Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.4.5, 2.5.2
- None
- JBossWS-CXF integration, using Apache CXF 2.4.x
- Unknown
Description
When using WS-Policy to set up WS-Security interceptors, the WSSecurityInterceptorProvider runs:
```java
...
this.getInInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE);
this.getInFaultInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE);
...
```
which causes the same instance of PolicyBasedWSS4JInInterceptor to be added to any bus.
Unfortunately, the PolicyBasedWSS4JInInterceptor ends up extending org.apache.ws.security.handler.WSHandler which has a Map<String, Crypto> attribute. That is used whenever loading a Crypto instance and caches instances with keys basically given by the Merlin prop file name the user specified for the endpoint.
So, when having multiple deployments referencing properties files with the same name, the first crypto instance is always used.
If we want to keep the singleton approach on using the PolicyBasedWSS4JInInterceptor, we should probably at least use a different mechanism for creating keys so that prop files from different deployments are kept separate.
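The cache collision described above, and one way to scope the key per deployment, shown as an added example that is not CXF or WSS4J code. `FakeCrypto`, `loadShared`, `loadScoped` and the deployment names are hypothetical stand-ins, and keying by class loader is an assumption, not the fix that was applied for this issue.

```java
import java.util.Map;
import java.util.WeakHashMap;
import java.util.concurrent.ConcurrentHashMap;

public class CryptoCacheDemo {
    // Hypothetical stand-in for a loaded Crypto: records whose key material it holds.
    record FakeCrypto(String deployment, String propFile) {}

    // Models the shared cache in the report: the key is only the properties file name.
    static final Map<String, FakeCrypto> byName = new ConcurrentHashMap<>();

    // Scoped alternative: one inner map per deployment class loader. Weak keys avoid
    // pinning an undeployed loader, provided the cached values do not reference it.
    static final Map<ClassLoader, Map<String, FakeCrypto>> byLoader = new WeakHashMap<>();

    static FakeCrypto loadShared(String deployment, String propFile) {
        return byName.computeIfAbsent(propFile, f -> new FakeCrypto(deployment, f));
    }

    static synchronized FakeCrypto loadScoped(ClassLoader cl, String deployment, String propFile) {
        return byLoader.computeIfAbsent(cl, k -> new ConcurrentHashMap<>())
                       .computeIfAbsent(propFile, f -> new FakeCrypto(deployment, f));
    }

    public static void main(String[] args) {
        // Constructed sample: two deployments, each with its own class loader,
        // both shipping a Merlin properties file named "server.properties".
        ClassLoader a = new ClassLoader() {};
        ClassLoader b = new ClassLoader() {};

        FakeCrypto s1 = loadShared("app-a.war", "server.properties");
        FakeCrypto s2 = loadShared("app-b.war", "server.properties");
        System.out.println("name-only key, app-b gets crypto of: " + s2.deployment());

        FakeCrypto p1 = loadScoped(a, "app-a.war", "server.properties");
        FakeCrypto p2 = loadScoped(b, "app-b.war", "server.properties");
        System.out.println("loader-scoped key, app-b gets crypto of: " + p2.deployment());

        // With the name-only key both deployments share one instance; scoped, they do not.
        if (s2 != s1 || p2 == p1) {
            throw new AssertionError("unexpected cache behaviour");
        }
    }
}
```

With the name-only key, the second deployment is handed the first deployment's key material, so signature verification and decryption for one application run against another application's keystore.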
Attachments
Issue Links
- relates to CXF-4539 WS-Security inbound performance regression (Closed)