Posted to issues@cxf.apache.org by "Oleh Faizulin (JIRA)" <ji...@apache.org> on 2012/11/12 22:49:12 UTC

[jira] [Created] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

Oleh Faizulin created CXF-4629:
----------------------------------

             Summary: Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser
                 Key: CXF-4629
                 URL: https://issues.apache.org/jira/browse/CXF-4629
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.7.0, 2.6.3
            Reporter: Oleh Faizulin
            Priority: Critical


Hello All,

We are running CXF web services with the following configuration:

web.xml
{noformat}
    <servlet>
        <servlet-name>cxf</servlet-name>
        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>cxf</servlet-name>
        <url-pattern>/ls/*</url-pattern>
    </servlet-mapping>
{noformat}

spring config:
{noformat}
    <!-- ######################################### -->
    <beans:import resource="classpath:META-INF/cxf/cxf.xml" />
    <beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
    <beans:import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />

    <jaxws:endpoint id="lsWebEndpoint"
        implementor="${our endpoint class}"
        address="/api" >

        <jaxws:inInterceptors>
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken"/>
                        <entry key="passwordType" value="PasswordText"/>
                        <entry key="passwordCallbackClass" value="${our password callback impl}"/>
                    </map>
                </constructor-arg>
            </bean>
        </jaxws:inInterceptors>

    </jaxws:endpoint>
{noformat}

And we discovered that all our web services are accessible via browser (HTTP Get) without any authentication. 
For instance:
{noformat}
http://localhost:8181/ls/api/test?a=10&b=20
{noformat}
returns
{noformat}
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns2:testResponse xmlns:ns2="${our namespace}">
<return>30</return>
</ns2:testResponse>
</soap:Body>
</soap:Envelope>
{noformat}

The reason is the following code in WSS4JInInterceptor:
{noformat}
    public final boolean isGET(SoapMessage message) {
        String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
        return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
    }
    
    public void handleMessage(SoapMessage msg) throws Fault {
        if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
            return;   // a GET that carries no XML body skips WS-Security processing entirely
        }
    ...
{noformat}

I was not able to find anything specific on Google about why GET methods are always allowed.

However it's somehow related to CXF-3170:
Please see http://cxf.547215.n5.nabble.com/svn-commit-r1062014-in-cxf-branches-2-3-x-fixes-rt-ws-security-src-main-java-org-apache-cxf-ws-secura-tt3352201.html#none

Also I found the following thread on StackOverflow without an answer:
http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests

Please advise on this issue.

Regards,
Oleh.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

Posted by "Oleh Faizulin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleh Faizulin updated CXF-4629:
-------------------------------

    Description: 
Hello All,

We are running CXF web services with the following configuration:

web.xml
{noformat}
    <servlet>
        <servlet-name>cxf</servlet-name>
        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>cxf</servlet-name>
        <url-pattern>/ls/*</url-pattern>
    </servlet-mapping>
{noformat}

spring config:
{noformat}
    <!-- ######################################### -->
    <beans:import resource="classpath:META-INF/cxf/cxf.xml" />
    <beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
    <beans:import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />

    <jaxws:endpoint id="lsWebEndpoint"
        implementor="${our endpoint class}"
        address="/api" >

        <jaxws:inInterceptors>
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                    <map>
                        <entry key="action" value="UsernameToken"/>
                        <entry key="passwordType" value="PasswordText"/>
                        <entry key="passwordCallbackClass" value="${our password callback impl}"/>
                    </map>
                </constructor-arg>
            </bean>
        </jaxws:inInterceptors>

    </jaxws:endpoint>
{noformat}

And we discovered that all our web services are accessible via browser (HTTP Get) without any authentication. 
For instance:
{noformat}
http://localhost:8181/ls/api/test?a=10&b=20
{noformat}
{noformat}
@WebService
public class WSEndpoint {

    @WebMethod
    public int test(@WebParam(name = "a") int a,
                    @WebParam(name = "b") int b) {
        return a + b;
    }
}
{noformat}
returns
{noformat}
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns2:testResponse xmlns:ns2="${our namespace}">
<return>30</return>
</ns2:testResponse>
</soap:Body>
</soap:Envelope>
{noformat}

The reason is the following code in WSS4JInInterceptor:
{noformat}
    public final boolean isGET(SoapMessage message) {
        String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
        return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
    }
    
    public void handleMessage(SoapMessage msg) throws Fault {
        if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
            return;   // a GET that carries no XML body skips WS-Security processing entirely
        }
    ...
{noformat}

I was not able to find anything specific on Google about why GET methods are always allowed.

However it's somehow related to CXF-3170:
Please see http://cxf.547215.n5.nabble.com/svn-commit-r1062014-in-cxf-branches-2-3-x-fixes-rt-ws-security-src-main-java-org-apache-cxf-ws-secura-tt3352201.html#none

Also I found the following thread on StackOverflow without an answer:
http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests

Please advise on this issue.

Regards,
Oleh.



[jira] [Commented] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

Posted by "Freeman Fang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13495816#comment-13495816 ] 

Freeman Fang commented on CXF-4629:
-----------------------------------

Hi,

WSS4JInInterceptor is used for WS-Security, and WS-Security is based on the SOAP message. IIRC, all SOAP messages are carried via POST, not GET. Honestly I'm a little bit surprised this GET request could pass through all the other interceptors and invoke the method; could you please post the on-wire request message?

Freeman
                


[jira] [Comment Edited] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

Posted by "Oleh Faizulin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496475#comment-13496475 ] 

Oleh Faizulin edited comment on CXF-4629 at 11/13/12 7:47 PM:
--------------------------------------------------------------

Freeman,

I don't get what you mean by *the on-wire request message*.

I just start browser, write
{noformat}http://localhost:8181/ls/api/test?a=10&b=20{noformat}
press enter and get result from web service.

Anyway, to fix the problem we introduced our custom interceptor.

{noformat}
<jaxws:inInterceptors>
            <bean class="com.ourpackage.RequestFilterInterceptor" />         <---- This one
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
{noformat}



{noformat}
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPMessage;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor;
import org.apache.ws.security.WSSecurityException;

/**
 * @author Aquanox
 * @date 13.11.2012 14:46
 */
public class RequestFilterInterceptor extends AbstractWSS4JInterceptor {

    public RequestFilterInterceptor() {
        super();
        setPhase(Phase.PRE_PROTOCOL);
    }

    /**
     * Rejects any request that reaches the security phase without a SAAJ SOAPMessage,
     * i.e. a GET that carried no SOAP envelope, instead of letting it through unauthenticated.
     */
    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        if (message.getContent(SOAPMessage.class) == null) {
            throw createSoapFault(message.getVersion(), new WSSecurityException(WSSecurityException.INVALID_SECURITY));
        }
    }

    /**
     * Create a SoapFault from a WSSecurityException, following the SOAP Message Security
     * 1.1 specification, chapter 12 "Error Handling".
     *
     * When the Soap version is 1.1 then set the Fault/Code/Value from the fault code
     * specified in the WSSecurityException (if it exists).
     *
     * Otherwise set the Fault/Code/Value to env:Sender and the Fault/Code/Subcode/Value
     * as the fault code from the WSSecurityException.
     */
    private SoapFault createSoapFault(SoapVersion version, WSSecurityException e) {
        SoapFault fault;
        QName faultCode = e.getFaultCode();
        if (version.getVersion() == 1.1 && faultCode != null) {
            fault = new SoapFault(e.getMessage(), e, faultCode);
        } else {
            fault = new SoapFault(e.getMessage(), e, version.getSender());
            if (version.getVersion() != 1.1 && faultCode != null) {
                fault.setSubCode(faultCode);
            }
        }
        return fault;
    }
}
{noformat}
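As an added defence-in-depth example (not code from this issue, from its reporter, or from the CXF project): the bypass described in the report exists because a GET with a query string is turned into an operation call before WSS4JInInterceptor's isGET check skips security. The interceptor below, using the CXF 2.x public API (Message.HTTP_REQUEST_METHOD, Message.QUERY_STRING, AbstractPhaseInterceptor, Fault), refuses such GETs at the RECEIVE phase, the first inbound phase, while still allowing the ?wsdl and ?xsd metadata queries; the class name RejectGetInterceptor and the three sample requests in main are constructed for this example.

```java
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Rejects HTTP GET requests to a SOAP endpoint before any URI-to-SOAP mapping
 * can turn query parameters into an operation invocation. Only the metadata
 * queries (?wsdl, ?wsdl=..., ?xsd=...) are let through, since those are the
 * legitimate use of GET on a SOAP endpoint. Register it in the endpoint's
 * <jaxws:inInterceptors> list alongside the WSS4JInInterceptor (hypothetical
 * class name; not part of CXF).
 */
public class RejectGetInterceptor extends AbstractPhaseInterceptor<Message> {

    public RejectGetInterceptor() {
        super(Phase.RECEIVE); // earliest inbound phase, ahead of READ / PRE_PROTOCOL
    }

    /** Decision logic kept separate from CXF plumbing so it can be unit-tested. */
    static boolean shouldReject(String method, String query) {
        if (!"GET".equalsIgnoreCase(method)) {
            return false; // POST (and anything else) is left to WS-Security as usual
        }
        if (query == null || query.isEmpty()) {
            return false; // bare GET on the address only yields CXF's info page
        }
        String q = query.toLowerCase(java.util.Locale.ROOT);
        // ?wsdl / ?xsd=... are metadata requests; anything else (e.g. a=10&b=20)
        // is an attempt to invoke an operation without a SOAP envelope.
        return !(q.startsWith("wsdl") || q.startsWith("xsd"));
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        String query = (String) message.get(Message.QUERY_STRING);
        if (shouldReject(method, query)) {
            Fault fault = new Fault(new SecurityException(
                "HTTP GET is not accepted on this SOAP endpoint; send a SOAP envelope via POST"));
            fault.setStatusCode(405); // Method Not Allowed instead of the default 500
            throw fault;
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests: the browser URL from the report, a WSDL query,
        // and a normal SOAP POST. Only the first one is rejected.
        MessageImpl browserCall = new MessageImpl();
        browserCall.put(Message.HTTP_REQUEST_METHOD, "GET");
        browserCall.put(Message.QUERY_STRING, "a=10&b=20");

        MessageImpl wsdlQuery = new MessageImpl();
        wsdlQuery.put(Message.HTTP_REQUEST_METHOD, "GET");
        wsdlQuery.put(Message.QUERY_STRING, "wsdl");

        MessageImpl soapPost = new MessageImpl();
        soapPost.put(Message.HTTP_REQUEST_METHOD, "POST");

        RejectGetInterceptor interceptor = new RejectGetInterceptor();
        for (MessageImpl m : new MessageImpl[] {browserCall, wsdlQuery, soapPost}) {
            String label = m.get(Message.HTTP_REQUEST_METHOD) + " ?" + m.get(Message.QUERY_STRING);
            try {
                interceptor.handleMessage(m);
                System.out.println("allowed : " + label);
            } catch (Fault f) {
                System.out.println("rejected: " + label + " -> HTTP " + f.getStatusCode());
            }
        }
    }
}
```

This complements rather than replaces the reporter's RequestFilterInterceptor: that one checks for a parsed SOAP envelope at the security phase, while this one stops the GET before CXF tries to map its query string onto an operation at all.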
                


[jira] [Resolved] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-4629.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.7.1
                   2.6.4
                   2.5.7

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp updated CXF-4629:
-----------------------------

    Assignee: Daniel Kulp
    

[jira] [Commented] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

Posted by "Freeman Fang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496654#comment-13496654 ] 

Freeman Fang commented on CXF-4629:
-----------------------------------

Thanks Dan for this clarification; I think you mean the URIMappingInterceptor.
And +1 for your suggestion.

Freeman

[jira] [Commented] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496513#comment-13496513 ] 

Daniel Kulp commented on CXF-4629:
----------------------------------


This is due to the URIMappingInterceptor.  

As a bit of history: this interceptor was added a very very long time ago to enable some basic "rest style" access to various SOAP services. This pretty much predates all the "real" attempts at REST within CXF, even the old http-binding that has now been removed. With JAX-RS, there is less value in this interceptor. That said, I know it's used, as we did provide fixes to it last year (CXF-3499, CXF-3480, CXF-2697).

What I'd like to do to fix this is:

1) In WSS4JInInterceptor, set a flag to make sure the URIInInterceptor is bypassed (or remove the URIInInterceptor off the chain).   Port this back to 2.5/2.6

2) For 2.7.1/trunk, remove the URIInInterceptor off the default chain.  Leave the class in the codebase so a user could configure it in if they require it, marked @Deprecated.

3) At some point in the future, completely remove it.  With the JAX-RS support, we now have MUCH MUCH better ways of handling REST, even in conjunction with the SOAP endpoints.

Any concerns or other ideas?
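
One way to carry out the chain-removal variant of step 1 above, as an added example written for this thread (it is not CXF code and not the fix the project committed): a SOAP interceptor in an assumed package `com.example.cxf` that runs in PRE_PROTOCOL, applies the same bodyless-GET test as the isGET() quoted in the issue, and removes every URIMappingInterceptor from the inbound chain so a query-string GET is no longer dispatched to an operation. It assumes URIMappingInterceptor is `org.apache.cxf.interceptor.URIMappingInterceptor` and runs in the later UNMARSHAL phase; the class and method names are the example's own.

```java
package com.example.cxf; // assumed package; this class is not part of CXF

import java.util.ArrayList;
import java.util.List;

import javax.xml.stream.XMLStreamReader;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.Interceptor;
import org.apache.cxf.interceptor.InterceptorChain;
import org.apache.cxf.interceptor.URIMappingInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.Phase;

/**
 * Removes URIMappingInterceptor from the inbound chain for a bodyless HTTP GET,
 * the exact request shape that WSS4JInInterceptor.isGET() waves through without
 * checking the UsernameToken. Without the mapping interceptor a query-string
 * request such as /ls/api/test?a=10&b=20 is no longer turned into an operation
 * call, so the unauthenticated path is closed while ordinary SOAP POSTs, which
 * still go through WSS4JInInterceptor, are untouched.
 */
public class DisableGetDispatchInterceptor extends AbstractSoapInterceptor {

    public DisableGetDispatchInterceptor() {
        // PRE_PROTOCOL precedes UNMARSHAL (assumed to be URIMappingInterceptor's
        // phase), so the removal happens before any URI-to-operation mapping.
        super(Phase.PRE_PROTOCOL);
    }

    /** Same test as the quoted isGET(): HTTP GET with no XML body to parse. */
    static boolean isBodylessGet(Message message) {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
    }

    /** Removes every URIMappingInterceptor from the chain; returns how many were removed. */
    static int dropUriMapping(InterceptorChain chain) {
        // Collect first, then remove: never mutate the chain while iterating it.
        List<Interceptor<? extends Message>> victims = new ArrayList<Interceptor<? extends Message>>();
        for (Interceptor<? extends Message> i : chain) {
            if (i instanceof URIMappingInterceptor) {
                victims.add(i);
            }
        }
        for (Interceptor<? extends Message> i : victims) {
            chain.remove(i);
        }
        return victims.size();
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        if (isBodylessGet(message)) {
            dropUriMapping(message.getInterceptorChain());
        }
        // Any other request (a real SOAP envelope) proceeds to WSS4JInInterceptor as before.
    }
}
```

Register it as `<bean class="com.example.cxf.DisableGetDispatchInterceptor"/>` inside the endpoint's `<jaxws:inInterceptors>` next to the existing beans. A browser GET then fails further down the chain instead of returning a result; if an explicit security fault is preferred, throw a SoapFault from handleMessage instead, as the RequestFilterInterceptor posted later in this thread does.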

[jira] [Commented] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser

Posted by "Oleh Faizulin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496475#comment-13496475 ] 

Oleh Faizulin commented on CXF-4629:
------------------------------------

Freeman,

I don't get what you mean by *could you please post the on-wire request message*.

I just start a browser, type
{noformat}http://localhost:8181/ls/api/test?a=10&b=20{noformat}
press Enter and get the result from the web service.

Anyway, to fix the problem we introduced our custom interceptor.

{noformat}
<jaxws:inInterceptors>
            <bean class="com.ourpackage.RequestFilterInterceptor" />         <---- This one
            <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
{noformat}



{noformat}
import javax.xml.soap.SOAPMessage;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor;
import org.apache.ws.security.WSSecurityException;

/**
 * @author Aquanox
 * @date 13.11.2012 14:46
 */
public class RequestFilterInterceptor extends AbstractWSS4JInterceptor {

    public RequestFilterInterceptor() {
        super();
        // Same phase as WSS4JInInterceptor, so this runs once the SAAJ model has been built.
        setPhase(Phase.PRE_PROTOCOL);
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        // A request without a SOAP envelope (e.g. a browser GET) never gets a SAAJ
        // SOAPMessage, so reject it here instead of letting it reach an operation.
        if (message.getContent(SOAPMessage.class) == null) {
            throw createSoapFault(message.getVersion(), new WSSecurityException(WSSecurityException.INVALID_SECURITY));
        }
    }

    /**
     * Create a SoapFault from a WSSecurityException, following the SOAP Message Security
     * 1.1 specification, chapter 12 "Error Handling".
     *
     * When the Soap version is 1.1 then set the Fault/Code/Value from the fault code
     * specified in the WSSecurityException (if it exists).
     *
     * Otherwise set the Fault/Code/Value to env:Sender and the Fault/Code/Subcode/Value
     * as the fault code from the WSSecurityException.
     */
    private SoapFault createSoapFault(SoapVersion version, WSSecurityException e) {
        SoapFault fault;
        javax.xml.namespace.QName faultCode = e.getFaultCode();
        if (version.getVersion() == 1.1 && faultCode != null) {
            fault = new SoapFault(e.getMessage(), e, faultCode);
        } else {
            fault = new SoapFault(e.getMessage(), e, version.getSender());
            if (version.getVersion() != 1.1 && faultCode != null) {
                fault.setSubCode(faultCode);
            }
        }
        return fault;
    }
}
{noformat}