<wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
<wsp:All wsp:Usage="Required">
<wsp:OneOrMore wsp:Usage="Required">
<L7p:SslAssertion/>
<L7p:CustomizeErrorResponse>
<L7p:AssertionComment assertionComment="included">
<L7p:Properties mapValue="included">
<L7p:entry>
<L7p:key stringValue="RIGHT.COMMENT"/>
<L7p:value stringValue="//401 - SSL required."/>
</L7p:entry>
</L7p:Properties>
</L7p:AssertionComment>
<L7p:Content stringValueReference="inline"><![CDATA[{
"success": false,
"fault": {
"faultcode": "soapenv:Client",
"faultstring": "SSL required",
"faultactor": "${request.url}",
"detail": "SSL required."
}
}]]></L7p:Content>
<L7p:ContentType stringValue="application/json; charset=UTF-8"/>
<L7p:ExtraHeaders nameValuePairArray="included"/>
<L7p:HttpStatus stringValue="401"/>
</L7p:CustomizeErrorResponse>
<L7p:FalseAssertion/>
</wsp:OneOrMore>
<wsp:All wsp:Usage="Required">
<wsp:OneOrMore wsp:Usage="Required">
<wsp:All wsp:Usage="Required">
<L7p:SslAssertion>
<L7p:RequireClientAuthentication booleanValue="true"/>
</L7p:SslAssertion>
<L7p:AuditDetailAssertion>
<L7p:Detail stringValueReference="inline"><![CDATA[subject.dn.cn:${request.ssl.clientCertificate.subject.dn.cn};
serial:${request.ssl.clientCertificate.serial};
notAfter:${request.ssl.clientCertificate.notAfter};
issuer:${request.ssl.clientCertificate.issuer};
extendedKeyUsageValues:${request.ssl.clientCertificate.extendedKeyUsageValues};
subject:${request.ssl.clientCertificate.subject};
thumbprintSHA1:${request.ssl.clientCertificate.thumbprintSHA1};]]></L7p:Detail>
</L7p:AuditDetailAssertion>
</wsp:All>
<wsp:All wsp:Usage="Required">
<wsp:OneOrMore wsp:Usage="Required">
<wsp:OneOrMore wsp:Usage="Required">
<L7p:ComparisonAssertion>
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Expression1 stringValue="${request.ssl.clientCertificate}"/>
<L7p:Expression2 stringValue=""/>
<L7p:Operator operator="EMPTY"/>
<L7p:Predicates predicates="included">
<L7p:item binary="included">
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Operator operator="EMPTY"/>
<L7p:RightValue stringValue=""/>
</L7p:item>
</L7p:Predicates>
</L7p:ComparisonAssertion>
<L7p:ComparisonAssertion>
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Expression1 stringValue="${request.ssl.clientCertificate}"/>
<L7p:Expression2 stringValue=""/>
<L7p:Negate booleanValue="true"/>
<L7p:Operator operator="EMPTY"/>
<L7p:Predicates predicates="included">
<L7p:item binary="included">
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Negated booleanValue="true"/>
<L7p:Operator operator="EMPTY"/>
<L7p:RightValue stringValue=""/>
</L7p:item>
</L7p:Predicates>
</L7p:ComparisonAssertion>
<L7p:CustomizeErrorResponse>
<L7p:AssertionComment assertionComment="included">
<L7p:Properties mapValue="included">
<L7p:entry>
<L7p:key stringValue="RIGHT.COMMENT"/>
<L7p:value stringValue="//401 - No credentials were provided. Request was not authenticated."/>
</L7p:entry>
</L7p:Properties>
</L7p:AssertionComment>
<L7p:Content stringValueReference="inline"><![CDATA[{
"success": false,
"fault": {
"faultcode": "soapenv:Client",
"faultstring": "Access Denied",
"faultactor": "${request.url}",
"detail": {
"datetime": "${request.time}",
"errorcode": "401",
"message": "No credentials were provided. Request was not authenticated."
}
}
}]]></L7p:Content>
<L7p:ContentType stringValue="application/json; charset=UTF-8"/>
<L7p:ExtraHeaders nameValuePairArray="included"/>
<L7p:HttpStatus stringValue="401"/>
</L7p:CustomizeErrorResponse>
</wsp:OneOrMore>
<wsp:All wsp:Usage="Required">
<L7p:AuditDetailAssertion>
<L7p:Detail stringValueReference="inline"><![CDATA[Usage: ${request.ssl.clientCertificate.extendedKeyUsageValues}
crlSign: ${request.ssl.clientCertificate.keyUsage.dataEncipherment}
dataEncipherment: ${request.ssl.clientCertificate.keyUsage.dataEncipherment}
decipherOnly: ${request.ssl.clientCertificate.keyUsage.decipherOnly}
digitalSignature: ${request.ssl.clientCertificate.keyUsage.digitalSignature}
encipherOnly: ${request.ssl.clientCertificate.keyUsage.encipherOnly}
keyAgreement: ${request.ssl.clientCertificate.keyUsage.keyAgreement}
keyCertSign: ${request.ssl.clientCertificate.keyUsage.keyCertSign}
keyEncipherment: ${request.ssl.clientCertificate.keyUsage.keyEncipherment}
nonRepudiation: ${request.ssl.clientCertificate.keyUsage.nonRepudiation}]]></L7p:Detail>
</L7p:AuditDetailAssertion>
<L7p:ComparisonAssertion>
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Expression1 stringValue="${request.ssl.clientCertificate.extendedKeyUsageValues}"/>
<L7p:Expression2 stringValue="1.3.6.1.5.5.7.3.2"/>
<L7p:Negate booleanValue="true"/>
<L7p:Operator operator="CONTAINS"/>
<L7p:Predicates predicates="included">
<L7p:item binary="included">
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Negated booleanValue="true"/>
<L7p:Operator operator="CONTAINS"/>
<L7p:RightValue stringValue="1.3.6.1.5.5.7.3.2"/>
</L7p:item>
</L7p:Predicates>
</L7p:ComparisonAssertion>
<L7p:CustomizeErrorResponse>
<L7p:AssertionComment assertionComment="included">
<L7p:Properties mapValue="included">
<L7p:entry>
<L7p:key stringValue="RIGHT.COMMENT"/>
<L7p:value stringValue="//403 - The certificate used to sign the request is not provisioned for use as a client certificate."/>
</L7p:entry>
</L7p:Properties>
</L7p:AssertionComment>
<L7p:Content stringValueReference="inline"><![CDATA[{
"success": false,
"fault": {
"faultcode": "soapenv:Client",
"faultstring": "Access Denied",
"faultactor": "${request.url}",
"detail": {
"datetime": "${request.time}",
"errorcode": "403",
"message": "The certificate used to sign the request is not provisioned for use as a client certificate."
}
}
}]]></L7p:Content>
<L7p:ContentType stringValue="application/json; charset=UTF-8"/>
<L7p:ExtraHeaders nameValuePairArray="included"/>
<L7p:HttpStatus stringValue="403"/>
</L7p:CustomizeErrorResponse>
</wsp:All>
<L7p:CustomizeErrorResponse>
<L7p:AssertionComment assertionComment="included">
<L7p:Properties mapValue="included">
<L7p:entry>
<L7p:key stringValue="RIGHT.COMMENT"/>
<L7p:value stringValue="//403 - The certificate used to sign the request is not acceptable."/>
</L7p:entry>
</L7p:Properties>
</L7p:AssertionComment>
<L7p:Content stringValueReference="inline"><![CDATA[{
"success": false,
"fault": {
"faultcode": "soapenv:Client",
"faultstring": "Authentication Failed",
"faultactor": "${request.url}",
"detail": {
"datetime": "${request.time}",
"errorcode": "403",
"message": "The certificate used to sign the request is not acceptable."
}
}
}]]></L7p:Content>
<L7p:ContentType stringValue="application/json; charset=UTF-8"/>
<L7p:ExtraHeaders nameValuePairArray="included"/>
<L7p:HttpStatus stringValue="403"/>
</L7p:CustomizeErrorResponse>
<L7p:assertionComment>
<L7p:Properties mapValue="included">
<L7p:entry>
<L7p:key stringValue="RIGHT.COMMENT"/>
<L7p:value stringValue="//try to log requestor properties"/>
</L7p:entry>
</L7p:Properties>
</L7p:assertionComment>
</wsp:OneOrMore>
<L7p:ForEachLoop L7p:Usage="Required"
loopVariable="audit.details" variablePrefix="this.current">
<wsp:OneOrMore wsp:Usage="Required">
<L7p:ComparisonAssertion>
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Expression1 stringValue="${this.current.messageId}"/>
<L7p:Operator operatorNull="null"/>
<L7p:Predicates predicates="included">
<L7p:item dataType="included">
<L7p:Type variableDataType="string"/>
</L7p:item>
<L7p:item binary="included">
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Negated booleanValue="true"/>
<L7p:RightValue stringValue="6"/>
</L7p:item>
<L7p:item binary="included">
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Negated booleanValue="true"/>
<L7p:RightValue stringValue="4113"/>
</L7p:item>
</L7p:Predicates>
</L7p:ComparisonAssertion>
<wsp:All wsp:Usage="Required">
<L7p:ComparisonAssertion>
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Expression1 stringValue="${this.current.messageId}"/>
<L7p:Operator operatorNull="null"/>
<L7p:Predicates predicates="included">
<L7p:item dataType="included">
<L7p:Type variableDataType="string"/>
</L7p:item>
<L7p:item binary="included">
<L7p:CaseSensitive booleanValue="false"/>
<L7p:RightValue stringValue="6"/>
</L7p:item>
</L7p:Predicates>
</L7p:ComparisonAssertion>
<L7p:CustomizeErrorResponse>
<L7p:AssertionComment assertionComment="included">
<L7p:Properties mapValue="included">
<L7p:entry>
<L7p:key stringValue="RIGHT.COMMENT"/>
<L7p:value stringValue="//403 - Valid client certificate required. The client certificate used to sign the request is expired."/>
</L7p:entry>
</L7p:Properties>
</L7p:AssertionComment>
<L7p:Content stringValueReference="inline"><![CDATA[{
"success": false,
"fault": {
"faultcode": "soapenv:Client",
"faultstring": "Expired Client Certificate",
"faultactor": "${request.url}",
"detail": {
"datetime": "${request.time}",
"errorcode": "403",
"message": "Valid client certificate required. The client certificate used to sign the request is expired."
}
}
}]]></L7p:Content>
<L7p:ContentType stringValue="application/json;charset=utf-8"/>
<L7p:ExtraHeaders nameValuePairArray="included"/>
<L7p:HttpStatus stringValue="403"/>
</L7p:CustomizeErrorResponse>
</wsp:All>
</wsp:OneOrMore>
</L7p:ForEachLoop>
<L7p:FalseAssertion/>
</wsp:All>
</wsp:OneOrMore>
</wsp:All>
<L7p:HardcodedResponse>
<L7p:Base64ResponseBody stringValue="ewogICJzdWNjZXNzIjogdHJ1ZSwKICAiZGV0YWlsIjogewogICAgIkxheWVyNyI6IHsKICAgICAgInBvbGljeVJlc3VsdCI6ICJZb3VyIGNsaWVudCBjZXJ0aWZpY2F0ZSBpcyBwcm9wZXJseSBhdHRhY2hlZC4gIGFwcGxpY2F0aW9uL2pzb24iCiAgICB9LAogICAgIkNsaWVudCI6IHsKICAgICAgIlN1YmplY3RDTiI6ICIke3JlcXVlc3Quc3NsLmNsaWVudENlcnRpZmljYXRlLnN1YmplY3QuZG4uY259IiwKICAgICAgIlNlcmlhbE51bSI6ICIke3JlcXVlc3Quc3NsLmNsaWVudENlcnRpZmljYXRlLnNlcmlhbH0iLAogICAgICAiSXNzdWVyQ04iOiAiJHtyZXF1ZXN0LnNzbC5jbGllbnRDZXJ0aWZpY2F0ZS5pc3N1ZXIuZG4uY259IiwKICAgICAgIkV4cGlyYXRpb24iOiAiJHtyZXF1ZXN0LnNzbC5jbGllbnRDZXJ0aWZpY2F0ZS5ub3RBZnRlcn0iLAogICAgICAiRlFETiI6ICIke3JlcXVlc3Quc3NsLmNsaWVudENlcnRpZmljYXRlLnN1YmplY3R9IiwKICAgICAgIlN1YmplY3RLZXlJRCI6ICIke3JlcXVlc3Quc3NsLmNsaWVudENlcnRpZmljYXRlLnN1YmplY3RLZXlJZGVudGlmaWVyfSIKICAgICAgIlVzYWdlIjogIiR7cmVxdWVzdC5zc2wuY2xpZW50Q2VydGlmaWNhdGUuZXh0ZW5kZWRLZXlVc2FnZVZhbHVlc30iCiAgICB9LAogICAgIlJlcXVlc3QiOiB7CiAgICAgICJVUkwiOiAiJHtyZXF1ZXN0LnVybH0iLAogICAgICAiTWV0aG9kIjogIiR7cmVxdWVzdC5odHRwLm1ldGhvZH0iLAogICAgICAiU2l6ZSI6ICIke3JlcXVlc3Quc2l6ZX0iCiAgICB9LAogICAgIkhlYWRlciI6IHsKICAgICAgIkNvbnRlbnQtVHlwZSI6ICIke3JlcXVlc3QuaHR0cC5oZWFkZXIuY29udGVudC10eXBlfSIsCiAgICAgICJDb250ZW50LUxlbmd0aCI6ICIke3JlcXVlc3QuaHR0cC5oZWFkZXIuY29udGVudC1sZW5ndGh9IiwKICAgICAgIlNvYXBBY3Rpb24iOiAiJHtyZXF1ZXN0Lmh0dHAuaGVhZGVyLnNvYXBhY3Rpb259IgogICAgfQogIH0KfQo="/>
<L7p:ResponseContentType stringValue="text/plain; charset=UTF-8"/>
</L7p:HardcodedResponse>
</wsp:All>
</wsp:Policy>
Failure modes cleaned up and messages updated
ReplyDelete