Posted to users@cxf.apache.org by Andrei Shakirin <as...@talend.com> on 2016/06/05 15:39:37 UTC

RE: WS-SecurityPolicy and signing faults

Hi Jens,

> Wrt PolicyAttachment http://cxf.apache.org/docs/how-it-works.html says that
> "Currently, CXF supports only domain expressions of type
> wsa:EndpointReferenceType" to associate policy attachments with policy
> targets. I suppose that means there is currently no means to select a specific
> input/output from XML configuration only?

The PolicyAttachment URIDomainExpressionBuilder support was extended in CXF 2.7.12 (3.0.0): https://issues.apache.org/jira/browse/CXF-5685
Therefore you can use the following expressions as well:
wsdl11.definitions()
wsdl11.service(service)
wsdl11.binding(binding)
wsdl11.bindingOperation(binding/operation)
wsdl11.bindingOperation.input(binding/operation)
wsdl11.bindingOperation.output(binding/operation)
wsdl11.bindingOperation.fault(binding/operation/fault)

See https://github.com/apache/cxf/blob/master/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/policy/AddressingPolicyExternalAttachmentWsdl11Test.java as a sample.

I will update the documentation.


If you need a really dynamic way to assign the policy, you can consider using the PolicyConstants.POLICY_OVERRIDE property in your interceptor: http://ashakirin.blogspot.de/2012/02/using-ws-policy-in-cxf-projects.html ; http://cxf.apache.org/using-ws-policy-in-cxf-projects (Dynamically via message property)

Regards,
Andrei.

> -----Original Message-----
> From: Jens [mailto:smixdev@dzbank.de]
> Sent: Monday, 30 May 2016 09:30
> To: users@cxf.apache.org
> Subject: Re: WS-SecurityPolicy and signing faults
> 
> Thanks, Colm.
> 
> Unfortunately, that doesn't work for me, either. I'm using a Camel-CXF
> endpoint to internally forward the messages and I don't actually have a SEI to
> add annotations to.
> 
> Wrt PolicyAttachment http://cxf.apache.org/docs/how-it-works.html says that
> "Currently, CXF supports only domain expressions of type
> wsa:EndpointReferenceType" to associate policy attachments with policy
> targets. I suppose that means there is currently no means to select a specific
> input/output from XML configuration only?
> 
> Regards,
> Jens
> 
> 
> coheigea wrote
> > Hi Jens,
> >
> > You could try using the CXF @Policy annotation on the SEI itself. I
> > added a test that shows how this can be done:
> >
> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/java/org/apache/cxf/systest/ws/fault/FaultTest.java;h=471f07ce0d6a53d7c869240e19ee494be6c360ee;hb=HEAD
> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/java/org/apache/cxf/systest/ws/fault/DoubleItPortTypeImplJavaFirst.java;h=5e205246c7f4103b3f3d7a25cddd2517430edc83;hb=HEAD
> >
> > Two policies are defined on the latter, the security binding policy +
> > then the actual signed/encrypted parts policy, which is attached on
> > placement = Placement.BINDING_OPERATION_OUTPUT. This means that it is
> > only invoked on the normal response, and not if an exception is thrown.
> >
> > Note Dan Kulp fixed a bug to get this test to work -  before you could
> > only add policy annotations on methods of an interface, not of the
> > implementing class.
> >
> > Colm.
> >
> > On Wed, May 18, 2016 at 2:10 PM, Jens <smixdev@> wrote:
> >
> >> Thanks Colm,
> >>
> >> I cannot (am not supposed to) change the WSDL so I'm using a
> >> wsp:PolicyReference on the CXF endpoint.
> >> Is it possible that way as well?
> >>
> >> Jens
> >>
> >>
> >> coheigea wrote
> >> > Yes, simply reference the SignedParts policy only in the
> >> wsdl:input/output
> >> > in your wsdl:binding, and not the wsdl:fault.
> >> >
> >> > Colm.
> >> >
> >> > On Wed, May 18, 2016 at 9:17 AM, Jens <smixdev@> wrote:
> >> >
> >> >> Hi,
> >> >>
> >> >> I'm using WS-SecurityPolicy to sign my SOAP messages with
> >> >> SignedParts/Body and OnlySignEntireHeadersAndBody. In previous
> >> >> versions of CXF, the runtime would never sign outgoing fault
> >> >> messages. Recent versions seem to now sign fault messages, too. Is
> >> >> there a way to disable this new behaviour and go back to signing
> >> >> "regular" responses only? Is there a way to specify that with
> >> >> WS-Policy?
> >> >>
> >> >> Thanks,
> >> >> Jens
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> View this message in context: http://cxf.547215.n5.nabble.com/WS-SecurityPolicy-and-signing-faults-tp5768725.html
> >> >> Sent from the cxf-user mailing list archive at Nabble.com.
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > Colm O hEigeartaigh
> >> >
> >> > Talend Community Coder
> >> > http://coders.talend.com
> >>
> >>
> >>
> >>
> >>
> >> --
> >> View this message in context: http://cxf.547215.n5.nabble.com/WS-SecurityPolicy-and-signing-faults-tp5768725p5768739.html
> >> Sent from the cxf-user mailing list archive at Nabble.com.
> >>
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> 
> 
> 
> 
> 
> --
> View this message in context: http://cxf.547215.n5.nabble.com/WS-SecurityPolicy-and-signing-faults-tp5768725p5769073.html
> Sent from the cxf-user mailing list archive at Nabble.com.
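
Andrei's second suggestion above, selecting the policy per message through PolicyConstants.POLICY_OVERRIDE from an interceptor, written out as code. This is an added example for the thread, not code from CXF, Talend or any poster. The class name, the two classpath resource names and the rule "normal responses get the full policy, outgoing faults get a reduced one" are assumptions for illustration; that the CXF policy interceptors honour the override on the server out-fault chain in your version is something to verify before relying on it.

```java
import java.io.InputStream;

import org.apache.cxf.Bus;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.policy.PolicyConstants;
import org.apache.neethi.Policy;

/**
 * Picks the effective WS-Policy for each outbound server message and hands it
 * to the CXF policy engine through the PolicyConstants.POLICY_OVERRIDE message
 * property, instead of relying only on the static WSDL / external attachments.
 *
 * Added example, not CXF project code. Assumed: the two classpath resource
 * names below, and that a reduced policy is what you want on outgoing faults.
 */
public class FaultAwarePolicyOverrideInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Full policy (security binding plus SignedParts/Body) for normal responses. */
    private final Policy responsePolicy;
    /** Reduced policy applied to outgoing faults (assumed to omit SignedParts). */
    private final Policy faultPolicy;

    public FaultAwarePolicyOverrideInterceptor(Bus bus) throws Exception {
        // PolicyOutInterceptor evaluates the policy in Phase.SETUP, so the
        // override has to be set earlier in that same phase.
        super(Phase.SETUP);
        addBefore(PolicyConstants.POLICY_OUT_INTERCEPTOR_ID);

        // PolicyBuilder is the bus extension that parses wsp:Policy XML into
        // Neethi Policy objects; the override value must be a Policy object.
        PolicyBuilder builder = bus.getExtension(PolicyBuilder.class);
        responsePolicy = load(builder, "/policies/response-signed.xml"); // assumed resource
        faultPolicy = load(builder, "/policies/fault-reduced.xml");      // assumed resource
    }

    private static Policy load(PolicyBuilder builder, String resource) throws Exception {
        try (InputStream in = FaultAwarePolicyOverrideInterceptor.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IllegalStateException("policy resource not on classpath: " + resource);
            }
            return builder.getPolicy(in);
        }
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Server side only: client requests keep whatever static policy applies.
        if (MessageUtils.isRequestor(message)) {
            return;
        }
        // On the server, faults travel on the out-fault chain, where
        // MessageUtils.isFault is true (it is false on the normal out chain),
        // so one interceptor registered on both chains can choose per message.
        Policy chosen = MessageUtils.isFault(message) ? faultPolicy : responsePolicy;
        message.put(PolicyConstants.POLICY_OVERRIDE, chosen);
    }
}
```

Register one instance on both the out and the out-fault chain of the endpoint (endpoint.getOutInterceptors() and endpoint.getOutFaultInterceptors(), or the matching jaxws:outInterceptors / jaxws:outFaultInterceptors elements in Spring configuration); on the out-fault chain the server policy fault interceptor has its own id, so check that this interceptor really runs before it in Phase.SETUP. Keep in mind what the reduced policy buys and costs: a fault that carries no signature cannot be told apart from a fault injected on the path, so if the transport is not already authenticated (TLS with server authentication), dropping SignedParts from faults is a real downgrade and not just a cosmetic cleanup.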

RE: WS-SecurityPolicy and signing faults

Posted by Jens <sm...@dzbank.de>.
I think I see what the problem is. I'm trying to use a WS-Sec
AsymmetricBinding but that can only be assigned at the endpoint level, not
bindings or messages. As a result, it seems to me that going back to the CXF
2.x state of no security for fault messages is not possible. The closest
solution that should be possible seems to be to change the signed parts on
the relevant messages accordingly. I haven't been able to make that work
yet, either. As far as I can see it would still leave the unwanted security
token in the fault message in any case.

I'll poke around some more.

Jens







--
View this message in context: http://cxf.547215.n5.nabble.com/WS-SecurityPolicy-and-signing-faults-tp5768725p5769332.html
Sent from the cxf-user mailing list archive at Nabble.com.
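
The two-policy layout that Jens describes above (AsymmetricBinding at the endpoint level, SignedParts narrowed to the relevant messages) written as an external attachment file using the wsdl11.* domain expressions from Andrei's list. This is an added example, not a file from the thread, from CXF or from Talend. The target namespace, the QuoteService / QuoteSoapBinding / getQuote names, the policy Ids, the root element name and the "targetNamespace#wsdl11.xxx(local/names)" form of the wsp:URI value (taken from the URI domain expression appendix of WS-PolicyAttachment 1.5) are all assumptions to check against the AddressingPolicyExternalAttachmentWsdl11Test that Andrei links and the XML it loads. Jens reports mustUnderstand errors with exactly the input/output attachments, so treat this as the shape to start from, not as a verified fix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: external policy attachment file for CXF's
     ExternalAttachmentProvider. Not from the thread or from CXF.
     Assumed: root element name, target namespace http://example.com/quote,
     the QuoteService / QuoteSoapBinding / getQuote names, the policy Ids, and
     the "targetNamespace#wsdl11.xxx(local/names)" form of the wsp:URI value. -->
<attachments
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

  <!-- Endpoint-level subject: the AsymmetricBinding is attached once, to the
       service, because a security binding cannot be scoped to a single
       message. It therefore still governs faults. -->
  <wsp:PolicyAttachment>
    <wsp:AppliesTo>
      <wsp:URI>http://example.com/quote#wsdl11.service(QuoteService)</wsp:URI>
    </wsp:AppliesTo>
    <wsp:PolicyReference URI="#AsymmetricX509"/>
  </wsp:PolicyAttachment>

  <!-- Message-level subjects: SignedParts/Body only on the request and the
       normal response of getQuote. There is deliberately no attachment for
       wsdl11.bindingOperation.fault(QuoteSoapBinding/getQuote/QuoteFault)
       (QuoteFault is an assumed fault name); this is the external-attachment
       equivalent of referencing SignedParts from wsdl:input/wsdl:output but
       not from wsdl:fault. -->
  <wsp:PolicyAttachment>
    <wsp:AppliesTo>
      <wsp:URI>http://example.com/quote#wsdl11.bindingOperation.input(QuoteSoapBinding/getQuote)</wsp:URI>
    </wsp:AppliesTo>
    <wsp:PolicyReference URI="#SignBody"/>
  </wsp:PolicyAttachment>
  <wsp:PolicyAttachment>
    <wsp:AppliesTo>
      <wsp:URI>http://example.com/quote#wsdl11.bindingOperation.output(QuoteSoapBinding/getQuote)</wsp:URI>
    </wsp:AppliesTo>
    <wsp:PolicyReference URI="#SignBody"/>
  </wsp:PolicyAttachment>

  <wsp:Policy wsu:Id="AsymmetricX509">
    <sp:AsymmetricBinding>
      <wsp:Policy>
        <sp:InitiatorToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:InitiatorToken>
        <sp:RecipientToken>
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
              <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:RecipientToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256/></wsp:Policy></sp:AlgorithmSuite>
        <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
        <sp:IncludeTimestamp/>
        <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
    </sp:AsymmetricBinding>
  </wsp:Policy>

  <wsp:Policy wsu:Id="SignBody">
    <sp:SignedParts>
      <sp:Body/>
    </sp:SignedParts>
  </wsp:Policy>
</attachments>
```

The file is loaded through the externalAttachment element of the http://cxf.apache.org/policy namespace in the bus configuration (for example with location="classpath:policy-attachments.xml"); no wsdl:fault attachment is made on purpose, and the expressions accept regular expressions, which is what Jens's "...input(.*/.*)" attempt relies on. Even if the SignedParts assertion no longer applies to faults, the endpoint-level AsymmetricBinding still does, which is Jens's observation that the security token stays in the fault message.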

RE: WS-SecurityPolicy and signing faults

Posted by Jens <sm...@dzbank.de>.
Hi Andrei,

that looks just like what I was looking for, thanks!

However, I can't seem to make it work. Applying the policy to service()
works fine, but with both bindingOperation.input/output() and
portTypeOperation.input/output() I always get mustUnderstand errors for the
security headers (even with "...input(.*/.*)") so it looks like the policy
either doesn't apply the necessary interceptors or doesn't match outright.

Any ideas what might be wrong?

Jens







--
View this message in context: http://cxf.547215.n5.nabble.com/WS-SecurityPolicy-and-signing-faults-tp5768725p5769328.html
Sent from the cxf-user mailing list archive at Nabble.com.