javaee / metro-wsit

https://javaee.github.io/metro-wsit/

Error in Verifying Security in the Inbound Message #527

Closed glassfishrobot closed 16 years ago

glassfishrobot commented 17 years ago

Setup: Glassfish beta2-build 41b WSIT build 1936

Attachments: 1)test case zip

Description: This is a Sign of Body / Encrypt of an addressing header scenario. The Algorithm suite used in the wsdl is Basic256Rsa15. The input message policy has SignedParts of the Body and the "To" addressing header, and EncryptedParts of the "To" addressing header. The test fails on the client side with:

    Apr 23, 2007 1:57:40 PM com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier processPrimaryPolicy
    SEVERE: WSS0206: Security Requirements have fully not been met
    Apr 23, 2007 1:57:40 PM com.sun.xml.wss.jaxws.impl.SecurityClientPipe process
    SEVERE: WSSPIPE0025: Error in Verifying Security in the Inbound Message.
    com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException: Encryption Policy verification error: Looking for an Encryption Element in Security header, but found com.sun.xml.wss.impl.policy.mls.SignaturePolicy@578dfb.
        at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:83)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:682)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:204)
        at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.verifyInboundMessage(SecurityPipeBase.java:395)
        at com.sun.xml.wss.jaxws.impl.SecurityClientPipe.process(SecurityClientPipe.java:217)
        at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:79)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:559)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:518)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:503)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:400)
        at com.sun.xml.ws.client.Stub.process(Stub.java:235)
        at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:120)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:230)
        at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:210)
        at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:103)
        at $Proxy36.ping(Unknown Source)
        at simple.client.PingServiceClients101.main(Unknown Source)
    Caused by: com.sun.xml.wss.XWSSecurityException: Encryption Policy verification error: Looking for an Encryption Element in Security header, but found com.sun.xml.wss.impl.policy.mls.SignaturePolicy@578dfb.
        at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.processPrimaryPolicy(MessagePolicyVerifier.java:215)
        at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:78)
        ... 16 more

Note: If instead of Encrypting the "To" addressing header, the Body is specified in the EncryptedParts, the test passes.

Environment

Operating System: All
Platform: All

Affected Versions

[current]

glassfishrobot commented 17 years ago

Reported by eric_ekka@java.net

glassfishrobot commented 17 years ago

eric_ekka@java.net said: Created an attachment (id=355) test case zip

glassfishrobot commented 17 years ago

ashutoshshahi@java.net said: This issue is the same as issue #505. Basically, since the SOAP message is SOAP 1.1, there is no addressing header, and the encrypted part has an addressing header mentioned; the receiving side expects some encryption policy, but since the addressing header was absent, no data is encrypted, and it finds a signature instead.
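The situation described in the comment above, as an added example (not XWSS code and not part of the original issue): a receiver-side check that treats an expected operation as satisfied when none of its target parts exist in the message, using a namespace-aware lookup limited to header children and the Body. The `Requirement` record, the operation strings and the 2005/08 WS-Addressing namespace are assumptions made for the illustration; it needs Java 17.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class OptionalTargetCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSA = "http://www.w3.org/2005/08/addressing"; // assumed WS-Addressing version
    // Hypothetical stand-in for a policy entry: an operation plus the parts it protects.
    record Requirement(String op, List<QName> targets) {}

    // True if any target is a direct child of soap:Header or is the soap:Body itself.
    static boolean anyTargetPresent(Document doc, List<QName> targets) {
        Element env = doc.getDocumentElement();
        for (Node n = env.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (!(n instanceof Element part) || !SOAP.equals(part.getNamespaceURI())) continue;
            if ("Body".equals(part.getLocalName()) && targets.contains(new QName(SOAP, "Body"))) return true;
            if (!"Header".equals(part.getLocalName())) continue;
            for (Node h = part.getFirstChild(); h != null; h = h.getNextSibling())
                if (h instanceof Element e && targets.contains(new QName(e.getNamespaceURI(), e.getLocalName()))) return true;
        }
        return false;
    }

    // Walk the expected requirements against the operations found in the security header, in order.
    static String verify(Document doc, List<Requirement> expected, List<String> found) {
        int i = 0;
        for (Requirement r : expected) {
            if (i < found.size() && found.get(i).equals(r.op())) { i++; continue; }
            if (!anyTargetPresent(doc, r.targets())) continue; // nothing to protect: not a violation
            return "violation: expected " + r.op() + ", found " + (i < found.size() ? found.get(i) : "nothing");
        }
        return i == found.size() ? "ok" : "violation: unexpected " + found.get(i);
    }

    public static void main(String[] args) throws Exception {
        // Constructed SOAP 1.1 message with no wsa:To header; only the Body can be signed.
        String xml = "<s:Envelope xmlns:s='" + SOAP + "'><s:Header/><s:Body><ping/></s:Body></s:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        QName to = new QName(WSA, "To");
        List<Requirement> policy = List.of(new Requirement("encrypt", List.of(to)),
            new Requirement("sign", List.of(new QName(SOAP, "Body"), to)));
        System.out.println(verify(doc, policy, List.of("sign")));
    }
}
```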

glassfishrobot commented 17 years ago

kumarjayanti@java.net said: Issue Fixed in XWSS Main Trunk.

Needs to be fixed in XWSS 1.0 FCS Branch.

CVS Diff of the Issue

Index: com/sun/xml/ws/security/opt/impl/incoming/TargetResolverImpl.java

RCS file: /cvs/xwss/xwss-ri/src/com/sun/xml/ws/security/opt/impl/incoming/TargetResolverImpl.java,v retrieving revision 1.3 diff -r1.3 TargetResolverImpl.java 193a194,203

public boolean isTargetPresent(List actualTargets) throws XWSSecurityException{

for(Target actualTarget : actualTargets){ String targetInPolicy = getTargetValue(actualTarget); if(presentInMessage(targetInPolicy))

{ > return true; > }

} return false; } Index: com/sun/xml/wss/impl/TargetResolverImpl.java

RCS file: /cvs/xwss/xwss-ri/src/com/sun/xml/wss/impl/TargetResolverImpl.java,v retrieving revision 1.3 diff -r1.3 TargetResolverImpl.java 117a118,130 public boolean isTargetPresent(List actualTargets) throws XWSSecurityException { FilterProcessingContext fpContext = new FilterProcessingContext(ctx); SecurityHeader header = fpContext.getSecurableSoapMessage().findSecurityHeader(); Document doc = header.getOwnerDocument(); for(Target actualTarget : actualTargets){ String targetInPolicy = getTargetValue(doc,actualTarget); NodeList nl = doc.getElementsByTagName(targetInPolicy); if(nl!=null && nl.getLength()>0){ > return true; > }

} return false; } Index: com/sun/xml/wss/impl/policy/verifier/MessagePolicyVerifier.java

RCS file: /cvs/xwss/xwss-ri/src/com/sun/xml/wss/impl/policy/verifier/MessagePolicyVerifier.java,v retrieving revision 1.12 diff -r1.12 MessagePolicyVerifier.java 179,181c179,185 < log.log(Level.SEVERE, "WSS0206.policy.violation.exception"); < throw new XWSSecurityException("Signature Policy verification error: Looking for a Signature Element " < + " in Security header, but found " + pol + "."); — //check to see for the case when no Signature Target present in message //The incoming message will not have Signature policy in that case. if(checkTargetPresence(actualPol))

{ > log.log(Level.SEVERE, "WSS0206.policy.violation.exception"); > throw new XWSSecurityException("Signature Policy verification error: Looking for a Signature Element " > + " in Security header, but found " + pol + "."); > }

214,216c218,224 < log.log(Level.SEVERE, "WSS0206.policy.violation.exception"); < throw new XWSSecurityException("Encryption Policy verification error: Looking for an Encryption Element " < + " in Security header, but found " + pol + "."); —

//check to see for the case when no Encryption Target present in message //The incoming message will not have Encryption policy in that case. if(checkTargetPresence(actualPol))

{ > log.log(Level.SEVERE, "WSS0206.policy.violation.exception"); > throw new XWSSecurityException("Encryption Policy verification error: Looking for an Encryption Element " > + " in Security header, but found " + pol + "."); > }

535a544,558

private boolean checkTargetPresence(WSSPolicy actualPol) throws XWSSecurityException{ List actualTargets = null; if(PolicyTypeUtil.signaturePolicy(actualPol))

{ > SignaturePolicy.FeatureBinding actualFeatureBinding = > (SignaturePolicy.FeatureBinding)actualPol.getFeatureBinding(); > actualTargets = (List)actualFeatureBinding.getTargetBindings(); > }

else if(PolicyTypeUtil.encryptionPolicy(actualPol))

{ > EncryptionPolicy.FeatureBinding actualFeatureBinding = > (EncryptionPolicy.FeatureBinding)actualPol.getFeatureBinding(); > actualTargets = (List)actualFeatureBinding.getTargetBindings(); > }

return targetResolver.isTargetPresent(actualTargets); } Index: com/sun/xml/wss/impl/policy/verifier/TargetResolver.java

RCS file: /cvs/xwss/xwss-ri/src/com/sun/xml/wss/impl/policy/verifier/TargetResolver.java,v retrieving revision 1.2 diff -r1.2 TargetResolver.java 38a39 boolean isTargetPresent(List actualTargets)throws XWSSecurityException;
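Review bot: In com/sun/xml/wss/impl/TargetResolverImpl.java (117a118,130), doc.getElementsByTagName(targetInPolicy) matches on the tag name as written in the message and searches the whole document, so the result depends on the prefix the sender used and also counts same-named elements outside the SOAP header. Because MessagePolicyVerifier now skips the policy-violation exception when this method returns false, a missed match relaxes enforcement; consider a namespace-aware lookup (getElementsByTagNameNS) restricted to the header children and the Body. header is also dereferenced without a null check, so if findSecurityHeader() can return null here, the caller gets a NullPointerException rather than an XWSSecurityException.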
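Review bot: In MessagePolicyVerifier.java (179,181c179,185 and 214,216c218,224), when checkTargetPresence(actualPol) returns false the mismatch between the expected and the found policy is accepted without any log entry. Add a FINE-level message naming the policy whose check was skipped, so the relaxed path is visible when diagnosing a message that arrived without the expected Signature or Encryption element. The two guarded blocks differ only in the message text and could share one helper.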
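Review bot: In checkTargetPresence (535a544,558), actualTargets stays null when actualPol is neither a signature nor an encryption policy, and it is then passed to targetResolver.isTargetPresent, where both implementations in this patch iterate it with a for-each loop and would throw a NullPointerException. Return true for other policy types before calling the resolver, which keeps the previous strict behaviour for them.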
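Review bot: The new TargetResolver.isTargetPresent(List actualTargets) declaration (38a39) has no Javadoc. Both implementations in this patch return true as soon as any one target is found and false for an empty list; state that contract on the interface, since the verifier's decision to skip a policy check rests on it.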

glassfishrobot commented 17 years ago

ashutoshshahi@java.net said: Fixed by Kumar, and committed in the 1.0 branch after approval

glassfishrobot commented 17 years ago

File: testcase-s101.zip Attached By: eric_ekka@java.net

glassfishrobot commented 17 years ago

Was assigned to ashutoshshahi@java.net

glassfishrobot commented 7 years ago

This issue was imported from java.net JIRA WSIT-527

glassfishrobot commented 16 years ago

Marked as fixed on Tuesday, July 22nd 2008, 10:44:57 am