cxf-issues mailing list archives

From "Brian Storm Graversen (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-6398) AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
Date Mon, 11 May 2015 11:44:39 GMT
Brian Storm Graversen created CXF-6398:
------------------------------------------

             Summary: AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
                 Key: CXF-6398
                 URL: https://issues.apache.org/jira/browse/CXF-6398
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 3.0.5
            Reporter: Brian Storm Graversen


I'm receiving a response from a (.NET) webservice, where the security requirements are set
by a WS-SecurityPolicy section in the WSDL.

The response contains a set of Reference elements that have both the enveloped-signature
transform and the c14n transform, example below:

{code:xml}
	<Reference URI="#action">
		<Transforms>
			<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
			<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
		</Transforms>
		<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
		<DigestValue>1hj8fpM7T5rcOsNRPpnxA3p3AkM=</DigestValue>
	</Reference>
{code}

Unfortunately, the AlgorithmSuitePolicyValidator does not like the enveloped-signature transform,
and the response is rejected, exception shown below

{code}
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
	at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
	at client.WSClient.hello(WSClient.java:19)
	at client.WSClient.main(WSClient.java:12)
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
	at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)

{code}

I took a look at the AlgorithmSuitePolicyValidator that does the actual validation, and it
scans through all the Transforms, and rejects the Reference if ANY of the Transform elements
are not on an approved list.

Should it not just validate that the list of Transforms contains at least one transform that
is c14n (or similar), and allow the enveloped-signature transform?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
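
The two transform checks discussed in the report, side by side, as an added example that is not part of the original message and is not CXF's code. The class and method names are hypothetical, the policy's canonicalization algorithm is assumed to be exclusive c14n, and the sample References are constructed (with the XML-DSig namespace declared); `urn:example:unapproved-transform` is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class TransformCheckExample {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String ENVELOPED = DSIG_NS + "enveloped-signature";
    // Assumption: the policy's canonicalization algorithm is exclusive c14n.
    static final String POLICY_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";

    // Collect the Algorithm attribute of every ds:Transform in a Reference.
    static List<String> transforms(String referenceXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(referenceXml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(DSIG_NS, "Transform");
        List<String> algs = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) algs.add(((Element) nodes.item(i)).getAttribute("Algorithm"));
        return algs;
    }

    // Behaviour described in the report: any transform other than the policy c14n fails.
    static boolean strict(List<String> algs) {
        return algs.stream().allMatch(POLICY_C14N::equals);
    }

    // Alternative: enveloped-signature is tolerated, the policy c14n must be present, all else is rejected.
    static boolean allowEnveloped(List<String> algs) {
        return algs.contains(POLICY_C14N)
            && algs.stream().allMatch(a -> a.equals(POLICY_C14N) || a.equals(ENVELOPED));
    }

    static String reference(String... algs) {  // constructed sample, modelled on the report's Reference
        StringBuilder sb = new StringBuilder("<Reference xmlns=\"" + DSIG_NS + "\" URI=\"#action\"><Transforms>");
        for (String a : algs) sb.append("<Transform Algorithm=\"").append(a).append("\"/>");
        return sb.append("</Transforms></Reference>").toString();
    }

    public static void main(String[] args) throws Exception {
        String[][] samples = {{POLICY_C14N}, {ENVELOPED, POLICY_C14N}, {ENVELOPED, "urn:example:unapproved-transform"}};
        for (String[] s : samples) {
            List<String> algs = transforms(reference(s));
            System.out.println(algs + " strict=" + strict(algs) + " allowEnveloped=" + allowEnveloped(algs));
        }
    }
}
```

The second sample is the shape of Reference from the report; the third shows that tolerating enveloped-signature does not have to widen the allow-list to any other transform.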
