CXF / CXF-8986

Ws-security-policy: if more policies are used in the same JVM, their algorithm suites influence each other


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Not A Problem
    • 4.0.4
    • None
    • WS-* Components
    • None
    • Unknown

    Description

      I'm fixing some tests in quarkus-cxf and I found a behavior which seems to be not desired. On the other hand I might be missing some information and this behavior is expected.

      Reproducer:

      1. Clone and build https://github.com/JiriOndrusek/quarkus-cxf/tree/suite-influence-reprodocer
      2. Run (with remote debug)
        ./mvnw clean test -f integration-tests/ws-security-policy -Dtest="EncryptSignPolicyTest#helloEncryptSign" -Dmaven.surefire.debug

        Check value of effectivePolicy in this line https://github.com/apache/cxf/blob/main/rt/ws/policy/src/main/java/org/apache/cxf/ws/policy/PolicyOutInterceptor.java#L98
        Look into

        effectivePolicy->policy->policyComponents->exactlyOne->policyComponents->all->policyComponents->asymmetricBinding->algorithmSuite->algorithmSuiteType

        Value is Basic256

      3. Run a different test by this command
        ./mvnw clean test -f integration-tests/ws-security-policy -Dtest="CustomEncryptSignPolicyTest#helloDefaultCustomValues" -Dmaven.surefire.debug

        Debug the same place and you can see that the algorithmSuiteType is CustomAlgorithmSuite

      4. Now run both tests together by
        ./mvnw clean test -f integration-tests/ws-security-policy -Dtest="EncryptSignPolicyTest#helloEncryptSign,CustomEncryptSignPolicyTest#helloDefaultCustomValues" -Dmaven.surefire.debug

        The first breakpoint is triggered by CustomEncryptSignPolicyTest#helloDefaultCustomValues and you can see that the algorithmSuiteType is CustomAlgorithmSuite
        The second breakpoint belongs to EncryptSignPolicyTest#helloEncryptSign, but the value in the effectivePolicy->..->asymmetricBinding is CustomAlgorithmSuite

      This is wrong, the correct value should be Basic256

      I changed test `CustomEncryptSignPolicyTest#helloDefaultCustomValues` to use Basic128Rsa15 (to verify that the culprit is not the customAlgorithmSuite) and the result was wrong as with default values.
      Single execution showed Basic128Rsa15 or Basic256 (depends on the test), but execution of both tests showed Basic128Rsa15 in both cases.

      I think that the behavior is wrong. I have a test suite running on a FIPS machine. If tests are executed alone, all works correctly (some tests assert success, some tests assert failure). If I run tests together, the tests which should fail are successful.


          People

            Unassigned Unassigned
            jondruse Jiri Ondrusek