cxf-issues mailing list archives

From "Benjamin Ernst (JIRA)" <>
Subject [jira] Created: (CXF-2165) SecurityPolicy-Assertion fails for only signing
Date Thu, 09 Apr 2009 06:56:12 GMT
SecurityPolicy-Assertion fails for only signing 

                 Key: CXF-2165
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.2
            Reporter: Benjamin Ernst

Policy-Assertion fails when a policy only asserts that the body is signed, but not encrypted.
Sending signed messages is no problem, but when receiving a signed message the following error occurs:

  Caused by: These policy alternatives can not be
  {}AsymmetricBinding: Not signed before encrypted

There should not be any encryption at all, only signing. I debugged into the code and found
the following method in the

 private boolean assertAsymetricBinding(AssertionInfoMap aim,
                                           SoapMessage message,
                                           SOAPMessage doc,
                                           Protections prots,
                                           boolean derived) {
        Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
        if (ais == null) {
            return true;
        }
        for (AssertionInfo ai : ais) {
            AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
            if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
                if (abinding.isSignatureProtection()) {
                    if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
                        ai.setNotAsserted("Not encrypted before signed and then protected");
                    }
                } else if (prots != Protections.ENCRYPT_SIGN) {
                    ai.setNotAsserted("Not encrypted before signed");
                }
            } else if (prots != Protections.SIGN_ENCRYPT) {
                ai.setNotAsserted("Not signed before encrypted");
            }
            assertPolicy(aim, abinding.getInitiatorToken());
            assertPolicy(aim, abinding.getRecipientToken());
            assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
            assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
        }
        return true;
    }

In this method the value of prots is "SIGN", which is correct. But the if-statement only checks
whether prots is not SIGN_ENCRYPT and then sets it to not asserted. It might be because SPConstants.ProtectionOrder
only knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only signing,
or only encrypting.

Here is the policy:

            <sp:AsymmetricBinding xmlns:sp=''>
                            <sp:X509Token sp:IncludeToken=''>
                                    <sp:WssX509V3Token10 />
                            <sp:X509Token sp:IncludeToken=''>
                                    <sp:WssX509V3Token10 />
                            <sp:Basic256 />
                            <sp:Strict />
                    <sp:OnlySignEntireHeadersAndBody />
            <sp:Wss10 xmlns:sp=''>
                    <sp:MustSupportRefEmbeddedToken />
            <sp:SignedParts xmlns:sp=''>
                <sp:Body />

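The mismatch described in this report, reduced to a stand-alone model (added example, not CXF code and not the project's eventual fix): the reported check maps each ProtectionOrder to exactly one accepted Protections value, so a message that carries only a signature fails a policy that asks only for SignedParts. The second check is an assumed alternative that derives the acceptable values from which parts the policy actually requires, while still rejecting a message with no protection at all; enum constants are modelled on the names in the quoted code, the flags and the method names are assumptions.

```java
import java.util.EnumSet;

/** Reduced model of the assertion logic quoted in CXF-2165; not the project's own code. */
public class AsymmetricBindingCheck {
    enum ProtectionOrder { SignBeforeEncrypting, EncryptBeforeSigning }
    enum Protections { NONE, SIGN, ENCRYPT, SIGN_ENCRYPT, ENCRYPT_SIGN, ENCRYPT_SIGN_PROTECT }

    /** Same decision as the quoted method: one accepted value per order, nothing else. */
    static boolean assertedAsReported(ProtectionOrder order, boolean signatureProtection,
                                      Protections prots) {
        if (order == ProtectionOrder.EncryptBeforeSigning) {
            if (signatureProtection) {
                return prots == Protections.ENCRYPT_SIGN_PROTECT;
            }
            return prots == Protections.ENCRYPT_SIGN;
        }
        // Sign-only traffic (prots == SIGN) is rejected here although the policy never asked for encryption.
        return prots == Protections.SIGN_ENCRYPT;
    }

    /** Assumed alternative: accept exactly the protection the policy's parts require (hypothetical flags). */
    static boolean assertedWithParts(ProtectionOrder order, boolean signatureProtection,
                                     boolean hasSignedParts, boolean hasEncryptedParts,
                                     Protections prots) {
        if (hasSignedParts && hasEncryptedParts) {
            return assertedAsReported(order, signatureProtection, prots); // both required: order matters
        }
        EnumSet<Protections> ok = EnumSet.noneOf(Protections.class);
        if (hasSignedParts) {
            ok.add(Protections.SIGN);
        }
        if (hasEncryptedParts) {
            ok.add(Protections.ENCRYPT);
        }
        if (ok.isEmpty()) {
            ok.add(Protections.NONE); // policy demands nothing, so an unprotected message is fine
        }
        return ok.contains(prots); // an unsigned message against SignedParts still fails (NONE not in ok)
    }

    public static void main(String[] args) {
        // The report's situation: SignedParts on Body, no EncryptedParts, message arrives with SIGN.
        ProtectionOrder order = ProtectionOrder.SignBeforeEncrypting;
        System.out.println("as reported : " + assertedAsReported(order, false, Protections.SIGN));
        System.out.println("with parts  : " + assertedWithParts(order, false, true, false, Protections.SIGN));
        System.out.println("unsigned msg: " + assertedWithParts(order, false, true, false, Protections.NONE));
    }
}
```

Whatever shape a real fix takes, the check that matters from a security standpoint is the last one: loosening the assertion so a sign-only message passes must not also let an unsigned message pass.
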
This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
