Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-4629

Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.6.3, 2.7
    • Fix Version/s: 2.5.7, 2.6.4, 2.7.1
    • Component/s: WS-* Components
    • Labels:
      None
    • Estimated Complexity:
      Moderate

      Description

      Hello All,

      We are running CFX web services with the following configuration:

      web.xml

          <servlet>
              <servlet-name>cxf</servlet-name>
              <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
              <load-on-startup>1</load-on-startup>
          </servlet>
      
          <servlet-mapping>
              <servlet-name>cxf</servlet-name>
              <url-pattern>/ls/*</url-pattern>
          </servlet-mapping>
      

      spring config:

          <!-- ######################################### -->
          <beans:import resource="classpath:META-INF/cxf/cxf.xml" />
          <beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
          <beans:import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
      
          <jaxws:endpoint id="lsWebEndpoint"
              implementor="${our endpoint class}"
              address="/api" >
      
              <jaxws:inInterceptors>
                  <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
                  <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                      <constructor-arg>
                          <map>
                              <entry key="action" value="UsernameToken"/>
                              <entry key="passwordType" value="PasswordText"/>
                              <entry key="passwordCallbackClass" value="${our password callback impl}"/>
                          </map>
                      </constructor-arg>
                  </bean>
              </jaxws:inInterceptors>
      
          </jaxws:endpoint>
      

      And we discovered that all our web services are accessible via browser (HTTP Get) without any authentication.
      For instance:

      http://localhost:8181/ls/api/test?a=10&b=20
      
      @WebService
      public class WSEndpoint {
      
          @WebMethod
          public int test(@WebParam(name = "a") int a,
                          @WebParam(name = "b") int b) {
              return a + b;
          }
      }
      

      returns

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
      <ns2:testResponse xmlns:ns2="${our namespace}">
      <return>30</return>
      </ns2:testResponse>
      </soap:Body>
      </soap:Envelope>
      

      The reason is the following code in WSS4JInInterceptor:

          public final boolean isGET(SoapMessage message) {
              String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
              return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
          }
          
          public void handleMessage(SoapMessage msg) throws Fault {
              if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
                  return;
              }:
          ...
      

      I was not able to find anything specific on google why GET methods are always allowed.

      However it's somehow related to CXF-3170:
      Please see http://cxf.547215.n5.nabble.com/svn-commit-r1062014-in-cxf-branches-2-3-x-fixes-rt-ws-security-src-main-java-org-apache-cxf-ws-secura-tt3352201.html#none

      Also i found the following thread on StackOverflow without answer:
      http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests

      Please advice on this this issue.

      Regards,
      Oleh.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                dkulp Daniel Kulp
                Reporter:
                soulkeeper Oleh Faizulin
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: