cxf-issues mailing list archives

From "Benjamin Ernst (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-2165) SecurityPolicy-Assertion fails for only signing
Date Thu, 09 Apr 2009 06:56:12 GMT
SecurityPolicy-Assertion fails for only signing 
------------------------------------------------

                 Key: CXF-2165
                 URL: https://issues.apache.org/jira/browse/CXF-2165
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.2
            Reporter: Benjamin Ernst


Policy-Assertion fails when a policy only asserts that the body is signed, but not encrypted.
Sending signed messages is no problem, but when receiving a signed message the following error
appears:

  Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
  {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Not signed before encrypted

There should not be any encryption at all, only signing. I debugged into the code and found
the following method in PolicyBasedWSS4JInInterceptor.java:

    private boolean assertAsymetricBinding(AssertionInfoMap aim,
                                           SoapMessage message,
                                           SOAPMessage doc,
                                           Protections prots,
                                           boolean derived) {
        Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
        if (ais == null) {
            return true;
        }
        for (AssertionInfo ai : ais) {
            AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
            ai.setAsserted(true);
            if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
                if (abinding.isSignatureProtection()) {
                    if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
                        ai.setNotAsserted("Not encrypted before signed and then protected");
                    }
                } else if (prots != Protections.ENCRYPT_SIGN) {
                    ai.setNotAsserted("Not encrypted before signed");
                }
            } else if (prots != Protections.SIGN_ENCRYPT) {
                // Every non-EncryptBeforeSigning policy lands here, and only SIGN_ENCRYPT
                // is accepted, so a message that is signed but not encrypted (prots == SIGN)
                // is marked not asserted.
                ai.setNotAsserted("Not signed before encrypted");
            }
            assertPolicy(aim, abinding.getInitiatorToken());
            assertPolicy(aim, abinding.getRecipientToken());
            assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
            assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
        }
        return true;
    }

In this method the value of prots is "SIGN", which is correct. But the if-statement only checks
whether prots is not SIGN_ENCRYPT and then sets it to not asserted. It might be because SPConstants.ProtectionOrder
only knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only signing
or only encrypting.

Here is the policy:

<wsp:Policy
    wsu:Id='Sig'
    xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
      http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
      http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
      http://schemas.xmlsoap.org/ws/2004/09/policy
      http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
  ">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'>
                                <wsp:Policy>
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
                                <wsp:Policy>
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256 />
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict />
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:OnlySignEntireHeadersAndBody />
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
                <wsp:Policy>
                    <sp:MustSupportRefEmbeddedToken />
                </wsp:Policy>
            </sp:Wss10>
            <sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
                <sp:Body />
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
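The following is an added example, not code from the report or from CXF, that models the protection-order check quoted above as a small decision table so the sign-only case can be exercised offline. `check_as_reported` transcribes the quoted branch; `check_by_required_parts` is a hypothetical alternative that first derives which Protections state the policy actually demands from whether it carries SignedParts and/or EncryptedParts, and only then compares against what the inbound interceptor observed. The Protections values, the ProtectionOrder names and the shape of the helper are assumptions made for the model; they are not CXF's API. The policy on the page has a SignedParts assertion, no EncryptedParts, and neither sp:EncryptBeforeSigning nor sp:SignBeforeEncrypting, so it is fed in as "sign only, non-EncryptBeforeSigning order".

```python
"""Model of the AsymmetricBinding protection-order check from CXF-2165 (added example)."""
from enum import Enum


class ProtectionOrder(Enum):
    # Assumed names; the report only shows EncryptBeforeSigning being compared.
    SIGN_BEFORE_ENCRYPTING = "SignBeforeEncrypting"
    ENCRYPT_BEFORE_SIGNING = "EncryptBeforeSigning"


class Protections(Enum):
    """What the inbound side observed in the Security header (assumed value set)."""
    NONE = "NONE"
    SIGN = "SIGN"
    ENCRYPT = "ENCRYPT"
    SIGN_ENCRYPT = "SIGN_ENCRYPT"
    ENCRYPT_SIGN = "ENCRYPT_SIGN"
    ENCRYPT_SIGN_PROTECT = "ENCRYPT_SIGN_PROTECT"


def check_as_reported(order, signature_protection, prots):
    """Transcription of the quoted branch. Returns None when the binding is asserted,
    otherwise the message passed to setNotAsserted."""
    if order is ProtectionOrder.ENCRYPT_BEFORE_SIGNING:
        if signature_protection:
            if prots is not Protections.ENCRYPT_SIGN_PROTECT:
                return "Not encrypted before signed and then protected"
        elif prots is not Protections.ENCRYPT_SIGN:
            return "Not encrypted before signed"
    elif prots is not Protections.SIGN_ENCRYPT:
        # Every other order lands here and only SIGN_ENCRYPT is accepted, so a
        # correctly signed but unencrypted message (prots == SIGN) is rejected.
        return "Not signed before encrypted"
    return None


def acceptable_protections(order, signature_protection, has_signed_parts, has_encrypted_parts):
    """Hypothetical alternative: derive the set of observed states that satisfy the
    binding from what the policy requires, instead of assuming both operations."""
    if has_signed_parts and has_encrypted_parts:
        if order is ProtectionOrder.ENCRYPT_BEFORE_SIGNING:
            if signature_protection:
                return {Protections.ENCRYPT_SIGN_PROTECT}
            return {Protections.ENCRYPT_SIGN}
        return {Protections.SIGN_ENCRYPT}
    if has_signed_parts:
        return {Protections.SIGN}
    if has_encrypted_parts:
        return {Protections.ENCRYPT}
    return {Protections.NONE}


def check_by_required_parts(order, signature_protection, prots,
                            has_signed_parts, has_encrypted_parts):
    """Assert the binding only if the observed state is one the policy asks for.
    A message missing a required operation, or in the wrong order, still fails."""
    allowed = acceptable_protections(order, signature_protection,
                                     has_signed_parts, has_encrypted_parts)
    if prots in allowed:
        return None
    return "Expected one of %s, got %s" % (
        sorted(p.value for p in allowed), prots.value)


def evaluate_policy_from_report():
    """Run the page's policy (SignedParts only, no EncryptBeforeSigning, no
    signature protection) against a received sign-only message through both checks."""
    order = ProtectionOrder.SIGN_BEFORE_ENCRYPTING
    observed = Protections.SIGN
    return {
        "as_reported": check_as_reported(order, False, observed),
        "by_required_parts": check_by_required_parts(order, False, observed,
                                                     has_signed_parts=True,
                                                     has_encrypted_parts=False),
    }


if __name__ == "__main__":
    for name, result in evaluate_policy_from_report().items():
        print("%-18s -> %s" % (name, "asserted" if result is None else result))
```

The model is deliberately strict in one respect: a message carrying an operation the policy did not ask for (for example encryption against a SignedParts-only policy) is also rejected, so the only way to pass is to match the required set exactly. Whether a real interceptor should tolerate extra protection is a separate design choice that the report does not address.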

