CXF-8137

Using SecurityConstants.VALIDATE_TOKEN with WSS4JInInterceptor no longer allows skipping validation of token


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.10
    • Fix Version/s: 3.3.5, 3.2.12
    • Component/s: WS-* Components
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      Have been using SecurityConstants.VALIDATE_TOKEN=false to skip validation of UsernameToken with CXF 3.2.x successfully for a long time but this feature broke in 3.2.10.

      The reason is that the method getSecurityEngine(boolean utWithCallbacks) in WSS4JInInterceptor returns a different SecurityEngine than before.

      Up to version 3.2.9, using SecurityConstants.VALIDATE_TOKEN=false this method gave a WSSecurityEngine which had a WSSConfig with a validatorMap where the validator for "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" was an org.apache.wss4j.dom.validate.NoOpValidator.

      From 3.2.10 it gives a WSSecurityEngine that has a WSSConfig with a validatorMap where the validator for "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" is an org.apache.wss4j.dom.validate.UsernameTokenValidator, and hence the validation is NOT skipped anymore.

      Should this feature still work for 3.2.10 or has it been removed on purpose?

      Could probably be solved by just switching the order of the if-statements in getSecurityEngine(boolean utWithCallbacks).
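To see which behaviour a deployment actually has after upgrading, the following added example (not CXF's or the reporter's code) wires a WSSecurityEngine both ways the report describes and checks which Validator is registered for the UsernameToken QName. It assumes WSS4J 2.x on the classpath and builds the WSSConfig directly instead of going through WSS4JInInterceptor.getSecurityEngine, which is protected and would need a subclass to reach.

```java
import javax.xml.namespace.QName;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngine;
import org.apache.wss4j.dom.validate.NoOpValidator;
import org.apache.wss4j.dom.validate.UsernameTokenValidator;
import org.apache.wss4j.dom.validate.Validator;

/** Audits which Validator a WSSecurityEngine applies to wsse:UsernameToken (added example). */
public final class UsernameTokenValidatorAudit {

    // Same QName the issue quotes: {...wssecurity-secext-1.0.xsd}UsernameToken
    static final QName UT = WSConstants.USERNAME_TOKEN;

    /** True if the engine really validates the token; false if a NoOpValidator is installed. */
    public static boolean validatesUsernameToken(WSSecurityEngine engine) throws WSSecurityException {
        Validator v = engine.getWssConfig().getValidator(UT);
        if (v == null) {
            throw new IllegalStateException("no validator registered for " + UT);
        }
        return !(v instanceof NoOpValidator);
    }

    /** Engine wired as the reporter observed up to 3.2.9 with VALIDATE_TOKEN=false. */
    public static WSSecurityEngine engineSkippingValidation() {
        return engineWith(new NoOpValidator());
    }

    /** Engine wired as the reporter observed from 3.2.10 on: validation active. */
    public static WSSecurityEngine engineValidating() {
        return engineWith(new UsernameTokenValidator());
    }

    private static WSSecurityEngine engineWith(Validator utValidator) {
        WSSConfig config = WSSConfig.getNewInstance(); // default map already maps UT to UsernameTokenValidator
        config.setValidator(UT, utValidator);
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(config);
        return engine;
    }

    public static void main(String[] args) throws WSSecurityException {
        System.out.println("3.2.9-style engine validates UsernameToken:  "
            + validatesUsernameToken(engineSkippingValidation()));
        System.out.println("3.2.10-style engine validates UsernameToken: "
            + validatesUsernameToken(engineValidating()));
    }
}
```

Running the same check against the engine your real interceptor hands out tells you whether the property is being honoured or whether validation is quietly happening twice.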

People

• Assignee: coheigea Colm O hEigeartaigh
• Reporter: bjorn.hilstad Bjørn Hilstad