Hi there,
I'd like to implement a scenario where I'm trying to send an X509-signed
request to a server's endpoint which sends an X509-signed response back. At the
moment I'm always getting the following SOAP fault back from the server and
don't know what to do next:
org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:99)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:337)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:182)
at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:163)
at org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:141)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:140)
at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:96)
at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
... 27 more
Unfortunately I'm pretty new to web services and also to the CXF framework. As
long as I'm getting a meaningful exception everything is fine, but right
now I'm really stuck. Here's the policy part from the WSDL:
<wsp:Policy wsu:Id="XXX">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10>
        <wsp:Policy
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:MustSupportRefIssuerSerial />
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
I also generated a client and a server keystore containing the following
entries:
clientKeystore.jks:
Keystore-Typ: JKS
Keystore-Provider: SUN
Keystore enthält 2 Einträge
Aliasname: myservicekey
Erstellungsdatum: 26.04.2013
Eintragstyp: trustedCertEntry
Eigentümer: CN=localhost
Aussteller: CN=localhost
Seriennummer: 2f8abbf3
Gültig von: Fri Apr 26 15:47:59 CEST 2013 bis: Sun Apr 26 15:47:59 CEST 2015
Zertifikat-Fingerprints:
MD5: 28:AF:60:C7:56:30:B4:48:7F:30:7E:B4:A8:A9:2E:1F
SHA1: 45:F1:62:85:56:94:8E:FF:6D:00:BA:0D:8C:FF:5D:6E:02:11:8F:B8
SHA256:
65:9A:CF:F3:E2:19:03:56:BB:8C:04:0E:84:C3:EB:F4:96:F2:02:4D:B3:8A:52:DD:23:15:19:05:6E:C9:F5:75
Signaturalgorithmusname: SHA1withRSA
Version: 3
Erweiterungen:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 38 4F 49 C4 81 F6 26 CE 49 DC 85 A2 BE 3F AF y8OI...&.I....?.
0010: 5B 15 A8 44 [..D
]
]
*******************************************
*******************************************
Aliasname: myclientkey
Erstellungsdatum: 26.04.2013
Eintragstyp: PrivateKeyEntry
Zertifikatkettenlänge: 1
Zertifikat[1]:
Eigentümer: CN=clientuser
Aussteller: CN=clientuser
Seriennummer: 683223da
Gültig von: Fri Apr 26 15:48:15 CEST 2013 bis: Sun Apr 26 15:48:15 CEST 2015
Zertifikat-Fingerprints:
MD5: CF:BE:DA:AE:1B:7C:38:AC:76:DE:48:5A:6B:A6:C3:85
SHA1: 49:08:EA:B3:02:C0:11:17:14:43:A6:3E:E0:FE:B3:3E:86:93:93:77
SHA256:
0E:90:F1:27:EA:79:6D:27:35:F0:D3:6E:E1:E7:24:BC:94:D8:7B:FA:C4:B5:E5:D3:FF:4A:44:8F:D1:9E:27:43
Signaturalgorithmusname: SHA1withRSA
Version: 3
Erweiterungen:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EE 70 37 89 7C CA E5 42 33 52 89 51 46 A1 71 CE .p7....B3R.QF.q.
0010: 30 C1 4F C0 0.O.
]
]
*******************************************
*******************************************
serviceKeystore.jks:
Keystore enthält 2 Einträge
Aliasname: myservicekey
Erstellungsdatum: 26.04.2013
Eintragstyp: PrivateKeyEntry
Zertifikatkettenlänge: 1
Zertifikat[1]:
Eigentümer: CN=localhost
Aussteller: CN=localhost
Seriennummer: 2f8abbf3
Gültig von: Fri Apr 26 15:47:59 CEST 2013 bis: Sun Apr 26 15:47:59 CEST 2015
Zertifikat-Fingerprints:
MD5: 28:AF:60:C7:56:30:B4:48:7F:30:7E:B4:A8:A9:2E:1F
SHA1: 45:F1:62:85:56:94:8E:FF:6D:00:BA:0D:8C:FF:5D:6E:02:11:8F:B8
SHA256:
65:9A:CF:F3:E2:19:03:56:BB:8C:04:0E:84:C3:EB:F4:96:F2:02:4D:B3:8A:52:DD:23:15:19:05:6E:C9:F5:75
Signaturalgorithmusname: SHA1withRSA
Version: 3
Erweiterungen:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 38 4F 49 C4 81 F6 26 CE 49 DC 85 A2 BE 3F AF y8OI...&.I....?.
0010: 5B 15 A8 44 [..D
]
]
*******************************************
*******************************************
Aliasname: myclientkey
Erstellungsdatum: 26.04.2013
Eintragstyp: trustedCertEntry
Eigentümer: CN=clientuser
Aussteller: CN=clientuser
Seriennummer: 683223da
Gültig von: Fri Apr 26 15:48:15 CEST 2013 bis: Sun Apr 26 15:48:15 CEST 2015
Zertifikat-Fingerprints:
MD5: CF:BE:DA:AE:1B:7C:38:AC:76:DE:48:5A:6B:A6:C3:85
SHA1: 49:08:EA:B3:02:C0:11:17:14:43:A6:3E:E0:FE:B3:3E:86:93:93:77
SHA256:
0E:90:F1:27:EA:79:6D:27:35:F0:D3:6E:E1:E7:24:BC:94:D8:7B:FA:C4:B5:E5:D3:FF:4A:44:8F:D1:9E:27:43
Signaturalgorithmusname: SHA1withRSA
Version: 3
Erweiterungen:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EE 70 37 89 7C CA E5 42 33 52 89 51 46 A1 71 CE .p7....B3R.QF.q.
0010: 30 C1 4F C0 0.O.
]
]
*******************************************
As described in the docs, I added all needed properties to the client cxf.xml and
to cxf-servlet.xml. Here's the content:
cxf.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:p="http://cxf.apache.org/policy"
       xmlns:wsp="http://www.w3.org/2006/07/ws-policy"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/jaxws
                           http://cxf.apache.org/schemas/jaxws.xsd">
  <jaxws:client name="{URL}service" createdFromAPI="true">
    <jaxws:properties>
      <entry key="ws-security.callback-handler"
             value="core.webservice.sender.SoapMessageSenderCallback" />
      <entry key="ws-security.signature.properties"
             value="clientKeystore.properties" />
    </jaxws:properties>
    <jaxws:features>
      <bean class="org.apache.cxf.feature.LoggingFeature" />
    </jaxws:features>
  </jaxws:client>
</beans>
cxf-servlet.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:p="http://cxf.apache.org/policy"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://cxf.apache.org/core
                           http://cxf.apache.org/schemas/core.xsd
                           http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
                           http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
  <import resource="classpath:META-INF/cxf/cxf-extension-ws-security.xml" />
  <import resource="classpath:META-INF/cxf/cxf-extension-policy.xml" />
  <cxf:bus>
    <cxf:features>
      <p:policies ignoreUnknownAssertions="true" />
    </cxf:features>
  </cxf:bus>
  <jaxws:endpoint id="service" address="/service"
                  implementor="core.webservice.receiver.SoapMessageReceiverImpl"
                  wsdlLocation="WEB-INF/wsdl/service.wsdl">
    <jaxws:properties>
      <entry key="ws-security.callback-handler"
             value="core.webservice.receiver.SoapMessageReceiverCallback" />
      <entry key="ws-security.signature.properties"
             value="serviceKeystore.properties" />
    </jaxws:properties>
    <jaxws:features>
      <bean class="org.apache.cxf.feature.LoggingFeature" />
    </jaxws:features>
  </jaxws:endpoint>
</beans>
I'm using CXF 2.2, and the client and the endpoint are deployed in JBoss-4.2.3-GA.
Can somebody give me a hint as to what might be the cause of this exception?
If you need more information, just ask and I'll post it.
Thanks in advance and regards,
Tobi
--
View this message in context:
http://cxf.547215.n5.nabble.com/Endpoint-answers-with-policy-alternatives-can-not-be-satisfied-after-sending-X509-signed-request-tp5726909.html
Sent from the cxf-user mailing list archive at Nabble.com.
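Added example (not part of the original post or of CXF): a small Python helper that walks the WS-Policy normal form (ExactlyOne/All) of the policy quoted above and cross-references each alternative's assertions with the QNames listed in the "policy alternatives can not be satisfied" fault, so you can see whether the whole alternative or only a nested assertion was rejected. The comparison is by local name because the fault reports the SP 1.2 (200702) namespace while the WSDL declares the SP 1.1 (2005/07) one; the wsp: namespace is assumed to be the 2006/07 one that cxf.xml declares, and the embedded policy is the poster's alternative with whitespace and IncludeToken attributes dropped.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/2006/07/ws-policy"   # assumed binding of the wsp: prefix
SP11 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"   # used by the WSDL
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # used by the fault

# The single alternative from the poster's WSDL, compacted (sample input).
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP11}"><wsp:ExactlyOne><wsp:All>
<sp:AsymmetricBinding><wsp:Policy>
<sp:InitiatorToken><wsp:Policy><sp:X509Token><wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token></wsp:Policy></sp:InitiatorToken>
<sp:RecipientToken><wsp:Policy><sp:X509Token><wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token></wsp:Policy></sp:RecipientToken>
<sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
<sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy></sp:AsymmetricBinding>
<sp:Wss10><wsp:Policy><sp:MustSupportRefIssuerSerial/></wsp:Policy></sp:Wss10>
<sp:SignedParts><sp:Body/></sp:SignedParts>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""

# The QNames exactly as the CXF fault lists them.
FAULT = ["{%s}%s" % (SP12, n) for n in ("AsymmetricBinding", "X509Token",
         "InitiatorToken", "RecipientToken", "Layout", "Wss10", "SignedParts")]


def local(qname):
    """'{ns}Name' -> 'Name'; the fault and the WSDL use different SP namespaces."""
    return qname.rsplit("}", 1)[-1]


def assertions(elem):
    """Depth-first walk yielding every non-wsp element (assertions and parameters)."""
    for child in elem:
        if not child.tag.startswith("{" + WSP + "}"):
            yield child
        yield from assertions(child)   # descend through wsp:Policy wrappers too


def alternatives(policy_xml):
    """One sorted list of assertion local names per wsp:All alternative."""
    root = ET.fromstring(policy_xml)
    alts = root.findall("{%s}ExactlyOne/{%s}All" % (WSP, WSP))
    return [sorted({local(a.tag) for a in assertions(alt)}) for alt in alts]


def cross_reference(policy_xml, fault_qnames):
    """Per alternative, split its assertions into those the fault names and the rest.
    If every container assertion is named, the alternative failed as a whole."""
    named = {local(q) for q in fault_qnames}
    return [{"named_in_fault": [n for n in names if n in named],
             "not_named": [n for n in names if n not in named]}
            for names in alternatives(policy_xml)]
```

For the policy above the output shows that all seven assertions in the fault are the container assertions of the one and only alternative, and the names left out are their nested parameters.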