Posted to issues@cxf.apache.org by "Benjamin Ernst (JIRA)" <ji...@apache.org> on 2009/04/09 08:58:12 UTC

[jira] Updated: (CXF-2165) SecurityPolicy-Assertion fails for only signing

     [ https://issues.apache.org/jira/browse/CXF-2165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benjamin Ernst updated CXF-2165:
--------------------------------

    Description: 
Policy-Assertion fails when a policy only asserts that the body is signed, but not encrypted. Sending signed messages is no problem, but when receiving a signed message the following error appears:

  Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
  {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Not signed before encrypted

There should not be any encryption at all, only signing. I debugged into the code and found the following method in PolicyBasedWSS4JInInterceptor.java:

private boolean assertAsymetricBinding(AssertionInfoMap aim,
                                       SoapMessage message,
                                       SOAPMessage doc,
                                       Protections prots,
                                       boolean derived) {
    Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
    if (ais == null) {
        return true;
    }
    for (AssertionInfo ai : ais) {
        AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
        ai.setAsserted(true);
        if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
            if (abinding.isSignatureProtection()) {
                if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
                    ai.setNotAsserted("Not encrypted before signed and then protected");
                }
            } else if (prots != Protections.ENCRYPT_SIGN) {
                ai.setNotAsserted("Not encrypted before signed");
            }
        } else if (prots != Protections.SIGN_ENCRYPT) {
            // A sign-only message (prots == SIGN) lands here; this is what produces the error above.
            ai.setNotAsserted("Not signed before encrypted");
        }
        assertPolicy(aim, abinding.getInitiatorToken());
        assertPolicy(aim, abinding.getRecipientToken());
        assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
        assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
    }
    return true;
}

In this method the value of prots is "SIGN", which is correct. But the if-statement only checks whether prots is not SIGN_ENCRYPT and then sets it to not asserted. It might be because SPConstants.ProtectionOrder only knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only signing, or only encrypting.

The policy is attached.

  was:
Policy-Assertion fails when a policy only asserts that the body is signed, but not encrypted. Sending signed messages is no problem, but when receiving a signed message the following error appears:

  Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
  {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Not signed before encrypted

There should not be any encryption at all, only signing. I debugged into the code and found the following method in PolicyBasedWSS4JInInterceptor.java:

private boolean assertAsymetricBinding(AssertionInfoMap aim,
                                       SoapMessage message,
                                       SOAPMessage doc,
                                       Protections prots,
                                       boolean derived) {
    Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
    if (ais == null) {
        return true;
    }
    for (AssertionInfo ai : ais) {
        AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
        ai.setAsserted(true);
        if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
            if (abinding.isSignatureProtection()) {
                if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
                    ai.setNotAsserted("Not encrypted before signed and then protected");
                }
            } else if (prots != Protections.ENCRYPT_SIGN) {
                ai.setNotAsserted("Not encrypted before signed");
            }
        } else if (prots != Protections.SIGN_ENCRYPT) {
            // A sign-only message (prots == SIGN) lands here; this is what produces the error above.
            ai.setNotAsserted("Not signed before encrypted");
        }
        assertPolicy(aim, abinding.getInitiatorToken());
        assertPolicy(aim, abinding.getRecipientToken());
        assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
        assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
    }
    return true;
}

In this method the value of prots is "SIGN", which is correct. But the if-statement only checks whether prots is not SIGN_ENCRYPT and then sets it to not asserted. It might be because SPConstants.ProtectionOrder only knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only signing, or only encrypting.

Here is the policy:

<wsp:Policy
    wsu:Id='Sig'
    xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
      http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
      http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
      http://schemas.xmlsoap.org/ws/2004/09/policy
      http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
  ">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'>
                                <wsp:Policy>
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
                                <wsp:Policy>
                                    <sp:WssX509V3Token10 />
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256 />
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Strict />
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:OnlySignEntireHeadersAndBody />
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
                <wsp:Policy>
                    <sp:MustSupportRefEmbeddedToken />
                </wsp:Policy>
            </sp:Wss10>
            <sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
                <sp:Body />
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>



> SecurityPolicy-Assertion fails for only signing 
> ------------------------------------------------
>
>                 Key: CXF-2165
>                 URL: https://issues.apache.org/jira/browse/CXF-2165
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2
>            Reporter: Benjamin Ernst
>         Attachments: policy.xml
>
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
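The following is an added, stand-alone model of the order check described in this issue; it is not CXF's code or its eventual fix. The enum names, the `encryptionRequired` flag (assumed to come from whether the policy carries EncryptedParts/EncryptedElements, which the quoted method cannot see) and the message strings are assumptions. It reproduces the reported rejection of a sign-only message and shows one way the check can admit a signing-only policy while still enforcing the order when encryption is required.

```java
/** Stand-alone model of the AsymmetricBinding order check from CXF-2165 (added example, not CXF code). */
public class ProtectionOrderCheck {

    /** Modelled after SPConstants.ProtectionOrder; the constant names here are assumptions. */
    enum Order { ENCRYPT_BEFORE_SIGNING, SIGN_BEFORE_ENCRYPTING }

    /** What the inbound message actually carried, mirroring the interceptor's Protections value. */
    enum Protections { SIGN, ENCRYPT, SIGN_ENCRYPT, ENCRYPT_SIGN, ENCRYPT_SIGN_PROTECT }

    /** The branch structure quoted in the issue: returns the failure text, or null when asserted. */
    static String checkAsReported(Order order, boolean signatureProtection, Protections prots) {
        if (order == Order.ENCRYPT_BEFORE_SIGNING) {
            if (signatureProtection) {
                return prots == Protections.ENCRYPT_SIGN_PROTECT ? null
                        : "Not encrypted before signed and then protected";
            }
            return prots == Protections.ENCRYPT_SIGN ? null : "Not encrypted before signed";
        }
        // Every sign-only message lands here and is rejected, which is the reported bug.
        return prots == Protections.SIGN_ENCRYPT ? null : "Not signed before encrypted";
    }

    /**
     * Same check, but the ordering rule is applied only when the policy demands encryption.
     * encryptionRequired is an assumed input (e.g. derived from EncryptedParts/EncryptedElements).
     */
    static String checkWithSignOnly(Order order, boolean signatureProtection,
                                    boolean encryptionRequired, Protections prots) {
        if (!encryptionRequired) {
            // Signing-only policy: a signature must be present; there is no order to enforce.
            // Which parts the signature must cover is left to the SignedParts assertion.
            return prots == Protections.ENCRYPT ? "Message is not signed" : null;
        }
        return checkAsReported(order, signatureProtection, prots);
    }

    public static void main(String[] args) {
        // The reporter's policy: no EncryptBeforeSigning, no signature protection,
        // no EncryptedParts; the received message is signed only (prots == SIGN).
        Protections received = Protections.SIGN;
        System.out.println("as reported:      "
                + checkAsReported(Order.SIGN_BEFORE_ENCRYPTING, false, received));
        System.out.println("sign-only aware:  "
                + checkWithSignOnly(Order.SIGN_BEFORE_ENCRYPTING, false, false, received));
        // A policy that does require encryption still gets the ordering check.
        System.out.println("encrypt required: "
                + checkWithSignOnly(Order.SIGN_BEFORE_ENCRYPTING, false, true, received));
    }
}
```

Running it prints the page's "Not signed before encrypted" for the first case, null (asserted) for the second, and the same rejection again once encryption is required.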