cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Franck WIELGUS (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-4716) WS-security policies enforcement with CXF server, bad policy selected
Date Thu, 20 Dec 2012 16:39:12 GMT

     [ https://issues.apache.org/jira/browse/CXF-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Franck WIELGUS updated CXF-4716:
--------------------------------

    Attachment: POC1.wsdl
    
> WS-security policies enforcement with CXF server, bad policy selected
> ---------------------------------------------------------------------
>
>                 Key: CXF-4716
>                 URL: https://issues.apache.org/jira/browse/CXF-4716
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.6.1, 2.7.1
>         Environment: JDK 1.7.0_02
> Windows 7
> Tomcat 6.0.29
>            Reporter: Franck WIELGUS
>            Priority: Minor
>         Attachments: CA_groupHeader_simple.xsd, POC1.wsdl, POC1.xsd, request.txt
>
>
> The problem is related to WS-security policies, only when a service is exposed with CXF
in Tomcat :
> We have 2 operations :
> - getMsgChiffr : the "chiffr_policy" security policy is  bound
> - getMsg2ChiffrBody : the "chiffr_body_policy" security policy is  bound
> The input request for these 2 operations is composed of :
> - an input message : a string
> - a header : two strings
> The 2 policies are :
> chiffr_body_policy : only the body must be encrypted
> chiffr_policy : body+headers must be encrypted
> When getMsgChiffr is called, all is fine. CXF checks if "chiff_policy" is correctly applied
(= body+headers encrypted)
> When getMsg2ChiffrBody is called, CXF checks "chiff_policy" instead of "chiffr_body_policy".
The stacktrace is :
> 2012-12-20 17:16:21,037-DEBUG PolicyBasedWSS4JInInterceptor - Incoming request failed
signed-encrypted policy validation
> 2012-12-20 17:16:21,037-DEBUG WSS4JInInterceptor - WSS4JInInterceptor: exit handleMessage()
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor@1c673a9
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor
org.apache.cxf.jaxb.attachment.JAXBAttachmentSchemaValidationHack@2a6c5e
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor
org.apache.cxf.interceptor.DocLiteralInInterceptor@46a62
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor
org.apache.cxf.binding.soap.interceptor.SoapHeaderInterceptor@1e463a2
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor
org.apache.cxf.interceptor.OneWayProcessorInterceptor@1173444
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor
org.apache.cxf.jaxws.interceptors.WrapperClassInInterceptor@688800
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor
org.apache.cxf.jaxws.interceptors.SwAInInterceptor@b07eeb
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor
org.apache.cxf.jaxws.interceptors.HolderInInterceptor@b8ec86
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor
org.apache.cxf.ws.policy.PolicyVerificationInInterceptor@1d6f8ae
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.ws.policy.PolicyVerificationInInterceptor@1d6f8ae
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.jaxws.interceptors.HolderInInterceptor@b8ec86
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.jaxws.interceptors.SwAInInterceptor@b07eeb
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.jaxws.interceptors.WrapperClassInInterceptor@688800
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.interceptor.OneWayProcessorInterceptor@1173444
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.binding.soap.interceptor.SoapHeaderInterceptor@1e463a2
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.interceptor.DocLiteralInInterceptor@46a62
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.jaxb.attachment.JAXBAttachmentSchemaValidationHack@2a6c5e
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor@1c673a9
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor@676d73
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@1d3676a
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.ws.mex.MEXInInterceptor@7e872c
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@16d81d
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@7418be
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@1494fcf
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.binding.soap.saaj.SAAJInInterceptor$SAAJPreInInterceptor@1264f8b
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.frontend.WSDLGetInterceptor@11be2e3
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.interceptor.StaxInInterceptor@1e699b0
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.transport.https.CertConstraintsInterceptor@130ac20
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.interceptor.AttachmentInInterceptor@dc5f15
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.interceptor.LoggingInInterceptor@15ca1bd
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor
org.apache.cxf.ws.policy.PolicyInInterceptor@2c7301
> 2012-12-20 17:16:21,052-WARN  PhaseInterceptorChain - Interceptor for {http://www.abcdef-hijklmn.fr/interop/POC1/}POC1_service_sec#{http://www.abcdef-hijklmn.fr/interop/POC1/}getMsg2ChiffrBody
has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://referentiel.ca.fr/soapHeaderV1}
not + ENCRYPTED
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
> 	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
> 	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:238)
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:218)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:198)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137)
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:158)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:243)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:163)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:219)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> 	at java.lang.Thread.run(Thread.java:722)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://referentiel.ca.fr/soapHeaderV1}
not + ENCRYPTED
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
> 	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
> 	at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
> 	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
> 	... 23 more
> The behavior seems to depend on some names used in the WSDL definition. The problem disappears
when these names are changed, for example : 
> - targetNamespace set to http://www.abcdefghijklmn.fr/interop/POC1/ or http://www.c-a.fr/interop/POC1/
> - operation getMsgChiffr set to something else
> It works fine when CXF runs as a client with the same WSDL. (CXF 2.6.1, CXF 2.7.1)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message