Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/04/03 15:29:53 UTC

[jira] [Commented] (CXF-6327) Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions

    [ https://issues.apache.org/jira/browse/CXF-6327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14394419#comment-14394419 ] 

Colm O hEigeartaigh commented on CXF-6327:
------------------------------------------


We don't support multiple "all" token assertions.

Colm.

> Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions
> ------------------------------------------------------------------------------------------
>
>                 Key: CXF-6327
>                 URL: https://issues.apache.org/jira/browse/CXF-6327
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.4
>            Reporter: Stefan Pröls
>
> Parsing WS-Security Policies containing EndorsingSupportingTokens with more than one token assertion in its nested Policy throws a "java.lang.IllegalArgumentException: Invalid Policy".
> Here is a WSDL test-case:
> https://rheaavs.element44.net/AvsMpsService_R1_Variante2.wsdl
> The sp:EndorsingSupportingTokens/wsp:Policy has 2 token assertions as children: a sp:X509Token and a sp:IssuedToken. Apparently CXF doesn't like that.
> If I either remove one of these token assertions or put a wsp:ExactlyOne around them, the exception will not be thrown and the SOAP-Request will be sent but the remote server will not accept the message and return an InvalidSecurity SOAP-Fault. Putting a wsp:ExactlyOne/wsp:All around the 2 tokens will cause the exception to be thrown again.
> According to the specification I cannot see anything wrong with this Policy. See http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/errata01/os/ws-securitypolicy-1.2-errata01-os-complete.html Section 8.3:
> <sp:EndorsingSupportingTokens xmlns:sp="..." ... >
>   <wsp:Policy xmlns:wsp="...">
>     [Token Assertion]+
>     <sp:AlgorithmSuite ... > ... </sp:AlgorithmSuite> ?
>     (
>       <sp:SignedParts ... > ... </sp:SignedParts> |
>       <sp:SignedElements ... > ... </sp:SignedElements> |
>       <sp:EncryptedParts ... > ... </sp:EncryptedParts> |
>       <sp:EncryptedElements ... > ... </sp:EncryptedElements> |
>       <sp:ContentEncryptedElements ... > ... </sp:ContentEncryptedElements>
>     ) *
>     ...
>   </wsp:Policy>
>   ...
> </sp:EndorsingSupportingTokens>
> ...
> /sp:EndorsingSupportingTokens/wsp:Policy/[Token Assertion]
>   The policy MUST identify one or more token assertions.
> This bug currently makes it impossible to access WebServices using such a SecurityPolicy for me as I couldn't find a client-side workaround.



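The three policy shapes the reporter tried, expanded into WS-Policy alternatives, as an added example that is not part of the original thread and not CXF code: it flags any alternative under sp:EndorsingSupportingTokens/wsp:Policy that requires more than one token assertion at once, the shape the thread associates with "Invalid Policy". Function names and the sample policies are constructed here; the WS-Policy 1.2 and 1.5 namespaces are assumed, and token assertions are matched by local name in any namespace.

```python
import xml.etree.ElementTree as ET
from itertools import product

# WS-Policy 1.2 and 1.5 namespaces; token assertion names from WS-SecurityPolicy.
WSP = {"http://schemas.xmlsoap.org/ws/2004/09/policy", "http://www.w3.org/ns/ws-policy"}
TOKENS = {"X509Token", "IssuedToken", "UsernameToken", "KerberosToken", "SamlToken",
          "RelToken", "SecureConversationToken", "SecurityContextToken",
          "SpnegoContextToken", "HttpsToken", "KeyValueToken"}

def split(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def alternatives(op):
    """Expand a wsp:Policy/All/ExactlyOne operator into its policy alternatives,
    each returned as the list of token assertions that must all be present."""
    per_child = []
    for child in op:
        ns, local = split(child.tag)
        if ns in WSP and local in ("Policy", "All", "ExactlyOne"):
            per_child.append(alternatives(child))
        elif local in TOKENS:
            per_child.append([[local]])   # the token's own nested policy is not expanded
    if split(op.tag)[1] == "ExactlyOne":  # choice: union of the children's alternatives
        return [alt for alts in per_child for alt in alts]
    return [sum(combo, []) for combo in product(*per_child)]  # Policy/All: combine

def multi_token_alternatives(xml_text):
    """Alternatives under sp:EndorsingSupportingTokens/wsp:Policy with >1 token."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if split(el.tag)[1] == "EndorsingSupportingTokens":
            for nested in el:
                if split(nested.tag)[0] in WSP and split(nested.tag)[1] == "Policy":
                    hits += [a for a in alternatives(nested) if len(a) > 1]
    return hits

# Constructed sample input: the three policy shapes the report describes.
NS = ('xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
      'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"')
TOKS = "<sp:X509Token/><sp:IssuedToken/>"
def sample(inner):
    return (f"<sp:EndorsingSupportingTokens {NS}><wsp:Policy>{inner}"
            "</wsp:Policy></sp:EndorsingSupportingTokens>")

if __name__ == "__main__":
    for inner in (TOKS, f"<wsp:ExactlyOne>{TOKS}</wsp:ExactlyOne>",
                  f"<wsp:ExactlyOne><wsp:All>{TOKS}</wsp:All></wsp:ExactlyOne>"):
        print(inner, "->", multi_token_alternatives(sample(inner)))
```

Only the wsp:ExactlyOne form yields single-token alternatives, which changes the policy's meaning from "both tokens" to "either token"; that fits the report that the request was then sent but the server rejected it.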