cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: CXF (2.7.13) Security Policy not used when SoapFault thrown due to Schema Validation
Date Wed, 06 Jan 2016 11:34:01 GMT
Hi,

I added a test to replicate this scenario and it works:

https://git1-us-west.apache.org/repos/asf?p=cxf.git;a=commit;h=fa985a4e

Could you try updating to a more recent version of CXF to see if it works?
Failing that, maybe take a look at the test I added and see if you can
modify it so that it fails as per your scenario.

Colm.

On Wed, Dec 9, 2015 at 7:38 AM, Alx <otinanism@gmail.com> wrote:

> I am attaching them at the port level i.e.:
>
> <service name="Service">
> <port name="ServiceInterfacePort"
> binding="pdef:ServiceInterfaceSecureSOAPBinding">
> <wsp:PolicyReference URI="#SecurityServiceSignPolicy" />
> <soap:address location="https://www.example.org/" />
> </port>
> </service>
>
> The problem is that the referenced binding is defined in a wsdl that I do
> not own (so I can't really attach the policy to the input, output and fault
> elements).
>
> Does this mean that the behaviour is normal when attaching the policy at
> the service element?
>
> Thank you for the feedback!
>
> Alex
>
> On Tue, Dec 1, 2015 at 4:22 PM, Colm O hEigeartaigh <coheigea@apache.org>
> wrote:
>
> > Are you attaching security policies to the wsdl:fault part of your security
> > binding? If policies are only attached to the wsdl:input/output, then the
> > SOAP Faults won't be secured. Here is an example:
> >
> > https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/fault/DoubleItFault.wsdl;h=2e388f57657c88339659e1555e5cf5c439a691ce;hb=HEAD
> >
> > Colm.
> >
> > On Fri, Nov 27, 2015 at 8:12 AM, Alexandros Trifyllis <a.trifyllis@gmail.com> wrote:
> >
> > > Further into debugging, I notice that in class AbstractPolicyInterceptor
> > > line 69 (version 2.7.13):
> > >
> > > if (faultClass != null && faultClass.isAssignableFrom(cause.getClass())) {
> > >
> > > the "faultClass" can never be "assignableFrom" the "cause".
> > >
> > > The "faultClass" is a custom class of mine which extends Exception. The
> > > "cause" in the case of schema validation
> > > is javax.xml.bind.UnmarshalException which also extends Exception.
> > >
> > > In that case, one is not assignable from the other.
> > >
> > > This failed check results in the framework not adding crucial interceptors
> > > in the chain, like PolicyBasedWSS4JOutInterceptor etc.
> > >
> > > On Thu, Nov 26, 2015 at 2:59 PM, Alexandros Trifyllis <a.trifyllis@gmail.com> wrote:
> > >
> > > > I have a wsdl with security policy for signing messages. In my endpoint I
> > > > have the annotation @SchemaValidation. When a validation throws a SoapFault
> > > > the message (with the SoapFault) is not signed. Running CXF in debug mode I
> > > > see that the interceptor chain used is different compared to the chain when
> > > > no fault occurs. This is normal but what does not seem normal is that the
> > > > fault chain does not contain interceptors
> > > > like: PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor which are
> > > > required for the message to be signed. Here is the chain when no fault
> > > > occurs:
> > > >
> > > > 14:14:56,310 FINE  [org.apache.cxf.phase.PhaseInterceptorChain] (default task-4) Chain org.apache.cxf.phase.PhaseInterceptorChain@5a2ad9f8 was modified. Current flow:
> > > >   setup [ServerPolicyOutFaultInterceptor]
> > > >   pre-logical [MAPAggregatorImpl, SoapHeaderOutFilterInterceptor, SecurityVerificationOutInterceptor]
> > > >   prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor, Soap12FaultOutInterceptor]
> > > >   pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor, StaxOutInterceptor]
> > > >   pre-protocol [WebFaultOutInterceptor, MAPCodec, PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor]
> > > >   write [SoapOutInterceptor]
> > > >   marshal [Soap12FaultOutInterceptorInternal]
> > > >   post-protocol [PolicyBasedWSS4JOutInterceptorInternal]
> > > >   write-ending [SoapOutEndingInterceptor]
> > > >   pre-protocol-ending [SAAJOutEndingInterceptor]
> > > >   pre-stream-ending [StaxOutEndingInterceptor]
> > > >   prepare-send-ending [MessageSenderEndingInterceptor]
> > > >
> > > >
> > > > and when fault occurs:
> > > >
> > > > 12:55:34,500 FINE  [org.apache.cxf.phase.PhaseInterceptorChain] (default task-3) Chain org.apache.cxf.phase.PhaseInterceptorChain@30f5696 was created. Current flow:
> > > >   setup [ServerPolicyOutFaultInterceptor]
> > > >   pre-logical [SoapHeaderOutFilterInterceptor]
> > > >   prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor, Soap12FaultOutInterceptor]
> > > >   pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor, StaxOutInterceptor]
> > > >   pre-protocol [WebFaultOutInterceptor]
> > > >   write [SoapOutInterceptor]
> > > >
> > > >
> > > > Am I missing some configuration?
> > > >
> > > > Thank you in advance
> > > >
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
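
The condition raised in the thread (policies attached to wsdl:input/output but not to wsdl:fault, leaving SOAP Faults unsecured) can be checked mechanically over a WSDL. This is an added example, not part of the original thread or of CXF; the sample WSDL and the names `unsecured_faults` and `policy_refs` are constructed for illustration, and only binding-level attachments are inspected.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"

# Constructed sample binding (not from the thread): "Lookup" signs its
# input and output but leaves its wsdl:fault without a PolicyReference.
SAMPLE_WSDL = """\
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:wsp="http://www.w3.org/ns/ws-policy">
  <binding name="SecureBinding" type="SamplePortType">
    <operation name="DoubleIt">
      <input><wsp:PolicyReference URI="#SignPolicy"/></input>
      <output><wsp:PolicyReference URI="#SignPolicy"/></output>
      <fault name="DoubleItFault"><wsp:PolicyReference URI="#SignPolicy"/></fault>
    </operation>
    <operation name="Lookup">
      <input><wsp:PolicyReference URI="#SignPolicy"/></input>
      <output><wsp:PolicyReference URI="#SignPolicy"/></output>
      <fault name="LookupFault"/>
    </operation>
  </binding>
</definitions>
"""

def policy_refs(elem):
    """URIs of direct PolicyReference children, matched by local name so
    either WS-Policy namespace version is accepted."""
    return [c.get("URI") for c in elem
            if c.tag.rsplit("}", 1)[-1] == "PolicyReference"]

def unsecured_faults(wsdl_text):
    """Return (binding, operation, fault) for every wsdl:fault lacking a
    policy in an operation whose input or output does carry one."""
    findings = []
    root = ET.fromstring(wsdl_text)
    for binding in root.iter(WSDL + "binding"):
        for op in binding.findall(WSDL + "operation"):
            messages = op.findall(WSDL + "input") + op.findall(WSDL + "output")
            if not any(policy_refs(m) for m in messages):
                continue  # nothing secured here, so no mismatch to report
            for fault in op.findall(WSDL + "fault"):
                if not policy_refs(fault):
                    findings.append((binding.get("name"), op.get("name"),
                                     fault.get("name")))
    return findings

if __name__ == "__main__":
    for finding in unsecured_faults(SAMPLE_WSDL):
        print("fault without policy: %s / %s / %s" % finding)
```

A policy attached only at the wsdl:port, as in Alx's setup, is not flagged by this check, since no input or output in the binding carries a reference.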
