CXF-7979

Issues when an operation's input and output should have different policies

    Details

    • Estimated Complexity:
      Unknown

      Description

      We think we might have found an issue in the way WSDL-Embedded WebService Security Policies are interpreted at runtime.

      We are in contract-first mode, but don't use generated JAXB bindings. We use a @WebServiceProvider implementation as a dynamic server and use javax.xml.ws.Dispatch to build a dynamic client.

      The issue happens when we try to apply different WSS-Policies to an operation's wsdl:input and wsdl:output, so e.g. having the request secured but the response non-secured.

      We see different behavior depending on where we put the wsp:PolicyReference within the WSDL, but we didn't manage to make it work: either the client doesn't encrypt the request at all, or the server encrypts the response as well.

      I created a small but fully functional project on GitHub that contains a unit test which demonstrates the behavior (be sure to check the project's README).

      Please have a look at: https://github.com/netmikey/cxf-security-test

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              netmikey Mike M.
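Added example (not from the report or from the CXF project): a Python check that lists, for each binding operation of a WSDL 1.1 document, which wsp:PolicyReference URIs are in scope for wsdl:input and for wsdl:output under WS-PolicyAttachment scoping, so that a reference placed at binding or operation level shows up as covering both directions. The sample WSDL, the policy ids and the operation names are constructed, and the script does not model how CXF itself applies the policies.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
# Accept both the WS-Policy 1.5 and the WS-Policy 1.2 namespace.
POLICY_REF = {ns + "PolicyReference" for ns in (
    "{http://www.w3.org/ns/ws-policy}",
    "{http://schemas.xmlsoap.org/ws/2004/09/policy}")}

def refs(elem):
    """URIs of wsp:PolicyReference elements that are direct children of elem."""
    return [c.get("URI") for c in elem if c.tag in POLICY_REF]

def effective_policies(wsdl_xml):
    """Map (operation, 'input'|'output') -> policy URIs in scope, outermost first."""
    result = {}
    for binding in ET.fromstring(wsdl_xml).iter(WSDL + "binding"):
        for op in binding.findall(WSDL + "operation"):
            for direction in ("input", "output"):
                msg = op.find(WSDL + direction)
                if msg is not None:
                    # Binding- and operation-level references reach both
                    # directions; only those under input/output are per-message.
                    result[(op.get("name"), direction)] = (
                        refs(binding) + refs(op) + refs(msg))
    return result

# Constructed sample: binding, operation and policy names are hypothetical.
SAMPLE_WSDL = """
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:wsp="http://www.w3.org/ns/ws-policy">
  <wsdl:binding name="EchoBinding" type="EchoPortType">
    <wsp:PolicyReference URI="#BindingPolicy"/>
    <wsdl:operation name="echo">
      <wsp:PolicyReference URI="#EncryptBody"/>
      <wsdl:input/><wsdl:output/>
    </wsdl:operation>
    <wsdl:operation name="ping">
      <wsdl:input><wsp:PolicyReference URI="#EncryptBody"/></wsdl:input>
      <wsdl:output/>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>
"""

if __name__ == "__main__":
    for (op, direction), uris in effective_policies(SAMPLE_WSDL).items():
        print(f"{op:5} {direction:6} {uris}")
```

Only the `ping` operation ends up with an encryption policy on the request and none on the response; in `echo` the operation-level reference is in scope for both messages.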