Posted to issues@cxf.apache.org by "Bjørn Hilstad (Jira)" <ji...@apache.org> on 2019/10/25 09:31:00 UTC
[jira] [Created] (CXF-8137) Using SecurityConstants.VALIDATE_TOKEN with WSS4JInInterceptor no longer allows skipping validation of token
Bjørn Hilstad created CXF-8137:
----------------------------------
Summary: Using SecurityConstants.VALIDATE_TOKEN with WSS4JInInterceptor no longer allows skipping validation of token
Key: CXF-8137
URL: https://issues.apache.org/jira/browse/CXF-8137
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 3.2.10
Reporter: Bjørn Hilstad
I have been using SecurityConstants.VALIDATE_TOKEN=false to skip validation of the UsernameToken with CXF 3.2.x successfully for a long time, but this feature broke in 3.2.10.
The reason is that the method getSecurityEngine(boolean utWithCallbacks) in WSS4JInInterceptor returns a different SecurityEngine than before.
Up to version 3.2.9, with SecurityConstants.VALIDATE_TOKEN=false, this method gave a WSSecurityEngine which had a WSSConfig with a validatorMap where the validator for "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" was an org.apache.wss4j.dom.validate.NoOpValidator.
From 3.2.10 it gives a WSSecurityEngine that has a WSSConfig with a validatorMap where the validator for "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" is an org.apache.wss4j.dom.validate.UsernameTokenValidator, and hence the validation is NOT skipped anymore.
Should this feature still work for 3.2.10 or has it been removed on purpose?
This could probably be solved by just switching the order of the if-statements in getSecurityEngine(boolean utWithCallbacks).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
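A regression check for the behaviour the report describes, as an added example that is not part of the issue or of CXF's own code. It subclasses WSS4JInInterceptor only to reach the protected getSecurityEngine(boolean) factory named in the report, reads the Validator registered for wsse:UsernameToken in the resulting engine's WSSConfig, and then shows an explicit validator-map configuration that does not depend on the branch ordering inside that method. It assumes CXF 3.2.x with WSS4J 2.x on the classpath, that getSecurityEngine(boolean) is still protected and returns null when the interceptor should fall back to a default WSSecurityEngine, and that the WSS4JInInterceptor constructor honours WSS4JInInterceptor.VALIDATOR_MAP; all of these are assumptions about the reader's version, not statements from the report.

```java
import java.util.HashMap;
import java.util.Map;
import javax.xml.namespace.QName;

import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngine;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.validate.NoOpValidator;
import org.apache.wss4j.dom.validate.Validator;

/**
 * Example written for this page, not CXF project code.
 * Inspects which WSS4J Validator WSS4JInInterceptor would apply to
 * wsse:UsernameToken for each value of utWithCallbacks (the boolean the
 * interceptor derives from ws-security.validate.token), and shows an
 * explicit validator map as an alternative to that switch.
 * Assumes CXF 3.2.x / WSS4J 2.x and a protected getSecurityEngine(boolean).
 */
public class ValidateTokenCheck {

    /** Subclass only to reach the protected factory the report refers to. */
    static class InspectableInterceptor extends WSS4JInInterceptor {
        InspectableInterceptor(Map<String, Object> props) {
            super(props);
        }

        WSSecurityEngine engineFor(boolean utWithCallbacks) {
            return getSecurityEngine(utWithCallbacks);
        }
    }

    /**
     * Simple class name of the Validator registered for UsernameToken in the
     * engine's WSSConfig. utWithCallbacks == false is the "skip validation"
     * case. A null engine is assumed to mean "use a default WSSecurityEngine",
     * whose stock WSSConfig registers UsernameTokenValidator.
     */
    static String usernameTokenValidator(InspectableInterceptor in, boolean utWithCallbacks) {
        WSSecurityEngine engine = in.engineFor(utWithCallbacks);
        if (engine == null) {
            engine = new WSSecurityEngine();
        }
        Validator v = engine.getWssConfig().getValidator(WSConstants.USERNAME_TOKEN);
        return v == null ? "<none>" : v.getClass().getSimpleName();
    }

    /** Minimal inbound configuration: only the UsernameToken action. */
    static Map<String, Object> baseProps() {
        Map<String, Object> props = new HashMap<>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        return props;
    }

    public static void main(String[] args) {
        // 1. The setup from the report. ws-security.validate.token itself is a
        //    contextual endpoint/message property read at runtime, so the test
        //    passes its effect (utWithCallbacks) to the factory directly.
        InspectableInterceptor plain = new InspectableInterceptor(baseProps());
        String skipped = usernameTokenValidator(plain, false);
        String checked = usernameTokenValidator(plain, true);
        System.out.println("validate.token=false -> " + skipped);
        System.out.println("validate.token=true  -> " + checked);
        if (!"NoOpValidator".equals(skipped)) {
            System.out.println("REGRESSION: UsernameToken is still validated with validate.token=false");
        }

        // 2. Explicit alternative: register the NoOpValidator yourself through the
        //    validator map, which the constructor turns into the engine override.
        //    (Assumes WSS4JInInterceptor.VALIDATOR_MAP is honoured in your version.)
        Map<QName, Object> validators = new HashMap<>();
        validators.put(WSConstants.USERNAME_TOKEN, new NoOpValidator());
        Map<String, Object> props = baseProps();
        props.put(WSS4JInInterceptor.VALIDATOR_MAP, validators);
        InspectableInterceptor explicit = new InspectableInterceptor(props);
        System.out.println("explicit validator-map -> " + usernameTokenValidator(explicit, true));
    }
}
```

On the versions the reporter describes as working, the first line printed should name NoOpValidator; the second, and the first on 3.2.10 as reported, name UsernameTokenValidator. Whichever route is used to skip WSS4J's check, the practitioner's caveat is the same: a NoOpValidator means the password in the UsernameToken is compared with nothing, so some downstream code must authenticate the received token itself, or any well-formed token is accepted.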