Hi,

I have a WSDL with the following partial content:

--cut
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
   <wsp:Policy>
      <sp:TransportToken>
         <wsp:Policy>
            <sp:HttpsToken RequireClientCertificate="false"/>
         </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite>
         <wsp:Policy>
            <sp:Basic256/>
         </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
         <wsp:Policy>
            <sp:Strict/>
         </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
   </wsp:Policy>
</sp:TransportBinding>
--cut

If I call this service the response from the server gets rejected by CXF:

--cut
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied: {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite: The signature derived key length does not match the requirement
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:161)
    at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source)
    at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContractsByCustomerID(TestComm.java:135)
    at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestComm.java:128)
--cut

If I change above "<sp:Basic256/>" to "<sp:Basic128/>" the message is accepted.
Is this a problem with the remote service or with CXF?

AFAIK TransportBinding applies to the connection, which is SSL encrypted.
If I check the SSL Certificate with "openssl s_client -showcerts -connect [server]:443" I get:

--cut
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
verify return:1
---
Certificate chain
 0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3072 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: CD4B00002CD328917F89C4AF9010C5145C745FD134466567345539C6AA1BE676
    Session-ID-ctx:
    Master-Key: 11B433DDEF0B003A6F261390EA6D50F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1477495032
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
--cut

Thanks
Martin
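Added example, not from the post above or from Apache CXF: it parses the quoted TransportBinding, looks up the WS-SecurityPolicy algorithm-suite parameters for the selected suite (including the signature derived key length named in the CXF fault), and reads the AES key length out of the quoted openssl cipher line so the policy requirement and the TLS layer can be compared side by side. The wsp namespace declaration, the SUITES table entries for Basic192, and the sample inputs are assumptions or constructed copies, and the script does not model CXF's own validation.

```python
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
# Assumption: the post omits the wsp declaration; this is the WS-Policy
# namespace normally paired with the 2005/07 SecurityPolicy namespace.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Subset of the WS-SecurityPolicy algorithm-suite table:
# suite -> (encryption algorithm, encryption derived key bits, signature derived key bits)
SUITES = {"Basic256": ("Aes256", 256, 192),
          "Basic192": ("Aes192", 192, 192),
          "Basic128": ("Aes128", 128, 128)}

# Constructed copy of the binding quoted in the post, with both prefixes declared.
POLICY_XML = f"""<sp:TransportBinding xmlns:sp="{SP}" xmlns:wsp="{WSP}"><wsp:Policy>
  <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
  <sp:IncludeTimestamp/>
</wsp:Policy></sp:TransportBinding>"""

# Constructed copy of the cipher line from the openssl s_client output in the post.
OPENSSL_LINE = "New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384"


def algorithm_suite(policy_xml):
    """Local name of the assertion nested under sp:AlgorithmSuite, or None."""
    node = ET.fromstring(policy_xml).find(f".//{{{SP}}}AlgorithmSuite/{{{WSP}}}Policy/*")
    return node.tag.split("}", 1)[1] if node is not None else None


def tls_aes_bits(openssl_line):
    """AES key length in bits from an openssl 'Cipher is ...' line, or None."""
    m = re.search(r"AES(128|192|256)", openssl_line)
    return int(m.group(1)) if m else None


def compare(policy_xml, openssl_line):
    """Tabulate the suite's key lengths next to what the TLS cipher provides."""
    suite = algorithm_suite(policy_xml)
    if suite not in SUITES:
        raise ValueError(f"unsupported or missing AlgorithmSuite: {suite}")
    enc_alg, enc_bits, sig_bits = SUITES[suite]
    tls_bits = tls_aes_bits(openssl_line)
    return {"suite": suite, "encryption": enc_alg,
            "encryption_derived_key_bits": enc_bits,
            "signature_derived_key_bits": sig_bits,
            "tls_aes_bits": tls_bits,
            # TLS symmetric key at least as long as the suite's encryption key
            "tls_covers_encryption": tls_bits is not None and tls_bits >= enc_bits}
```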
