You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2009/04/09 16:05:13 UTC
[jira] Assigned: (CXF-2165) SecurityPolicy-Assertion fails for only
signing
[ https://issues.apache.org/jira/browse/CXF-2165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp reassigned CXF-2165:
--------------------------------
Assignee: Daniel Kulp
> SecurityPolicy-Assertion fails for only signing
> ------------------------------------------------
>
> Key: CXF-2165
> URL: https://issues.apache.org/jira/browse/CXF-2165
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2
> Reporter: Benjamin Ernst
> Assignee: Daniel Kulp
> Attachments: policy.xml
>
>
> Policy-Assertion fails when a policy only asserts that the body is signed, but not encrypted. Sending signed messages is no problem, but when receiving a signed message the following error appears:
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Not signed before encrypted
> There should not be any encryption at all, only signing. I debugged into the code and found the following Method in the PolicyBasedWSS4JInInterceptor.java:
> private boolean assertAsymetricBinding(AssertionInfoMap aim,
> SoapMessage message,
> SOAPMessage doc,
> Protections prots,
> boolean derived) {
> Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
> if (ais == null) {
> return true;
> }
> for (AssertionInfo ai : ais) {
> AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
> ai.setAsserted(true);
> if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
> if (abinding.isSignatureProtection()) {
> if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
> ai.setNotAsserted("Not encrypted before signed and then protected");
> }
> } else if (prots != Protections.ENCRYPT_SIGN) {
> ai.setNotAsserted("Not encrypted before signed");
> }
> } else if (prots != Protections.SIGN_ENCRYPT) {
> ai.setNotAsserted("Not signed before encrypted");
> }
> assertPolicy(aim, abinding.getInitiatorToken());
> assertPolicy(aim, abinding.getRecipientToken());
> assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
> assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
> }
> return true;
> }
> In this method the value of prots is ="SIGN" which is correct. But the if-statement only checks if prots is not SIGN_ENCRYPT and then sets it to notasserted. It might be because SPConstants.ProtectionOrder only knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only signing, or only encrypting.
> The policy is attached.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.