cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Kulp (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-3043) CXF does not handle security processing on Fault responses
Date Wed, 06 Oct 2010 13:08:31 GMT

    [ https://issues.apache.org/jira/browse/CXF-3043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918499#action_12918499
] 

Daniel Kulp commented on CXF-3043:
----------------------------------


This may be something that we try to enable depending on the internal fault type.   If it's
an application level fault thrown form their implementation, then the fault policies should
go into affect.    If it's a fault thrown from the incoming interceptors (such as a Security
fault), then don't apply the policy.    Basically, if it's gotten into the application, we
know the basic security requirements have been met.   

> CXF does not handle security processing on Fault responses
> ----------------------------------------------------------
>
>                 Key: CXF-3043
>                 URL: https://issues.apache.org/jira/browse/CXF-3043
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>
> CXF ignores WS-Security policy configuration for Fault responses (tested with both 2.2.10
and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
> <!-- Policy for Username Token with hashed password, sent from client to server only
-->
> <wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SupportingTokens>
> <wsp:Policy>
> <sp:UsernameToken sp:IncludeToken=
> "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:HashPassword/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SupportingTokens>
> </wsp:Policy>
> <!-- Policy for symmetric binding, using an ephemeral key generated by the client
and
> sent to the server as part of the request, using asymmetric encryption with the server
> public key to secure the symmetric key. -->
> <wsp:Policy wsu:Id="SymmEncr"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SymmetricBinding>
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> </wsp:Policy>
> <!-- Policy for encrypting the message body. -->
> <wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:EncryptedParts>
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:Policy>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
> ...
> <wsdl:operation name="addBook">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>
> <wsdlsoap:operation soapAction="urn:addBook"/>
> <wsdl:input name="addBookRequest">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
> <wsdl:output name="addBookResponse">
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
> <wsdl:fault name="addDuplicateFault">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:fault name="addDuplicateFault" use="literal"/>
> </wsdl:fault>
> </wsdl:operation>
> ...
> (same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple
times, in which case the addBook operation always generates a Fault response).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message