Support of Binding Assertions at the Operation Level in Metro
In the WS-SecurityPolicy 1.0 spec, the Binding assertions were only allowed on the Endpoint scope.
But the latest 1.3 spec says the Asymmetric and Symmetric Binding assertions MAY also appear on the operation scope.
In earlier releases of Metro there was a bug which prevented the policy from being specified on the operation scope.
For example, if our policy contains
<binding name="NewWebServicePortBinding" type="tns:NewWebService">
    <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/>
    <operation name="ping">
        <input>
            <wsp:PolicyReference URI="#NewWebServicePortBinding_ping_Input_Policy"/>
        </input>
        <output>
            <wsp:PolicyReference URI="#NewWebServicePortBinding_ping_Output_Policy"/>
        </output>
    </operation>
</binding>
In the above policy snippet, the tag <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/> denotes the binding policy, which is attached at the binding level. This policy applies to all operations.
Thus all operations in the binding are secured, and it is not possible to add security to only some of the operations.
If we move that policy to the operation level, as shown below,
<binding name="NewWebServicePortBinding" type="tns:NewWebService">
    <operation name="ping">
        <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/>
        <input>
            <wsp:PolicyReference URI="#NewWebServicePortBinding_ping_Input_Policy"/>
        </input>
        <output>
            <wsp:PolicyReference URI="#NewWebServicePortBinding_ping_Output_Policy"/>
        </output>
    </operation>
</binding>
then Metro throws a null pointer exception:
Policy is NULL
javax.xml.ws.soap.SOAPFaultException: ERROR: Policy for the service could not be obtained
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:189)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
............................
Caused by: javax.xml.ws.soap.SOAPFaultException: ERROR: Policy for the service could not be obtained
at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.createSOAPFault(SOAPUtil.java:202)
at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.getSOAPFaultException(SOAPUtil.java:194)
..................
Caused by: com.sun.xml.wss.impl.PolicyViolationException: ERROR: Policy for the service could not be obtained
at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:112)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:973)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:230)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:533)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:318)
... 43 more
...................
We are currently working on this and have made the necessary changes in Metro to support the binding assertions at the operation level.
With this change we can secure only the operations we want, unlike the previous requirement that all operations in the binding be secured.
So if the policy is such that:
<binding name="NewWebServicePortBinding" type="tns:NewWebService">
    <operation name="Add">
        <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/>
        <input>
            <wsp:PolicyReference URI="#NewWebServicePortBinding_Add_Input_Policy"/>
        </input>
        <output>
            <wsp:PolicyReference URI="#NewWebServicePortBinding_Add_Output_Policy"/>
        </output>
    </operation>
    <operation name="Subtract">
        <input>
            <wsp:PolicyReference URI="#NewWebServicePortBinding_Subtract_Input_Policy"/>
        </input>
        <output>
            <wsp:PolicyReference URI="#NewWebServicePortBinding_Subtract_Output_Policy"/>
        </output>
    </operation>
</binding>
the Add operation uses secured messages and the Subtract operation uses non-secure plain messages.
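Once binding policies can sit on individual operations, it is worth checking a WSDL for operations that no security binding reaches. The Python audit below is an added example, not Metro code and not from the original post; it reports, per operation, whether a binding assertion applies from the operation or the binding scope. The sample WSDL, its policy bodies and the function names are constructed assumptions, and assertions are matched by local name only.

```python
import xml.etree.ElementTree as ET

# Local names of the WS-SecurityPolicy binding assertions (matched without namespace).
BINDING_ASSERTIONS = {"AsymmetricBinding", "SymmetricBinding", "TransportBinding"}

# Constructed sample modelled on the page's Add/Subtract snippet; policy bodies are assumed.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsp:Policy wsu:Id="NewWebServicePortBindingPolicy"><sp:SymmetricBinding/></wsp:Policy>
 <wsp:Policy wsu:Id="NewWebServicePortBinding_Add_Input_Policy"><sp:SignedParts/></wsp:Policy>
 <wsp:Policy wsu:Id="NewWebServicePortBinding_Subtract_Input_Policy"/>
 <binding name="NewWebServicePortBinding">
  <operation name="Add">
   <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/>
   <input><wsp:PolicyReference URI="#NewWebServicePortBinding_Add_Input_Policy"/></input>
  </operation>
  <operation name="Subtract">
   <input><wsp:PolicyReference URI="#NewWebServicePortBinding_Subtract_Input_Policy"/></input>
  </operation>
 </binding>
</definitions>"""

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def policy_refs(elem):
    """URIs (without '#') of PolicyReference elements that are direct children of elem."""
    return [c.get("URI", "").lstrip("#") for c in elem if local(c.tag) == "PolicyReference"]

def audit(wsdl_text):
    """Map 'binding/operation' to the scope supplying a binding assertion, or None."""
    root = ET.fromstring(wsdl_text)
    has_binding = {}  # policy wsu:Id -> True if the policy contains a binding assertion
    for pol in root.iter():
        if local(pol.tag) == "Policy":
            pid = next((v for k, v in pol.attrib.items() if local(k) == "Id"), None)
            if pid:
                has_binding[pid] = any(local(e.tag) in BINDING_ASSERTIONS for e in pol.iter())
    report = {}
    for b in (e for e in root if local(e.tag) == "binding"):
        endpoint = any(has_binding.get(u) for u in policy_refs(b))
        for op in (e for e in b if local(e.tag) == "operation"):
            own = any(has_binding.get(u) for u in policy_refs(op))
            scope = "operation" if own else "binding" if endpoint else None
            report[f"{b.get('name')}/{op.get('name')}"] = scope
    return report
```

An operation reported as None, such as Subtract in the sample, exchanges plain messages. ElementTree is not hardened against maliciously constructed XML, so run this only on WSDLs you trust.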
Posted at 12:51PM Jun 24, 2009 by Suresh Mandalapu in Sun