[jira] Commented: (CXF-3043) CXF does not handle security processing on Fault responses

Daniel Kulp (JIRA) Wed, 06 Oct 2010 06:08:58 -0700

    [ 
https://issues.apache.org/jira/browse/CXF-3043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918499#action_12918499
 ]


Daniel Kulp commented on CXF-3043:
----------------------------------


This may be something that we try to enable depending on the internal fault 
type.   If it's an application level fault thrown form their implementation, 
then the fault policies should go into affect.    If it's a fault thrown from 
the incoming interceptors (such as a Security fault), then don't apply the 
policy.    Basically, if it's gotten into the application, we know the basic 
security requirements have been met.   

> CXF does not handle security processing on Fault responses
> ----------------------------------------------------------
>
>                 Key: CXF-3043
>                 URL: https://issues.apache.org/jira/browse/CXF-3043
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>
> CXF ignores WS-Security policy configuration for Fault responses (tested with 
> both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the 
> problem:
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl";
> xmlns:wns="http://ws.sosnoski.com/library/wsdl";
> xmlns:tns="http://ws.sosnoski.com/library/types";
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/";>
> <!-- Policy for Username Token with hashed password, sent from client to 
> server only -->
> <wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsp="http://www.w3.org/ns/ws-policy";
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <sp:SupportingTokens>
> <wsp:Policy>
> <sp:UsernameToken sp:IncludeToken=
> "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
> <wsp:Policy>
> <sp:HashPassword/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SupportingTokens>
> </wsp:Policy>
> <!-- Policy for symmetric binding, using an ephemeral key generated by the 
> client and
> sent to the server as part of the request, using asymmetric encryption with 
> the server
> public key to secure the symmetric key. -->
> <wsp:Policy wsu:Id="SymmEncr"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
>  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl";
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <sp:SymmetricBinding>
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token 
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> </wsp:Policy>
> <!-- Policy for encrypting the message body. -->
> <wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsp="http://www.w3.org/ns/ws-policy";
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <sp:EncryptedParts>
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:Policy>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
> URI="#UsernameToken"/>
> ...
> <wsdl:operation name="addBook">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
> URI="#SymmEncr"/>
> <wsdlsoap:operation soapAction="urn:addBook"/>
> <wsdl:input name="addBookRequest">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
> URI="#EncrBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
> <wsdl:output name="addBookResponse">
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
> <wsdl:fault name="addDuplicateFault">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
> URI="#EncrBody"/>
> <wsdlsoap:fault name="addDuplicateFault" use="literal"/>
> </wsdl:fault>
> </wsdl:operation>
> ...
> (same WSDL as for CXF-3042 - this problem shows up if you run the client code 
> multiple times, in which case the addBook operation always generates a Fault 
> response).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (CXF-3043) CXF does not handle security processing on Fault responses

Reply via email to