Date: Mon, 11 May 2015 11:44:39 +0000 (UTC)
From: "Brian Storm Graversen (JIRA)"
To: issues@cxf.apache.org
Subject: [jira] [Created] (CXF-6398) AlgorithmSuitePolicyValidator rejects enveloped-signature Transform

Brian Storm Graversen created CXF-6398:
------------------------------------------

             Summary: AlgorithmSuitePolicyValidator rejects enveloped-signature Transform
                 Key: CXF-6398
                 URL: https://issues.apache.org/jira/browse/CXF-6398
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 3.0.5
            Reporter: Brian Storm Graversen

I'm receiving a response from a (.NET) webservice, where the security requirements are set by a WS-SecurityPolicy section in the WSDL.
The response contains a set of Reference elements that have both the enveloped-signature transform and the c14n transform, example below

{code:xml}
1hj8fpM7T5rcOsNRPpnxA3p3AkM=
{code}

Unfortunately, the AlgorithmSuitePolicyValidator does not like the enveloped-signature transform, and the response is rejected, exception shown below

{code}
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
	at com.sun.proxy.$Proxy33.helloWorld(Unknown Source)
	at client.WSClient.hello(WSClient.java:19)
	at client.WSClient.main(WSClient.java:12)
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite: The transform algorithms do not match the requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Basic256
	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:203)
	at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
{code}

I took a look at the AlgorithmSuitePolicyValidator that does the actual validation, and it scans through all the Transforms, and rejects the Reference if ANY of the Transform elements are not on an approved list.
Should it not just validate that the list of Transforms contains at least one transform that is c14n (or similar), and allow the enveloped-signature transform?

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
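Added example (not part of the original report and not CXF's code): the three transform checks the report discusses, run over two constructed `ds:Reference` elements. The class name `TransformCheck`, the one-entry approved list (exclusive c14n only) and the sample References are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class TransformCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    static final String ENVELOPED = DS + "enveloped-signature";
    static final String XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116";

    // Constructed ds:Reference carrying the given Transform algorithms (sample input).
    static String reference(String... algorithms) {
        StringBuilder sb = new StringBuilder("<ds:Reference xmlns:ds=\"" + DS
            + "\" URI=\"#constructed-id\"><ds:Transforms>");
        for (String a : algorithms) {
            sb.append("<ds:Transform Algorithm=\"").append(a).append("\"/>");
        }
        return sb.append("</ds:Transforms></ds:Reference>").toString();
    }

    // Transform algorithm URIs of a ds:Reference, in document order.
    static List<String> transforms(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element ref = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        NodeList nodes = ref.getElementsByTagNameNS(DS, "Transform");
        List<String> uris = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            uris.add(((Element) nodes.item(i)).getAttribute("Algorithm"));
        }
        return uris;
    }

    public static void main(String[] args) throws Exception {
        Set<String> c14nOnly = Set.of(EXC_C14N);                 // assumed approved list
        Set<String> withEnveloped = Set.of(EXC_C14N, ENVELOPED); // same list plus one URI
        for (String xml : List.of(reference(ENVELOPED, EXC_C14N), reference(XSLT, EXC_C14N))) {
            List<String> t = transforms(xml);
            System.out.println(t);
            System.out.println("  every transform in {c14n}:            " + c14nOnly.containsAll(t));
            System.out.println("  at least one transform is c14n:       " + t.contains(EXC_C14N));
            System.out.println("  every transform in {c14n, enveloped}: " + withEnveloped.containsAll(t));
        }
    }
}
```

Only the third check accepts the Reference shape from the report while still rejecting the one that carries an XSLT transform; the "at least one c14n" check accepts both.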