cxf-issues mailing list archives

From "Benjamin Ernst (JIRA)" <j...@apache.org>
Subject [jira] Updated: (CXF-2165) SecurityPolicy-Assertion fails for only signing
Date Thu, 09 Apr 2009 06:58:12 GMT

     [ https://issues.apache.org/jira/browse/CXF-2165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benjamin Ernst updated CXF-2165:
--------------------------------

    Attachment: policy.xml

the policy for which the assertion fails

> SecurityPolicy-Assertion fails for only signing 
> ------------------------------------------------
>
>                 Key: CXF-2165
>                 URL: https://issues.apache.org/jira/browse/CXF-2165
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2
>            Reporter: Benjamin Ernst
>         Attachments: policy.xml
>
>
> Policy-Assertion fails when a policy only asserts that the body is signed, but not encrypted.
> Sending signed messages is no problem, but when receiving a signed message the following error
> appears:
>   Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can
> not be satisfied:
>   {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Not signed
> before encrypted
> There should not be any encryption at all, only signing. I debugged into the code and
> found the following method in PolicyBasedWSS4JInInterceptor.java:
>     private boolean assertAsymetricBinding(AssertionInfoMap aim,
>                                            SoapMessage message,
>                                            SOAPMessage doc,
>                                            Protections prots,
>                                            boolean derived) {
>         Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
>         if (ais == null) {
>             return true;
>         }
>         for (AssertionInfo ai : ais) {
>             AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
>             ai.setAsserted(true);
>             if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
>                 if (abinding.isSignatureProtection()) {
>                     if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
>                         ai.setNotAsserted("Not encrypted before signed and then protected");
>                     }
>                 } else if (prots != Protections.ENCRYPT_SIGN) {
>                     ai.setNotAsserted("Not encrypted before signed");
>                 }
>             } else if (prots != Protections.SIGN_ENCRYPT) {
>                 ai.setNotAsserted("Not signed before encrypted");
>             }
>             assertPolicy(aim, abinding.getInitiatorToken());
>             assertPolicy(aim, abinding.getRecipientToken());
>             assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
>             assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
>         }
>         return true;
>     }
> In this method the value of prots is "SIGN", which is correct. But the if-statement only
> checks if prots is not SIGN_ENCRYPT and then sets it to not asserted. It might be because SPConstants.ProtectionOrder
> only knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only signing,
> or only encrypting.
> Here is the policy:
> <wsp:Policy
>     wsu:Id='Sig'
>     xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="
>       http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>       http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
>       http://schemas.xmlsoap.org/ws/2004/09/policy
>       http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
>   ">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:AsymmetricBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>                 <wsp:Policy>
>                     <sp:InitiatorToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'>
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10 />
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:InitiatorToken>
>                     <sp:RecipientToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
>                                 <wsp:Policy>
>                                     <sp:WssX509V3Token10 />
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:RecipientToken>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp:Basic256 />
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Strict />
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:OnlySignEntireHeadersAndBody />
>                 </wsp:Policy>
>             </sp:AsymmetricBinding>
>             <sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>                 <wsp:Policy>
>                     <sp:MustSupportRefEmbeddedToken />
>                 </wsp:Policy>
>             </sp:Wss10>
>             <sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
>                 <sp:Body />
>             </sp:SignedParts>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
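The behaviour the report describes, modelled in Python as an added example. This is not CXF's Java code and not the project's fix; `Protections`, `ProtectionOrder`, `AsymmetricBindingPolicy`, `original_check`, `expected_protection` and `corrected_check` are constructed for this illustration, and the `NONE` and `ENCRYPT` members are added beyond the four values visible in the quoted interceptor. `original_check` reproduces the branch structure quoted above, so a message that is only signed (`Protections.SIGN`) is reported as "Not signed before encrypted" even though the policy lists no EncryptedParts. `corrected_check` instead derives the single protection the policy demands from the parts it lists and fails closed on any mismatch, so a sign-only policy accepts a sign-only message while an unprotected or mis-ordered message is still rejected.

```python
"""Added example (not CXF's own code): a simplified model of the
AsymmetricBinding protection-order check quoted in CXF-2165.  Every name
here is constructed for the illustration."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Protections(Enum):
    """What was actually observed on the inbound message.
    NONE and ENCRYPT are constructed additions; the other four mirror the
    values used in the quoted interceptor."""
    NONE = auto()
    SIGN = auto()                  # body signed, nothing encrypted
    ENCRYPT = auto()               # body encrypted, nothing signed
    SIGN_ENCRYPT = auto()          # signed first, then encrypted
    ENCRYPT_SIGN = auto()          # encrypted first, then signed
    ENCRYPT_SIGN_PROTECT = auto()  # encrypt, sign, then encrypt the signature


class ProtectionOrder(Enum):
    """The only two orders the SecurityPolicy assertion knows about."""
    SIGN_BEFORE_ENCRYPTING = auto()
    ENCRYPT_BEFORE_SIGNING = auto()


@dataclass
class AsymmetricBindingPolicy:
    """Constructed stand-in for the parsed AsymmetricBinding plus the
    SignedParts / EncryptedParts assertions that accompany it."""
    protection_order: ProtectionOrder = ProtectionOrder.SIGN_BEFORE_ENCRYPTING
    signature_protection: bool = False
    requires_signature: bool = True    # SignedParts present (as in the report)
    requires_encryption: bool = False  # EncryptedParts present


def original_check(policy: AsymmetricBindingPolicy,
                   prots: Protections) -> Optional[str]:
    """Mirrors the branch structure quoted in the report.  Returns the
    'not asserted' reason, or None when the binding is asserted.  A
    sign-only message can never satisfy either branch."""
    if policy.protection_order is ProtectionOrder.ENCRYPT_BEFORE_SIGNING:
        if policy.signature_protection:
            if prots is not Protections.ENCRYPT_SIGN_PROTECT:
                return "Not encrypted before signed and then protected"
        elif prots is not Protections.ENCRYPT_SIGN:
            return "Not encrypted before signed"
    elif prots is not Protections.SIGN_ENCRYPT:
        return "Not signed before encrypted"
    return None


def expected_protection(policy: AsymmetricBindingPolicy) -> Protections:
    """Derive the one protection the policy actually demands from the
    parts it lists; the ordering only matters when both are required."""
    if policy.requires_signature and policy.requires_encryption:
        if policy.protection_order is ProtectionOrder.ENCRYPT_BEFORE_SIGNING:
            if policy.signature_protection:
                return Protections.ENCRYPT_SIGN_PROTECT
            return Protections.ENCRYPT_SIGN
        return Protections.SIGN_ENCRYPT
    if policy.requires_signature:
        return Protections.SIGN
    if policy.requires_encryption:
        return Protections.ENCRYPT
    return Protections.NONE


def corrected_check(policy: AsymmetricBindingPolicy,
                    prots: Protections) -> Optional[str]:
    """Fail closed: the observed protections must equal exactly what the
    policy demands.  Missing, extra or mis-ordered protection is reported
    rather than silently accepted."""
    expected = expected_protection(policy)
    if prots is expected:
        return None
    return f"Expected {expected.name}, observed {prots.name}"


if __name__ == "__main__":
    sign_only = AsymmetricBindingPolicy()  # SignedParts only, as in policy.xml
    print("original:", original_check(sign_only, Protections.SIGN))
    print("corrected:", corrected_check(sign_only, Protections.SIGN))
    print("corrected, unsigned:", corrected_check(sign_only, Protections.NONE))
```

The corrected check deliberately demands an exact match rather than "at least the required protection": a message that is also encrypted under a sign-only policy, or signed in the wrong order under a sign-then-encrypt policy, is still reported, so loosening the check for the sign-only case does not weaken enforcement for the cases the original code already handled.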

