cxf-users mailing list archives

From Jason Pell <ja...@pellcorp.com>
Subject Re: RequireClientCertificate confusion
Date Tue, 23 Oct 2012 02:41:30 GMT
patch attached

On Tue, Oct 23, 2012 at 1:33 PM, Jason Pell <jason@pellcorp.com> wrote:
> https://issues.apache.org/jira/browse/CXF-4595
>
> I will attach a test case to prove the issue asap
>
>
>
> On Tue, Oct 23, 2012 at 1:13 PM, Jason Pell <jason@pellcorp.com> wrote:
>> My namespaces look like:
>>
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>>
>>
>>
>> On Tue, Oct 23, 2012 at 1:12 PM, Jason Pell <jason@pellcorp.com> wrote:
>>> Hi,
>>>
>>> I am debugging 2.7.1 trunk to try and figure out why my
>>> RequireClientCertificate="true" appears to be ignored.
>>>
>>> My policy looks like:
>>>
>>> <wsp:Policy wsu:Id="SslWithUsernamePasswordToken">
>>>   <wsp:ExactlyOne>
>>>     <wsp:All>
>>>       <sp:TransportBinding>
>>>         <wsp:Policy>
>>>           <sp:TransportToken>
>>>             <wsp:Policy>
>>>               <sp:HttpsToken RequireClientCertificate="true" />
>>>             </wsp:Policy>
>>>           </sp:TransportToken>
>>>           <sp:AlgorithmSuite>
>>>             <wsp:Policy>
>>>               <sp:Basic256 />
>>>             </wsp:Policy>
>>>           </sp:AlgorithmSuite>
>>>
>>>           <sp:IncludeTimestamp />
>>>         </wsp:Policy>
>>>       </sp:TransportBinding>
>>>
>>>     </wsp:All>
>>>   </wsp:ExactlyOne>
>>> </wsp:Policy>
>>>
>>> I can see in the HttpsTokenInInterceptor that because there is no
>>> client token, the AssertionInfo is not being asserted, which I assume
>>> means it should raise a policy error.
>>>
>>> However in the TransportBindingPolicyValidator it overrides this and
>>> actually sets the AssertionInfo that was not asserted to true!
>>>
>>> If I disable the second line, I get an exception because no client
>>> certificate is present.
>>>
>>> Index: src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
>>> ===================================================================
>>> --- src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
       (revision
>>> 1400641)
>>> +++ src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
       (working
>>> copy)
>>> @@ -68,7 +68,7 @@
>>>              // HttpsToken is validated by the HttpsTokenInterceptorProvider
>>>              if (binding.getTransportToken() != null) {
>>>                  assertPolicy(aim, binding.getTransportToken());
>>> -                assertPolicy(aim, binding.getTransportToken().getToken());
>>> +            //    assertPolicy(aim, binding.getTransportToken().getToken());
>>>              }
>>>
>>>              // Check the AlgorithmSuite
>>>
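Review bot: commenting out the `assertPolicy(aim, binding.getTransportToken().getToken())` call in this hunk leaves dead code behind and still does not reconcile the line with the comment two lines above it (`// HttpsToken is validated by the HttpsTokenInterceptorProvider`); if the HttpsToken assertion belongs to the HttpsToken interceptor, delete the line outright and keep only `assertPolicy(aim, binding.getTransportToken())` for the TransportToken wrapper. The defect this hunk is probing is that the validator unconditionally re-asserts the token after the in-interceptor has deliberately left it unasserted for a request that arrived with no client certificate, so a request that should fail `RequireClientCertificate="true"` is accepted; whichever form the final fix takes, it should ship with a regression test that sends a request over TLS without a client certificate and expects a policy fault, since that is the behaviour this change is meant to restore.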
>>> This is obviously not a complete patch, but it does, I hope, prove that
>>> there is an issue with client cert validation.  I shall open up a jira
>>> for this, but I don't feel confident enough to try and
>>> provide a patch without guidance as this is definitely an area I am
>>> not very familiar with.
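The thread turns on two things a practitioner would want to verify before and after any fix: that the policy really demands a client certificate in the namespace it is written in, and that the per-request decision (no client certificate presented, policy requires one) ends in a rejection that nothing downstream overrides. The script below is an added example, not CXF code and not part of the original message; it lints a policy fragment for the HttpsToken requirement and models that accept/reject decision. Everything it assumes beyond the thread is labelled: the WS-SecurityPolicy 1.2 namespace spelling, where the requirement is a nested `<sp:RequireClientCertificate/>` element rather than an attribute, and the `POLICY_*` samples, which are constructed for the example (the first one condenses the policy posted above).

```python
"""Added example (not CXF code): lint a WS-SecurityPolicy fragment for the
HttpsToken client-certificate requirement and model the per-request decision
that the transport layer must make once the requirement is known."""
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
# Namespace used in the thread (WS-SecurityPolicy 1.1): requirement is an attribute.
SP11 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
# Assumption for this example: the WS-SecurityPolicy 1.2 namespace, where the same
# requirement is spelled as a nested <sp:RequireClientCertificate/> assertion.
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"


def _policy(ns, https_token_xml):
    """Wrap an HttpsToken fragment in the TransportBinding skeleton from the thread."""
    return ('<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s"><wsp:ExactlyOne><wsp:All>'
            '<sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>'
            '%s</wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>'
            '</wsp:All></wsp:ExactlyOne></wsp:Policy>') % (WSP, ns, https_token_xml)


# Constructed samples (not from the thread except the first, which condenses it).
POLICY_THREAD = _policy(SP11, '<sp:HttpsToken RequireClientCertificate="true"/>')
POLICY_SP11_NONE = _policy(SP11, '<sp:HttpsToken RequireClientCertificate="false"/>')
POLICY_SP12_ATTR = _policy(SP12, '<sp:HttpsToken RequireClientCertificate="true"/>')
POLICY_SP12_ELEM = _policy(
    SP12, '<sp:HttpsToken><wsp:Policy><sp:RequireClientCertificate/></wsp:Policy></sp:HttpsToken>')


def _https_tokens(root):
    """Yield (namespace, element) for every sp:HttpsToken in either namespace."""
    for ns in (SP11, SP12):
        for token in root.iter("{%s}HttpsToken" % ns):
            yield ns, token


def lint_https_token(policy_xml):
    """Warn about spellings of the requirement that the namespace in use does not
    define; a policy engine would silently ignore them, and the service would run
    without a client-certificate requirement while the author believes it has one."""
    root = ET.fromstring(policy_xml)
    warnings = []
    seen = False
    for ns, token in _https_tokens(root):
        seen = True
        has_attr = "RequireClientCertificate" in token.attrib
        has_elem = token.find(".//{%s}RequireClientCertificate" % ns) is not None
        if ns == SP12 and has_attr:
            warnings.append("sp 1.2 HttpsToken: RequireClientCertificate attribute is not "
                            "defined in this namespace; use a nested <sp:RequireClientCertificate/>")
        if ns == SP11 and has_elem:
            warnings.append("sp 1.1 HttpsToken: nested RequireClientCertificate element is not "
                            "defined in this namespace; use RequireClientCertificate=\"true\"")
    if not seen:
        warnings.append("no sp:HttpsToken found in either namespace")
    return warnings


def client_cert_required(policy_xml):
    """True when the policy, read strictly in its own namespace, demands a client cert."""
    root = ET.fromstring(policy_xml)
    for ns, token in _https_tokens(root):
        if ns == SP11 and token.get("RequireClientCertificate", "false").lower() == "true":
            return True
        if ns == SP12 and token.find(".//{%s}RequireClientCertificate" % ns) is not None:
            return True
    return False


def https_token_asserted(policy_xml, over_tls, client_cert_presented):
    """The per-request decision the thread attributes to HttpsTokenInInterceptor:
    the HttpsToken assertion holds only if the request came over TLS and, when the
    policy requires it, the handshake actually produced a client certificate.
    Returns (asserted, reason); a later validator re-asserting a False result
    is exactly the override the thread describes."""
    if not over_tls:
        return False, "request not over HTTPS"
    if client_cert_required(policy_xml) and not client_cert_presented:
        return False, "policy requires a client certificate but none was presented"
    return True, "ok"


if __name__ == "__main__":
    for name, pol in [("thread", POLICY_THREAD), ("sp12-attr", POLICY_SP12_ATTR),
                      ("sp12-elem", POLICY_SP12_ELEM)]:
        print(name, "requires cert:", client_cert_required(pol), lint_https_token(pol))
        print("   TLS, no client cert ->", https_token_asserted(pol, True, False))
```

Run it against the real policy file before and after applying a fix: `client_cert_required` tells you whether the document says what you think it says, and `https_token_asserted(policy, True, False)` is the case (TLS, no client certificate) that the thread shows being accepted instead of rejected.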
