SecurityPolicy-Assertion fails for only signing
------------------------------------------------
Key: CXF-2165
URL: https://issues.apache.org/jira/browse/CXF-2165
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 2.2
Reporter: Benjamin Ernst
Policy-Assertion fails when a policy only asserts that the body is signed, but
not encrypted. Sending signed messages is no problem, but when receiving a
signed message the following error appears:
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding:
Not signed before encrypted
There should not be any encryption at all, only signing. I debugged into the
code and found the following method in PolicyBasedWSS4JInInterceptor.java:
private boolean assertAsymetricBinding(AssertionInfoMap aim,
                                       SoapMessage message,
                                       SOAPMessage doc,
                                       Protections prots,
                                       boolean derived) {
    Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
    if (ais == null) {
        return true;
    }
    for (AssertionInfo ai : ais) {
        AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
        ai.setAsserted(true);
        if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
            if (abinding.isSignatureProtection()) {
                if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
                    ai.setNotAsserted("Not encrypted before signed and then protected");
                }
            } else if (prots != Protections.ENCRYPT_SIGN) {
                ai.setNotAsserted("Not encrypted before signed");
            }
        } else if (prots != Protections.SIGN_ENCRYPT) {
            // Every other protection order ends up here, so a signature-only
            // message (prots == SIGN) is rejected even when the policy
            // contains no EncryptedParts at all.
            ai.setNotAsserted("Not signed before encrypted");
        }
        assertPolicy(aim, abinding.getInitiatorToken());
        assertPolicy(aim, abinding.getRecipientToken());
        assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
        assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
    }
    return true;
}
In this method the value of prots is "SIGN", which is correct. But the
if-statement only checks whether prots is not SIGN_ENCRYPT and then marks the
assertion as not asserted. It might be because SPConstants.ProtectionOrder only
knows EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about
only signing, or only encrypting.
Here is the policy:
<wsp:Policy
    wsu:Id='Sig'
    xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
        http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
        http://schemas.xmlsoap.org/ws/2004/09/policy
        http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
    ">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding
          xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'>
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10
          xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
        <wsp:Policy>
          <sp:MustSupportRefEmbeddedToken />
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts
          xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
        <sp:Body />
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
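Added illustration (not code from the CXF project or from the reporter): a stand-alone Java sketch that reproduces the decision made by the method quoted in the report next to a policy-driven variant. The variant derives the acceptable protection state from whether the policy contains SignedParts and EncryptedParts, so a signature-only policy maps to SIGN rather than to a sign/encrypt order. The BindingPolicy type, the enum constants NONE and ENCRYPT, and the method names are assumptions made for this example; only the Protections values and the ProtectionOrder branch quoted in the report come from the page. The second test case is the caveat a fix needs: a message that is only signed must still be rejected when the policy also requires encryption, otherwise the change trades a false rejection for a protection downgrade.

```java
import java.util.EnumSet;
import java.util.Set;

public class ProtectionOrderCheck {

    // Observed protection state of an incoming message. SIGN, SIGN_ENCRYPT, ENCRYPT_SIGN and
    // ENCRYPT_SIGN_PROTECT are the names quoted in the report; NONE and ENCRYPT are assumed here.
    enum Protections { NONE, SIGN, ENCRYPT, SIGN_ENCRYPT, ENCRYPT_SIGN, ENCRYPT_SIGN_PROTECT }

    // WS-SecurityPolicy defines only these two orders; there is no "signature only" order.
    enum ProtectionOrder { SignBeforeEncrypting, EncryptBeforeSigning }

    // Hypothetical stand-in for the policy facts the check needs (not a CXF type).
    static final class BindingPolicy {
        final ProtectionOrder order;
        final boolean signatureProtection;    // <sp:EncryptSignature/> in the binding
        final boolean requiresSignedParts;    // <sp:SignedParts> present in the policy
        final boolean requiresEncryptedParts; // <sp:EncryptedParts> present in the policy

        BindingPolicy(ProtectionOrder order, boolean signatureProtection,
                      boolean requiresSignedParts, boolean requiresEncryptedParts) {
            this.order = order;
            this.signatureProtection = signatureProtection;
            this.requiresSignedParts = requiresSignedParts;
            this.requiresEncryptedParts = requiresEncryptedParts;
        }
    }

    // Same decision as the reported method: returns the failure reason, or null when asserted.
    static String checkAsReported(BindingPolicy p, Protections prots) {
        if (p.order == ProtectionOrder.EncryptBeforeSigning) {
            if (p.signatureProtection) {
                return prots != Protections.ENCRYPT_SIGN_PROTECT
                        ? "Not encrypted before signed and then protected" : null;
            }
            return prots != Protections.ENCRYPT_SIGN ? "Not encrypted before signed" : null;
        }
        return prots != Protections.SIGN_ENCRYPT ? "Not signed before encrypted" : null;
    }

    // Derives the acceptable state from what the policy actually asks for, so that a
    // signature-only or encryption-only policy maps to SIGN or ENCRYPT instead of an order.
    static Set<Protections> expectedProtections(BindingPolicy p) {
        if (!p.requiresSignedParts && !p.requiresEncryptedParts) {
            return EnumSet.of(Protections.NONE);
        }
        if (p.requiresSignedParts && !p.requiresEncryptedParts) {
            return EnumSet.of(Protections.SIGN);
        }
        if (!p.requiresSignedParts) {
            return EnumSet.of(Protections.ENCRYPT);
        }
        if (p.order == ProtectionOrder.EncryptBeforeSigning) {
            return EnumSet.of(p.signatureProtection
                    ? Protections.ENCRYPT_SIGN_PROTECT : Protections.ENCRYPT_SIGN);
        }
        return EnumSet.of(Protections.SIGN_ENCRYPT);
    }

    // Policy-driven variant of the check. A message carrying less protection than the
    // policy requires (for example SIGN where SIGN_ENCRYPT is expected) is still rejected.
    static String checkPolicyDriven(BindingPolicy p, Protections prots) {
        Set<Protections> ok = expectedProtections(p);
        return ok.contains(prots) ? null : "Expected " + ok + " but message was " + prots;
    }

    public static void main(String[] args) {
        // The policy from the report: AsymmetricBinding, SignedParts/Body, no EncryptedParts.
        BindingPolicy signOnly = new BindingPolicy(
                ProtectionOrder.SignBeforeEncrypting, false, true, false);
        // A policy that also requires encryption, to show the check is not simply loosened.
        BindingPolicy signAndEncrypt = new BindingPolicy(
                ProtectionOrder.SignBeforeEncrypting, false, true, true);

        System.out.println("reported check, sign-only policy, SIGN message: "
                + checkAsReported(signOnly, Protections.SIGN));
        System.out.println("policy-driven, sign-only policy, SIGN message: "
                + checkPolicyDriven(signOnly, Protections.SIGN));
        System.out.println("policy-driven, sign+encrypt policy, SIGN message: "
                + checkPolicyDriven(signAndEncrypt, Protections.SIGN));
    }
}
```

The first line of output reproduces the "Not signed before encrypted" failure for the policy in the report, the second accepts the same message under the policy-driven check, and the third shows the downgrade case still failing. In a real interceptor the two booleans would be derived from the assertion map (whether SignedParts/SignedElements and EncryptedParts/EncryptedElements are present), not passed in by hand as they are here.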