Posted to users@cxf.apache.org by Jason Pell <ja...@pellcorp.com> on 2012/10/23 04:12:52 UTC
RequireClientCertificate confusion
Hi,
I am debugging 2.7.1 trunk to try and figure out why my
RequireClientCertificate="true" appears to be ignored.
My policy looks like:
<wsp:Policy wsu:Id="SslWithUsernamePasswordToken">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="true" />
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:IncludeTimestamp />
        </wsp:Policy>
      </sp:TransportBinding>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
I can see in the HttpsTokenInInterceptor that because there is no
client token, the AssertionInfo is not being asserted, which I assume
means it should raise a policy error.
However in the TransportBindingPolicyValidator it overrides this and
actually sets the AssertionInfo that was not asserted to true!
If I disable the second line, I get an exception because no client
certificate is present.
Index: src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
===================================================================
--- src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java (revision
1400641)
+++ src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java (working
copy)
@@ -68,7 +68,7 @@
// HttpsToken is validated by the HttpsTokenInterceptorProvider
if (binding.getTransportToken() != null) {
assertPolicy(aim, binding.getTransportToken());
- assertPolicy(aim, binding.getTransportToken().getToken());
+ // assertPolicy(aim, binding.getTransportToken().getToken());
}
// Check the AlgorithmSuite
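Review bot: commenting out assertPolicy(aim, binding.getTransportToken().getToken()) leaves dead code where a decision belongs; if the HttpsToken is meant to be asserted only by the HttpsTokenInInterceptor, as the comment above the if states, delete the call and extend that comment to say the nested token is deliberately left unasserted here, so nobody restores it later. The remaining assertPolicy(aim, binding.getTransportToken()) still asserts the TransportToken wrapper unconditionally, which is acceptable only because the HttpsToken assertion itself now stays unasserted when no client certificate was presented; the change should come with a test that sets RequireClientCertificate="true", sends a request with no client certificate, and expects a policy fault.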
This is obviously not a complete patch, but it does, I hope, prove that
there is an issue with client cert validation. I shall open up a jira
for this, but I don't feel confident enough to try and
provide a patch without guidance as this is definitely an area I am
not very familiar with.
Re: RequireClientCertificate confusion
Posted by Jason Pell <ja...@pellcorp.com>.
oops - sorry I meant that the test case was attached to the jira to
illustrate the bug.
Re: RequireClientCertificate confusion
Posted by Jason Pell <ja...@pellcorp.com>.
patch attached
Re: RequireClientCertificate confusion
Posted by Jason Pell <ja...@pellcorp.com>.
https://issues.apache.org/jira/browse/CXF-4595
I will attach a test case to prove the issue asap
Re: RequireClientCertificate confusion
Posted by Jason Pell <ja...@pellcorp.com>.
My namespaces look like:
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"