chemistry-dev mailing list archives

From Florian Müller (JIRA) <j...@apache.org>
Subject [jira] [Assigned] (CMIS-1000) Web Services binding failure in Chemistry 0.14 client while passing customized SOAP Security header
Date Mon, 03 Oct 2016 16:42:21 GMT

     [ https://issues.apache.org/jira/browse/CMIS-1000?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Müller reassigned CMIS-1000:
------------------------------------

    Assignee: Florian Müller

> Web Services binding failure in Chemistry 0.14 client while passing customized SOAP Security header
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CMIS-1000
>                 URL: https://issues.apache.org/jira/browse/CMIS-1000
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client-bindings
>    Affects Versions: OpenCMIS 0.14.0
>         Environment: Windows 8.1 x64
> Apache Tomcat 8.0.18 x64
> Oracle Java 1.8.0_71-b15 x64
> Apache Chemistry 0.14
> Apache CXF 3.0.9
>            Reporter: Vyacheslav Pascarel
>            Assignee: Florian Müller
>
> I have a custom authentication provider that extends org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider. The provider modifies Security header in outgoing SOAP message in order to implement a proprietary authentication. On the server side authentication data is parsed, client is authenticated, request is processed and a new Security header is attached to the reply message. The client extracts authentication data from the response and uses it for sequential calls. That worked well in implementations based on Chemistry 0.10 and 0.13. While trying to port to Chemistry 0.14 the code started to fail with *java.lang.UnsupportedOperationException*. Using debugger I found the cause of the failure:
> # When message is being prepared to be sent Chemistry framework calls a custom authentication provider. The provider prepares Security header and returns it to framework
> # Framework in org.apache.chemistry.opencmis.client.bindings.spi.webservices.*CXFPortProvider.createPortObject(…)* creates a new header list and adds it to request context at line 120:
> {code:java}
> portObject.getRequestContext().put(
>     Header.HEADER_LIST,
>     Collections.singletonList(new Header(new QName(soapHeader.getNamespaceURI(), soapHeader
>             .getLocalName()), soapHeader)));
> {code}
> # Request is sent to server, server processes it and replies with a message containing another Security header
> # Response is being processed on client by Apache CXF making bunch of calls to interceptors. One of the interceptors, *org.apache.cxf.binding.soap.saaj.SAAJInInterceptor.replaceHeaders(…)*, attempts to replace old headers in context if the response has headers with matching names (line 310):
> {code:java}
> Header oldHdr = message.getHeader(
> new QName(elem.getNamespaceURI(), elem.getLocalName()));
> if (oldHdr != null) {
>     message.getHeaders().remove(oldHdr);
> } 
> message.getHeaders().add(shead);   
> {code}
> The problem is that the header list created by *CXFPortProvider* in step #2 is read-only, but *SAAJInInterceptor* in step #4 expects it to be read-write.
> Not sure where the fix has to be done, but I would expect that having the same header in the request and response is acceptable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
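
The failure described in the report, reproduced without CXF or OpenCMIS on the classpath (an added example, not code from the report or from either project). `Hdr`, `replaceHeader`, `attempt` and the `urn:example:sec` namespace are hypothetical stand-ins; the mutable `ArrayList` shows one way a header list can tolerate the replace step, not necessarily the fix the project applied.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class HeaderListMutability {
    // Hypothetical stand-in for a SOAP header entry: a qualified name plus a value.
    static final class Hdr {
        final String qname, value;
        Hdr(String qname, String value) { this.qname = qname; this.value = value; }
        @Override public String toString() { return qname + "=" + value; }
    }

    // Same remove-then-add pattern as the interceptor snippet quoted in step 4.
    static void replaceHeader(List<Hdr> headers, Hdr incoming) {
        Hdr old = null;
        for (Hdr h : headers) {
            if (h.qname.equals(incoming.qname)) { old = h; break; }
        }
        if (old != null) {
            headers.remove(old);   // throws on a read-only list
        }
        headers.add(incoming);
    }

    // Applies a constructed response header to the request-side header list.
    static String attempt(List<Hdr> requestHeaders) {
        Hdr response = new Hdr("{urn:example:sec}Security", "response-token");
        try {
            replaceHeader(requestHeaders, response);
            return "ok " + requestHeaders;
        } catch (UnsupportedOperationException e) {
            return "UnsupportedOperationException";
        }
    }

    public static void main(String[] args) {
        Hdr request = new Hdr("{urn:example:sec}Security", "request-token");

        // Read-only list, built the same way as in the step 2 snippet.
        System.out.println("singletonList: " + attempt(Collections.singletonList(request)));

        // Mutable copy holding the same single header (assumed alternative).
        List<Hdr> mutable = new ArrayList<>(Collections.singletonList(request));
        System.out.println("ArrayList:     " + attempt(mutable));
    }
}
```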
