I finally figured out the issue.  Seems there might be a bug with
policies with alternatives (more than one wsp:All inside
wsp:ExactlyOne) when assigned to a binding operation when using
java first @Policies.
It's probably not that common a requirement, so it's little surprise it
has not come up.

https://issues.apache.org/jira/browse/CXF-4813

Policies with alternatives work perfectly when applied at the SEI
level (placement of BINDING is all I tried)

I wanted to apply at operation level so I could disable policies for
some operations - such as a Ping operation.  I think I am going to see
if I can configure policies at SEI Binding and then just override to
no policy for some operations.

Seems there is the ability to override a policy by using the
PolicyConstants.POLICY_OVERRIDE.  I will have to see if I can set that
based on the operation name.

Thanks
jason

On Tue, Feb 5, 2013 at 8:36 AM, Jason Pell <[email protected]> wrote:
> I am not sure if it actually checks ssl or not but it does not matter as all
> connections are at least ssl for our services. The difference is if they are
> mutual ssl or not.
>
> On Feb 5, 2013 2:16 AM, "Glen Mazza" <[email protected]> wrote:
>>
>> Also, make sure that our Policy engine can enforce that transport-layer
>> encryption is being used (IIUC part of your requirements); I know it can
>> check message-layer encryption, but I'm not sure whether/how it knows that
>> SSL is being used.
>>
>> Glen
>>
>> On 02/03/2013 10:40 PM, Jason Pell wrote:
>>>
>>> I think I answered my own question.   It appears that the first
>>> alternative is chosen by default, no matter what when using the
>>> MinimalAlternativeSelector
>>>
>>> The isCompatibleWithRequest method in BaseAlternativeSelector returns
>>> true where the request == null.
>>>
>>> And it looks as though request is always null on the server side
>>> (which I guess makes sense)
>>>
>>> Now I have to figure out if I can code up an AlternativeSelector based
>>> on the content of the request information coming in from the client.
>>>
>>> Any ideas would be welcome...
>>>
>>> On Mon, Feb 4, 2013 at 11:51 AM, Jason Pell <[email protected]> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I would like to configure a web service which requires one of two
>>>> security mechanisms:
>>>>
>>>> 1) UsernamePassword + SSL (NOT MUTUAL)
>>>> 2) Username only + SSL with Mutual Authentication.
>>>>
>>>> I was hoping to do this via WS-Policy ExactlyOne matching, but it
>>>> does not seem to work.
>>>>
>>>> What I was wanting to know is if I should expect it to work.  I am
>>>> about to jump in and debug what is actually happening but was hoping
>>>> someone would help me before I got too far into it.
>>>>
>>>> My policy is:
>>>>
>>>> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>>   <wsp:ExactlyOne>
>>>>     <wsp:All>
>>>>       <sp:TransportBinding>
>>>>         <wsp:Policy>
>>>>           <sp:TransportToken>
>>>>             <wsp:Policy>
>>>>               <sp:HttpsToken>
>>>>                 <wsp:Policy />
>>>>               </sp:HttpsToken>
>>>>             </wsp:Policy>
>>>>           </sp:TransportToken>
>>>>           <sp:Layout>
>>>>             <wsp:Policy>
>>>>               <sp:Lax />
>>>>             </wsp:Policy>
>>>>           </sp:Layout>
>>>>           <sp:AlgorithmSuite>
>>>>             <wsp:Policy>
>>>>               <sp:Basic128 />
>>>>             </wsp:Policy>
>>>>           </sp:AlgorithmSuite>
>>>>         </wsp:Policy>
>>>>       </sp:TransportBinding>
>>>>
>>>>       <sp:SupportingTokens>
>>>>         <wsp:Policy>
>>>>           <sp:UsernameToken>
>>>>             <wsp:Policy>
>>>>               <sp:WssUsernameToken11 />
>>>>             </wsp:Policy>
>>>>           </sp:UsernameToken>
>>>>         </wsp:Policy>
>>>>       </sp:SupportingTokens>
>>>>     </wsp:All>
>>>>
>>>>     <wsp:All>
>>>>       <sp:TransportBinding>
>>>>         <wsp:Policy>
>>>>           <sp:TransportToken>
>>>>             <wsp:Policy>
>>>>               <sp:HttpsToken>
>>>>                 <wsp:Policy>
>>>>                   <sp:RequireClientCertificate />
>>>>                 </wsp:Policy>
>>>>               </sp:HttpsToken>
>>>>             </wsp:Policy>
>>>>           </sp:TransportToken>
>>>>           <sp:AlgorithmSuite>
>>>>             <wsp:Policy>
>>>>               <sp:Basic256 />
>>>>             </wsp:Policy>
>>>>           </sp:AlgorithmSuite>
>>>>         </wsp:Policy>
>>>>       </sp:TransportBinding>
>>>>
>>>>       <sp:SupportingTokens>
>>>>         <wsp:Policy>
>>>>           <sp:UsernameToken>
>>>>             <wsp:Policy>
>>>>               <sp:NoPassword />
>>>>             </wsp:Policy>
>>>>           </sp:UsernameToken>
>>>>         </wsp:Policy>
>>>>       </sp:SupportingTokens>
>>>>     </wsp:All>
>>>>   </wsp:ExactlyOne>
>>>> </wsp:Policy>
>>
>>
>>
>> --
>> Glen Mazza
>> Talend Community Coders - coders.talend.com
>> blog: www.jroller.com/gmazza
>>
>
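
The two alternatives from the thread, reduced to a check that each inbound request satisfies one whole `wsp:All` and never a mix of both. This is an added example, not code from the thread or from CXF: the request-fact keys (`https`, `client_cert`, `username`, `password`) and the function names are hypothetical, and treating a missing `sp:NoPassword` as "password expected" is an assumption.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Constructed sample: the thread's two alternatives, cut down to the
# assertions that differ (layout and algorithm suite omitted).
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"><wsp:ExactlyOne>
 <wsp:All>
  <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
   <sp:HttpsToken><wsp:Policy/></sp:HttpsToken>
  </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
  <sp:SupportingTokens><wsp:Policy><sp:UsernameToken><wsp:Policy>
   <sp:WssUsernameToken11/>
  </wsp:Policy></sp:UsernameToken></wsp:Policy></sp:SupportingTokens>
 </wsp:All>
 <wsp:All>
  <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
   <sp:HttpsToken><wsp:Policy><sp:RequireClientCertificate/></wsp:Policy></sp:HttpsToken>
  </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
  <sp:SupportingTokens><wsp:Policy><sp:UsernameToken><wsp:Policy>
   <sp:NoPassword/>
  </wsp:Policy></sp:UsernameToken></wsp:Policy></sp:SupportingTokens>
 </wsp:All>
</wsp:ExactlyOne></wsp:Policy>"""


def alternatives(policy_xml):
    """Return one requirements dict per wsp:All under the top-level wsp:ExactlyOne."""
    root = ET.fromstring(policy_xml)
    result = []
    for alt in root.findall(f"{{{WSP}}}ExactlyOne/{{{WSP}}}All"):
        def has(name, alt=alt):
            return alt.find(f".//{{{SP}}}{name}") is not None
        result.append({"https": has("HttpsToken"),
                       "client_cert": has("RequireClientCertificate"),
                       "username": has("UsernameToken"),
                       # Assumption: no sp:NoPassword means a password is expected.
                       "password": not has("NoPassword")})
    return result


def satisfies(alt, req):
    """True if the request facts meet every requirement of this one alternative."""
    required = all(req[k] for k in ("https", "client_cert", "username") if alt[k])
    return required and req["password"] == alt["password"]


def matching(policy_xml, req):
    """Indexes of the alternatives the request satisfies in full; empty means reject."""
    return [i for i, alt in enumerate(alternatives(policy_xml)) if satisfies(alt, req)]
```

A request with a username, no password and no client certificate matches neither alternative, and a mutual-SSL request checked only against the first alternative fails, which is the behaviour the thread reports for first-alternative selection.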
