cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pawel Lipka (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-2356) WS-SecurityPolicy and faults
Date Fri, 24 Jul 2009 13:27:15 GMT

    [ https://issues.apache.org/jira/browse/CXF-2356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12735051#action_12735051
] 

Pawel Lipka commented on CXF-2356:
----------------------------------

Unzip the attachment and run mvn test.

> WS-SecurityPolicy and faults
> ----------------------------
>
>                 Key: CXF-2356
>                 URL: https://issues.apache.org/jira/browse/CXF-2356
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.2
>         Environment: cxf-2.2.2, wss4j-1.5.7, xmlsec-1.4.2
>            Reporter: Pawel Lipka
>         Attachments: wssecuritypolicy-tests.zip
>
>
> I have a secure WS that is described by a WS-Policy document that's
> pasted below.
> Policy A is attached to the wsdl:binding while policy B is attached to
> the wsdl:input,wsdl:output and wsdl:fault
> When my WS throws a soap fault there's a couple of problems:
> 1) the soap:Body element is not encrypted
> 2) the soap:Body element is not signed
> 3) the WS client fails to validate the WS-Security header with the
> that's also pasted below.
> The problem seems to be in the way CXF handles WS-Security header using
> the PolicyBasedWSS4JInterceptor.
> When the response arrives it passes through the in interceptor chain and
> the encrypted parts are decrypted. The way wss4j handles decryption is
> that it replaces the xmlenc:EncryptedData element in the SOAP document
> with the decrypted content but it does not remove the corresponding
> xmlenc:ReferenceData/xmlenc:DataReference element from the Security
> header. After decryption is done some other interceptor detects that the
> message is actually a fault and triggers the inFault interceptor chain.
> The inFault interceptor chain again contains the
> PolicyBasedWSS4JInterceptor and it should contain it since not all the
> policy assertions have been asserted by the 'in' chain. (e.g.
> UsingAddressing  assertion).
> The PolicyBasedWSS4JInterceptor runs wss4j again on a document that has
> already been decrypted and fails with the error below because the
> xmlenc:ReferenceData/xmlenc:DataReference elements point to nothing.
> Has anyone ever hit a problem like that? Is there any workaround for
> that  (other than chainging the WS-Policy document)?
> thanks in advance,
> 7038 [main] WARN org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor  - 
> org.apache.ws.security.WSSecurityException: An error was discovered
> processing the <wsse:Security> header (WSSecurityEngine: DataReference -
> referenced data not found)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:141)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:113)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:76)
>         at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>         at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:179)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>         at
> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
>         at
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>         at
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>         at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:645)
>         at org.apache.cxf.transport.http.HTTPConduit
> $WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2132)
>         at org.apache.cxf.transport.http.HTTPConduit
> $WrappedOutputStream.handleResponse(HTTPConduit.java:2015)
>         at org.apache.cxf.transport.http.HTTPConduit
> $WrappedOutputStream.close(HTTPConduit.java:1940)
>         at
> org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>         at
> org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:180)
>         at
> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>         at
> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
>         at org.apache.cxf.interceptor.MessageSenderInterceptor
> $MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:471)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:301)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:253)
>         at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>         at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:121)
>         at $Proxy38.sendMessage(Unknown Source)
> <wsp:Policy wsu:Id="A">
>                 <wsp:ExactlyOne>
>                         <wsp:All>
>                                 <sp:SymmetricBinding
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                         <wsp:Policy>
>                                                 <sp:ProtectionToken>
>                                                         <wsp:Policy>
>                                                                 <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                                                                         <wsp:Policy>
>                                                                                 <sp:RequireDerivedKeys
/>
>                                                                                 <sp:RequireThumbprintReference
/>
>                                                                                 <sp:WssX509V3Token10
/>
>                                                                         </wsp:Policy>
>                                                                 </sp:X509Token>
>                                                         </wsp:Policy>
>                                                 </sp:ProtectionToken>
>                                                 <sp:AlgorithmSuite>
>                                                         <wsp:Policy>
>                                                                 <sp:Basic128 />
>                                                         </wsp:Policy>
>                                                 </sp:AlgorithmSuite>
>                                                 <sp:Layout>
>                                                         <wsp:Policy>
>                                                                 <sp:Strict />
>                                                         </wsp:Policy>
>                                                 </sp:Layout>
>                                                 <sp:IncludeTimestamp />
>                                                 <sp:EncryptSignature />
>                                                 <sp:OnlySignEntireHeadersAndBody />
>                                         </wsp:Policy>
>                                 </sp:SymmetricBinding>
>                                 <sp:EndorsingSupportingTokens
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                         <wsp:Policy>
>                                                 <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                                                         <wsp:Policy>
>                                                                 <sp:RequireThumbprintReference
/>
>                                                                 <sp:WssX509V3Token10
/>
>                                                         </wsp:Policy>
>                                                 </sp:X509Token>
>                                         </wsp:Policy>
>                                 </sp:EndorsingSupportingTokens>
>                                 <sp:Wss11
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                         <wsp:Policy>
>                                                 <sp:MustSupportRefKeyIdentifier />
>                                                 <sp:MustSupportRefIssuerSerial />
>                                                 <sp:MustSupportRefThumbprint />
>                                                 <sp:MustSupportRefEncryptedKey />
>                                                 <sp:RequireSignatureConfirmation />
>                                         </wsp:Policy>
>                                 </sp:Wss11>
>                                 <sp:Trust10
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                         <wsp:Policy>
>                                                 <sp:MustSupportIssuedTokens />
>                                                 <sp:RequireClientEntropy />
>                                                 <sp:RequireServerEntropy />
>                                         </wsp:Policy>
>                                 </sp:Trust10>
>                                 <wsaw:UsingAddressing />
>                         </wsp:All>
>                 </wsp:ExactlyOne>
>         </wsp:Policy>
>         <wsp:Policy wsu:Id="B">
>                 <wsp:ExactlyOne>
>                         <wsp:All>
>                                 <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                         <sp:Body />
>                                         <sp:Header Name="To"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                         <sp:Header Name="From"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                         <sp:Header Name="FaultTo"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                         <sp:Header Name="ReplyTo"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                         <sp:Header Name="MessageID"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                         <sp:Header Name="RelatesTo"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                         <sp:Header Name="Action"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                 </sp:SignedParts>
>                                 <sp:EncryptedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                         <sp:Body />
>                                 </sp:EncryptedParts>
>                         </wsp:All>
>                 </wsp:ExactlyOne>
>         </wsp:Policy>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message