You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Augusto Lima Filho <au...@gmail.com> on 2010/05/25 19:29:07 UTC
Problem using CXF client on Weblogic WS (WS-SecurityPolicy)
Hello everyone,
I've been trying to access a Web Service written on WebLogic server
and using Standard WS-Policy assertions but for some reason CXF
complains the Policy does not have alternatives:
"javax.xml.ws.soap.SOAPFaultException: None of the policy alternatives
can be satisfied."
The WS-policies I'm using are default Weblogic ones and were not
customised, here are them (extracted from the WSDL):
<wsp:UsingPolicy wssutil:Required="true" />
<wsp:Policy wssutil:Id="Wssp1.2-Wss1.0-X509-Basic256.xml">
<ns0:AsymmetricBinding>
<wsp:Policy>
<ns0:InitiatorToken>
<wsp:Policy>
<ns0:X509Token
ns0:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns0:WssX509V3Token10 />
</wsp:Policy>
</ns0:X509Token>
</wsp:Policy>
</ns0:InitiatorToken>
<ns0:RecipientToken>
<wsp:Policy>
<ns0:X509Token
ns0:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/Never">
<wsp:Policy>
<ns0:WssX509V3Token10 />
</wsp:Policy>
</ns0:X509Token>
</wsp:Policy>
</ns0:RecipientToken>
<ns0:AlgorithmSuite>
<wsp:Policy>
<ns0:Basic256 />
</wsp:Policy>
</ns0:AlgorithmSuite>
<ns0:Layout>
<wsp:Policy>
<ns0:Lax />
</wsp:Policy>
</ns0:Layout>
<ns0:IncludeTimestamp />
<ns0:ProtectTokens />
<ns0:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</ns0:AsymmetricBinding>
<ns1:Wss10>
<wsp:Policy>
<ns1:MustSupportRefKeyIdentifier />
<ns1:MustSupportRefIssuerSerial />
</wsp:Policy>
</ns1:Wss10>
</wsp:Policy>
<wsp:Policy wssutil:Id="Wssp1.2-2007-EncryptBody.xml">
<ns2:EncryptedParts>
<ns2:Body />
</ns2:EncryptedParts>
</wsp:Policy>
<wsp:Policy wssutil:Id="Wssp1.2-SignBody.xml">
<ns3:SignedParts>
<ns3:Body />
</ns3:SignedParts>
</wsp:Policy>
<wsp:UsingPolicy wssutil:Required="true" />
<wsp:Policy wssutil:Id="Wssp1.2-Wss1.0-X509-Basic256.xml">
<ns1:AsymmetricBinding>
<wsp:Policy>
<ns1:InitiatorToken>
<wsp:Policy>
<ns1:X509Token
ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<ns1:WssX509V3Token10 />
</wsp:Policy>
</ns1:X509Token>
</wsp:Policy>
</ns1:InitiatorToken>
<ns1:RecipientToken>
<wsp:Policy>
<ns1:X509Token
ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/Never">
<wsp:Policy>
<ns1:WssX509V3Token10 />
</wsp:Policy>
</ns1:X509Token>
</wsp:Policy>
</ns1:RecipientToken>
<ns1:AlgorithmSuite>
<wsp:Policy>
<ns1:Basic256 />
</wsp:Policy>
</ns1:AlgorithmSuite>
<ns1:Layout>
<wsp:Policy>
<ns1:Lax />
</wsp:Policy>
</ns1:Layout>
<ns1:IncludeTimestamp />
<ns1:ProtectTokens />
<ns1:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</ns1:AsymmetricBinding>
<ns2:Wss10>
<wsp:Policy>
<ns2:MustSupportRefKeyIdentifier />
<ns2:MustSupportRefIssuerSerial />
</wsp:Policy>
</ns2:Wss10>
</wsp:Policy>
<wsp:Policy wssutil:Id="Wssp1.2-2007-EncryptBody.xml">
<ns3:EncryptedParts>
<ns3:Body />
</ns3:EncryptedParts>
</wsp:Policy>
<wsp:Policy wssutil:Id="Wssp1.2-SignBody.xml">
<ns4:SignedParts>
<ns4:Body />
</ns4:SignedParts>
</wsp:Policy>
By inspecting the Policy in the WSDL I noticed it does not contain a
<wsp:All> and <wsp:ExactlyOne> tags, I don't know if this is required
by the specification. Using the client generated by the Weblogic
server the call works normally.
The assignment is done as following:
<binding name="CatalogoDadosPortBinding" type="tns:CatalogoDadosImpl">
<wsp:PolicyReference URI="#Wssp1.2-Wss1.0-X509-Basic256.xml"/>
<wsp:PolicyReference URI="#Wssp1.2-SignBody.xml"/>
<wsp:PolicyReference URI="#Wssp1.2-2007-EncryptBody.xml"/>
<wsp:PolicyReference URI="#Wssp1.2-Wss1.0-X509-Basic256.xml"/>
<wsp:PolicyReference URI="#Wssp1.2-SignBody.xml"/>
<wsp:PolicyReference URI="#Wssp1.2-2007-EncryptBody.xml"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
<operation name="init"> ...
It's strange that it's generating the policy references twice for each
one but I don't think that's the problem since, like I said, the
client using the weblogic server libraries works normally. Any help
will be appretiated!
Thank you
Re: Problem using CXF client on Weblogic WS (WS-SecurityPolicy)
Posted by Daniel Kulp <dk...@apache.org>.
On Tuesday 25 May 2010 1:29:07 pm Augusto Lima Filho wrote:
> Hello everyone,
> I've been trying to access a Web Service written on WebLogic server
> and using Standard WS-Policy assertions but for some reason CXF
> complains the Policy does not have alternatives:
> "javax.xml.ws.soap.SOAPFaultException: None of the policy alternatives
> can be satisfied."
That's caused by not understanding one of the Elements in the policy. My
gut feeling MAY be:
<wsp:UsingPolicy wssutil:Required="true" />
as I haven't seen that in a WSDL yet and a grep through the code doesn't
reveal anything. Any chance you can try removing those and seeing if that
fixes it? If so, definitely file a bug.
If not, I'd probably need a full wsdl to really debug the problem. If
possible, take one of our hello world type things and just copy the policies
into it and do a quick double check.
Dan
>
> The WS-policies I'm using are default Weblogic ones and were not
> customised, here are them (extracted from the WSDL):
>
> <wsp:UsingPolicy wssutil:Required="true" />
>
> <wsp:Policy wssutil:Id="Wssp1.2-Wss1.0-X509-Basic256.xml">
> <ns0:AsymmetricBinding>
> <wsp:Policy>
> <ns0:InitiatorToken>
> <wsp:Policy>
> <ns0:X509Token
> ns0:IncludeToken="http://docs.oasis-open.org/ws-
sx/ws-securitypolicy/
> 200512/IncludeToken/AlwaysToRecipient"> <wsp:Policy>
> <ns0:WssX509V3Token10 />
> </wsp:Policy>
> </ns0:X509Token>
> </wsp:Policy>
> </ns0:InitiatorToken>
>
> <ns0:RecipientToken>
> <wsp:Policy>
> <ns0:X509Token
> ns0:IncludeToken="http://docs.oasis-open.org/ws-
sx/ws-securitypolicy/
> 200512/IncludeToken/Never"> <wsp:Policy>
> <ns0:WssX509V3Token10 />
> </wsp:Policy>
> </ns0:X509Token>
> </wsp:Policy>
> </ns0:RecipientToken>
>
> <ns0:AlgorithmSuite>
> <wsp:Policy>
> <ns0:Basic256 />
> </wsp:Policy>
> </ns0:AlgorithmSuite>
>
> <ns0:Layout>
> <wsp:Policy>
> <ns0:Lax />
> </wsp:Policy>
> </ns0:Layout>
> <ns0:IncludeTimestamp />
> <ns0:ProtectTokens />
> <ns0:OnlySignEntireHeadersAndBody />
> </wsp:Policy>
> </ns0:AsymmetricBinding>
>
> <ns1:Wss10>
> <wsp:Policy>
> <ns1:MustSupportRefKeyIdentifier />
> <ns1:MustSupportRefIssuerSerial />
> </wsp:Policy>
> </ns1:Wss10>
> </wsp:Policy>
>
> <wsp:Policy wssutil:Id="Wssp1.2-2007-EncryptBody.xml">
> <ns2:EncryptedParts>
> <ns2:Body />
> </ns2:EncryptedParts>
> </wsp:Policy>
>
> <wsp:Policy wssutil:Id="Wssp1.2-SignBody.xml">
> <ns3:SignedParts>
> <ns3:Body />
> </ns3:SignedParts>
> </wsp:Policy>
> <wsp:UsingPolicy wssutil:Required="true" />
>
> <wsp:Policy wssutil:Id="Wssp1.2-Wss1.0-X509-Basic256.xml">
>
> <ns1:AsymmetricBinding>
> <wsp:Policy>
> <ns1:InitiatorToken>
> <wsp:Policy>
> <ns1:X509Token
> ns1:IncludeToken="http://docs.oasis-open.org/ws-
sx/ws-securitypolicy/
> 200512/IncludeToken/AlwaysToRecipient"> <wsp:Policy>
> <ns1:WssX509V3Token10 />
> </wsp:Policy>
> </ns1:X509Token>
> </wsp:Policy>
> </ns1:InitiatorToken>
>
> <ns1:RecipientToken>
> <wsp:Policy>
> <ns1:X509Token
> ns1:IncludeToken="http://docs.oasis-open.org/ws-
sx/ws-securitypolicy/
> 200512/IncludeToken/Never"> <wsp:Policy>
> <ns1:WssX509V3Token10 />
> </wsp:Policy>
> </ns1:X509Token>
> </wsp:Policy>
> </ns1:RecipientToken>
>
> <ns1:AlgorithmSuite>
> <wsp:Policy>
> <ns1:Basic256 />
> </wsp:Policy>
> </ns1:AlgorithmSuite>
>
> <ns1:Layout>
> <wsp:Policy>
> <ns1:Lax />
> </wsp:Policy>
> </ns1:Layout>
> <ns1:IncludeTimestamp />
> <ns1:ProtectTokens />
> <ns1:OnlySignEntireHeadersAndBody />
> </wsp:Policy>
> </ns1:AsymmetricBinding>
>
> <ns2:Wss10>
> <wsp:Policy>
> <ns2:MustSupportRefKeyIdentifier />
> <ns2:MustSupportRefIssuerSerial />
> </wsp:Policy>
> </ns2:Wss10>
> </wsp:Policy>
>
> <wsp:Policy wssutil:Id="Wssp1.2-2007-EncryptBody.xml">
> <ns3:EncryptedParts>
> <ns3:Body />
> </ns3:EncryptedParts>
> </wsp:Policy>
>
> <wsp:Policy wssutil:Id="Wssp1.2-SignBody.xml">
> <ns4:SignedParts>
> <ns4:Body />
> </ns4:SignedParts>
> </wsp:Policy>
>
>
> By inspecting the Policy in the WSDL I noticed it does not contain a
> <wsp:All> and <wsp:ExactlyOne> tags, I don't know if this is required
> by the specification. Using the client generated by the Weblogic
> server the call works normally.
>
> The assignment is done as following:
>
> <binding name="CatalogoDadosPortBinding" type="tns:CatalogoDadosImpl">
> <wsp:PolicyReference URI="#Wssp1.2-Wss1.0-X509-Basic256.xml"/>
> <wsp:PolicyReference URI="#Wssp1.2-SignBody.xml"/>
> <wsp:PolicyReference URI="#Wssp1.2-2007-EncryptBody.xml"/>
> <wsp:PolicyReference URI="#Wssp1.2-Wss1.0-X509-Basic256.xml"/>
> <wsp:PolicyReference URI="#Wssp1.2-SignBody.xml"/>
> <wsp:PolicyReference URI="#Wssp1.2-2007-EncryptBody.xml"/>
> <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
> style="document"/>
> <operation name="init"> ...
>
> It's strange that it's generating the policy references twice for each
> one but I don't think that's the problem since, like I said, the
> client using the weblogic server libraries works normally. Any help
> will be appretiated!
> Thank you
--
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog