Hi, there

We have a SAML token (STS) policy defined as below (saml.policy):

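<?xml version="1.0" encoding="UTF-8"?>
<!--
  saml.policy: an asymmetric binding whose initiator token is a SAML 2.0 token
  obtained from an STS (sp:IssuedToken). The recipient is identified by an X.509 v3
  certificate that is never sent on the wire (IncludeToken/Never), so the client
  must already hold it.

  NOTE(review): encrypt_sign.policy, attached to the same endpoint, declares a
  second sp:AsymmetricBinding whose initiator is a plain X509Token. The two
  bindings disagree on the initiator token; that looks like the reason the
  effective policy reports "Error in validating the IssuedToken policy" - confirm.

  Fixes vs. the pasted copy: stray ';' after every namespace URI removed (not
  well-formed XML), redundant xmlns:sp re-declarations on sp:Wss11 / sp:Trust13
  dropped (same URI, so element identity is unchanged), indentation normalised.
-->
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- Initiator: the STS-issued SAML 2.0 token, sent with every request. -->
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <!-- Template for the RequestSecurityToken sent to the STS. xmlns:t is
                     kept on each child so the children stay self-contained if they are
                     copied out of this document. -->
                <sp:RequestSecurityTokenTemplate>
                  <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
                  <!-- PublicKey key type: the issued token is bound to the requester's
                       public key rather than to a symmetric proof key. -->
                  <t:KeyType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
                </sp:RequestSecurityTokenTemplate>
                <wsp:Policy>
                  <!-- Left disabled as in the original; a commented-out assertion is not
                       part of the policy and is ignored by the parser. -->
                  <!--sp:RequireInternalReference /-->
                  <sp:WssX509V3Token10/>
                  <sp:RequireIssuerSerialReference/>
                </wsp:Policy>
              </sp:IssuedToken>
            </wsp:Policy>
          </sp:InitiatorToken>
          <!-- Recipient: X.509 v3 certificate referenced by issuer/serial, never included. -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                  <sp:RequireIssuerSerialReference/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- Lax layout: no ordering constraint on the Security header children. -->
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <!-- A wsu:Timestamp is included in the Security header. -->
          <sp:IncludeTimestamp/>
          <!-- Signatures cover whole headers and the whole body, never sub-elements. -->
          <sp:OnlySignEntireHeadersAndBody/>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss11>
      <!-- WS-Trust 1.3: both client and STS contribute entropy to the issued key. -->
      <sp:Trust13>
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust13>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>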

And an encrypt/sign-body policy (encrypt_sign.policy) defined as:

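<?xml version="1.0" encoding="UTF-8"?>
<!--
  encrypt_sign.policy: an asymmetric binding in which BOTH parties are identified
  by X.509 v3 certificates (initiator sends its certificate, recipient's is never
  sent), plus SignedParts/EncryptedParts that protect the SOAP Body.

  NOTE(review): saml.policy, attached to the same endpoint, declares its own
  sp:AsymmetricBinding whose initiator is an sp:IssuedToken (SAML 2.0), not an
  sp:X509Token. With both policies attached, the effective policy carries two
  AsymmetricBinding assertions with conflicting initiator tokens - presumably the
  cause of the "Error in validating the IssuedToken policy" exception; confirm.

  Fixes vs. the pasted copy: stray ';' after every namespace URI removed (not
  well-formed XML), XML declaration added, indentation normalised. xmlns:wsu is
  kept although no wsu: name is used in this document.
-->
<wsp:Policy xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- Initiator: client X.509 v3 certificate, included in every request. -->
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                  <sp:RequireIssuerSerialReference/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <!-- Recipient: service X.509 v3 certificate, referenced by issuer/serial only. -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                  <sp:RequireIssuerSerialReference/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- Lax layout: no ordering constraint on the Security header children. -->
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <!-- A wsu:Timestamp is included in the Security header. -->
          <sp:IncludeTimestamp/>
          <!-- Signatures cover whole headers and the whole body, never sub-elements. -->
          <sp:OnlySignEntireHeadersAndBody/>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- Only the SOAP Body is listed for encryption and signature; any SOAP
           header that needs protection would have to be listed here explicitly. -->
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>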

The service endpoint is defined in Spring:
<jaxws:endpoint ...>
        ......
        <jaxws:features>
            <!-- Both referenced policy files declare their own sp:AsymmetricBinding
                 (IssuedToken initiator in saml.policy, X509Token initiator in
                 encrypt_sign.policy); both are attached to this one endpoint. -->
            <p:policies>
                <wsp:PolicyReference URI="classpath:/saml.policy"/>
                <wsp:PolicyReference URI="classpath:/encrypt_sign.policy"/>
            </p:policies>
        </jaxws:features>
</jaxws:endpoint>

The client is also defined in Spring:
<jaxws:client ...>
        ......
        <jaxws:features>
            <!-- Same two policy files as the service endpoint; the client side
                 therefore also carries two sp:AsymmetricBinding assertions. -->
            <p:policies>
                <wsp:PolicyReference URI="classpath:/saml.policy"/>
                <wsp:PolicyReference URI="classpath:/encrypt_sign.policy"/>
            </p:policies>
        </jaxws:features>
</jaxws:client>

After deploying the service and client and invoking the service, an "Error in validating 
the IssuedToken policy" exception is thrown:

11:25:53,782 | WARN  | qtp895895561-118 | ache.cxf.common.logging.LogUtils  452 
| 122 - org.apache.cxf.cxf-api - 2.7.7 | Interceptor for 
{http://services.talend.org/CRMService}CRMServiceProvider#{http://services.talend.org/CRMService}getCRMInformation
 has thrown exception, unwinding now
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be 
satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken: Error 
in validating the IssuedToken policy
         at 
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)[153:org.apache.cxf.cxf-rt-ws-policy:2.7.7]
         at 
org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)[153:org.apache.cxf.cxf-rt-ws-policy:2.7.7]
         at 
org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)[153:org.apache.cxf.cxf-rt-ws-policy:2.7.7]
         at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)[122:org.apache.cxf.cxf-api:2.7.7]
         at 
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[122:org.apache.cxf.cxf-api:2.7.7]
         at 
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)[130:org.apache.cxf.cxf-rt-transports-http:2.7.7]

The service and client work fine when only one of the policies is applied (either the saml 
policy or the encrypt_sign policy).

Any ideas? Maybe the two AsymmetricBinding assertions from the different policies can't be merged correctly?
Thanks!

Regards.
Xilai
