Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/01/15 10:25:01 UTC

[jira] [Closed] (CXF-8137) Using SecurityConstants.VALIDATE_TOKEN with WSS4JInInterceptor no longer allows skipping validation of token

     [ https://issues.apache.org/jira/browse/CXF-8137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-8137.
------------------------------------

> Using SecurityConstants.VALIDATE_TOKEN with WSS4JInInterceptor no longer allows skipping validation of token
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8137
>                 URL: https://issues.apache.org/jira/browse/CXF-8137
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.2.10
>            Reporter: Bjørn Hilstad
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.3.5, 3.2.12
>
>
> Have been using SecurityConstants.VALIDATE_TOKEN=false to skip validation of UsernameToken with CXF 3.2.x successfully for a long time, but this feature broke in 3.2.10.
> The reason is that the method getSecurityEngine(boolean utWithCallbacks) in WSS4JInInterceptor returns a different SecurityEngine than before.
> Up to version 3.2.9, using SecurityConstants.VALIDATE_TOKEN=false, this method gave a WSSecurityEngine which had a WSSConfig with a validatorMap where the validator for "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" was an org.apache.wss4j.dom.validate.NoOpValidator.
> From 3.2.10 it gives a WSSecurityEngine that has a WSSConfig with a validatorMap where the validator for "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken" is an org.apache.wss4j.dom.validate.UsernameTokenValidator, and hence the validation is NOT skipped anymore.
> Should this feature still work for 3.2.10 or has it been removed on purpose?
> Could probably be solved by just switching the order of the if-statements in getSecurityEngine(boolean utWithCallbacks).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)