cynic
Reputation: 31
WS Policy with Apache CXF 3.0
Trying to implement WS-Policy within WSDL.
There is my configurations:
WS-Policy within WSDL:
<wsp:Policy wsu:Id="Signature">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:LaxTsFirst />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
CXF configuration:
EndpointImpl endpoint = new EndpointImpl(bus, service);
endpoint.setWsdlLocation("classpath:/wsdl/ws.wsdl");
endpoint.setProperties(new HashMap<String, Object>() {
{
put("ws-security.signature.validator", customSignatureValidator);
put("ws-security.signature.properties", new Properties() {{
put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
put("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);
put("org.apache.ws.security.crypto.merlin.file", keystorePath);
}});
put("ws-security.signature.username", privateKeyName);
put("ws-security.callback-handler", (CallbackHandler) callbacks -> {
WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
passwordCallback.setPassword(privateKeyPassword);
});
}
});
endpoint.publish("/ws");
Problem:
After sending SOAP request with timestamp, signature key information etc. I'm getting SOAP fault message:
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody
Error appears even if I'm not sending timestamp. According logs (CXF) I see that signature is correct.
Upvotes: 0
Views: 1210
Answers (1)
cynic
Reputation: 31
After some debugging and experiments figured out the problem: provided SOAP request was incorrect according WS-Policy: Timestamp and Body must be signed by the same signature. If signed only Body - will face listed errors (which are bit inaccurate).
Upvotes: 1
Related Questions
- org.apache.cxf.ws.policy.PolicyException: None of the policy alternatives can be satisfied
- Apache CXF Policy Exception (WS Security)- Security configuration could not be detected
- CXF: Inbound policy verification failed: These policy alternatives can not be satisfied:
- How to secure a SOAP web service with WSS with CXF
- cxf ws-security client does not bind the configuration file
- WS-SecurityPolicy configuration of CXF client
- WS-Security Policy node not being generated in Apache CXF with Spring and custom context file
- soapaction in WSDL using CXF
- WSDL Apache CXF Issue
- CXF generated WSDL doesn't contain WS-SecurityPolicy definition