Posted to issues@cxf.apache.org by "Marc Giger (JIRA)" <ji...@apache.org> on 2008/03/25 22:59:24 UTC
[jira] Created: (CXF-1491) ReadHeadersInterceptor reads too much after parsing soap-header and breaks wss signature
ReadHeadersInterceptor reads too much after parsing soap-header and breaks wss signature
----------------------------------------------------------------------------------------
Key: CXF-1491
URL: https://issues.apache.org/jira/browse/CXF-1491
Project: CXF
Issue Type: Bug
Affects Versions: 2.0.4
Reporter: Marc Giger
Priority: Critical
On line 176 in ReadHeadersInterceptor there is the following code:
    /// advance just past body.
    //xmlReader.nextTag();
    if (message.getVersion().getFault().equals(xmlReader.getName())) {
        Endpoint ep = message.getExchange().get(Endpoint.class);
        if (!isDecoupled(message)) {
            message.getInterceptorChain().abort();
            if (ep.getInFaultObserver() != null) {
                ep.getInFaultObserver().onMessage(message);
            }
        } else {
            message.getExchange().put("deferred.fault.observer.notification", Boolean.TRUE);
        }
    }
xmlReader.nextTag(); reads too much. After the body-element it is possible to have a text-node which is part of the signature-digest when the whole body is signed. With this statement we skip this text-node and as a result the signature is invalid.
xmlReader.next() solves that problem but the code that follows it stops working...of course.
Btw: If I understand the code correctly, if the incoming message is a soap-fault the InFaultChain is called. Is ReadHeadersInterceptor the right place to check for an InFault? What happens when the incoming fault is encrypted? Shouldn't that be moved to a separate interceptor after a possible WSS4JInterceptor is called?
Thanks
Marc
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
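The behaviour reported above, as an added example that is not part of the original report or of CXF: a StAX reader steps into a constructed SOAP Body once with nextTag() and once with next(), and the content a later consumer still sees is hashed. The envelope, the class name and the plain SHA-256 over rebuilt text (standing in for a real canonicalized XML-DSig digest) are assumptions made for illustration.

```java
import java.io.StringReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;

public class NextTagDigestDemo {
    // Constructed sample envelope: whitespace text nodes sit inside the signed Body.
    static final String ENVELOPE =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<soap:Header/><soap:Body>\n  <ping>hello</ping>\n</soap:Body></soap:Envelope>";

    // Advance to <soap:Body>, step into it with nextTag() or next(), then
    // rebuild the Body content that a later consumer would still see.
    static String bodyContent(boolean useNextTag) throws Exception {
        XMLStreamReader r = XMLInputFactory.newInstance()
            .createXMLStreamReader(new StringReader(ENVELOPE));
        while (!(r.isStartElement() && "Body".equals(r.getLocalName()))) {
            r.next();
        }
        StringBuilder seen = new StringBuilder();
        // nextTag() silently consumes whitespace-only text; next() returns it.
        int ev = useNextTag ? r.nextTag() : r.next();
        while (!(ev == XMLStreamConstants.END_ELEMENT && "Body".equals(r.getLocalName()))) {
            if (ev == XMLStreamConstants.START_ELEMENT) {
                seen.append('<').append(r.getLocalName()).append('>');
            } else if (ev == XMLStreamConstants.END_ELEMENT) {
                seen.append("</").append(r.getLocalName()).append('>');
            } else if (r.hasText()) {
                seen.append(r.getText());
            }
            ev = r.next();
        }
        return seen.toString();
    }

    static String sha256(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return new BigInteger(1, d).toString(16);
    }

    public static void main(String[] args) throws Exception {
        String full = bodyContent(false), skipped = bodyContent(true);
        System.out.println("next():    " + sha256(full));
        System.out.println("nextTag(): " + sha256(skipped));
        System.out.println("content identical: " + full.equals(skipped));
    }
}
```

The nextTag() run loses the whitespace that follows the Body start tag, so the two digests differ; canonical XML keeps such whitespace, which is why a signature over the whole body stops verifying.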
[jira] Assigned: (CXF-1491) ReadHeadersInterceptor reads too much after parsing soap-header and breaks wss signature
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1491?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp reassigned CXF-1491:
--------------------------------
Assignee: Daniel Kulp
[jira] Resolved: (CXF-1491) ReadHeadersInterceptor reads too much after parsing soap-header and breaks wss signature
Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-1491?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp resolved CXF-1491.
------------------------------
Resolution: Fixed
Fix Version/s: 2.0.6