Hi, CXF contains special interceptors for the cases of a UsernameToken, KerberosToken or SamlToken policy assertions that are independent of a binding. Any other policy use case is handled by the PolicyBased WSS4J Interceptors.
I suppose the question is whether there is a realistic use-case to also support an X509Token independent of a binding? What would the point be exactly of just having an X509 certificate in the security header of a request, without it being used for signature or encryption?

Colm.

On Tue, Apr 1, 2014 at 7:21 PM, JHClouser <[email protected]> wrote:

> Hello,
>
> The version of Apache CXF to which this post applies is 2.7.7, although the
> behavior described below has also been observed in 2.6.8.
>
> I have a WSDL-first web service with a WS-Policy expression that includes an
> X.509 token assertion as an option to authenticate with the service.
>
> <wsp:Policy wsu:Id="WsSecurityUsernameToken-Or-WsSecurityX509CertificateToken">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <wssp:UsernameToken IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>         <wsp:Policy/>
>       </wssp:UsernameToken>
>     </wsp:All>
>     <wsp:All>
>       <wssp:X509Token IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>         <wsp:Policy/>
>       </wssp:X509Token>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> I was anticipating the incoming interceptor chain for the service would
> contain a PolicyBasedWSS4JInInterceptor (PBWII), but it doesn't, and a SOAP
> request that fulfills the X509Token assertion is rejected as not having met
> the policy for the service.
>
> However, when I add an arbitrary and unwanted security binding to the policy
> expression (e.g., a transport binding asserting basic authentication and
> server authentication), a PBWII is instantiated and the same SOAP request is
> processed without error.
>
> It therefore appears a security binding is required for a PBWII and an
> X509Token assertion must be expressed as a supporting token as part of a
> security binding. Yet, this would be inconsistent with a UsernameToken
> assertion, which CXF asserts independent of a security binding.
>
> The behavior I've observed leads me to ask: is there a way to express an
> X509Token assertion independent of a security binding such that CXF will
> apply the assertion?
>
> Thank you.
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/WS-Policy-Expressions-for-X-509-Token-Assertions-tp5742248.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
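The policy below is an added illustration of the direction Colm's reply points in; it is not from the thread and not CXF project code. It restates the X.509 alternative as an AsymmetricBinding in which the client's X509Token is the InitiatorToken and must sign the Body and Timestamp, so the certificate is actually used for something (the signature) rather than merely being present in the header, and the presence of a binding means the policy is handled by the PolicyBasedWSS4J interceptors rather than rejected. The wsu:Id, the wsp/sp/wsu prefixes, the choice of AlgorithmSuite and Layout, and the placement of SignedParts in the same alternative are all assumptions for the example; the wsp:PolicyReference that attaches it to the WSDL binding, and the keystore configuration on both sides, are not shown.

```xml
<!-- Added example policy, not part of the original thread.
     Assumed: prefixes wsp/sp/wsu, the Id, Basic256, Strict layout. -->
<wsp:Policy wsu:Id="X509SignedRequestPolicy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- A security binding is what makes the X.509 token meaningful:
           the initiator's certificate must produce the message signature. -->
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <!-- Client certificate travels in the security header
                   (AlwaysToRecipient) and is used to sign the request. -->
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <!-- Service certificate is never sent; the client is expected
                   to hold it in its truststore (assumption for the example). -->
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <!-- Timestamp gives the signature a freshness window. -->
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
      <!-- What the initiator token must actually sign. -->
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

The practical check on the receiving side is not "was a BinarySecurityToken present" but "does the signature over Body and Timestamp verify against a certificate the service trusts"; a bare certificate in the header, which is what the original policy asked for, proves nothing about the sender, since anyone can paste a public certificate into a request. The UsernameToken alternative from the quoted policy can still sit beside this one as a second wsp:All inside the same wsp:ExactlyOne.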
