[CXF-5724] Extra text and comments after </soapenv:Body> are treated as part of SOAP body by CXF - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.7.9, 2.7.10, 2.7.11
Fix Version/s: 3.0, 2.7.12
Component/s: Soap Binding
Labels:
None

Estimated Complexity:
Unknown

Description

Hello,

it appears that since https://github.com/apache/cxf/commit/eb70d1008b8ffd32c90c990122b08d10ffcda933 extra characters and comments after </soapenv:Body> get "leaked" into CXF view of SOAP body. This is not a big problem unless SOAP body is signed with WSS Security. Obviously, then any characters (in particular new lines or whitespaces) after </soapenv:Body> will cause signature validation to fail due to checksum mismatch.

This is due to switch from StaxUtils.readDocElements() to StaxUtils.copy(). Now I'm not sure if StaxUtils.copy() is either buggy or misused there. If called with fragment=false, it would probably extract body as expected but then again I'm not sure what's the point of fragment flag. So, I attach the patch which fixes the "leak" problem in StaxUtils.copy() when fragment=true.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

0001-Do-not-leak-characters-and-comments-past-the-end-of-.patch
01/May/14 22:14
4 kB
Modestas Vainius

Issue Links

relates to

CXF-5679 WS-S after upgrade fails with org.apache.ws.security.WSSecurityException: The signature or decryption was invalid

Closed

Activity

People

Assignee:: Daniel Kulp

Reporter:: Modestas Vainius

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 01/May/14 22:12

Updated:: 11/Jul/14 12:50

Resolved:: 05/May/14 17:18