cxf-issues mailing list archives

From "Fred Dushin (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-790) SOAP headers copied from input SOAPMessage to output SOAPMessage
Date Sat, 14 Jul 2007 00:53:04 GMT
SOAP headers copied from input SOAPMessage to output SOAPMessage
----------------------------------------------------------------

                 Key: CXF-790
                 URL: https://issues.apache.org/jira/browse/CXF-790
             Project: CXF
          Issue Type: Bug
          Components: Soap Binding
    Affects Versions: 2.0
            Reporter: Fred Dushin
            Priority: Blocker
             Fix For: 2.0.1


When a request is made on a server, the SOAP headers in a request appear to be copied directly
to the response SOAP message.

This is pretty severe in the case of WS-Security, because the consumer of the response has
to use the header information to "decode" the message, since the security headers contain
implicit instructions for decrypting and verifying signatures on elements in the message
(possibly elements in the security header, itself).  Typically, the originator of the request
(e.g., the client) does not have the key material to do this decoding.

One potential solution would be for the security interceptors to strip the SAAJ SOAPMessage
of its headers as part of its processing the request, but i) it's not clear we really want
to do that -- subsequent consumers on the interceptor chain, or possibly the application itself,
may need this information; ii) furthermore, there's no guarantee that a security interceptor
will be installed in an application, so there are scenarios where such a solution would not
be efficacious.

I would prefer instead that the SOAPMessage representing the response, as it is passed to
the outbound interceptor on the server side, be more of a blank slate.

This probably applies to other WS-* specs that rely on proper processing of SOAP headers.

A sample CXF program will be enclosed shortly.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
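
A regression check for the behaviour reported in this message, as an added example that is not part of the original report or of CXF's code: it canonicalizes the SOAP header blocks of a request and of its response and lists any block the response repeats. The envelopes and the function names `header_blocks` and `echoed_headers` are constructed for illustration; `xml.etree.ElementTree.canonicalize` needs Python 3.8 or later.

```python
import xml.etree.ElementTree as ET

SOAP_NS = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
S11 = SOAP_NS[0]

def header_blocks(envelope_xml):
    """Map canonical form -> qualified tag for each child of soap:Header."""
    root = ET.fromstring(envelope_xml)
    blocks = {}
    for ns in SOAP_NS:
        header = root.find(f"{{{ns}}}Header")
        if header is None:
            continue
        for block in header:
            block.tail = None  # text after the block is not part of it
            raw = ET.tostring(block, encoding="unicode")
            # C14N 2.0 with prefix rewriting and whitespace stripping, so a
            # different prefix or indentation does not hide a copied block.
            canon = ET.canonicalize(raw, strip_text=True, rewrite_prefixes=True)
            blocks[canon] = block.tag
    return blocks

def echoed_headers(request_xml, response_xml):
    """Tags of response header blocks identical to a request header block."""
    req = header_blocks(request_xml)
    resp = header_blocks(response_xml)
    return sorted(tag for canon, tag in resp.items() if canon in req)

# Constructed sample envelopes (not captured traffic).
REQUEST = f"""<s:Envelope xmlns:s="{S11}" xmlns:wsse="{WSSE}"><s:Header>
  <wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>
  </wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>"""
# Same Security block with other prefixes and whitespace: the reported bug.
RESPONSE_ECHOED = f"""<soap:Envelope xmlns:soap="{S11}"><soap:Header>
  <sec:Security xmlns:sec="{WSSE}"><sec:UsernameToken>
    <sec:Username>alice</sec:Username></sec:UsernameToken></sec:Security>
  </soap:Header><soap:Body/></soap:Envelope>"""
# What a "blank slate" response looks like: no inherited header blocks.
RESPONSE_CLEAN = f"""<s:Envelope xmlns:s="{S11}"><s:Body/></s:Envelope>"""

if __name__ == "__main__":
    print("echoed:", echoed_headers(REQUEST, RESPONSE_ECHOED))
    print("clean: ", echoed_headers(REQUEST, RESPONSE_CLEAN))
```
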

