Posted to issues@cxf.apache.org by "Glen Mazza (JIRA)" <ji...@apache.org> on 2010/10/06 13:48:30 UTC

[jira] Commented: (CXF-3043) CXF does not handle security processing on Fault responses

    [ https://issues.apache.org/jira/browse/CXF-3043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918480#action_12918480 ] 

Glen Mazza commented on CXF-3043:
---------------------------------

Are you sure this is a bug?  Is there a specification which says Fault messages are to be encrypted (Does Metro do this)?  It's normally a best practice *not* to give sensitive information over Faults anyway, and wouldn't encrypting encourage bad design habits?  (Perhaps transport-layer encryption would be better if you wanted to do this.)

But more to the point, given that problems with the WS-Security policy statements are to be reported themselves as SOAP faults (per the WS-Security specification), and that safety/security problems with the configuration could be among the errors that would engender a fault, it would seem strange to rely on the same problematic policy statements that are producing the error/exception in subsequently sending the Fault back to the client.

> CXF does not handle security processing on Fault responses
> ----------------------------------------------------------
>
>                 Key: CXF-3043
>                 URL: https://issues.apache.org/jira/browse/CXF-3043
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2.10
>            Reporter: Dennis Sosnoski
>
> CXF ignores WS-Security policy configuration for Fault responses (tested with both 2.2.10 and the 2.3 nightly). Here's a WSDL sample illustrating the problem:
> <wsdl:definitions targetNamespace="http://ws.sosnoski.com/library/wsdl"
> xmlns:wns="http://ws.sosnoski.com/library/wsdl"
> xmlns:tns="http://ws.sosnoski.com/library/types"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/">
> <!-- Policy for Username Token with hashed password, sent from client to server only -->
> <wsp:Policy wsu:Id="UsernameToken" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SupportingTokens>
> <wsp:Policy>
> <sp:UsernameToken sp:IncludeToken=
> "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:HashPassword/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SupportingTokens>
> </wsp:Policy>
> <!-- Policy for symmetric binding, using an ephemeral key generated by the client and
> sent to the server as part of the request, using asymmetric encryption with the server
> public key to secure the symmetric key. -->
> <wsp:Policy wsu:Id="SymmEncr"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:SymmetricBinding>
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128Rsa15/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> </wsp:Policy>
> <!-- Policy for encrypting the message body. -->
> <wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:EncryptedParts>
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:Policy>
> ...
> <wsdl:binding name="LibrarySoapBinding" type="wns:Library">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#UsernameToken"/>
> ...
> <wsdl:operation name="addBook">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#SymmEncr"/>
> <wsdlsoap:operation soapAction="urn:addBook"/>
> <wsdl:input name="addBookRequest">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:body use="literal"/>
> </wsdl:input>
> <wsdl:output name="addBookResponse">
> <wsdlsoap:body use="literal"/>
> </wsdl:output>
> <wsdl:fault name="addDuplicateFault">
> <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#EncrBody"/>
> <wsdlsoap:fault name="addDuplicateFault" use="literal"/>
> </wsdl:fault>
> </wsdl:operation>
> ...
> (same WSDL as for CXF-3042 - this problem shows up if you run the client code multiple times, in which case the addBook operation always generates a Fault response).

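An audit script, added here as an example and not CXF project code, that lists every WS-Policy reference attached to a wsdl:fault so a deployer can see which Faults the report says CXF 2.2.10 will send without the EncryptedParts/SignedParts protection the WSDL promises. The sample WSDL is constructed from the fragment in the report (both WS-Policy namespaces it uses are handled); the function name is assumed.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Both WS-Policy namespaces used in the reported WSDL (WS-Policy 1.5 and 1.2).
WSP_NAMESPACES = ("http://www.w3.org/ns/ws-policy", "http://schemas.xmlsoap.org/ws/2004/09/policy")
PROTECTION = {"EncryptedParts", "SignedParts", "EncryptedElements", "SignedElements"}


def fault_policy_refs(wsdl_text):
    """Return (operation, fault, policy id, protection assertions) for each
    wsp:PolicyReference attached to a wsdl:fault anywhere in the WSDL."""
    root = ET.fromstring(wsdl_text)
    # Index each wsu:Id'd policy by the sp:* assertion names it contains.
    policies = {}
    for ns in WSP_NAMESPACES:
        for pol in root.iter("{%s}Policy" % ns):
            pid = pol.get("{%s}Id" % WSU)
            if pid:
                policies[pid] = {e.tag.split("}")[1] for e in pol.iter()
                                 if e.tag.startswith("{%s}" % SP)}
    findings = []
    for op in root.iter("{%s}operation" % WSDL):
        for fault in op.findall("{%s}fault" % WSDL):
            for ns in WSP_NAMESPACES:
                for ref in fault.findall("{%s}PolicyReference" % ns):
                    pid = ref.get("URI", "").lstrip("#")
                    prot = sorted(policies.get(pid, set()) & PROTECTION)
                    findings.append((op.get("name"), fault.get("name"), pid, prot))
    return findings


# Constructed sample modelled on the report's WSDL: EncrBody is referenced from the
# addBook input (enforced) and from its fault (ignored by CXF per this report).
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="EncrBody"><sp:EncryptedParts><sp:Body/></sp:EncryptedParts></wsp:Policy>
  <wsdl:binding name="LibrarySoapBinding">
    <wsdl:operation name="addBook">
      <wsdl:input name="addBookRequest"><wsp:PolicyReference URI="#EncrBody"/></wsdl:input>
      <wsdl:fault name="addDuplicateFault"><wsp:PolicyReference URI="#EncrBody"/></wsdl:fault>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>"""

if __name__ == "__main__":
    for op, fault, pid, prot in fault_policy_refs(SAMPLE_WSDL):
        print(f"{op}/{fault}: #{pid} {prot} is attached to a Fault and will not be enforced")
```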