  1. CXF
  2. CXF-6144

WS-Security fails if body has signature on WSS4JInInterceptor


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.7.9
    • Fix Version/s: 2.7.12
    • Component/s: WS-* Components
    • Labels:
      None
    • Environment:

      Any

    • Estimated Complexity:
      Unknown

      Description

      If a WebService has WS-Security with the soap body as part of the signature, the incoming security check (by the WSS4JInInterceptor) will break.
      This bug was introduced in 2.7.9 and is still present in the current codebase (3.0.3).
      This problem is caused by the WSS4JInInterceptor. It uses the "SAAJInInterceptor.INSTANCE.handleMessage(msg)" on getSOAPMessage to convert a CXF SoapMessage to a javax.xml.soap.SOAPMessage.
      During this conversion, the SAAJInInterceptor adds an empty text-node at the end of the soap-body.
      This breaks when the soap-body is part of the signature.

      The old 2.7.8 version of the SAAJInInterceptor did (line 223):
      StaxUtils.readDocElements(soapMessage.getSOAPPart().getEnvelope().getBody(), xmlReader, true, true);
      The new 2.7.9 version does (line 140):
      StaxUtils.copy(xmlReader1, new SAAJStreamWriter(e.getSOAPPart(), e.getSOAPPart().getEnvelope().getBody()), true, true);

      If I use XmlDebug in WSS4JInInterceptor right after this call, the old version returns:
      (see attachment soap-body-2.7.8.txt)
      while the new version returns:
      (see attachment soap-body-2.7.9.txt)

      Notice the additional #text/"\n" inside the body.

      For this debug logging, I changed the WSS4JInInterceptor:

          private SOAPMessage getSOAPMessage(SoapMessage msg) {
              SAAJInInterceptor.INSTANCE.handleMessage(msg);
              return msg.getContent(SOAPMessage.class);
          }
      

      to

      	private SOAPMessage getSOAPMessage(SoapMessage msg) {
      		SAAJInInterceptor.INSTANCE.handleMessage(msg);
      		SOAPMessage soapMsg = msg.getContent(SOAPMessage.class);
      		SOAPPart soapPart = soapMsg.getSOAPPart();
      		debugDomDocument(soapPart);
      		return soapMsg;
      	}
      
      	private void debugDomDocument(Document doc) {
      		ByteArrayOutputStream baos = new ByteArrayOutputStream();
      		PrintStream ps = new PrintStream(baos);
      		XmlDebug.printDocument(ps, doc);
      		ps.flush();
      		ps.close();
      		LOG.warn("SoapPart via XmlDebug: " + baos.toString());
      	}
      

        Attachments

        1. XmlDebug.java
          7 kB
          Ruud de Jong
        2. soap-body-2.7.8.txt
          0.5 kB
          Ruud de Jong
        3. soap-body-2.7.9.txt
          0.5 kB
          Ruud de Jong
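
The following is an added example, not code from this issue or from CXF: it shows why one extra "\n" text node at the end of the body is enough to fail a signature that covers the body, and how to tell that case apart from a real content change when triaging a digest failure. It assumes Python's standard-library C14N 2.0 as a stand-in for the canonicalization a WS-Security stack would apply (both keep whitespace text nodes inside the signed subtree); the envelope is constructed and all function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET
from copy import deepcopy

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BODY = f"{{{SOAP_NS}}}Body"

# Constructed sample envelope (not taken from the issue's attachments).
SENT = ET.fromstring(
    f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
    '<soap:Body><ping xmlns="urn:example">hello</ping></soap:Body>'
    '</soap:Envelope>'
)

def canonical_body(envelope):
    """Canonical form of the soap:Body subtree, i.e. what a body Reference digests."""
    body = deepcopy(envelope.find(BODY))
    body.tail = None  # text after </soap:Body> is outside the signed subtree
    return ET.canonicalize(ET.tostring(body, encoding="unicode"))

def body_digest(envelope):
    """SHA-256 over the canonical body bytes (the digest algorithm is an assumption)."""
    return hashlib.sha256(canonical_body(envelope).encode("utf-8")).hexdigest()

def with_trailing_text_node(envelope, text="\n"):
    """Model the reported conversion: an extra text node at the end of the body."""
    changed = deepcopy(envelope)
    last_child = changed.find(BODY)[-1]
    # ElementTree stores text that follows the last child as that child's tail.
    last_child.tail = (last_child.tail or "") + text
    return changed

def classify_mismatch(signed, received):
    """Triage only: says why the digests differ, never that the message is acceptable."""
    if body_digest(signed) == body_digest(received):
        return "match"
    def strip(env):
        # strip_text drops whitespace-only text nodes before comparing
        return ET.canonicalize(canonical_body(env), strip_text=True)
    return "whitespace-only" if strip(signed) == strip(received) else "content-changed"

if __name__ == "__main__":
    received = with_trailing_text_node(SENT)
    print("signed  :", body_digest(SENT))
    print("received:", body_digest(received))
    print("verdict :", classify_mismatch(SENT, received))
```

A "whitespace-only" verdict points at a processing step between the wire and the verifier that mutated the DOM, which is the situation this issue describes; the message must still fail verification until that step is fixed.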

              People

              • Assignee:
                coheigea Colm O hEigeartaigh
                Reporter:
                ruud.de.jong Ruud de Jong
