cxf-users mailing list archives

From TobiWan <tsd...@googlemail.com>
Subject Endpoint answers with "policy alternatives can not be satisfied" after sending X509 signed request
Date Mon, 29 Apr 2013 16:33:24 GMT
Hi there,

I'd like to implement a scenario where I'm trying to send an X509 signed
request to a server's endpoint which sends an X509 signed response back. At the
moment I'm always getting the following SOAP fault back from the server and
don't know what to do next:

org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied: 

{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
        at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
        at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:99)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:337)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:182)
        at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:163)
        at org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:141)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
        at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: 

{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
        at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:140)
        at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:96)
        at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
        ... 27 more

Unfortunately I'm pretty new to web services and also the CXF framework. As
long as I'm getting a significant exception everything is fine, but right
now I'm really stuck. Here's the policy part from the WSDL:

    <wsp:Policy wsu:Id="XXX">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:AsymmetricBinding
                    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:InitiatorToken>
                            <wsp:Policy>
                                <sp:X509Token
                                    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10 />
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:InitiatorToken>
                        <sp:RecipientToken>
                            <wsp:Policy>
                                <sp:X509Token
                                    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10 />
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:RecipientToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic256 />
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict />
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:OnlySignEntireHeadersAndBody />
                    </wsp:Policy>
                </sp:AsymmetricBinding>
                <sp:Wss10>
                    <wsp:Policy
                        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                        <sp:MustSupportRefIssuerSerial />
                    </wsp:Policy>
                </sp:Wss10>
                <sp:SignedParts
                    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <sp:Body />
                </sp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

I also generated a client and server keystore containing the following
stuff:

clientKeystore.jks:

Keystore-Typ: JKS
Keystore-Provider: SUN

Keystore enthält 2 Einträge

Aliasname: myservicekey
Erstellungsdatum: 26.04.2013
Eintragstyp: trustedCertEntry

Eigentümer: CN=localhost
Aussteller: CN=localhost
Seriennummer: 2f8abbf3
Gültig von: Fri Apr 26 15:47:59 CEST 2013 bis: Sun Apr 26 15:47:59 CEST 2015
Zertifikat-Fingerprints:
	 MD5:  28:AF:60:C7:56:30:B4:48:7F:30:7E:B4:A8:A9:2E:1F
	 SHA1: 45:F1:62:85:56:94:8E:FF:6D:00:BA:0D:8C:FF:5D:6E:02:11:8F:B8
	 SHA256:
65:9A:CF:F3:E2:19:03:56:BB:8C:04:0E:84:C3:EB:F4:96:F2:02:4D:B3:8A:52:DD:23:15:19:05:6E:C9:F5:75
	 Signaturalgorithmusname: SHA1withRSA
	 Version: 3

Erweiterungen: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 38 4F 49 C4 81 F6 26   CE 49 DC 85 A2 BE 3F AF  y8OI...&.I....?.
0010: 5B 15 A8 44                                        [..D
]
]



*******************************************
*******************************************


Aliasname: myclientkey
Erstellungsdatum: 26.04.2013
Eintragstyp: PrivateKeyEntry
Zertifikatkettenlänge: 1
Zertifikat[1]:
Eigentümer: CN=clientuser
Aussteller: CN=clientuser
Seriennummer: 683223da
Gültig von: Fri Apr 26 15:48:15 CEST 2013 bis: Sun Apr 26 15:48:15 CEST 2015
Zertifikat-Fingerprints:
	 MD5:  CF:BE:DA:AE:1B:7C:38:AC:76:DE:48:5A:6B:A6:C3:85
	 SHA1: 49:08:EA:B3:02:C0:11:17:14:43:A6:3E:E0:FE:B3:3E:86:93:93:77
	 SHA256:
0E:90:F1:27:EA:79:6D:27:35:F0:D3:6E:E1:E7:24:BC:94:D8:7B:FA:C4:B5:E5:D3:FF:4A:44:8F:D1:9E:27:43
	 Signaturalgorithmusname: SHA1withRSA
	 Version: 3

Erweiterungen: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EE 70 37 89 7C CA E5 42   33 52 89 51 46 A1 71 CE  .p7....B3R.QF.q.
0010: 30 C1 4F C0                                        0.O.
]
]



*******************************************
*******************************************


serviceKeystore.jks:

Keystore enthält 2 Einträge

Aliasname: myservicekey
Erstellungsdatum: 26.04.2013
Eintragstyp: PrivateKeyEntry
Zertifikatkettenlänge: 1
Zertifikat[1]:
Eigentümer: CN=localhost
Aussteller: CN=localhost
Seriennummer: 2f8abbf3
Gültig von: Fri Apr 26 15:47:59 CEST 2013 bis: Sun Apr 26 15:47:59 CEST 2015
Zertifikat-Fingerprints:
	 MD5:  28:AF:60:C7:56:30:B4:48:7F:30:7E:B4:A8:A9:2E:1F
	 SHA1: 45:F1:62:85:56:94:8E:FF:6D:00:BA:0D:8C:FF:5D:6E:02:11:8F:B8
	 SHA256:
65:9A:CF:F3:E2:19:03:56:BB:8C:04:0E:84:C3:EB:F4:96:F2:02:4D:B3:8A:52:DD:23:15:19:05:6E:C9:F5:75
	 Signaturalgorithmusname: SHA1withRSA
	 Version: 3

Erweiterungen: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 38 4F 49 C4 81 F6 26   CE 49 DC 85 A2 BE 3F AF  y8OI...&.I....?.
0010: 5B 15 A8 44                                        [..D
]
]



*******************************************
*******************************************


Aliasname: myclientkey
Erstellungsdatum: 26.04.2013
Eintragstyp: trustedCertEntry

Eigentümer: CN=clientuser
Aussteller: CN=clientuser
Seriennummer: 683223da
Gültig von: Fri Apr 26 15:48:15 CEST 2013 bis: Sun Apr 26 15:48:15 CEST 2015
Zertifikat-Fingerprints:
	 MD5:  CF:BE:DA:AE:1B:7C:38:AC:76:DE:48:5A:6B:A6:C3:85
	 SHA1: 49:08:EA:B3:02:C0:11:17:14:43:A6:3E:E0:FE:B3:3E:86:93:93:77
	 SHA256:
0E:90:F1:27:EA:79:6D:27:35:F0:D3:6E:E1:E7:24:BC:94:D8:7B:FA:C4:B5:E5:D3:FF:4A:44:8F:D1:9E:27:43
	 Signaturalgorithmusname: SHA1withRSA
	 Version: 3

Erweiterungen: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EE 70 37 89 7C CA E5 42   33 52 89 51 46 A1 71 CE  .p7....B3R.QF.q.
0010: 30 C1 4F C0                                        0.O.
]
]



*******************************************

As told in the docs I added all needed properties to client cxf.xml and
cxf-servlet.xml. Here's the content:

cxf.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:jaxws="http://cxf.apache.org/jaxws"
    xmlns:p="http://cxf.apache.org/policy"
    xmlns:wsp="http://www.w3.org/2006/07/ws-policy"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/jaxws
        http://cxf.apache.org/schemas/jaxws.xsd">

    <jaxws:client name="{URL}service" createdFromAPI="true">
        <jaxws:properties>
            <entry key="ws-security.callback-handler"
                value="core.webservice.sender.SoapMessageSenderCallback" />
            <entry key="ws-security.signature.properties"
                value="clientKeystore.properties" />
        </jaxws:properties>
        <jaxws:features>
            <bean class="org.apache.cxf.feature.LoggingFeature" />
        </jaxws:features>
    </jaxws:client>
</beans>

cxf-servlet.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:jaxws="http://cxf.apache.org/jaxws"
    xmlns:cxf="http://cxf.apache.org/core"
    xmlns:p="http://cxf.apache.org/policy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://cxf.apache.org/core
        http://cxf.apache.org/schemas/core.xsd
        http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

    <import resource="classpath:META-INF/cxf/cxf-extension-ws-security.xml" />
    <import resource="classpath:META-INF/cxf/cxf-extension-policy.xml" />

    <cxf:bus>
        <cxf:features>
            <p:policies ignoreUnknownAssertions="true" />
        </cxf:features>
    </cxf:bus>

    <jaxws:endpoint id="service" address="/service"
        implementor="core.webservice.receiver.SoapMessageReceiverImpl"
        wsdlLocation="WEB-INF/wsdl/service.wsdl">
        <jaxws:properties>
            <entry key="ws-security.callback-handler"
                value="core.webservice.receiver.SoapMessageReceiverCallback" />
            <entry key="ws-security.signature.properties"
                value="serviceKeystore.properties" />
        </jaxws:properties>
        <jaxws:features>
            <bean class="org.apache.cxf.feature.LoggingFeature" />
        </jaxws:features>
    </jaxws:endpoint>
</beans>

I'm using CXF 2.2, and client and endpoint are deployed in a JBoss-4.2.3-GA.
Can somebody give me a hint as to what might be the cause of this exception?
If you need more info, just ask and I'll post it.

Thanks in advance and regards,
Tobi



--
View this message in context: http://cxf.547215.n5.nabble.com/Endpoint-answers-with-policy-alternatives-can-not-be-satisfied-after-sending-X509-signed-request-tp5726909.html
Sent from the cxf-user mailing list archive at Nabble.com.
