Oliver,
On Mon October 19 2009 10:36:30 am Oliver Wulff wrote:
> Hi there
>
> Here are some more information how to reproduce the three issues:
>
> Issue 1)
> i) mvn -Pserver
> ii) mvn -Psecure.client
This looks like a potentially over-aggressive optimization on our part. Need
to dig in more, but it looks like if there ISN'T a security header at all in
the response, we just skip processing entirely, which in this case shouldn't
be done. Will dig in a bit more shortly.
> Issue 2)
> i) comment out the two dependencies in the pom.xml:
> <dependency>
> <groupId>org.apache.cxf</groupId>
> <artifactId>cxf-rt-ws-security</artifactId>
> <version>${cxf.version}</version>
> </dependency>
> <dependency>
> <groupId>org.apache.cxf</groupId>
> <artifactId>cxf-rt-ws-policy</artifactId>
> <version>${cxf.version}</version>
> </dependency>
> ii) mvn -Pserver
> iii) mvn -Psecure.client
>
> You see first on the client side that username/password (WS-Sec
> UsernameToken profile) is not added to the request:
If you comment out those deps, there isn't any policy engine or anything
installed into the CXF runtime. Thus, any policies in the wsdl are
completely ignored. This is pretty much expected and as designed.
> Issue 3)
> i) remove the attribute IncludeToken in the wsdl wsdl\hello_world.wsdl:
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/Inclu
> deToken/Always" ii) mvn -Pserver
>
> The server throws the following exception during startup:
>
> [INFO] Caused by: java.lang.RuntimeException: Incorrect inclusion value:
> null [INFO] at
> org.apache.cxf.ws.security.policy.model.Token.setInclusion(Token.java:63)
>
> IMHO, the bug is here:
> String attribute = element.getAttributeNS(element.getNamespaceURI(),
> SPConstants.ATTR_INCLUDE_TOKEN); The method "getAttributeNS" shouldn't
> return an empty string.
This is definitely a bug. If getAttributeNS returns null, we definitely
should be setting it to the correct default value. (../Always)
--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
