cxf-users mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: SecureConversationInInterceptor removing all assertions
Date Tue, 18 Oct 2011 18:32:49 GMT


There definitely looks like a bug in here someplace, but I'm not 100% sure 
where or the cause.   It definitely needs to replace the Assertion map (since 
the policy may be very different), but it likely should go through the old map 
and re-assert any policies on the new map that were asserted on the old.   
That MAY fix it, I'm not really sure.   Is there any way you can create a test 
case?   Better yet, can you try the above and maybe submit a patch if that 
works?   You should just be able to walk the assertions in the old map, check 
if they exist in the new map, and assert them if they do.

Dan



On Tuesday, October 18, 2011 9:52:59 AM timmgrant wrote:
> Hi,
> 
> I am using CXF 2.4.3 with the following policy:
> 
> <wsp:Policy wsu:Id="WSHttpBinding_Blah_policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <sp:HttpsToken RequireClientCertificate="false" />
>             </wsp:Policy>
>           </sp:TransportToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>         </wsp:Policy>
>       </sp:TransportBinding>
>       <sp:EndorsingSupportingTokens
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:SecureConversationToken
>             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:BootstrapPolicy>
>                 <wsp:Policy>
>                   <sp:SignedParts>
>                     <sp:Body />
>                     <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>                   </sp:SignedParts>
>                   <sp:EncryptedParts>
>                     <sp:Body />
>                   </sp:EncryptedParts>
>                   <sp:TransportBinding>
>                     <wsp:Policy>
>                       <sp:TransportToken>
>                         <wsp:Policy>
>                           <sp:HttpsToken RequireClientCertificate="false" />
>                         </wsp:Policy>
>                       </sp:TransportToken>
>                       <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                           <sp:Basic256 />
>                         </wsp:Policy>
>                       </sp:AlgorithmSuite>
>                       <sp:Layout>
>                         <wsp:Policy>
>                           <sp:Strict />
>                         </wsp:Policy>
>                       </sp:Layout>
>                       <sp:IncludeTimestamp />
>                     </wsp:Policy>
>                   </sp:TransportBinding>
>                   <sp:EndorsingSupportingTokens>
>                     <wsp:Policy>
>                       <sp:X509Token
>                         sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                         <wsp:Policy>
>                           <sp:RequireThumbprintReference />
>                           <sp:WssX509V3Token10 />
>                         </wsp:Policy>
>                       </sp:X509Token>
>                       <sp:SignedParts>
>                         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                       </sp:SignedParts>
>                     </wsp:Policy>
>                   </sp:EndorsingSupportingTokens>
>                   <sp:Wss11>
>                     <wsp:Policy>
>                       <sp:MustSupportRefKeyIdentifier />
>                       <sp:MustSupportRefIssuerSerial />
>                       <sp:MustSupportRefThumbprint />
>                       <sp:MustSupportRefEncryptedKey />
>                     </wsp:Policy>
>                   </sp:Wss11>
>                   <sp:Trust10>
>                     <wsp:Policy>
>                       <sp:MustSupportIssuedTokens />
>                       <sp:RequireClientEntropy />
>                       <sp:RequireServerEntropy />
>                     </wsp:Policy>
>                   </sp:Trust10>
>                 </wsp:Policy>
>               </sp:BootstrapPolicy>
>             </wsp:Policy>
>           </sp:SecureConversationToken>
>           <sp:SignedParts>
>             <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>           </sp:SignedParts>
>         </wsp:Policy>
>       </sp:EndorsingSupportingTokens>
>       <sp:Wss11
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier />
>           <sp:MustSupportRefIssuerSerial />
>           <sp:MustSupportRefThumbprint />
>           <sp:MustSupportRefEncryptedKey />
>         </wsp:Policy>
>       </sp:Wss11>
>       <sp:Trust10
>         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens />
>           <sp:RequireClientEntropy />
>           <sp:RequireServerEntropy />
>         </wsp:Policy>
>       </sp:Trust10>
>       <wsaw:UsingAddressing />
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> 
> However I am getting the following error:
> 
> These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}HttpsToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EndorsingSupportingTokens
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss11
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Trust10
> 
> I am 99% certain the request message is fine and when I debug I can see that
> all the policies are being satisfied however the
> SecureConversationInInterceptor is then replacing the AssertionInfoMap (line
> 252). Then when the PolicyVerificationInInterceptor checks that the
> assertions have been satisfied they all fail because it has been replaced
> with the new assertioninfomap.  I'm at a bit of a loss as to whether this
> is a bug or if I've missed something?
> 
> Any ideas?
> 
> Cheers,
> Tim
> 
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/SecureConversationInInterceptor-removing-all-assertions-tp4914500p4914500.html
> Sent from the cxf-user mailing list archive at Nabble.com.
-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com
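
The re-assertion walk suggested in the reply above, as an added example that is not CXF code and not part of either message. `Info`, `newMap`, `carryOver` and `unsatisfied` are hypothetical stand-ins that model an assertion map keyed by assertion name with an asserted flag per entry; the sample assertion names are constructed from the error list in the quoted message.

```java
import java.util.*;

public class ReassertDemo {
    // Hypothetical stand-in for one tracked policy assertion and its asserted flag.
    static final class Info {
        final String qname;
        boolean asserted;
        Info(String qname) { this.qname = qname; }
    }

    // Build a fresh map (name -> infos) with nothing asserted, as for a newly selected policy.
    static Map<String, List<Info>> newMap(String... names) {
        Map<String, List<Info>> m = new LinkedHashMap<>();
        for (String n : names) m.computeIfAbsent(n, k -> new ArrayList<>()).add(new Info(n));
        return m;
    }

    // Walk the old map; for each asserted name that also exists in the new map, assert it there.
    // Matching is by name only (assumption of this example): a same-named assertion with
    // different nested content is also marked, and names absent from the old map stay unasserted.
    static void carryOver(Map<String, List<Info>> oldMap, Map<String, List<Info>> replacement) {
        for (Map.Entry<String, List<Info>> e : oldMap.entrySet()) {
            boolean wasAsserted = e.getValue().stream().anyMatch(i -> i.asserted);
            List<Info> targets = replacement.get(e.getKey());
            if (wasAsserted && targets != null) targets.forEach(i -> i.asserted = true);
        }
    }

    // What a later verification step would report: names with no asserted entry.
    static List<String> unsatisfied(Map<String, List<Info>> m) {
        List<String> out = new ArrayList<>();
        m.forEach((k, v) -> { if (v.stream().noneMatch(i -> i.asserted)) out.add(k); });
        return out;
    }

    public static void main(String[] args) {
        String ns = "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}";
        // Constructed sample: the earlier interceptors satisfied everything in the old map.
        Map<String, List<Info>> oldMap = newMap(ns + "TransportBinding", ns + "HttpsToken", ns + "Layout");
        oldMap.values().forEach(l -> l.forEach(i -> i.asserted = true));
        // The map is then replaced with one built from a different policy.
        Map<String, List<Info>> replaced = newMap(ns + "TransportBinding", ns + "HttpsToken", ns + "X509Token");
        System.out.println("unsatisfied after replace:    " + unsatisfied(replaced));
        carryOver(oldMap, replaced);
        System.out.println("unsatisfied after carry-over: " + unsatisfied(replaced));
    }
}
```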
