CXF / CXF-5405

WS-RM with anonymous endpoint throwing security policy validation exception for SequenceAck


    Description

      When WS-RM with an anonymous endpoint is used in conjunction with a policy-based WS-Security configuration, the sequence acknowledgement response to the client is rejected by the policy validator.

      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
      org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
      at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
      at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
      at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
      at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1606)

      The cause of this issue is that the RM processing resets the requestor role, whose value is subsequently used by the policy validator to choose the correct configuration value. The requestor role for the SequenceAck messages should not be reset.
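
A simplified model of the failure described above, as an added example (not CXF's own code and not part of the original report). It assumes the policy's X509Token uses the AlwaysToRecipient inclusion value, which the report does not state; the class, method and property names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified, self-contained model of role-dependent token inclusion checks.
// Not CXF code: class, method and property names are hypothetical.
public class RequestorRoleDemo {

    enum IncludeToken { NEVER, ALWAYS, ALWAYS_TO_RECIPIENT, ALWAYS_TO_INITIATOR }

    static final String REQUESTOR_ROLE = "requestor.role"; // hypothetical key

    // Is the token expected in a message received by this endpoint?
    static boolean tokenRequired(IncludeToken inclusion, Map<String, Object> msg) {
        boolean initiator = Boolean.TRUE.equals(msg.get(REQUESTOR_ROLE));
        switch (inclusion) {
            case NEVER:               return false;
            case ALWAYS:              return true;
            case ALWAYS_TO_INITIATOR: return initiator;
            case ALWAYS_TO_RECIPIENT: return !initiator;
            default:                  return false;
        }
    }

    // The check fails only when a token is required but was not received.
    static boolean validate(IncludeToken inclusion, Map<String, Object> msg,
                            boolean tokenPresent) {
        return !tokenRequired(inclusion, msg) || tokenPresent;
    }

    public static void main(String[] args) {
        // Constructed sample: the client receives a SequenceAck on the HTTP
        // back-channel (anonymous endpoint); the server sent no X509 token.
        Map<String, Object> ack = new HashMap<>();
        ack.put(REQUESTOR_ROLE, Boolean.TRUE);
        System.out.println("role kept:  "
            + validate(IncludeToken.ALWAYS_TO_RECIPIENT, ack, false));

        // RM processing resets the role: the client now validates as if it
        // were the recipient and expects a token that was never due.
        ack.put(REQUESTOR_ROLE, Boolean.FALSE);
        System.out.println("role reset: "
            + validate(IncludeToken.ALWAYS_TO_RECIPIENT, ack, false));
    }
}
```

With the role preserved the acknowledgement passes; once the role is reset, the same message fails the inclusion check, which is the rejection shown in the stack trace.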

          People

            Akitoshi Yoshida