You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/03/03 15:45:00 UTC

[jira] [Resolved] (CXF-8230) WS-Security and MTOM: Flag org.apache.cxf.ws.security.SecurityConstants.STORE_BYTES_IN_ATTACHMENT not working as expected

     [ https://issues.apache.org/jira/browse/CXF-8230?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-8230.
--------------------------------------
    Resolution: Won't Fix

I merged a fix to WSS4J for the next release to properly handle a SignatureValue where the bytes are stored in the attachment: https://issues.apache.org/jira/browse/WSS-666

I'm not going to support creating SignatureValues in the same way, as WSS4J uses the JSR-105 API to create XML Signatures, which doesn't support this kind of serialization (AFAIK).

I'd suggest testing with the latest WSS4J code with CXF to see if it fixes your problem. If you run into a bug then feel free to re-open this issue.

> WS-Security and MTOM: Flag org.apache.cxf.ws.security.SecurityConstants.STORE_BYTES_IN_ATTACHMENT not working as expected
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8230
>                 URL: https://issues.apache.org/jira/browse/CXF-8230
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 3.2.5
>            Reporter: Jochen Riedlinger
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>         Attachments: example_request_1.xml
>
>
> Hi,
> by default an CXF client that uses MTOM and WS-Security sends the "BinarySecurityToken" and "SignatureValue" elements base64 encoded.
> I expect that "BinarySecurityToken" and "SignatureValue" are both sent as attachmentreferenced via XOP:INCLUDE, if I put the flag "org.apache.cxf.ws.security.SecurityConstants.STORE_BYTES_IN_ATTACHMENT=true".
> But this does not happen.
> If I put STORE_BYTES_IN_ATTACHMENT=true, only the BinarySecurityToken is attached while SignatureValue stays base64 encoded (see attched file "example_request_1.xml").
> IMHO the flag should also cause the SignatureValue to attached, shouldn't it?
>  
> Background story:
> The use-case for this is that I want a CXF client to behave like a 3rd party client (SAP) with which we have an compatibility issue.
> The SAP client sends BinarySecurityToken, SignatureValue and the real data as MTOM attachment. A CXF client only sends BinarySecurityToken and the real data as MTOM atatchment.
> I have the suspision that a CXF service cannot handle a request that sends BinarySecurityToken, SignatureValue and the real data as MTOM attachment.
> But since the STORE_BYTES_IN_ATTACHMENT flag does not work as expected, I cannot even write a reproducer....
>  
> Regards,
> Jochen



--
This message was sent by Atlassian Jira
(v8.3.4#803005)