cxf-issues mailing list archives

From "Oleh Faizulin (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser
Date Mon, 12 Nov 2012 21:49:12 GMT
Oleh Faizulin created CXF-4629:
----------------------------------

             Summary: Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser
                 Key: CXF-4629
                 URL: https://issues.apache.org/jira/browse/CXF-4629
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.7.0, 2.6.3
            Reporter: Oleh Faizulin
            Priority: Critical


Hello All,

We are running CXF web services with the following configuration:

web.xml
{noformat}
    <servlet>
        <servlet-name>cxf</servlet-name>
        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>cxf</servlet-name>
        <url-pattern>/ls/*</url-pattern>
    </servlet-mapping>
{noformat}

spring config:
{noformat}
    <!-- ######################################### -->
    <beans:import resource="classpath:META-INF/cxf/cxf.xml" />
    <beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
    <beans:import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />

    <jaxws:endpoint id="lsWebEndpoint"
        implementor="${our endpoint class}"
        address="/api" >

        <jaxws:inInterceptors>
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken"/>
                        <entry key="passwordType" value="PasswordText"/>
                        <entry key="passwordCallbackClass" value="${our password callback impl}"/>
                    </map>
                </constructor-arg>
            </bean>
        </jaxws:inInterceptors>

    </jaxws:endpoint>
{noformat}

And we discovered that all our web services are accessible via browser (HTTP Get) without
any authentication. 
For instance:
{noformat}
http://localhost:8181/ls/api/test?a=10&b=20
{noformat}
returns
{noformat}
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns2:testResponse xmlns:ns2="${our namespace}">
<return>30</return>
</ns2:testResponse>
</soap:Body>
</soap:Envelope>
{noformat}

The reason is the following code in WSS4JInInterceptor:
{noformat}
    public final boolean isGET(SoapMessage message) {
        String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
        return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
    }
    
    public void handleMessage(SoapMessage msg) throws Fault {
        // WS-Security processing is skipped entirely for a GET with no XML body
        if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
            return;
        }
    ...
{noformat}

I was not able to find anything specific on Google about why GET methods are always allowed.

However, it's somehow related to CXF-3170:
Please see http://cxf.547215.n5.nabble.com/svn-commit-r1062014-in-cxf-branches-2-3-x-fixes-rt-ws-security-src-main-java-org-apache-cxf-ws-secura-tt3352201.html#none

Also, I found the following thread on StackOverflow without an answer:
http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests

Please advise on this issue.

Regards,
Oleh.
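
A guard that a deployment in this position can add on its own side, as an added example that is not part of the issue, of the CXF code base, or of the reporter's configuration: a phase interceptor placed in the RECEIVE phase refuses every HTTP GET except the WSDL/XSD discovery queries, so a browser request like /ls/api/test?a=10&b=20 is faulted before the chain reaches the isGET() shortcut in WSS4JInInterceptor or the URI-to-operation mapping. The package, class name and the exact set of permitted query strings are assumptions; the rest relies only on the public CXF 2.x interceptor API (AbstractPhaseInterceptor, Phase, Message, Fault, LogUtils).

```java
package example.security; // hypothetical package chosen for this added example

import java.util.logging.Logger;

import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Rejects HTTP GET invocations of a WS-Security protected endpoint before
 * WSS4JInInterceptor gets the chance to skip security processing for them.
 * Only the metadata queries a SOAP endpoint legitimately serves over GET
 * (?wsdl, ?wsdl=..., ?xsd=...) are allowed through; which queries to permit
 * is an assumption of this example and should match the deployment.
 */
public class RejectGetInterceptor extends AbstractPhaseInterceptor<Message> {

    private static final Logger LOG = LogUtils.getL7dLogger(RejectGetInterceptor.class);

    public RejectGetInterceptor() {
        // RECEIVE is the first inbound phase, so this runs before
        // SAAJInInterceptor and WSS4JInInterceptor (PRE_PROTOCOL) and before
        // the UNMARSHAL-phase URI mapping that turns ?a=10&b=20 into a call.
        super(Phase.RECEIVE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        if (!"GET".equalsIgnoreCase(method)) {
            // POST and everything else continue into the normal chain, where
            // WSS4JInInterceptor enforces the UsernameToken action.
            return;
        }
        String query = (String) message.get(Message.QUERY_STRING);
        if (isMetadataQuery(query)) {
            return; // WSDL/XSD discovery is the only GET this endpoint answers
        }
        LOG.warning("Rejected HTTP GET on WS-Security protected endpoint, query="
                    + (query == null ? "<none>" : query));
        // Aborts the chain; the SOAP binding renders this as a SOAP fault,
        // so the browser never receives a service response.
        throw new Fault(new SecurityException(
            "HTTP GET is not permitted on this endpoint; use a SOAP POST with a UsernameToken"));
    }

    /** True for the WSDL/XSD discovery queries, false for anything else (including no query). */
    static boolean isMetadataQuery(String query) {
        if (query == null) {
            return false;
        }
        String q = query.toLowerCase();
        return "wsdl".equals(q) || q.startsWith("wsdl=") || q.startsWith("xsd=");
    }
}
```

Register the class as one more bean in the same jaxws:inInterceptors list as the WSS4JInInterceptor shown above; the position in that list does not matter, because CXF orders interceptors by phase, and RECEIVE precedes PRE_PROTOCOL. After deploying it, the check is the request from the report: a browser GET to http://localhost:8181/ls/api/test?a=10&b=20 must now return a SOAP fault instead of <return>30</return>, while http://localhost:8181/ls/api?wsdl must still return the contract. This is a workaround on the deployer's side; it does not change the isGET() behaviour inside WSS4JInInterceptor itself.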

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
