cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6327) Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions
Date Wed, 15 Apr 2015 12:47:58 GMT

    [ https://issues.apache.org/jira/browse/CXF-6327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14496131#comment-14496131 ]

Colm O hEigeartaigh commented on CXF-6327:
------------------------------------------


Fixed in WSS4J: https://issues.apache.org/jira/browse/WSS-534

Some additional fixes also made in CXF.

Colm.

> Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions
> ------------------------------------------------------------------------------------------
>
>                 Key: CXF-6327
>                 URL: https://issues.apache.org/jira/browse/CXF-6327
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.4
>            Reporter: Stefan Pröls
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.1.0, 3.0.5
>
>
> Parsing WS-Security Policies containing EndorsingSupportingTokens with more than one token assertion in its nested Policy throws a "java.lang.IllegalArgumentException: Invalid Policy".
> Here is a WSDL test-case:
> https://rheaavs.element44.net/AvsMpsService_R1_Variante2.wsdl
> The sp:EndorsingSupportingTokens/wsp:Policy has 2 token assertions as children: a sp:X509Token and a sp:IssuedToken. Apparently CXF doesn't like that.
> If I either remove one of these token assertions or put a wsp:ExactlyOne around them, the exception will not be thrown and the SOAP-Request will be sent but the remote server will not accept the message and return an InvalidSecurity SOAP-Fault. Putting a wsp:ExactlyOne/wsp:All around the 2 tokens will cause the exception to be thrown again.
> According to the specification I cannot see anything wrong with this Policy. See http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.html Section 8.3:
> <sp:EndorsingSupportingTokens xmlns:sp="..." ... >
>   <wsp:Policy xmlns:wsp="...">
>     [Token Assertion]+
>     <sp:AlgorithmSuite ... > ... </sp:AlgorithmSuite> ?
>     (
>       <sp:SignedParts ... > ... </sp:SignedParts> |
>       <sp:SignedElements ... > ... </sp:SignedElements> |
>       <sp:EncryptedParts ... > ... </sp:EncryptedParts> |
>       <sp:EncryptedElements ... > ... </sp:EncryptedElements> |
>       <sp:ContentEncryptedElements ... > ... </sp:ContentEncryptedElements>
>     ) *
>     ...
>   </wsp:Policy>
>   ...
> </sp:EndorsingSupportingTokens>
> ...
> /sp:EndorsingSupportingTokens/wsp:Policy/[Token Assertion]
>   The policy MUST identify one or more token assertions.
> This bug currently makes it impossible to access WebServices using such a SecurityPolicy for me as I couldn't find a client-side workaround.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
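
An added example, not part of the original message and not CXF or WSS4J code: it expands the three policy shapes mentioned in the report into WS-Policy alternatives, where wsp:Policy and wsp:All require every child and wsp:ExactlyOne selects one, to show which endorsing token combinations each shape expresses. The XML fragments are constructed samples, the namespace URIs are filled in as assumptions (the report elides them), and the function names are hypothetical.

```python
import itertools
import xml.etree.ElementTree as ET

# Constructed sample fragments; not taken from the WSDL linked in the report.
NS = ('xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" '
      'xmlns:wsp="http://www.w3.org/ns/ws-policy"')
BARE = f"""<sp:EndorsingSupportingTokens {NS}><wsp:Policy>
  <sp:X509Token/><sp:IssuedToken/>
</wsp:Policy></sp:EndorsingSupportingTokens>"""
EXACTLY_ONE = f"""<sp:EndorsingSupportingTokens {NS}><wsp:Policy><wsp:ExactlyOne>
  <sp:X509Token/><sp:IssuedToken/>
</wsp:ExactlyOne></wsp:Policy></sp:EndorsingSupportingTokens>"""
EXACTLY_ONE_ALL = f"""<sp:EndorsingSupportingTokens {NS}><wsp:Policy><wsp:ExactlyOne><wsp:All>
  <sp:X509Token/><sp:IssuedToken/>
</wsp:All></wsp:ExactlyOne></wsp:Policy></sp:EndorsingSupportingTokens>"""


def local(el):
    """Element name without its namespace, so any wsp/sp version matches."""
    return el.tag.rsplit("}", 1)[-1]


def alternatives(el):
    """Return the policy alternatives under el as lists of assertion names."""
    name = local(el)
    if name in ("Policy", "All"):
        # Every child must hold: cross product of the children's alternatives.
        child_alts = [alternatives(c) for c in el]
        return [sum(combo, []) for combo in itertools.product(*child_alts)]
    if name == "ExactlyOne":
        # Exactly one child holds: concatenate the children's alternatives.
        return [alt for c in el for alt in alternatives(c)]
    return [[name]]  # leaf assertion; its own nested policy is not expanded


def endorsing_token_alternatives(xml_text):
    """Token assertions required by each alternative of the nested wsp:Policy."""
    root = ET.fromstring(xml_text)
    policy = next(c for c in root if local(c) == "Policy")
    # Heuristic (assumption): token assertion names end in "Token".
    return [[a for a in alt if a.endswith("Token")]
            for alt in alternatives(policy)]
```

For the constructed samples, the bare form and the wsp:ExactlyOne/wsp:All form each yield a single alternative containing both tokens, while the plain wsp:ExactlyOne form yields two alternatives with one token each.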
