
Policy for the service could not be obtained

giedriuss

Hi,

I have a client that sends SOAP messages and asked me to build a web service. He gave me a policy file and an XSD to make the web service. I used NetBeans 7.3 to build the web service and deployed it on GlassFish server 3.1.1.

The policy file:

<wsp:Policy wsu:Id="SignAndEncrypt"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
wsdl:required="true">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:IncludeTimestamp />
<sp:EncryptSignature />
<sp:OnlySignEntireHeadersAndBody />
<sp:Layout>
  <wsp:Policy>
   <sp:Lax/>
  </wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
<sp:SignedParts>
<sp:Body />
<sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
<sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body />
</sp:EncryptedParts>
<wsam:Addressing wsp:Optional="false"/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy wsu:Id="Addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
wsdl:required="true">
<wsam:Addressing>
<wsp:Policy>
<wsam:NonAnonymousResponses />
</wsp:Policy>
</wsam:Addressing>
</wsp:Policy>

<wsp:Policy wsu:Id="AddressingAnonymous"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
wsdl:required="true">
<wsam:Addressing>
<wsp:Policy />
</wsam:Addressing>
</wsp:Policy>

In his example he uses these policy references in binding:

<wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        URI="#SignAndEncrypt"/>

<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
URI="#AddressingAnonymous" />

I did the same.
I get this SOAP message:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="TS-1609">
        <wsu:Created>2013-05-20T06:24:19.555Z</wsu:Created> 
        <wsu:Expires>2013-05-20T06:29:19.555Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey Id="EK-D26BF1C9EFEFA27F4F123524879511568741" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>...</ds:X509IssuerName>
                <ds:X509SerialNumber>...</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference></ds:KeyInfo>
         <xenc:CipherData>
         <xenc:CipherValue>adWfIr+dsd1aGiXWFCajFKGhkr4VToEj1oIBrvz35kfsWF8YPfgpvElvAlAJylU5z0QbvJnte6JngzO9acdZTlEekE2eORxIA2HGBoj+q3i6piFV0DcDCyRHrNZtIRCYJAqUdzlv3HfzFwd5RHQstt+tyiuERSlq1Njnh/7oJrONKdEjxLYZAbsdDqsqHoBnGU1Ls2TPFkFsDik+ErvQqLB/P1S95T0UFYP78k6JVlimDwqGZwYQDzOXCckd+ddL7vmGl6TmWefTLMN9ufx+0pRfZIY0hzU+9QHn/5sjDNGWSjDDBLXEnpHibFgSpSOWC03VEYc6/tAAnM+uHpHdLw==</xenc:CipherValue>
         </xenc:CipherData>
         <xenc:ReferenceList><xenc:DataReference URI="#ED-1611"/>
           <xenc:DataReference URI="#ED-1612"/>
         </xenc:ReferenceList>
       </xenc:EncryptedKey>
       <xenc:EncryptedData Id="ED-1612" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
           <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
            <wsse:Reference URI="#EK-D26BF1C9EFEFA27F4F123524879511568741"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>k/A3+WMQz0DNRxhcdbZBQAKUzBWYvghfuCG2DltEOQgnQQUJarkdG67HeVw0aUnAE8q51/zK+cYljX3nv1fqaEgnMDTgS6Qarsh425ROfTXdz++Eve/m6VcvspqIvuijWM6S/UDXxdZuKHtyp8/IJmtoUqK6RGPj3pqG/erwJnx5lhj1yXZkTNXQJ11Q6wIRLpdi5J6....
        </xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
   </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-1539754912">
    <xenc:EncryptedData Id="ED-1611" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
          <wsse:Reference URI="#EK-D26BF1C9EFEFA27F4F123524879511568741"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>XlGrCOw4tvWoi3ZqerzbvYWg/XlfLx8BrLoSSNBaizznvdKVxwYBXRTWUtLjq1E55zqDlZ79vm258yqHQ5G0WX79puIoGoQTP2KY9shFgxArYnR/AwVUZ6t9U6M5HM+YoArASW46TG5zNckAWP1hwKdiEOkKsb03soRme8bvq4mMhZYczsXwbxbf5Ia3fek4Abl0a7i7r61/CN/YIXtz8D6TJCFvIP9udEpUlXrdjhQOQOAjIMUAR5WC0UtzBcNCNcVj4ECVEKDf3QW8kCpvNaCvCIqI+sZPKp9UA2ix...
        </xenc:CipherData>
      </xenc:EncryptedData>
    </soap:Body>
  </soap:Envelope>
 

And I get this error:

[#|2013-05-20T10:39:59.176+0300|SEVERE|glassfish3.1.1|javax.enterprise.resource.xml.webservices.security|_ThreadID=20;_ThreadName=Thread-2;|Policy is null|#]

[#|2013-05-20T10:39:59.176+0300|SEVERE|glassfish3.1.1|com.sun.xml.wss.provider.wsit|_ThreadID=20;_ThreadName=Thread-2;|WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.impl.PolicyViolationException: ERROR: Policy for the service could not be obtained
at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:134)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:983)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:232)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:586)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:360)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.validateRequest(WSITServerAuthContext.java:263)
at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:173)
at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:144)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:641)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:600)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:585)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:482)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:314)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:608)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:259)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:162)
at org.glassfish.webservices.JAXWSServlet.doPost(JAXWSServlet.java:145)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1539)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:330)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:174)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:828)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:725)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1019)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:662)

giedriuss

Hi,

I was able to make my own web service client work. I took the SOAP request from the client that does not work. I added addressing headers <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">.....<wsa:Action>...</wsa:Action></soap:Header>.

Adding <wsa:Action> was enough to make it work, but as I said, I cannot change the client. I tried many ways to make the service work without addressing:

I changed the addressing policy to:

<wsp:Policy wsu:Id="Addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
wsdl:required="true">
<wsam:Addressing wsp:Optional="true">
<wsp:Policy/>
                </wsam:Addressing>
</wsp:Policy>

I added these lines in my Java code:
@Addressing(enabled=false)
@MemberSubmissionAddressing(enabled=false)

Still no luck. Only requests that have work, if not, I get
com.sun.xml.wss.impl.PolicyViolationException: ERROR: Policy for the service could not be obtained.
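
A pre-flight check for the symptom described in the reply above (an added example, not part of the original posts and not Metro/WSIT code): it reports whether an inbound envelope carries a WS-Addressing Action header, a timestamp, and only the encryption algorithms of the Basic128Rsa15 suite named in the policy. The function names and the shortened sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Both WS-Addressing namespaces listed under sp:SignedParts in the posted policy.
WSA_NAMESPACES = ("http://www.w3.org/2005/08/addressing",
                  "http://schemas.xmlsoap.org/ws/2004/08/addressing")
# sp:Basic128Rsa15 = RSA PKCS#1 v1.5 key transport + AES-128-CBC data encryption.
BASIC128RSA15 = {"key_transport": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
                 "data": "http://www.w3.org/2001/04/xmlenc#aes128-cbc"}

def inspect_envelope(xml_text):
    """Return (facts, findings) for one inbound SOAP 1.1 envelope."""
    root = ET.fromstring(xml_text)
    header = root.find("soap:Header", NS)
    headers = list(header) if header is not None else []
    action_tags = {"{%s}Action" % ns for ns in WSA_NAMESPACES}
    facts = {
        "has_action": any(h.tag in action_tags for h in headers),
        "timestamp": root.find(".//wsu:Timestamp", NS) is not None,
        "key_transport": {m.get("Algorithm") for m in root.findall(
            ".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)},
        "data": {m.get("Algorithm") for m in root.findall(
            ".//xenc:EncryptedData/xenc:EncryptionMethod", NS)},
    }
    findings = []
    if not facts["has_action"]:
        findings.append('no wsa:Action header (policy: wsam:Addressing wsp:Optional="false")')
    if not facts["timestamp"]:
        findings.append("no wsu:Timestamp (policy: sp:IncludeTimestamp)")
    if facts["key_transport"] - {BASIC128RSA15["key_transport"]}:
        findings.append("key transport algorithm outside Basic128Rsa15")
    if facts["data"] - {BASIC128RSA15["data"]}:
        findings.append("data encryption algorithm outside Basic128Rsa15")
    return facts, findings

def sample_envelope(with_action):
    """Constructed, shortened stand-in for the posted message; cipher text omitted."""
    action = '<a:Action xmlns:a="%s">urn:example:op</a:Action>' % WSA_NAMESPACES[0]
    enc = '<x:EncryptionMethod Algorithm="%s"/>'
    return ('<s:Envelope xmlns:s="{soap}" xmlns:u="{wsu}" xmlns:x="{xenc}"><s:Header>'
            + (action if with_action else "")
            + '<w:Security xmlns:w="' + WSSE + '"><u:Timestamp/>'
            + "<x:EncryptedKey>" + enc % BASIC128RSA15["key_transport"] + "</x:EncryptedKey>"
            + "</w:Security></s:Header><s:Body><x:EncryptedData>"
            + enc % BASIC128RSA15["data"] + "</x:EncryptedData></s:Body></s:Envelope>"
            ).format(**NS)

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, inspect_envelope(sample_envelope(flag))[1])
```

Basic128Rsa15 fixes key transport to RSA PKCS#1 v1.5 and data encryption to AES-128-CBC, so a message that passes these checks still uses algorithms with known padding-oracle weaknesses in XML Encryption; that choice comes from the client's policy file, not from the service code.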