cxf-users mailing list archives

From jason.laskow...@aurora.org
Subject Re: wss4jInConfiguration - Security can be bypassed by client in CXF 2.0.3 incubator
Date Wed, 16 Jan 2008 20:37:07 GMT
WSS4J actually has a bug logged on this point.  See 
http://issues.apache.org/jira/browse/WSS-70 .

The question now is - should CXF fix this or should all users of CXF be 
aware of the need to check the actions size yourself?




jason.laskowski@aurora.org
01/16/2008 02:20 PM
Please respond to cxf-user@incubator.apache.org
To: cxf-user@incubator.apache.org
cc:
Subject: Re: wss4jInConfiguration - Security can be bypassed by client in CXF 2.0.3 incubator

More info.

Looking at the latest wss4j code (1.5.3), the routine ignores the fact 
that the wsse:Security is empty and falls out indicating that all is well.
They have the code to catch this hole commented out for some reason.

    protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
        int resultActions = wsResult.size();
        int size = actions.size();

        // Count check that is present in the 1.5.3 source but commented out:
        // if (size != resultActions) {
        //     throw new AxisFault(
        //         "WSDoAllReceiver: security processing failed (actions number mismatch)");
        // }

        int ai = 0;
        // Matches the results found in the header against the configured actions
        // in order. With an empty header there are no results, the loop never
        // runs, and the method returns true without any action having been checked.
        for (int i = 0; i < resultActions; i++) {
            final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult.get(i))
                    .get(WSSecurityEngineResult.TAG_ACTION);
            int act = actInt.intValue();
            if (act == WSConstants.SC || act == WSConstants.BST) {
                continue;
            }
            if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
                return false;
            }
        }
        return true;
    }



jason.laskowski@aurora.org
01/16/2008 01:29 PM
Please respond to cxf-user@incubator.apache.org
To: cxf-user@incubator.apache.org
cc:
Subject: wss4jInConfiguration - Security can be bypassed by client in CXF 2.0.3 incubator

Hello,

I'm not sure if this is an issue or lack of correct configuration on my 
part.

I found that it is really easy to bypass the security checks (UsernameToken, 
Timestamp, and/or Signature) for the WS Security settings.
All you have to do is set up the client request to pass a <wsse:Security> 
tag as empty or with garbage in it and the service side will ignore the 
fact that any of those actions are required.

Here is an example request that my service method will answer even though 
it is supposed to require a Timestamp and a Signature action in the WS 
Security setup.

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soap:mustUnderstand="1">
      leave blank or pass garbage and security is bypassed
    </wsse:Security>
  </soap:Header>
  <soap:Body
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="id-23632030">
    <ns1:sayHi xmlns:ns1="http://spring.demo/">
      <arg0>Joe</arg0>
    </ns1:sayHi>
  </soap:Body>
</soap:Envelope>

Below is my CXF Servlet Spring beans configuration.
Am I missing something to tell WS Security that the actions are mandatory?

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml" />
    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />

    <jaxws:endpoint
        id="helloWorld"
        implementor="demo.spring.HelloWorldImpl"
        address="/HelloWorld">
        <jaxws:features>
            <bean class="org.apache.cxf.feature.LoggingFeature"/>
        </jaxws:features>
        <jaxws:inInterceptors>
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
            <ref bean="wss4jInConfiguration"/>
        </jaxws:inInterceptors>
    </jaxws:endpoint>

    <bean id="wss4jInConfiguration"
          class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <property name="properties">
            <map>
                <entry key="action" value="Timestamp Signature"/>
                <entry key="passwordType" value="PasswordDigest" />
                <entry>
                    <key>
                        <value>passwordCallbackRef</value>
                    </key>
                    <ref bean="passwordCallback"/>
                </entry>
                <entry key="signaturePropFile" value="server_sign.properties"></entry>
            </map>
        </property>
    </bean>

    <bean id="passwordCallback"
          class="demo.spring.handlers.PasswordCallbackHandler"/>
    <bean id="serviceMethodAuthorizer"
          class="demo.spring.handlers.ServiceMethodAuthorizer"/>
</beans>
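As an added example (not code from this thread, from CXF or from WSS4J), this is the kind of "check the actions yourself" interceptor the reply at the top suggests as a workaround: it runs right after WSS4JInInterceptor and rejects the request unless WSS4J actually performed each configured action, so an empty or garbage wsse:Security header no longer passes. It is written against CXF 2.0.x / WSS4J 1.5.x class names; the class name and fault text are made up, and it assumes WSS4JInInterceptor leaves its results in the message under WSHandlerConstants.RECV_RESULTS.

```java
import java.util.Iterator;
import java.util.Vector;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

// Hypothetical class (added example): fails closed unless every required action ran.
public class RequiredActionsInterceptor extends AbstractPhaseInterceptor<SoapMessage> {

    // Mirrors the endpoint's action="Timestamp Signature" setting.
    private static final int[] REQUIRED = {WSConstants.TS, WSConstants.SIGN};

    public RequiredActionsInterceptor() {
        super(Phase.PRE_PROTOCOL);
        addAfter(WSS4JInInterceptor.class.getName());
    }

    public void handleMessage(SoapMessage msg) {
        // WSS4JInInterceptor stores its results under RECV_RESULTS. If the list is
        // missing or empty, no security processing happened: reject the request.
        Vector results = (Vector) msg.get(WSHandlerConstants.RECV_RESULTS);
        boolean[] seen = new boolean[REQUIRED.length];
        if (results != null) {
            for (Iterator r = results.iterator(); r.hasNext();) {
                Vector engineResults = ((WSHandlerResult) r.next()).getResults();
                for (Iterator e = engineResults.iterator(); e.hasNext();) {
                    Integer act = (Integer) ((WSSecurityEngineResult) e.next())
                            .get(WSSecurityEngineResult.TAG_ACTION);
                    for (int i = 0; act != null && i < REQUIRED.length; i++) {
                        if (act.intValue() == REQUIRED[i]) {
                            seen[i] = true;
                        }
                    }
                }
            }
        }
        for (int i = 0; i < REQUIRED.length; i++) {
            if (!seen[i]) {
                throw new SoapFault("WS-Security action not performed: " + REQUIRED[i],
                        msg.getVersion().getReceiver());
            }
        }
    }
}
```

To wire it in, declare it as a bean and add a <ref> to it directly after <ref bean="wss4jInConfiguration"/> inside <jaxws:inInterceptors>; any BST or SC results WSS4J adds are simply ignored, since only the presence of each required action matters.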

