Details
- Bug
- Status: Closed
- Minor
- Resolution: Fixed
- 2.6.1, 2.7.1
- None
- JDK 1.7.0_02, Windows 7, Tomcat 6.0.29
- Unknown
Description
The problem is related to WS-Security policies, only when a service is exposed with CXF in Tomcat:
We have 2 operations:
- getMsgChiffr: the "chiffr_policy" security policy is bound
- getMsg2ChiffrBody: the "chiffr_body_policy" security policy is bound
The input request for these 2 operations is composed of:
- an input message: a string
- a header: two strings
The 2 policies are:
chiffr_body_policy: only the body must be encrypted
chiffr_policy: body+headers must be encrypted
When getMsgChiffr is called, all is fine. CXF checks if "chiffr_policy" is correctly applied (= body+headers encrypted).
When getMsg2ChiffrBody is called, CXF checks "chiffr_policy" instead of "chiffr_body_policy". The stacktrace is:
2012-12-20 17:16:21,037-DEBUG PolicyBasedWSS4JInInterceptor - Incoming request failed signed-encrypted policy validation
2012-12-20 17:16:21,037-DEBUG WSS4JInInterceptor - WSS4JInInterceptor: exit handleMessage()
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor@1c673a9
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.jaxb.attachment.JAXBAttachmentSchemaValidationHack@2a6c5e
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.interceptor.DocLiteralInInterceptor@46a62
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.SoapHeaderInterceptor@1e463a2
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.interceptor.OneWayProcessorInterceptor@1173444
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.jaxws.interceptors.WrapperClassInInterceptor@688800
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.jaxws.interceptors.SwAInInterceptor@b07eeb
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.jaxws.interceptors.HolderInInterceptor@b8ec86
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.ws.policy.PolicyVerificationInInterceptor@1d6f8ae
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.ws.policy.PolicyVerificationInInterceptor@1d6f8ae
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.HolderInInterceptor@b8ec86
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.SwAInInterceptor@b07eeb
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.WrapperClassInInterceptor@688800
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.OneWayProcessorInterceptor@1173444
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapHeaderInterceptor@1e463a2
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.DocLiteralInInterceptor@46a62
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxb.attachment.JAXBAttachmentSchemaValidationHack@2a6c5e
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor@1c673a9
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor@676d73
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@1d3676a
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.ws.mex.MEXInInterceptor@7e872c
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@16d81d
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@7418be
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@1494fcf
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.saaj.SAAJInInterceptor$SAAJPreInInterceptor@1264f8b
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.frontend.WSDLGetInterceptor@11be2e3
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.StaxInInterceptor@1e699b0
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.transport.https.CertConstraintsInterceptor@130ac20
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@dc5f15
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.LoggingInInterceptor@15ca1bd
2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.ws.policy.PolicyInInterceptor@2c7301
2012-12-20 17:16:21,052-WARN PhaseInterceptorChain - Interceptor for POC1_service_sec#{http://www.abcdef-hijklmn.fr/interop/POC1/}getMsg2ChiffrBody has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied:
EncryptedParts:
{http://referentiel.ca.fr/soapHeaderV1}not + ENCRYPTED
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:238)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:218)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:198)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:158)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:243)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:163)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:219)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:722)
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
EncryptedParts:
{http://referentiel.ca.fr/soapHeaderV1}not + ENCRYPTED
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
... 23 more
The behavior seems to depend on some names used in the WSDL definition. The problem disappears when these names are changed, for example:
- targetNamespace set to http://www.abcdefghijklmn.fr/interop/POC1/ or http://www.c-a.fr/interop/POC1/
- operation getMsgChiffr set to something else
It works fine when CXF runs as a client with the same WSDL. (CXF 2.6.1, CXF 2.7.1)
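
The check at stake in this report, as an added example (not CXF code and not part of the original report): a simplified model of the two EncryptedParts policies, evaluated against a body-only encrypted request. The header element names `a` and `b`, the SOAP 1.1 envelope and the dictionary layout are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
HDR_NS = "http://referentiel.ca.fr/soapHeaderV1"  # header namespace from the trace

# Simplified model of the two policies in the report (not CXF's data structures).
POLICIES = {
    "chiffr_body_policy": {"body": True, "header_namespaces": []},
    "chiffr_policy": {"body": True, "header_namespaces": [HDR_NS]},
}
# Operation-to-policy binding as described in the report.
BINDINGS = {"getMsgChiffr": "chiffr_policy", "getMsg2ChiffrBody": "chiffr_body_policy"}

def _is_encrypted(elem):
    """Content encryption: the element's only child is xenc:EncryptedData."""
    children = list(elem)
    return len(children) == 1 and children[0].tag == f"{{{XENC}}}EncryptedData"

def unmet_assertions(envelope_xml, policy_name):
    """Return the EncryptedParts requirements of the policy the message fails."""
    policy = POLICIES[policy_name]
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP}}}Body")
    unmet = []
    if policy["body"] and (body is None or not _is_encrypted(body)):
        unmet.append("Body not ENCRYPTED")
    header = root.find(f"{{{SOAP}}}Header")
    for elem in (list(header) if header is not None else []):
        ns, _, local = elem.tag.lstrip("{").partition("}")  # "{ns}local" -> ns, local
        if ns in policy["header_namespaces"] and not _is_encrypted(elem):
            unmet.append(f"{{{ns}}}{local} not ENCRYPTED")
    return unmet

def check(envelope_xml, operation):
    """Validate against the policy bound to this operation only."""
    return unmet_assertions(envelope_xml, BINDINGS[operation])

# Constructed sample: body encrypted, the two header strings left in cleartext.
BODY_ONLY = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:x="{XENC}" xmlns:h="{HDR_NS}">
  <s:Header><h:a>one</h:a><h:b>two</h:b></s:Header>
  <s:Body><x:EncryptedData/></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(check(BODY_ONLY, "getMsg2ChiffrBody"))         # policy bound to the operation
    print(unmet_assertions(BODY_ONLY, "chiffr_policy"))  # policy the trace shows applied
```

A per-operation regression test of this shape, run against the deployed service, catches both directions of a policy mix-up: a valid request rejected under the stricter policy, as here, and a request accepted under a weaker policy than the one bound to its operation.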