More info.
Looking at the latest wss4j code (1.5.3), the routine ignores the fact
that the wsse:Security is empty and falls out indicating that all is well.
They have the code to catch this hole commented out for some reason.
protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
    int resultActions = wsResult.size();
    int size = actions.size();
    // if (size != resultActions) {
    //     throw new AxisFault(
    //         "WSDoAllReceiver: security processing failed (actions number mismatch)");
    // }
    int ai = 0;
    for (int i = 0; i < resultActions; i++) {
        final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult.get(i))
                .get(WSSecurityEngineResult.TAG_ACTION);
        int act = actInt.intValue();
        if (act == WSConstants.SC || act == WSConstants.BST) {
            continue;
        }
        if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
            return false;
        }
    }
    return true;
}
From: [EMAIL PROTECTED]
Date: 01/16/2008 01:29 PM
Subject: wss4jInConfiguration - Security can be bypassed by client in CXF 2.0.3 incubator
Hello,
I'm not sure if this is an issue or lack of correct configuration on my
part.
I found that it is real easy to bypass the security checks (UsernameToken,
Timestamp, and/or Signature) for the WS Security settings.
All you have to do is set up the client request to pass a <wsse:Security>
tag as empty or with garbage in it and the service side will ignore the
fact that any of those actions are required.
Here is an example request that my service method will answer even though
it is supposed to require a Timestamp and a Signature action in the WS
Security setup.
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soap:mustUnderstand="1">
      leave blank or pass garbage and security is bypassed
    </wsse:Security>
  </soap:Header>
  <soap:Body
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="id-23632030">
    <ns1:sayHi xmlns:ns1="http://spring.demo/">
      <arg0>Joe</arg0>
    </ns1:sayHi>
  </soap:Body>
</soap:Envelope>
Below is my CXF Servlet Spring beans configuration.
Am I missing something to tell WS Security that the actions are mandatory?
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

  <import resource="classpath:META-INF/cxf/cxf.xml" />
  <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
  <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />

  <jaxws:endpoint id="helloWorld"
                  implementor="demo.spring.HelloWorldImpl"
                  address="/HelloWorld">
    <jaxws:features>
      <bean class="org.apache.cxf.feature.LoggingFeature"/>
    </jaxws:features>
    <jaxws:inInterceptors>
      <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
      <ref bean="wss4jInConfiguration"/>
    </jaxws:inInterceptors>
  </jaxws:endpoint>

  <bean id="wss4jInConfiguration"
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <property name="properties">
      <map>
        <entry key="action" value="Timestamp Signature"/>
        <entry key="passwordType" value="PasswordDigest"/>
        <entry>
          <key>
            <value>passwordCallbackRef</value>
          </key>
          <ref bean="passwordCallback"/>
        </entry>
        <entry key="signaturePropFile" value="server_sign.properties"/>
      </map>
    </property>
  </bean>

  <bean id="passwordCallback"
        class="demo.spring.handlers.PasswordCallbackHandler"/>
  <bean id="serviceMethodAuthorizer"
        class="demo.spring.handlers.ServiceMethodAuthorizer"/>
</beans>
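As an added example, not code from wss4j, CXF or either poster: a Python model of the checkReceiverResults routine quoted in the reply, beside a version with the commented-out count check restored, run against the empty-header request from the report. It inspects which WS-Security elements the inbound wsse:Security header actually carries and compares them with the configured "action" list. The function names (header_actions, lenient_check, strict_check, verify) and both sample envelopes are constructed for this illustration; the check is structural only and performs no signature or timestamp validation.

```python
# Added example (not wss4j or CXF code): a Python model of the
# checkReceiverResults logic, with the action-count check restored.
# Structural check only: no signature or timestamp validation is performed.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Header element -> action name, as written in the "action" property.
ELEMENT_TO_ACTION = {
    f"{{{WSU}}}Timestamp": "Timestamp",
    f"{{{DS}}}Signature": "Signature",
    f"{{{WSSE}}}UsernameToken": "UsernameToken",
}
# A BinarySecurityToken yields a result that wss4j's loop skips (WSConstants.BST);
# it is not an action a server can require, so it is dropped here too.
SKIPPED = {f"{{{WSSE}}}BinarySecurityToken"}


def header_actions(envelope_xml: str) -> list[str]:
    """Actions present in wsse:Security, in document order.

    Text content and unrecognised child elements produce no result,
    mirroring wss4j ignoring garbage inside the header.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        return []
    found = []
    for child in security:
        if child.tag in SKIPPED:
            continue
        action = ELEMENT_TO_ACTION.get(child.tag)
        if action is not None:
            found.append(action)
    return found


def lenient_check(results: list[str], required: list[str]) -> bool:
    """The 1.5.3 behaviour: each processed result must match the next required
    action, but nothing requires every configured action to have been seen.
    An empty result list therefore passes."""
    ai = 0
    for act in results:
        if ai >= len(required) or required[ai] != act:
            return False
        ai += 1
    return True


def strict_check(results: list[str], required: list[str]) -> bool:
    """The commented-out count check restored, applied after BST results are
    dropped: exactly the configured actions, in the configured order."""
    if len(results) != len(required):
        return False
    return lenient_check(results, required)


def verify(envelope_xml: str, action_property: str) -> bool:
    """Accept the message only if the header carries every configured action."""
    return strict_check(header_actions(envelope_xml), action_property.split())


# Constructed sample messages; the first reproduces the empty header from the report.
EMPTY_HEADER = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" soap:mustUnderstand="1">
      leave blank or pass garbage and security is bypassed
    </wsse:Security>
  </soap:Header>
  <soap:Body><ns1:sayHi xmlns:ns1="http://spring.demo/"><arg0>Joe</arg0></ns1:sayHi></soap:Body>
</soap:Envelope>"""

# Structurally complete header: Timestamp, the signer's token, and a Signature.
# Token and signature contents are placeholders, not real values.
SIGNED_HEADER = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2008-01-16T18:29:00Z</wsu:Created></wsu:Timestamp>
      <wsse:BinarySecurityToken wsu:Id="CertId-1">BASE64-CERT-PLACEHOLDER</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body><ns1:sayHi xmlns:ns1="http://spring.demo/"><arg0>Joe</arg0></ns1:sayHi></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for name, msg in (("empty header", EMPTY_HEADER), ("signed header", SIGNED_HEADER)):
        actions = header_actions(msg)
        print(f"{name}: actions={actions} "
              f"lenient={lenient_check(actions, ['Timestamp', 'Signature'])} "
              f"strict={verify(msg, 'Timestamp Signature')}")
```

Comparing counts only after dropping the BST/SC results matters: a signed message normally carries a BinarySecurityToken, so comparing the raw wsResult.size() against the configured action count, as the commented-out block does, would reject legitimate signed traffic, which is a plausible reason that block was disabled. The lenient loop also passes a header that carries only a subset of the configured actions, so the restored check has to be a count comparison, not just the in-order walk.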