[
https://issues.apache.org/jira/browse/CXF-2165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benjamin Ernst updated CXF-2165:
--------------------------------
Description:
Policy assertion fails when a policy only asserts that the body is signed, but
not encrypted. Sending signed messages is no problem, but when receiving a
signed message the following error appears:
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding:
Not signed before encrypted
There should not be any encryption at all, only signing. I debugged into the
code and found the following method in PolicyBasedWSS4JInInterceptor.java:
private boolean assertAsymetricBinding(AssertionInfoMap aim,
                                       SoapMessage message,
                                       SOAPMessage doc,
                                       Protections prots,
                                       boolean derived) {
    Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
    if (ais == null) {
        return true;
    }
    for (AssertionInfo ai : ais) {
        AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
        ai.setAsserted(true);
        if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
            if (abinding.isSignatureProtection()) {
                if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
                    ai.setNotAsserted("Not encrypted before signed and then protected");
                }
            } else if (prots != Protections.ENCRYPT_SIGN) {
                ai.setNotAsserted("Not encrypted before signed");
            }
        } else if (prots != Protections.SIGN_ENCRYPT) {
            // Default branch: anything other than SIGN_ENCRYPT is rejected, including a sign-only message.
            ai.setNotAsserted("Not signed before encrypted");
        }
        assertPolicy(aim, abinding.getInitiatorToken());
        assertPolicy(aim, abinding.getRecipientToken());
        assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
        assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
    }
    return true;
}
In this method the value of prots is "SIGN", which is correct. But the
if-statement only checks whether prots is not SIGN_ENCRYPT and then sets it to
not asserted. It might be because SPConstants.ProtectionOrder only knows
EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only
signing, or only encrypting.
The policy is attached.
was:
Policy assertion fails when a policy only asserts that the body is signed, but
not encrypted. Sending signed messages is no problem, but when receiving a
signed message the following error appears:
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding:
Not signed before encrypted
There should not be any encryption at all, only signing. I debugged into the
code and found the following method in PolicyBasedWSS4JInInterceptor.java:
private boolean assertAsymetricBinding(AssertionInfoMap aim,
                                       SoapMessage message,
                                       SOAPMessage doc,
                                       Protections prots,
                                       boolean derived) {
    Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
    if (ais == null) {
        return true;
    }
    for (AssertionInfo ai : ais) {
        AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
        ai.setAsserted(true);
        if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
            if (abinding.isSignatureProtection()) {
                if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
                    ai.setNotAsserted("Not encrypted before signed and then protected");
                }
            } else if (prots != Protections.ENCRYPT_SIGN) {
                ai.setNotAsserted("Not encrypted before signed");
            }
        } else if (prots != Protections.SIGN_ENCRYPT) {
            // Default branch: anything other than SIGN_ENCRYPT is rejected, including a sign-only message.
            ai.setNotAsserted("Not signed before encrypted");
        }
        assertPolicy(aim, abinding.getInitiatorToken());
        assertPolicy(aim, abinding.getRecipientToken());
        assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
        assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
    }
    return true;
}
In this method the value of prots is "SIGN", which is correct. But the
if-statement only checks whether prots is not SIGN_ENCRYPT and then sets it to
not asserted. It might be because SPConstants.ProtectionOrder only knows
EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only
signing, or only encrypting.
Here is the policy:
<wsp:Policy
    wsu:Id='Sig'
    xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
        http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.xsd
        http://schemas.xmlsoap.org/ws/2004/09/policy
        http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd
    ">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'>
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
        <wsp:Policy>
          <sp:MustSupportRefEmbeddedToken />
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
        <sp:Body />
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
> SecurityPolicy-Assertion fails for only signing
> ------------------------------------------------
>
> Key: CXF-2165
> URL: https://issues.apache.org/jira/browse/CXF-2165
> Project: CXF
> Issue Type: Bug
> Components: WS-* Components
> Affects Versions: 2.2
> Reporter: Benjamin Ernst
> Attachments: policy.xml
>
>
> Policy assertion fails when a policy only asserts that the body is signed,
> but not encrypted. Sending signed messages is no problem, but when receiving
> a signed message the following error appears:
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> alternatives can not be satisfied:
>
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding:
> Not signed before encrypted
> There should not be any encryption at all, only signing. I debugged into the
> code and found the following method in PolicyBasedWSS4JInInterceptor.java:
> private boolean assertAsymetricBinding(AssertionInfoMap aim,
>                                        SoapMessage message,
>                                        SOAPMessage doc,
>                                        Protections prots,
>                                        boolean derived) {
>     Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
>     if (ais == null) {
>         return true;
>     }
>     for (AssertionInfo ai : ais) {
>         AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
>         ai.setAsserted(true);
>         if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
>             if (abinding.isSignatureProtection()) {
>                 if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
>                     ai.setNotAsserted("Not encrypted before signed and then protected");
>                 }
>             } else if (prots != Protections.ENCRYPT_SIGN) {
>                 ai.setNotAsserted("Not encrypted before signed");
>             }
>         } else if (prots != Protections.SIGN_ENCRYPT) {
>             // Default branch: anything other than SIGN_ENCRYPT is rejected, including a sign-only message.
>             ai.setNotAsserted("Not signed before encrypted");
>         }
>         assertPolicy(aim, abinding.getInitiatorToken());
>         assertPolicy(aim, abinding.getRecipientToken());
>         assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
>         assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
>     }
>     return true;
> }
> In this method the value of prots is "SIGN", which is correct. But the
> if-statement only checks whether prots is not SIGN_ENCRYPT and then sets it to
> not asserted. It might be because SPConstants.ProtectionOrder only knows
> EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only
> signing, or only encrypting.
> The policy is attached.
> The policy is attached.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
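Added illustration (not part of the issue report, and not CXF's own code or its eventual fix): a stand-alone Java model of the protection-order check quoted in the report, with the branch the reporter identified beside one possible correction. The values Protections.SIGN, SIGN_ENCRYPT, ENCRYPT_SIGN and ENCRYPT_SIGN_PROTECT and the ProtectionOrder.EncryptBeforeSigning constant are the ones named in the quoted method; Protections.NONE and ENCRYPT, the ProtectionOrder.SignBeforeEncrypting name, and the checkAsReported/checkCorrected helpers are assumptions made here so the model compiles on its own. The "corrected" variant is the editor's illustration of the reasoning in the report, not the change the project made.

```java
import java.util.Optional;

/**
 * Model of the AsymmetricBinding protection-order check from CXF-2165.
 * This is illustrative code, not CXF's implementation: the enums are
 * reconstructed from the names used in the report, and NONE/ENCRYPT are
 * assumed additions so that sign-only and encrypt-only messages can be
 * represented.
 */
public class ProtectionOrderCheck {

    /** Modelled on SPConstants.ProtectionOrder; WS-SecurityPolicy defaults to SignBeforeEncrypting. */
    enum ProtectionOrder { SignBeforeEncrypting, EncryptBeforeSigning }

    /** Modelled on the Protections values in the report; NONE and ENCRYPT are assumed here. */
    enum Protections { NONE, SIGN, ENCRYPT, SIGN_ENCRYPT, ENCRYPT_SIGN, ENCRYPT_SIGN_PROTECT }

    /**
     * The check exactly as quoted in the report: with the default order,
     * any value other than SIGN_ENCRYPT (including a sign-only SIGN) is
     * reported as "Not signed before encrypted".
     */
    static Optional<String> checkAsReported(ProtectionOrder order, boolean signatureProtection, Protections prots) {
        if (order == ProtectionOrder.EncryptBeforeSigning) {
            if (signatureProtection) {
                if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
                    return Optional.of("Not encrypted before signed and then protected");
                }
            } else if (prots != Protections.ENCRYPT_SIGN) {
                return Optional.of("Not encrypted before signed");
            }
        } else if (prots != Protections.SIGN_ENCRYPT) {
            return Optional.of("Not signed before encrypted");
        }
        return Optional.empty();
    }

    /** True only for protections where both a signature and encryption were applied. */
    static boolean bothSignedAndEncrypted(Protections prots) {
        switch (prots) {
            case SIGN_ENCRYPT:
            case ENCRYPT_SIGN:
            case ENCRYPT_SIGN_PROTECT:
                return true;
            default:
                return false;
        }
    }

    /**
     * Illustrative correction: an ordering constraint can only be violated
     * when both operations happened. A sign-only message (the CXF-2165 case)
     * satisfies the ordering part of the binding; whether the required parts
     * were actually signed is left to the SignedParts assertion, which this
     * model does not cover.
     */
    static Optional<String> checkCorrected(ProtectionOrder order, boolean signatureProtection, Protections prots) {
        if (!bothSignedAndEncrypted(prots)) {
            return Optional.empty();
        }
        return checkAsReported(order, signatureProtection, prots);
    }

    public static void main(String[] args) {
        // The reporter's policy has no sp:EncryptBeforeSigning and no sp:EncryptSignature,
        // so the default order applies and signatureProtection is false.
        ProtectionOrder order = ProtectionOrder.SignBeforeEncrypting;
        Protections received = Protections.SIGN; // the value the reporter saw in the debugger

        System.out.println("as reported: " + checkAsReported(order, false, received).orElse("asserted"));
        System.out.println("corrected:   " + checkCorrected(order, false, received).orElse("asserted"));

        // The ordering check must still reject a message that was signed and encrypted in the wrong order.
        System.out.println("wrong order: " + checkCorrected(order, false, Protections.ENCRYPT_SIGN).orElse("asserted"));
    }
}
```

Compile and run with `javac ProtectionOrderCheck.java && java ProtectionOrderCheck`. The first line reproduces the report's failure for a sign-only message, the second shows the relaxed check accepting it, and the third shows that relaxing the check does not lose the rejection of a genuinely mis-ordered message. Note that accepting SIGN here is only safe because the binding's ordering rule and the policy's SignedParts/EncryptedParts requirements are separate assertions: a receiver that skips the ordering check for single-operation messages still needs the parts assertions to confirm that the Body was in fact signed.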