Hi, CXF folks,
I think I need to get a web service client working with a service whose
WSDL uses WS-SecurityPolicy 1.0 definitions. What's a good way to do
this with the current CXF release?
I'd also like to update the CXF WS-SecurityPolicy doco page (at
http://cxf.apache.org/docs/ws-securitypolicy.html) to indicate which
WSSP versions are supported. Having that info up front would have saved
me some time and frustration. Any objections?
Here's the background.
This is the service's WSDL:
https://misapi.ercot.com/2007-08/Nodal/eEDS/EWS/?WSDL
It has policy bits like this.
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:SecurityHeader MustManifestEncryption="true" MustPrepend="true"
      xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext"/>
</wsp:Policy>
<wsp:Policy wsu:Id="SecurityTokens"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SecurityToken xmlns:_ns1="http://www.actional.com"
          xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>_ns1:SSLClientCertificate</sp:TokenType>
      </sp:SecurityToken>
    </wsp:All>
    <wsp:All>
      <sp:SecurityToken xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
    </wsp:All>
    <wsp:All>
      <sp:SecurityToken xmlns:_ns1="http://www.actional.com"
          xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>_ns1:SSLClientCertificate</sp:TokenType>
      </sp:SecurityToken>
      <sp:SecurityToken xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="SignedBody"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <sp:Integrity xmlns:sp="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <sp:TokenInfo>
      <sp:SecurityToken>
        <sp:TokenType>sp:X509v3</sp:TokenType>
      </sp:SecurityToken>
    </sp:TokenInfo>
    <sp:MessageParts>wsp:GetBody(.)</sp:MessageParts>
  </sp:Integrity>
</wsp:Policy>
...
<wsp:Policy wsu:Id="MarketInfo_input_policy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:PolicyReference URI="#SecurityTokens"/>
  <wsp:PolicyReference URI="#SignedBody"/>
</wsp:Policy>
And when I try to run a simple CXF client built with wsdl2java using
JAXB bindings, I get this error.
Apr 11, 2014 1:23:13 PM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
INFO: Creating Service {http://www.ercot.com/wsdl/2007-06/nodal/ewsConcrete}NodalService from WSDL: file:/C:/Users/janke/Dropbox/freelancing/EON/ERCOT-awards/project/ercot-mis-client-cxf/ErcotMisClient/build/classes/egcna/ercotmis/wsdisc/resources/WSDL/eEDS_EWS-PROD-20140320-edited.wsdl
Apr 11, 2014 1:23:14 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type {http://schemas.xmlsoap.org/ws/2002/12/secext}SecurityToken registered.
Apr 11, 2014 1:23:14 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type {http://schemas.xmlsoap.org/ws/2002/12/secext}Integrity registered.
Apr 11, 2014 1:23:14 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://www.ercot.com/wsdl/2007-06/nodal/ewsConcrete}NodalService#{http://www.ercot.com/wsdl/2007-06/nodal/ewsConcrete}MarketInfo has thrown exception, unwinding now
org.apache.cxf.ws.policy.PolicyException: None of the policy alternatives can be satisfied.
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.chooseAlternative(EffectivePolicyImpl.java:192)
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.chooseAlternative(EffectivePolicyImpl.java:185)
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.initialise(EffectivePolicyImpl.java:92)
    at org.apache.cxf.ws.policy.PolicyEngineImpl.getEffectiveClientRequestPolicy(PolicyEngineImpl.java:200)
    at org.apache.cxf.ws.policy.PolicyOutInterceptor.handle(PolicyOutInterceptor.java:98)
    at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
    at com.sun.proxy.$Proxy32.marketInfo(Unknown Source)
    at egcna.ercotmis.wsdisc.MarketInfoTestClient.pingServiceStatus(MarketInfoTestClient.java:76)
    at egcna.ercotmis.wsdisc.MarketInfoTestClient.main(MarketInfoTestClient.java:49)
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: None of the policy alternatives can be satisfied.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:157)
    at com.sun.proxy.$Proxy32.marketInfo(Unknown Source)
    at egcna.ercotmis.wsdisc.MarketInfoTestClient.pingServiceStatus(MarketInfoTestClient.java:76)
    at egcna.ercotmis.wsdisc.MarketInfoTestClient.main(MarketInfoTestClient.java:49)
Caused by: org.apache.cxf.ws.policy.PolicyException: None of the policy alternatives can be satisfied.
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.chooseAlternative(EffectivePolicyImpl.java:192)
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.chooseAlternative(EffectivePolicyImpl.java:185)
    at org.apache.cxf.ws.policy.EffectivePolicyImpl.initialise(EffectivePolicyImpl.java:92)
    at org.apache.cxf.ws.policy.PolicyEngineImpl.getEffectiveClientRequestPolicy(PolicyEngineImpl.java:200)
    at org.apache.cxf.ws.policy.PolicyOutInterceptor.handle(PolicyOutInterceptor.java:98)
    at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
    ... 3 more
Java Result: 1
My diagnosis of that is that
http://schemas.xmlsoap.org/ws/2002/12/secext is the namespace for
WS-SecurityPolicy 1.0, and those identifiers are lacking "registered
handlers" because CXF doesn't support WSSP v 1.0, based on some earlier
mailing list traffic. (Correct me if I'm wrong.)
I read through the Jan '13 thread where Bob Ross was trying to do this
with a similar web service.
(http://cxf.547215.n5.nabble.com/Best-CXF-client-approach-for-remote-WSDL-using-wsp-Policy-td5721874.html)
Is this still good advice? Basically, write a custom WSS4JOutInterceptor?
Anybody know enough about WS-SecurityPolicy to know if I could just
rewrite the WSDL to use WS-SecurityPolicy 1.1 terms and get the behavior
the server is expecting, rather than writing custom Java code?
Thanks for taking the time to read this.
Cheers,
Andrew
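
Added example, not part of Andrew's message and not CXF's own code: one way the manual WSS4JOutInterceptor route asked about above can look for the SignedBody policy (an X.509 signature over the SOAP Body). It assumes CXF 2.x with WSS4J 1.6 package names, a SOAP 1.1 binding, and that the legacy policy references have been taken out of the local WSDL copy so the policy engine is not what decides the outcome; `SignedBodyClientConfig`, `client-sign.properties` and the key alias are hypothetical names.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Hypothetical helper: signs outgoing request bodies without relying on WS-SecurityPolicy. */
public final class SignedBodyClientConfig {
    // Assumption: the service binding is SOAP 1.1.
    private static final String SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    /** WSS4J handler properties that sign only the SOAP Body with an X.509 key. */
    static Map<String, Object> signatureProperties(String keyAlias, CallbackHandler passwords) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        props.put(WSHandlerConstants.USER, keyAlias);
        // Hypothetical file name: a WSS4J crypto properties file that points at
        // the keystore holding the signing key and certificate.
        props.put(WSHandlerConstants.SIG_PROP_FILE, "client-sign.properties");
        // Embed the certificate as a BinarySecurityToken so the receiver can verify.
        props.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        props.put(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{" + SOAP11_NS + "}Body");
        props.put(WSHandlerConstants.PW_CALLBACK_REF, passwords);
        return props;
    }

    /** Attaches the signing interceptor to a wsdl2java-generated port proxy. */
    static void enableBodySigning(Object port, String keyAlias, final char[] keyPassword) {
        CallbackHandler passwords = new CallbackHandler() {
            public void handle(Callback[] callbacks) {
                for (Callback cb : callbacks) {
                    if (cb instanceof WSPasswordCallback) {
                        // Supply the private-key password only when WSS4J asks for it.
                        ((WSPasswordCallback) cb).setPassword(new String(keyPassword));
                    }
                }
            }
        };
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(
                new WSS4JOutInterceptor(signatureProperties(keyAlias, passwords)));
    }
}
```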