cxf-users mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: CXF takes down IBM TFIM
Date Fri, 23 Apr 2010 18:28:02 GMT
On Friday 23 April 2010 1:56:26 pm Brandon Richins wrote:
> The below test case will return a SOAP fault with a message about
> IndexOutOfBoundsException.  All future "good" requests to TFIM will
> subsequently also receive the IndexOutOfBoundsException instead of the
> correct response.  I've attached the client log for this scenario.
> 
> Can anyone confirm how many HTTP connections are made to the server for
> something like this?  I'm guessing two, one for retrieving the WSDL and
> one for sending the SOAP request.

It should be two, but if the wsdl has imports (for the schema or policies or 
such), there may be some additional requests to get those.

Also, it MAY be a single connection using Keep-Alives. You may want to look 
at trying to use Wireshark or something to see what's really happening at the 
raw wire level.

Dan

> 
> import java.util.LinkedList;
> import java.util.List;
> import java.util.Map;
> 
> import org.apache.cxf.Bus;
> import org.apache.cxf.BusFactory;
> import org.apache.cxf.binding.soap.SoapFault;
> import org.apache.cxf.feature.AbstractFeature;
> import org.apache.cxf.ws.addressing.WSAddressingFeature;
> import org.apache.cxf.ws.policy.WSPolicyFeature;
> import org.apache.cxf.ws.security.SecurityConstants;
> import org.apache.cxf.ws.security.tokenstore.SecurityToken;
> import org.apache.cxf.ws.security.trust.STSClient;
> import org.junit.Assert;
> import org.junit.Test;
> 
> public class TFIMTest {
>     @Test
>     public void testRST() throws Exception {
>         Bus bus = BusFactory.getDefaultBus();
>         STSClient client = new STSClient(bus);
> 
>         // The WSDL is fetched from the STS over HTTPS; the service and
>         // endpoint names are the WS-Trust 1.3 QNames exposed by TFIM
>         client.setWsdlLocation("https://mytfimserver.foo.org:9445/TrustServerWST13/services/RequestSecurityToken?wsdl");
>         client.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}SecurityTokenService");
>         client.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityToken");
>         client.setRequiresEntropy(false);
>         client.setFeatures(buildFeatures());
> 
>         // set user name and password (credentials used for the RST)
>         Map<String, Object> ctx = client.getRequestContext();
>         ctx.put(SecurityConstants.USERNAME, "scott");
>         ctx.put(SecurityConstants.PASSWORD, "tiger");
> 
>         String appliesTo = "http://foo.org/VER/ICM/SAML1.1";
>         String action = null;
>         String requestType = "/Issue";
>         SecurityToken target = null;
> 
>         try {
>             client.requestSecurityToken(appliesTo, action, requestType, target);
>             Assert.fail("TFIM should have thrown a fatal error");
>         } catch (SoapFault ex) {
>             // TFIM answers with a fault carrying the server-side exception
>             Assert.assertEquals("java.lang.IndexOutOfBoundsException: Index: 0, Size: 0",
>                                 ex.getMessage());
>         }
>     }
> 
>     // WS-Addressing and WS-Policy are both needed for the WS-Trust exchange
>     private List<AbstractFeature> buildFeatures() {
>         List<AbstractFeature> result = new LinkedList<AbstractFeature>();
>         result.add(new WSAddressingFeature());
>         result.add(new WSPolicyFeature());
>         return result;
>     }
> }
> 
> Brandon
> 
> 
> -----Original Message-----
> From: Dennis Sosnoski [mailto:dms@sosnoski.com]
> Sent: Thursday, April 22, 2010 8:46 PM
> To: users@cxf.apache.org
> Subject: Re: CXF takes down IBM TFIM
> 
> Any information available from the crash might help isolate the problem.
> But if this is repeatable it represents a major security issue for TFIM,
> since it shows an easy denial-of-service attack.
> 
>   - Dennis
> 
> Brandon Richins wrote:
> > When I send a RST to IBM TFIM, my STS, I crash it to the point where it
> > has to be rebooted.  If I send the same request (captured) via SoapUI or
> > TCPMon, it doesn't crash it.
> > 
> > I was wondering what kind of connection parameters are added to http(s)
> > connections, specifically when communicating with an STS.  I saw Dan's
> > recent post indicating that CXF uses Java's HttpConnection and not
> > Apache commons-http component.  I even created a simple java client that
> > matched the headers from CXF 100% but I still can't replicate taking it
> > down.  I have looked at the HttpConduit and didn't see anything out of
> > the ordinary that could cause this.  Any ideas as I try to develop a
> > test case or debug this?
> > 
> > I tried to look at increasing the log level but
> > http://cxf.apache.org/docs/debugging-and-logging.html seems to be
> > missing the example content and the linked config
> > (http://cwiki.apache.org/CXF20DOC/configuration.html) returns a 404. 
> > Any tips here would be great too.
> > 
> > Thanks in advance,
> > 
> > Brandon

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
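Dan's advice above is to look at the wire rather than at the client's headers. As an added example (not from this thread and not part of CXF or TFIM), the following Python script summarises a tshark field export so you can see how many TCP connections the STSClient actually opened, how many of the requests were WSDL/XSD fetches versus the SOAP POST carrying the RST, and whether Keep-Alive reuse put several requests on one connection. The tshark command in the docstring is an assumption about how the capture was exported (the field names are real tshark fields), and the sample capture is constructed: its paths imitate the endpoint in Brandon's test case, while the stream numbers and status codes are made up. Because the endpoint in the test is HTTPS, tshark only sees HTTP messages if you capture the plaintext leg (for example through TCPMon, as mentioned earlier in the thread) or give it the server key; otherwise count distinct tcp.stream values alone.

```python
"""Summarise an HTTP capture to answer "how many connections did the client open?"

Assumed input format (an assumption about how the capture was exported; the
field names are real tshark fields):

    tshark -r sts.pcap -Y http -T fields -E separator=/t \
        -e tcp.stream -e http.request.method -e http.request.uri -e http.response.code

One line per HTTP message. tcp.stream numbers the TCP connection, so several
requests sharing a stream mean Keep-Alive reuse; a fresh stream per request
means the client opened a new connection each time.
"""
from collections import defaultdict

# Constructed sample, not a real capture of TFIM: the paths imitate the
# endpoint from the test case in the thread; streams and codes are made up.
SAMPLE_CAPTURE = (
    "0\tGET\t/TrustServerWST13/services/RequestSecurityToken?wsdl\t\n"
    "0\t\t\t200\n"
    "0\tGET\t/TrustServerWST13/services/RequestSecurityToken?xsd=xsd0\t\n"
    "0\t\t\t200\n"
    "1\tPOST\t/TrustServerWST13/services/RequestSecurityToken\t\n"
    "1\t\t\t500\n"
)


def parse_tshark_fields(text):
    """Return a list of (stream, method, uri, status) tuples.

    Requests carry a method and URI but no status; responses carry only a
    status. Lines are padded so a trailing empty field never breaks parsing.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stream, method, uri, code = (line.split("\t") + [""] * 4)[:4]
        rows.append((int(stream), method, uri, int(code) if code else None))
    return rows


def summarise(rows):
    """Group messages by TCP connection and classify them.

    Returns a dict with:
      connections   distinct tcp.stream values seen
      requests      HTTP requests in total
      metadata_gets GETs that fetch the WSDL or an imported XSD
      soap_posts    POSTs, i.e. the actual RST calls
      keep_alive    True if any connection carried more than one request
      faults        per-connection count of 5xx responses
    """
    per_stream = defaultdict(list)
    for stream, method, uri, code in rows:
        per_stream[stream].append((method, uri, code))

    requests_per_stream = {
        s: sum(1 for method, _, _ in msgs if method) for s, msgs in per_stream.items()
    }
    faults = {
        s: sum(1 for _, _, code in msgs if code is not None and code >= 500)
        for s, msgs in per_stream.items()
    }
    metadata_gets = sum(
        1 for _, method, uri, _ in rows
        if method == "GET" and ("?wsdl" in uri.lower() or "?xsd" in uri.lower())
    )
    soap_posts = sum(1 for _, method, _, _ in rows if method == "POST")

    return {
        "connections": len(per_stream),
        "requests": sum(requests_per_stream.values()),
        "metadata_gets": metadata_gets,
        "soap_posts": soap_posts,
        "keep_alive": any(n > 1 for n in requests_per_stream.values()),
        "faults": dict(faults),
    }


if __name__ == "__main__":
    summary = summarise(parse_tshark_fields(SAMPLE_CAPTURE))
    for key, value in summary.items():
        print("%-14s %s" % (key, value))
```

On the constructed sample the WSDL and the imported schema are fetched on one connection (Keep-Alive reuse, which is why "two requests" does not imply "two connections"), and the RST goes out on a second connection and draws a 5xx. Running the same script over a real export of a good request followed by the failing one shows directly whether the fault is tied to a particular connection or, as Brandon reports, persists across all later connections to the STS.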
