cxf-dev mailing list archives

From "David Valeri" <dval...@apache.org>
Subject WSS4JInInterceptor more lax in enforcing actions when encountering message containing a SOAP Fault
Date Wed, 28 Jul 2010 21:09:26 GMT
Lines 220-231 deal with the scenario where no security header is present at
all.  It would seem that the first if condition and the final else can be
handled by checkActions (while taking into account the ignoreActions flag).
The middle condition looks to be a potential security flaw in that we let
unsecured faults through without honoring the user's actions configuration.
If the user desires different actions in the fault scenario, they would
configure different instances of this interceptor in the fault chains.  What
reason exists for this laxness with respect to action enforcement in the
fault case?


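The enforcement question raised in the message, modelled as a stand-alone example (added here; this is not CXF or WSS4J code, and the names enforce, check_actions, performed_actions and the unsecured_fault_bypass switch are chosen for this illustration). The "no security header at all" branch is written once as a single check_actions call that honours the ignoreActions flag, and a second mode reproduces the laxness the message questions: an inbound SOAP Fault carrying no wsse:Security header is accepted regardless of the configured actions. Performed actions are inferred from the presence of header children only; a real interceptor verifies the signature, decrypts, and so on before crediting an action. The sample envelopes are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Security-header child element -> WS-Security action it evidences.
# Presence only, for the example; real processing verifies each one.
ACTION_EVIDENCE = {
    f"{{{DS_NS}}}Signature": "Signature",
    f"{{{XENC_NS}}}EncryptedKey": "Encrypt",
    f"{{{WSSE_NS}}}UsernameToken": "UsernameToken",
    f"{{{WSU_NS}}}Timestamp": "Timestamp",
}


class SecurityViolation(Exception):
    """Raised when the configured actions were not performed on the message."""


def security_header(root):
    """Return the wsse:Security header element, or None when absent."""
    return root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")


def is_fault(root):
    """True when the Body carries a SOAP 1.1 Fault."""
    return root.find(f"{{{SOAP_NS}}}Body/{{{SOAP_NS}}}Fault") is not None


def performed_actions(header):
    """Actions evidenced by the direct children of the Security header."""
    return {ACTION_EVIDENCE[c.tag] for c in header if c.tag in ACTION_EVIDENCE}


def check_actions(performed, required, ignore_actions):
    """Single check covering 'nothing required' (passes) and 'something
    missing' (rejects), honouring the ignore-actions flag."""
    if ignore_actions:
        return
    missing = set(required) - performed
    if missing:
        raise SecurityViolation(
            f"required actions not performed: {sorted(missing)}")


def enforce(envelope, required, ignore_actions=False,
            unsecured_fault_bypass=False):
    """Inbound check. With unsecured_fault_bypass=True, a Fault that has no
    Security header is accepted without consulting the required actions
    (the behaviour questioned in the message); otherwise the no-header case
    is just check_actions with an empty performed set."""
    root = ET.fromstring(envelope)
    header = security_header(root)
    if header is None:
        if unsecured_fault_bypass and is_fault(root):
            return "accepted"  # hypothetical lax mode: actions never checked
        check_actions(set(), required, ignore_actions)
        return "accepted"
    check_actions(performed_actions(header), required, ignore_actions)
    return "accepted"


def outcome(envelope, required, **opts):
    """Run enforce() and report the result as a string for comparison."""
    try:
        return enforce(envelope, required, **opts)
    except SecurityViolation as exc:
        return f"rejected: {exc}"


# Constructed sample envelopes (not captured traffic).
UNSIGNED_FAULT = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <soap:Fault><faultcode>soap:Server</faultcode>
      <faultstring>boom</faultstring></soap:Fault>
  </soap:Body>
</soap:Envelope>"""

SIGNED_FAULT = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"
    xmlns:wsse="{WSSE_NS}" xmlns:ds="{DS_NS}">
  <soap:Header><wsse:Security><ds:Signature/></wsse:Security></soap:Header>
  <soap:Body><soap:Fault><faultcode>soap:Server</faultcode></soap:Fault></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for name, env in (("unsigned fault", UNSIGNED_FAULT),
                      ("signed fault", SIGNED_FAULT)):
        print(name,
              "| lax:", outcome(env, {"Signature"}, unsecured_fault_bypass=True),
              "| strict:", outcome(env, {"Signature"}))
```

Run stand-alone, the unsigned fault is accepted in lax mode and rejected in strict mode under a Signature requirement; the same unsigned fault is accepted in strict mode only when no actions are configured or ignore_actions is set, which is the behaviour the message argues the fault chain should get through its own interceptor configuration rather than through a special case.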