ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: cxf client using StAX and ws-security policy fails in PolicyEnforcer when processing server response
Date Wed, 14 Aug 2019 13:03:39 GMT
Do you have a test-case that reproduces the problem that we could look at?
You shouldn't really need to work with PolicyEnforcer itself. To answer
your question though, yes PolicyEnforcer needs to know whether it's the
initiator or not - there is a "boolean initiator" in the constructor.

Colm.

On Wed, Aug 7, 2019 at 5:48 PM Erik Lund Jensen <info@erikjensen.it> wrote:

> Hi
>
> I have upgraded an old ws-security cxf client application to Java 11. It
> now uses StAX and builds a policy and sets the
> PolicyConstants.POLICY_OVERRIDE at the client's requestContext.
>
> It almost works, however, when getting to processing the response from the
> server then the PolicyEnforcer throws exception with no message (null).
> I ran a modified version of the PolicyEnforcer, which did not throw
> validation exception (inspired by issue WSS-486 with the modified
> if-statements in PolicyEnforcer).
> The result was that the PolicyVerificationInInterceptor then listed all
> the policy alternatives that could not be satisfied:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> alternatives can not be satisfied:
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}WssX509V3Token10
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RequireThumbprintReference
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TripleDes
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Lax
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignBeforeEncrypting
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
> at
> org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
>
> If I remove the PolicyVerificationInInterceptor from the cxf chain then
> the message is decrypted and everything looks fine.
> Could it be, that the PolicyEnforcer needs to know if it runs on the
> server-side or client-side and thereby be less strict at the client-side?
>
> Best regards
> Erik
>
>

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
View raw message