cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1368608 - in /cxf/branches/2.5.x-fixes: rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ rt/core/src/main/java/org/apache/cxf/interceptor/ systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/ testutils/s...
Date Thu, 02 Aug 2012 17:20:01 GMT
Author: coheigea
Date: Thu Aug  2 17:20:01 2012
New Revision: 1368608

URL: http://svn.apache.org/viewvc?rev=1368608&view=rev
Log:
Merged revisions 1368559 via  git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1368559 | coheigea | 2012-08-02 16:49:51 +0100 (Thu, 02 Aug 2012) | 2 lines

  Some improvements to handling SOAP Actions

........


Conflicts:

	rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java

Added:
    cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java
    cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java
    cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java
    cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java
Modified:
    cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
    cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java
    cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java
    cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties
    cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
    cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl

Modified: cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
(original)
+++ cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
Thu Aug  2 17:20:01 2012
@@ -31,3 +31,4 @@ INVALID_11_VERSION=A SOAP 1.2 message is
 NO_NAMESPACE=No namespace on "{0}" element.
 BP_2211_RPCLIT_CANNOT_BE_NULL=Cannot write part {0}. RPC/Literal parts cannot be null. (WS-I
BP R2211)
 UNKNOWN_RPC_LIT_PART=Found element {0} but could not find matching RPC/Literal part
+SOAP_ACTION_MISMATCH=The given SOAPAction {0} does not match an operation.

Modified: cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java
Thu Aug  2 17:20:01 2012
@@ -22,12 +22,14 @@ package org.apache.cxf.binding.soap.inte
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
+import java.util.logging.Logger;
 
 import org.apache.cxf.binding.soap.Soap11;
 import org.apache.cxf.binding.soap.Soap12;
 import org.apache.cxf.binding.soap.SoapBindingConstants;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.model.SoapOperationInfo;
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.helpers.CastUtils;
@@ -40,6 +42,8 @@ import org.apache.cxf.service.model.Oper
 
 public class SoapActionInInterceptor extends AbstractSoapInterceptor {
     
+    private static final Logger LOG = LogUtils.getL7dLogger(SoapActionInInterceptor.class);
+    
     public SoapActionInInterceptor() {
         super(Phase.READ);
         addAfter(ReadHeadersInterceptor.class.getName());
@@ -91,6 +95,10 @@ public class SoapActionInInterceptor ext
     }
     
     public void handleMessage(SoapMessage message) throws Fault {
+        if (isRequestor(message)) {
+            return;
+        }
+        
         String action = getSoapAction(message);
         if (!StringUtils.isEmpty(action)) {
             getAndSetOperation(message, action);
@@ -108,24 +116,54 @@ public class SoapActionInInterceptor ext
         
         BindingOperationInfo bindingOp = null;
         
-        Collection<BindingOperationInfo> bops = ep.getBinding().getBindingInfo().getOperations();
-        if (bops == null) {
-            return;
-        }
-        for (BindingOperationInfo boi : bops) {
-            SoapOperationInfo soi = (SoapOperationInfo) boi.getExtensor(SoapOperationInfo.class);
-            if (soi != null && action.equals(soi.getAction())) {
-                if (bindingOp != null) {
-                    //more than one op with the same action, will need to parse normally
-                    return;
+        Collection<BindingOperationInfo> bops = ep.getEndpointInfo()
+            .getBinding().getOperations();
+        if (bops != null) {
+            for (BindingOperationInfo boi : bops) {
+                SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class);
+                if (soi != null && action.equals(soi.getAction())) {
+                    if (bindingOp != null) {
+                        //more than one op with the same action, will need to parse normally
+                        return;
+                    }
+                    bindingOp = boi;
                 }
-                bindingOp = boi;
             }
         }
-        if (bindingOp != null) {
-            ex.put(BindingOperationInfo.class, bindingOp);
-            ex.put(OperationInfo.class, bindingOp.getOperationInfo());
+        
+        if (bindingOp == null) {
+            //we didn't match the an operation, we'll try again later to make
+            //sure the incoming message did end up matching an operation.
+            //This could occur in some cases like WS-RM and WS-SecConv that will
+            //intercept the message with a new endpoint/operation
+            message.getInterceptorChain().add(new SoapActionInAttemptTwoInterceptor());
+            return;
+        }
+
+        ex.put(BindingOperationInfo.class, bindingOp);
+        ex.put(OperationInfo.class, bindingOp.getOperationInfo());
+    }
+    
+    public static class SoapActionInAttemptTwoInterceptor extends AbstractSoapInterceptor
{
+        public SoapActionInAttemptTwoInterceptor() {
+            super(Phase.PRE_LOGICAL);
+        }
+        public void handleMessage(SoapMessage message) throws Fault {
+            BindingOperationInfo boi = message.getExchange().getBindingOperationInfo();
+            if (boi == null) {
+                return;
+            }
+            String action = getSoapAction(message);
+            if (StringUtils.isEmpty(action)) {
+                return;
+            }
+            SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class);
+            if (soi == null || action.equals(soi.getAction())) {
+                return;
+            }
+            throw new Fault("SOAP_ACTION_MISMATCH", LOG, null, action);
         }
     }
 
+
 }

Modified: cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java
Thu Aug  2 17:20:01 2012
@@ -192,12 +192,11 @@ public class DocLiteralInInterceptor ext
                     } else {
                         p = findMessagePart(exchange, operations, elName, client, paramNum,
message);
                     }
-    
-                    if (p == null) {
-                        throw new Fault(new org.apache.cxf.common.i18n.Message("NO_PART_FOUND",
LOG, elName),
-                                        Fault.FAULT_CODE_CLIENT);
-                    }
-    
+                    
+                    //Make sure the elName found on the wire is actually OK for 
+                    //the purpose we need it
+                    validatePart(p, elName, si);
+
                     o = dr.read(p, xmlReader);
                     if (Boolean.TRUE.equals(si.getProperty("soap.force.doclit.bare")) 
                         && parameters.isEmpty()) {
@@ -224,6 +223,44 @@ public class DocLiteralInInterceptor ext
         }
     }
     
+    private void validatePart(MessagePartInfo p, QName elName, ServiceInfo si) {
+        if (p == null) {
+            throw new Fault(new org.apache.cxf.common.i18n.Message("NO_PART_FOUND", LOG,
elName),
+                            Fault.FAULT_CODE_CLIENT);
+
+        }
+
+        Boolean synth = Boolean.FALSE;
+        if (p.getMessageInfo() != null && p.getMessageInfo().getOperation() != null)
{
+            OperationInfo op = p.getMessageInfo().getOperation();
+            Boolean b = (Boolean)op.getProperty("operation.is.synthetic");
+            if (b != null) {
+                synth = b;
+            }
+        }
+        if (si != null && Boolean.TRUE.equals(si.getProperty("soap.force.doclit.bare")))
{
+            // something like a Provider service or similar that is forcing a
+            // doc/lit/bare on an endpoint that may not really be doc/lit/bare.  
+            // we need to just let these through per spec so the endpoint
+            // can process it
+            synth = true;
+        }
+        if (p.isElement()) {
+            if (p.getConcreteName() != null
+                && !elName.equals(p.getConcreteName())
+                && !Boolean.TRUE.equals(synth)) {
+                throw new Fault("UNEXPECTED_ELEMENT", LOG, null, elName,
+                                p.getConcreteName());
+            }
+        } else {
+            if (!(elName.equals(p.getName()) || elName.equals(p.getConcreteName()))
+                && !Boolean.TRUE.equals(synth)) {
+                throw new Fault("UNEXPECTED_ELEMENT", LOG, null, elName,
+                                p.getConcreteName());
+            }
+        }
+    }
+    
     private void getPara(DepthXMLStreamReader xmlReader,
                          DataReader<XMLStreamReader> dr,
                          MessageContentsList parameters,

Modified: cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties
(original)
+++ cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties
Thu Aug  2 17:20:01 2012
@@ -40,4 +40,5 @@ COULD_NOT_FIND_SEICLASS=Could not find t
 EXCEPTION_WHILE_WRITING_FAULT = Exception occurred while writing fault.
 EXCEPTION_WHILE_CREATING_EXCEPTION = Exception occurred while creating exception: {0}
 UNEXPECTED_WRAPPER_ELEMENT = Unexpected wrapper element {0} found.   Expected {1}.
+UNEXPECTED_ELEMENT = Unexpected element {0} found.   Expected {1}.
  

Added: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java?rev=1368608&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java
(added)
+++ cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java
Thu Aug  2 17:20:01 2012
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.soap;
+
+import javax.jws.WebService;
+import javax.jws.soap.SOAPBinding;
+
+import org.apache.hello_world_soap_action.WrappedGreeter;
+
+@WebService(endpointInterface = "org.apache.hello_world_soap_action.WrappedGreeter", 
+serviceName = "WrappedSOAPService")
+@SOAPBinding(style = SOAPBinding.Style.RPC, use = SOAPBinding.Use.ENCODED)
+public class RPCEncodedSoapActionGreeterImpl implements WrappedGreeter {
+
+    public String sayHiRequestWrapped(String in) {
+        return "sayHi";
+    }
+
+    public String sayHiRequest2Wrapped(String in) {
+        return "sayHi2";
+    }
+
+}

Added: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java?rev=1368608&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java
(added)
+++ cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java
Thu Aug  2 17:20:01 2012
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.soap;
+
+import javax.jws.WebService;
+import javax.jws.soap.SOAPBinding;
+
+import org.apache.hello_world_soap_action.WrappedGreeter;
+
+@WebService(endpointInterface = "org.apache.hello_world_soap_action.WrappedGreeter", 
+serviceName = "WrappedSOAPService")
+@SOAPBinding(style = SOAPBinding.Style.RPC)
+public class RPCLitSoapActionGreeterImpl implements WrappedGreeter {
+
+    public String sayHiRequestWrapped(String in) {
+        return "sayHi";
+    }
+
+    public String sayHiRequest2Wrapped(String in) {
+        return "sayHi2";
+    }
+
+}

Modified: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
(original)
+++ cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
Thu Aug  2 17:20:01 2012
@@ -19,6 +19,8 @@
 
 package org.apache.cxf.systest.soap;
 
+import javax.xml.ws.BindingProvider;
+
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.binding.soap.Soap12;
@@ -27,6 +29,7 @@ import org.apache.cxf.jaxws.JaxWsProxyFa
 import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
 import org.apache.cxf.testutil.common.TestUtil;
 import org.apache.hello_world_soap_action.Greeter;
+import org.apache.hello_world_soap_action.WrappedGreeter;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
@@ -35,11 +38,20 @@ import org.junit.Test;
 public class SoapActionTest extends Assert {
     static final String PORT1 = TestUtil.getPortNumber(SoapActionTest.class, 1);
     static final String PORT2 = TestUtil.getPortNumber(SoapActionTest.class, 2);
+    static final String PORT3 = TestUtil.getPortNumber(SoapActionTest.class, 3);
+    static final String PORT4 = TestUtil.getPortNumber(SoapActionTest.class, 4);
+    static final String PORT5 = TestUtil.getPortNumber(SoapActionTest.class, 5);
+    static final String PORT6 = TestUtil.getPortNumber(SoapActionTest.class, 6);
+    static final String PORT7 = TestUtil.getPortNumber(SoapActionTest.class, 7);
     
     static Bus bus;
     static String add11 = "http://localhost:" + PORT1 + "/test11";
     static String add12 = "http://localhost:" + PORT2 + "/test12";
-
+    static String add13 = "http://localhost:" + PORT3 + "/testWrapped";
+    static String add14 = "http://localhost:" + PORT4 + "/testWrapped12";
+    static String add15 = "http://localhost:" + PORT5 + "/testRPCLit";
+    static String add16 = "http://localhost:" + PORT6 + "/testRPCEncoded";
+    static String add17 = "http://localhost:" + PORT7 + "/testWrappedEncoded";
 
     @BeforeClass
     public static void createServers() throws Exception {
@@ -58,7 +70,40 @@ public class SoapActionTest extends Asse
         config.setVersion(Soap12.getInstance());
         sf.setBindingConfig(config);
         sf.create();
+        
+        sf = new JaxWsServerFactoryBean();
+        sf.setServiceBean(new WrappedSoapActionGreeterImpl());
+        sf.setAddress(add13);
+        sf.setBus(bus);
+        sf.create();
+        
+        sf = new JaxWsServerFactoryBean();
+        sf.setServiceBean(new WrappedSoapActionGreeterImpl());
+        sf.setAddress(add14);
+        sf.setBus(bus);
+        config.setVersion(Soap12.getInstance());
+        sf.setBindingConfig(config);
+        sf.create();
+        
+        sf = new JaxWsServerFactoryBean();
+        sf.setServiceBean(new RPCLitSoapActionGreeterImpl());
+        sf.setAddress(add15);
+        sf.setBus(bus);
+        sf.create();
+        
+        sf = new JaxWsServerFactoryBean();
+        sf.setServiceBean(new RPCEncodedSoapActionGreeterImpl());
+        sf.setAddress(add16);
+        sf.setBus(bus);
+        sf.create();
+        
+        sf = new JaxWsServerFactoryBean();
+        sf.setServiceBean(new WrappedEncodedSoapActionGreeterImpl());
+        sf.setAddress(add17);
+        sf.setBus(bus);
+        sf.create();
     }
+    
     @AfterClass
     public static void shutdown() throws Exception {
         bus.shutdown(true);
@@ -93,4 +138,348 @@ public class SoapActionTest extends Asse
         assertEquals("sayHi", greeter.sayHi("test"));
         assertEquals("sayHi2", greeter.sayHi2("test"));
     }
+    
+    
+    @Test
+    public void testBareSoapActionSpoofing() throws Exception {
+        JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
+        pf.setServiceClass(Greeter.class);
+        pf.setAddress(add11);
+        pf.setBus(bus);
+        Greeter greeter = (Greeter) pf.create();
+        
+        assertEquals("sayHi", greeter.sayHi("test"));
+        assertEquals("sayHi2", greeter.sayHi2("test"));        
+        
+        // Now test spoofing attack
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
+        );
+        try {
+            greeter.sayHi("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test the other operation
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1"
+        );
+        try {
+            greeter.sayHi2("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test a SOAP Action that does not exist in the binding
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN"
+        );
+        try {
+            greeter.sayHi("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @Test
+    public void testBareSoap12ActionSpoofing() throws Exception {
+        JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
+        pf.setServiceClass(Greeter.class);
+        pf.setAddress(add12);
+        SoapBindingConfiguration config = new SoapBindingConfiguration();
+        config.setVersion(Soap12.getInstance());
+        pf.setBindingConfig(config);
+        pf.setBus(bus);
+        Greeter greeter = (Greeter) pf.create();
+        
+        assertEquals("sayHi", greeter.sayHi("test"));
+        assertEquals("sayHi2", greeter.sayHi2("test"));        
+        
+        // Now test spoofing attack
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
+        );
+        try {
+            greeter.sayHi("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test the other operation
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1"
+        );
+        try {
+            greeter.sayHi2("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test a SOAP Action that does not exist in the binding
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN"
+        );
+        try {
+            greeter.sayHi("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @Test
+    public void testWrappedSoapActionSpoofing() throws Exception {
+        JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
+        pf.setServiceClass(WrappedGreeter.class);
+        pf.setAddress(add13);
+        pf.setBus(bus);
+        WrappedGreeter greeter = (WrappedGreeter) pf.create();
+        
+        assertEquals("sayHi", greeter.sayHiRequestWrapped("test"));
+        assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test"));        
+        
+        // Now test spoofing attack
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test the other operation
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1"
+        );
+        try {
+            greeter.sayHiRequest2Wrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test a SOAP Action that does not exist in the binding
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @Test
+    public void testWrappedSoap12ActionSpoofing() throws Exception {
+        JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
+        pf.setServiceClass(WrappedGreeter.class);
+        pf.setAddress(add14);
+        SoapBindingConfiguration config = new SoapBindingConfiguration();
+        config.setVersion(Soap12.getInstance());
+        pf.setBindingConfig(config);
+        pf.setBus(bus);
+        WrappedGreeter greeter = (WrappedGreeter) pf.create();
+        
+        assertEquals("sayHi", greeter.sayHiRequestWrapped("test"));
+        assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test"));        
+        
+        // Now test spoofing attack
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test the other operation
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1"
+        );
+        try {
+            greeter.sayHiRequest2Wrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test a SOAP Action that does not exist in the binding
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @Test
+    public void testRPCLitSoapActionSpoofing() throws Exception {
+        JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
+        pf.setServiceClass(WrappedGreeter.class);
+        pf.setAddress(add15);
+        pf.setBus(bus);
+        WrappedGreeter greeter = (WrappedGreeter) pf.create();
+        
+        assertEquals("sayHi", greeter.sayHiRequestWrapped("test"));
+        assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test"));        
+        
+        // Now test spoofing attack
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test the other operation
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1"
+        );
+        try {
+            greeter.sayHiRequest2Wrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test a SOAP Action that does not exist in the binding
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @Test
+    public void testRPCEncodedSoapActionSpoofing() throws Exception {
+        JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
+        pf.setServiceClass(WrappedGreeter.class);
+        pf.setAddress(add16);
+        pf.setBus(bus);
+        WrappedGreeter greeter = (WrappedGreeter) pf.create();
+        
+        assertEquals("sayHi", greeter.sayHiRequestWrapped("test"));
+        assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test"));        
+        
+        // Now test spoofing attack
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test the other operation
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1"
+        );
+        try {
+            greeter.sayHiRequest2Wrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test a SOAP Action that does not exist in the binding
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    @Test
+    public void testWrappedEncodedSoapActionSpoofing() throws Exception {
+        JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
+        pf.setServiceClass(WrappedGreeter.class);
+        pf.setAddress(add17);
+        pf.setBus(bus);
+        WrappedGreeter greeter = (WrappedGreeter) pf.create();
+        
+        assertEquals("sayHi", greeter.sayHiRequestWrapped("test"));
+        assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test"));        
+        
+        // Now test spoofing attack
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test the other operation
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1"
+        );
+        try {
+            greeter.sayHiRequest2Wrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Test a SOAP Action that does not exist in the binding
+        ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY,
"true");
+        ((BindingProvider)greeter).getRequestContext().put(
+            BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN"
+        );
+        try {
+            greeter.sayHiRequestWrapped("test");
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
 }

Added: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java?rev=1368608&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java
(added)
+++ cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java
Thu Aug  2 17:20:01 2012
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.soap;
+
+import javax.jws.WebService;
+import javax.jws.soap.SOAPBinding;
+
+import org.apache.hello_world_soap_action.WrappedGreeter;
+
+@WebService(endpointInterface = "org.apache.hello_world_soap_action.WrappedGreeter", 
+            serviceName = "WrappedSOAPService")
+@SOAPBinding(use = SOAPBinding.Use.ENCODED)
+public class WrappedEncodedSoapActionGreeterImpl implements WrappedGreeter {
+
+    public String sayHiRequestWrapped(String in) {
+        return "sayHi";
+    }
+
+    public String sayHiRequest2Wrapped(String in) {
+        return "sayHi2";
+    }
+
+}

Added: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java?rev=1368608&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java
(added)
+++ cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java
Thu Aug  2 17:20:01 2012
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.soap;
+
+import javax.jws.WebService;
+
+import org.apache.hello_world_soap_action.WrappedGreeter;
+
+@WebService(endpointInterface = "org.apache.hello_world_soap_action.WrappedGreeter", 
+            serviceName = "WrappedSOAPService")
+public class WrappedSoapActionGreeterImpl implements WrappedGreeter {
+
+    public String sayHiRequestWrapped(String in) {
+        return "sayHi";
+    }
+
+    public String sayHiRequest2Wrapped(String in) {
+        return "sayHi2";
+    }
+
+}

Modified: cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl
(original)
+++ cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl
Thu Aug  2 17:20:01 2012
@@ -26,6 +26,7 @@
   xmlns:jms="http://cxf.apache.org/transports/jms"
   xmlns:tns="http://apache.org/hello_world_soap_action"
   xmlns:x1="http://apache.org/hello_world_soap_action/types"
+  xmlns:x2="http://apache.org/hello_world_soap_action/types/wrapped"
   xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
   targetNamespace="http://apache.org/hello_world_soap_action"
   name="HelloWorld">
@@ -37,6 +38,36 @@
       <element name="text" type="xsd:string" />
       <element name="text2" type="xsd:string" />
     </schema>
+    <xsd:schema targetNamespace="http://apache.org/hello_world_soap_action/types/wrapped">
+            <xsd:element name="sayHiRequestWrapped">
+                <xsd:complexType>
+                    <xsd:sequence>
+                        <xsd:element name="wrappedText" type="xsd:string" />
+                    </xsd:sequence>
+                </xsd:complexType>
+            </xsd:element>
+            <xsd:element name="sayHiResponseWrapped">
+                <xsd:complexType>
+                    <xsd:sequence>
+                        <xsd:element name="wrappedTextResponse" type="xsd:string" />
+                    </xsd:sequence>
+                </xsd:complexType>
+            </xsd:element>
+            <xsd:element name="sayHiRequest2Wrapped">
+                <xsd:complexType>
+                    <xsd:sequence>
+                        <xsd:element name="wrappedText" type="xsd:string" />
+                    </xsd:sequence>
+                </xsd:complexType>
+            </xsd:element>
+            <xsd:element name="sayHiResponse2Wrapped">
+                <xsd:complexType>
+                    <xsd:sequence>
+                        <xsd:element name="wrappedTextResponse" type="xsd:string" />
+                    </xsd:sequence>
+                </xsd:complexType>
+            </xsd:element>
+        </xsd:schema>
   </wsdl:types>
   <wsdl:message name="sayHiRequest">
     <wsdl:part name="in" element="x1:text" />
@@ -50,6 +81,19 @@
   <wsdl:message name="sayHiResponse2">
     <wsdl:part name="out" element="x1:text" />
   </wsdl:message>
+  
+  <wsdl:message name="sayHiRequestWrapped">
+        <wsdl:part element="x2:sayHiRequestWrapped" name="parameters" />
+  </wsdl:message>
+  <wsdl:message name="sayHiResponseWrapped">
+        <wsdl:part element="x2:sayHiResponseWrapped" name="parameters" />
+  </wsdl:message>
+  <wsdl:message name="sayHiRequest2Wrapped">
+        <wsdl:part element="x2:sayHiRequest2Wrapped" name="parameters" />
+  </wsdl:message>
+  <wsdl:message name="sayHiResponse2Wrapped">
+        <wsdl:part element="x2:sayHiResponse2Wrapped" name="parameters" />
+  </wsdl:message>
 
   <wsdl:portType name="Greeter">
     <wsdl:operation name="sayHi">
@@ -63,6 +107,19 @@
     </wsdl:operation>
 
   </wsdl:portType>
+  
+  <wsdl:portType name="WrappedGreeter">
+        <wsdl:operation name="sayHiRequestWrapped">
+            <wsdl:input message="tns:sayHiRequestWrapped" />
+            <wsdl:output message="tns:sayHiResponseWrapped" />
+        </wsdl:operation>
+        
+        <wsdl:operation name="sayHiRequest2Wrapped">
+            <wsdl:input message="tns:sayHiRequest2Wrapped" />
+            <wsdl:output message="tns:sayHiResponse2Wrapped" />
+        </wsdl:operation>
+  </wsdl:portType>
+  
   <wsdl:binding name="Greeter_SOAPBinding" type="tns:Greeter">
     <soap:binding style="document"
       transport="http://schemas.xmlsoap.org/soap/http" />
@@ -86,6 +143,7 @@
     </wsdl:operation>
 
   </wsdl:binding>
+  
   <wsdl:binding name="Greeter_SOAP12Binding" type="tns:Greeter">
     <soap12:binding style="document"
       transport="http://www.w3.org/2003/05/soap/bindings/HTTP/" />
@@ -109,6 +167,53 @@
     </wsdl:operation>
     
   </wsdl:binding>
+  
+  <wsdl:binding name="Greeter_WrappedSOAPBinding" type="tns:WrappedGreeter">
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="sayHiRequestWrapped">
+            <soap:operation soapAction="SAY_HI_1" />
+            <wsdl:input>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+        </wsdl:operation>
+        <wsdl:operation name="sayHiRequest2Wrapped">
+            <soap:operation soapAction="SAY_HI_2" />
+            <wsdl:input>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+        </wsdl:operation>
+  </wsdl:binding>     
+  
+  <wsdl:binding name="Greeter_WrappedSOAP12Binding" type="tns:WrappedGreeter">
+        <soap12:binding style="document"
+            transport="http://www.w3.org/2003/05/soap/bindings/HTTP/" />
+        <wsdl:operation name="sayHiRequestWrapped">
+            <soap12:operation soapAction="SAY_HI_1" />
+            <wsdl:input>
+                <soap12:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap12:body use="literal" />
+            </wsdl:output>
+        </wsdl:operation>
+        <wsdl:operation name="sayHiRequest2Wrapped">
+            <soap12:operation soapAction="SAY_HI_2" />
+            <wsdl:input>
+                <soap12:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap12:body use="literal" />
+            </wsdl:output>
+        </wsdl:operation>
+  </wsdl:binding>     
+  
   <wsdl:service name="SOAPService">
     <wsdl:port name="SoapPort" binding="tns:Greeter_SOAPBinding">
       <soap:address
@@ -121,4 +226,14 @@
         location="http://localhost:9001/SOAPDocLitService/Soap12Port" />
     </wsdl:port>
   </wsdl:service>
+  <wsdl:service name="WrappedSOAPService">
+      <wsdl:port name="WrappedSoapPort" binding="tns:Greeter_WrappedSOAPBinding">
+            <soap:address location="http://localhost:9001/SOAPDocLitService/WrappedSoapPort"
/>
+      </wsdl:port>
+  </wsdl:service>
+  <wsdl:service name="WrappedSOAP12Service">
+      <wsdl:port name="WrappedSoap12Port" binding="tns:Greeter_WrappedSOAP12Binding">
+            <soap:address location="http://localhost:9001/SOAPDocLitService/WrappedSoap12Port"
/>
+      </wsdl:port>
+  </wsdl:service>
 </wsdl:definitions>



Mime
View raw message