[ https://issues.apache.org/jira/browse/CXF-8940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17772696#comment-17772696 ]
Freeman Yue Fang edited comment on CXF-8940 at 10/6/23 9:05 PM:
----------------------------------------------------------------

Hi [~ppalaga],

Thanks for raising this issue!

After a first glance, I don't think this is a problem in CXF. The problem should be in quarkus-cxf or the test itself.

The root cause that the configuration in your test
{code}
...security.must-understand = false
{code}
doesn't work is that org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor is somehow not added to the quarkus-cxf client quarkus.cxf.client.helloUsernameTokenNoMustUnderstand. But org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor should be added by default in CXF by org.apache.cxf.ws.security.policy.interceptors.WSSecurityInterceptorProvider, together with PolicyBasedWSS4JStaxOutInterceptor.

We have a test case in the CXF source code, cxf/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java, and I checked there: org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor in the CXF test is added and invoked correctly.

The PolicyBasedWSS4JStaxOutInterceptor contains the logic for when security.enable.streaming is true (StAX API based), while PolicyBasedWSS4JOutInterceptor contains the logic for when security.enable.streaming is false (DOM API based).

If I explicitly add PolicyBasedWSS4JOutInterceptor to your test client, then it works, but surely the real fix should be somewhere else.
{code}
--- a/integration-tests/ws-security-policy/src/main/resources/application.properties
+++ b/integration-tests/ws-security-policy/src/main/resources/application.properties
@@ -94,6 +94,7 @@ quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.trust-store-password = pas
 quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.username = ${wss.user}
 quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.callback-handler = #usernameTokenPasswordCallback
 quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.must-understand = false
+quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.out-interceptors = org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
 quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.features = #messageCollector
{code}

In your test case you can see that PolicyBasedWSS4JStaxOutInterceptor can be added and invoked by default (that's why the StAX stream works as expected) while PolicyBasedWSS4JOutInterceptor can't. I don't know why for now, but this should be the direction to investigate.

Best Regards
Freeman
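Review bot: The added out-interceptors line makes the helloUsernameTokenNoMustUnderstand client pass by hard-wiring org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor into the test's application.properties, which masks the registration problem the comment itself attributes to WSSecurityInterceptorProvider; if this line is committed at all, add a comment above `+quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.out-interceptors = org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor` naming CXF-8940 so it is removed once the provider adds the interceptor by default. Also, the header `@@ -94,6 +94,7 @@` announces six original lines but only four context lines are present in the pasted hunk, so git apply will reject it as corrupt; re-paste it from the working tree before anyone tries to apply it.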
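As an added illustration (this is not code from the ticket, from CXF or from quarkus-cxf), here is the plain-CXF, programmatic equivalent of the quarkus-cxf client properties Freeman refers to, including the explicit PolicyBasedWSS4JOutInterceptor workaround from his diff. It assumes CXF 3.x with the javax.xml.ws API, a JAX-WS proxy `port` generated from a WSDL whose policy requires a UsernameToken, and a hypothetical `UsernameTokenPasswordCallback` standing in for the `#usernameTokenPasswordCallback` bean; it only sets the property names, it makes no claim about which interceptor CXF actually registers.

```java
import java.io.IOException;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public final class NoMustUnderstandClientConfig {

    /** Supplies the UsernameToken password; hypothetical stand-in for #usernameTokenPasswordCallback. */
    public static final class UsernameTokenPasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "Only WSPasswordCallback is supported");
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if ("cxf-user".equals(pc.getIdentifier())) {
                    pc.setPassword("secret"); // throw-away test credential from the ticket, not a real one
                }
            }
        }
    }

    /**
     * Mirror the quarkus-cxf properties of the ticket on a plain JAX-WS proxy.
     * port       - proxy obtained from a generated Service class (assumed, not shown)
     * streaming  - value for security.enable.streaming (true = StAX path, false = DOM path)
     * workaround - add PolicyBasedWSS4JOutInterceptor explicitly, as Freeman's diff does
     */
    public static void configure(Object port, boolean streaming, boolean workaround) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();

        // security.username / security.callback-handler
        ctx.put(SecurityConstants.USERNAME, "cxf-user");
        ctx.put(SecurityConstants.CALLBACK_HANDLER, new UsernameTokenPasswordCallback());

        // security.must-understand = false: the setting the ticket expects to drop
        // soap:mustUnderstand="1" from the outgoing wsse:Security header
        ctx.put(SecurityConstants.MUST_UNDERSTAND, "false");

        // security.enable.streaming selects PolicyBasedWSS4JStaxOutInterceptor (true)
        // or PolicyBasedWSS4JOutInterceptor (false) as the interceptor doing the work
        ctx.put(SecurityConstants.ENABLE_STREAMING_SECURITY, String.valueOf(streaming));

        if (workaround && !streaming) {
            // Equivalent of the out-interceptors line in the diff: register the DOM
            // interceptor by hand instead of relying on WSSecurityInterceptorProvider.
            Client client = ClientProxy.getClient(port);
            client.getOutInterceptors().add(new PolicyBasedWSS4JOutInterceptor());
        }
    }
}
```

Calling `configure(port, false, false)` reproduces the failing configuration from the ticket on plain CXF, `configure(port, true, false)` the passing StAX variant, and `configure(port, false, true)` Freeman's workaround; capture the request with a LoggingOutInterceptor or the test's message collector and compare the wsse:Security header across the three runs.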
> ws-security.must-understand works only if security.enable.streaming is true
> ---------------------------------------------------------------------------
>
>                 Key: CXF-8940
>                 URL: https://issues.apache.org/jira/browse/CXF-8940
>             Project: CXF
>          Issue Type: Bug
>            Reporter: Peter Palaga
>            Priority: Major
>
> I am unfortunately not sure at all how to reproduce this with plain CXF. If a
> test is required to demonstrate the issue, I'd be thankful for pointing me to
> an existing test I could adapt.
>
> I am able to reproduce this with quarkus-cxf - here are the steps to
> reproduce:
> {code}
> git clone g...@github.com:ppalaga/quarkus-cxf.git
> cd quarkus-cxf
> git checkout CXF-8940
> mvnd clean install -DskipTests -Dquarkus.build.skip
> cd integration-tests/ws-security-policy
> mvnd clean test -Dtest=UsernameTokenSecurityPolicyTest#helloUsernameTokenNoMustUnderstand
> ...
> [ERROR] UsernameTokenSecurityPolicyTest>AbstractUsernameTokenSecurityPolicyTest.helloUsernameTokenNoMustUnderstand:180
> Expecting actual:
>   "REQ_OUT
> Address: https://localhost:8444/services/helloUsernameToken
> HttpMethod: POST
> Content-Type: text/xml
> ExchangeId: 03fe3642-ab5b-4b85-b712-b8ed107f5a71
> ServiceName: UsernameTokenPolicyHelloService
> PortName: UsernameTokenPolicyHelloServicePort
> PortTypeName: UsernameTokenPolicyHelloService
> Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
> Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
>       <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-4e64841c-ad35-48fd-b7ee-70e5f978e098">
>         <wsse:Username>cxf-user</wsse:Username>
>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">secret</wsse:Password>
>         <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">5rs0Ra3q0FPLXFguajlTwQ==</wsse:Nonce>
>         <wsu:Created>2023-10-05T22:40:54.436Z</wsu:Created>
>       </wsse:UsernameToken>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/">
>       <arg0>helloUsernameTokenNoMustUnderstand</arg0>
>     </ns2:hello>
>   </soap:Body>
> </soap:Envelope>
> "
> not to contain:
>   "soap:mustUnderstand="1""
> {code}
>
> Running the same logic with
> {{quarkus.cxf.client.helloUsernameTokenNoMustUnderstand.security.enable.streaming = true}}
> works as expected:
> {code}
> mvnd clean test -Dtest=UsernameTokenSecurityPolicyStaxTest#helloUsernameTokenNoMustUnderstand
> ...
> BUILD SUCCESS
> {code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)