CXF-4629

Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.6.3, 2.7
    • Fix Version/s: 2.5.7, 2.6.4, 2.7.1
    • Component/s: WS-* Components
    • Labels: None
    • Estimated Complexity: Moderate

    Description

      Hello All,

      We are running CXF web services with the following configuration:

      web.xml

          <servlet>
              <servlet-name>cxf</servlet-name>
              <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
              <load-on-startup>1</load-on-startup>
          </servlet>
      
          <servlet-mapping>
              <servlet-name>cxf</servlet-name>
              <url-pattern>/ls/*</url-pattern>
          </servlet-mapping>
      

      Spring config:

          <!-- ######################################### -->
          <beans:import resource="classpath:META-INF/cxf/cxf.xml" />
          <beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
          <beans:import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
      
          <jaxws:endpoint id="lsWebEndpoint"
              implementor="${our endpoint class}"
              address="/api" >
      
              <jaxws:inInterceptors>
                  <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
                  <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                      <constructor-arg>
                          <map>
                              <entry key="action" value="UsernameToken"/>
                              <entry key="passwordType" value="PasswordText"/>
                              <entry key="passwordCallbackClass" value="${our password callback impl}"/>
                          </map>
                      </constructor-arg>
                  </bean>
              </jaxws:inInterceptors>
      
          </jaxws:endpoint>
      

      And we discovered that all our web services are accessible via browser (HTTP GET) without any authentication.
      For instance:

      http://localhost:8181/ls/api/test?a=10&b=20
      
      import javax.jws.WebMethod;
      import javax.jws.WebParam;
      import javax.jws.WebService;
      
      @WebService
      public class WSEndpoint {
      
          // Reached via GET /ls/api/test?a=10&b=20 without any UsernameToken
          @WebMethod
          public int test(@WebParam(name = "a") int a,
                          @WebParam(name = "b") int b) {
              return a + b;
          }
      }
      

      returns

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
      <ns2:testResponse xmlns:ns2="${our namespace}">
      <return>30</return>
      </ns2:testResponse>
      </soap:Body>
      </soap:Envelope>
      

      The reason is the following code in WSS4JInInterceptor:

          public final boolean isGET(SoapMessage message) {
              String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
              return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
          }
          
          public void handleMessage(SoapMessage msg) throws Fault {
              // A GET with no XML body (e.g. a URI-mapped call such as /api/test?a=10&b=20)
              // returns here, so no WS-Security processing happens for it at all.
              if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
                  return;
              }
          ...
      

      I was not able to find anything specific on Google about why GET methods are always allowed.

      However, it's somehow related to CXF-3170:
      Please see http://cxf.547215.n5.nabble.com/svn-commit-r1062014-in-cxf-branches-2-3-x-fixes-rt-ws-security-src-main-java-org-apache-cxf-ws-secura-tt3352201.html#none

      Also, I found the following thread on StackOverflow without an answer:
      http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests

      Please advise on this issue.

      Regards,
      Oleh.
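
      The early return quoted above means that a URI-mapped GET never reaches the UsernameToken check, so an endpoint whose only authentication is WSS4JInInterceptor is callable by anyone who can reach the URL. Upgrading to one of the Fix Version/s is the real correction. For a deployment that cannot upgrade yet, the following guard interceptor, added here as an example and not code from CXF or from the reporter, rejects every HTTP GET to the SOAP endpoint except the WSDL/XSD metadata queries, before the request is mapped to an operation. The package and class name, the SecurityException message and the isWsdlQuery rule are assumptions of this example; Message.HTTP_REQUEST_METHOD, Message.QUERY_STRING, Phase.RECEIVE and Fault.setStatusCode are the CXF 2.x API.

```java
// Added example, not part of CXF or of the reported configuration.
// Assumed: package/class name, the 405 choice and the isWsdlQuery rule.
package com.example.ws;

import java.util.Locale;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Refuses plain HTTP GET calls to a SOAP endpoint so that the
 * GET early-return in WSS4JInInterceptor cannot be used to invoke
 * operations without a security header.
 */
public class RejectGetInterceptor extends AbstractPhaseInterceptor<Message> {

    public RejectGetInterceptor() {
        // RECEIVE is the first inbound phase: the request is stopped before
        // the URI-mapping and WS-Security interceptors ever see it.
        super(Phase.RECEIVE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        if (!"GET".equalsIgnoreCase(method)) {
            return; // POSTed SOAP requests continue on to WSS4JInInterceptor
        }
        String query = (String) message.get(Message.QUERY_STRING);
        if (isWsdlQuery(query)) {
            return; // ?wsdl and ?xsd=... are metadata requests, not operation calls
        }
        Fault fault = new Fault(new SecurityException(
            "HTTP GET is not accepted on this endpoint; send a SOAP request with a security header"));
        fault.setStatusCode(405); // Method Not Allowed
        throw fault;
    }

    /** Only the WSDL/XSD metadata queries are allowed over GET. */
    static boolean isWsdlQuery(String query) {
        if (query == null) {
            return false;
        }
        String q = query.toLowerCase(Locale.ROOT);
        return q.equals("wsdl") || q.startsWith("wsdl=") || q.startsWith("xsd=");
    }
}
```

      Register it in the endpoint's `<jaxws:inInterceptors>` list next to the existing SAAJInInterceptor and WSS4JInInterceptor beans (`<bean class="com.example.ws.RejectGetInterceptor"/>`); phase ordering, not list order, puts it first. To check the result, re-request the reporter's URL `http://localhost:8181/ls/api/test?a=10&b=20`: a body still carrying `<ns2:testResponse>` means the GET path is still reachable. Note that `?wsdl` remains answerable over GET, which is a separate decision about exposing the contract.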

          People

            Assignee: Daniel Kulp (dkulp)
            Reporter: Oleh Faizulin (soulkeeper)
            Votes: 0
            Watchers: 3
