java - How to manage two assertions at the same time
I am wondering how this part of the policy should be interpreted. First of all, is this part of the policy valid? What happens if I send a token10, will it work? And a token11?
I'm asking because if I use this policy with Apache CXF 2.7.x or 3.x I get an "invalid policy exception"; if I use CXF 2.x.xxx.redhat-1 it seems to work, and I doubt whether that is normal or whether the Red Hat libraries go against the standard.
<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="securityservicesignthenencryptpolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                  <sp:WssX509V3Token11/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                  <sp:WssX509V3Token11/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128Rsa15/>
              <sp:Basic256Rsa15/>
              <sp:Basic128Sha256Rsa15/>
              <sp:Basic256Sha256Rsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:ProtectTokens/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss10>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
          <sp:RequireSignatureConfirmation/>
        </wsp:Policy>
      </sp:Wss11>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="inputbindingpolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="outputbindingpolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
It's not valid; the policy is interpreted as "all". If you want to support a received token that can be either of the 2 policies, you'll need to write a policy alternative for the 2 tokens.
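What the answer describes, as an added example that is not part of the original post or of CXF: a small Python sketch that expands the token-type part of the policy into its WS-Policy alternatives, for the form posted in the question and for a rewrite with one alternative per token type. The `WITH_ALTERNATIVES` fragment is constructed for illustration, the helper names are hypothetical, and assertions that carry their own nested policy are treated as leaves.

```python
import itertools
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
NS = f'xmlns:wsp="{WSP}" xmlns:sp="{SP}"'

# Token-type policy as posted in the question: bare children of
# wsp:Policy are combined as if wrapped in wsp:All.
AS_POSTED = f"""<wsp:Policy {NS}>
  <sp:WssX509V3Token10/>
  <sp:WssX509V3Token11/>
</wsp:Policy>"""

# Constructed rewrite following the answer: one alternative per token type.
WITH_ALTERNATIVES = f"""<wsp:Policy {NS}>
  <wsp:ExactlyOne>
    <wsp:All><sp:WssX509V3Token10/></wsp:All>
    <wsp:All><sp:WssX509V3Token11/></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def alternatives(node):
    """Expand a policy operator into a list of alternatives (lists of assertion names)."""
    if not node.tag.startswith("{" + WSP + "}"):
        return [[local(node.tag)]]  # an assertion: one alternative, one item
    child_alts = [alternatives(child) for child in node]
    if local(node.tag) == "ExactlyOne":
        # A choice: the alternatives of all children, side by side.
        return [alt for alts in child_alts for alt in alts]
    # wsp:Policy and wsp:All: every child must hold, so take the cross product.
    return [sum(combo, []) for combo in itertools.product(*child_alts)]


def token_alternatives(xml_text):
    return alternatives(ET.fromstring(xml_text))


if __name__ == "__main__":
    for name, doc in (("as posted", AS_POSTED), ("with alternatives", WITH_ALTERNATIVES)):
        print(name, "->", token_alternatives(doc))
```

The posted form expands to a single alternative that requires both token-type assertions together, while the rewrite expands to two alternatives with one token type each.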