Posted to users@cxf.apache.org by XiLai Dai <xl...@talend.com> on 2013/09/24 05:41:40 UTC
SAML token policy combined with Encrypt/Sign policy throws exceptions
Hi, there
We have SAML Token (STS) policy defined as below (saml.policy):
<?xml version="1.0" encoding="UTF-8" ?>
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:IssuedToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<sp:RequestSecurityTokenTemplate>
<t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
<t:KeyType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<!--sp:RequireInternalReference /-->
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
</wsp:Policy>
</sp:IssuedToken>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
</wsp:Policy>
</sp:Wss11>
<sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust13>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
And Encrypt/Sign body policy (encrypt_sign.policy) defined as:
<wsp:Policy
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
<sp:RequireIssuerSerialReference />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
<sp:SignedParts>
<sp:Body/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
The service endpoint defined in spring:
<jaxws:endpoint ...>
......
<jaxws:features>
<p:policies>
<wsp:PolicyReference URI="classpath:/saml.policy"/>
<wsp:PolicyReference URI="classpath:/encrypt_sign.policy"/>
</p:policies>
</jaxws:features>
</jaxws:endpoint>
The client defined also in spring:
<jaxws:client ...>
......
<jaxws:features>
<p:policies>
<wsp:PolicyReference URI="classpath:/saml.policy"/>
<wsp:PolicyReference URI="classpath:/encrypt_sign.policy"/>
</p:policies>
</jaxws:features>
</jaxws:client>
After deploying the service/client and invoking it, the "Error in validating the IssuedToken policy" exception is thrown:
11:25:53,782 | WARN | qtp895895561-118 | ache.cxf.common.logging.LogUtils 452 | 122 - org.apache.cxf.cxf-api - 2.7.7 | Interceptor for {http://services.talend.org/CRMService}CRMServiceProvider#{http://services.talend.org/CRMService}getCRMInformation has thrown exception, unwinding now
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken: Error in validating the IssuedToken policy
at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)[153:org.apache.cxf.cxf-rt-ws-policy:2.7.7]
at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)[153:org.apache.cxf.cxf-rt-ws-policy:2.7.7]
at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)[153:org.apache.cxf.cxf-rt-ws-policy:2.7.7]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)[122:org.apache.cxf.cxf-api:2.7.7]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[122:org.apache.cxf.cxf-api:2.7.7]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)[130:org.apache.cxf.cxf-rt-transports-http:2.7.7]
The service and client work fine when only one of the policies is applied (the saml policy or the encrypt_sign policy).
Any ideas? Maybe the different AsymmetricBindings can't be merged correctly? Thanks!
Regards.
Xilai
Re: SAML token policy combined with Encrypt/Sign policy throws exceptions
Posted by Colm O hEigeartaigh <co...@apache.org>.
I don't think that combining policies in this way is correct, as all of
both policies must be valid. The policy that uses "IssuedToken" will always
fail then for the other case.
Instead, you could try creating a new policy which allows an alternative
between both referenced policies.
Colm.
On Tue, Sep 24, 2013 at 4:41 AM, XiLai Dai <xl...@talend.com> wrote:
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
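The structure Colm describes, as an added illustration (not code from the thread or from CXF): a single policy whose wsp:ExactlyOne offers two wsp:All alternatives, one per referenced policy. In WS-Policy, every assertion inside one wsp:All must hold (conjunction), while wsp:ExactlyOne is satisfied when any one of its alternatives holds (disjunction); attaching saml.policy and encrypt_sign.policy side by side under p:policies combines them as a conjunction, which is why the IssuedToken assertion fails for a request that only carries the X.509 signature. The file name combined.policy and the wsu:Id are assumptions, as is the assumption that CXF resolves the nested classpath: PolicyReference URIs the same way it resolves them under p:policies.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- combined.policy (assumed file name): one policy with two alternatives.
     wsp:ExactlyOne: the request must satisfy exactly one alternative.
     wsp:All:        every assertion inside the alternative must be satisfied.
     Assumption: CXF resolves these nested classpath: references like it does
     for PolicyReference elements listed under <p:policies>. -->
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="SamlOrX509Policy">
  <wsp:ExactlyOne>
    <!-- Alternative 1: the SAML 2.0 token issued by the STS (PublicKey KeyType)
         is the initiator token of the AsymmetricBinding, as in saml.policy. -->
    <wsp:All>
      <wsp:PolicyReference URI="classpath:/saml.policy"/>
    </wsp:All>
    <!-- Alternative 2: the client's own X.509 certificate is the initiator
         token, body signed and encrypted, as in encrypt_sign.policy. -->
    <wsp:All>
      <wsp:PolicyReference URI="classpath:/encrypt_sign.policy"/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

With this file in place, the jaxws:endpoint and jaxws:client each reference only classpath:/combined.policy under p:policies instead of the two separate references. One consequence worth checking before deploying it on the service side: because the alternatives are disjunctive, a caller that presents a valid X.509-signed, encrypted request satisfies the endpoint without ever obtaining a SAML token from the STS. If the intent is that every request carry the STS-issued token and also have its body encrypted, the sp:EncryptedParts and sp:SignedParts assertions belong inside the single wsp:All of saml.policy, where they are enforced together with the IssuedToken binding.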