CXF-6327

Invalid Policy exception for EndorsingSupportingTokens with more than one token assertion


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.4
    • Fix Version/s: 3.1, 3.0.5
    • Component/s: WS-* Components
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      Parsing WS-Security Policies containing EndorsingSupportingTokens with more than one token assertion in its nested Policy throws a "java.lang.IllegalArgumentException: Invalid Policy".

      Here is a WSDL test-case:

      https://rheaavs.element44.net/AvsMpsService_R1_Variante2.wsdl

      The sp:EndorsingSupportingTokens/wsp:Policy has 2 token assertions as children: a sp:X509Token and a sp:IssuedToken. Apparently CXF doesn't like that.

      If I either remove one of these token assertions or put a wsp:ExactlyOne around them, the exception will not be thrown and the SOAP-Request will be sent, but the remote server will not accept the message and returns an InvalidSecurity SOAP-Fault. Putting a wsp:ExactlyOne/wsp:All around the 2 tokens will cause the exception to be thrown again.

      According to the specification I cannot see anything wrong with this Policy. See http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.html Section 8.3:

      <sp:EndorsingSupportingTokens xmlns:sp="..." ... >
        <wsp:Policy xmlns:wsp="...">
          [Token Assertion]+
          <sp:AlgorithmSuite ... > ... </sp:AlgorithmSuite> ?
          (
            <sp:SignedParts ... > ... </sp:SignedParts> |
            <sp:SignedElements ... > ... </sp:SignedElements> |
            <sp:EncryptedParts ... > ... </sp:EncryptedParts> |
            <sp:EncryptedElements ... > ... </sp:EncryptedElements> |
            <sp:ContentEncryptedElements ... > ... </sp:ContentEncryptedElements>
          ) *
          ...
        </wsp:Policy>
        ...
      </sp:EndorsingSupportingTokens>

      ...

      /sp:EndorsingSupportingTokens/wsp:Policy/[Token Assertion]
      The policy MUST identify one or more token assertions.

      This bug currently makes it impossible to access WebServices using such a SecurityPolicy for me as I couldn't find a client-side workaround.
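
The three policy shapes described in the report can be told apart with a short check. This is an added example, not code from the report or from CXF. It lists the token assertions in each policy alternative of sp:EndorsingSupportingTokens, showing that a bare wsp:ExactlyOne turns "both tokens" into "either token", while the compact and ExactlyOne/All forms both require the two tokens together. The WS-Policy namespace, the constructed sample fragments and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Assumed WS-Policy namespace; a WSDL may use http://www.w3.org/ns/ws-policy instead.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

def _tokens(parent):
    """Local names of sp:*Token assertions that are direct children of parent."""
    prefix = "{%s}" % SP
    return [c.tag[len(prefix):] for c in parent
            if c.tag.startswith(prefix) and c.tag.endswith("Token")]

def endorsing_alternatives(policy_xml):
    """Per sp:EndorsingSupportingTokens: the token list of each policy alternative."""
    found = []
    for est in ET.fromstring(policy_xml).iter("{%s}EndorsingSupportingTokens" % SP):
        nested = est.find("{%s}Policy" % WSP)
        if nested is None:
            found.append([])
            continue
        choice = nested.find("{%s}ExactlyOne" % WSP)
        if choice is None:
            # Compact form: sibling assertions are all required (implicit wsp:All).
            found.append([_tokens(nested)])
        else:
            # Each wsp:All, or each bare token, under wsp:ExactlyOne is one alternative.
            alts = [_tokens(a) for a in choice.findall("{%s}All" % WSP)]
            found.append(alts + [[t] for t in _tokens(choice)])
    return found

def requires_multiple_tokens(policy_xml):
    """True if any alternative demands more than one endorsing token at once."""
    return any(len(alt) > 1 for alts in endorsing_alternatives(policy_xml) for alt in alts)

def _sample(inner):  # constructed fragments, not taken from the reporter's WSDL
    return ('<sp:EndorsingSupportingTokens xmlns:sp="%s" xmlns:wsp="%s"><wsp:Policy>'
            '%s</wsp:Policy></sp:EndorsingSupportingTokens>' % (SP, WSP, inner))

TOKENS = "<sp:X509Token/><sp:IssuedToken/>"
CASES = {
    "compact": _sample(TOKENS),
    "exactly_one": _sample("<wsp:ExactlyOne>%s</wsp:ExactlyOne>" % TOKENS),
    "exactly_one_all": _sample(
        "<wsp:ExactlyOne><wsp:All>%s</wsp:All></wsp:ExactlyOne>" % TOKENS),
}

if __name__ == "__main__":
    for name, xml in CASES.items():
        print(name, endorsing_alternatives(xml), requires_multiple_tokens(xml))
```
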

            People

            • Assignee: Colm O hEigeartaigh (coheigea)
            • Reporter: Stefan Pröls (s.proels)