WS-Security vulnerability
-------------------------
Key: CXF-1433
URL: https://issues.apache.org/jira/browse/CXF-1433
Project: CXF
Issue Type: Bug
Components: WS-* Components
Affects Versions: 2.0.3
Environment: Tomcat 5.5, Spring 2 and CXF 2.0.3 for the server and Flex WS-client
Reporter: Loïc FRERING
Priority: Critical
It is possible to bypass the security checks configured with WS-Security.
Server configured with a Username Token WS-Security authentication with Spring:
<jaxws:endpoint id="helloWorld" implementor="service.impl.HelloWorldImpl"
                address="/HelloWorld">
  <jaxws:inInterceptors>
    <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
      <constructor-arg>
        <map>
          <entry key="action" value="UsernameToken"/>
          <entry key="passwordType" value="PasswordDigest"/>
          <entry key="passwordCallbackClass" value="service.security.ServerPasswordHandler"/>
        </map>
      </constructor-arg>
    </bean>
    <bean class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
    <bean class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
  </jaxws:inInterceptors>
</jaxws:endpoint>
When a SOAP message is created and sent with the following header, the server
does not process the authentication and returns the response:
<SOAP-ENV:Envelope>
  <SOAP-ENV:Header>
    <ns0:Security>
      <ns0:wsse>Security</ns0:wsse>
    </ns0:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns0:sayHi>
      <name>Loïc</name>
    </ns0:sayHi>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
So it is possible to bypass all the security checks configured and use it.
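As an added illustration (not part of the report or of CXF/WSS4J), this is the fail-closed check a server should apply: a request is dispatched only when the Security header actually contains a complete wsse:UsernameToken whose PasswordDigest verifies, so a header that carries no token, like the one above, is rejected rather than passed through. The sample envelopes are constructed; the report's ns0 prefix is assumed to be the wsse namespace, and the nonce, Created timestamp and password for the user "alice" are made-up values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # namespace URIs from OASIS WS-Security 1.0 / UsernameToken Profile 1.0
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def extract_username_token(envelope_xml):
    """Return the UsernameToken fields, or None if the Security header carries no usable token."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None  # no header, an empty header, or junk children such as <wsse>Security</wsse>
    password = token.find(f"{{{WSSE}}}Password")
    fields = {"username": token.findtext(f"{{{WSSE}}}Username"),
              "digest": None if password is None else password.text,
              "nonce": token.findtext(f"{{{WSSE}}}Nonce"),
              "created": token.findtext(f"{{{WSU}}}Created")}
    if password is None or password.get("Type") != DIGEST or None in fields.values():
        return None  # PasswordDigest is configured, so a plaintext or partial token is unusable too
    return fields

def digest_matches(token, password):
    """Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is base64 on the wire."""
    raw = base64.b64decode(token["nonce"]) + token["created"].encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode() == token["digest"]

def authenticate(envelope_xml, lookup_password):
    """Fail closed: dispatch only when a well-formed token was found AND its digest verifies."""
    token = extract_username_token(envelope_xml)
    if token is None:
        raise PermissionError("no usable wsse:UsernameToken in Security header; request rejected")
    if not digest_matches(token, lookup_password(token["username"])):
        raise PermissionError("password digest mismatch for %r" % token["username"])
    return token["username"]

def envelope(security_children):
    """Constructed sample builder: the report's envelope shape, with ns0 assumed bound to the wsse namespace."""
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}" xmlns:ns0="{WSSE}" xmlns:wsu="{WSU}">'
            f"<SOAP-ENV:Header><ns0:Security>{security_children}</ns0:Security></SOAP-ENV:Header>"
            "<SOAP-ENV:Body><sayHi><name>Loïc</name></sayHi></SOAP-ENV:Body></SOAP-ENV:Envelope>")

BYPASS_MSG = envelope("<ns0:wsse>Security</ns0:wsse>")  # the header from the report, constructed
NONCE, CREATED, SECRET = b"0123456789abcdef", "2008-03-11T10:00:00Z", "s3cret"  # made-up credentials for "alice"
GOOD_DIGEST = base64.b64encode(hashlib.sha1(NONCE + CREATED.encode() + SECRET.encode()).digest()).decode()
GOOD_MSG = envelope(f'<ns0:UsernameToken><ns0:Username>alice</ns0:Username><ns0:Password Type="{DIGEST}">'
                    f"{GOOD_DIGEST}</ns0:Password><ns0:Nonce>{base64.b64encode(NONCE).decode()}</ns0:Nonce>"
                    f"<wsu:Created>{CREATED}</wsu:Created></ns0:UsernameToken>")
```

Calling authenticate(GOOD_MSG, lambda user: SECRET) returns "alice", while authenticate(BYPASS_MSG, ...) raises PermissionError, as does a message with no Security header at all.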