cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis Sosnoski (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-3043) CXF does not handle security processing on Fault responses
Date Wed, 06 Oct 2010 10:19:31 GMT
CXF does not handle security processing on Fault responses
----------------------------------------------------------

                 Key: CXF-3043
                 URL: https://issues.apache.org/jira/browse/CXF-3043
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.2.10
            Reporter: Dennis Sosnoski


CXF ignores WS-Security policy configuration for Fault responses (tested with both 2.2.10
and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
xmlns:wns="http://ws.sosnoski.com/library/wsdl"
xmlns:tns="http://ws.sosnoski.com/library/types"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">

<!-- Policy for Username Token with hashed password, sent from client to server only -->
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>

<!-- Policy for symmetric binding, using an ephemeral key generated by the client and
sent to the server as part of the request, using asymmetric encryption with the server
public key to secure the symmetric key. -->
<wsp:Policy wsu:Id="SymmEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
</wsp:Policy>

<!-- Policy for encrypting the message body. -->
<wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">

<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
...
<wsdl:operation name="addBook">

<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>

<wsdlsoap:operation soapAction="urn:addBook"/>

<wsdl:input name="addBookRequest">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:input>

<wsdl:output name="addBookResponse">
<wsdlsoap:body use="literal"/>
</wsdl:output>

<wsdl:fault name="addDuplicateFault">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
<wsdlsoap:fault name="addDuplicateFault" use="literal"/>
</wsdl:fault>

</wsdl:operation>
...
(same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple times,
in which case the addBook operation always generates a Fault response).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message