[jira] [Commented] (CXF-6409) CXF web service cannot process MTOM/XOP-optimized content within a CipherValue element

Wed, 03 Jun 2015 10:43:12 -0700 

    [ 
https://issues.apache.org/jira/browse/CXF-6409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14571386#comment-14571386
 ] 

Dallas Vaughan commented on CXF-6409:
-------------------------------------

I have stepped through the Binary Security Token processing code and found the 
following:

The signature validation doesn't work with the BinarySecurity changes because, 
unlike with the previous implementation, the {{xop:Include}} element is still 
present in the BinarySecurityToken element. This is because the 
{{setToken(byte[])}} method is never called which replaces the "include" 
element with the base64-encoded value. The {{setToken}} call was replaced by 
{{setRawToken}} in the {{BinarySecurityTokenProcessor}} class (line 178).

When the digest is calculated for the BinarySecurityToken in signature 
verification, (I believe) it uses the element's child value and because it's 
still an {{xop:Include}} element, it doesn't match and it fails. 


> CXF web service cannot process MTOM/XOP-optimized content within a 
> CipherValue element
> --------------------------------------------------------------------------------------
>
>                 Key: CXF-6409
>                 URL: https://issues.apache.org/jira/browse/CXF-6409
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.0.4
>            Reporter: Dallas Vaughan
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.1.1, 3.0.6
>
>         Attachments: decrypt-xop.patch
>
>
> When a CXF (WS-Security streaming-enabled) web service endpoint is configured 
> to use WS-Security and MTOM, CXF cannot handle requests from .NET and Metro 
> clients because it cannot process {{xop:Include}} elements that are children 
> of {{enc:CipherValue}} elements, as both of these clients will optimize any 
> large encrypted (base64-encoded binary) content by serializing it as a MIME 
> part.
> For example, when a Metro MTOM-optimized WS-Security-based request is sent to 
> a CXF endpoint, the following exception is thrown within 
> {{org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor$DecryptionThread.run()}}:
> {code}org.apache.xml.security.exceptions.XMLSecurityException: Unexpected 
> StAX-Event: START_ELEMENT{code}
> This makes it impossible for .NET and Metro clients to communicate with CXF 
> endpoints which have the MTOM and encryption policies specified.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to