cxf-issues mailing list archives

From "Dallas Vaughan (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CXF-6409) CXF web service cannot process MTOM/XOP-optimized content within a CipherValue element
Date Tue, 19 May 2015 16:18:01 GMT

    [ https://issues.apache.org/jira/browse/CXF-6409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14550645#comment-14550645 ]

Dallas Vaughan edited comment on CXF-6409 at 5/19/15 4:17 PM:
--------------------------------------------------------------

Here is the sanitized request (I added formatting to the XML part for readability). There
is no stack trace as the original XMLSecurityException gets swallowed and rethrown as a generic
WSSecurityException (which then gets sent back as a fault). I found the cause by stepping
through Santuario code during the processing of the request.

The exception thrown for the DOM-based implementation (which is also swallowed so there's
no stack trace) is a {{java.lang.ArrayIndexOutOfBoundsException}} in the {{org.apache.xml.security.encryption.XMLCipher.decryptToByteArray()}}
method at a {{System.arraycopy(encryptedBytes, 0, ivBytes, ivLen)}} call where
{{encryptedBytes.length == 0}}, {{ivBytes.length == 16}}, and {{ivLen == 16}}. When I stepped through this I found
that it happens during processing of an EncryptedData/CipherData/CipherValue element that
contains an {{xop:Include}} element.  Since it probably expects base64 here, it failed to
initialize {{encryptedBytes}} and {{System.arraycopy}} expects a byte array of length 16.

*EDIT*: I've attached the web service policy file in use for the CXF endpoint (and metro client).

{code:xml|title=Metro Request|borderStyle=solid}
POST /test/services/myService HTTP/1.1
Accept: text/xml, multipart/related
Content-Type: multipart/related;start="<rootpart*950412d0-d43b-4058-bff6-0a3d54c79563@example.jaxws.sun.com>";type="application/xop+xml";boundary="uuid:950412d0-d43b-4058-bff6-0a3d54c79563";start-info="text/xml"
SOAPAction: "http://example.com/webservice/myService/myOperation"
User-Agent: JAX-WS RI 2.2.10 svn-revision#919b322c92f13ad085a933e8dd6dd35d4947364b
Host: example.com:3333
Connection: keep-alive
Content-Length: 11154

--uuid:950412d0-d43b-4058-bff6-0a3d54c79563
Content-Id: <rootpart*950412d0-d43b-4058-bff6-0a3d54c79563@example.jaxws.sun.com>
Content-Type: application/xop+xml;charset=utf-8;type="text/xml"
Content-Transfer-Encoding: binary

<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <S:Header>
        <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:3333/test/services/myService</To>
        <Action S:mustUnderstand="1" xmlns="http://www.w3.org/2005/08/addressing" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">http://example.com/webservice/myService/myOperation</Action>
        <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
        </ReplyTo>
        <FaultTo xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
        </FaultTo>
        <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:52fd687a-8d92-44cb-ac24-0be1e1f4b25f</MessageID>
        <wsse:Security S:mustUnderstand="1">
            <wsu:Timestamp wsu:Id="_3" xmlns:ns17="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                <wsu:Created>2015-05-11T03:04:16Z</wsu:Created>
                <wsu:Expires>2015-05-11T03:09:16Z</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey Id="_5003" xmlns:ns17="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
                    <wsse:SecurityTokenReference>
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=example.com, OU=ABC Group, O=Example,
L=Washington, ST=DC, C=US</ds:X509IssuerName>
                                <ds:X509SerialNumber>1234567890</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                        <xop:Include href="cid:7a19bfbe-029c-49f3-ae8d-7b1a358d5a52@example.jaxws.sun.com"/>
                    </xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                    <xenc:DataReference URI="#_5004"/>
                    <xenc:DataReference URI="#_5005"/>
                    <xenc:DataReference URI="#_5006"/>
                </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <xenc:EncryptedData Id="_5006" Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns:ns17="http://www.w3.org/2003/05/soap-envelope" xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                <xenc:CipherData>
                    <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                        <xop:Include href="cid:934d35f9-01e8-468e-9e1e-c50b387a95c2@example.jaxws.sun.com"/>
                    </xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="uuid_8e5eec8c-bbf4-40b4-9eea-12beecbdd981" xmlns:ns17="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:xop="http://www.w3.org/2004/08/xop/include">
                <xop:Include href="cid:d921b6b7-a534-4d85-83d3-e03f0bbdf1a4@example.jaxws.sun.com"/>
            </wsse:BinarySecurityToken>
            <xenc:EncryptedData Id="_5005" Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns:ns17="http://www.w3.org/2003/05/soap-envelope" xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                <xenc:CipherData>
                    <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                        <xop:Include href="cid:2c0a72f7-794f-4637-8d07-8ee0e8433145@example.jaxws.sun.com"/>
                    </xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
        </wsse:Security>
    </S:Header>
    <S:Body wsu:Id="_5002">
        <xenc:EncryptedData Id="_5004" Type="http://www.w3.org/2001/04/xmlenc#Content"
xmlns:ns17="http://www.w3.org/2003/05/soap-envelope" xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <xenc:CipherData>
                <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                    <xop:Include href="cid:81d3295e-2b64-4254-b697-67bcdb1d522e@example.jaxws.sun.com"/>
                </xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </S:Body>
</S:Envelope>
--uuid:950412d0-d43b-4058-bff6-0a3d54c79563
Content-Id: <7a19bfbe-029c-49f3-ae8d-7b1a358d5a52@example.jaxws.sun.com>
Content-Type: application/ciphervalue
Content-Transfer-Encoding: binary

H���k-�q��2s1  ߲r���ЭGMp~���Sc™(�M]�*���"�v�y��v�
v��w(�C�d�?�N�������^_��<�'ƿ    o��\�D�{�"(�J7�{�Txv�kЁ�T�U�A岏3��a\���`��Wh���q
�?��WRr�8t����D��[匁�S�6���'��|'����I����4JDyy��J�������{��'he��۟��F�w�Ch����t6⢾V�D:+��g�\�̜
--uuid:950412d0-d43b-4058-bff6-0a3d54c79563
Content-Id: <934d35f9-01e8-468e-9e1e-c50b387a95c2@example.jaxws.sun.com>
Content-Type: application/ciphervalue
Content-Transfer-Encoding: binary

��������W4�ĐJǀyp��?�xʰ��g�@Cr��!���@�2�$3����
�\���VK��}r�¿�`I  ���[Gb�R������ �=��C��Y�!h���j���ܣ�����1Xy�΋���
2|Ճn"
6LӖ�yy�w%��B�GqHZ�
����P��Jr��`E'
{code}

{code:xml|title=Web Service Policy definitions|borderStyle=solid}
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<wsdl:definitions
        xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
        xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
        xmlns:wsp="http://www.w3.org/ns/ws-policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
        xmlns:wsoma="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization"
        name="myWebServicePolicy" targetNamespace="http://example.com/webservice/securitypolicy">

    <wsp:Policy 
            wsp:Name="http://example.com/webservice/securitypolicy/generalBindingPolicy"
            wsu:Id="myWebServiceGeneralBindingPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <wsoma:OptimizedMimeSerialization/>
                <wsam:Addressing wsp:Optional="false"/>
                <wssp:AsymmetricBinding>
                    <wsp:Policy>
                        <wssp:InitiatorToken>
                            <wsp:Policy>
                                <wssp:X509Token wssp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <wssp:WssX509V3Token10/>
                                    </wsp:Policy>
                                </wssp:X509Token>
                            </wsp:Policy>
                        </wssp:InitiatorToken>
                        <wssp:RecipientToken>
                            <wsp:Policy>
                                <wssp:X509Token wssp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                    <wsp:Policy>
                                        <wssp:WssX509V3Token10/>
                                        <wssp:RequireIssuerSerialReference/>
                                    </wsp:Policy>
                                </wssp:X509Token>
                            </wsp:Policy>
                        </wssp:RecipientToken>
                        <wssp:IncludeTimestamp/>
                        <wssp:OnlySignEntireHeadersAndBody/>
                        <wssp:AlgorithmSuite>
                            <wsp:Policy>
                                <wssp:Basic256Sha256/>
                            </wsp:Policy>
                        </wssp:AlgorithmSuite>
                        <wssp:EncryptSignature/>
                        <wssp:ProtectTokens />
                    </wsp:Policy>
                </wssp:AsymmetricBinding>
                <wssp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                    <wsp:Policy>
                        <sp:UsernameToken
                                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <sp:WssUsernameToken10 />
                            </wsp:Policy>
                        </sp:UsernameToken>
                    </wsp:Policy>
                </wssp:SignedEncryptedSupportingTokens>
                <wssp:Wss11>
                    <wsp:Policy>
                        <wssp:MustSupportRefIssuerSerial/>
                    </wsp:Policy>
                </wssp:Wss11>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

    <wsp:Policy
            wsp:Name="http://example.com/webservice/securitypolicy/bindingInputPolicy"
            wsu:Id="myWebServiceBindingInputPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <wssp:EncryptedParts>
                    <wssp:Body/>
                </wssp:EncryptedParts>
                <wssp:SignedParts>
                    <wssp:Body/>
                </wssp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

    <wsp:Policy 
            wsp:Name="http://example.com/webservice/securitypolicy/bindingOutputPolicy"
            wsu:Id="myWebServiceBindingOutputPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <wssp:EncryptedParts>
                    <wssp:Body/>
                </wssp:EncryptedParts>
                <wssp:SignedParts>
                    <wssp:Body/>
                </wssp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

    <wsp:Policy 
            wsp:Name="http://example.com/webservice/securitypolicy/bindingFaultPolicy"
            wsu:Id="myWebServiceBindingFaultPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <wssp:EncryptedParts>
                    <wssp:Body/>
                </wssp:EncryptedParts>
                <wssp:SignedParts>
                    <wssp:Body/>
                </wssp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</wsdl:definitions>
{code}



> CXF web service cannot process MTOM/XOP-optimized content within a CipherValue element
> --------------------------------------------------------------------------------------
>
>                 Key: CXF-6409
>                 URL: https://issues.apache.org/jira/browse/CXF-6409
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.4
>            Reporter: Dallas Vaughan
>            Assignee: Colm O hEigeartaigh
>
> When a CXF (WS-Security streaming-enabled) web service endpoint is configured to use
> WS-Security and MTOM, CXF cannot handle requests from .NET and Metro clients because it cannot
> process {{xop:Include}} elements that are children of {{enc:CipherValue}} elements, as both
> of these clients will optimize any large encrypted (base64-encoded binary) content by serializing
> it as a MIME part.
> For example, when a Metro MTOM-optimized WS-Security-based request is sent to a CXF endpoint,
> the following exception is thrown within {{org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor$DecryptionThread.run()}}:
> {code}org.apache.xml.security.exceptions.XMLSecurityException: Unexpected StAX-Event: START_ELEMENT{code}
> This makes it impossible for .NET and Metro clients to communicate with CXF endpoints
> which have the MTOM and encryption policies specified.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
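
The failure mode described in the comment above, as an added Java illustration (not code from Santuario, CXF or the reporter): a `CipherValue` read as base64 text yields zero bytes when its only child is an `xop:Include`, and an explicit length check before the IV split turns that into a clear error. The class and method names and the `part1@example.com` content-id are hypothetical, and the MIME parts are assumed to be already parsed into a map keyed by Content-Id.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added illustration; not Santuario or CXF code. All names here are hypothetical.
public class CipherValueResolver {
    static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    static final String XOP_NS = "http://www.w3.org/2004/08/xop/include";

    // Raw ciphertext of a CipherValue: the cid-referenced MIME part when the
    // element holds an xop:Include child, otherwise the decoded base64 text.
    static byte[] resolve(Element cipherValue, Map<String, byte[]> attachments) {
        for (Node n = cipherValue.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && XOP_NS.equals(n.getNamespaceURI())
                    && "Include".equals(n.getLocalName())) {
                String href = ((Element) n).getAttribute("href");
                // Percent-decoding of the content-id is omitted in this sketch.
                byte[] part = href.startsWith("cid:") ? attachments.get(href.substring(4)) : null;
                if (part == null) {
                    throw new IllegalArgumentException("unresolvable xop:Include href: " + href);
                }
                return part;
            }
        }
        return textOnly(cipherValue);
    }

    // Base64-only reading: the MIME decoder ignores line breaks and other non-base64
    // characters, so a CipherValue holding only an xop:Include decodes to zero bytes.
    static byte[] textOnly(Element cipherValue) {
        return Base64.getMimeDecoder().decode(cipherValue.getTextContent());
    }

    // Splits the IV from the payload, rejecting input too short to contain both
    // instead of letting an array copy fail later.
    static byte[][] splitIv(byte[] encrypted, int ivLen) {
        if (encrypted.length <= ivLen) {
            throw new IllegalArgumentException(encrypted.length + " bytes cannot hold a " + ivLen + "-byte IV plus data");
        }
        return new byte[][] { Arrays.copyOfRange(encrypted, 0, ivLen),
                              Arrays.copyOfRange(encrypted, ivLen, encrypted.length) };
    }

    static Element parseCipherValue(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        byte[] utf8 = xml.getBytes(StandardCharsets.UTF_8);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(utf8)).getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        byte[] part = new byte[48]; // constructed sample: 16-byte IV followed by 32 bytes
        String ns = " xmlns:xenc='" + XENC_NS + "' xmlns:xop='" + XOP_NS + "'";
        Element xop = parseCipherValue("<xenc:CipherValue" + ns + ">\n"
                + "  <xop:Include href='cid:part1@example.com'/>\n</xenc:CipherValue>");
        Element inline = parseCipherValue("<xenc:CipherValue" + ns + ">"
                + Base64.getEncoder().encodeToString(part) + "</xenc:CipherValue>");
        Map<String, byte[]> parts = Map.of("part1@example.com", part);
        System.out.println("text-only bytes: " + textOnly(xop).length);
        try {
            splitIv(textOnly(xop), 16);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("xop payload bytes: " + splitIv(resolve(xop, parts), 16)[1].length);
        System.out.println("inline payload bytes: " + splitIv(resolve(inline, parts), 16)[1].length);
    }
}
```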
