Hello,

The version of Apache CXF to which this post applies is 2.7.7, although the
behavior described below has also been observed in 2.6.8.

I have a WSDL-first web service with a WS-Policy expression that includes an
X.509 token assertion as an option to authenticate with the service.

  <wsp:Policy wsu:Id="WsSecurityUsernameToken-Or-WsSecurityX509CertificateToken">
    <wsp:ExactlyOne>

      <wsp:All>
        <wssp:UsernameToken
            IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy/>
        </wssp:UsernameToken>
      </wsp:All>

      <wsp:All>
        <wssp:X509Token
            IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy/>
        </wssp:X509Token>
      </wsp:All>

    </wsp:ExactlyOne>
  </wsp:Policy>

I was anticipating the incoming interceptor chain for the service would
contain a PolicyBasedWSS4JInInterceptor (PBWII), but it doesn't, and a SOAP
request that fulfills the X509Token assertion is rejected as not having met
the policy for the service.

However, when I add an arbitrary and unwanted security binding to the policy
expression (e.g., a transport binding asserting basic authentication and
server authentication), a PBWII is instantiated and the same SOAP request is
processed without error.

It therefore appears a security binding is required for a PBWII and an
X509Token assertion must be expressed as a supporting token as part of a
security binding. Yet, this would be inconsistent with a UsernameToken
assertion, which CXF asserts independent of a security binding.

The behavior I've observed leads me to ask: is there a way to express an
X509Token assertion independent of a security binding such that CXF will
apply the assertion?

Thank you.
--
View this message in context: 
http://cxf.547215.n5.nabble.com/WS-Policy-Expressions-for-X-509-Token-Assertions-tp5742248.html
Sent from the cxf-user mailing list archive at Nabble.com.
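As an added example (not the poster's policy, and not a confirmation of how CXF 2.7.7 answers the question), the following shows how WS-SecurityPolicy 1.2 expresses the X.509 alternative inside a security binding, which is the arrangement the post reports CXF accepting: the X509Token becomes the InitiatorToken of an AsymmetricBinding, so a binding assertion is present in that alternative and the client's certificate is tied to the message by a signature over the SOAP Body. The namespace declarations, the RecipientToken, and the Basic128/Lax algorithm and layout choices are assumptions; the original snippet does not show them.

```xml
<!-- Added example, not the poster's policy. Namespace declarations are
     assumed; the original snippet did not include them. -->
<wsp:Policy
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    wsu:Id="WsSecurityUsernameToken-Or-WsSecurityX509CertificateToken">
  <wsp:ExactlyOne>

    <!-- Alternative 1: unchanged from the original post. -->
    <wsp:All>
      <wssp:UsernameToken
          IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy/>
      </wssp:UsernameToken>
    </wsp:All>

    <!-- Alternative 2: the X.509 token carried by a security binding.
         The client's certificate is the InitiatorToken and signs the Body;
         the service's certificate is the RecipientToken (assumed here). -->
    <wsp:All>
      <wssp:AsymmetricBinding>
        <wsp:Policy>
          <wssp:InitiatorToken>
            <wsp:Policy>
              <wssp:X509Token
                  IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <wssp:WssX509V3Token10/>
                </wsp:Policy>
              </wssp:X509Token>
            </wsp:Policy>
          </wssp:InitiatorToken>
          <wssp:RecipientToken>
            <wsp:Policy>
              <wssp:X509Token
                  IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <wssp:WssX509V3Token10/>
                </wsp:Policy>
              </wssp:X509Token>
            </wsp:Policy>
          </wssp:RecipientToken>
          <!-- Algorithm suite and layout are illustrative choices. -->
          <wssp:AlgorithmSuite>
            <wsp:Policy>
              <wssp:Basic128/>
            </wsp:Policy>
          </wssp:AlgorithmSuite>
          <wssp:Layout>
            <wsp:Policy>
              <wssp:Lax/>
            </wsp:Policy>
          </wssp:Layout>
          <wssp:IncludeTimestamp/>
        </wsp:Policy>
      </wssp:AsymmetricBinding>

      <!-- Require the Body to be signed with the initiator's certificate;
           without a signature, merely including a certificate proves nothing. -->
      <wssp:SignedParts>
        <wssp:Body/>
      </wssp:SignedParts>
    </wsp:All>

  </wsp:ExactlyOne>
</wsp:Policy>
```

The point of the binding is that it gives the X.509 token something to do: a bare X509Token assertion only says a certificate is present in the message, whereas the InitiatorToken of an AsymmetricBinding plus SignedParts requires the client to prove possession of the private key by signing the Body, and gives the interceptor a signature to verify against a trust store. Whether CXF can be made to apply a standalone X509Token without any binding is the open question in the post; this example does not settle it.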