Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3DD3FD23F for ; Thu, 2 Aug 2012 17:20:55 +0000 (UTC) Received: (qmail 87661 invoked by uid 500); 2 Aug 2012 17:20:55 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 87562 invoked by uid 500); 2 Aug 2012 17:20:55 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 87555 invoked by uid 99); 2 Aug 2012 17:20:55 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 02 Aug 2012 17:20:55 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 02 Aug 2012 17:20:47 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 43F6423889DA; Thu, 2 Aug 2012 17:20:02 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1368608 - in /cxf/branches/2.5.x-fixes: rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ rt/core/src/main/java/org/apache/cxf/interceptor/ systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/ testutils/s... Date: Thu, 02 Aug 2012 17:20:01 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120802172002.43F6423889DA@eris.apache.org> Author: coheigea Date: Thu Aug 2 17:20:01 2012 New Revision: 1368608 URL: http://svn.apache.org/viewvc?rev=1368608&view=rev Log: Merged revisions 1368559 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/trunk ........ r1368559 | coheigea | 2012-08-02 16:49:51 +0100 (Thu, 02 Aug 2012) | 2 lines Some improvements to handling SOAP Actions ........ Conflicts: rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java Added: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java Modified: cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl Modified: cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties URL: 
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties (original)
+++ cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties Thu Aug 2 17:20:01 2012
@@ -31,3 +31,4 @@ INVALID_11_VERSION=A SOAP 1.2 message is
 NO_NAMESPACE=No namespace on "{0}" element.
 BP_2211_RPCLIT_CANNOT_BE_NULL=Cannot write part {0}. RPC/Literal parts cannot be null. (WS-I BP R2211)
 UNKNOWN_RPC_LIT_PART=Found element {0} but could not find matching RPC/Literal part
+SOAP_ACTION_MISMATCH=The given SOAPAction {0} does not match an operation.
Modified: cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java (original)
+++ cxf/branches/2.5.x-fixes/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/SoapActionInInterceptor.java Thu Aug 2 17:20:01 2012
@@ -22,12 +22,14 @@ package org.apache.cxf.binding.soap.inte import java.util.Collection; import java.util.List; import java.util.Map; +import java.util.logging.Logger; import org.apache.cxf.binding.soap.Soap11; import org.apache.cxf.binding.soap.Soap12; import org.apache.cxf.binding.soap.SoapBindingConstants; import org.apache.cxf.binding.soap.SoapMessage; import org.apache.cxf.binding.soap.model.SoapOperationInfo; +import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.endpoint.Endpoint; import org.apache.cxf.helpers.CastUtils; @@ -40,6 +42,8 @@ import org.apache.cxf.service.model.Oper public class SoapActionInInterceptor extends AbstractSoapInterceptor { + private static final Logger LOG = LogUtils.getL7dLogger(SoapActionInInterceptor.class); + public SoapActionInInterceptor() { super(Phase.READ); addAfter(ReadHeadersInterceptor.class.getName()); @@ -91,6 +95,10 @@ public class SoapActionInInterceptor ext } public void handleMessage(SoapMessage message) throws Fault { + if (isRequestor(message)) { + return; + } + String action = getSoapAction(message); if (!StringUtils.isEmpty(action)) { getAndSetOperation(message, action); 
@@ -108,24 +116,54 @@ public class SoapActionInInterceptor ext BindingOperationInfo bindingOp = null; - Collection bops = ep.getBinding().getBindingInfo().getOperations(); - if (bops == null) { - return; - } - for (BindingOperationInfo boi : bops) { - SoapOperationInfo soi = (SoapOperationInfo) boi.getExtensor(SoapOperationInfo.class); - if (soi != null && action.equals(soi.getAction())) { - if (bindingOp != null) { - //more than one op with the same action, will need to parse normally - return; + Collection bops = ep.getEndpointInfo() + .getBinding().getOperations(); + if (bops != null) { + for (BindingOperationInfo boi : bops) { + SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class); + if (soi != null && action.equals(soi.getAction())) { + if (bindingOp != null) { + //more than one op with the same action, will need to parse normally + return; + } + bindingOp = boi; } - bindingOp = boi; } } - if (bindingOp != null) { - ex.put(BindingOperationInfo.class, bindingOp); - ex.put(OperationInfo.class, bindingOp.getOperationInfo()); + + if (bindingOp == null) { + //we didn't match the an operation, we'll try again later to make + //sure the incoming message did end up matching an operation. 
+ //This could occur in some cases like WS-RM and WS-SecConv that will + //intercept the message with a new endpoint/operation + message.getInterceptorChain().add(new SoapActionInAttemptTwoInterceptor()); + return; + } + + ex.put(BindingOperationInfo.class, bindingOp); + ex.put(OperationInfo.class, bindingOp.getOperationInfo()); + } + + public static class SoapActionInAttemptTwoInterceptor extends AbstractSoapInterceptor { + public SoapActionInAttemptTwoInterceptor() { + super(Phase.PRE_LOGICAL); + } + public void handleMessage(SoapMessage message) throws Fault { + BindingOperationInfo boi = message.getExchange().getBindingOperationInfo(); + if (boi == null) { + return; + } + String action = getSoapAction(message); + if (StringUtils.isEmpty(action)) { + return; + } + SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class); + if (soi == null || action.equals(soi.getAction())) { + return; + } + throw new Fault("SOAP_ACTION_MISMATCH", LOG, null, action); } } + } Modified: cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java?rev=1368608&r1=1368607&r2=1368608&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java (original) +++ cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/DocLiteralInInterceptor.java Thu Aug 2 17:20:01 2012 
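Review bot: The duplicate-action branch (`if (bindingOp != null) { ... return; }`) leaves getAndSetOperation without registering SoapActionInAttemptTwoInterceptor, so when two binding operations share a SOAPAction the operation later resolved from the body is, as far as this hunk shows, never compared against the header. Adding `message.getInterceptorChain().add(new SoapActionInAttemptTwoInterceptor());` before that `return;` would give the ambiguous case the same PRE_LOGICAL check as the no-match case. The second-pass interceptor also returns silently when no BindingOperationInfo is on the exchange or the operation has no SoapOperationInfo; a short comment stating that these pass-throughs are intentional would help anyone auditing this check. getAndSetOperation begins outside the hunk.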
@@ -192,12 +192,11 @@ public class DocLiteralInInterceptor ext } else { p = findMessagePart(exchange, operations, elName, client, paramNum, message); } - - if (p == null) { - throw new Fault(new org.apache.cxf.common.i18n.Message("NO_PART_FOUND", LOG, elName), - Fault.FAULT_CODE_CLIENT); - } - + + //Make sure the elName found on the wire is actually OK for + //the purpose we need it + validatePart(p, elName, si); + o = dr.read(p, xmlReader); if (Boolean.TRUE.equals(si.getProperty("soap.force.doclit.bare")) && parameters.isEmpty()) { 
@@ -224,6 +223,44 @@ public class DocLiteralInInterceptor ext } } + private void validatePart(MessagePartInfo p, QName elName, ServiceInfo si) { + if (p == null) { + throw new Fault(new org.apache.cxf.common.i18n.Message("NO_PART_FOUND", LOG, elName), + Fault.FAULT_CODE_CLIENT); + + } + + Boolean synth = Boolean.FALSE; + if (p.getMessageInfo() != null && p.getMessageInfo().getOperation() != null) { + OperationInfo op = p.getMessageInfo().getOperation(); + Boolean b = (Boolean)op.getProperty("operation.is.synthetic"); + if (b != null) { + synth = b; + } + } + if (si != null && Boolean.TRUE.equals(si.getProperty("soap.force.doclit.bare"))) { + // something like a Provider service or similar that is forcing a + // doc/lit/bare on an endpoint that may not really be doc/lit/bare. + // we need to just let these through per spec so the endpoint + // can process it + synth = true; + } + if (p.isElement()) { + if (p.getConcreteName() != null + && !elName.equals(p.getConcreteName()) + && !Boolean.TRUE.equals(synth)) { + throw new Fault("UNEXPECTED_ELEMENT", LOG, null, elName, + p.getConcreteName()); + } + } else { + if (!(elName.equals(p.getName()) || elName.equals(p.getConcreteName())) + && !Boolean.TRUE.equals(synth)) { + throw new Fault("UNEXPECTED_ELEMENT", LOG, null, elName, + p.getConcreteName()); + } + } + } + private void getPara(DepthXMLStreamReader xmlReader, DataReader dr, MessageContentsList parameters, Modified: cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties?rev=1368608&r1=1368607&r2=1368608&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties (original) +++ cxf/branches/2.5.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/Messages.properties Thu Aug 
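Review bot: Both `UNEXPECTED_ELEMENT` faults in validatePart are built with `new Fault("UNEXPECTED_ELEMENT", LOG, null, ...)` and pass no fault code, while the `NO_PART_FOUND` fault at the top of the same method passes `Fault.FAULT_CODE_CLIENT`; a request whose body element does not fit the selected operation is a sender error and should be reported the same way. Reusing the form already in this method would do it: `throw new Fault(new org.apache.cxf.common.i18n.Message("UNEXPECTED_ELEMENT", LOG, elName, p.getConcreteName()), Fault.FAULT_CODE_CLIENT);`. The `SOAP_ACTION_MISMATCH` fault added in SoapActionInInterceptor is constructed the same way and has the same gap. In the non-element branch the message reports `p.getConcreteName()` as the expected name although `p.getName()` is accepted too, so the text can mislead when the concrete name is null.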
2 17:20:01 2012 @@ -40,4 +40,5 @@ COULD_NOT_FIND_SEICLASS=Could not find t EXCEPTION_WHILE_WRITING_FAULT = Exception occurred while writing fault. EXCEPTION_WHILE_CREATING_EXCEPTION = Exception occurred while creating exception: {0} UNEXPECTED_WRAPPER_ELEMENT = Unexpected wrapper element {0} found. Expected {1}. +UNEXPECTED_ELEMENT = Unexpected element {0} found. Expected {1}. Added: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java?rev=1368608&view=auto ============================================================================== --- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java (added) +++ cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCEncodedSoapActionGreeterImpl.java Thu Aug 2 17:20:01 2012 
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.soap;
+
+import javax.jws.WebService;
+import javax.jws.soap.SOAPBinding;
+
+import org.apache.hello_world_soap_action.WrappedGreeter;
+
+@WebService(endpointInterface = "org.apache.hello_world_soap_action.WrappedGreeter",
+serviceName = "WrappedSOAPService")
+@SOAPBinding(style = SOAPBinding.Style.RPC, use = SOAPBinding.Use.ENCODED)
+public class RPCEncodedSoapActionGreeterImpl implements WrappedGreeter {
+
+ public String sayHiRequestWrapped(String in) {
+ return "sayHi";
+ }
+
+ public String sayHiRequest2Wrapped(String in) {
+ return "sayHi2";
+ }
+
+}
Added: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java?rev=1368608&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java (added)
+++
cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/RPCLitSoapActionGreeterImpl.java Thu Aug 2 17:20:01 2012 
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.soap;
+
+import javax.jws.WebService;
+import javax.jws.soap.SOAPBinding;
+
+import org.apache.hello_world_soap_action.WrappedGreeter;
+
+@WebService(endpointInterface = "org.apache.hello_world_soap_action.WrappedGreeter",
+serviceName = "WrappedSOAPService")
+@SOAPBinding(style = SOAPBinding.Style.RPC)
+public class RPCLitSoapActionGreeterImpl implements WrappedGreeter {
+
+ public String sayHiRequestWrapped(String in) {
+ return "sayHi";
+ }
+
+ public String sayHiRequest2Wrapped(String in) {
+ return "sayHi2";
+ }
+
+}
Modified: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java (original)
+++
cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java Thu Aug 2 17:20:01 2012 @@ -19,6 +19,8 @@ package org.apache.cxf.systest.soap; +import javax.xml.ws.BindingProvider; + import org.apache.cxf.Bus; import org.apache.cxf.BusFactory; import org.apache.cxf.binding.soap.Soap12; @@ -27,6 +29,7 @@ import org.apache.cxf.jaxws.JaxWsProxyFa import org.apache.cxf.jaxws.JaxWsServerFactoryBean; import org.apache.cxf.testutil.common.TestUtil; import org.apache.hello_world_soap_action.Greeter; +import org.apache.hello_world_soap_action.WrappedGreeter; import org.junit.AfterClass; import org.junit.Assert; import org.junit.BeforeClass; @@ -35,11 +38,20 @@ import org.junit.Test; public class SoapActionTest extends Assert { static final String PORT1 = TestUtil.getPortNumber(SoapActionTest.class, 1); static final String PORT2 = TestUtil.getPortNumber(SoapActionTest.class, 2); + static final String PORT3 = TestUtil.getPortNumber(SoapActionTest.class, 3); + static final String PORT4 = TestUtil.getPortNumber(SoapActionTest.class, 4); + static final String PORT5 = TestUtil.getPortNumber(SoapActionTest.class, 5); + static final String PORT6 = TestUtil.getPortNumber(SoapActionTest.class, 6); + static final String PORT7 = TestUtil.getPortNumber(SoapActionTest.class, 7); static Bus bus; static String add11 = "http://localhost:" + PORT1 + "/test11"; static String add12 = "http://localhost:" + PORT2 + "/test12"; - + static String add13 = "http://localhost:" + PORT3 + "/testWrapped"; + static String add14 = "http://localhost:" + PORT4 + "/testWrapped12"; + static String add15 = "http://localhost:" + PORT5 + "/testRPCLit"; + static String add16 = "http://localhost:" + PORT6 + "/testRPCEncoded"; + static String add17 = "http://localhost:" + PORT7 + "/testWrappedEncoded"; @BeforeClass public static void createServers() throws Exception { 
@@ -58,7 +70,40 @@ public class SoapActionTest extends Asse config.setVersion(Soap12.getInstance()); sf.setBindingConfig(config); sf.create(); + + sf = new JaxWsServerFactoryBean(); + sf.setServiceBean(new WrappedSoapActionGreeterImpl()); + sf.setAddress(add13); + sf.setBus(bus); + sf.create(); + + sf = new JaxWsServerFactoryBean(); + sf.setServiceBean(new WrappedSoapActionGreeterImpl()); + sf.setAddress(add14); + sf.setBus(bus); + config.setVersion(Soap12.getInstance()); + sf.setBindingConfig(config); + sf.create(); + + sf = new JaxWsServerFactoryBean(); + sf.setServiceBean(new RPCLitSoapActionGreeterImpl()); + sf.setAddress(add15); + sf.setBus(bus); + sf.create(); + + sf = new JaxWsServerFactoryBean(); + sf.setServiceBean(new RPCEncodedSoapActionGreeterImpl()); + sf.setAddress(add16); + sf.setBus(bus); + sf.create(); + + sf = new JaxWsServerFactoryBean(); + sf.setServiceBean(new WrappedEncodedSoapActionGreeterImpl()); + sf.setAddress(add17); + sf.setBus(bus); + sf.create(); } + @AfterClass public static void shutdown() throws Exception { bus.shutdown(true); 
@@ -93,4 +138,348 @@ public class SoapActionTest extends Asse assertEquals("sayHi", greeter.sayHi("test")); assertEquals("sayHi2", greeter.sayHi2("test")); } + + + @Test + public void testBareSoapActionSpoofing() throws Exception { + JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean(); + pf.setServiceClass(Greeter.class); + pf.setAddress(add11); + pf.setBus(bus); + Greeter greeter = (Greeter) pf.create(); + + assertEquals("sayHi", greeter.sayHi("test")); + assertEquals("sayHi2", greeter.sayHi2("test")); + + // Now test spoofing attack + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2" + ); + try { + greeter.sayHi("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test the other operation + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1" + ); + try { + greeter.sayHi2("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test a SOAP Action that does not exist in the binding + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN" + ); + try { + greeter.sayHi("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + } + + @Test + public void testBareSoap12ActionSpoofing() throws Exception { + JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean(); + pf.setServiceClass(Greeter.class); + pf.setAddress(add12); + SoapBindingConfiguration config = new SoapBindingConfiguration(); + config.setVersion(Soap12.getInstance()); + 
pf.setBindingConfig(config); + pf.setBus(bus); + Greeter greeter = (Greeter) pf.create(); + + assertEquals("sayHi", greeter.sayHi("test")); + assertEquals("sayHi2", greeter.sayHi2("test")); + + // Now test spoofing attack + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2" + ); + try { + greeter.sayHi("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test the other operation + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1" + ); + try { + greeter.sayHi2("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test a SOAP Action that does not exist in the binding + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN" + ); + try { + greeter.sayHi("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + } + + @Test + public void testWrappedSoapActionSpoofing() throws Exception { + JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean(); + pf.setServiceClass(WrappedGreeter.class); + pf.setAddress(add13); + pf.setBus(bus); + WrappedGreeter greeter = (WrappedGreeter) pf.create(); + + assertEquals("sayHi", greeter.sayHiRequestWrapped("test")); + assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test")); + + // Now test spoofing attack + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2" + 
); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test the other operation + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1" + ); + try { + greeter.sayHiRequest2Wrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test a SOAP Action that does not exist in the binding + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN" + ); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + } + + @Test + public void testWrappedSoap12ActionSpoofing() throws Exception { + JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean(); + pf.setServiceClass(WrappedGreeter.class); + pf.setAddress(add14); + SoapBindingConfiguration config = new SoapBindingConfiguration(); + config.setVersion(Soap12.getInstance()); + pf.setBindingConfig(config); + pf.setBus(bus); + WrappedGreeter greeter = (WrappedGreeter) pf.create(); + + assertEquals("sayHi", greeter.sayHiRequestWrapped("test")); + assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test")); + + // Now test spoofing attack + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2" + ); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test the other operation + 
((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1" + ); + try { + greeter.sayHiRequest2Wrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test a SOAP Action that does not exist in the binding + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN" + ); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + } + + @Test + public void testRPCLitSoapActionSpoofing() throws Exception { + JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean(); + pf.setServiceClass(WrappedGreeter.class); + pf.setAddress(add15); + pf.setBus(bus); + WrappedGreeter greeter = (WrappedGreeter) pf.create(); + + assertEquals("sayHi", greeter.sayHiRequestWrapped("test")); + assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test")); + + // Now test spoofing attack + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2" + ); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test the other operation + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1" + ); + try { + greeter.sayHiRequest2Wrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test a SOAP Action that does not 
exist in the binding + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN" + ); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + } + + @Test + public void testRPCEncodedSoapActionSpoofing() throws Exception { + JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean(); + pf.setServiceClass(WrappedGreeter.class); + pf.setAddress(add16); + pf.setBus(bus); + WrappedGreeter greeter = (WrappedGreeter) pf.create(); + + assertEquals("sayHi", greeter.sayHiRequestWrapped("test")); + assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test")); + + // Now test spoofing attack + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2" + ); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test the other operation + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1" + ); + try { + greeter.sayHiRequest2Wrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test a SOAP Action that does not exist in the binding + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN" + ); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + } + + 
@Test + public void testWrappedEncodedSoapActionSpoofing() throws Exception { + JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean(); + pf.setServiceClass(WrappedGreeter.class); + pf.setAddress(add17); + pf.setBus(bus); + WrappedGreeter greeter = (WrappedGreeter) pf.create(); + + assertEquals("sayHi", greeter.sayHiRequestWrapped("test")); + assertEquals("sayHi2", greeter.sayHiRequest2Wrapped("test")); + + // Now test spoofing attack + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2" + ); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test the other operation + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_1" + ); + try { + greeter.sayHiRequest2Wrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + + // Test a SOAP Action that does not exist in the binding + ((BindingProvider)greeter).getRequestContext().put(BindingProvider.SOAPACTION_USE_PROPERTY, "true"); + ((BindingProvider)greeter).getRequestContext().put( + BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_UNKNOWN" + ); + try { + greeter.sayHiRequestWrapped("test"); + fail("Failure expected on spoofing attack"); + } catch (Exception ex) { + // expected + } + } + } Added: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java?rev=1368608&view=auto 
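Review bot: Each negative case ends in `catch (Exception ex) { // expected }`, so these tests pass on any failure — a refused connection or a marshalling error counts the same as the server rejecting the mismatched SOAPAction. Narrow the catch to the fault the client is expected to surface, for example `} catch (javax.xml.ws.soap.SOAPFaultException ex) {` (assuming the JAX-WS proxy reports the server fault that way; confirm against a run), and assert on the fault text where it is stable. The seven methods differ only in service class, address and binding version, so a shared private helper that takes the proxy would keep the three spoofing scenarios in one place. The enclosing class starts outside this hunk.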
============================================================================== --- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java (added) +++ cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedEncodedSoapActionGreeterImpl.java Thu Aug 2 17:20:01 2012 
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.soap;
+
+import javax.jws.WebService;
+import javax.jws.soap.SOAPBinding;
+
+import org.apache.hello_world_soap_action.WrappedGreeter;
+
+@WebService(endpointInterface = "org.apache.hello_world_soap_action.WrappedGreeter",
+ serviceName = "WrappedSOAPService")
+@SOAPBinding(use = SOAPBinding.Use.ENCODED)
+public class WrappedEncodedSoapActionGreeterImpl implements WrappedGreeter {
+
+ public String sayHiRequestWrapped(String in) {
+ return "sayHi";
+ }
+
+ public String sayHiRequest2Wrapped(String in) {
+ return "sayHi2";
+ }
+
+}
Added: cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java?rev=1368608&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java (added)
+++
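Review bot: WrappedEncodedSoapActionGreeterImpl has no class comment explaining that the two constant return values are what lets SoapActionTest tell which operation the server actually dispatched; the same applies to WrappedSoapActionGreeterImpl in the next file. testWrappedEncodedSoapActionSpoofing asserts "sayHi" and "sayHi2" before it sends the mismatched SOAPAction values, so an edit that made both methods return the same string would leave those positive checks unable to detect misrouting. I would add above each class something like `/** Test endpoint for SoapActionTest: each operation returns a distinct constant so the test can tell which one was invoked. */`. On this class I would also note that it differs from WrappedSoapActionGreeterImpl only by `@SOAPBinding(use = SOAPBinding.Use.ENCODED)`. Which address each class is published on is not visible in this hunk.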
cxf/branches/2.5.x-fixes/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/WrappedSoapActionGreeterImpl.java Thu Aug 2 17:20:01 2012 
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.soap;
+
+import javax.jws.WebService;
+
+import org.apache.hello_world_soap_action.WrappedGreeter;
+
+@WebService(endpointInterface = "org.apache.hello_world_soap_action.WrappedGreeter",
+ serviceName = "WrappedSOAPService")
+public class WrappedSoapActionGreeterImpl implements WrappedGreeter {
+
+ public String sayHiRequestWrapped(String in) {
+ return "sayHi";
+ }
+
+ public String sayHiRequest2Wrapped(String in) {
+ return "sayHi2";
+ }
+
+}
Modified: cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl?rev=1368608&r1=1368607&r2=1368608&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl (original)
+++ cxf/branches/2.5.x-fixes/testutils/src/main/resources/wsdl/hello_world_soap_action.wsdl Thu Aug 2 17:20:01 2012
@@ -26,6 +26,7 @@ xmlns:jms="http://cxf.apache.org/transports/jms" xmlns:tns="http://apache.org/hello_world_soap_action" xmlns:x1="http://apache.org/hello_world_soap_action/types" + xmlns:x2="http://apache.org/hello_world_soap_action/types/wrapped" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" targetNamespace="http://apache.org/hello_world_soap_action" name="HelloWorld"> @@ -37,6 +38,36 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -50,6 +81,19 @@ + + + + + + + + + + + + + @@ -63,6 +107,19 @@ + + + + + + + + + + + + + @@ -86,6 +143,7 @@ + @@ -109,6 +167,53 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +