Posted to users@cxf.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2015/12/01 15:22:08 UTC

Re: CXF (2.7.13) Security Policy not used when SoapFault thrown due to Schema Validation

Are you attaching security policies to the wsdl:fault part of your security
binding? If policies are only attached to the wsdl:input/output, then the
SOAP Faults won't be secured. Here is an example:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/fault/DoubleItFault.wsdl;h=2e388f57657c88339659e1555e5cf5c439a691ce;hb=HEAD

Colm.

On Fri, Nov 27, 2015 at 8:12 AM, Alexandros Trifyllis <a.trifyllis@gmail.com> wrote:

> Further into debugging, I notice that in class AbstractPolicyInterceptor
> line 69 (version 2.7.13):
>
> if (faultClass != null && faultClass.isAssignableFrom(cause.getClass())) {
>
> the "faultClass" can never be "assignableFrom" the "cause".
>
> The "faultClass" is a custom class of mine which extends Exception. The
> "cause" in the case of schema validation
> is javax.xml.bind.UnmarshalException which also extends Exception.
>
> In that case, one is not assignable from the other.
>
> This failed check results in the framework not adding crucial interceptors
> in the chain, like PolicyBasedWSS4JOutInterceptor etc.
>
> On Thu, Nov 26, 2015 at 2:59 PM, Alexandros Trifyllis <a.trifyllis@gmail.com> wrote:
>
> > I have a wsdl with security policy for signing messages. In my endpoint I
> > have the annotation @SchemaValidation. When a validation throws a SoapFault
> > the message (with the SoapFault) is not signed. Running CXF in debug mode I
> > see that the interceptor chain used is different compared to the chain when
> > no fault occurs. This is normal but what does not seem normal is that the
> > fault chain does not contain interceptors
> > like: PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor which are
> > required for the message to be signed. Here is the chain when no fault
> > occurs:
> >
> > 14:14:56,310 FINE  [org.apache.cxf.phase.PhaseInterceptorChain] (default task-4) Chain org.apache.cxf.phase.PhaseInterceptorChain@5a2ad9f8 was modified. Current flow:
> >   setup [ServerPolicyOutFaultInterceptor]
> >   pre-logical [MAPAggregatorImpl, SoapHeaderOutFilterInterceptor,
> > SecurityVerificationOutInterceptor]
> >   prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor,
> > Soap12FaultOutInterceptor]
> >   pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor,
> > StaxOutInterceptor]
> >   pre-protocol [WebFaultOutInterceptor, MAPCodec,
> > PolicyBasedWSS4JOutInterceptor, UsernameTokenInterceptor]
> >   write [SoapOutInterceptor]
> >   marshal [Soap12FaultOutInterceptorInternal]
> >   post-protocol [PolicyBasedWSS4JOutInterceptorInternal]
> >   write-ending [SoapOutEndingInterceptor]
> >   pre-protocol-ending [SAAJOutEndingInterceptor]
> >   pre-stream-ending [StaxOutEndingInterceptor]
> >   prepare-send-ending [MessageSenderEndingInterceptor]
> >
> >
> > and when fault occurs:
> >
> > 12:55:34,500 FINE  [org.apache.cxf.phase.PhaseInterceptorChain] (default task-3) Chain org.apache.cxf.phase.PhaseInterceptorChain@30f5696 was created. Current flow:
> >   setup [ServerPolicyOutFaultInterceptor]
> >   pre-logical [SoapHeaderOutFilterInterceptor]
> >   prepare-send [MessageSenderInterceptor, GenericSecurityOutInterceptor,
> > Soap12FaultOutInterceptor]
> >   pre-stream [LoggingOutInterceptor, CustomizeLoggingOutInterceptor,
> > StaxOutInterceptor]
> >   pre-protocol [WebFaultOutInterceptor]
> >   write [SoapOutInterceptor]
> >
> >
> > Am I missing some configuration?
> >
> > Thank you in advance
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
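The attachment pattern Colm describes, written out as an added illustration (this is not the DoubleItFault.wsdl linked above nor any CXF project file; service, operation, binding and policy names are hypothetical). The security binding assertion (here an AsymmetricBinding with X.509 tokens) is referenced once at the wsdl:binding level, and the SignedParts assertion is referenced separately from wsdl:input, wsdl:output and wsdl:fault of each operation. The wsdl:fault reference is the part that is easy to leave out; without it the fault message has no SignedParts requirement attached and is sent unsigned.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions name="Service"
    targetNamespace="http://www.example.org/service"
    xmlns:tns="http://www.example.org/service"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

  <!-- wsdl:types, wsdl:message and wsdl:portType are omitted (hypothetical names);
       the portType is assumed to declare operation "Process" with fault "ProcessFault". -->

  <wsdl:binding name="ServiceSecureSOAPBinding" type="tns:ServicePortType">
    <!-- Binding-level assertion: which tokens sign, algorithm suite, timestamp. -->
    <wsp:PolicyReference URI="#ServiceBindingPolicy"/>
    <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="Process">
      <soap12:operation soapAction=""/>
      <wsdl:input>
        <wsp:PolicyReference URI="#SignedBodyPolicy"/>
        <soap12:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference URI="#SignedBodyPolicy"/>
        <soap12:body use="literal"/>
      </wsdl:output>
      <!-- The fault gets the same SignedParts reference as input and output.
           Leaving this out is what produces an unsigned SOAP Fault. -->
      <wsdl:fault name="ProcessFault">
        <wsp:PolicyReference URI="#SignedBodyPolicy"/>
        <soap12:fault name="ProcessFault" use="literal"/>
      </wsdl:fault>
    </wsdl:operation>
  </wsdl:binding>

  <wsdl:service name="Service">
    <wsdl:port name="ServiceInterfacePort" binding="tns:ServiceSecureSOAPBinding">
      <soap12:address location="https://www.example.org/"/>
    </wsdl:port>
  </wsdl:service>

  <!-- Asymmetric binding: client signs with its X.509 token, server signs with its own. -->
  <wsp:Policy wsu:Id="ServiceBindingPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:AsymmetricBinding>
          <wsp:Policy>
            <sp:InitiatorToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:InitiatorToken>
            <sp:RecipientToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                  <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:RecipientToken>
            <sp:AlgorithmSuite>
              <wsp:Policy><sp:Basic256/></wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy><sp:Lax/></wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp:Policy>
        </sp:AsymmetricBinding>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

  <!-- Message-level assertion shared by input, output and fault: sign the Body. -->
  <wsp:Policy wsu:Id="SignedBodyPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts>
          <sp:Body/>
        </sp:SignedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</wsdl:definitions>
```

To check that the change took effect, run the service with CXF's FINE logging as in the original report and provoke a schema-validation fault: the fault chain logged by PhaseInterceptorChain should now list PolicyBasedWSS4JOutInterceptor in pre-protocol and PolicyBasedWSS4JOutInterceptorInternal in post-protocol, as the non-fault chain does.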

Re: CXF (2.7.13) Security Policy not used when SoapFault thrown due to Schema Validation

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

I added a test to replicate this scenario and it works:

https://git1-us-west.apache.org/repos/asf?p=cxf.git;a=commit;h=fa985a4e

Could you try updating to a more recent version of CXF to see if it works?
Failing that, maybe take a look at the test I added and see if you can
modify it so that it fails as per your scenario.

Colm.

On Wed, Dec 9, 2015 at 7:38 AM, Alx <ot...@gmail.com> wrote:

> I am attaching them at the port level i.e.:
>
> <service name="Service">
> <port name="ServiceInterfacePort"
> binding="pdef:ServiceInterfaceSecureSOAPBinding">
> <wsp:PolicyReference URI="#SecurityServiceSignPolicy" />
> <soap:address location="https://www.example.org/" />
> </port>
> </service>
>
> The problem is that the referenced binding is defined in a wsdl that I do
> not own (so I can't really attach the policy to the input, output and fault
> elements).
>
> Does this mean that the behaviour is normal when attaching the policy at
> the service element?
>
> Thank you for the feedback!
>
> Alex
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: CXF (2.7.13) Security Policy not used when SoapFault thrown due to Schema Validation

Posted by Alx <ot...@gmail.com>.
I am attaching them at the port level i.e.:

<service name="Service">
<port name="ServiceInterfacePort"
binding="pdef:ServiceInterfaceSecureSOAPBinding">
<wsp:PolicyReference URI="#SecurityServiceSignPolicy" />
<soap:address location="https://www.example.org/" />
</port>
</service>

The problem is that the referenced binding is defined in a wsdl that I do
not own (so I can't really attach the policy to the input, output and fault
elements).

Does this mean that the behaviour is normal when attaching the policy at
the service element?

Thank you for the feedback!

Alex
