CXF-2854

Carriage return (\r) in String argument to service method causes "SoapFault: The signature or decryption was invalid"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: 2.1.4
    • Fix Version/s: Invalid
    • Component/s: WS-* Components
    • Labels: None
    • Environment: Windows XP Professional SP3, JDK 1.6.0_13
    • Estimated Complexity: Unknown

      Description

      When using a WSS4JOutInterceptor on the proxy client and WSS4JInInterceptor on the service with the action WSHandlerConstants.SIGNATURE, the call to the service terminates in a SoapFault for an invalid signature if a String containing a carriage return (\r) is passed as an argument to the service. Strings not containing a carriage return result in a successful response.

      A short (fewer than 100 total lines) demonstration of the bug can be provided; a stack trace is at the end of this description.

      Thank you.

      Stack Trace:
      org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
      at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:438)
      at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:85)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
      at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:160)
      at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:67)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:226)
      at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
      at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:295)
      at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:258)
      at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
      at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
      at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
      at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
      at org.mortbay.jetty.Server.handle(Server.java:324)
      at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
      at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
      at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
      at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
      at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
      at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
      at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)

      Attachments:
      1. CXF-Carriage-Return-Issue-Demo.zip (4 kB, Web Development Guys)
      2. CXF-Carriage-Return-Issue-Demo-2.zip (8.96 MB, Web Development Guys)

        Activity

        web.development.guys Web Development Guys added a comment -

        Here is a "proof of concept" demonstrating the issue. Other than libraries, it should be complete. It includes a keystore (storepass=password, keypass=password).

        Libraries used are:
        cxf-2.1.4.jar
        wss4j-1.5.5.jar
        wsdl4j-1.6.2.jar
        xml-resolver-1.2.jar
        XmlSchema-1.4.2.jar
        servlet-2_3.jar
        jetty-6.1.9.jar
        jetty-util-6.1.9.jar
        commons-logging-1.1.1.jar
        xmlsec-1.4.2.jar
        xalan.jar
        serializer-2.7.1.jar

        dkulp Daniel Kulp added a comment -

        I believe this has been fixed for a fairly long time. It works fine with the latest 2.2.10 release of CXF which includes the latest (1.5.8) version of wss4j and 1.4.3 version of xmlsec.

        I would STRONGLY encourage upgrading to the latest versions to see if it's already fixed.

        web.development.guys Web Development Guys added a comment -

        Same issue in 2.2.10 with wss4j 1.5.8 and xmlsec 1.4.3.

        web.development.guys Web Development Guys added a comment -

        Demonstration of issue using CXF 2.2.10 snapshot obtained today from official site.

        All libraries used added to /lib inside Zip to ease attempt to reproduce.

        dkulp Daniel Kulp added a comment -

        This isn't really a "bug" in CXF. It's a bug in the Stax parser built into the JDK. If you add the wstx jar that we ship with CXF to the libs, the testcase works fine.

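Added example, not code from the report or from CXF: a small Python model of why a literal carriage return is fragile inside signed XML, using expat (behind ElementTree) as a stand-in for the receiving parser and SHA-256 over the element text as a stand-in for the digest the WS-Security signature covers. It assumes a constructed argument value and does not reproduce the JDK StAX defect named in the last comment; it only shows the XML 1.0 end-of-line normalization rule that signer and verifier must apply identically, and why emitting the character reference `&#13;` keeps the digest stable.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample argument: the report's trigger is a '\r' inside the string.
SAMPLE_ARG = "line one\rline two"


def digest(text: str) -> str:
    """Stand-in for the reference digest the signature is computed over."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def serialize_arg(value: str, escape_cr: bool) -> bytes:
    """Build the <arg> element as it would appear on the wire (hypothetical element name).

    escape_cr=False writes the raw 0x0D byte, which a parser is required to
    normalize to LF; escape_cr=True writes the character reference &#13;,
    which parsers must preserve because references are resolved after
    end-of-line normalization.
    """
    body = value.replace("&", "&amp;").replace("<", "&lt;")
    if escape_cr:
        body = body.replace("\r", "&#13;")
    return f"<arg>{body}</arg>".encode("utf-8")


def received_text(wire: bytes) -> str:
    """Parse the wire bytes as the receiving side would.

    expat applies XML 1.0 section 2.11 normalization: a lone CR or a CR LF
    pair in character data becomes a single LF before the text is seen.
    """
    return ET.fromstring(wire).text or ""


def signature_verifies(value: str, escape_cr: bool) -> bool:
    """Sign over the original value, verify over what the parser hands back."""
    expected = digest(value)
    actual = digest(received_text(serialize_arg(value, escape_cr)))
    return expected == actual


if __name__ == "__main__":
    print("raw CR :", signature_verifies(SAMPLE_ARG, escape_cr=False))   # False
    print("&#13;  :", signature_verifies(SAMPLE_ARG, escape_cr=True))    # True
    print("no CR  :", signature_verifies("plain text", escape_cr=False))  # True
```

The same mismatch appears for a CR LF pair, since both forms collapse to LF on parse; only a character reference survives the round trip unchanged.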

          People

          • Assignee: dkulp Daniel Kulp
          • Reporter: web.development.guys Web Development Guys
          • Votes: 0
          • Watchers: 1
