Posted to issues@cxf.apache.org by "Pawel Lipka (JIRA)" <ji...@apache.org> on 2009/07/24 15:27:15 UTC

[jira] Updated: (CXF-2356) WS-SecurityPolicy and faults

     [ https://issues.apache.org/jira/browse/CXF-2356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pawel Lipka updated CXF-2356:
-----------------------------

    Attachment: wssecuritypolicy-tests.zip

A maven project with a test that shows the bug

> WS-SecurityPolicy and faults
> ----------------------------
>
>                 Key: CXF-2356
>                 URL: https://issues.apache.org/jira/browse/CXF-2356
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.2
>         Environment: cxf-2.2.2, wss4j-1.5.7, xmlsec-1.4.2
>            Reporter: Pawel Lipka
>         Attachments: wssecuritypolicy-tests.zip
>
>
> I have a secure WS that is described by a WS-Policy document that's
> pasted below.
> Policy A is attached to the wsdl:binding while policy B is attached to
> the wsdl:input, wsdl:output and wsdl:fault.
> When my WS throws a soap fault there are a couple of problems:
> 1) the soap:Body element is not encrypted
> 2) the soap:Body element is not signed
> 3) the WS client fails to validate the WS-Security header with the
> that's also pasted below.
> The problem seems to be in the way CXF handles WS-Security header using
> the PolicyBasedWSS4JInterceptor.
> When the response arrives it passes through the in interceptor chain and
> the encrypted parts are decrypted. The way wss4j handles decryption is
> that it replaces the xmlenc:EncryptedData element in the SOAP document
> with the decrypted content but it does not remove the corresponding
> xmlenc:ReferenceData/xmlenc:DataReference element from the Security
> header. After decryption is done some other interceptor detects that the
> message is actually a fault and triggers the inFault interceptor chain.
> The inFault interceptor chain again contains the
> PolicyBasedWSS4JInterceptor and it should contain it since not all the
> policy assertions have been asserted by the 'in' chain. (e.g.
> UsingAddressing  assertion).
> The PolicyBasedWSS4JInterceptor runs wss4j again on a document that has
> already been decrypted and fails with the error below because the
> xmlenc:ReferenceData/xmlenc:DataReference elements point to nothing.
> Has anyone ever hit a problem like that? Is there any workaround for
> that (other than changing the WS-Policy document)?
> thanks in advance,
> 7038 [main] WARN org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor  - 
> org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header (WSSecurityEngine: DataReference - referenced data not found)
>         at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:141)
>         at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:113)
>         at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:76)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:179)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>         at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
>         at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>         at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>         at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:645)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2132)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2015)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1940)
>         at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>         at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:180)
>         at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>         at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
>         at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:471)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:301)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:253)
>         at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:121)
>         at $Proxy38.sendMessage(Unknown Source)
>
> <wsp:Policy wsu:Id="A">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys />
>                   <sp:RequireThumbprintReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic128 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>           <sp:EncryptSignature />
>           <sp:OnlySignEntireHeadersAndBody />
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>       <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:RequireThumbprintReference />
>               <sp:WssX509V3Token10 />
>             </wsp:Policy>
>           </sp:X509Token>
>         </wsp:Policy>
>       </sp:EndorsingSupportingTokens>
>       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier />
>           <sp:MustSupportRefIssuerSerial />
>           <sp:MustSupportRefThumbprint />
>           <sp:MustSupportRefEncryptedKey />
>           <sp:RequireSignatureConfirmation />
>         </wsp:Policy>
>       </sp:Wss11>
>       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens />
>           <sp:RequireClientEntropy />
>           <sp:RequireServerEntropy />
>         </wsp:Policy>
>       </sp:Trust10>
>       <wsaw:UsingAddressing />
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="B">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>       </sp:SignedParts>
>       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>       </sp:EncryptedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>

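The in-chain then inFault-chain sequence the report describes, as an added model written for this page (it is not CXF or WSS4J code and not the reporter's attached test project). It assumes the standard XML Encryption element names (xenc:ReferenceList containing xenc:DataReference, which the report calls ReferenceData/DataReference), replaces real decryption with a constructed placeholder lookup, and the remove_processed_refs switch is a hypothetical knob that exists only to show why the second security pass fails when the processed reference is left in the header:

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample: a SOAP fault response whose Body content was encrypted by
# the service. "PLACEHOLDER-CIPHERTEXT" stands in for real ciphertext; no
# cryptography is modelled in this example.
SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
  <soap:Header>
    <wsse:Security>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#enc-body-1"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="enc-body-1" Type="{XENC}Content">
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""

# Constructed "plaintext" the placeholder ciphertext decrypts to.
PLAINTEXT_BY_CIPHER = {
    "PLACEHOLDER-CIPHERTEXT":
        f'<soap:Fault xmlns:soap="{SOAP}"><faultcode>soap:Server</faultcode>'
        f'<faultstring>service failed</faultstring></soap:Fault>',
}


class WSSecurityError(Exception):
    """Stands in for org.apache.ws.security.WSSecurityException."""


def _find_by_id(root, ref_id):
    return next((el for el in root.iter() if el.get("Id") == ref_id), None)


def _security_header(root):
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        raise WSSecurityError("no wsse:Security header")
    return sec


def process_security_header(root, remove_processed_refs=False):
    """One modelled pass of the security engine over the wsse:Security header.

    Every xenc:DataReference is resolved to the element whose Id it names and
    that xenc:EncryptedData is replaced in place by its decrypted content, which
    is what the report says WSS4J does. With remove_processed_refs=False (the
    behaviour described in the report) the DataReference is left in the header.
    Returns the number of references decrypted.
    """
    count = 0
    for ref_list in _security_header(root).findall(f"{{{XENC}}}ReferenceList"):
        for data_ref in list(ref_list.findall(f"{{{XENC}}}DataReference")):
            ref_id = data_ref.get("URI", "").lstrip("#")
            enc = _find_by_id(root, ref_id)
            if enc is None or enc.tag != f"{{{XENC}}}EncryptedData":
                raise WSSecurityError(
                    f"DataReference - referenced data not found: #{ref_id}")
            cipher = enc.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue").text
            if cipher not in PLAINTEXT_BY_CIPHER:
                raise WSSecurityError("decryption failed")
            plaintext = ET.fromstring(PLAINTEXT_BY_CIPHER[cipher])
            parent = {c: p for p in root.iter() for c in p}[enc]
            idx = list(parent).index(enc)
            parent.remove(enc)
            parent.insert(idx, plaintext)  # EncryptedData -> decrypted content
            if remove_processed_refs:
                ref_list.remove(data_ref)  # hypothetical: forget the consumed reference
            count += 1
    return count


def dangling_references(root):
    """Check to run between the two chains: DataReference URIs in the Security
    header that no longer resolve to an xenc:EncryptedData element. A non-empty
    result means a second security pass over this DOM will fail as in the report."""
    out = []
    for data_ref in _security_header(root).iter(f"{{{XENC}}}DataReference"):
        ref_id = data_ref.get("URI", "").lstrip("#")
        target = _find_by_id(root, ref_id)
        if target is None or target.tag != f"{{{XENC}}}EncryptedData":
            out.append(ref_id)
    return out


def simulate_client(remove_processed_refs=False):
    """'in' chain pass, fault detection, then the inFault chain pass.
    Returns (body_is_fault, dangling_refs_between_chains, second_pass_error)."""
    root = ET.fromstring(SAMPLE_RESPONSE)
    process_security_header(root, remove_processed_refs)        # 'in' chain
    is_fault = root.find(f"{{{SOAP}}}Body/{{{SOAP}}}Fault") is not None
    dangling = dangling_references(root)
    try:
        process_security_header(root, remove_processed_refs)    # inFault chain
        error = None
    except WSSecurityError as exc:
        error = str(exc)
    return is_fault, dangling, error


if __name__ == "__main__":
    print("reference left in header:", simulate_client(False))
    print("reference removed after use:", simulate_client(True))
```

The first call reproduces the report: the Body is a fault after the in chain, the check flags `enc-body-1` as dangling, and the inFault pass raises "referenced data not found". The second call, with the consumed reference dropped, shows that the failure is purely a consequence of re-running the engine on a DOM that still advertises a reference it has already consumed.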