Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-5609

Won't pass verification of explicit WSS Policy AsymmetricBinding -> Layout -> Policy -> Lax

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.13, 2.7.10
    • Fix Version/s: 2.7.11, 2.6.14, 3.0
    • Component/s: WS-* Components
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      Hello,

      I can't seem to get CXF WS-* validator to accept a message for service which has <sp:Layout> <wsp:Policy> <sp:Lax /> policy explicitly defined in the WSDL. Maybe I'm missing something, but all I get is:

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
      <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>These policy alternatives can not be satisfied:

      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}

      Layout</faultstring>
      </soap:Fault>
      </soap:Body>
      </soap:Envelope>

      I did some debugging on the issue and it appears that both org.apache.cxf.ws.security.policy.builders.LayoutBuilder and org.apache.cxf.ws.security.policy.model.AsymmetricBinding add org.apache.cxf.ws.security.policy.model.Layout assertions to the expected policy. However org.apache.cxf.ws.security.wss4j.policyvalidators.AbstractBindingPolicyValidator.checkProperties(SymmetricAsymmetricBindingBase, AssertionInfo, AssertionInfoMap, List<WSSecurityEngineResult>, List<WSSecurityEngineResult>, Message) successfully asserts only one of Layout instances while another one remains untouched and causes the failure to occur. If I comment out sp:Layout from WSDL, validation passes since LayoutBuilder never adds its Layout instance.

      I guess that removing LayoutBuilder would fix the problem but I'm not sure if this is the right thing to do.

      Relevant excerpt from WSDL:

      <wsp:Policy wsu:Id="SignAndEncrypt"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
      wsdl:required="true">
      <wsp:ExactlyOne>
      <wsp:All>
      <sp:AsymmetricBinding>
      <wsp:Policy>
      <sp:InitiatorToken>
      <wsp:Policy>
      <sp:X509Token
      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
      <wsp:Policy>
      <sp:WssX509V3Token10 />
      </wsp:Policy>
      </sp:X509Token>
      </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
      <wsp:Policy>
      <sp:X509Token
      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
      <wsp:Policy>
      <sp:WssX509V3Token10 />
      </wsp:Policy>
      </sp:X509Token>
      </wsp:Policy>
      </sp:RecipientToken>
      <sp:AlgorithmSuite>
      <wsp:Policy>
      <sp:Basic256Rsa15 />
      <sp:TripleDesRsa15 />
      <sp:Basic128Rsa15 />
      </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:IncludeTimestamp />
      <sp:EncryptSignature />
      <sp:OnlySignEntireHeadersAndBody />
      </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10>
      <wsp:Policy>
      <sp:MustSupportRefIssuerSerial />
      <sp:MustSupportRefEmbeddedToken />
      </wsp:Policy>
      </sp:Wss10>
      <sp:Layout>
      <wsp:Policy>
      <sp:Lax />
      </wsp:Policy>
      </sp:Layout>
      <sp:SignedParts>
      <sp:Body />
      <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
      </sp:SignedParts>
      <sp:EncryptedParts>
      <sp:Body />
      </sp:EncryptedParts>
      </wsp:All>
      </wsp:ExactlyOne>
      </wsp:Policy>

        Attachments

          Activity

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              modax Modestas Vainius
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: