[ https://issues.apache.org/jira/browse/CXF-2165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-2165.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.2.1

> SecurityPolicy-Assertion fails for only signing
> -----------------------------------------------
>
>                 Key: CXF-2165
>                 URL: https://issues.apache.org/jira/browse/CXF-2165
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2
>            Reporter: Benjamin Ernst
>            Assignee: Daniel Kulp
>             Fix For: 2.2.1
>
>         Attachments: policy.xml
>
>
> Policy-Assertion fails when a policy only asserts that the body is signed, 
> but not encrypted. Sending signed messages is no problem, but when receiving 
> a signed message the following error appears:
>   Caused by: org.apache.cxf.ws.policy.PolicyException: These policy 
> alternatives can not be satisfied:
>   
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: 
> Not signed before encrypted
> There should not be any encryption at all, only signing. I debugged into the 
> code and found the following Method in the PolicyBasedWSS4JInInterceptor.java:
>  private boolean assertAsymetricBinding(AssertionInfoMap aim,
>                                            SoapMessage message,
>                                            SOAPMessage doc,
>                                            Protections prots,
>                                            boolean derived) {
>         Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
>         if (ais == null) {
>             return true;
>         }
>         for (AssertionInfo ai : ais) {
>             AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
>             ai.setAsserted(true);
>             if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
>                 if (abinding.isSignatureProtection()) {
>                     if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
>                         ai.setNotAsserted("Not encrypted before signed and then protected");
>                     }
>                 } else if (prots != Protections.ENCRYPT_SIGN) {
>                     ai.setNotAsserted("Not encrypted before signed");
>                 }
>             } else if (prots != Protections.SIGN_ENCRYPT) {
>                 ai.setNotAsserted("Not signed before encrypted");
>             }
>             assertPolicy(aim, abinding.getInitiatorToken());
>             assertPolicy(aim, abinding.getRecipientToken());
>             assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
>             assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
>         }
>         return true;
>     }
> In this method the value of prots is "SIGN", which is correct. But the 
> if-statement only checks whether prots is not SIGN_ENCRYPT and then sets it to 
> not asserted. It might be because SPConstants.ProtectionOrder only knows 
> EncryptBeforeSigning and SigningBeforeEncrypt. There is nothing about only 
> signing, or only encrypting.
> The policy is attached.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
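The following is an added illustrative model, not code from the issue, from the reporter, or from CXF, and it is not the fix that shipped in 2.2.1 (the issue does not show that change). It reproduces the ordering check quoted above in a stand-alone class and places a hypothetical order-aware variant beside it, so the sign-only case the reporter describes can be traced without a running CXF stack. The `Protections` and `ProtectionOrder` enums, the `Binding` holder and its `requiresSignature`/`requiresEncryption` fields are assumptions introduced for the demonstration.

```java
import java.util.Arrays;
import java.util.List;

/*
 * Illustrative model (not CXF code): the quoted ordering check next to a
 * hypothetical order-aware variant, run over a sign-only message.
 */
public class ProtectionOrderCheckDemo {

    // Stand-in for the Protections states named in the quoted method (names assumed).
    enum Protections { NONE, SIGN, ENCRYPT, SIGN_ENCRYPT, ENCRYPT_SIGN, ENCRYPT_SIGN_PROTECT }

    // Stand-in for the two orders the reporter says SPConstants.ProtectionOrder offers.
    enum ProtectionOrder { SignBeforeEncrypting, EncryptBeforeSigning }

    /** Constructed stand-in for the binding assertion, reduced to what the check needs. */
    static final class Binding {
        final ProtectionOrder order;
        final boolean signatureProtection;  // assumption: policy asks for the signature to be encrypted
        final boolean requiresSignature;    // assumption: policy lists signed parts
        final boolean requiresEncryption;   // assumption: policy lists encrypted parts

        Binding(ProtectionOrder order, boolean signatureProtection,
                boolean requiresSignature, boolean requiresEncryption) {
            this.order = order;
            this.signatureProtection = signatureProtection;
            this.requiresSignature = requiresSignature;
            this.requiresEncryption = requiresEncryption;
        }
    }

    /** The quoted logic: returns null when asserted, otherwise the setNotAsserted reason. */
    static String originalCheck(Binding b, Protections prots) {
        if (b.order == ProtectionOrder.EncryptBeforeSigning) {
            if (b.signatureProtection) {
                if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
                    return "Not encrypted before signed and then protected";
                }
            } else if (prots != Protections.ENCRYPT_SIGN) {
                return "Not encrypted before signed";
            }
        } else if (prots != Protections.SIGN_ENCRYPT) {
            return "Not signed before encrypted";
        }
        return null;
    }

    static boolean signed(Protections p) {
        return p != Protections.NONE && p != Protections.ENCRYPT;
    }

    static boolean encrypted(Protections p) {
        return p != Protections.NONE && p != Protections.SIGN;
    }

    /**
     * Hypothetical variant: an ordering rule only applies when the policy requires
     * both operations. When it requires just one, the check is that this one was
     * applied, and a message carrying neither still fails closed.
     */
    static String orderAwareCheck(Binding b, Protections prots) {
        if (!b.requiresEncryption) {
            return (b.requiresSignature && !signed(prots)) ? "Required parts not signed" : null;
        }
        if (!b.requiresSignature) {
            return encrypted(prots) ? null : "Required parts not encrypted";
        }
        return originalCheck(b, prots);  // both required: the ordering rule applies unchanged
    }

    public static void main(String[] args) {
        // Reporter's scenario: only the body is signed, default SignBeforeEncrypting order.
        Binding signOnly = new Binding(ProtectionOrder.SignBeforeEncrypting, false, true, false);
        // Contrast: a policy that really requires both, given the same messages.
        Binding signAndEncrypt = new Binding(ProtectionOrder.SignBeforeEncrypting, false, true, true);

        // Constructed observations: what the inbound interceptor found on the message.
        List<Protections> observed = Arrays.asList(Protections.SIGN, Protections.SIGN_ENCRYPT, Protections.NONE);
        for (Protections prots : observed) {
            System.out.printf("prots=%-12s sign-only policy:    original=%s  orderAware=%s%n",
                    prots, originalCheck(signOnly, prots), orderAwareCheck(signOnly, prots));
            System.out.printf("prots=%-12s sign+encrypt policy: original=%s  orderAware=%s%n",
                    prots, originalCheck(signAndEncrypt, prots), orderAwareCheck(signAndEncrypt, prots));
        }
    }
}
```

For `prots = SIGN` under the sign-only policy, `originalCheck` returns "Not signed before encrypted", which is the rejection the reporter saw, while `orderAwareCheck` accepts the message; for `prots = NONE` both variants reject, which is the behaviour a receiver should keep: relaxing the ordering rule must not turn into accepting unprotected messages.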
