
List:       xmlrpc-user
Subject:    Re: cxf client using StAX and ws-security policy fails in PolicyEnforcer when processing server resp
From:       Colm O hEigeartaigh <coheigea () apache ! org>
Date:       2019-08-14 13:03:39
Message-ID: CAB8XdGDUiNmcMW_cZOwwCPeJUxjMsQSn66d5zSOOG8cbNQ5tqA () mail ! gmail ! com
[Download RAW message or body]

Do you have a test-case that reproduces the problem that we could look at?
You shouldn't really need to work with PolicyEnforcer itself. To answer
your question though: yes, PolicyEnforcer needs to know whether it's the
initiator or not - there is a "boolean initiator" in the constructor.

Colm.

On Wed, Aug 7, 2019 at 5:48 PM Erik Lund Jensen <info@erikjensen.it> wrote:

> Hi
>
> I have upgraded an old ws-security cxf client application to Java 11. It
> now uses StAX and builds a policy and sets the
> PolicyConstants.POLICY_OVERRIDE at the client's requestContext.
>
> It almost works; however, when it gets to processing the response from the
> server, the PolicyEnforcer throws an exception with no message (null).
> I ran a modified version of the PolicyEnforcer, which did not throw
> validation exception (inspired by issue WSS-486 with the modified
> if-statements in PolicyEnforcer).
> The result was that the PolicyVerificationInInterceptor then listed all
> the policy alternatives that could not be satisfied:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}WssX509V3Token10
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RequireThumbprintReference
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AlgorithmSuite
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TripleDes
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Lax
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignBeforeEncrypting
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
>         at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
>
> If I remove the PolicyVerificationInInterceptor from the cxf chain then
> the message is decrypted and everything looks fine.
> Could it be that the PolicyEnforcer needs to know if it runs on the
> server-side or client-side and thereby be less strict at the client-side?
>
> Best regards
> Erik
>
>

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
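An added example, not code from this thread, from Erik's application or from CXF itself, of the client-side setup Erik describes: enabling the streaming (StAX) WS-Security stack and putting a policy built from the assertions listed in the exception into the request context under PolicyConstants.POLICY_OVERRIDE. The Greeter service interface, the endpoint address, the key aliases, the crypto property file names and the password callback are assumptions. Note that the workaround of dropping PolicyVerificationInInterceptor removes the check that the server's response actually satisfied the asserted policy (signed and encrypted Body, timestamp, and so on), so the example leaves the policy interceptor chain intact and only overrides the policy it verifies against.

```java
// Added example (not from the thread): CXF JAX-WS client using the StAX
// WS-Security stack with a policy override on the request context.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;

import javax.jws.WebService;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.policy.PolicyConstants;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.neethi.Policy;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class StaxPolicyOverrideClient {

    /** Assumed service contract; the real one would be generated from the WSDL. */
    @WebService
    public interface Greeter {
        String greet(String name);
    }

    private static final String SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";

    // WS-SecurityPolicy carrying the same assertions the exception above lists.
    // Java 11 has no text blocks, hence the concatenation.
    static final String POLICY_XML =
        "<wsp:Policy xmlns:wsp='http://www.w3.org/ns/ws-policy' xmlns:sp='" + SP + "'>"
      + " <wsp:ExactlyOne><wsp:All>"
      + "  <sp:AsymmetricBinding><wsp:Policy>"
      + "   <sp:InitiatorToken><wsp:Policy>"
      + "    <sp:X509Token sp:IncludeToken='" + SP + "/IncludeToken/AlwaysToRecipient'>"
      + "     <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>"
      + "   </wsp:Policy></sp:InitiatorToken>"
      + "   <sp:RecipientToken><wsp:Policy>"
      + "    <sp:X509Token sp:IncludeToken='" + SP + "/IncludeToken/Never'>"
      + "     <wsp:Policy><sp:RequireThumbprintReference/><sp:WssX509V3Token10/></wsp:Policy>"
      + "    </sp:X509Token>"
      + "   </wsp:Policy></sp:RecipientToken>"
      + "   <sp:AlgorithmSuite><wsp:Policy><sp:TripleDes/></wsp:Policy></sp:AlgorithmSuite>"
      + "   <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>"
      + "   <sp:IncludeTimestamp/>"
      + "   <sp:OnlySignEntireHeadersAndBody/>"
      + "   <sp:SignBeforeEncrypting/>"
      + "  </wsp:Policy></sp:AsymmetricBinding>"
      + "  <sp:SignedParts><sp:Body/></sp:SignedParts>"
      + "  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"
      + " </wsp:All></wsp:ExactlyOne>"
      + "</wsp:Policy>";

    /** Parses the policy with the bus's PolicyBuilder, the same parser CXF uses for WSDL-attached policies. */
    static Policy parsePolicy(Bus bus) throws Exception {
        PolicyBuilder builder = bus.getExtension(PolicyBuilder.class);
        return builder.getPolicy(new ByteArrayInputStream(POLICY_XML.getBytes(StandardCharsets.UTF_8)));
    }

    /** Supplies the client's private-key password; alias and password are assumed values. */
    static final class KeyPasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    WSPasswordCallback pc = (WSPasswordCallback) cb;
                    if ("clientkey".equals(pc.getIdentifier())) {
                        pc.setPassword("ckpass");
                    }
                }
            }
        }
    }

    /** Puts the streaming switch, the policy override and the crypto settings on the request context. */
    static void configure(BindingProvider port, Policy policy) {
        Map<String, Object> ctx = port.getRequestContext();
        // Use the StAX (streaming) WS-Security implementation instead of the DOM one.
        ctx.put(SecurityConstants.ENABLE_STREAMING_SECURITY, "true");
        // Replace the WSDL/endpoint policy with the one above; the in-chain policy
        // interceptors then verify the server's response against it.
        ctx.put(PolicyConstants.POLICY_OVERRIDE, policy);
        ctx.put(SecurityConstants.SIGNATURE_USERNAME, "clientkey");       // assumed alias
        ctx.put(SecurityConstants.ENCRYPT_USERNAME, "serverkey");         // assumed alias
        ctx.put(SecurityConstants.SIGNATURE_PROPERTIES, "client-sign.properties");    // assumed file
        ctx.put(SecurityConstants.ENCRYPT_PROPERTIES, "client-encrypt.properties");   // assumed file
        ctx.put(SecurityConstants.CALLBACK_HANDLER, new KeyPasswordCallback());
    }

    public static void main(String[] args) throws Exception {
        Bus bus = BusFactory.getThreadDefaultBus();
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setBus(bus);
        factory.setServiceClass(Greeter.class);
        factory.setAddress("https://example.invalid/greeter"); // assumed endpoint
        Greeter greeter = (Greeter) factory.create();
        configure((BindingProvider) greeter, parsePolicy(bus));
        System.out.println(greeter.greet("world"));
    }
}
```

The proxy needs cxf-rt-frontend-jaxws, cxf-rt-ws-policy and cxf-rt-ws-security on the classpath; the policy engine is activated by cxf-rt-ws-policy being present, so POLICY_OVERRIDE only has an effect when that module is loaded. On Java 11 the javax.xml.ws and javax.jws packages are no longer part of the JDK and must be supplied as dependencies, which is the part of the Java 11 upgrade most likely to disturb an old client. If the response still fails policy verification, the first thing to compare is the recipient token reference type (the policy above requires a thumbprint reference) and the algorithm suite against what the server actually emits, since each unsatisfied assertion in the policy above will appear in the list printed by AssertionInfoMap.checkEffectivePolicy.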
