CXF does not handle security processing on Fault responses
----------------------------------------------------------
Key: CXF-3043
URL: https://issues.apache.org/jira/browse/CXF-3043
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 2.2.10
Reporter: Dennis Sosnoski
CXF ignores WS-Security policy configuration for Fault responses (tested with
both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl";
xmlns:wns="http://ws.sosnoski.com/library/wsdl";
xmlns:tns="http://ws.sosnoski.com/library/types";
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/";>
<!-- Policy for Username Token with hashed password, sent from client to server
only -->
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<sp:HashPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>
<!-- Policy for symmetric binding, using an ephemeral key generated by the
client and
sent to the server as part of the request, using asymmetric encryption with the
server
public key to secure the symmetric key. -->
<wsp:Policy wsu:Id="SymmEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
</wsp:Policy>
<!-- Policy for encrypting the message body. -->
<wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy";
URI="#UsernameToken"/>
...
<wsdl:operation name="addBook">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy";
URI="#SymmEncr"/>
<wsdlsoap:operation soapAction="urn:addBook"/>
<wsdl:input name="addBookRequest">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy";
URI="#EncrBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:input>
<wsdl:output name="addBookResponse">
<wsdlsoap:body use="literal"/>
</wsdl:output>
<wsdl:fault name="addDuplicateFault">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy";
URI="#EncrBody"/>
<wsdlsoap:fault name="addDuplicateFault" use="literal"/>
</wsdl:fault>
</wsdl:operation>
...
(same WSDL as for CXF-3042 - this problem shows up if you run the client code
multiple times, in which case the addBook operation always generates a Fault
response).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
