Support of Binding Assertions at the Operation Level in Metro

In the WS-SecurityPolicy 1.0 spec, binding assertions were allowed only at the endpoint scope.

According to the latest 1.3 spec, however, the Asymmetric and Symmetric Binding assertions MAY also appear at the operation scope.

Earlier releases of Metro had a bug that prevented the policy from being specified at the operation scope.

For example, if our policy contains

<binding name="NewWebServicePortBinding" type="tns:NewWebService">
        <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/>
        <operation name="ping">
            <input>
                <wsp:PolicyReference URI="#NewWebServicePortBinding_ping_Input_Policy"/>
            </input>
            <output>
                <wsp:PolicyReference URI="#NewWebServicePortBinding_ping_Output_Policy"/>
            </output>
        </operation>
</binding>

In the above policy snippet, the tag <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/> denotes the binding policy, which is attached at the binding level. This policy applies to all operations.

Thus all operations in the binding are secured, and it is not possible to add security to only some of the operations.

And if we move that policy to the operation level, as shown below,

<binding name="NewWebServicePortBinding" type="tns:NewWebService">
        <operation name="ping">
            <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/>
            <input>
                <wsp:PolicyReference URI="#NewWebServicePortBinding_ping_Input_Policy"/>
            </input>
            <output>
                <wsp:PolicyReference URI="#NewWebServicePortBinding_ping_Output_Policy"/>
            </output>
        </operation>
</binding>

then Metro throws a null pointer exception:

Policy is NULL

javax.xml.ws.soap.SOAPFaultException: ERROR: Policy for the service could not be obtained
    at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:189)
    at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)

    ............................
Caused by: javax.xml.ws.soap.SOAPFaultException: ERROR: Policy for the service could not be obtained
    at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.createSOAPFault(SOAPUtil.java:202)
    at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.getSOAPFaultException(SOAPUtil.java:194)
    ..................

Caused by: com.sun.xml.wss.impl.PolicyViolationException: ERROR: Policy for the service could not be obtained
    at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:112)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:973)
    at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:230)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:533)
    at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:318)
    ... 43 more

...................

We are currently working on this and have made the necessary changes in Metro to support binding assertions at the operation level.

With this change we can secure just the operations we want, unlike the previous requirement that all operations in the binding be secured.

So if the policy is such that:

<binding name="NewWebServicePortBinding" type="tns:NewWebService">
        <operation name="Add">
            <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/>
            <input>
                <wsp:PolicyReference URI="#NewWebServicePortBinding_Add_Input_Policy"/>
            </input>
            <output>
                <wsp:PolicyReference URI="#NewWebServicePortBinding_Add_Output_Policy"/>
            </output>
        </operation>
        <operation name="Subtract">
            <input>
                <wsp:PolicyReference URI="#NewWebServicePortBinding_Subtract_Input_Policy"/>
            </input>
            <output>
                <wsp:PolicyReference URI="#NewWebServicePortBinding_Subtract_Output_Policy"/>
            </output>
        </operation>
</binding>

the Add operation uses secured messages and the Subtract operation uses non-secure plain messages.
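
Once binding assertions can sit at the operation scope, an operation with no such reference is served in the clear, so it is worth auditing a WSDL for exactly that. The following is an added example, not code from the original post or from Metro: it reports, per operation, whether a Symmetric or Asymmetric binding assertion applies at the operation scope, is inherited from the binding scope, or is absent. The sample WSDL, the empty sp:SymmetricBinding policy body and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Add/Subtract binding above; the empty
# sp:SymmetricBinding policy body is a placeholder assumption.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsp:Policy wsu:Id="NewWebServicePortBindingPolicy"><sp:SymmetricBinding/></wsp:Policy>
 <binding name="NewWebServicePortBinding" type="tns:NewWebService">
  <operation name="Add">
   <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/>
   <input><wsp:PolicyReference URI="#NewWebServicePortBinding_Add_Input_Policy"/></input>
  </operation>
  <operation name="Subtract"><input/></operation>
 </binding>
</definitions>"""

BINDING_ASSERTIONS = {"SymmetricBinding", "AsymmetricBinding"}

def local(name):
    return name.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def policy_index(root):
    """Map '#Id' to each wsp:Policy element carrying a wsu:Id."""
    return {"#" + v: el for el in root.iter() if local(el.tag) == "Policy"
            for a, v in el.attrib.items() if local(a) == "Id"}

def has_binding_assertion(elem, policies):
    """True if a PolicyReference directly under elem resolves to a binding assertion."""
    for ref in children(elem, "PolicyReference"):
        policy = policies.get(ref.get("URI"))  # unresolved references yield None
        if policy is not None and any(local(d.tag) in BINDING_ASSERTIONS for d in policy.iter()):
            return True
    return False

def audit(wsdl_text):
    """Return {(binding, operation): 'operation' | 'binding' | None}."""
    root = ET.fromstring(wsdl_text)  # parse only WSDL files from a trusted source
    policies, report = policy_index(root), {}
    for binding in children(root, "binding"):
        inherited = "binding" if has_binding_assertion(binding, policies) else None
        for op in children(binding, "operation"):
            own = has_binding_assertion(op, policies)
            report[binding.get("name"), op.get("name")] = "operation" if own else inherited
    return report
```

A None entry in the result marks an operation that no binding assertion covers; on the sample that is Subtract, which matches the plain-message behaviour described above.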


Comments:

[Trackback] Securing individual operations of a WebService differently by attaching policies at the operation scope.

Posted by Kumar Jayanti's Blog on July 01, 2009 at 11:36 AM MVT #

About

Suresh Mandalapu
