com.sun.xml.wss.impl.WssSoapFaultException: ERROR: Policy for the service could not be obtained #460

Open
9611667063 opened this issue Oct 17, 2024 · 0 comments

9611667063 commented Oct 17, 2024

Hi Team,
We are facing the below issue with a web service:
javax.xml.ws.WebServiceException: WSSTUBE0025: Fehler bei der Prüfung der Sicherheit in der eingehenden Nachricht.
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:412)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processResponse(SecurityClientTube.java:334) ~
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1116) ~
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1019) ~
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:988)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:846)
at com.sun.xml.ws.client.Stub.process(Stub.java:432) ~
at com.sun.xml.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:235) ~
at com.sun.xml.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:274) ~

Caused by: javax.xml.ws.soap.SOAPFaultException: ERROR: Policy for the service could not be obtained
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:686)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:704)
... 19 more
Caused by: com.sun.xml.wss.impl.WssSoapFaultException: ERROR: Policy for the service could not be obtained
at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:319)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.getSOAPFaultException(SecurityTubeBase.java:701) ~]
... 19 more
Caused by: com.sun.xml.wss.impl.PolicyViolationException: ERROR: Policy for the service could not be obtained
at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:104) ~
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:1007)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:242)
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:426) ~
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientResponsePacket(SecurityClientTube.java:406) ~

Below is the WSDL configuration:

<wsp:PolicyReference URI="#BaseSecurityPolicy" required="false"/>
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

<soap:operation soapAction=""/>

<soap:header message="tns:Header" part="messageAddressing" use="literal">
</soap:header>
<soap:body use="literal"/>
<wsp:PolicyReference URI="#SigningSecurityPolicy" required="true"/>


<soap:body use="literal"/>
<wsp:PolicyReference URI="#EmptySecurityPolicy" required="false"/>

 <wsp:Policy wsu:Id="SigningSecurityPolicy">
    <sp:SignedParts>
        <sp:Body/>
    </sp:SignedParts>
</wsp:Policy>
<wsp:Policy wsu:Id="EmptySecurityPolicy"/>
<wsp:Policy wsu:Id="BaseSecurityPolicy">
    <sp:AsymmetricBinding>
        <wsp:Policy>
            <sp:InitiatorToken>
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                        <wsp:Policy>
                            <sp:RequireKeyIdentifierReference/>
                            <sp:WssX509V3Token10/>
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                        <wsp:Policy>
                            <sp:RequireKeyIdentifierReference/>
                            <sp:WssX509V3Token10/>
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </sp:RecipientToken>
            <sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA">
                <wsp:Policy>
                    <sp:Basic256Sha256/>
                </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
                <wsp:Policy>
                    <sp:Lax/>
                </wsp:Policy>
            </sp:Layout>
            <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
    </sp:AsymmetricBinding>
    <wsp:Policy>
        <sp:MustSupportRefKeyIdentifier/>
    </wsp:Policy>
</wsp:Policy>

We debugged and found that the Metro MessagePolicyVerifier logic below expects only a Timestamp policy, but our response had a SignaturePolicy.

if (actualPolicy == null || actualPolicy.size() <= 0) {
    if ((inferredSecurityPolicy != null) && (inferredSecurityPolicy.size() > 0)) {
        //this could be a plain SSL scenario
        if (!checkAllowExtraTimestamp(inferredSecurityPolicy)) {
            log.log(Level.SEVERE, LogStringsMessages.WSS_0805_POLICY_NULL());
            throw new PolicyViolationException("ERROR: Policy for the service could not be obtained");
        }
    }
}

private boolean checkAllowExtraTimestamp(MessagePolicy inferredSecurityPolicy) {
    //assumption : inferredSecurityPolicy != null and size > 0
    if (inferredSecurityPolicy.size() > 1) {
        return false;
    }
    SecurityPolicy pol = null;
    try {
        pol = inferredSecurityPolicy.get(0);
    } catch (Exception ex) {
        //ignore for now;
    }
    return pol instanceof TimestampPolicy;
}

Could you please explain or share some more insight into why only TimestampPolicy is expected here?
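
An added example, not part of the original issue and not Metro code: a small script that lists every `wsp:PolicyReference` in a WSDL, the element it is attached to, and whether the referenced policy is unresolved, empty, or carries assertions. It helps when checking which message a signing policy is actually attached to before stepping into the `actualPolicy == null || actualPolicy.size() <= 0` branch quoted above. The sample WSDL is constructed; its `wsdl:*` wrappers and input/output placement are assumptions, and whether Metro derives an empty `actualPolicy` from such an attachment is something to confirm while debugging.

```python
import xml.etree.ElementTree as ET

OPERATORS = {"Policy", "ExactlyOne", "All"}  # WS-Policy operators, not assertions
# Constructed sample, not the reporter's WSDL: the wsdl:* wrappers and the
# input/output placement are assumptions, since the issue's fragment lost them.
SAMPLE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="SigningSecurityPolicy"><sp:SignedParts><sp:Body/></sp:SignedParts></wsp:Policy>
  <wsp:Policy wsu:Id="EmptySecurityPolicy"/>
  <wsdl:binding name="DemoBinding">
    <wsp:PolicyReference URI="#BaseSecurityPolicy"/>
    <wsdl:operation name="demo">
      <wsdl:input><wsp:PolicyReference URI="#SigningSecurityPolicy"/></wsdl:input>
      <wsdl:output><wsp:PolicyReference URI="#EmptySecurityPolicy"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""

def local(name):  # drop the '{namespace}' prefix ElementTree adds to names
    return name.rsplit("}", 1)[-1]

def assertions(policy):  # top-level assertion names, looking through operators
    found = []
    for child in policy:
        found += assertions(child) if local(child.tag) in OPERATORS else [local(child.tag)]
    return found

def policy_attachments(wsdl_text):
    """Return (attachment point, URI, 'unresolved' | 'empty' | assertion names)."""
    root = ET.fromstring(wsdl_text)  # run on WSDLs you trust; no DTD hardening here
    parent = {child: p for p in root.iter() for child in p}
    policies = {}
    for el in root.iter():
        ids = [v for k, v in el.attrib.items() if local(k) == "Id"]
        if local(el.tag) == "Policy" and ids:
            policies[ids[0]] = el
    rows = []
    for ref in (e for e in root.iter() if local(e.tag) == "PolicyReference"):
        subject = parent[ref]
        where = local(subject.tag) + (":" + subject.get("name") if subject.get("name") else "")
        target = policies.get(ref.get("URI", "").lstrip("#"))
        state = "unresolved" if target is None else ",".join(assertions(target)) or "empty"
        rows.append((where, ref.get("URI"), state))
    return rows

if __name__ == "__main__":
    for row in policy_attachments(SAMPLE):
        print(*row, sep="\t")
```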