Parsing WS-Security Policies containing EndorsingSupportingTokens with more than one token assertion in its nested Policy throws a "java.lang.IllegalArgumentException: Invalid Policy".
Here is a WSDL test-case:
The sp:EndorsingSupportingTokens/wsp:Policy has 2 token assertions as children: a sp:X509Token and a sp:IssuedToken. Apparently CXF doesn't like that.
If I either remove one of these token assertions or put a wsp:ExactlyOne around them, the exception will not be thrown and the SOAP-Request will be sent but the remote server will not accept the message and return an InvalidSecurity SOAP-Fault. Putting an wsp:ExactlyOne/wsp:All around the 2 tokens will cause the exception to be thrown again.
According to the specification I cannot see anything wrong with this Policy. See http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.html Section 8.3:
<sp:EndorsingSupportingTokens xmlns:sp="..." ... >
<sp:AlgorithmSuite ... > ... </sp:AlgorithmSuite> ?
<sp:SignedParts ... > ... </sp:SignedParts> |
<sp:SignedElements ... > ... </sp:SignedElements> |
<sp:EncryptedParts ... > ... </sp:EncryptedParts> |
<sp:EncryptedElements ... > ... </sp:EncryptedElements> |
<sp:ContentEncryptedElements ... > ... </sp:ContentEncryptedElements>
The policy MUST identify one or more token assertions.
This bug currently makes it impossible to access WebServices using such a SecurityPolicy for me as I couldn't find a client-side workaround.