[ https://issues.apache.org/jira/browse/CXF-6409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14550645#comment-14550645 ]

Dallas Vaughan commented on CXF-6409:
-------------------------------------

Here is the sanitized request (I added formatting to the XML part for 
readability). There is no stack trace as the original XMLSecurityException gets 
swallowed and rethrown as a generic WSSecurityException (which then gets sent 
back as a fault). I found the cause by stepping through Santuario code during 
the processing of the request.

The exception thrown for the DOM-based implementation (which is also swallowed 
so there's no stack trace) is a {{java.lang.ArrayIndexOutOfBoundsException}} in 
the {{org.apache.xml.security.encryption.XMLCipher.decryptToByteArray()}} 
method at a {{System.arraycopy(encryptedBytes, 0, ivBytes, ivLen)}} call where 
{{encryptedBytes.length == 0}}, {{ivBytes.length == 16}}, and {{ivLen == 16}}. 
When I stepped through this I found that it happens during processing of an 
EncryptedData/CipherData/CipherValue element that contains an {{xop:Include}} 
element.  Since it probably expects base64 here, it failed to initialize 
{{encryptedBytes}} and {{System.arraycopy}} expects a byte array of length 16.

{code:title=Metro Request|borderStyle=solid}
POST /test/services/myService HTTP/1.1
Accept: text/xml, multipart/related
Content-Type: multipart/related;start="<rootpart*950412d0-d43b-4058-bff6-0a3d54c79...@example.jaxws.sun.com>";type="application/xop+xml";boundary="uuid:950412d0-d43b-4058-bff6-0a3d54c79563";start-info="text/xml"
SOAPAction: "http://example.com/webservice/myService/myOperation"
User-Agent: JAX-WS RI 2.2.10 svn-revision#919b322c92f13ad085a933e8dd6dd35d4947364b
Host: example.com:3333
Connection: keep-alive
Content-Length: 11154

--uuid:950412d0-d43b-4058-bff6-0a3d54c79563
Content-Id: <rootpart*950412d0-d43b-4058-bff6-0a3d54c79...@example.jaxws.sun.com>
Content-Type: application/xop+xml;charset=utf-8;type="text/xml"
Content-Transfer-Encoding: binary

<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <S:Header>
        <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:3333/test/services/myService</To>
        <Action S:mustUnderstand="1" xmlns="http://www.w3.org/2005/08/addressing" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">http://example.com/webservice/myService/myOperation</Action>
        <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
        </ReplyTo>
        <FaultTo xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
        </FaultTo>
        <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:52fd687a-8d92-44cb-ac24-0be1e1f4b25f</MessageID>
        <wsse:Security S:mustUnderstand="1">
            <wsu:Timestamp wsu:Id="_3"
                xmlns:ns17="http://www.w3.org/2003/05/soap-envelope"
                xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                <wsu:Created>2015-05-11T03:04:16Z</wsu:Created>
                <wsu:Expires>2015-05-11T03:09:16Z</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey Id="_5003"
                xmlns:ns17="http://www.w3.org/2003/05/soap-envelope"
                xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
                    <wsse:SecurityTokenReference>
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=example.com, OU=ABC Group, O=Example, L=Washington, ST=DC, C=US</ds:X509IssuerName>
                                <ds:X509SerialNumber>1234567890</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                        <xop:Include href="cid:7a19bfbe-029c-49f3-ae8d-7b1a358d5a52@example.jaxws.sun.com"/>
                    </xenc:CipherValue>
                </xenc:CipherData>
                <xenc:ReferenceList>
                    <xenc:DataReference URI="#_5004"/>
                    <xenc:DataReference URI="#_5005"/>
                    <xenc:DataReference URI="#_5006"/>
                </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <xenc:EncryptedData Id="_5006" Type="http://www.w3.org/2001/04/xmlenc#Element"
                xmlns:ns17="http://www.w3.org/2003/05/soap-envelope"
                xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                <xenc:CipherData>
                    <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                        <xop:Include href="cid:934d35f9-01e8-468e-9e1e-c50b387a95c2@example.jaxws.sun.com"/>
                    </xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
            <wsse:BinarySecurityToken
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                wsu:Id="uuid_8e5eec8c-bbf4-40b4-9eea-12beecbdd981"
                xmlns:ns17="http://www.w3.org/2003/05/soap-envelope"
                xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:xop="http://www.w3.org/2004/08/xop/include">
                <xop:Include href="cid:d921b6b7-a534-4d85-83d3-e03f0bbdf1a4@example.jaxws.sun.com"/>
            </wsse:BinarySecurityToken>
            <xenc:EncryptedData Id="_5005" Type="http://www.w3.org/2001/04/xmlenc#Element"
                xmlns:ns17="http://www.w3.org/2003/05/soap-envelope"
                xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                <xenc:CipherData>
                    <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                        <xop:Include href="cid:2c0a72f7-794f-4637-8d07-8ee0e8433145@example.jaxws.sun.com"/>
                    </xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
        </wsse:Security>
    </S:Header>
    <S:Body wsu:Id="_5002">
        <xenc:EncryptedData Id="_5004" Type="http://www.w3.org/2001/04/xmlenc#Content"
            xmlns:ns17="http://www.w3.org/2003/05/soap-envelope"
            xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <xenc:CipherData>
                <xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
                    <xop:Include href="cid:81d3295e-2b64-4254-b697-67bcdb1d522e@example.jaxws.sun.com"/>
                </xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </S:Body>
</S:Envelope>
--uuid:950412d0-d43b-4058-bff6-0a3d54c79563
Content-Id: <7a19bfbe-029c-49f3-ae8d-7b1a358d5...@example.jaxws.sun.com>
Content-Type: application/ciphervalue
Content-Transfer-Encoding: binary

H���k-�q��2s1  ߲r���ЭGMp~���Sc™(�M]�*���"�v�y��v�
v��w(�C�d�?�N�������^_��<�'ƿ    
o��\�D�{�"(�J7�{�Txv�kЁ�T�U�A岏3��a\���`��Wh���q 
�?��WRr�8t����D��[匁�S�6���'��|'����I����4JDyy��J�������{��'he��۟��F�w�Ch����t6⢾V�D:+��g�\�̜
--uuid:950412d0-d43b-4058-bff6-0a3d54c79563
Content-Id: <934d35f9-01e8-468e-9e1e-c50b387a9...@example.jaxws.sun.com>
Content-Type: application/ciphervalue
Content-Transfer-Encoding: binary

��������W4�ĐJǀyp��?�xʰ��g�@Cr��!���@�2�$3����
�\���VK��}r�¿�`I  ���[Gb�R������ �=��C��Y�!h���j���ܣ�����1Xy�΋��� 
2|Ճn"
6LӖ�yy�w%��B�GqHZ�
����P��Jr��`E'
{code}

> CXF web service cannot process MTOM/XOP-optimized content within a 
> CipherValue element
> --------------------------------------------------------------------------------------
>
>                 Key: CXF-6409
>                 URL: https://issues.apache.org/jira/browse/CXF-6409
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.4
>            Reporter: Dallas Vaughan
>            Assignee: Colm O hEigeartaigh
>
> When a CXF (WS-Security streaming-enabled) web service endpoint is configured 
> to use WS-Security and MTOM, CXF cannot handle requests from .NET and Metro 
> clients because it cannot process {{xop:Include}} elements that are children 
> of {{enc:CipherValue}} elements, as both of these clients will optimize any 
> large encrypted (base64-encoded binary) content by serializing it as a MIME 
> part.
> For example, when a Metro MTOM-optimized WS-Security-based request is sent to 
> a CXF endpoint, the following exception is thrown within 
> {{org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor$DecryptionThread.run()}}:
> {code}org.apache.xml.security.exceptions.XMLSecurityException: Unexpected StAX-Event: START_ELEMENT{code}
> This makes it impossible for .NET and Metro clients to communicate with CXF 
> endpoints which have the MTOM and encryption policies specified.
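The comment above and the original report both describe the same root cause: the decryptor reads the text content of xenc:CipherValue as base64, but under MTOM/XOP that element holds an xop:Include child and no text, so the ciphertext buffer comes back empty (the encryptedBytes.length == 0 seen in the DOM path) or the StAX path meets an unexpected START_ELEMENT. The following is an added example, not CXF, Santuario or Metro code, written in Python to show the preprocessing step such a decryptor needs: split the multipart/related body, resolve each cid: reference, and inline the attachment as base64 before the CipherValue is read. The request bytes, the Content-IDs, the boundary and the 48-byte "ciphertext" are constructed for the example; split_request, inline_xop_includes, cipher_value_bytes and split_iv are this example's own names.

```python
"""Resolve MTOM/XOP attachments before XML decryption.

Added example (not CXF or Santuario code): an unresolved xop:Include inside
xenc:CipherValue decodes to zero ciphertext bytes; inlining the cid: part
restores the base64 text a non-MTOM-aware decryptor expects to read.
"""
import base64
import email
import email.policy
import urllib.parse
import xml.etree.ElementTree as ET

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"
AES_BLOCK = 16  # IV length for aes128-cbc

# Constructed sample: a cut-down envelope with one XOP-optimized CipherValue.
SAMPLE_XML = b"""<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <S:Body>
    <xenc:EncryptedData Id="_5004" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue xmlns:xop="http://www.w3.org/2004/08/xop/include">
        <xop:Include href="cid:body-part@example.invalid"/>
      </xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </S:Body>
</S:Envelope>"""

# Constructed sample: a 16-byte IV followed by two 16-byte blocks (not real ciphertext).
CIPHERTEXT = bytes(range(0x10, 0x40))
BOUNDARY = b"uuid:constructed-boundary"

# Constructed sample: the multipart/related body a Metro-style client would send.
SAMPLE_REQUEST = (
    b'Content-Type: multipart/related;start="<rootpart@example.invalid>";'
    b'type="application/xop+xml";boundary="' + BOUNDARY + b'";start-info="text/xml"\r\n'
    b"\r\n--" + BOUNDARY + b"\r\n"
    b"Content-Id: <rootpart@example.invalid>\r\n"
    b'Content-Type: application/xop+xml;charset=utf-8;type="text/xml"\r\n'
    b"Content-Transfer-Encoding: binary\r\n\r\n" + SAMPLE_XML + b"\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b"Content-Id: <body-part@example.invalid>\r\n"
    b"Content-Type: application/ciphervalue\r\n"
    b"Content-Transfer-Encoding: binary\r\n\r\n" + CIPHERTEXT + b"\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)


def split_request(raw: bytes):
    """Return (root XML bytes, {Content-ID: bytes}) for a multipart/related body."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if msg.get_content_type() != "multipart/related":
        raise ValueError("expected multipart/related, got " + msg.get_content_type())
    start = (msg.get_param("start") or "").strip("<>")  # Content-ID of the XML root part
    root, parts = None, {}
    for part in msg.iter_parts():
        cid = (part.get("Content-ID") or "").strip("<>")
        if root is None and (cid == start or not start):
            root = part.get_payload(decode=True)
        else:
            parts[cid] = part.get_payload(decode=True)
    if root is None:
        raise ValueError("root part named by the 'start' parameter not found")
    return root, parts


def inline_xop_includes(root: ET.Element, parts: dict) -> int:
    """Replace each xop:Include with the base64 text of the cid: part it references.

    Returns the number of includes resolved; a dangling cid: reference is an error
    rather than silently leaving an empty CipherValue behind.
    """
    parents = {child: parent for parent in root.iter() for child in parent}
    resolved = 0
    for include in list(root.iter(XOP_INCLUDE)):
        href = include.get("href", "")
        if not href.startswith("cid:"):
            raise ValueError("unsupported xop:Include href: %r" % href)
        cid = urllib.parse.unquote(href[len("cid:"):])  # cid: hrefs are percent-encoded
        if cid not in parts:
            raise KeyError("no MIME part with Content-ID %r" % cid)
        parent = parents[include]
        parent.remove(include)
        parent.text = base64.b64encode(parts[cid]).decode("ascii")
        resolved += 1
    return resolved


def cipher_value_bytes(root: ET.Element, data_id: str) -> bytes:
    """Decode the CipherValue text of the EncryptedData element with the given Id."""
    for enc in root.iter(XENC + "EncryptedData"):
        if enc.get("Id") == data_id:
            value = enc.find("./" + XENC + "CipherData/" + XENC + "CipherValue")
            return base64.b64decode("".join(value.itertext()).strip())
    raise KeyError(data_id)


def split_iv(ciphertext: bytes, block: int = AES_BLOCK):
    """Split a CBC CipherValue into (iv, body), rejecting input shorter than one
    block instead of letting a fixed-length array copy fail on it."""
    if len(ciphertext) < block:
        raise ValueError("CipherValue holds %d bytes, need at least %d for the IV"
                         % (len(ciphertext), block))
    return ciphertext[:block], ciphertext[block:]


def demo():
    """Before inlining the CipherValue decodes to nothing; after inlining the IV is there."""
    root_xml, parts = split_request(SAMPLE_REQUEST)
    root = ET.fromstring(root_xml)
    before = cipher_value_bytes(root, "_5004")  # b"": the zero-length buffer from the ticket
    resolved = inline_xop_includes(root, parts)
    iv, body = split_iv(cipher_value_bytes(root, "_5004"))
    return len(before), resolved, iv, body


if __name__ == "__main__":
    print(demo())
```

Running the module prints the tuple (0, 1, iv, body): zero ciphertext bytes before the include is resolved, one include inlined, and then a full 16-byte IV plus the remaining blocks. The explicit length check in split_iv is the defensive counterpart to the ArrayIndexOutOfBoundsException the comment describes; a decryptor should reject a CipherValue shorter than one block with a clear error rather than fail inside an array copy.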



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)