cxf-issues mailing list archives

From "Ruud de Jong (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-6144) WS-Security fails if body has signature on WSS4JInInterceptor
Date Tue, 09 Dec 2014 12:04:12 GMT

     [ https://issues.apache.org/jira/browse/CXF-6144?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ruud de Jong updated CXF-6144:
------------------------------
    Description: 
If a WebService has WS-Security with the soap body as part of the signature, the incoming
security check (by the WSS4JInInterceptor) will break.
This bug was introduced in 2.7.9 and is still present in the current codebase (3.0.3).
This problem is caused by the WSS4JInInterceptor. It uses the "SAAJInInterceptor.INSTANCE.handleMessage(msg)"
on getSOAPMessage to convert a CXF SoapMessage to a javax.xml.soap.SOAPMessage.
During this conversion, the SAAJInInterceptor adds an empty text-node at the end of the soap-body.
This breaks when the soap-body is part of the signature.

The old 2.7.8 version of the SAAJInInterceptor did (line 223):
StaxUtils.readDocElements(soapMessage.getSOAPPart().getEnvelope().getBody(), xmlReader, true, true);
The new 2.7.9 version does (line 140):
StaxUtils.copy(xmlReader1, new SAAJStreamWriter(e.getSOAPPart(), e.getSOAPPart().getEnvelope().getBody()), true, true);

If I use XmlDebug in WSS4JInInterceptor right after this call, the old version returns:
(see attachment soap-body-2.7.8.txt)
while the new version returns:
(see attachment soap-body-2.7.9.txt)

Notice the additional #text/"\n" inside the body.

  was:
If a WebService has WS-Security with the soap body as part of the signature, the incoming
security check (by the WSS4JInInterceptor) will break.
This bug was introduced in 2.7.9 and is still present in the current codebase (3.0.3).
This problem is caused by the WSS4JInInterceptor. It uses the "SAAJInInterceptor.INSTANCE.handleMessage(msg)"
on getSOAPMessage to convert a CXF SoapMessage to a javax.xml.soap.SOAPMessage.
During this conversion, the SAAJInInterceptor adds an empty text-node at the end of the soap-body.
This breaks when the soap-body is part of the signature.

The old 2.7.8 version of the SAAJInInterceptor did (line 223):
StaxUtils.readDocElements(soapMessage.getSOAPPart().getEnvelope().getBody(), xmlReader, true, true);
The new 2.7.9 version does (line 140):
StaxUtils.copy(xmlReader1, new SAAJStreamWriter(e.getSOAPPart(), e.getSOAPPart().getEnvelope().getBody()), true, true);

If I use XmlDebug in WSS4JInInterceptor right after this call, the old version returns:
   soapenv:Body/"" wsu:Id=id-DAA3E142F565CE51EF1418124875319916 xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
      ns:genereerProduct/""
         ns:productRequest/""
            ns:klantreferentie/""
               #text/"123"
            ns:productnaam/""
               #text/"456"
            ns:productversie/""
               #text/"789"
            ns:productsleutel/""
               ns:kvkNummer/""
                  #text/"33333333"
   #text/"\n"
   #text/"\n"

while the new version returns:
   soapenv:Body/"" wsu:Id=id-DAA3E142F565CE51EF1418124875319916 xmlns:wsu=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
      ns:genereerProduct/""
         ns:productRequest/""
            ns:klantreferentie/""
               #text/"123"
            ns:productnaam/""
               #text/"456"
            ns:productversie/""
               #text/"789"
            ns:productsleutel/""
               ns:kvkNummer/""
                  #text/"33333333"
      #text/"\n"
   #text/"\n"
   #text/"\n"

Notice the additional #text/"\n" inside the body.


> WS-Security fails if body has signature on WSS4JInInterceptor
> -------------------------------------------------------------
>
>                 Key: CXF-6144
>                 URL: https://issues.apache.org/jira/browse/CXF-6144
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.9
>         Environment: Any
>            Reporter: Ruud de Jong
>         Attachments: XmlDebug.java, soap-body-2.7.8.txt, soap-body-2.7.9.txt
>
>
> If a WebService has WS-Security with the soap body as part of the signature, the incoming
> security check (by the WSS4JInInterceptor) will break.
> This bug was introduced in 2.7.9 and is still present in the current codebase (3.0.3).
> This problem is caused by the WSS4JInInterceptor. It uses the "SAAJInInterceptor.INSTANCE.handleMessage(msg)"
> on getSOAPMessage to convert a CXF SoapMessage to a javax.xml.soap.SOAPMessage.
> During this conversion, the SAAJInInterceptor adds an empty text-node at the end of the
> soap-body.
> This breaks when the soap-body is part of the signature.
> The old 2.7.8 version of the SAAJInInterceptor did (line 223):
> StaxUtils.readDocElements(soapMessage.getSOAPPart().getEnvelope().getBody(), xmlReader, true, true);
> The new 2.7.9 version does (line 140):
> StaxUtils.copy(xmlReader1, new SAAJStreamWriter(e.getSOAPPart(), e.getSOAPPart().getEnvelope().getBody()), true, true);
> If I use XmlDebug in WSS4JInInterceptor right after this call, the old version returns:
> (see attachment soap-body-2.7.8.txt)
> while the new version returns:
> (see attachment soap-body-2.7.9.txt)
> Notice the additional #text/"\n" inside the body.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
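
An added illustration, not part of the original message and not CXF or WSS4J code: why a single whitespace text node inside a signed soapenv:Body makes the reference digest check fail, plus a small check that locates such nodes. Assumptions: Python's standard-library C14N 2.0 stands in for the canonicalization the signature actually names (both keep whitespace text nodes), SHA-256 is the digest, and the body, namespace and wsu:Id are constructed samples modelled on the XmlDebug dump.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
NS = "urn:example:product"  # constructed; the report does not show the real namespace


def body(trailing_text=""):
    """Constructed SOAP body modelled on the XmlDebug dump; trailing_text is
    placed after the last child element, inside soapenv:Body."""
    return (
        f'<soapenv:Body xmlns:soapenv="{SOAPENV}" xmlns:wsu="{WSU}" '
        f'xmlns:ns="{NS}" wsu:Id="id-constructed">'
        "<ns:genereerProduct><ns:productRequest>"
        "<ns:klantreferentie>123</ns:klantreferentie>"
        "</ns:productRequest></ns:genereerProduct>"
        f"{trailing_text}</soapenv:Body>"
    )


def reference_digest(element_xml):
    """Base64 SHA-256 over the canonical bytes, the value a ds:DigestValue holds."""
    canonical = ET.canonicalize(xml_data=element_xml)  # text nodes are kept
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode()


def whitespace_children(element_xml):
    """List whitespace-only text nodes that are direct children of the element."""
    root = ET.fromstring(element_xml)
    found = []
    if root.text and not root.text.strip():
        found.append(("start of body", root.text))
    for child in root:
        if child.tail and not child.tail.strip():
            found.append((child.tag.rsplit("}", 1)[-1], child.tail))
    return found


def reference_matches(signed_digest, received_xml):
    """True only if the received element still canonicalizes to the signed bytes."""
    return reference_digest(received_xml) == signed_digest


if __name__ == "__main__":
    signed = reference_digest(body())   # digest over the body as the sender signed it
    converted = body("\n")              # same body with one extra "\n" text node
    print("digest still matches:", reference_matches(signed, converted))
    print("whitespace nodes in body:", whitespace_children(converted))
```

Comparing the whitespace-node list before and after the SAAJ conversion step pinpoints where the DOM diverged from the bytes that were signed.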
