Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2012/12/21 16:55:14 UTC

[jira] [Resolved] (CXF-4716) WS-security policies enforcement with CXF server, bad policy selected

     [ https://issues.apache.org/jira/browse/CXF-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-4716.
--------------------------------------

    Resolution: Fixed


This issue is now fixed, as confirmed by a test-case. The problem was that we were exiting too early from certain policy validation operations.

Colm.
                
> WS-security policies enforcement with CXF server, bad policy selected
> ---------------------------------------------------------------------
>
>                 Key: CXF-4716
>                 URL: https://issues.apache.org/jira/browse/CXF-4716
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.6.1, 2.7.1
>         Environment: JDK 1.7.0_02
> Windows 7
> Tomcat 6.0.29
>            Reporter: Franck WIELGUS
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>             Fix For: 2.5.8, 2.6.5, 2.7.2
>
>         Attachments: CA_groupHeader_simple.xsd, POC1.wsdl, POC1.xsd, request.txt
>
>
> The problem is related to WS-security policies, only when a service is exposed with CXF in Tomcat:
> We have 2 operations:
> - getMsgChiffr: the "chiffr_policy" security policy is bound
> - getMsg2ChiffrBody: the "chiffr_body_policy" security policy is bound
> The input request for these 2 operations is composed of:
> - an input message: a string
> - a header: two strings
> The 2 policies are:
> chiffr_body_policy: only the body must be encrypted
> chiffr_policy: body+headers must be encrypted
> When getMsgChiffr is called, all is fine. CXF checks if "chiffr_policy" is correctly applied (= body+headers encrypted).
> When getMsg2ChiffrBody is called, CXF checks "chiffr_policy" instead of "chiffr_body_policy". The stacktrace is:
> 2012-12-20 17:16:21,037-DEBUG PolicyBasedWSS4JInInterceptor - Incoming request failed signed-encrypted policy validation
> 2012-12-20 17:16:21,037-DEBUG WSS4JInInterceptor - WSS4JInInterceptor: exit handleMessage()
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor@1c673a9
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.jaxb.attachment.JAXBAttachmentSchemaValidationHack@2a6c5e
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.interceptor.DocLiteralInInterceptor@46a62
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.SoapHeaderInterceptor@1e463a2
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.interceptor.OneWayProcessorInterceptor@1173444
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.jaxws.interceptors.WrapperClassInInterceptor@688800
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.jaxws.interceptors.SwAInInterceptor@b07eeb
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.jaxws.interceptors.HolderInInterceptor@b8ec86
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.ws.policy.PolicyVerificationInInterceptor@1d6f8ae
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.ws.policy.PolicyVerificationInInterceptor@1d6f8ae
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.HolderInInterceptor@b8ec86
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.SwAInInterceptor@b07eeb
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.WrapperClassInInterceptor@688800
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.OneWayProcessorInterceptor@1173444
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapHeaderInterceptor@1e463a2
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.DocLiteralInInterceptor@46a62
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxb.attachment.JAXBAttachmentSchemaValidationHack@2a6c5e
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor@1c673a9
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor@676d73
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor@1d3676a
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.ws.mex.MEXInInterceptor@7e872c
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor@16d81d
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor@7418be
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor@1494fcf
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.saaj.SAAJInInterceptor$SAAJPreInInterceptor@1264f8b
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.frontend.WSDLGetInterceptor@11be2e3
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.StaxInInterceptor@1e699b0
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.transport.https.CertConstraintsInterceptor@130ac20
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.AttachmentInInterceptor@dc5f15
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.LoggingInInterceptor@15ca1bd
> 2012-12-20 17:16:21,052-DEBUG PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.ws.policy.PolicyInInterceptor@2c7301
> 2012-12-20 17:16:21,052-WARN  PhaseInterceptorChain - Interceptor for {http://www.abcdef-hijklmn.fr/interop/POC1/}POC1_service_sec#{http://www.abcdef-hijklmn.fr/interop/POC1/}getMsg2ChiffrBody has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://referentiel.ca.fr/soapHeaderV1} not + ENCRYPTED
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
> 	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
> 	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:238)
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:218)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:198)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137)
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:158)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:243)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:163)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:219)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> 	at java.lang.Thread.run(Thread.java:722)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: 
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://referentiel.ca.fr/soapHeaderV1} not + ENCRYPTED
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
> 	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
> 	at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
> 	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
> 	... 23 more
> The behavior seems to depend on some names used in the WSDL definition. The problem disappears when these names are changed, for example:
> - targetNamespace set to http://www.abcdefghijklmn.fr/interop/POC1/ or http://www.c-a.fr/interop/POC1/
> - operation getMsgChiffr set to something else
> It works fine when CXF runs as a client with the same WSDL. (CXF 2.6.1, CXF 2.7.1)
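
The resolution above attributes the bug to exiting too early from policy validation. The following is an added example, not code from CXF or from this issue: a simplified model of that failure class, in which a validator that returns at the first failing assertion record leaves the body-only record unevaluated even though the request satisfies it. The class `EarlyExitDemo`, the `Info` record and all method names are hypothetical; only the two policy names come from the report.

```java
import java.util.List;
import java.util.Set;

// Simplified model, not CXF code: Info stands in for one EncryptedParts assertion record.
public class EarlyExitDemo {
    static final class Info {
        final String policy;          // policy the assertion belongs to
        final boolean headerRequired; // true when the header must be encrypted too
        boolean asserted;             // set once the request is found to satisfy it
        String error;                 // reason recorded when it does not
        Info(String policy, boolean headerRequired) {
            this.policy = policy;
            this.headerRequired = headerRequired;
        }
    }

    static boolean check(Info ai, Set<String> encryptedParts) {
        boolean ok = encryptedParts.contains("body")
                && (!ai.headerRequired || encryptedParts.contains("header"));
        ai.asserted = ok;
        ai.error = ok ? null : "required part not ENCRYPTED";
        return ok;
    }

    // Early exit: stops at the first failing record, so later records are never evaluated.
    static void validateEarlyExit(List<Info> infos, Set<String> encryptedParts) {
        for (Info ai : infos) {
            if (!check(ai, encryptedParts)) return;
        }
    }

    // Complete pass: every record is evaluated and marked on its own merits.
    static void validateAll(List<Info> infos, Set<String> encryptedParts) {
        for (Info ai : infos) check(ai, encryptedParts);
    }

    static List<Info> bothPolicies() {
        return List.of(new Info("chiffr_policy", true),        // body + headers
                       new Info("chiffr_body_policy", false)); // body only
    }

    public static void main(String[] args) {
        Set<String> request = Set.of("body"); // constructed input: only the body is encrypted
        List<Info> early = bothPolicies();
        validateEarlyExit(early, request);
        List<Info> full = bothPolicies();
        validateAll(full, request);
        for (int i = 0; i < early.size(); i++) {
            System.out.printf("%-18s early-exit: asserted=%b error=%s | full pass: asserted=%b%n",
                    early.get(i).policy, early.get(i).asserted, early.get(i).error, full.get(i).asserted);
        }
    }
}
```

With the early exit, `chiffr_body_policy` ends up unasserted with no recorded reason, while the full pass marks it asserted; whether the failing record is reached first depends on the order of the collection.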
