Hello,
The version of Apache CXF to which this post applies is 2.7.7, although the
behavior described below has also been observed in 2.6.8.
I have a WSDL-first web service with a WS-Policy expression that includes an
X.509 token assertion as an option to authenticate with the service.
<wsp:Policy
    wsu:Id="WsSecurityUsernameToken-Or-WsSecurityX509CertificateToken">
  <wsp:ExactlyOne>
    <wsp:All>
      <wssp:UsernameToken
          IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy/>
      </wssp:UsernameToken>
    </wsp:All>
    <wsp:All>
      <wssp:X509Token
          IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy/>
      </wssp:X509Token>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
I was anticipating the incoming interceptor chain for the service would
contain a PolicyBasedWSS4JInInterceptor (PBWII), but it doesn't, and a SOAP
request that fulfills the X509Token assertion is rejected as not having met
the policy for the service.
However, when I add an arbitrary and unwanted security binding to the policy
expression (e.g., a transport binding asserting basic authentication and
server authentication), a PBWII is instantiated and the same SOAP request is
processed without error.
It therefore appears a security binding is required for a PBWII and an
X509Token assertion must be expressed as a supporting token as part of a
security binding. Yet, this would be inconsistent with a UsernameToken
assertion, which CXF asserts independent of a security binding.
The behavior I've observed leads me to ask: is there a way to express an
X509Token assertion independent of a security binding such that CXF will
apply the assertion?
Thank you.
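For readers arriving at this thread, the following is an added illustration of the structure the post hypothesizes (an X509Token expressed as a supporting token inside a security binding); it is not a reply from the list and not the original poster's policy. It keeps the poster's wssp prefix, and the namespace declarations, the WS-Policy 1.5 namespace, the choice of a TransportBinding with HttpsToken, the algorithm suite and the layout are all assumptions made for the example. The X509Token is placed under EndorsingSupportingTokens rather than a bare SupportingTokens element so that the client has to sign with the certificate's private key (over the Timestamp, in a transport binding); a certificate that is merely present in the Security header proves nothing, since any party can obtain a public certificate. Whether the presented certificate is trusted is still decided by the service's WSS4J crypto (truststore) configuration, which this policy does not express.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: X509Token as an endorsing supporting token under a transport binding.
     Namespaces below are assumed (WS-Policy 1.5, WS-SecurityPolicy 1.2, WSS utility). -->
<wsp:Policy
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    wsu:Id="WsSecurityX509CertificateToken-AsEndorsingSupportingToken">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Security binding: the message travels over TLS, which authenticates the server
           and protects the exchange; the binding is what makes the policy concrete. -->
      <wssp:TransportBinding>
        <wsp:Policy>
          <wssp:TransportToken>
            <wsp:Policy>
              <wssp:HttpsToken>
                <wsp:Policy/>
              </wssp:HttpsToken>
            </wsp:Policy>
          </wssp:TransportToken>
          <wssp:AlgorithmSuite>
            <wsp:Policy>
              <wssp:Basic256/>
            </wsp:Policy>
          </wssp:AlgorithmSuite>
          <wssp:Layout>
            <wsp:Policy>
              <wssp:Lax/>
            </wsp:Policy>
          </wssp:Layout>
          <!-- A signed Timestamp gives the endorsing token something to sign and
               bounds the window in which a captured message could be replayed. -->
          <wssp:IncludeTimestamp/>
        </wsp:Policy>
      </wssp:TransportBinding>
      <!-- Client authentication: the X.509 token must endorse the message, i.e. the client
           signs with the private key matching the certificate it sends. -->
      <wssp:EndorsingSupportingTokens>
        <wsp:Policy>
          <wssp:X509Token
              wssp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <wssp:WssX509V3Token10/>
            </wsp:Policy>
          </wssp:X509Token>
        </wsp:Policy>
      </wssp:EndorsingSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

When checking that such a policy is actually enforced, the useful observation is the one the post already makes: confirm that the service's incoming interceptor chain contains a PolicyBasedWSS4JInInterceptor, and send a request that omits the signature to confirm it is rejected rather than silently accepted.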