Date: Thu, 20 Dec 2012 17:07:13 +0000 (UTC)
From: "Franck WIELGUS (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Subject: [jira] [Commented] (CXF-4715) WS-security encrypted elements with XPath . CXF generates wsu:Id attribute, XSD validation on Metro fails

    [ https://issues.apache.org/jira/browse/CXF-4715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13537160#comment-13537160 ]

Franck WIELGUS commented on CXF-4715:
-------------------------------------

I have a simpler example (see attached wsdl, CXF and Metro requests).

The associated stacktrace on the Metro server (2.2):

WARNING: Client Request doesn't pass Service's Schema Validation
org.xml.sax.SAXParseException; cvc-type.3.1.1: Element 'in' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'wsu:Id' was found.
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:198)
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:134)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:437)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:368)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:325)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:449)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3228)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processAttributes(XMLSchemaValidator.java:2678)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:2047)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:737)
	at com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.beginNode(DOMValidatorHelper.java:276)
	at com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.validate(DOMValidatorHelper.java:243)
	at com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.validate(DOMValidatorHelper.java:189)
	at com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorImpl.validate(ValidatorImpl.java:109)
	at javax.xml.validation.Validator.validate(Validator.java:124)
	at com.sun.xml.ws.util.pipe.AbstractSchemaValidationTube.doProcess(AbstractSchemaValidationTube.java:540)
	at com.sun.xml.ws.server.ServerSchemaValidationTube.processRequest(ServerSchemaValidationTube.java:125)
	at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
	at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
	at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
	at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
	at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:386)
	at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:640)
	at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:263)
	at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:218)
	at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
	at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194)
	at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:722)

> WS-security encrypted elements with XPath . CXF generates wsu:Id attribute, XSD validation on Metro fails
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-4715
>                 URL: https://issues.apache.org/jira/browse/CXF-4715
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.6.1, 2.7.1
>         Environment: JDK 1.7.0_02
>                      Windows 7
>                      Tomcat 6.0.29
>                      Metro 1.5 / 2.2 server
>            Reporter: Franck WIELGUS
>            Priority: Minor
>         Attachments: cxf_decrypted_request.txt, cxf_request.txt, helloclient.wsdl, metro_decrypted_request.txt, metro_request.txt
>
>
> The problem is related to WS-security policies enforcement by a CXF client and the generated message compared to what is expected by a Metro server when XSD validation is turned on.
> The following policy is used:
>
>                     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                         //*[local-name()='inputToEncrypt']
>
> CXF client encrypts the element matching the XPath expression, but it seems to add a "wsu:Id" attribute that is not allowed by Metro (not allowed by the XSD of "inputToEncrypt" element). When the server analyzes the request and tries to validate the message against the XSD, the following error appears:
> javax.xml.ws.WebServiceException: org.xml.sax.SAXParseException; cvc-complex-type.3.2.2 : L'attribut 'wsu:Id' n'est pas autorisé dans l'élément 'inputToEncrypt'.
> 	at com.sun.xml.ws.util.pipe.AbstractSchemaValidationTube.doProcess(AbstractSchemaValidationTube.java:242)
> 	at com.sun.xml.ws.util.pipe.AbstractSchemaValidationTube.processRequest(AbstractSchemaValidationTube.java:211)
> 	at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
> 	at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
> 	at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
> 	at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
> 	at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
> 	at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:471)
> 	at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
> 	at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
> 	at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:129)
> 	at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:160)
> 	at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:75)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> 	at java.lang.Thread.run(Thread.java:722)
> Caused by: org.xml.sax.SAXParseException; cvc-complex-type.3.2.2 : L'attribut 'wsu:Id' n'est pas autorisé dans l'élément 'inputToEncrypt'.
> 	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:198)
> 	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:134)
> 	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:437)
> 	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:368)
> 	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:325)
> 	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:449)
> 	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3228)
> 	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processAttributes(XMLSchemaValidator.java:2705)
> 	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:2047)
> 	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:737)
> 	at com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.beginNode(DOMValidatorHelper.java:276)
> 	at com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.validate(DOMValidatorHelper.java:243)
> 	at com.sun.org.apache.xerces.internal.jaxp.validation.DOMValidatorHelper.validate(DOMValidatorHelper.java:189)
> 	at com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorImpl.validate(ValidatorImpl.java:109)
> 	at javax.xml.validation.Validator.validate(Validator.java:124)
> 	at com.sun.xml.ws.util.pipe.AbstractSchemaValidationTube.doProcess(AbstractSchemaValidationTube.java:240)
> 	... 26 more
> The workaround is to delete @SchemaValidation in the service class on Metro server to disable XSD validation.
> A Metro client with the same policy does not have this behavior and the XSD validation is fine.