  1. CXF
  2. CXF-5609

Won't pass verification of explicit WSS Policy AsymmetricBinding -> Layout -> Policy -> Lax


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.13, 2.7.10
    • Fix Version/s: 2.7.11, 2.6.14, 3.0
    • Component/s: WS-* Components
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      Hello,

      I can't seem to get the CXF WS-* validator to accept a message for a service which has the <sp:Layout> <wsp:Policy> <sp:Lax /> policy explicitly defined in the WSDL. Maybe I'm missing something, but all I get is:

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
        <soap:Body>
          <soap:Fault>
            <faultcode>soap:Server</faultcode>
            <faultstring>These policy alternatives can not be satisfied:
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout</faultstring>
          </soap:Fault>
        </soap:Body>
      </soap:Envelope>

      I did some debugging on the issue and it appears that both org.apache.cxf.ws.security.policy.builders.LayoutBuilder and org.apache.cxf.ws.security.policy.model.AsymmetricBinding add org.apache.cxf.ws.security.policy.model.Layout assertions to the expected policy. However, org.apache.cxf.ws.security.wss4j.policyvalidators.AbstractBindingPolicyValidator.checkProperties(SymmetricAsymmetricBindingBase, AssertionInfo, AssertionInfoMap, List<WSSecurityEngineResult>, List<WSSecurityEngineResult>, Message) successfully asserts only one of the Layout instances, while the other one remains untouched and causes the failure to occur. If I comment out sp:Layout from the WSDL, validation passes since LayoutBuilder never adds its Layout instance.

      I guess that removing LayoutBuilder would fix the problem but I'm not sure if this is the right thing to do.

      Relevant excerpt from WSDL:

      <wsp:Policy wsu:Id="SignAndEncrypt"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
          wsdl:required="true">
        <wsp:ExactlyOne>
          <wsp:All>
            <sp:AsymmetricBinding>
              <wsp:Policy>
                <sp:InitiatorToken>
                  <wsp:Policy>
                    <sp:X509Token
                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                      <wsp:Policy>
                        <sp:WssX509V3Token10 />
                      </wsp:Policy>
                    </sp:X509Token>
                  </wsp:Policy>
                </sp:InitiatorToken>
                <sp:RecipientToken>
                  <wsp:Policy>
                    <sp:X509Token
                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                      <wsp:Policy>
                        <sp:WssX509V3Token10 />
                      </wsp:Policy>
                    </sp:X509Token>
                  </wsp:Policy>
                </sp:RecipientToken>
                <sp:AlgorithmSuite>
                  <wsp:Policy>
                    <sp:Basic256Rsa15 />
                    <sp:TripleDesRsa15 />
                    <sp:Basic128Rsa15 />
                  </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:IncludeTimestamp />
                <sp:EncryptSignature />
                <sp:OnlySignEntireHeadersAndBody />
              </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss10>
              <wsp:Policy>
                <sp:MustSupportRefIssuerSerial />
                <sp:MustSupportRefEmbeddedToken />
              </wsp:Policy>
            </sp:Wss10>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax />
              </wsp:Policy>
            </sp:Layout>
            <sp:SignedParts>
              <sp:Body />
              <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
              <sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
            </sp:SignedParts>
            <sp:EncryptedParts>
              <sp:Body />
            </sp:EncryptedParts>
          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>
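
To see where an explicit sp:Layout sits in a policy like the excerpt above, the following script (an added example, not part of the original report or of CXF) lists each sp:Layout together with the binding assertion that encloses it, if any. WS-SecurityPolicy 1.2 defines sp:Layout as an assertion nested in the binding's wsp:Policy; in the excerpt it is a sibling of sp:AsymmetricBinding. The sample policies are constructed reductions of the excerpt, and all function and variable names are this example's own.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
LAYOUT = "{%s}Layout" % SP
BINDINGS = {"{%s}%s" % (SP, n)
            for n in ("AsymmetricBinding", "SymmetricBinding", "TransportBinding")}

# Constructed reduction of the policy excerpt (tokens, suites and parts omitted).
TEMPLATE = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:IncludeTimestamp/>{inside}
    </wsp:Policy></sp:AsymmetricBinding>{outside}
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>""" % (WSP, SP)
LAX_LAYOUT = "<sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>"
AS_REPORTED = TEMPLATE.format(inside="", outside=LAX_LAYOUT)  # Layout beside the binding
NESTED = TEMPLATE.format(inside=LAX_LAYOUT, outside="")       # Layout inside the binding


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def layout_placements(policy_xml):
    """Return [(enclosing binding name or None, layout mode or None)] per sp:Layout."""
    found = []

    def walk(elem, binding):
        for child in elem:
            if child.tag == LAYOUT:
                # The mode is the first sp:* element nested under Layout (e.g. Lax).
                modes = [local(e.tag) for e in child.iter()
                         if e is not child and e.tag.startswith("{%s}" % SP)]
                found.append((binding, modes[0] if modes else None))
            else:
                walk(child, local(child.tag) if child.tag in BINDINGS else binding)

    walk(ET.fromstring(policy_xml), None)
    return found


if __name__ == "__main__":
    for name, doc in (("as reported", AS_REPORTED), ("nested", NESTED)):
        for binding, mode in layout_placements(doc):
            print("%-12s Layout mode=%s enclosing binding=%s" % (name, mode, binding))
```

A result with `None` as the enclosing binding means the sp:Layout is a standalone assertion of the alternative rather than part of the binding's nested policy.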


          People

            Assignee: coheigea Colm O hEigeartaigh
            Reporter: modax Modestas Vainius