WSS4J actually has a bug logged on this point. See http://issues.apache.org/jira/browse/WSS-70.

The question now is - should CXF fix this, or should all users of CXF be aware of the need to check the actions size yourself?

[EMAIL PROTECTED]
01/16/2008 02:20 PM
Please respond to [email protected]

To: [email protected]
cc:
Subject: Re: wss4jInConfiguration - Security can be bypassed by client in CXF 2.0.3 incubator

More info. Looking at the latest wss4j code (1.5.3), the routine ignores the fact that the wsse:Security is empty and falls out indicating that all is well. They have the code to catch this hole commented out for some reason.

    protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
        int resultActions = wsResult.size();
        int size = actions.size();
        // if (size != resultActions) {
        //     throw new AxisFault(
        //         "WSDoAllReceiver: security processing failed (actions number mismatch)");
        // }
        int ai = 0;
        // The loop is driven by the results actually received, not by the
        // configured actions: with an empty header it runs zero times.
        for (int i = 0; i < resultActions; i++) {
            final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult.get(i))
                    .get(WSSecurityEngineResult.TAG_ACTION);
            int act = actInt.intValue();
            if (act == WSConstants.SC || act == WSConstants.BST) {
                continue;
            }
            if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
                return false;
            }
        }
        // Reached even when fewer results than configured actions were matched.
        return true;
    }

[EMAIL PROTECTED]
01/16/2008 01:29 PM
Please respond to [email protected]

To: [email protected]
cc:
Subject: wss4jInConfiguration - Security can be bypassed by client in CXF 2.0.3 incubator

Hello,

I'm not sure if this is an issue or a lack of correct configuration on my part. I found that it is really easy to bypass the security checks (UsernameToken, Timestamp, and/or Signature) for the WS Security settings. All you have to do is set up the client request to pass a <wsse:Security> tag as empty or with garbage in it, and the service side will ignore the fact that any of those actions are required. Here is an example request that my service method will answer even though it is supposed to require a Timestamp and a Signature action in the WS Security setup.
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soap:mustUnderstand="1">
      leave blank or pass garbage and security is bypassed
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             wsu:Id="id-23632030">
    <ns1:sayHi xmlns:ns1="http://spring.demo/">
      <arg0>Joe</arg0>
    </ns1:sayHi>
  </soap:Body>
</soap:Envelope>

Below is my CXF Servlet Spring beans configuration. Am I missing something to tell WS Security that the actions are mandatory?

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

  <import resource="classpath:META-INF/cxf/cxf.xml" />
  <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
  <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />

  <jaxws:endpoint id="helloWorld" implementor="demo.spring.HelloWorldImpl" address="/HelloWorld">
    <jaxws:features>
      <bean class="org.apache.cxf.feature.LoggingFeature"/>
    </jaxws:features>
    <jaxws:inInterceptors>
      <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
      <ref bean="wss4jInConfiguration"/>
    </jaxws:inInterceptors>
  </jaxws:endpoint>

  <bean id="wss4jInConfiguration" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <property name="properties">
      <map>
        <entry key="action" value="Timestamp Signature"/>
        <entry key="passwordType" value="PasswordDigest" />
        <entry>
          <key>
            <value>passwordCallbackRef</value>
          </key>
          <ref bean="passwordCallback"/>
        </entry>
        <entry key="signaturePropFile" value="server_sign.properties"></entry>
      </map>
    </property>
  </bean>

  <bean id="passwordCallback" class="demo.spring.handlers.PasswordCallbackHandler"/>
  <bean id="serviceMethodAuthorizer" class="demo.spring.handlers.ServiceMethodAuthorizer"/>
</beans>
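Added example, not code from WSS4J or CXF: it models the quoted checkReceiverResults() with plain integers so it runs without WSS4J (the class name and action codes are constructed stand-ins, not WSConstants values), and puts the shipped logic beside a version that also requires every configured action to have been matched, run over an empty header, a Timestamp-only header, and a complete one.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example, not WSS4J or CXF code. It models the comparison in
// checkReceiverResults() with plain integers so it runs without WSS4J;
// the action codes below are constructed placeholders, not WSConstants values.
public class ReceiverActionCheck {
    static final int TS = 1, SIGN = 2, UT = 3, SC = 4, BST = 5;

    // Same control flow as the 1.5.3 routine: the loop walks the results the
    // client actually produced, so an empty or partial wsse:Security header
    // never reaches a failing branch and the method returns true.
    static boolean checkAsShipped(List<Integer> wsResult, List<Integer> actions) {
        int ai = 0;
        for (int act : wsResult) {
            if (act == SC || act == BST) continue;   // bookkeeping entries, not actions
            if (ai >= actions.size() || actions.get(ai++) != act) return false;
        }
        return true;                                 // reached even when ai < actions.size()
    }

    // Hardened form: after the ordered match, every configured action must have
    // been consumed. Checking after the loop, rather than comparing raw sizes up
    // front as the commented-out block did, keeps the SC/BST results the loop
    // skips from causing a spurious mismatch on legitimate messages.
    static boolean checkStrict(List<Integer> wsResult, List<Integer> actions) {
        int ai = 0;
        for (int act : wsResult) {
            if (act == SC || act == BST) continue;
            if (ai >= actions.size() || actions.get(ai++) != act) return false;
        }
        return ai == actions.size();
    }

    public static void main(String[] args) {
        List<Integer> required = Arrays.asList(TS, SIGN);   // action="Timestamp Signature"
        // empty/garbage header (no results), Timestamp only, token plus both actions
        List<List<Integer>> received = Arrays.asList(
                Collections.<Integer>emptyList(), Arrays.asList(TS), Arrays.asList(BST, TS, SIGN));
        for (List<Integer> r : received) {
            System.out.println(r + " shipped=" + checkAsShipped(r, required)
                    + " strict=" + checkStrict(r, required));
        }
    }
}
```

Only the complete header passes checkStrict, while checkAsShipped accepts all three inputs, which is the behaviour the thread reports.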
