You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Dennis Sosnoski (JIRA)" <ji...@apache.org> on 2010/10/06 12:19:31 UTC

[jira] Created: (CXF-3043) CXF does not handle security processing on Fault responses

CXF does not handle security processing on Fault responses
----------------------------------------------------------

                 Key: CXF-3043
                 URL: https://issues.apache.org/jira/browse/CXF-3043
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.2.10
            Reporter: Dennis Sosnoski


CXF ignores WS-Security policy configuration for Fault responses (tested with both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
xmlns:wns="http://ws.sosnoski.com/library/wsdl"
xmlns:tns="http://ws.sosnoski.com/library/types"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">

<!-- Policy for Username Token with hashed password, sent from client to server only -->
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>

<!-- Policy for symmetric binding, using an ephemeral key generated by the client and
sent to the server as part of the request, using asymmetric encryption with the server
public key to secure the symmetric key. -->
<wsp:Policy wsu:Id="SymmEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
</wsp:Policy>

<!-- Policy for encrypting the message body. -->
<wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">

<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
...
<wsdl:operation name="addBook">

<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>

<wsdlsoap:operation soapAction="urn:addBook"/>

<wsdl:input name="addBookRequest">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:input>

<wsdl:output name="addBookResponse">
<wsdlsoap:body use="literal"/>
</wsdl:output>

<wsdl:fault name="addDuplicateFault">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
<wsdlsoap:fault name="addDuplicateFault" use="literal"/>
</wsdl:fault>

</wsdl:operation>
...
(same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple times, in which case the addBook operation always generates a Fault response).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (CXF-3043) CXF does not handle security processing on application-level Fault responses

Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/CXF-3043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Sosnoski updated CXF-3043:
---------------------------------

    Description: 
CXF ignores WS-Security policy configuration for application-level Fault responses (tested with both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
xmlns:wns="http://ws.sosnoski.com/library/wsdl"
xmlns:tns="http://ws.sosnoski.com/library/types"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">

<!-- Policy for Username Token with hashed password, sent from client to server only -->
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>

<!-- Policy for symmetric binding, using an ephemeral key generated by the client and
sent to the server as part of the request, using asymmetric encryption with the server
public key to secure the symmetric key. -->
<wsp:Policy wsu:Id="SymmEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
</wsp:Policy>

<!-- Policy for encrypting the message body. -->
<wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">

<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
...
<wsdl:operation name="addBook">

<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>

<wsdlsoap:operation soapAction="urn:addBook"/>

<wsdl:input name="addBookRequest">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:input>

<wsdl:output name="addBookResponse">
<wsdlsoap:body use="literal"/>
</wsdl:output>

<wsdl:fault name="addDuplicateFault">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
<wsdlsoap:fault name="addDuplicateFault" use="literal"/>
</wsdl:fault>

</wsdl:operation>
...
(same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple times, in which case the addBook operation always generates a Fault response).

  was:
CXF ignores WS-Security policy configuration for Fault responses (tested with both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
<wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
xmlns:wns="http://ws.sosnoski.com/library/wsdl"
xmlns:tns="http://ws.sosnoski.com/library/types"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">

<!-- Policy for Username Token with hashed password, sent from client to server only -->
<wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:HashPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>

<!-- Policy for symmetric binding, using an ephemeral key generated by the client and
sent to the server as part of the request, using asymmetric encryption with the server
public key to secure the symmetric key. -->
<wsp:Policy wsu:Id="SymmEncr"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
</wsp:Policy>

<!-- Policy for encrypting the message body. -->
<wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
...
<wsdl:binding name="LibrarySoapBinding" type="wns:Library">

<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
...
<wsdl:operation name="addBook">

<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>

<wsdlsoap:operation soapAction="urn:addBook"/>

<wsdl:input name="addBookRequest">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
<wsdlsoap:body use="literal"/>
</wsdl:input>

<wsdl:output name="addBookResponse">
<wsdlsoap:body use="literal"/>
</wsdl:output>

<wsdl:fault name="addDuplicateFault">
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
<wsdlsoap:fault name="addDuplicateFault" use="literal"/>
</wsdl:fault>

</wsdl:operation>
...
(same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple times, in which case the addBook operation always generates a Fault response).

        Summary: CXF does not handle security processing on application-level Fault responses  (was: CXF does not handle security processing on Fault responses)

> CXF does not handle security processing on application-level Fault responses
> ----------------------------------------------------------------------------
>
>                 Key: CXF-3043
>                 URL: https://issues.apache.org/jira/browse/CXF-3043
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>
> CXF ignores WS-Security policy configuration for application-level Fault responses (tested with both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
> <!-- Policy for Username Token with hashed password, sent from client to server only -->
> <wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SupportingTokens>
> <wsp:Policy>
> <sp:UsernameToken sp:IncludeToken=
> "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:HashPassword/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SupportingTokens>
> </wsp:Policy>
> <!-- Policy for symmetric binding, using an ephemeral key generated by the client and
> sent to the server as part of the request, using asymmetric encryption with the server
> public key to secure the symmetric key. -->
> <wsp:Policy wsu:Id="SymmEncr"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SymmetricBinding>
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> </wsp:Policy>
> <!-- Policy for encrypting the message body. -->
> <wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:EncryptedParts>
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:Policy>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
> ...
> <wsdl:operation name="addBook">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>
> <wsdlsoap:operation soapAction="urn:addBook"/>
> <wsdl:input name="addBookRequest">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
> <wsdl:output name="addBookResponse">
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
> <wsdl:fault name="addDuplicateFault">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:fault name="addDuplicateFault" use="literal"/>
> </wsdl:fault>
> </wsdl:operation>
> ...
> (same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple times, in which case the addBook operation always generates a Fault response).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (CXF-3043) CXF does not handle security processing on Fault responses

Posted by "Glen Mazza (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/CXF-3043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918480#action_12918480 ] 

Glen Mazza commented on CXF-3043:
---------------------------------

Are you sure this is a bug?  Is there a specification which says Fault messages are to be encrypted (Does Metro do this)?  It's normally a best practice *not* to give sensitive information over Faults anyway, and wouldn't encrypting encourage bad design habits?  (Perhaps transport-layer encryption would be better if you wanted to do this.)

But more to the point, given that problems with the WS-Security policy statements are to be reported themselves as SOAP faults (per the WS-Security specification), and that safety/security problems with the configuration could be among the errors that would engender a fault, it would seem strange to rely on the same problematic policy statements that are producing the error/exception in subsequently sending the Fault back to the client.





> CXF does not handle security processing on Fault responses
> ----------------------------------------------------------
>
>                 Key: CXF-3043
>                 URL: https://issues.apache.org/jira/browse/CXF-3043
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>
> CXF ignores WS-Security policy configuration for Fault responses (tested with both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
> <!-- Policy for Username Token with hashed password, sent from client to server only -->
> <wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SupportingTokens>
> <wsp:Policy>
> <sp:UsernameToken sp:IncludeToken=
> "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:HashPassword/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SupportingTokens>
> </wsp:Policy>
> <!-- Policy for symmetric binding, using an ephemeral key generated by the client and
> sent to the server as part of the request, using asymmetric encryption with the server
> public key to secure the symmetric key. -->
> <wsp:Policy wsu:Id="SymmEncr"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SymmetricBinding>
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> </wsp:Policy>
> <!-- Policy for encrypting the message body. -->
> <wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:EncryptedParts>
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:Policy>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
> ...
> <wsdl:operation name="addBook">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>
> <wsdlsoap:operation soapAction="urn:addBook"/>
> <wsdl:input name="addBookRequest">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
> <wsdl:output name="addBookResponse">
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
> <wsdl:fault name="addDuplicateFault">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:fault name="addDuplicateFault" use="literal"/>
> </wsdl:fault>
> </wsdl:operation>
> ...
> (same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple times, in which case the addBook operation always generates a Fault response).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (CXF-3043) CXF does not handle security processing on Fault responses

Posted by "Dennis Sosnoski (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/CXF-3043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918711#action_12918711 ] 

Dennis Sosnoski commented on CXF-3043:
--------------------------------------

I think Dan's comment represents the best practices in this area. Application faults may contain sensitive data which needs to be secured, just as other types of response from the application. I should have specified "application-level" faults in the title of this Jira just to make it clear that I was referring to this case.

> CXF does not handle security processing on Fault responses
> ----------------------------------------------------------
>
>                 Key: CXF-3043
>                 URL: https://issues.apache.org/jira/browse/CXF-3043
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>
> CXF ignores WS-Security policy configuration for Fault responses (tested with both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
> <!-- Policy for Username Token with hashed password, sent from client to server only -->
> <wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SupportingTokens>
> <wsp:Policy>
> <sp:UsernameToken sp:IncludeToken=
> "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:HashPassword/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SupportingTokens>
> </wsp:Policy>
> <!-- Policy for symmetric binding, using an ephemeral key generated by the client and
> sent to the server as part of the request, using asymmetric encryption with the server
> public key to secure the symmetric key. -->
> <wsp:Policy wsu:Id="SymmEncr"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SymmetricBinding>
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> </wsp:Policy>
> <!-- Policy for encrypting the message body. -->
> <wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:EncryptedParts>
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:Policy>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
> ...
> <wsdl:operation name="addBook">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>
> <wsdlsoap:operation soapAction="urn:addBook"/>
> <wsdl:input name="addBookRequest">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
> <wsdl:output name="addBookResponse">
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
> <wsdl:fault name="addDuplicateFault">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:fault name="addDuplicateFault" use="literal"/>
> </wsdl:fault>
> </wsdl:operation>
> ...
> (same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple times, in which case the addBook operation always generates a Fault response).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (CXF-3043) CXF does not handle security processing on Fault responses

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/CXF-3043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918499#action_12918499 ] 

Daniel Kulp commented on CXF-3043:
----------------------------------


This may be something that we try to enable depending on the internal fault type.   If it's an application level fault thrown form their implementation, then the fault policies should go into affect.    If it's a fault thrown from the incoming interceptors (such as a Security fault), then don't apply the policy.    Basically, if it's gotten into the application, we know the basic security requirements have been met.   

> CXF does not handle security processing on Fault responses
> ----------------------------------------------------------
>
>                 Key: CXF-3043
>                 URL: https://issues.apache.org/jira/browse/CXF-3043
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>
> CXF ignores WS-Security policy configuration for Fault responses (tested with both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
> <!-- Policy for Username Token with hashed password, sent from client to server only -->
> <wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SupportingTokens>
> <wsp:Policy>
> <sp:UsernameToken sp:IncludeToken=
> "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:HashPassword/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SupportingTokens>
> </wsp:Policy>
> <!-- Policy for symmetric binding, using an ephemeral key generated by the client and
> sent to the server as part of the request, using asymmetric encryption with the server
> public key to secure the symmetric key. -->
> <wsp:Policy wsu:Id="SymmEncr"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SymmetricBinding>
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> </wsp:Policy>
> <!-- Policy for encrypting the message body. -->
> <wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:EncryptedParts>
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:Policy>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
> ...
> <wsdl:operation name="addBook">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>
> <wsdlsoap:operation soapAction="urn:addBook"/>
> <wsdl:input name="addBookRequest">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
> <wsdl:output name="addBookResponse">
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
> <wsdl:fault name="addDuplicateFault">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:fault name="addDuplicateFault" use="literal"/>
> </wsdl:fault>
> </wsdl:operation>
> ...
> (same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple times, in which case the addBook operation always generates a Fault response).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.