Hi there
 
Here is some more information on how to reproduce the three issues:
 
Issue 1)
i) mvn -Pserver
ii) mvn -Psecure.client
 
**************************************
 
Issue 2)
i) comment out the two dependencies in the pom.xml:
       <dependency>
            <groupId>org.apache.cxf</groupId>
            <artifactId>cxf-rt-ws-security</artifactId>
            <version>${cxf.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.cxf</groupId>
            <artifactId>cxf-rt-ws-policy</artifactId>
            <version>${cxf.version}</version>
        </dependency>
ii) mvn -Pserver
iii) mvn -Psecure.client
 
You see first on the client side that username/password (WS-Sec UsernameToken 
profile) is not added to the request:
 
19.10.2009 16:17:35 
org.apache.cxf.interceptor.LoggingOutInterceptor$LoggingCallback onClose
INFO: Outbound Message
---------------------------
ID: 1
Address: https://localhost:9001/SoapContext/SoapPort
Encoding: UTF-8
Content-Type: text/xml
Headers: {SOAPAction=[""], Authorization=[Basic Z3VndXM6aGFsbG8=], Accept=[*/*]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><greetMe xmlns="http://apache.org/hello_world_soap_http/types"><requestType>chzwuol</requestType></greetMe></soap:Body></soap:Envelope>
--------------------------------------
19.10.2009 16:17:35 org.apache.cxf.interceptor.LoggingInInterceptor logging
INFO: Inbound Message
----------------------------
ID: 1
Encoding: UTF-8
Content-Type: text/xml; charset=utf-8
Headers: {Content-Length=[240], Server=[Jetty(6.1.21)], content-type=[text/xml;charset=utf-8]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><greetMeResponse xmlns="http://apache.org/hello_world_soap_http/types"><responseType>Hello chzwuol</responseType></greetMeResponse></soap:Body></soap:Envelope>
--------------------------------------
Server responded with: Hello chzwuol
 
and on the server side (much more critical), no exception is thrown even though
the policy is defined in the wsdl:
 
[INFO] 19.10.2009 16:17:35 org.apache.cxf.interceptor.LoggingInInterceptor 
logging
[INFO] INFO: Inbound Message
[INFO] ----------------------------
[INFO] ID: 2
[INFO] Address: /SoapContext/SoapPort
[INFO] Encoding: UTF-8
[INFO] Content-Type: text/xml; charset=UTF-8
[INFO] Headers: {Content-Length=[216], Host=[localhost:9001], User-Agent=[Apache CXF 2.2.4], Authorization=[Basic Z3VndXM6aGFsbG8=], connection=[keep-alive], SOAPAction=[""], Pragma=[no-cache], Content-Type=[text/xml; charset=UTF-8], content-type=[text/xml; charset=UTF-8], Cache-Control=[no-cache], Accept=[*/*]}
[INFO] Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><greetMe xmlns="http://apache.org/hello_world_soap_http/types"><requestType>chzwuol</requestType></greetMe></soap:Body></soap:Envelope>
[INFO] --------------------------------------
[INFO] 19.10.2009 16:17:35 demo.hw_https.server.GreeterImpl greetMe
[INFO] [INFO] INFO: Executing operation greetMe
Executing operation greetMe
[INFO] Message received: chzwuol
[INFO]
[INFO] 19.10.2009 16:17:35 
org.apache.cxf.interceptor.LoggingOutInterceptor$LoggingCallback onClose
[INFO] INFO: Outbound Message
[INFO] ---------------------------
[INFO] ID: 2
[INFO] Encoding: UTF-8
[INFO] Content-Type: text/xml
[INFO] Headers: {}
[INFO] Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><greetMeResponse xmlns="http://apache.org/hello_world_soap_http/types"><responseType>Hello chzwuol</responseType></greetMeResponse></soap:Body></soap:Envelope>
[INFO] --------------------------------------
 
 
***************************************************
 
 
Issue 3)
i) remove the attribute IncludeToken in the wsdl wsdl\hello_world.wsdl:
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"
ii) mvn -Pserver
 
The server throws the following exception during startup:
 
[INFO] Caused by: java.lang.RuntimeException: Incorrect inclusion value: null
[INFO]  at 
org.apache.cxf.ws.security.policy.model.Token.setInclusion(Token.java:63)
[INFO]  at 
org.apache.cxf.ws.security.policy.builders.UsernameTokenBuilder.build(UsernameTokenBuilder.java:58)
[INFO]  at 
org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl.build(AssertionBuilderRegistryImpl.java:110)
[INFO]  at 
org.apache.cxf.ws.policy.PolicyBuilderImpl.processOperationElement(PolicyBuilderImpl.java:190)
[INFO]  at 
org.apache.cxf.ws.policy.PolicyBuilderImpl.getPolicyOperator(PolicyBuilderImpl.java:133)
[INFO]  at 
org.apache.cxf.ws.policy.PolicyBuilderImpl.getPolicy(PolicyBuilderImpl.java:129)
[INFO]  at 
org.apache.cxf.ws.security.policy.builders.SupportingTokensBuilder.build(SupportingTokensBuilder.java:82)
 
IMHO, the bug is here:
String attribute = element.getAttributeNS(element.getNamespaceURI(), 
SPConstants.ATTR_INCLUDE_TOKEN);
The method "getAttributeNS" shouldn't return an empty string.
 
Thanks
Oliver

________________________________

From: Oliver Wulff [mailto:[email protected]]
Sent: Mon 19.10.2009 13:42
To: [email protected]
Subject: WS-SecurityPolicy, UsernamePassword example


Hi there
 
I've created a UsernamePassword example based on WS-SecurityPolicy 
configurations (instead of WSS4JIn/OutInterceptor). See attachment.
 
I came across a few issues which I'd like to discuss with you whether these are 
user errors or bugs. Let me know your thoughts and I will raise the jira 
requests...
 
1) The client sends the username/password, the server verifies the password, 
processes the request and sends a soap message back. But the client fails with 
the following exception:

Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives 
can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
        at 
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:140)
        at 
org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:96)
        at 
org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
        ... 24 more
 
Do you know why the client fails after the response from the server is sent 
back? A policy exception should have been thrown before, I guess.
 
 
2) When I don't reference the following two dependencies in the POM, the server 
and client don't enforce the policy, which means that the client sends the 
request without username/password and the server accepts the request:
       <dependency>
            <groupId>org.apache.cxf</groupId>
            <artifactId>cxf-rt-ws-security</artifactId>
            <version>${cxf.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.cxf</groupId>
            <artifactId>cxf-rt-ws-policy</artifactId>
            <version>${cxf.version}</version>
        </dependency>
 
3) If I don't define the IncludeToken attribute in the UsernameToken policy the 
server fails:
[INFO] Caused by: java.lang.RuntimeException: Incorrect inclusion value: null
[INFO]  at 
org.apache.cxf.ws.security.policy.model.Token.setInclusion(Token.java:63)
[INFO]  at 
org.apache.cxf.ws.security.policy.builders.UsernameTokenBuilder.build(UsernameTokenBuilder.java:58)
[INFO]  at 
org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl.build(AssertionBuilderRegistryImpl.java:110)
 
<sp:UsernameToken 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
 
I debugged the code and noticed that "getAttributeNS" of class 
UsernameTokenBuilder returns an empty string instead of null:
 
String attribute = element.getAttributeNS(element.getNamespaceURI(), 
SPConstants.ATTR_INCLUDE_TOKEN);
if (attribute != null) {
  usernameToken.setInclusion(consts.getInclusionFromAttributeValue(attribute));
}
 
 
Thanks
Oliver
 
 
 
 
 
