You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Benjamin Ernst <be...@gmail.com> on 2009/04/08 18:07:31 UTC
WS-SecurityPolicy: Problem with AsymmetricBinding: Not signed before
encrypted
Hello everybody,
I have a problem with the WS-SecurityPolicy. My Policy only asserts that the
body is signed, but not encrypted. Sending signed messages is no problem,
but when I receive a signed message the following error appears:
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
alternatives can not be satisfied:
{
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding:
Not signed before encrypted
There should not be any encryption at all, only signing. I debugged into the
code and found the following Method in the
PolicyBasedWSS4JInInterceptor.java:
private boolean assertAsymetricBinding(AssertionInfoMap aim,
SoapMessage message,
SOAPMessage doc,
Protections prots,
boolean derived) {
Collection<AssertionInfo> ais =
aim.get(SP12Constants.ASYMMETRIC_BINDING);
if (ais == null) {
return true;
}
for (AssertionInfo ai : ais) {
AsymmetricBinding abinding =
(AsymmetricBinding)ai.getAssertion();
ai.setAsserted(true);
if (abinding.getProtectionOrder() ==
SPConstants.ProtectionOrder.EncryptBeforeSigning) {
if (abinding.isSignatureProtection()) {
if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
ai.setNotAsserted("Not encrypted before signed and
then protected");
}
} else if (prots != Protections.ENCRYPT_SIGN) {
ai.setNotAsserted("Not encrypted before
signed");
}
} else if (prots != Protections.SIGN_ENCRYPT) {
ai.setNotAsserted("Not signed before
encrypted");
}
assertPolicy(aim, abinding.getInitiatorToken());
assertPolicy(aim, abinding.getRecipientToken());
assertPolicy(aim, abinding.getInitiatorToken().getToken(),
derived);
assertPolicy(aim, abinding.getRecipientToken().getToken(),
derived);
}
return true;
}
In this method the value of prots is ="SIGN" which is correct. But the
if-statement only checks if prots is not SIGN_ENCRYPT and then sets it to
notasserted. It might be because SPConstants.ProtectionOrder only knows
EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only
signing, or only encrypting.
Is this an error, or do I have to configure something else?
Here is my Policy:
<wsp:Policy
wsu:Id='Sig'
xmlns:wsu='
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
'
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
http://schemas.xmlsoap.org/ws/2004/09/policy
http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding xmlns:sp='
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken='
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
'>
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken='
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp='
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
<wsp:Policy>
<sp:MustSupportRefEmbeddedToken />
</wsp:Policy>
</sp:Wss10>
<sp:SignedParts xmlns:sp='
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Thanks for any help!
--Benjamin
Re: WS-SecurityPolicy: Problem with AsymmetricBinding: Not signed before encrypted
Posted by Daniel Kulp <dk...@apache.org>.
On Thu April 9 2009 3:00:59 am Benjamin Ernst wrote:
> Hi Dan,
>
> thanks, for your help. I logged a Jira (
> https://issues.apache.org/jira/browse/CXF-2165) for this. My Policy should
> be attached to it.
This should now be fixed. Thanks for the policy.
Dan
> -- Benjamin
>
> On Wed, Apr 8, 2009 at 10:58 PM, Daniel Kulp <dk...@apache.org> wrote:
> > That definitely looks like a bug. Can you log a jira with your policy
> > attached? I'll see if I can look at it tomorrow.
> >
> > Dan
> >
> > On Wed April 8 2009 12:07:31 pm Benjamin Ernst wrote:
> > > Hello everybody,
> > >
> > > I have a problem with the WS-SecurityPolicy. My Policy only asserts
> > > that the body is signed, but not encrypted. Sending signed messages is
> > > no problem, but when I receive a signed message the following error
> > > appears:
> > >
> > > Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> > > alternatives can not be satisfied:
> > > {
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBindi
> >ng<http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702%7DAsymmetricB
> >inding>
> >
> > >: Not signed before encrypted
> > >
> > > There should not be any encryption at all, only signing. I debugged
> > > into the code and found the following Method in the
> > > PolicyBasedWSS4JInInterceptor.java:
> > >
> > > private boolean assertAsymetricBinding(AssertionInfoMap aim,
> > > SoapMessage message,
> > > SOAPMessage doc,
> > > Protections prots,
> > > boolean derived) {
> > > Collection<AssertionInfo> ais =
> > > aim.get(SP12Constants.ASYMMETRIC_BINDING);
> > > if (ais == null) {
> > > return true;
> > > }
> > > for (AssertionInfo ai : ais) {
> > > AsymmetricBinding abinding =
> > > (AsymmetricBinding)ai.getAssertion();
> > > ai.setAsserted(true);
> > > if (abinding.getProtectionOrder() ==
> > > SPConstants.ProtectionOrder.EncryptBeforeSigning) {
> > > if (abinding.isSignatureProtection()) {
> > > if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
> > > ai.setNotAsserted("Not encrypted before signed
> >
> > and
> >
> > > then protected");
> > > }
> > > } else if (prots != Protections.ENCRYPT_SIGN) {
> > > ai.setNotAsserted("Not encrypted before
> > > signed");
> > > }
> > > } else if (prots != Protections.SIGN_ENCRYPT) {
> > > ai.setNotAsserted("Not signed before
> > > encrypted");
> > > }
> > > assertPolicy(aim, abinding.getInitiatorToken());
> > > assertPolicy(aim, abinding.getRecipientToken());
> > > assertPolicy(aim, abinding.getInitiatorToken().getToken(),
> > > derived);
> > > assertPolicy(aim, abinding.getRecipientToken().getToken(),
> > > derived);
> > > }
> > > return true;
> > > }
> > >
> > > In this method the value of prots is ="SIGN" which is correct. But the
> > > if-statement only checks if prots is not SIGN_ENCRYPT and then sets it
> > > to notasserted. It might be because SPConstants.ProtectionOrder only
> > > knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing
> > > about
> >
> > only
> >
> > > signing, or only encrypting.
> > >
> > > Is this an error, or do I have to configure something else?
> > >
> > > Here is my Policy:
> > >
> > > <wsp:Policy
> > > wsu:Id='Sig'
> > > xmlns:wsu='
> >
> > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit
> >y-
> >
> > >1.0.xsd '
> > > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > xsi:schemaLocation="
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
> >
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xs
> >d
> >
> > > http://schemas.xmlsoap.org/ws/2004/09/policy
> > > http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
> > > ">
> > > <wsp:ExactlyOne>
> > > <wsp:All>
> > > <sp:AsymmetricBinding xmlns:sp='
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > > <wsp:Policy>
> > > <sp:InitiatorToken>
> > > <wsp:Policy>
> > > <sp:X509Token sp:IncludeToken='
> >
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysT
> >oR
> >
> > >ecipient '>
> > > <wsp:Policy>
> > > <sp:WssX509V3Token10 />
> > > </wsp:Policy>
> > > </sp:X509Token>
> > > </wsp:Policy>
> > > </sp:InitiatorToken>
> > > <sp:RecipientToken>
> > > <wsp:Policy>
> > > <sp:X509Token sp:IncludeToken='
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Alway
> > >s
> >
> > '>
> >
> > > <wsp:Policy>
> > > <sp:WssX509V3Token10 />
> > > </wsp:Policy>
> > > </sp:X509Token>
> > > </wsp:Policy>
> > > </sp:RecipientToken>
> > > <sp:AlgorithmSuite>
> > > <wsp:Policy>
> > > <sp:Basic256 />
> > > </wsp:Policy>
> > > </sp:AlgorithmSuite>
> > > <sp:Layout>
> > > <wsp:Policy>
> > > <sp:Strict />
> > > </wsp:Policy>
> > > </sp:Layout>
> > > <sp:OnlySignEntireHeadersAndBody />
> > > </wsp:Policy>
> > > </sp:AsymmetricBinding>
> > > <sp:Wss10 xmlns:sp='
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > > <wsp:Policy>
> > > <sp:MustSupportRefEmbeddedToken />
> > > </wsp:Policy>
> > > </sp:Wss10>
> > > <sp:SignedParts xmlns:sp='
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > > <sp:Body />
> > > </sp:SignedParts>
> > > </wsp:All>
> > > </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > >
> > > Thanks for any help!
> > >
> > > --Benjamin
> >
> > --
> > Daniel Kulp
> > dkulp@apache.org
> > http://www.dankulp.com/blog
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
Re: WS-SecurityPolicy: Problem with AsymmetricBinding: Not signed
before encrypted
Posted by Benjamin Ernst <be...@gmail.com>.
Hi Dan,
thanks, for your help. I logged a Jira (
https://issues.apache.org/jira/browse/CXF-2165) for this. My Policy should
be attached to it.
-- Benjamin
On Wed, Apr 8, 2009 at 10:58 PM, Daniel Kulp <dk...@apache.org> wrote:
>
> That definitely looks like a bug. Can you log a jira with your policy
> attached? I'll see if I can look at it tomorrow.
>
> Dan
>
>
> On Wed April 8 2009 12:07:31 pm Benjamin Ernst wrote:
> > Hello everybody,
> >
> > I have a problem with the WS-SecurityPolicy. My Policy only asserts that
> > the body is signed, but not encrypted. Sending signed messages is no
> > problem, but when I receive a signed message the following error appears:
> >
> > Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> > alternatives can not be satisfied:
> > {
> >
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding<http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702%7DAsymmetricBinding>
> >: Not signed before encrypted
> >
> > There should not be any encryption at all, only signing. I debugged into
> > the code and found the following Method in the
> > PolicyBasedWSS4JInInterceptor.java:
> >
> > private boolean assertAsymetricBinding(AssertionInfoMap aim,
> > SoapMessage message,
> > SOAPMessage doc,
> > Protections prots,
> > boolean derived) {
> > Collection<AssertionInfo> ais =
> > aim.get(SP12Constants.ASYMMETRIC_BINDING);
> > if (ais == null) {
> > return true;
> > }
> > for (AssertionInfo ai : ais) {
> > AsymmetricBinding abinding =
> > (AsymmetricBinding)ai.getAssertion();
> > ai.setAsserted(true);
> > if (abinding.getProtectionOrder() ==
> > SPConstants.ProtectionOrder.EncryptBeforeSigning) {
> > if (abinding.isSignatureProtection()) {
> > if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
> > ai.setNotAsserted("Not encrypted before signed
> and
> > then protected");
> > }
> > } else if (prots != Protections.ENCRYPT_SIGN) {
> > ai.setNotAsserted("Not encrypted before
> > signed");
> > }
> > } else if (prots != Protections.SIGN_ENCRYPT) {
> > ai.setNotAsserted("Not signed before
> > encrypted");
> > }
> > assertPolicy(aim, abinding.getInitiatorToken());
> > assertPolicy(aim, abinding.getRecipientToken());
> > assertPolicy(aim, abinding.getInitiatorToken().getToken(),
> > derived);
> > assertPolicy(aim, abinding.getRecipientToken().getToken(),
> > derived);
> > }
> > return true;
> > }
> >
> > In this method the value of prots is ="SIGN" which is correct. But the
> > if-statement only checks if prots is not SIGN_ENCRYPT and then sets it to
> > notasserted. It might be because SPConstants.ProtectionOrder only knows
> > EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about
> only
> > signing, or only encrypting.
> >
> > Is this an error, or do I have to configure something else?
> >
> > Here is my Policy:
> >
> > <wsp:Policy
> > wsu:Id='Sig'
> > xmlns:wsu='
> >
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
> >1.0.xsd '
> > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > xsi:schemaLocation="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
> >
> >
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
> > http://schemas.xmlsoap.org/ws/2004/09/policy
> > http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
> > ">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <sp:AsymmetricBinding xmlns:sp='
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > <wsp:Policy>
> > <sp:InitiatorToken>
> > <wsp:Policy>
> > <sp:X509Token sp:IncludeToken='
> >
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToR
> >ecipient '>
> > <wsp:Policy>
> > <sp:WssX509V3Token10 />
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:InitiatorToken>
> > <sp:RecipientToken>
> > <wsp:Policy>
> > <sp:X509Token sp:IncludeToken='
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
> '>
> > <wsp:Policy>
> > <sp:WssX509V3Token10 />
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:RecipientToken>
> > <sp:AlgorithmSuite>
> > <wsp:Policy>
> > <sp:Basic256 />
> > </wsp:Policy>
> > </sp:AlgorithmSuite>
> > <sp:Layout>
> > <wsp:Policy>
> > <sp:Strict />
> > </wsp:Policy>
> > </sp:Layout>
> > <sp:OnlySignEntireHeadersAndBody />
> > </wsp:Policy>
> > </sp:AsymmetricBinding>
> > <sp:Wss10 xmlns:sp='
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > <wsp:Policy>
> > <sp:MustSupportRefEmbeddedToken />
> > </wsp:Policy>
> > </sp:Wss10>
> > <sp:SignedParts xmlns:sp='
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > <sp:Body />
> > </sp:SignedParts>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> >
> > Thanks for any help!
> >
> > --Benjamin
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
>
Re: WS-SecurityPolicy: Problem with AsymmetricBinding: Not signed before encrypted
Posted by Daniel Kulp <dk...@apache.org>.
That definitely looks like a bug. Can you log a jira with your policy
attached? I'll see if I can look at it tomorrow.
Dan
On Wed April 8 2009 12:07:31 pm Benjamin Ernst wrote:
> Hello everybody,
>
> I have a problem with the WS-SecurityPolicy. My Policy only asserts that
> the body is signed, but not encrypted. Sending signed messages is no
> problem, but when I receive a signed message the following error appears:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> alternatives can not be satisfied:
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
>: Not signed before encrypted
>
> There should not be any encryption at all, only signing. I debugged into
> the code and found the following Method in the
> PolicyBasedWSS4JInInterceptor.java:
>
> private boolean assertAsymetricBinding(AssertionInfoMap aim,
> SoapMessage message,
> SOAPMessage doc,
> Protections prots,
> boolean derived) {
> Collection<AssertionInfo> ais =
> aim.get(SP12Constants.ASYMMETRIC_BINDING);
> if (ais == null) {
> return true;
> }
> for (AssertionInfo ai : ais) {
> AsymmetricBinding abinding =
> (AsymmetricBinding)ai.getAssertion();
> ai.setAsserted(true);
> if (abinding.getProtectionOrder() ==
> SPConstants.ProtectionOrder.EncryptBeforeSigning) {
> if (abinding.isSignatureProtection()) {
> if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
> ai.setNotAsserted("Not encrypted before signed and
> then protected");
> }
> } else if (prots != Protections.ENCRYPT_SIGN) {
> ai.setNotAsserted("Not encrypted before
> signed");
> }
> } else if (prots != Protections.SIGN_ENCRYPT) {
> ai.setNotAsserted("Not signed before
> encrypted");
> }
> assertPolicy(aim, abinding.getInitiatorToken());
> assertPolicy(aim, abinding.getRecipientToken());
> assertPolicy(aim, abinding.getInitiatorToken().getToken(),
> derived);
> assertPolicy(aim, abinding.getRecipientToken().getToken(),
> derived);
> }
> return true;
> }
>
> In this method the value of prots is ="SIGN" which is correct. But the
> if-statement only checks if prots is not SIGN_ENCRYPT and then sets it to
> notasserted. It might be because SPConstants.ProtectionOrder only knows
> EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only
> signing, or only encrypting.
>
> Is this an error, or do I have to configure something else?
>
> Here is my Policy:
>
> <wsp:Policy
> wsu:Id='Sig'
> xmlns:wsu='
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
>1.0.xsd '
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
> http://schemas.xmlsoap.org/ws/2004/09/policy
> http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
> ">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding xmlns:sp='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToR
>ecipient '>
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict />
> </wsp:Policy>
> </sp:Layout>
> <sp:OnlySignEntireHeadersAndBody />
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10 xmlns:sp='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <wsp:Policy>
> <sp:MustSupportRefEmbeddedToken />
> </wsp:Policy>
> </sp:Wss10>
> <sp:SignedParts xmlns:sp='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <sp:Body />
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> Thanks for any help!
>
> --Benjamin
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog