-Policy-element-not-according-to-specification-tp5764368.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
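
The workaround from the reply above (an empty policy element inside each sp:UsernameToken) can be applied to a WSDL mechanically. The following Python sketch is an added example, not part of the original thread and not CXF or WSS4J code; the function names, the fallback WS-Policy namespace and the sample document (modelled on the quoted WSDL fragment) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy namespaces that appear in this thread.
SP_VERSION = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy": "1.1",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702": "1.2",
}
# Assumption: fallback WS-Policy namespace, used only if the document has no wsp:Policy.
WSP_DEFAULT = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed sample modelled on the WSDL fragment quoted in the thread.
SAMPLE = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne><wsp:All><sp:SupportingTokens><wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
  </wsp:Policy></sp:SupportingTokens></wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def add_empty_policy(xml_text):
    """Give every sp:UsernameToken that lacks a wsp:Policy child an empty one.

    Returns (patched_xml, findings); each finding is (sp_version, was_missing).
    """
    root = ET.fromstring(xml_text)
    findings, wsp_ns = [], None
    for el in list(root.iter()):  # snapshot, because the tree is modified below
        ns, local = split_tag(el.tag)
        if local == "Policy" and wsp_ns is None:
            wsp_ns = ns  # reuse whichever WS-Policy namespace the document uses
        if local != "UsernameToken" or ns not in SP_VERSION:
            continue
        has_policy = any(split_tag(c.tag)[1] == "Policy" for c in el)
        findings.append((SP_VERSION[ns], not has_policy))
        if not has_policy:
            ET.SubElement(el, "{%s}Policy" % (wsp_ns or WSP_DEFAULT))
    return ET.tostring(root, encoding="unicode"), findings

if __name__ == "__main__":
    patched, findings = add_empty_policy(SAMPLE)
    for version, missing in findings:
        state = "added empty wsp:Policy" if missing else "ok"
        print("sp:UsernameToken (WS-SecurityPolicy %s): %s" % (version, state))
```

ElementTree rewrites namespace prefixes (ns0, ns1, ...) on output; the patched document is namespace-equivalent to the input but not byte-identical.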
