Reputation: 10646
I'm writing a client to connect to a SOAP webservice using a WSDL first approach. For implementation I am using Apache CXF version 3.1.4.
When testing I get the following exception:
    12:35:15.492 [main] WARN o.a.c.w.p.a.w.Wsdl11AttachmentPolicyProvider - Failed to build the policy 'UsernameToken':sp:UsernameToken must have an inner wsp:Policy element
    Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: sp:UsernameToken must have an inner wsp:Policy element
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
        at com.sun.proxy.$Proxy36.getPing(Unknown Source)
        ...
    Caused by: java.lang.IllegalArgumentException: sp:UsernameToken must have an inner wsp:Policy element
        at org.apache.wss4j.policy.builders.UsernameTokenBuilder.build(UsernameTokenBuilder.java:52)
        at org.apache.wss4j.policy.builders.UsernameTokenBuilder.build(UsernameTokenBuilder.java:34)
        at org.apache.neethi.AssertionBuilderFactoryImpl.invokeBuilder(AssertionBuilderFactoryImpl.java:138)
The relevant part of the WSDL file looks like this:
    <wsp:Policy wsu:Id="UsernameToken">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SupportingTokens>
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
            </wsp:Policy>
          </sp:SupportingTokens>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
The error message indicates that CXF expects a policy tag under UsernameToken. And indeed, while researching I came across a comment from the CXF bug tracker:
Yes... Per spec, the <sp:UsernameToken> element MUST contain an internal wsp:Policy element. It should look like:
    <sp:UsernameToken
        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:WssUsernameToken11 />
      </wsp:Policy>
    </sp:UsernameToken>
But, the specification says:
/sp:UsernameToken/wsp:Policy
This optional element identifies additional requirements for use of the
sp:UsernameToken assertion.
Note: Optional.
So which one is it? It seems that CXF requires a policy while the specification says it is optional. Is there another specification I need to look at?
Upvotes: 0
Views: 1839
Reputation: 10646
Seems the question was fairly unnoticed here on SO, but in case Google leads someone here, I might as well post the solution.
I posted the same question on the Apache CXF user mailing list and got a reply:
It's a bug in WSS4J which I've just fixed: https://issues.apache.org/jira/browse/WSS-564
WS-SecurityPolicy 1.2 + 1.3 require a policy Element, but 1.1 doesn't. Until the next WSS4J release, your best bet is just to have an empty policy Element.
Upvotes: 2
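The workaround from the mailing-list reply can be applied mechanically to a WSDL. The following Python script is an added example (not from the post, CXF or WSS4J) that inserts an empty wsp:Policy into every WS-SecurityPolicy 1.1 sp:UsernameToken that lacks one. The xmlns declarations in SAMPLE and all function names are assumptions, since the question shows only the policy fragment.

```python
from xml.dom import minidom

# WS-SecurityPolicy 1.1 namespace, implied by the IncludeToken URI in the question.
SP11_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
# Assumption: the WSDL uses one of the two WS-Policy namespaces (1.2 or 1.5).
WSP_NAMESPACES = {"http://schemas.xmlsoap.org/ws/2004/09/policy",
                  "http://www.w3.org/ns/ws-policy"}

# Constructed sample: the question's policy plus assumed xmlns declarations.
SAMPLE = """<wsp:Policy wsu:Id="UsernameToken"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne><wsp:All><sp:SupportingTokens><wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
  </wsp:Policy></sp:SupportingTokens></wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def _is_policy(node):
    return (node.nodeType == node.ELEMENT_NODE and node.localName == "Policy"
            and node.namespaceURI in WSP_NAMESPACES)

def _enclosing_policy(node):
    """Nearest wsp:Policy ancestor; its prefix and namespace are reused."""
    parent = node.parentNode
    while parent is not None and not _is_policy(parent):
        parent = parent.parentNode
    return parent

def add_empty_policies(wsdl_text):
    """Return (patched_xml, count) after adding an empty wsp:Policy child to
    every WS-SecurityPolicy 1.1 UsernameToken that has none."""
    doc = minidom.parseString(wsdl_text)
    patched = 0
    for token in doc.getElementsByTagNameNS(SP11_NS, "UsernameToken"):
        if any(_is_policy(child) for child in token.childNodes):
            continue  # already has the nested policy
        outer = _enclosing_policy(token)
        if outer is None:
            continue  # not inside a policy expression, leave it alone
        token.appendChild(doc.createElementNS(outer.namespaceURI, outer.tagName))
        patched += 1
    return doc.toxml(), patched

if __name__ == "__main__":
    xml_out, count = add_empty_policies(SAMPLE)
    print(count, "UsernameToken assertion(s) patched")
    print(xml_out)
```

minidom does not defend against entity-expansion payloads, so run this only on WSDL files from a source you trust.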