Posted to users@cxf.apache.org by Dennis Sosnoski <dm...@sosnoski.com> on 2010/08/24 14:59:37 UTC

Policy attachment points in WSDL

I'm trying some samples of effective policies combining multiple levels
of attachment in the WSDL. It looks like it works fine when I attach at
the wsdl:binding level and wsdl:binding/operation level, but not at the
wsdl:binding/operation/input|output level. Is message-level policy
attachment not supported by CXF?

The attached policy is one example I've tried, where the 'addBook'
operation defines both an operation-level policy and an input-message
policy:

    <wsdl:operation name="addBook">
      <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmSign"/>
      <wsdlsoap:operation soapAction="urn:addBook"/>
      <wsdl:input name="addBookRequest">
        <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
        <wsdlsoap:body use="literal"/>
      </wsdl:input>

When I look at the data on the wire I don't see the UsernameToken being
generated, but the server accepts the messages anyway.

  - Dennis

-- 
Dennis M. Sosnoski
XML and Web Services in Java
Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117


Re: Policy attachment points in WSDL

Posted by Daniel Kulp <dk...@apache.org>.
On Wednesday 25 August 2010 12:31:15 am Dennis Sosnoski wrote:
> On 08/25/2010 06:31 AM, Daniel Kulp wrote:
> After more investigation, it looks like what's happening is that the
> UsernameToken *is* being sent, but in encrypted form. I'm not sure if
> that's correct or not.
> 
> I have the UsernameToken in the policy as a SupportingToken. WS-SP says
> this about that:
> 
> /The supporting tokens can be added to any SOAP message and do not
> require any protection (signature or encryption) to be applied to the
> message before they are added. More specifically there is no requirement
> on "message signature" being present before the supporting tokens are
> added. However it is RECOMMENDED to employ underlying protection
> mechanism to ensure that the supporting tokens are cryptographically
> bound to the message during the transmission./
> 
> So does this mean that if encryption is possible  the stack should
> automatically encrypt the token anyway? I don't know. Any opinions?
> 
> In any case, it's nothing to do with attachment points - I get the same
> result when I only use a single combined policy.

It's kind of an interoperability thing with .NET.  .NET really doesn't accept
an unsecured UsernameToken if there is ANY way that the UsernameToken can be
secured.  In this case, with the exact same policy, if we sent it to .NET
unencrypted, .NET would reject it.  Since the passwords and stuff are pretty
insecure in a UsernameToken, MS requires the extra encryption to secure it.
An https connection is fine or it requires it to be a fully encrypted token.


-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog

Re: Policy attachment points in WSDL

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
On 08/25/2010 06:31 AM, Daniel Kulp wrote:
> On Tuesday 24 August 2010 8:59:37 am Dennis Sosnoski wrote:
>   
>> I'm trying some samples of effective policies combining multiple levels
>> of attachment in the WSDL. It looks like it works fine when I attach at
>> the wsdl:binding level and wsdl:binding/operation level, but not at the
>> wsdl:binding/operation/input|output level. Is message-level policy
>> attachment not supported by CXF?
>>     
> It LOOKS like it should work.  Looking at the code where it calculates the 
> policy, I see:
>         policy = policy.merge(engine.getAggregatedOperationPolicy(boi));
>         if (null != bmi) {
>             policy = policy.merge(engine.getAggregatedMessagePolicy(bmi));
>         }
> so it looks like it should be merging in the message level policy.   Thus, if 
> it's not working, file a bug with a test case.   It might be in the 
> WSDLServiceBuilder or similar.   It might not be saving the policy on the 
> message level.   Not really sure.
>   

After more investigation, it looks like what's happening is that the
UsernameToken *is* being sent, but in encrypted form. I'm not sure if
that's correct or not.

I have the UsernameToken in the policy as a SupportingToken. WS-SP says
this about that:

/The supporting tokens can be added to any SOAP message and do not
require any protection (signature or encryption) to be applied to the
message before they are added. More specifically there is no requirement
on "message signature" being present before the supporting tokens are
added. However it is RECOMMENDED to employ underlying protection
mechanism to ensure that the supporting tokens are cryptographically
bound to the message during the transmission./

So does this mean that if encryption is possible  the stack should
automatically encrypt the token anyway? I don't know. Any opinions?

In any case, it's nothing to do with attachment points - I get the same
result when I only use a single combined policy.

   - Dennis

Re: Policy attachment points in WSDL

Posted by Daniel Kulp <dk...@apache.org>.
On Tuesday 24 August 2010 8:59:37 am Dennis Sosnoski wrote:
> I'm trying some samples of effective policies combining multiple levels
> of attachment in the WSDL. It looks like it works fine when I attach at
> the wsdl:binding level and wsdl:binding/operation level, but not at the
> wsdl:binding/operation/input|output level. Is message-level policy
> attachment not supported by CXF?

It LOOKS like it should work.  Looking at the code where it calculates the 
policy, I see:
        policy = policy.merge(engine.getAggregatedOperationPolicy(boi));
        if (null != bmi) {
            policy = policy.merge(engine.getAggregatedMessagePolicy(bmi));
        }
so it looks like it should be merging in the message level policy.   Thus, if 
it's not working, file a bug with a test case.   It might be in the 
WSDLServiceBuilder or similar.   It might not be saving the policy on the 
message level.   Not really sure.

Dan


> 
> The attached policy is one example I've tried, where the 'addBook'
> operation defines both an operation-level policy and an input-message
> policy:
> 
>     <wsdl:operation name="addBook">
> 
>       <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
> URI="#SymmSign"/>
> 
>       <wsdlsoap:operation soapAction="urn:addBook"/>
> 
>       <wsdl:input name="addBookRequest">
>         <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
> URI="#UsernameToken"/>
>         <wsdlsoap:body use="literal"/>
>       </wsdl:input>
> 
> When I look at the data on the wire I don't see the UsernameToken being
> generated, but the server accepts the messages anyway.
> 
>   - Dennis

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
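As an added example (not code from this thread, from CXF, or from Dennis's attachment): the Python script below takes a constructed WSDL in the shape of the snippet Dennis posted and lists, for each binding/operation/message subject, the policy ids that apply to it, which is the binding-, operation- and message-level merge Dan quotes from the CXF policy engine. It then reports which WS-SecurityPolicy SupportingTokens variant wraps the UsernameToken, which is the policy-level answer to the encryption question raised earlier in the thread. The sample WSDL, the policy ids (#Wss10, #SymmSign, #UsernameToken, #UsernameTokenEnc) and the function names are assumptions made for this example; the script only collects attached policy ids and does not perform the WS-Policy normalisation and intersection a real engine does.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample WSDL (not Dennis's attachment). Policies are attached at
# three levels: #Wss10 on the binding, #SymmSign on the operation and
# #UsernameToken on the input message. #UsernameTokenEnc is the same token
# under sp:EncryptedSupportingTokens, for comparison; it is not attached.
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="{WSDL}" xmlns:wsp="{WSP}"
    xmlns:sp="{SP}" xmlns:wsu="{WSU}" xmlns:tns="urn:library"
    xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
  <wsp:Policy wsu:Id="Wss10"><sp:Wss10><wsp:Policy/></sp:Wss10></wsp:Policy>
  <wsp:Policy wsu:Id="SymmSign">
    <sp:SymmetricBinding><wsp:Policy/></sp:SymmetricBinding>
  </wsp:Policy>
  <wsp:Policy wsu:Id="UsernameToken">
    <sp:SupportingTokens><wsp:Policy>
      <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
    </wsp:Policy></sp:SupportingTokens>
  </wsp:Policy>
  <wsp:Policy wsu:Id="UsernameTokenEnc">
    <sp:EncryptedSupportingTokens><wsp:Policy>
      <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
    </wsp:Policy></sp:EncryptedSupportingTokens>
  </wsp:Policy>
  <wsdl:binding name="LibraryBinding" type="tns:Library">
    <wsp:PolicyReference URI="#Wss10"/>
    <wsdl:operation name="addBook">
      <wsp:PolicyReference URI="#SymmSign"/>
      <wsdlsoap:operation soapAction="urn:addBook"/>
      <wsdl:input name="addBookRequest">
        <wsp:PolicyReference URI="#UsernameToken"/>
        <wsdlsoap:body use="literal"/>
      </wsdl:input>
      <wsdl:output name="addBookResponse"><wsdlsoap:body use="literal"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""

MESSAGE_TAGS = {f"{{{WSDL}}}input", f"{{{WSDL}}}output", f"{{{WSDL}}}fault"}


def _refs(elem):
    """Policy ids of the wsp:PolicyReference children attached directly to elem."""
    return [r.get("URI").lstrip("#") for r in elem.findall(f"{{{WSP}}}PolicyReference")]


def effective_policies(wsdl_text):
    """Map 'binding/operation/message' -> ordered policy ids for that message.
    Per WS-PolicyAttachment the binding, operation and message attachments all
    contribute to the message's effective policy, so all three are collected."""
    root = ET.fromstring(wsdl_text)
    result = {}
    for binding in root.findall(f"{{{WSDL}}}binding"):
        b_refs = _refs(binding)
        for op in binding.findall(f"{{{WSDL}}}operation"):
            o_refs = _refs(op)
            for msg in op:
                if msg.tag not in MESSAGE_TAGS:
                    continue
                merged = []
                for ref in b_refs + o_refs + _refs(msg):
                    if ref not in merged:
                        merged.append(ref)
                result[f"{binding.get('name')}/{op.get('name')}/{msg.get('name')}"] = merged
    return result


def username_token_containers(wsdl_text, policy_ids):
    """Local names of the *SupportingTokens assertions wrapping an
    sp:UsernameToken in the given policies. 'SupportingTokens' means the policy
    itself asks for no signature or encryption of the token; the Encrypted and
    SignedEncrypted variants make that protection an explicit requirement."""
    root = ET.fromstring(wsdl_text)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree has no parent links
    by_id = {p.get(f"{{{WSU}}}Id"): p for p in root.findall(f"{{{WSP}}}Policy")}
    found = set()
    for pid in policy_ids:
        policy = by_id.get(pid)
        if policy is None:
            continue
        for tok in policy.iter(f"{{{SP}}}UsernameToken"):
            node = parent.get(tok)
            while node is not None and not node.tag.endswith("SupportingTokens"):
                node = parent.get(node)
            if node is not None:
                found.add(node.tag.split("}")[1])
    return found


if __name__ == "__main__":
    for subject, ids in effective_policies(SAMPLE_WSDL).items():
        print(subject, ids, username_token_containers(SAMPLE_WSDL, ids))
```

Running it lists addBookRequest with all three policy ids and the container `SupportingTokens`, meaning the policy as written does not itself require the token to be encrypted; whether it shows up encrypted on the wire is then up to the stack, as Dan describes for the .NET case. Moving the UsernameToken under sp:EncryptedSupportingTokens (the #UsernameTokenEnc policy in the sample) makes that requirement explicit in the contract and removes the dependence on stack behaviour.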