Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Fix Version/s: 2.6.3, 2.7
None
Moderate
Description
Hello All,
We are running CXF web services with the following configuration:
web.xml:
<servlet>
<servlet-name>cxf</servlet-name>
<servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>cxf</servlet-name>
<url-pattern>/ls/*</url-pattern>
</servlet-mapping>
Spring config:
<!-- ######################################### -->
<beans:import resource="classpath:META-INF/cxf/cxf.xml" />
<beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<beans:import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<jaxws:endpoint id="lsWebEndpoint"
implementor="${our endpoint class}"
address="/api" >
<jaxws:inInterceptors>
<bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken"/>
<entry key="passwordType" value="PasswordText"/>
<entry key="passwordCallbackClass" value="${our password callback impl}"/>
</map>
</constructor-arg>
</bean>
</jaxws:inInterceptors>
</jaxws:endpoint>
And we discovered that all our web services are accessible via browser (HTTP Get) without any authentication.
For instance:
http://localhost:8181/ls/api/test?a=10&b=20
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;

@WebService
public class WSEndpoint {
    @WebMethod
    public int test(@WebParam(name = "a") int a,
                    @WebParam(name = "b") int b) {
        return a + b;
    }
}
returns
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns2:testResponse xmlns:ns2="${our namespace}">
<return>30</return>
</ns2:testResponse>
</soap:Body>
</soap:Envelope>
The reason is the following code in WSS4JInInterceptor:
public final boolean isGET(SoapMessage message) {
    String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
    return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
}

public void handleMessage(SoapMessage msg) throws Fault {
    if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
        return;
    }
    ...
I was not able to find anything specific on Google about why GET methods are always allowed.
However, it's somehow related to CXF-3170:
Please see http://cxf.547215.n5.nabble.com/svn-commit-r1062014-in-cxf-branches-2-3-x-fixes-rt-ws-security-src-main-java-org-apache-cxf-ws-secura-tt3352201.html#none
Also I found the following thread on StackOverflow without an answer:
http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests
Please advise on this issue.
Regards,
Oleh.
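The report above shows that WSS4JInInterceptor returns early for plain HTTP GET requests, so the UsernameToken check never runs and the GET-to-SOAP mapping dispatches the operation unauthenticated. The following is an added example, not code from the CXF project or from the reporter: a small CXF in-interceptor that rejects GET requests in the RECEIVE phase, before the SOAP and WS-Security phases, so a deployment that cannot immediately upgrade to a fixed version has a defensive stopgap. The class name RejectGetInterceptor is an assumption; the CXF types it uses (AbstractPhaseInterceptor, Phase, Message, Fault) are real CXF 2.x API. The only GET it lets through is a ?wsdl query, which is a design choice made here so WSDL retrieval keeps working.

```java
// Added example (not CXF project code, not from the original report).
// Rejects HTTP GET before WSS4JInInterceptor can skip security for it.
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public class RejectGetInterceptor extends AbstractPhaseInterceptor<Message> {

    public RejectGetInterceptor() {
        // RECEIVE runs before the PRE_PROTOCOL phase in which
        // WSS4JInInterceptor sits, so the request is stopped before any
        // service operation can be dispatched from the GET URL mapping.
        super(Phase.RECEIVE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        Object method = message.get(Message.HTTP_REQUEST_METHOD);
        String query = (String) message.get(Message.QUERY_STRING);

        if (isUnwantedGet(method, query)) {
            Fault fault = new Fault(new SecurityException(
                "HTTP GET is not accepted on this endpoint; "
                + "send a SOAP POST carrying a UsernameToken"));
            fault.setStatusCode(405); // Method Not Allowed
            throw fault;
        }
    }

    /**
     * True for any GET except a WSDL request (?wsdl / ?WSDL), which is
     * allowed here so clients can still fetch the contract. Adjust or drop
     * that exception if the WSDL should not be public either.
     */
    static boolean isUnwantedGet(Object method, String query) {
        if (!"GET".equals(method)) {
            return false;
        }
        boolean wsdlRequest = query != null
            && query.toLowerCase().startsWith("wsdl");
        return !wsdlRequest;
    }
}
```

To activate it for the endpoint in the report, add `<bean class="RejectGetInterceptor" />` (with its package) to the existing `<jaxws:inInterceptors>` list of `lsWebEndpoint`; its position in that list does not matter because phase ordering, not list order, puts RECEIVE ahead of the WS-Security interceptor. A quick check that the stopgap is effective is to repeat the report's own request, `http://localhost:8181/ls/api/test?a=10&b=20`, and confirm it now yields an HTTP 405 fault instead of a `testResponse` body; the proper fix remains upgrading to one of the fix versions listed in the issue header (2.6.3 or 2.7).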