Date: Tue, 13 Nov 2012 23:12:13 +0000 (UTC)
From: "Freeman Fang (JIRA)"
To: issues@cxf.apache.org
Message-ID: <721531191.110818.1352848333626.JavaMail.jiratomcat@arcas>
In-Reply-To: <1471136559.103145.1352756952515.JavaMail.jiratomcat@arcas>
Subject: [jira] [Commented] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

[ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496654#comment-13496654 ]

Freeman Fang commented on CXF-4629:
-----------------------------------

Thanks Dan for this clarification; I think you mean the URIMappingInterceptor. And +1 for your suggestion.
Freeman

> Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser
> ------------------------------------------------------------------------------------------------
>
>                 Key: CXF-4629
>                 URL: https://issues.apache.org/jira/browse/CXF-4629
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.6.3, 2.7.0
>            Reporter: Oleh Faizulin
>            Assignee: Daniel Kulp
>            Priority: Critical
>
> Hello All,
> We are running CXF web services with the following configuration:
> web.xml
> {noformat}
> <servlet>
>     <servlet-name>cxf</servlet-name>
>     <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
>     <load-on-startup>1</load-on-startup>
> </servlet>
>
> <servlet-mapping>
>     <servlet-name>cxf</servlet-name>
>     <url-pattern>/ls/*</url-pattern>
> </servlet-mapping>
> {noformat}
> spring config:
> {noformat}
> implementor="${our endpoint class}"
> address="/api"
> {noformat}
> And we discovered that all our web services are accessible via browser (HTTP Get) without any authentication.
> For instance:
> {noformat}
> http://localhost:8181/ls/api/test?a=10&b=20
> {noformat}
> {noformat}
> @WebService
> public class WSEndpoint {
>     @WebMethod
>     public int test(@WebParam(name = "a") int a,
>                     @WebParam(name = "b") int b) {
>         return a + b;
>     }
> }
> {noformat}
> returns
> {noformat}
> 30
> {noformat}
> The reason is the following code in WSS4JInInterceptor:
> {noformat}
> public final boolean isGET(SoapMessage message) {
>     String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
>     return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
> }
>
> public void handleMessage(SoapMessage msg) throws Fault {
>     if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
>         return;
>     }
>     ...
> {noformat}
> I was not able to find anything specific on google why GET methods are always allowed.
> However it's somehow related to CXF-3170:
> Please see http://cxf.547215.n5.nabble.com/svn-commit-r1062014-in-cxf-branches-2-3-x-fixes-rt-ws-security-src-main-java-org-apache-cxf-ws-secura-tt3352201.html#none
> Also I found the following thread on StackOverflow without answer:
> http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests
> Please advise on this issue.
> Regards,
> Oleh.
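The report above shows the failure mode: WSS4JInInterceptor returns early from handleMessage when isGET() is true (a GET with no XMLStreamReader content), while the URIMappingInterceptor that Freeman names in his comment turns the GET query string into an operation invocation, so the WS-Security checks never run for that request. One defensive option is to refuse GET invocations before either interceptor sees the message. The following is an added example written for this page, not CXF's own code and not the suggestion referred to in the comment; the class name RejectGetInvocationInterceptor, the choice of Phase.RECEIVE, and the HTTP 405 status are assumptions of the example.

```java
package example; // hypothetical package, not part of CXF

import java.util.logging.Logger;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Added example, not CXF's own code: rejects HTTP GET invocations of a
 * WS-Security protected endpoint before URIMappingInterceptor can map the
 * query string onto a service operation. Contract retrieval (?wsdl, ?xsd=...)
 * is still allowed, because those queries never reach a service method.
 */
public class RejectGetInvocationInterceptor extends AbstractPhaseInterceptor<Message> {

    private static final Logger LOG =
        Logger.getLogger(RejectGetInvocationInterceptor.class.getName());

    public RejectGetInvocationInterceptor() {
        // RECEIVE is the first phase of the in-chain, so this runs before
        // the WSS4J and URI-mapping interceptors look at the message.
        super(Phase.RECEIVE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        if (!"GET".equals(method)) {
            return; // POSTed SOAP continues to WSS4JInInterceptor as usual
        }
        String query = (String) message.get(Message.QUERY_STRING);
        if (isMetadataQuery(query)) {
            return; // ?wsdl / ?xsd=... only return contract metadata
        }
        // Everything else (e.g. /api/test?a=10&b=20 from the report) is refused
        // and logged so the attempt is visible in the server log.
        LOG.warning("Rejected HTTP GET invocation of a secured endpoint, query=" + query);
        Fault fault = new Fault(new SecurityException(
            "HTTP GET is not permitted for this endpoint"));
        fault.setStatusCode(405); // Method Not Allowed
        throw fault;
    }

    /** True for ?wsdl, ?wsdl=..., and ?xsd=... query strings (case-insensitive). */
    static boolean isMetadataQuery(String query) {
        if (query == null) {
            return false;
        }
        String q = query.toLowerCase();
        return q.equals("wsdl") || q.startsWith("wsdl=") || q.startsWith("xsd=");
    }
}
```

To use it, register the interceptor on the endpoint's in-interceptor list (jaxws:inInterceptors in the Spring configuration from the report) next to the existing WSS4JInInterceptor bean. Because it sits in Phase.RECEIVE it does not depend on the relative ordering of WSS4JInInterceptor and URIMappingInterceptor later in the chain; a request can then only reach a service method as a POSTed SOAP envelope that WS-Security has actually processed.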