You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Daniel Kulp <dk...@apache.org> on 2009/04/08 22:58:14 UTC
Re: WS-SecurityPolicy: Problem with AsymmetricBinding: Not signed before encrypted
That definitely looks like a bug. Can you log a jira with your policy
attached? I'll see if I can look at it tomorrow.
Dan
On Wed April 8 2009 12:07:31 pm Benjamin Ernst wrote:
> Hello everybody,
>
> I have a problem with the WS-SecurityPolicy. My Policy only asserts that
> the body is signed, but not encrypted. Sending signed messages is no
> problem, but when I receive a signed message the following error appears:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> alternatives can not be satisfied:
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
>: Not signed before encrypted
>
> There should not be any encryption at all, only signing. I debugged into
> the code and found the following Method in the
> PolicyBasedWSS4JInInterceptor.java:
>
> private boolean assertAsymetricBinding(AssertionInfoMap aim,
> SoapMessage message,
> SOAPMessage doc,
> Protections prots,
> boolean derived) {
> Collection<AssertionInfo> ais =
> aim.get(SP12Constants.ASYMMETRIC_BINDING);
> if (ais == null) {
> return true;
> }
> for (AssertionInfo ai : ais) {
> AsymmetricBinding abinding =
> (AsymmetricBinding)ai.getAssertion();
> ai.setAsserted(true);
> if (abinding.getProtectionOrder() ==
> SPConstants.ProtectionOrder.EncryptBeforeSigning) {
> if (abinding.isSignatureProtection()) {
> if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
> ai.setNotAsserted("Not encrypted before signed and
> then protected");
> }
> } else if (prots != Protections.ENCRYPT_SIGN) {
> ai.setNotAsserted("Not encrypted before
> signed");
> }
> } else if (prots != Protections.SIGN_ENCRYPT) {
> ai.setNotAsserted("Not signed before
> encrypted");
> }
> assertPolicy(aim, abinding.getInitiatorToken());
> assertPolicy(aim, abinding.getRecipientToken());
> assertPolicy(aim, abinding.getInitiatorToken().getToken(),
> derived);
> assertPolicy(aim, abinding.getRecipientToken().getToken(),
> derived);
> }
> return true;
> }
>
> In this method the value of prots is ="SIGN" which is correct. But the
> if-statement only checks if prots is not SIGN_ENCRYPT and then sets it to
> notasserted. It might be because SPConstants.ProtectionOrder only knows
> EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only
> signing, or only encrypting.
>
> Is this an error, or do I have to configure something else?
>
> Here is my Policy:
>
> <wsp:Policy
> wsu:Id='Sig'
> xmlns:wsu='
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
>1.0.xsd '
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
> http://schemas.xmlsoap.org/ws/2004/09/policy
> http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
> ">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:AsymmetricBinding xmlns:sp='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToR
>ecipient '>
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
> <wsp:Policy>
> <sp:WssX509V3Token10 />
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict />
> </wsp:Policy>
> </sp:Layout>
> <sp:OnlySignEntireHeadersAndBody />
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10 xmlns:sp='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <wsp:Policy>
> <sp:MustSupportRefEmbeddedToken />
> </wsp:Policy>
> </sp:Wss10>
> <sp:SignedParts xmlns:sp='
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> <sp:Body />
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> Thanks for any help!
>
> --Benjamin
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
Re: WS-SecurityPolicy: Problem with AsymmetricBinding: Not signed before encrypted
Posted by Daniel Kulp <dk...@apache.org>.
On Thu April 9 2009 3:00:59 am Benjamin Ernst wrote:
> Hi Dan,
>
> thanks, for your help. I logged a Jira (
> https://issues.apache.org/jira/browse/CXF-2165) for this. My Policy should
> be attached to it.
This should now be fixed. Thanks for the policy.
Dan
> -- Benjamin
>
> On Wed, Apr 8, 2009 at 10:58 PM, Daniel Kulp <dk...@apache.org> wrote:
> > That definitely looks like a bug. Can you log a jira with your policy
> > attached? I'll see if I can look at it tomorrow.
> >
> > Dan
> >
> > On Wed April 8 2009 12:07:31 pm Benjamin Ernst wrote:
> > > Hello everybody,
> > >
> > > I have a problem with the WS-SecurityPolicy. My Policy only asserts
> > > that the body is signed, but not encrypted. Sending signed messages is
> > > no problem, but when I receive a signed message the following error
> > > appears:
> > >
> > > Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> > > alternatives can not be satisfied:
> > > {
> >
> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBindi
> >ng<http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702%7DAsymmetricB
> >inding>
> >
> > >: Not signed before encrypted
> > >
> > > There should not be any encryption at all, only signing. I debugged
> > > into the code and found the following Method in the
> > > PolicyBasedWSS4JInInterceptor.java:
> > >
> > > private boolean assertAsymetricBinding(AssertionInfoMap aim,
> > > SoapMessage message,
> > > SOAPMessage doc,
> > > Protections prots,
> > > boolean derived) {
> > > Collection<AssertionInfo> ais =
> > > aim.get(SP12Constants.ASYMMETRIC_BINDING);
> > > if (ais == null) {
> > > return true;
> > > }
> > > for (AssertionInfo ai : ais) {
> > > AsymmetricBinding abinding =
> > > (AsymmetricBinding)ai.getAssertion();
> > > ai.setAsserted(true);
> > > if (abinding.getProtectionOrder() ==
> > > SPConstants.ProtectionOrder.EncryptBeforeSigning) {
> > > if (abinding.isSignatureProtection()) {
> > > if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
> > > ai.setNotAsserted("Not encrypted before signed
> >
> > and
> >
> > > then protected");
> > > }
> > > } else if (prots != Protections.ENCRYPT_SIGN) {
> > > ai.setNotAsserted("Not encrypted before
> > > signed");
> > > }
> > > } else if (prots != Protections.SIGN_ENCRYPT) {
> > > ai.setNotAsserted("Not signed before
> > > encrypted");
> > > }
> > > assertPolicy(aim, abinding.getInitiatorToken());
> > > assertPolicy(aim, abinding.getRecipientToken());
> > > assertPolicy(aim, abinding.getInitiatorToken().getToken(),
> > > derived);
> > > assertPolicy(aim, abinding.getRecipientToken().getToken(),
> > > derived);
> > > }
> > > return true;
> > > }
> > >
> > > In this method the value of prots is ="SIGN" which is correct. But the
> > > if-statement only checks if prots is not SIGN_ENCRYPT and then sets it
> > > to notasserted. It might be because SPConstants.ProtectionOrder only
> > > knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing
> > > about
> >
> > only
> >
> > > signing, or only encrypting.
> > >
> > > Is this an error, or do I have to configure something else?
> > >
> > > Here is my Policy:
> > >
> > > <wsp:Policy
> > > wsu:Id='Sig'
> > > xmlns:wsu='
> >
> > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilit
> >y-
> >
> > >1.0.xsd '
> > > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > xsi:schemaLocation="
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
> >
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xs
> >d
> >
> > > http://schemas.xmlsoap.org/ws/2004/09/policy
> > > http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
> > > ">
> > > <wsp:ExactlyOne>
> > > <wsp:All>
> > > <sp:AsymmetricBinding xmlns:sp='
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > > <wsp:Policy>
> > > <sp:InitiatorToken>
> > > <wsp:Policy>
> > > <sp:X509Token sp:IncludeToken='
> >
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysT
> >oR
> >
> > >ecipient '>
> > > <wsp:Policy>
> > > <sp:WssX509V3Token10 />
> > > </wsp:Policy>
> > > </sp:X509Token>
> > > </wsp:Policy>
> > > </sp:InitiatorToken>
> > > <sp:RecipientToken>
> > > <wsp:Policy>
> > > <sp:X509Token sp:IncludeToken='
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Alway
> > >s
> >
> > '>
> >
> > > <wsp:Policy>
> > > <sp:WssX509V3Token10 />
> > > </wsp:Policy>
> > > </sp:X509Token>
> > > </wsp:Policy>
> > > </sp:RecipientToken>
> > > <sp:AlgorithmSuite>
> > > <wsp:Policy>
> > > <sp:Basic256 />
> > > </wsp:Policy>
> > > </sp:AlgorithmSuite>
> > > <sp:Layout>
> > > <wsp:Policy>
> > > <sp:Strict />
> > > </wsp:Policy>
> > > </sp:Layout>
> > > <sp:OnlySignEntireHeadersAndBody />
> > > </wsp:Policy>
> > > </sp:AsymmetricBinding>
> > > <sp:Wss10 xmlns:sp='
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > > <wsp:Policy>
> > > <sp:MustSupportRefEmbeddedToken />
> > > </wsp:Policy>
> > > </sp:Wss10>
> > > <sp:SignedParts xmlns:sp='
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > > <sp:Body />
> > > </sp:SignedParts>
> > > </wsp:All>
> > > </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > >
> > > Thanks for any help!
> > >
> > > --Benjamin
> >
> > --
> > Daniel Kulp
> > dkulp@apache.org
> > http://www.dankulp.com/blog
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
Re: WS-SecurityPolicy: Problem with AsymmetricBinding: Not signed
before encrypted
Posted by Benjamin Ernst <be...@gmail.com>.
Hi Dan,
thanks, for your help. I logged a Jira (
https://issues.apache.org/jira/browse/CXF-2165) for this. My Policy should
be attached to it.
-- Benjamin
On Wed, Apr 8, 2009 at 10:58 PM, Daniel Kulp <dk...@apache.org> wrote:
>
> That definitely looks like a bug. Can you log a jira with your policy
> attached? I'll see if I can look at it tomorrow.
>
> Dan
>
>
> On Wed April 8 2009 12:07:31 pm Benjamin Ernst wrote:
> > Hello everybody,
> >
> > I have a problem with the WS-SecurityPolicy. My Policy only asserts that
> > the body is signed, but not encrypted. Sending signed messages is no
> > problem, but when I receive a signed message the following error appears:
> >
> > Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> > alternatives can not be satisfied:
> > {
> >
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding<http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702%7DAsymmetricBinding>
> >: Not signed before encrypted
> >
> > There should not be any encryption at all, only signing. I debugged into
> > the code and found the following Method in the
> > PolicyBasedWSS4JInInterceptor.java:
> >
> > private boolean assertAsymetricBinding(AssertionInfoMap aim,
> > SoapMessage message,
> > SOAPMessage doc,
> > Protections prots,
> > boolean derived) {
> > Collection<AssertionInfo> ais =
> > aim.get(SP12Constants.ASYMMETRIC_BINDING);
> > if (ais == null) {
> > return true;
> > }
> > for (AssertionInfo ai : ais) {
> > AsymmetricBinding abinding =
> > (AsymmetricBinding)ai.getAssertion();
> > ai.setAsserted(true);
> > if (abinding.getProtectionOrder() ==
> > SPConstants.ProtectionOrder.EncryptBeforeSigning) {
> > if (abinding.isSignatureProtection()) {
> > if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
> > ai.setNotAsserted("Not encrypted before signed
> and
> > then protected");
> > }
> > } else if (prots != Protections.ENCRYPT_SIGN) {
> > ai.setNotAsserted("Not encrypted before
> > signed");
> > }
> > } else if (prots != Protections.SIGN_ENCRYPT) {
> > ai.setNotAsserted("Not signed before
> > encrypted");
> > }
> > assertPolicy(aim, abinding.getInitiatorToken());
> > assertPolicy(aim, abinding.getRecipientToken());
> > assertPolicy(aim, abinding.getInitiatorToken().getToken(),
> > derived);
> > assertPolicy(aim, abinding.getRecipientToken().getToken(),
> > derived);
> > }
> > return true;
> > }
> >
> > In this method the value of prots is ="SIGN" which is correct. But the
> > if-statement only checks if prots is not SIGN_ENCRYPT and then sets it to
> > notasserted. It might be because SPConstants.ProtectionOrder only knows
> > EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about
> only
> > signing, or only encrypting.
> >
> > Is this an error, or do I have to configure something else?
> >
> > Here is my Policy:
> >
> > <wsp:Policy
> > wsu:Id='Sig'
> > xmlns:wsu='
> >
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
> >1.0.xsd '
> > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > xsi:schemaLocation="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
> >
> >
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
> > http://schemas.xmlsoap.org/ws/2004/09/policy
> > http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
> > ">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <sp:AsymmetricBinding xmlns:sp='
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > <wsp:Policy>
> > <sp:InitiatorToken>
> > <wsp:Policy>
> > <sp:X509Token sp:IncludeToken='
> >
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToR
> >ecipient '>
> > <wsp:Policy>
> > <sp:WssX509V3Token10 />
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:InitiatorToken>
> > <sp:RecipientToken>
> > <wsp:Policy>
> > <sp:X509Token sp:IncludeToken='
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always
> '>
> > <wsp:Policy>
> > <sp:WssX509V3Token10 />
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:RecipientToken>
> > <sp:AlgorithmSuite>
> > <wsp:Policy>
> > <sp:Basic256 />
> > </wsp:Policy>
> > </sp:AlgorithmSuite>
> > <sp:Layout>
> > <wsp:Policy>
> > <sp:Strict />
> > </wsp:Policy>
> > </sp:Layout>
> > <sp:OnlySignEntireHeadersAndBody />
> > </wsp:Policy>
> > </sp:AsymmetricBinding>
> > <sp:Wss10 xmlns:sp='
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > <wsp:Policy>
> > <sp:MustSupportRefEmbeddedToken />
> > </wsp:Policy>
> > </sp:Wss10>
> > <sp:SignedParts xmlns:sp='
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
> > <sp:Body />
> > </sp:SignedParts>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> >
> > Thanks for any help!
> >
> > --Benjamin
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
>