cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Charles Moulliard (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CXF-6873) PolicyVerificationInInterceptor ERROR Inbound policy verification failed: These policy alternatives can not be satisfied
Date Tue, 19 Apr 2016 16:41:25 GMT

     [ https://issues.apache.org/jira/browse/CXF-6873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Charles Moulliard resolved CXF-6873.
------------------------------------
    Resolution: Fixed

Here is the correct syntax to be used including the <sp:LaxTsLast/> 

{code}
<?xml version="1.0"?>
<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wsp="http://www.w3.org/ns/ws-policy" wsu:Id="RequiredPartsPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding>
                <wsp:Policy>
                    <!-- The specified token populates the [Initiator Signature Token]
property and is used for the message signature from initiator to recipient. -->
                    <sp:InitiatorSignatureToken>
                        <wsp:Policy>
                            <sp:X509Token
                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <!-- X509 Version 3 token should be used -->
                                    <sp:WssX509V3Token10/>
                                    <!-- An issuer serial reference is required when referencing
this token and is generated as such :
                                    <wsse:SecurityTokenReference wsu:Id="STR-0c1b9c80-f6c3-459b-a9ca-868add284ba2">
                                       <ds:X509Data>
                                           <ds:X509IssuerSerial>
                                               <ds:X509IssuerName>
                                                   CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
                                               </ds:X509IssuerName>
                                               <ds:X509SerialNumber>863863773</ds:X509SerialNumber>
                                           </ds:X509IssuerSerial>
                                       </ds:X509Data>
                                   </wsse:SecurityTokenReference>
                                    -->
                                    <sp:RequireIssuerSerialReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorSignatureToken>
                    <sp:RecipientSignatureToken>
                        <wsp:Policy>
                            <sp:X509Token
                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                <wsp:Policy>
                                    <!-- X509 Version 3 token should be used -->
                                    <sp:WssX509V3Token10/>
                                    <!-- An issuer serial reference is required when referencing
this token -->
                                    <sp:RequireIssuerSerialReference/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientSignatureToken>
                    <sp:Layout>
                        <wsp:Policy>
                            <!-- As Lax except that the last item in the security header
MUST be a wsse:Timestamp. Note that the [Timestamp] property MUST also be set to 'true' in
this case. -->
                            <sp:LaxTsLast/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <!-- Algorithm to be used to sign the message -->
                            <sp:Basic128/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:IncludeTimestamp/>
                    <sp:SupportingTokens>
                        <wsp:Policy>
                            <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:HashPassword/>
                                </wsp:Policy>
                            </sp:UsernameToken>
                        </wsp:Policy>
                    </sp:SupportingTokens>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <!-- Elements to be signed -->
            <sp:SignedParts>
                <sp:Body/>
                <sp:Header Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
Name="Timestamp"/>
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
{code}

> PolicyVerificationInInterceptor ERROR Inbound policy verification failed: These policy
alternatives can not be satisfied
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6873
>                 URL: https://issues.apache.org/jira/browse/CXF-6873
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.0.4, 3.1.5
>            Reporter: Charles Moulliard
>
> The PolicyVerificationInInterceptor of the Interceptor of the Client reports this error
when it gets the Server response 
> {code}
> [                          main] PhaseInterceptorChain          WARN  Interceptor for
{http://jboss.org/HelloWorld}GreeterService#{http://jboss.org/HelloWorld}greetMe has thrown
exception, unwinding now
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:

> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received
Timestamp does not match the requirements
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorSignatureToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientSignatureToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body
not SIGNED
> 	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
> 	at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
> 	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> 	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
> {code}
> This error is related to the fact that the Server doesn't generate the required information
needed by the client 
> Response
> {code}
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>     <wsse:Security
>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             soap:mustUnderstand="1">
>         <wsu:Timestamp wsu:Id="TS-48744ea4-5dfa-4910-97c1-88a3ba2b224b">
>             <wsu:Created>2016-04-19T14:13:50.848Z</wsu:Created>
>             <wsu:Expires>2016-04-19T14:18:50.848Z</wsu:Expires>
>         </wsu:Timestamp>
>     </wsse:Security>
> </SOAP-ENV:Header>
> <soap:Body>
>     <greetMeResponse xmlns="http://jboss.org/HelloWorld/types">
>         <responseType>Hello Charles</responseType>
>     </greetMeResponse>
> </soap:Body>
> </soap:Envelope>
> {code}
> Here is the WSSecurityPolicy that I'm using to configure the JAXWS Client/Server beans.
this policy is used to generate a TimeStamp, a username Token with a hashed password and the
Body, Timestamp are signed
> {code}
> <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>             xmlns:wsp="http://www.w3.org/ns/ws-policy" wsu:Id="RequiredPartsPolicy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:AsymmetricBinding>
>                 <wsp:Policy>
>                     <!-- The specified token populates the [Initiator Signature Token]
property and is used for the message signature from initiator to recipient. -->
>                     <sp:InitiatorSignatureToken>
>                         <wsp:Policy>
>                             <sp:X509Token
>                                     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                 <wsp:Policy>
>                                     <!-- X509 Version 3 token should be used -->
>                                     <sp:WssX509V3Token10/>
>                                     <!-- An issuer serial reference is required when
referencing this token and is generated as such :
>                                     <wsse:SecurityTokenReference wsu:Id="STR-0c1b9c80-f6c3-459b-a9ca-868add284ba2">
>                                        <ds:X509Data>
>                                            <ds:X509IssuerSerial>
>                                                <ds:X509IssuerName>
>                                                    CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
>                                                </ds:X509IssuerName>
>                                                <ds:X509SerialNumber>863863773</ds:X509SerialNumber>
>                                            </ds:X509IssuerSerial>
>                                        </ds:X509Data>
>                                    </wsse:SecurityTokenReference>
>                                     -->
>                                     <sp:RequireIssuerSerialReference/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:InitiatorSignatureToken>
>                     <sp:RecipientSignatureToken>
>                         <wsp:Policy>
>                             <sp:X509Token
>                                     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                                 <wsp:Policy>
>                                     <!-- X509 Version 3 token should be used -->
>                                     <sp:WssX509V3Token10/>
>                                     <!-- An issuer serial reference is required when
referencing this token -->
>                                     <sp:RequireIssuerSerialReference/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:RecipientSignatureToken>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Lax/>
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <!-- Algorithm to be used to sign the message -->
>                             <sp:Basic128/>
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                     <!-- Include within the WSSE Header a TimeStamp -->
>                     <sp:IncludeTimestamp/>
>                     <sp:SignedSupportingTokens>
>                         <wsp:Policy>
>                             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                 <wsp:Policy>
>                                     <sp:HashPassword/>
>                                 </wsp:Policy>
>                             </sp:UsernameToken>
>                         </wsp:Policy>
>                     </sp:SignedSupportingTokens>
>                 </wsp:Policy>
>             </sp:AsymmetricBinding>
>             <!-- Elements to be signed -->
>             <sp:SignedParts>
>                 <sp:Body/>
>                 <sp:Header
>                         Namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                         Name="Timestamp"/>
>             </sp:SignedParts>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
> {code}
> Here is the SOAP Request generated by the client
> {code}
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>     <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>         <wsse:Security
>                 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>             <wsu:Timestamp wsu:Id="TS-fb62d8a5-7000-4a7b-9b74-484de7744159">
>                 <wsu:Created>2016-04-19T14:13:50.122Z</wsu:Created>
>                 <wsu:Expires>2016-04-19T14:18:50.122Z</wsu:Expires>
>             </wsu:Timestamp>
>             <wsse:UsernameToken wsu:Id="UsernameToken-418f33ae-f291-4671-aaae-56c769fab274">
>                 <wsse:Username>cmoulliard</wsse:Username>
>                 <wsse:Password
>                         Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
>                     NlBUyEfQJS8NoBc/9zqk0ea6NsU=
>                 </wsse:Password>
>                 <wsse:Nonce
>                         EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
>                     +ex+MdsXUER0SlSebV+m9w==
>                 </wsse:Nonce>
>                 <wsu:Created>2016-04-19T14:13:50.151Z</wsu:Created>
>             </wsse:UsernameToken>
>             <wsse:BinarySecurityToken
>                     EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>                     wsu:Id="X509-8590f6a8-03e0-43d3-b9b9-36de71fd462a">
>                 MIIDezCCAmOgAwIBAgIEM32D3TANBgkqhkiG9w0BAQsFADBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTYwNDA2MDkzMDA0WhcNMTYwNzA1MDkzMDA0WjBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9DOFY0p6B//FzN21lp2jRFtzC70FmmFuWIHAkUzyougtsmVcLybhvh6B58WMWVJxFn1rPRYFS5VHybGUD06eYV8uMTllUw59U7nNTaYqr+xfKPXYqKkTqIEKC+gNNGm25NXXp48zq5+RXDQOffqE4q0bBL8tQxX+MkDxxdlBGWG+MkCscRNmt0cNnWZR/+aWz70c+MV4l0XbKruw7KuLttTvnuqIyT5/adv4zQkf8fKEqenREMZc6Vj8OVVt3/SxEj6Dfm3VO7LgxUg4gEnO4FpUSHYRclNYxH7BX81OveuALbiMjC6XmuUuw6EZLK8EuSNqzdZ7YVrvSE5RA6SbvAgMBAAGjITAfMB0GA1UdDgQWBBQ2CsMYRH1lVh+oWCC8kd5YlITAqTANBgkqhkiG9w0BAQsFAAOCAQEAH9jcis/n8jrj9A/NJ38QdM6ymTEEHaKvDdbMi3j+Ms6q5RJdVJ9ZKYdlPTgCgD+SgkpuoMZ2Dbe5hddouNV7FUdeN29fO00sGYtmHeT9vr4e6Z6ciYqM37BeeTm/c8KHpi+hscPtk86a66d4Zxwbty0d4C0WbjlBDPMlx73rOMiQZZOEdZj+c7q2r7HjSHsSb/gVXX/rDpWzpcPxWvMMiVnhOHEb8yNJZzIScTEF0QBmPatyXvNpldO7wgVPZ8pt0ev0WgVTjAwsFb51J3BHLaM/SaSjy+PMd0x7juakAP4od3zg7/LK1I2ArcAd06P/mI/88Dbm/CCcUBnZxLn7Aw==
>             </wsse:BinarySecurityToken>
>             <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>                           Id="SIG-1e0b76c1-9a21-410e-bcc3-c3b6d50f3df4">
>                 <ds:SignedInfo>
>                     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                         <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                                                 PrefixList="soap"/>
>                     </ds:CanonicalizationMethod>
>                     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                     <ds:Reference URI="#TS-fb62d8a5-7000-4a7b-9b74-484de7744159">
>                         <ds:Transforms>
>                             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                                                         PrefixList="wsse soap"/>
>                             </ds:Transform>
>                         </ds:Transforms>
>                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                         <ds:DigestValue>Zz8butLavsU8pUGLUPgmmxDBjsk=</ds:DigestValue>
>                     </ds:Reference>
>                     <ds:Reference URI="#UsernameToken-418f33ae-f291-4671-aaae-56c769fab274">
>                         <ds:Transforms>
>                             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                                                         PrefixList="soap"/>
>                             </ds:Transform>
>                         </ds:Transforms>
>                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                         <ds:DigestValue>y6y/lKinEcuJIc+Zbtvmq/gZPZI=</ds:DigestValue>
>                     </ds:Reference>
>                     <ds:Reference URI="#_2ef50453-a254-494c-ad77-be6ac9a37b9d">
>                         <ds:Transforms>
>                             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                                                         PrefixList=""/>
>                             </ds:Transform>
>                         </ds:Transforms>
>                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                         <ds:DigestValue>8xtLX+pO7fQmIV4WPyAXCz8mBlI=</ds:DigestValue>
>                     </ds:Reference>
>                 </ds:SignedInfo>
>                 <ds:SignatureValue>
>                     fWyWo0mSjOVVPzun/OZaaRJ6w4+H74xaoqdG6Jzq7UIDm3LCbFF7cWz+6dZw/ajkb40xHPeYIbU1THXwOjKNr8OiPDQUIjKKgioIr2uYax3eZLO1GcBz6rct4dC0jfQUivGEzqbo/P+C9t+AQKboldVF6LvlnAcbk8RWo9uBeUpz1Bipotau/LovVgb4RuO/YmSO2fyQhRhnihvVmpkZ5NFq9cfy85KcQFuWYVjxRgLY9NprN9hOeeD8ARiWsOfIt7OIBPNcGGh6FwKumzWjNgKfYNurs2xVDAxVkTz/NUGt0sUBfSRbAL44LmYKfxH29sf08YwTeWGa+wutC67DRg==
>                 </ds:SignatureValue>
>                 <ds:KeyInfo Id="KI-915ac155-0866-48f2-980e-2c094f5f3d05">
>                     <wsse:SecurityTokenReference wsu:Id="STR-d1334971-113b-4fc2-bd60-f33355293b7d">
>                         <ds:X509Data>
>                             <ds:X509IssuerSerial>
>                                 <ds:X509IssuerName>
>                                     CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
>                                 </ds:X509IssuerName>
>                                 <ds:X509SerialNumber>863863773</ds:X509SerialNumber>
>                             </ds:X509IssuerSerial>
>                         </ds:X509Data>
>                     </wsse:SecurityTokenReference>
>                 </ds:KeyInfo>
>             </ds:Signature>
>         </wsse:Security>
>     </SOAP-ENV:Header>
>     <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                wsu:Id="_2ef50453-a254-494c-ad77-be6ac9a37b9d">
>         <greetMe xmlns="http://jboss.org/HelloWorld/types">
>             <requestType>Charles</requestType>
>         </greetMe>
>     </soap:Body>
> </soap:Envelope>
> {code}
> The problem disappears if I remove the tag <sp:IncludeTimestamp/> but of course
no signed TimeStamp will be included within the SOAP Request message 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message