cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: CXF (2.7.13) Security Policy not used when SoapFault thrown due to Schema Validation
Date Tue, 01 Dec 2015 14:22:08 GMT
Are you attaching security policies to the wsdl:fault part of your security
binding? If policies are only attached to the wsdl:input/output, then the
SOAP Faults won't be secured. Here is an example:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/fault/DoubleItFault.wsdl;h=2e388f57657c88339659e1555e5cf5c439a691ce;hb=HEAD

Colm.

On Fri, Nov 27, 2015 at 8:12 AM, Alexandros Trifyllis <a.trifyllis@gmail.com> wrote:

> Further into debugging, I notice that in class AbstractPolicyInterceptor
> line 69 (version 2.7.13):
>
> if (faultClass != null && faultClass.isAssignableFrom(cause.getClass())) {
>
> the "faultClass" can never be "assignableFrom" the "cause".
>
> The "faultClass" is a custom class of mine which extends Exception. The
> "cause" in the case of schema validation
> is javax.xml.bind.UnmarshalException which also extends Exception.
>
> In that case, one is not assignable from the other.
>
> This failed check results in the framework not adding crucial interceptors
> in the chain, like PolicyBasedWSS4JOutInterceptor etc.
>
> On Thu, Nov 26, 2015 at 2:59 PM, Alexandros Trifyllis <a.trifyllis@gmail.com> wrote:
>
> > I have a wsdl with security policy for signing messages. In my endpoint I
> > have the annotation @SchemaValidation. When a validation throws a SoapFault
> > the message (with the SoapFault) is not signed. Running CXF in debug mode I
> > see that the interceptor chain used is different compared to the chain when
> > no fault occurs. This is normal but what does not seem normal is that the
> > fault chain does not contain interceptors
> > like: PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor which are
> > required for the message to be signed. Here is the chain when no fault
> > occurs:
> >
> > 14:14:56,310 FINE  [org.apache.cxf.phase.PhaseInterceptorChain] (default
> > task-4) Chain org.apache.cxf.phase.PhaseInterceptorChain@5a2ad9f8 was
> > modified. Current flow:
> >   setup [ServerPolicyOutFaultInterceptor]
> >   pre-logical [MAPAggregatorImpl, SoapHeaderOutFilterInterceptor,
> > SecurityVerificationOutInterceptor]
> >   prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor,
> > Soap12FaultOutInterceptor]
> >   pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor,
> > StaxOutInterceptor]
> >   pre-protocol [WebFaultOutInterceptor, MAPCodec,
> > PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor]
> >   write [SoapOutInterceptor]
> >   marshal [Soap12FaultOutInterceptorInternal]
> >   post-protocol [PolicyBasedWSS4JOutInterceptorInternal]
> >   write-ending [SoapOutEndingInterceptor]
> >   pre-protocol-ending [SAAJOutEndingInterceptor]
> >   pre-stream-ending [StaxOutEndingInterceptor]
> >   prepare-send-ending [MessageSenderEndingInterceptor]
> >
> >
> > and when fault occurs:
> >
> > 12:55:34,500 FINE  [org.apache.cxf.phase.PhaseInterceptorChain] (default
> > task-3) Chain org.apache.cxf.phase.PhaseInterceptorChain@30f5696 was
> > created. Current flow:
> >   setup [ServerPolicyOutFaultInterceptor]
> >   pre-logical [SoapHeaderOutFilterInterceptor]
> >   prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor,
> > Soap12FaultOutInterceptor]
> >   pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor,
> > StaxOutInterceptor]
> >   pre-protocol [WebFaultOutInterceptor]
> >   write [SoapOutInterceptor]
> >
> >
> > Am I missing some configuration?
> >
> > Thank you in advance
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
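
A way to check a WSDL for the gap described in the reply above (policies attached to wsdl:input/output but not to wsdl:fault), as an added example that is not part of the original thread or of CXF. The sample WSDL, its names and the `unsecured_faults` helper are constructed for illustration, and the check only looks at `wsp:PolicyReference` elements placed directly under the message elements of a `wsdl:binding`.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
# PolicyReference in the WS-Policy 1.5 and 1.2 namespaces.
POLICY_REF = {
    "{http://www.w3.org/ns/ws-policy}PolicyReference",
    "{http://schemas.xmlsoap.org/ws/2004/09/policy}PolicyReference",
}

# Constructed sample: "Submit" secures input/output only, "Query" also secures its fault.
SAMPLE_WSDL = """\
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:wsp="http://www.w3.org/ns/ws-policy"
                  targetNamespace="urn:example:constructed">
  <wsdl:binding name="ExampleBinding" type="ExamplePortType">
    <wsdl:operation name="Submit">
      <wsdl:input><wsp:PolicyReference URI="#SignBodyPolicy"/></wsdl:input>
      <wsdl:output><wsp:PolicyReference URI="#SignBodyPolicy"/></wsdl:output>
      <wsdl:fault name="SubmitFault"/>
    </wsdl:operation>
    <wsdl:operation name="Query">
      <wsdl:input><wsp:PolicyReference URI="#SignBodyPolicy"/></wsdl:input>
      <wsdl:output><wsp:PolicyReference URI="#SignBodyPolicy"/></wsdl:output>
      <wsdl:fault name="QueryFault"><wsp:PolicyReference URI="#SignBodyPolicy"/></wsdl:fault>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>
"""

def policy_uris(elem):
    """URIs of the PolicyReference children attached directly to elem."""
    return [child.get("URI") for child in elem if child.tag in POLICY_REF]

def unsecured_faults(wsdl_text):
    """List (binding, operation, fault) where input/output carry a policy but the fault does not."""
    root = ET.fromstring(wsdl_text)
    findings = []
    for binding in root.iter(WSDL + "binding"):
        for op in binding.findall(WSDL + "operation"):
            message_policies = [uri for tag in ("input", "output")
                                for msg in op.findall(WSDL + tag)
                                for uri in policy_uris(msg)]
            if not message_policies:
                continue  # nothing attached at message level, so nothing to compare
            for fault in op.findall(WSDL + "fault"):
                if not policy_uris(fault):
                    findings.append((binding.get("name"), op.get("name"), fault.get("name")))
    return findings

if __name__ == "__main__":
    for finding in unsecured_faults(SAMPLE_WSDL):
        print("fault without policy: binding=%s operation=%s fault=%s" % finding)
```
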
