Posted to users@cxf.apache.org by "Shults, Benji" <Be...@ecologicanalytics.com> on 2013/03/27 20:14:19 UTC

WSS4JInInterceptor setting SECURITY_PROCESSED when no security header provided

I’m using CXF 2.7.3.

The WSS4JInInterceptor is setting SECURITY_PROCESSED to Boolean.TRUE and the service is invoked when no SOAP Security header is provided.  Is this the expected behavior?  I would expect security processing to fail if no security header is provided.

My password callback function is never called and the service is invoked.  What am I missing?

Is this because the WSDL doesn’t mention any security policy (or any policy for that matter)?  What do I need to do in such a case?

Here’s my spring config excerpt.

    <jaxws:endpoint id="eventNotificationEndpoint"
            implementor="#eventNotificationEndpointImpl" address="/eventNotification">
        <jaxws:properties>
            <entry key="schema-validation-enabled" value="true" />
            <!-- The following two properties are set because we are using such an
                 old version of ehcache. Delete these when we upgrade EhCache. -->
            <entry key="ws-security.nonce.cache.instance" value-ref="nonceMemoryReplayCache" />
            <entry key="ws-security.timestamp.cache.instance" value-ref="timestampMemoryReplayCache" />
        </jaxws:properties>
        <jaxws:inInterceptors>
            <ref bean="loggingInInterceptor" />
            <bean id="eventNotificationMeterSecurityEnabledCheckIncomingInterceptor"
                    class="com.ecologic.components.server.security.webservices.interceptors.SecurityEnabledCheckInInterceptor"
                    p:securityManager-ref="securityManager"
                    p:webServiceAuthStrategyDao-ref="wsDestinationDao" p:endpointName="EventNotification"
                    p:endpointType="WS_SERVER_INT" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken Timestamp" />
                        <entry key="passwordType" value="PasswordDigest" />
                        <entry key="passwordCallbackRef">
                            <bean parent="securityServiceForWebserviceWithDigest"
                                    p:endpointName="EventNotification" />
                        </entry>
                    </map>
                </constructor-arg>
                <property name="ignoreActions" value="true" />
            </bean>
        </jaxws:inInterceptors>
        <jaxws:outInterceptors>
            <ref bean="loggingOutInterceptor" />
            <ref bean="securityEnabledCheckOutgoingInterceptor" />
        </jaxws:outInterceptors>
    </jaxws:endpoint>

Cheers,

Benji





RE: WSS4JInInterceptor setting SECURITY_PROCESSED when no security header provided

Posted by "Shults, Benji" <Be...@ecologicanalytics.com>.
Colm,

Thanks, that was it.

Benji

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Thursday, March 28, 2013 5:11 AM
To: users@cxf.apache.org
Subject: Re: WSS4JInInterceptor setting SECURITY_PROCESSED when no security header provided

Hi Benji,

It is not throwing an exception because you have defined the following
property:

<property name="ignoreActions" value="true" />


That is telling the WSS4JInInterceptor not to bother matching configured
Actions against what was actually processed. This property is not really
intended to be used under normal circumstances. The
PolicyBasedWSS4JInInterceptor sets it to true as it does its own
verification of what security actions were performed.

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Re: WSS4JInInterceptor setting SECURITY_PROCESSED when no security header provided

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Benji,

It is not throwing an exception because you have defined the following
property:

<property name="ignoreActions" value="true" />


That is telling the WSS4JInInterceptor not to bother matching configured
Actions against what was actually processed. This property is not really
intended to be used under normal circumstances. The
PolicyBasedWSS4JInInterceptor sets it to true as it does its own
verification of what security actions were performed.

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
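
A static check for the setting discussed in this thread, as an added example that is not part of the original messages or of CXF: it scans a Spring configuration for WSS4JInInterceptor beans whose ignoreActions is true, so the configured action list is not enforced. The sample XML, the endpoint ids and the function name find_ignore_actions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"
P_ATTR = "{http://www.springframework.org/schema/p}ignoreActions"
WSS4J_IN = "org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"

# Constructed sample config (not from the thread): two endpoints disable
# action matching (one via <property>, one via p: shorthand), one does not.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:jaxws="http://cxf.apache.org/jaxws">
  <jaxws:endpoint id="weakA"><jaxws:inInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
      <constructor-arg><map><entry key="action" value="UsernameToken Timestamp"/></map></constructor-arg>
      <property name="ignoreActions" value="true"/>
    </bean>
  </jaxws:inInterceptors></jaxws:endpoint>
  <jaxws:endpoint id="weakB"><jaxws:inInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
          p:ignoreActions="TRUE"/>
  </jaxws:inInterceptors></jaxws:endpoint>
  <jaxws:endpoint id="strict"><jaxws:inInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"/>
  </jaxws:inInterceptors></jaxws:endpoint>
</beans>"""

def find_ignore_actions(xml_text):
    """Return (owner id, configured action) per WSS4JInInterceptor with ignoreActions=true."""
    findings = []

    def walk(elem, owner):
        owner = elem.get("id") or owner  # nearest enclosing element that has an id
        if elem.tag == BEANS + "bean" and elem.get("class") == WSS4J_IN:
            flag = elem.get(P_ATTR)  # p:ignoreActions shorthand, if present
            for prop in elem.findall(BEANS + "property"):
                if prop.get("name") == "ignoreActions":
                    flag = prop.get("value")
            if (flag or "").strip().lower() == "true":
                action = next((e.get("value") for e in elem.iter(BEANS + "entry")
                               if e.get("key") == "action"), None)
                findings.append((owner, action))
        for child in elem:
            walk(child, owner)
    walk(ET.fromstring(xml_text), None)
    return findings

if __name__ == "__main__":
    for owner, action in find_ignore_actions(SAMPLE):
        print(f"{owner}: ignoreActions=true, configured action {action!r} is not enforced")
```

Property placeholders such as `${...}` are not resolved by this check, so a flag supplied that way needs a manual look.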