Hi,
I need to consume a web service that uses WS-SecurityPolicy, managed by
Oracle Web Services Manager (OWSM) and configured with the predefined policy
oracle/wss11_x509_token_with_message_protection_service_policy. This policy
requires the request to be signed and encrypted using X.509 certificates. Here
is the relevant policy section of the WSDL:
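<!-- Fault policy is empty: SOAP faults are neither signed nor encrypted, so
     fault details (NoSuchElementException, InternalError) travel in the clear
     and are unauthenticated. Keep fault content free of sensitive data. -->
<wsp:Policy wsu:Id="CustomerManagementSoapHttpBindingQSPort_Fault_Policy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>

<!-- Request protection: the parts the client must sign and encrypt. -->
<wsp:Policy wsu:Id="CustomerManagementSoapHttpBindingQSPort_Input_Policy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
    <!-- Both WS-Addressing namespace versions are covered, so To/Action/
         MessageID headers are bound to the signature and cannot be swapped. -->
    <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <!-- WSS 1.1 SignatureConfirmation is signed whenever it is present. -->
    <sp:Header Name="SignatureConfirmation"
               Namespace="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"/>
  </sp:SignedParts>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <!-- NOTE(review): the customerManagementHeader SOAP header declared on the
       binding is not listed above; unless it lives in the fmw-context
       namespace it is sent unsigned and unencrypted. Confirm that is intended. -->
</wsp:Policy>

<!-- Response protection: only the Body is signed and encrypted. The
     customerManagementResponseHeader declared on the binding is not covered,
     so the client must treat it as unauthenticated cleartext. -->
<wsp:Policy wsu:Id="CustomerManagementSoapHttpBindingQSPort_Output_Policy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
  </sp:SignedParts>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body/>
  </sp:EncryptedParts>
</wsp:Policy>

<!-- Binding-level security policy (the OWSM predefined
     oracle/wss11_x509_token_with_message_protection_service_policy). -->
<wsp:Policy wsu:Id="wss11_x509_token_with_message_protection_service_policy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <!-- Symmetric binding: the client generates a symmetric key, wraps it for
       the service's X.509 certificate (the ProtectionToken) in an
       EncryptedKey, and uses that key for both signing and encryption. -->
  <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <sp:ProtectionToken>
        <wsp:Policy>
          <!-- IncludeToken/Never + RequireThumbprintReference: the service
               certificate is never carried in the message and is referenced
               only by its SHA-1 thumbprint, so the client must already hold
               the service certificate (obtained out of band) in its keystore. -->
          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
            <wsp:Policy>
              <sp:RequireThumbprintReference/>
              <sp:WssX509V3Token11/>
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:ProtectionToken>
      <!-- Basic128 (WS-SecurityPolicy 1.1): AES-128 data encryption,
           RSA-OAEP key transport and SHA-1 digests. SHA-1 is dictated by the
           service policy; if you control the service, a SHA-256 suite
           (e.g. Basic128Sha256 from WS-SecurityPolicy 1.2) is preferable. -->
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic128/>
        </wsp:Policy>
      </sp:AlgorithmSuite>
      <!-- Lax: no fixed ordering of elements inside the Security header. -->
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax/>
        </wsp:Policy>
      </sp:Layout>
      <!-- A wsu:Timestamp is required; the service can enforce a freshness
           window against replay, so the client clock must be kept in sync. -->
      <sp:IncludeTimestamp/>
      <!-- The signature also covers the token it was produced with. -->
      <sp:ProtectTokens/>
      <!-- Signatures may only cover whole headers and the Body, never
           sub-elements. -->
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy>
  </sp:SymmetricBinding>
  <!-- Client authentication: the client's own X.509 certificate is always
       sent to the service (AlwaysToRecipient) and its private key signs
       ("endorses") the primary signature. The service is expected to
       validate this certificate against its trust store. -->
  <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssX509V3Token11/>
        </wsp:Policy>
      </sp:X509Token>
    </wsp:Policy>
  </sp:EndorsingSupportingTokens>
  <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <!-- The response must echo the request signature values in
           wsse11:SignatureConfirmation and the client must verify them,
           tying each response to the request that produced it. -->
      <sp:RequireSignatureConfirmation/>
      <!-- Both sides must support direct references to the EncryptedKey
           carrying the symmetric key. NOTE(review): this looks like the
           counterpart of the OWSM "Expected: direct" compliance error —
           confirm how the client references its EncryptedKey. -->
      <sp:MustSupportRefEncryptedKey/>
    </wsp:Policy>
  </sp:Wss11>
</wsp:Policy>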
And here is the binding that references these policies:
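<!-- SOAP/HTTP binding for CustomerManagement. The WL5G3N2/WL5G3N4 prefixes
     are presumably declared on the wsdl:definitions root, which is not part
     of this excerpt. -->
<wsdl:binding name="CustomerManagementSoapHttpBinding" type="WL5G3N2:CustomerManagement">
  <WL5G3N4:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  <!-- Security policy for the whole binding. wsdl:required="false" only marks
       the WS-Policy extension as optional for WSDL processors; OWSM enforces
       the policy on the service side regardless, so a client that ignores it
       is rejected. -->
  <wsp:PolicyReference URI="#wss11_x509_token_with_message_protection_service_policy"
                       wsdl:required="false"
                       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
  <wsdl:operation name="getCustomerInfo">
    <WL5G3N4:operation/>
    <wsdl:input>
      <!-- NOTE(review): this header is not named in the Input policy's
           SignedParts/EncryptedParts; unless it is in the fmw-context
           namespace it travels unprotected. -->
      <WL5G3N4:header message="WL5G3N2:getCustomerInfoMsg"
                      part="customerManagementHeader" use="literal"/>
      <WL5G3N4:body use="literal" parts="getCustomerInfoData"/>
      <wsp:PolicyReference URI="#CustomerManagementSoapHttpBindingQSPort_Input_Policy"
                           wsdl:required="false"
                           xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
    </wsdl:input>
    <wsdl:output>
      <!-- NOTE(review): the Output policy covers only the Body, so this
           response header is neither signed nor encrypted. -->
      <WL5G3N4:header message="WL5G3N2:getCustomerInfoResponseMsg"
                      part="customerManagementResponseHeader" use="literal"/>
      <WL5G3N4:body use="literal" parts="getCustomerInfoDataResponse"/>
      <wsp:PolicyReference URI="#CustomerManagementSoapHttpBindingQSPort_Output_Policy"
                           wsdl:required="false"
                           xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
    </wsdl:output>
    <!-- Both faults use the empty Fault policy: fault messages are sent
         unsigned and unencrypted. -->
    <wsdl:fault name="NoSuchElementException">
      <WL5G3N4:fault name="NoSuchElementException" use="literal"/>
      <wsp:PolicyReference URI="#CustomerManagementSoapHttpBindingQSPort_Fault_Policy"
                           wsdl:required="false"
                           xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
    </wsdl:fault>
    <wsdl:fault name="InternalError">
      <WL5G3N4:fault name="InternalError" use="literal"/>
      <wsp:PolicyReference URI="#CustomerManagementSoapHttpBindingQSPort_Fault_Policy"
                           wsdl:required="false"
                           xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"/>
    </wsdl:fault>
  </wsdl:operation>
</wsdl:binding>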
The CXF client configuration is very similar to the "ws_security/sign_enc_policy"
sample:
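<!-- CXF logging feature: writes complete SOAP messages to the log. Check
     what it captures (before or after WS-Security processing) before
     enabling it outside development, so decrypted payloads do not end up
     in log files. -->
<cxf:bus>
  <cxf:features>
    <cxf:logging/>
  </cxf:features>
</cxf:bus>

<!-- Supplies the private-key password to WSS4J at runtime. Prefer keeping
     key passwords here rather than in the *.properties files below. -->
<bean id="keystorePasswordCallback" class="my.project.KeystorePasswordCallback"/>

<jaxws:client name="{http://.../CustomerManagement}CustomerManagementSoapHttpBindingQSPort"
              createdFromAPI="true">
  <jaxws:properties>
    <entry key="ws-security.callback-handler" value-ref="keystorePasswordCallback"/>
    <!-- Client's own key pair: used for the endorsing X.509 signature the
         service policy requires (the client's certificate is sent with the
         request). -->
    <entry key="ws-security.signature.properties" value="etc/Client_Sign.properties"/>
    <entry key="ws-security.signature.username" value="clientx509v1"/>
    <!-- Service certificate: the key the symmetric key is wrapped for. The
         service policy references it by thumbprint only, so this alias must
         resolve to the real service certificate in the client keystore. -->
    <entry key="ws-security.encryption.properties" value="etc/Client_Encrypt.properties"/>
    <entry key="ws-security.encryption.username" value="serverx509v1"/>
    <!-- NOTE(review): clientx509v1 / serverx509v1 are the alias names from the
         CXF sample. If the sample keystores are still in use, their private
         keys are public (they ship with the CXF distribution); replace them
         with real keys before talking to a production service. -->
  </jaxws:properties>
</jaxws:client>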
The error reported on the service (OWSM) side is:
oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException:
WSM-00034 : Error in Encryption reference mechanism compliance : Expected :
direct , Actual : null. Ensure that a compatible policy is attached at the
client side.
I don't know what I need to change on the client so that the encryption key
reference mechanism is "direct", nor whether I will hit other incompatibilities
after that. Has anyone managed to connect to an OWSM web service with the same
security policy?
Thank you.
--
Etienne Bernard <[email protected]>
Director Técnico - FullSIX España - http://www.fullsix.es/