cxf-issues mailing list archives

From "Fred Dushin (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-1433) WS-Security vulnerability
Date Thu, 14 Feb 2008 22:29:08 GMT

[ https://issues.apache.org/jira/browse/CXF-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569117#action_12569117 ]

Fred Dushin commented on CXF-1433:
----------------------------------

I am unable to reproduce this error in a standalone case.

I will attach a sample program, which illustrates the security interceptors functioning properly.
The testcase I am submitting, however, requires using the wget utility (available on most unix systems) to POST a dummy message to the server.

There may still be an issue with CXF deployed in the Tomcat container, which we can investigate next.

> WS-Security vulnerability
> -------------------------
>
>                 Key: CXF-1433
>                 URL: https://issues.apache.org/jira/browse/CXF-1433
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.0.3
>         Environment: Tomcat 5.5, Spring 2 and CXF 2.0.3 for the server and Flex WS-client
>            Reporter: Loïc FRERING
>            Priority: Critical
>
> It is possible to bypass the security checks configured with WS-Security.
> Server configured with a Username Token WS-Security authentication with Spring:
> <jaxws:endpoint id="helloWorld" implementor="service.impl.HelloWorldImpl" address="/HelloWorld">
> 		<jaxws:inInterceptors>
> 			<bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
> 			<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> 				<constructor-arg>
> 					<map>
> 						<entry key="action" value="UsernameToken"/>
> 						<entry key="passwordType" value="PasswordDigest"/>
> 						<entry key="passwordCallbackClass" value="service.security.ServerPasswordHandler"/>
> 					</map>
> 				</constructor-arg>
> 			</bean>
> 			<bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
> 			<bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
> 		</jaxws:inInterceptors>
> 	</jaxws:endpoint>
> When a SOAP message is created and sent with the following header, the server does not process the authentication and returns the response:
> <SOAP-ENV:Envelope>
>     <SOAP-ENV:Header>
>         <ns0:Security>
>             <ns0:wsse>Security</ns0:wsse>
>         </ns0:Security>
>     </SOAP-ENV:Header>
>     <SOAP-ENV:Body>
>         <ns0:sayHi>
>             <name>Loïc</name>
>         </ns0:sayHi>
>     </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
> So it is possible to bypass all the security checks configured and to use it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
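As an added illustration (not code from this issue, from WSS4J or from CXF): a fail-closed check for the kind of PasswordDigest UsernameToken the reported configuration demands, run against a constructed well-formed token and against the shape of the header in the report. The user/password table, nonce, timestamp and the `urn:example` body namespace are assumptions; the report's own header declares no namespace prefixes, so it is also fed in unchanged to show how a strict parser treats it.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
PASSWORDS = {"alice": "s3cret"}  # constructed; stands in for the lookup a ServerPasswordHandler would do

def password_digest(nonce_b64, created, password):
    """UsernameToken profile: Base64(SHA-1(decoded nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def authenticate(envelope_xml):
    """Username proven by a PasswordDigest UsernameToken, or None. Anything missing fails closed."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None  # not well-formed XML (e.g. undeclared prefixes): reject, never fall through
    header = root.find(f"{{{SOAP}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    token = security.find(f"{{{WSSE}}}UsernameToken") if security is not None else None
    if token is None:
        return None  # no Security header, or a Security header that carries no UsernameToken
    username = token.findtext(f"{{{WSSE}}}Username")
    pwd = token.find(f"{{{WSSE}}}Password")
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if not (username and nonce and created) or pwd is None or pwd.get("Type") != DIGEST:
        return None  # incomplete token, or the password is not a PasswordDigest
    expected = password_digest(nonce, created, PASSWORDS.get(username, ""))
    if username not in PASSWORDS or not hmac.compare_digest(expected.encode(), (pwd.text or "").encode()):
        return None  # unknown user or digest mismatch
    return username

def build_envelope(username, password, nonce_b64="c2FtcGxlbm9uY2U=", created="2008-02-14T22:29:08Z"):
    """Constructed client message: a complete UsernameToken around the sayHi call from the report."""
    digest = password_digest(nonce_b64, created, password)
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<SOAP-ENV:Header><wsse:Security><wsse:UsernameToken><wsse:Username>{username}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{digest}</wsse:Password><wsse:Nonce>{nonce_b64}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header>'
            '<SOAP-ENV:Body><sayHi xmlns="urn:example"><name>Loic</name></sayHi></SOAP-ENV:Body></SOAP-ENV:Envelope>')

# Constructed: the header shape from the report (a Security element whose only child is <wsse>Security</wsse>),
# with ns0 bound to the wsse namespace so the parser accepts it; the report itself declares no prefixes.
BOGUS_ENVELOPE = (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}" xmlns:ns0="{WSSE}"><SOAP-ENV:Header>'
                  '<ns0:Security><ns0:wsse>Security</ns0:wsse></ns0:Security></SOAP-ENV:Header>'
                  '<SOAP-ENV:Body><sayHi xmlns="urn:example"><name>Loic</name></sayHi></SOAP-ENV:Body></SOAP-ENV:Envelope>')
```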

