
com.sun.xml.wss.impl.WssSoapFaultException: ERROR: Policy for the service could not be obtained #460

@9611667063

Hi Team,
We are facing the below issue with a web service:
javax.xml.ws.WebServiceException: WSSTUBE0025: Fehler bei der Prüfung der Sicherheit in der eingehenden Nachricht.
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:412)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processResponse(SecurityClientTube.java:334) ~
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1116) ~
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1019) ~
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:988)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:846)
at com.sun.xml.ws.client.Stub.process(Stub.java:432) ~
at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:235) ~
at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:274) ~

Caused by: javax.xml.ws.soap.SOAPFaultException: ERROR: Policy for the service could not be obtained
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:686)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:704)
... 19 more
Caused by: com.sun.xml.wss.impl.WssSoapFaultException: ERROR: Policy for the service could not be obtained
at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:319)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:701) ~]
... 19 more
Caused by: com.sun.xml.wss.impl.PolicyViolationException: ERROR: Policy for the service could not be obtained
at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:104) ~
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1007)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:242)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:426) ~
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:406) ~

Below is the WSDL configuration:

<wsp:PolicyReference URI="#BaseSecurityPolicy" required="false"/>
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

<soap:operation soapAction=""/>

<soap:header message="tns:Header" part="messageAddressing" use="literal">
</soap:header>
<soap:body use="literal"/>
<wsp:PolicyReference URI="#SigningSecurityPolicy" required="true"/>


<soap:body use="literal"/>
<wsp:PolicyReference URI="#EmptySecurityPolicy" required="false"/>

 <wsp:Policy wsu:Id="SigningSecurityPolicy">
    <sp:SignedParts>
        <sp:Body/>
    </sp:SignedParts>
</wsp:Policy>
<wsp:Policy wsu:Id="EmptySecurityPolicy"/>
<wsp:Policy wsu:Id="BaseSecurityPolicy">
    <sp:AsymmetricBinding>
        <wsp:Policy>
            <sp:InitiatorToken>
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                        <wsp:Policy>
                            <sp:RequireKeyIdentifierReference/>
                            <sp:WssX509V3Token10/>
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                        <wsp:Policy>
                            <sp:RequireKeyIdentifierReference/>
                            <sp:WssX509V3Token10/>
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </sp:RecipientToken>
            <sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
                <wsp:Policy>
                    <sp:Basic256Sha256/>
                </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
                <wsp:Policy>
                    <sp:Lax/>
                </wsp:Policy>
            </sp:Layout>
            <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
    </sp:AsymmetricBinding>
    <wsp:Policy>
        <sp:MustSupportRefKeyIdentifier/>
    </wsp:Policy>
</wsp:Policy>

We debugged and found that the Metro MessagePolicyVerifier logic below expects only a Timestamp policy, but our response had a SignaturePolicy:

if (actualPolicy == null || actualPolicy.size() <= 0) {
    if ((inferredSecurityPolicy != null) && (inferredSecurityPolicy.size() > 0)) {
        // this could be a plain SSL scenario
        if (!checkAllowExtraTimestamp(inferredSecurityPolicy)) {
            log.log(Level.SEVERE, LogStringsMessages.WSS_0805_POLICY_NULL());
            throw new PolicyViolationException("ERROR: Policy for the service could not be obtained");
        }
    }
}

private boolean checkAllowExtraTimestamp(MessagePolicy inferredSecurityPolicy) {
    // assumption : inferredSecurityPolicy != null and size > 0
    if (inferredSecurityPolicy.size() > 1) {
        return false;
    }
    SecurityPolicy pol = null;
    try {
        pol = inferredSecurityPolicy.get(0);
    } catch (Exception ex) {
        // ignore for now;
    }
    return pol instanceof TimestampPolicy;
}

Could you please explain or share some more insight into why only TimestampPolicy is expected here?
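
An added example, not part of the original issue and not Metro code: a Python check that lists, for each binding operation in a WSDL, the policies attached to its input, output and fault messages and flags responses whose attached policies carry no message-protection assertion such as `sp:SignedParts`. It assumes that such a response is the one that reaches the empty-`actualPolicy` branch quoted above; the sample WSDL, its binding and operation names, and the message each `PolicyReference` sits on are constructed.

```python
import xml.etree.ElementTree as ET

W = "{http://schemas.xmlsoap.org/wsdl/}"  # WSDL 1.1 namespace
# Message-level protection assertions defined by WS-SecurityPolicy.
PROTECTION = {"SignedParts", "SignedElements", "EncryptedParts",
              "EncryptedElements", "ContentEncryptedElements"}

# Constructed sample: the policy ids come from the issue; the binding, the
# operation name and the message each reference is attached to are assumptions.
SAMPLE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsp="http://www.w3.org/ns/ws-policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsp:Policy wsu:Id="SigningSecurityPolicy"><sp:SignedParts><sp:Body/></sp:SignedParts></wsp:Policy>
 <wsp:Policy wsu:Id="EmptySecurityPolicy"/>
 <wsdl:binding name="ExampleBinding"><wsdl:operation name="exampleOp">
  <wsdl:input><wsp:PolicyReference URI="#SigningSecurityPolicy"/></wsdl:input>
  <wsdl:output><wsp:PolicyReference URI="#EmptySecurityPolicy"/></wsdl:output>
 </wsdl:operation></wsdl:binding>
</wsdl:definitions>"""

def local(name):
    """Drop the {namespace} part so any WS-Policy namespace version matches."""
    return name.rsplit("}", 1)[-1]

def audit(wsdl_text):
    """Return (operation, message kind, policy URIs, protection assertions)."""
    root = ET.fromstring(wsdl_text)
    policies = {"#" + value: el for el in root.iter()
                if local(el.tag) == "Policy"
                for attr, value in el.attrib.items() if local(attr) == "Id"}
    rows = []
    for op in root.iterfind(f".//{W}binding/{W}operation"):
        for msg in op:
            if msg.tag not in (W + "input", W + "output", W + "fault"):
                continue  # skip soap:operation and other extension elements
            uris = [c.get("URI") for c in msg if local(c.tag) == "PolicyReference"]
            found = {local(a.tag) for u in uris if u in policies
                     for a in policies[u].iter()} & PROTECTION
            rows.append((op.get("name"), local(msg.tag), uris, sorted(found)))
    return rows

def unprotected_outputs(rows):
    """Responses whose attached policies contain no protection assertion."""
    return [(op, uris) for op, kind, uris, found in rows if kind == "output" and not found]

if __name__ == "__main__":
    print(unprotected_outputs(audit(SAMPLE)))
```

Policy references that do not resolve to a `wsp:Policy` in the same document are ignored, so an operation listed here may still inherit assertions from an external policy file.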
